    def _process_sg_notification(self, resource, event, trigger, **kwargs):
        """Re-sync OVN ACLs after a Neutron security-group callback.

        Two callback resources are handled:

        * ``SECURITY_GROUP`` — any event: the whole group is refreshed
          (no single rule, ``is_add_acl`` left at ``True``).
        * ``SECURITY_GROUP_RULE`` — ``AFTER_CREATE`` adds the ACL for the new
          rule; ``BEFORE_DELETE`` looks the rule up (it is still in the DB at
          this point) and removes its ACL.

        Any other resource/event combination falls through with ``sg_id`` and
        ``rule`` both ``None`` and still reaches ``update_acls_for_security_group``;
        NOTE(review): presumably the callback is only subscribed for the
        combinations above — confirm at the registration site.

        The admin context is used so the sync is not limited to what the
        tenant that triggered the event can see (NOTE(review): inferred from
        ``get_admin_context`` — confirm). Per the TODO below, a failed update
        leaves Neutron and OVN out of sync until the next refresh; on a
        ``BEFORE_DELETE`` that means the ACL for the deleted rule keeps
        permitting traffic in OVN until then.
        """
        ctx = n_context.get_admin_context()
        group_id = None
        rule = None
        adding = True

        is_group = resource == resources.SECURITY_GROUP
        is_rule = resource == resources.SECURITY_GROUP_RULE

        if is_group:
            group_id = kwargs.get('security_group_id')
        elif is_rule and event == events.AFTER_CREATE:
            rule = kwargs.get('security_group_rule')
            group_id = rule['security_group_id']
        elif is_rule and event == events.BEFORE_DELETE:
            # The rule is about to be deleted; fetch it now so we know which
            # group/ACL to drop.
            rule = self._plugin.get_security_group_rule(
                ctx, kwargs.get('security_group_rule_id'))
            group_id = rule['security_group_id']
            adding = False

        # TODO(russellb) It's possible for Neutron and OVN to get out of sync
        # here. If updating ACls fails somehow, we're out of sync until another
        # change causes another refresh attempt.
        ovn_acl.update_acls_for_security_group(self._plugin,
                                               ctx,
                                               self._nb_ovn,
                                               group_id,
                                               rule=rule,
                                               is_add_acl=adding)
    def test_update_acls_for_security_group(self):
        """A rule referencing a remote group yields one ACL for the member port.

        ``member_port`` is bound to ``group``; the rule on ``group`` points at
        ``peer_group`` (which has no ports in the cache). The reference ACL is
        built with the same helper the production path uses, minus the
        ``lport``/``lswitch`` keys that are not part of the ``update_acls``
        payload.
        """
        group = fakes.FakeSecurityGroup.create_one_security_group().info()
        peer_group = fakes.FakeSecurityGroup.create_one_security_group().info()
        rule = fakes.FakeSecurityGroupRule.create_one_security_group_rule({
            'security_group_id': group['id'],
            'remote_group_id': peer_group['id'],
        }).info()
        member_port = fakes.FakePort.create_one_port({
            'security_groups': [group['id']],
        }).info()
        self.plugin.get_ports.return_value = [member_port]
        cache = {
            group['id']: [{'port_id': member_port['id']}],
            peer_group['id']: [],
        }

        # Reference ACL, stripped of the keys update_acls does not receive.
        want = ovn_acl._add_sg_rule_acl_for_port(member_port, rule)
        for dropped in ('lport', 'lswitch'):
            want.pop(dropped)

        ovn_acl.update_acls_for_security_group(self.plugin,
                                               self.admin_context,
                                               self.driver._nb_ovn,
                                               group['id'],
                                               rule,
                                               sg_ports_cache=cache)
        self.driver._nb_ovn.update_acls.assert_called_once_with(
            [member_port['network_id']],
            mock.ANY,
            {member_port['id']: want},
            need_compare=False,
            is_add_acl=True,
        )
    def test_update_acls_for_security_group(self):
        """No ACLs are produced when the rule's remote group has no ports.

