NSX|V policy: get SG description from the policy

If the user didn't set the security group description, it will be taken from the backend NSX policy description (or name if no description) Change-Id: I6e333f7711bca398a8a9cdd4310dfa911701f5d2
2016-11-08 11:11:04 +02:00 · 2016-11-08 11:11:04 +02:00 · 7417b3b18a
commit 7417b3b18a
parent ba9a83a016
4 changed files with 44 additions and 6 deletions
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@ -3114,6 +3114,13 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
            if sg_with_policy and security_group.get(sg_logging.LOGGING):
                msg = _('Cannot support logging when using NSX policies')
                raise n_exc.InvalidInput(error_message=msg)
+
+            # Use the NSX policy description as the description of this
+            # security group if the description was not set by the user
+            # and the security group is new or policy was updated
+            if new_policy and not security_group.get('description'):
+                security_group['description'] = (
+                    self.nsx_sg_utils.get_nsx_policy_description(new_policy))
        else:
            # must not have a policy:
            if security_group.get(sg_policy.POLICY):
--- a/vmware_nsx/plugins/nsx_v/vshield/securitygroup_utils.py
+++ b/vmware_nsx/plugins/nsx_v/vshield/securitygroup_utils.py
@ -17,6 +17,8 @@ import xml.etree.ElementTree as et

 from oslo_log import log as logging

+from neutron.api.v2 import attributes
+
 from vmware_nsx.common import utils

 WAIT_INTERVAL = 2000
@ -202,3 +204,16 @@ class NsxSecurityGroupUtils(object):

        return self.nsxv_manager.vcns.update_security_policy(
            policy_id, et.tostring(policy))
+
+    def get_nsx_policy_description(self, policy_id):
+        if not policy_id:
+            return
+        # Get the policy configuration
+        policy = self.nsxv_manager.vcns.get_security_policy(policy_id)
+        policy = utils.normalize_xml(policy)
+        # If no description - use the name instead
+        description = policy.find('description').text
+        if not description:
+            description = policy.find('name').text
+        # use only the allowed length
+        return description[:attributes.DESCRIPTION_MAX_LEN]
--- a/vmware_nsx/tests/unit/extensions/test_security_group_policy.py
+++ b/vmware_nsx/tests/unit/extensions/test_security_group_policy.py
@ -53,11 +53,14 @@ class SecGroupPolicyExtensionTestCase(
        del attr.RESOURCE_ATTRIBUTE_MAP['security_groups']['policy']
        super(SecGroupPolicyExtensionTestCase, self).tearDown()

-    def _create_secgroup_with_policy(self, policy_id, logging=False):
-        body = {'security_group': {'name': 'sg-policy',
-                                   'tenant_id': self._tenant_id,
-                                   'policy': policy_id,
-                                   'logging': logging}}
+    def _create_secgroup_with_policy(self, policy_id, description=None,
+                                     logging=False):
+        body = {'security_group':
+            {'name': 'sg-policy',
+             'tenant_id': self._tenant_id,
+             'policy': policy_id,
+             'description': description if description else '',
+             'logging': logging}}
        security_group_req = self.new_create_request('security-groups', body)
        return security_group_req.get_response(self.ext_api)

@ -71,6 +74,15 @@ class SecGroupPolicyExtensionTestCase(
        res = self._create_secgroup_with_policy(policy_id)
        sg = self.deserialize(self.fmt, res)
        self.assertEqual(policy_id, sg['security_group']['policy'])
+        self.assertEqual('dummy', sg['security_group']['description'])
+
+    def test_secgroup_create_with_policyand_desc(self):
+        policy_id = 'policy-5'
+        desc = 'test'
+        res = self._create_secgroup_with_policy(policy_id, description=desc)
+        sg = self.deserialize(self.fmt, res)
+        self.assertEqual(policy_id, sg['security_group']['policy'])
+        self.assertEqual(desc, sg['security_group']['description'])

    def test_secgroup_create_without_policy(self):
        res = self._create_secgroup_with_policy(None)
@ -169,9 +181,11 @@ class SecGroupPolicyExtensionTestCaseWithRules(
    def test_secgroup_create_without_policy(self):
        # in case allow_tenant_rules_with_policy is True, it is allowed to
        # create a regular sg
-        res = self._create_secgroup_with_policy(None)
+        desc = 'test'
+        res = self._create_secgroup_with_policy(None, description=desc)
        sg = self.deserialize(self.fmt, res)
        self.assertIsNone(sg['security_group']['policy'])
+        self.assertEqual(desc, sg['security_group']['description'])

    def test_secgroup_create_without_policy_update_policy(self):
        # Create a regular security group. adding the policy later should fail
--- a/vmware_nsx/tests/unit/nsx_v/vshield/fake_vcns.py
+++ b/vmware_nsx/tests/unit/nsx_v/vshield/fake_vcns.py
@ -1346,6 +1346,8 @@ class FakeVcns(object):
        response_text = (
            "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
            "<securityPolicy><objectId>%s</objectId>"
+            "<name>pol1</name>"
+            "<description>dummy</description>"
            "</securityPolicy>") % policy_id
        return response_text