From 6535cccf0bf63ba1efb60a15d364d1a7f9eee026 Mon Sep 17 00:00:00 2001
From: Gary Kotton <gkotton@vmware.com>
Date: Thu, 24 Aug 2017 01:27:13 -0700
Subject: [PATCH] NSX|V3: enforce provider rules not being set when not port
 sec

Ensure that on port creation provider rules are not set if port
security is disabled.

Change-Id: I509c7452d4c1b93e70e90b0578f6b23dd6283654
---
 vmware_nsx/plugins/nsx_v3/plugin.py | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/vmware_nsx/plugins/nsx_v3/plugin.py b/vmware_nsx/plugins/nsx_v3/plugin.py
index c642bcf1df..c817960133 100644
--- a/vmware_nsx/plugins/nsx_v3/plugin.py
+++ b/vmware_nsx/plugins/nsx_v3/plugin.py
@@ -1733,6 +1733,14 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
             if not utils.is_ipv4_ip_address(ip):
                 raise nsx_exc.InvalidIPAddress(ip_address=ip)
 
+    def _provider_sgs_specified(self, port_data):
+        # checks if security groups were updated adding/modifying
+        # security groups, port security is set and port has ip
+        provider_sgs_specified = (validators.is_attr_set(
+            port_data.get(provider_sg.PROVIDER_SECURITYGROUPS)) and
+            port_data.get(provider_sg.PROVIDER_SECURITYGROUPS) != [])
+        return provider_sgs_specified
+
     def _create_port_preprocess_security(
             self, context, port, port_data, neutron_db):
         (port_security, has_ip) = self._determine_port_security_and_has_ip(
@@ -1758,10 +1766,8 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
             self._ensure_default_security_group_on_port(context, port)
             (sgids, psgids) = self._get_port_security_groups_lists(
                 context, port)
-        # FIXME(roeyc): Also raise when provider security-groups specified but
-        # port-security is disabled.
-        elif self._check_update_has_security_groups(
-                {'port': port_data}):
+        elif (self._check_update_has_security_groups({'port': port_data}) or
+              self._provider_sgs_specified(port_data)):
             raise psec_exc.PortSecurityAndIPRequiredForSecurityGroups()
         else:
             sgids = psgids = []
@@ -2352,9 +2358,7 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
 
         # checks if security groups were updated adding/modifying
         # security groups, port security is set and port has ip
-        provider_sgs_specified = (validators.is_attr_set(
-            port_data.get(provider_sg.PROVIDER_SECURITYGROUPS)) and
-            port['port'][provider_sg.PROVIDER_SECURITYGROUPS] != [])
+        provider_sgs_specified = self._provider_sgs_specified(port_data)
         if (validate_port_sec and
             not (has_ip and updated_port[psec.PORTSECURITY])):
             if has_security_groups or provider_sgs_specified: