Fixes Hyper-V agent security groups enable issue

Fixes the weight of the applied allow rules by ignoring the weight of the reject rules. Fixes the override allow rules issue by fixing the ACL filtering condition. Change-Id: I38ddd7142d0fa45f308460153d29580f276ce07e Closes-Bug: #1294368
2014-03-17 13:53:55 -07:00 · 2014-03-17 13:53:55 -07:00 · 529c04e125
commit 529c04e125
parent c677a0a89e
2 changed files with 26 additions and 10 deletions
--- a/neutron/plugins/hyperv/agent/utilsv2.py
+++ b/neutron/plugins/hyperv/agent/utilsv2.py
@ -366,11 +366,12 @@ class HyperVUtilsV2R2(HyperVUtilsV2):
        return [v for v in acls
                if v.Action == action and
                v.Direction == direction and
-                v.LocalPort in [str(local_port), self._ACL_DEFAULT] and
-                v.Protocol in [protocol] and
+                v.LocalPort == str(local_port) and
+                v.Protocol == protocol and
                v.RemoteIPAddress == remote_addr]

    def _get_new_weight(self, acls):
+        acls = [a for a in acls if a.Action is not self._ACL_ACTION_DENY]
        if not acls:
            return self._MAX_WEIGHT - 1

--- a/neutron/tests/unit/hyperv/test_hyperv_utilsv2.py
+++ b/neutron/tests/unit/hyperv/test_hyperv_utilsv2.py
@ -352,14 +352,19 @@ class TestHyperVUtilsV2R2(base.BaseTestCase):
            default, default, self._FAKE_REMOTE_ADDR)

    def _test_filter_security_acls(self, local_port, protocol, remote_addr):
-        mock_acl = mock.MagicMock()
-        mock_acl.Action = self._utils._ACL_ACTION_ALLOW
-        mock_acl.Direction = self._FAKE_ACL_DIR
-        mock_acl.LocalPort = local_port
-        mock_acl.Protocol = protocol
-        mock_acl.RemoteIPAddress = remote_addr
+        acls = []
+        default = self._utils._ACL_DEFAULT
+        for port, proto in [(default, default), (local_port, protocol)]:
+            mock_acl = mock.MagicMock()
+            mock_acl.Action = self._utils._ACL_ACTION_ALLOW
+            mock_acl.Direction = self._FAKE_ACL_DIR
+            mock_acl.LocalPort = port
+            mock_acl.Protocol = proto
+            mock_acl.RemoteIPAddress = remote_addr
+            acls.append(mock_acl)
+
+        right_acls = [a for a in acls if a.LocalPort == local_port]

-        acls = [mock_acl, mock_acl]
        good_acls = self._utils._filter_security_acls(
            acls, mock_acl.Action, self._FAKE_ACL_DIR, self._FAKE_ACL_TYPE,
            local_port, protocol, remote_addr)
@ -367,7 +372,7 @@ class TestHyperVUtilsV2R2(base.BaseTestCase):
            acls, self._FAKE_ACL_ACT, self._FAKE_ACL_DIR, self._FAKE_ACL_TYPE,
            local_port, protocol, remote_addr)

-        self.assertEqual(acls, good_acls)
+        self.assertEqual(right_acls, good_acls)
        self.assertEqual([], bad_acls)

    def test_get_new_weight(self):
@ -381,3 +386,13 @@ class TestHyperVUtilsV2R2(base.BaseTestCase):
    def test_get_new_weight_no_acls(self):
        self.assertEqual(self._utils._MAX_WEIGHT - 1,
                         self._utils._get_new_weight([]))
+
+    def test_get_new_weight_default_acls(self):
+        mockacl1 = mock.MagicMock()
+        mockacl1.Weight = self._utils._MAX_WEIGHT - 1
+        mockacl2 = mock.MagicMock()
+        mockacl2.Weight = self._utils._MAX_WEIGHT - 2
+        mockacl2.Action = self._utils._ACL_ACTION_DENY
+
+        self.assertEqual(self._utils._MAX_WEIGHT - 2,
+                         self._utils._get_new_weight([mockacl1, mockacl2]))