From 7417b3b18a191b14e706be1332e323074b5041ea Mon Sep 17 00:00:00 2001 From: Adit Sarfaty Date: Tue, 8 Nov 2016 11:11:04 +0200 Subject: [PATCH] NSX|V policy: get SG description from the policy If the user didn't set the security group description, it will be taken from the backend NSX policy description (or name if no description) Change-Id: I6e333f7711bca398a8a9cdd4310dfa911701f5d2 --- vmware_nsx/plugins/nsx_v/plugin.py | 7 +++++ .../nsx_v/vshield/securitygroup_utils.py | 15 +++++++++++ .../extensions/test_security_group_policy.py | 26 ++++++++++++++----- .../tests/unit/nsx_v/vshield/fake_vcns.py | 2 ++ 4 files changed, 44 insertions(+), 6 deletions(-) diff --git a/vmware_nsx/plugins/nsx_v/plugin.py b/vmware_nsx/plugins/nsx_v/plugin.py index 0b4689737c..11370e9831 100644 --- a/vmware_nsx/plugins/nsx_v/plugin.py +++ b/vmware_nsx/plugins/nsx_v/plugin.py @@ -3114,6 +3114,13 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin, if sg_with_policy and security_group.get(sg_logging.LOGGING): msg = _('Cannot support logging when using NSX policies') raise n_exc.InvalidInput(error_message=msg) + + # Use the NSX policy description as the description of this + # security group if the description was not set by the user + # and the security group is new or policy was updated + if new_policy and not security_group.get('description'): + security_group['description'] = ( + self.nsx_sg_utils.get_nsx_policy_description(new_policy)) else: # must not have a policy: if security_group.get(sg_policy.POLICY): diff --git a/vmware_nsx/plugins/nsx_v/vshield/securitygroup_utils.py b/vmware_nsx/plugins/nsx_v/vshield/securitygroup_utils.py index 894251fbd0..06f474df15 100644 --- a/vmware_nsx/plugins/nsx_v/vshield/securitygroup_utils.py +++ b/vmware_nsx/plugins/nsx_v/vshield/securitygroup_utils.py @@ -17,6 +17,8 @@ import xml.etree.ElementTree as et from oslo_log import log as logging +from neutron.api.v2 import attributes + from vmware_nsx.common import utils WAIT_INTERVAL = 2000 
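Review bot: In the plugin.py hunk, the added condition `if new_policy and not security_group.get('description'):` cannot tell a description the user never set from one that is simply absent from the current request body. The added comment says this path also covers "policy was updated", so an update carrying only a new policy would appear to overwrite a description the user stored earlier; the enclosing method starts and ends outside the hunk, so this needs confirming against the caller. If so, the stored value should be checked before overwriting, e.g. `if new_policy and not (security_group.get('description') or stored_description):`, where `stored_description` is a placeholder for the existing security group's description. The copied text is presumably written by the NSX administrator and ends up in a tenant-visible field, which deserves a short comment here.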
@@ -202,3 +204,16 @@ class NsxSecurityGroupUtils(object): return self.nsxv_manager.vcns.update_security_policy( policy_id, et.tostring(policy)) + + def get_nsx_policy_description(self, policy_id): + if not policy_id: + return + # Get the policy configuration + policy = self.nsxv_manager.vcns.get_security_policy(policy_id) + policy = utils.normalize_xml(policy) + # If no description - use the name instead + description = policy.find('description').text + if not description: + description = policy.find('name').text + # use only the allowed length + return description[:attributes.DESCRIPTION_MAX_LEN] diff --git a/vmware_nsx/tests/unit/extensions/test_security_group_policy.py b/vmware_nsx/tests/unit/extensions/test_security_group_policy.py index 1f6d81c1ea..3f4f0c407e 100644 --- a/vmware_nsx/tests/unit/extensions/test_security_group_policy.py +++ b/vmware_nsx/tests/unit/extensions/test_security_group_policy.py @@ -53,11 +53,14 @@ class SecGroupPolicyExtensionTestCase( del attr.RESOURCE_ATTRIBUTE_MAP['security_groups']['policy'] super(SecGroupPolicyExtensionTestCase, self).tearDown() - def _create_secgroup_with_policy(self, policy_id, logging=False): - body = {'security_group': {'name': 'sg-policy', - 'tenant_id': self._tenant_id, - 'policy': policy_id, - 'logging': logging}} + def _create_secgroup_with_policy(self, policy_id, description=None, + logging=False): + body = {'security_group': + {'name': 'sg-policy', + 'tenant_id': self._tenant_id, + 'policy': policy_id, + 'description': description if description else '', + 'logging': logging}} security_group_req = self.new_create_request('security-groups', body) return security_group_req.get_response(self.ext_api) 
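Review bot: In securitygroup_utils.py, `get_nsx_policy_description` reads `policy.find('description').text` and `policy.find('name').text` without checking that the elements exist, and slices the result even when both texts are empty. A policy document with no description element would raise AttributeError, and one whose description and name are both empty reaches `description[:attributes.DESCRIPTION_MAX_LEN]` with `None` and raises TypeError, in both cases during security-group validation. Assuming `utils.normalize_xml` returns an ElementTree element (it is not shown here), `description = policy.findtext('description') or policy.findtext('name') or ''` covers both cases. The method also needs a one-line docstring saying it returns the policy description, falls back to the name, truncates to the Neutron description limit, and returns `None` for an empty policy id.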
@@ -71,6 +74,15 @@ class SecGroupPolicyExtensionTestCase( res = self._create_secgroup_with_policy(policy_id) sg = self.deserialize(self.fmt, res) self.assertEqual(policy_id, sg['security_group']['policy']) + self.assertEqual('dummy', sg['security_group']['description']) + + def test_secgroup_create_with_policyand_desc(self): + policy_id = 'policy-5' + desc = 'test' + res = self._create_secgroup_with_policy(policy_id, description=desc) + sg = self.deserialize(self.fmt, res) + self.assertEqual(policy_id, sg['security_group']['policy']) + self.assertEqual(desc, sg['security_group']['description']) def test_secgroup_create_without_policy(self): res = self._create_secgroup_with_policy(None) @@ -169,9 +181,11 @@ class SecGroupPolicyExtensionTestCaseWithRules( def test_secgroup_create_without_policy(self): # in case allow_tenant_rules_with_policy is True, it is allowed to # create a regular sg - res = self._create_secgroup_with_policy(None) + desc = 'test' + res = self._create_secgroup_with_policy(None, description=desc) sg = self.deserialize(self.fmt, res) self.assertIsNone(sg['security_group']['policy']) + self.assertEqual(desc, sg['security_group']['description']) def test_secgroup_create_without_policy_update_policy(self): # Create a regular security group. adding the policy later should fail diff --git a/vmware_nsx/tests/unit/nsx_v/vshield/fake_vcns.py b/vmware_nsx/tests/unit/nsx_v/vshield/fake_vcns.py index 7ca49aced2..5d9cc3994a 100644 --- a/vmware_nsx/tests/unit/nsx_v/vshield/fake_vcns.py +++ b/vmware_nsx/tests/unit/nsx_v/vshield/fake_vcns.py @@ -1346,6 +1346,8 @@ class FakeVcns(object): response_text = ( "" "%s" + "pol1" + "dummy" "") % policy_id return response_text
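Review bot: The new test name `test_secgroup_create_with_policyand_desc` is missing an underscore; `test_secgroup_create_with_policy_and_desc` reads consistently with the neighbouring tests. The added assertions cover only creation against the fake's fixed `dummy` description. Nothing in these hunks exercises the fallback to the policy name, the truncation to `DESCRIPTION_MAX_LEN`, or a policy change on update, which are the branches the new helper and the plugin condition introduce.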