Proper validation for inserting firewall rule

Say rule r2 is associated with policy p2. If user tries to insert rule r1 into a policy p1 before/after r2, error should be thrown saying that rule r2 is not associated with policy p1. Change-Id: Ifa415acc9533b7a323f966ee42d476460e68c9d3 Closes-bug: 1330898
2014-06-17 07:03:10 -07:00 · 2014-06-17 07:03:10 -07:00 · 738a8531b9
commit 738a8531b9
parent 305dadf75e
2 changed files with 29 additions and 0 deletions
--- a/neutron/db/firewall/firewall_db.py
+++ b/neutron/db/firewall/firewall_db.py
@ -452,6 +452,10 @@ class Firewall_db_mixin(firewall.FirewallPluginBase, base_db.CommonDbMixin):
                # rule is inserted after reference_firewall_rule_id.
                ref_fwr_db = self._get_firewall_rule(
                    context, ref_firewall_rule_id)
+                if ref_fwr_db.firewall_policy_id != id:
+                    raise firewall.FirewallRuleNotAssociatedWithPolicy(
+                        firewall_rule_id=ref_fwr_db['id'],
+                        firewall_policy_id=id)
                if insert_before:
                    position = ref_fwr_db.position
                else:
--- a/neutron/tests/unit/db/firewall/test_db_firewall.py
+++ b/neutron/tests/unit/db/firewall/test_db_firewall.py
@ -929,6 +929,31 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase):
                        expected_code=webob.exc.HTTPConflict.code,
                        expected_body=None, body_data=insert_data)

+    def test_insert_rule_for_prev_associated_ref_rule(self):
+        with contextlib.nested(self.firewall_rule(name='fwr0'),
+                               self.firewall_rule(name='fwr1')) as fwr:
+            fwr0_id = fwr[0]['firewall_rule']['id']
+            fwr1_id = fwr[1]['firewall_rule']['id']
+            with contextlib.nested(
+                self.firewall_policy(name='fwp0'),
+                    self.firewall_policy(name='fwp1',
+                                         firewall_rules=[fwr1_id])) as fwp:
+                fwp0_id = fwp[0]['firewall_policy']['id']
+                #test inserting before a rule which is associated
+                #with different policy
+                self._rule_action(
+                    'insert', fwp0_id, fwr0_id,
+                    insert_before=fwr1_id,
+                    expected_code=webob.exc.HTTPBadRequest.code,
+                    expected_body=None)
+                #test inserting  after a rule which is associated
+                #with different policy
+                self._rule_action(
+                    'insert', fwp0_id, fwr0_id,
+                    insert_after=fwr1_id,
+                    expected_code=webob.exc.HTTPBadRequest.code,
+                    expected_body=None)
+
    def test_insert_rule_in_policy(self):
        attrs = self._get_test_firewall_policy_attrs()
        attrs['audited'] = False