Merge "NSX|V3: enforce provider rules not being set when not port sec"

2017-08-24 17:11:10 +00:00 · 2017-08-24 17:11:10 +00:00 · 36de1f3cf9
commit 36de1f3cf9
parent 48601bf047 6535cccf0b
1 changed files with 11 additions and 7 deletions
--- a/vmware_nsx/plugins/nsx_v3/plugin.py
+++ b/vmware_nsx/plugins/nsx_v3/plugin.py
@ -1733,6 +1733,14 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
            if not utils.is_ipv4_ip_address(ip):
                raise nsx_exc.InvalidIPAddress(ip_address=ip)

+    def _provider_sgs_specified(self, port_data):
+        # checks if security groups were updated adding/modifying
+        # security groups, port security is set and port has ip
+        provider_sgs_specified = (validators.is_attr_set(
+            port_data.get(provider_sg.PROVIDER_SECURITYGROUPS)) and
+            port_data.get(provider_sg.PROVIDER_SECURITYGROUPS) != [])
+        return provider_sgs_specified
+
    def _create_port_preprocess_security(
            self, context, port, port_data, neutron_db):
        (port_security, has_ip) = self._determine_port_security_and_has_ip(
@ -1758,10 +1766,8 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
            self._ensure_default_security_group_on_port(context, port)
            (sgids, psgids) = self._get_port_security_groups_lists(
                context, port)
-        # FIXME(roeyc): Also raise when provider security-groups specified but
-        # port-security is disabled.
-        elif self._check_update_has_security_groups(
-                {'port': port_data}):
+        elif (self._check_update_has_security_groups({'port': port_data}) or
+              self._provider_sgs_specified(port_data)):
            raise psec_exc.PortSecurityAndIPRequiredForSecurityGroups()
        else:
            sgids = psgids = []
@ -2352,9 +2358,7 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,

        # checks if security groups were updated adding/modifying
        # security groups, port security is set and port has ip
-        provider_sgs_specified = (validators.is_attr_set(
-            port_data.get(provider_sg.PROVIDER_SECURITYGROUPS)) and
-            port['port'][provider_sg.PROVIDER_SECURITYGROUPS] != [])
+        provider_sgs_specified = self._provider_sgs_specified(port_data)
        if (validate_port_sec and
            not (has_ip and updated_port[psec.PORTSECURITY])):
            if has_security_groups or provider_sgs_specified: