From 33a255612c661f174d2cb5d4ca93f8d7096e9290 Mon Sep 17 00:00:00 2001
From: Brian Haley
Date: Fri, 10 Nov 2017 10:58:58 -0500
Subject: [PATCH] Change default security group protocol to 'any'
The default protocol used to create a security rule was changed to ``tcp``, which was a regression from the neutron client. Change it back to ``any``, which skips sending the protocol to the API server entirely when using the Neutron v2 API. Users that had been creating rules without specifying a protocol and expecting ``tcp`` need to change to use ``--protocol tcp`` explicitly.
Change-Id: Iedaa027240e00dced551513d8fa828564386b79f
Closes-bug: #1716789
---
 .../cli/command-objects/security-group-rule.rst | 6 +++---
 .../network/v2/security_group_rule.py | 12 ++++++------
 openstackclient/tests/unit/network/v2/fakes.py | 2 +-
 .../v2/test_security_group_rule_network.py | 4 ++++
 .../notes/bug-1716789-abfae897b7e61246.yaml | 17 +++++++++++++++++
 5 files changed, 31 insertions(+), 10 deletions(-)
 create mode 100644 releasenotes/notes/bug-1716789-abfae897b7e61246.yaml
diff --git a/doc/source/cli/command-objects/security-group-rule.rst b/doc/source/cli/command-objects/security-group-rule.rst
index 1dbf16d22b..5809e00278 100644
--- a/doc/source/cli/command-objects/security-group-rule.rst
+++ b/doc/source/cli/command-objects/security-group-rule.rst
@@ -61,8 +61,8 @@ Create a new security group rule
 IP protocol (ah, dccp, egp, esp, gre, icmp, igmp, ipv6-encap, ipv6-frag, ipv6-icmp, ipv6-nonxt, ipv6-opts, ipv6-route, ospf, pgm, rsvp, sctp, tcp,
- udp, udplite, vrrp and integer representations [0-255];
- default: tcp)
+ udp, udplite, vrrp and integer representations [0-255]
+ or any; default: any (all protocols))
 *Network version 2*
@@ -157,7 +157,7 @@ List security group rules
 List rules by the IP protocol (ah, dhcp, egp, esp, gre, icmp, igmp, ipv6-encap, ipv6-frag, ipv6-icmp, ipv6-nonxt,ipv6-opts, ipv6-route, ospf, pgm, rsvp, sctp, tcp, udp, udplite, vrrp and integer
- representations [0-255])
+ representations [0-255] or any; default: any (all protocols))
 *Network version 2*
diff --git a/openstackclient/network/v2/security_group_rule.py b/openstackclient/network/v2/security_group_rule.py
index 961125a9a7..c93b3af461 100644
--- a/openstackclient/network/v2/security_group_rule.py
+++ b/openstackclient/network/v2/security_group_rule.py
@@ -168,7 +168,7 @@ class CreateSecurityGroupRule(common.NetworkAndComputeShowOne):
 "ipv6-encap, ipv6-frag, ipv6-icmp, ipv6-nonxt, "
 "ipv6-opts, ipv6-route, ospf, pgm, rsvp, sctp, tcp, "
 "udp, udplite, vrrp and integer representations [0-255] "
- "or any; default: tcp)")
+ "or any; default: any (all protocols))")
 )
 protocol_group.add_argument(
 '--proto',
@@ -233,8 +233,8 @@ class CreateSecurityGroupRule(common.NetworkAndComputeShowOne):
 )
 return parser
- def _get_protocol(self, parsed_args):
- protocol = 'tcp'
+ def _get_protocol(self, parsed_args, default_protocol='any'):
+ protocol = default_protocol
 if parsed_args.protocol is not None:
 protocol = parsed_args.protocol
 if parsed_args.proto is not None:
@@ -355,7 +355,7 @@ class CreateSecurityGroupRule(common.NetworkAndComputeShowOne):
 def take_action_compute(self, client, parsed_args):
 group = client.api.security_group_find(parsed_args.group)
- protocol = self._get_protocol(parsed_args)
+ protocol = self._get_protocol(parsed_args, default_protocol='tcp')
 if protocol == 'icmp':
 from_port, to_port = -1, -1
 else:
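Review bot: The `--protocol` help string of CreateSecurityGroupRule (hunk at line 168) now states `default: any (all protocols)` unconditionally, while the last hunk in this file keeps `tcp` as the default for `take_action_compute`. Since `take_action_compute` resolves the same parsed option through `_get_protocol`, this help is presumably shown to compute users as well, unless that path registers its own help text outside the hunk. I would word the last line as `"or any; default: any (all protocols) with the network API, tcp with the compute API)")` so that nobody writes an allow rule expecting one scope and gets the other. The enclosing `add_argument` call starts above the hunk.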
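Review bot: `_get_protocol` (hunk at line 233) gains a `default_protocol` argument without a docstring, and the default now differs by caller: `any` here, `tcp` when called from `take_action_compute`. With `any`, a rule created without `--protocol` matches every IP protocol instead of only tcp, so an omitted flag now yields a wider allow rule than before; that belongs in the code where the default lives, not only in the release note. Suggested docstring: `"""Return --protocol/--proto if given, else default_protocol ('any' = all IP protocols; compute passes 'tcp')."""`. The function body continues past the end of the hunk, so how `any` is handled afterwards is not visible here.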
@@ -462,8 +462,8 @@ class ListSecurityGroupRule(common.NetworkAndComputeLister):
 "ah, dhcp, egp, esp, gre, icmp, igmp, "
 "ipv6-encap, ipv6-frag, ipv6-icmp, ipv6-nonxt, "
 "ipv6-opts, ipv6-route, ospf, pgm, rsvp, sctp, tcp, "
- "udp, udplite, vrrp and integer representations [0-255])."
- )
+ "udp, udplite, vrrp and integer representations [0-255] "
+ "or any; default: any (all protocols))")
 )
 direction_group = parser.add_mutually_exclusive_group()
 direction_group.add_argument(
diff --git a/openstackclient/tests/unit/network/v2/fakes.py b/openstackclient/tests/unit/network/v2/fakes.py
index 100ea2b1ad..e41621a48e 100644
--- a/openstackclient/tests/unit/network/v2/fakes.py
+++ b/openstackclient/tests/unit/network/v2/fakes.py
@@ -1305,7 +1305,7 @@ class FakeSecurityGroupRule(object):
 'id': 'security-group-rule-id-' + uuid.uuid4().hex,
 'port_range_max': None,
 'port_range_min': None,
- 'protocol': 'tcp',
+ 'protocol': None,
 'remote_group_id': None,
 'remote_ip_prefix': '0.0.0.0/0',
 'security_group_id': 'security-group-id-' + uuid.uuid4().hex,
diff --git a/openstackclient/tests/unit/network/v2/test_security_group_rule_network.py b/openstackclient/tests/unit/network/v2/test_security_group_rule_network.py
index b070ab6aab..06849112e2 100644
--- a/openstackclient/tests/unit/network/v2/test_security_group_rule_network.py
+++ b/openstackclient/tests/unit/network/v2/test_security_group_rule_network.py
@@ -177,10 +177,12 @@ class TestCreateSecurityGroupRuleNetwork(TestSecurityGroupRuleNetwork):
 def test_create_default_rule(self):
 self._setup_security_group_rule({
+ 'protocol': 'tcp',
 'port_range_max': 443,
 'port_range_min': 443,
 })
 arglist = [
+ '--protocol', 'tcp',
 '--dst-port', str(self._security_group_rule.port_range_min),
 self._security_group.id,
 ]
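Review bot: The ListSecurityGroupRule help (hunk at line 462) now advertises `any` as a value and `any (all protocols)` as the default, but no hunk in this commit changes how the list command treats the protocol filter. If the value is passed to the API as given, `--protocol any` would act as a literal filter value rather than as "no filter"; this cannot be confirmed from the hunk and should be checked against the list path. Either map `any` to "no protocol filter" there, or keep the help to what the code does, for example `"udp, udplite, vrrp and integer representations [0-255]; default: no protocol filter)")`. The enclosing `add_argument` call starts above the hunk.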
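Review bot: `test_create_default_rule` (hunk at line 177) now passes `--protocol tcp` explicitly, so despite its name it no longer exercises the default protocol, and the only other hunk in this test file, in `test_create_remote_group` at line 267, makes the same two-line adjustment. The behaviour this commit introduces, no `--protocol` given and no protocol sent to the API, should be pinned by a test of its own unless an existing test outside these hunks already covers it. At minimum I would add a comment above `arglist` in both tests, `# protocol is explicit here: the default is now 'any'`, so that the test name does not mislead. Both test bodies continue past their hunks.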
@@ -267,11 +269,13 @@ class TestCreateSecurityGroupRuleNetwork(TestSecurityGroupRuleNetwork):
 def test_create_remote_group(self):
 self._setup_security_group_rule({
+ 'protocol': 'tcp',
 'port_range_max': 22,
 'port_range_min': 22,
 'remote_group_id': self._security_group.id,
 })
 arglist = [
+ '--protocol', 'tcp',
 '--dst-port', str(self._security_group_rule.port_range_min),
 '--ingress',
 '--src-group', self._security_group.name,
diff --git a/releasenotes/notes/bug-1716789-abfae897b7e61246.yaml b/releasenotes/notes/bug-1716789-abfae897b7e61246.yaml
new file mode 100644
index 0000000000..1fd0a13de6
--- /dev/null
+++ b/releasenotes/notes/bug-1716789-abfae897b7e61246.yaml
@@ -0,0 +1,17 @@
+---
+features:
+ - |
+ Change to use ``any`` as the default ``--protocol`` option to
+ ``security group rule create`` command when using the Neutron v2 API.
+ [Bug `1716789 `_]
+fixes:
+ - |
+ The default protocol used to create a security rule was changed to
+ ``tcp``, which was a regression from the neutron client when using
+ the Neutron v2 API. Change it back to ``any``, which skips sending
+ the protocol to the API server entirely.
+upgrade:
+ - |
+ Users that had been creating rules without specifying a protocol
+ and expecting ``tcp`` need to change to use ``--protocol tcp``
+ explicitly when using the Neutron v2 API.