        The rule on ``group`` references ``peer_group``, whose cache entry is
        empty, so there is no address to match and ``update_acls`` must be
        called with an empty ACL mapping (still flagged ``is_add_acl=True``).
        """
        group = fakes.FakeSecurityGroup.create_one_security_group().info()
        peer_group = fakes.FakeSecurityGroup.create_one_security_group().info()
        rule = fakes.FakeSecurityGroupRule.create_one_security_group_rule({
            'security_group_id': group['id'],
            'remote_group_id': peer_group['id'],
        }).info()
        member_port = fakes.FakePort.create_one_port({
            'security_groups': [group['id']],
        }).info()
        self.plugin.get_ports.return_value = [member_port]
        cache = {
            group['id']: [{'port_id': member_port['id']}],
            peer_group['id']: [],
        }

        ovn_acl.update_acls_for_security_group(self.plugin,
                                               self.admin_context,
                                               self.driver._nb_ovn,
                                               group['id'],
                                               sg_ports_cache=cache,
                                               rule=rule)
        self.driver._nb_ovn.update_acls.assert_called_once_with(
            [member_port['network_id']],
            mock.ANY,
            {},
            need_compare=False,
            is_add_acl=True,
        )
    def test_update_acls_for_security_group(self):
        """No ACLs are produced when the rule's remote group has no ports.

        Same scenario as the sibling test: the rule on ``group`` references
        ``peer_group``, whose cache entry is empty, so ``update_acls`` is
        invoked with an empty ACL mapping.
        """
        group = fakes.FakeSecurityGroup.create_one_security_group().info()
        peer_group = fakes.FakeSecurityGroup.create_one_security_group().info()
        rule = fakes.FakeSecurityGroupRule.create_one_security_group_rule({
            'security_group_id': group['id'],
            'remote_group_id': peer_group['id'],
        }).info()
        member_port = fakes.FakePort.create_one_port({
            'security_groups': [group['id']],
        }).info()
        self.plugin.get_ports.return_value = [member_port]
        cache = {
            group['id']: [{'port_id': member_port['id']}],
            peer_group['id']: [],
        }

        ovn_acl.update_acls_for_security_group(self.plugin,
                                               self.admin_context,
                                               self.driver._nb_ovn,
                                               group['id'],
                                               sg_ports_cache=cache,
                                               rule=rule)
        self.driver._nb_ovn.update_acls.assert_called_once_with(
            [member_port['network_id']],
            mock.ANY,
            {},
            need_compare=False,
            is_add_acl=True,
        )
    def _process_sg_rule_notification(self, resource, event, trigger,
                                      **kwargs):
        """Add or remove the OVN ACL for a single security-group rule.

        ``AFTER_CREATE`` takes the new rule from ``kwargs`` and adds its ACL.
        ``BEFORE_DELETE`` re-reads the rule through the plugin (it is still in
        the DB at this point) and removes its ACL. Any other event reaches
        ``update_acls_for_security_group`` with ``sg_id`` and ``rule`` both
        ``None``; NOTE(review): presumably the callback is only subscribed
        for these two events — confirm at the registration site.

        The lookup and the sync both run under an admin context
        (NOTE(review): presumably so the sync is not restricted to the
        calling tenant's view — confirm). Per the TODO below, a failed
        update leaves OVN out of sync until the next refresh; for a delete
        that means the removed rule's ACL keeps permitting traffic until then.
        """
        ctx = n_context.get_admin_context()

        if event == events.AFTER_CREATE:
            rule = kwargs.get('security_group_rule')
            group_id, adding = rule['security_group_id'], True
        elif event == events.BEFORE_DELETE:
            # Fetch the rule now, before it disappears from the DB.
            rule = self._plugin.get_security_group_rule(
                ctx, kwargs.get('security_group_rule_id'))
            group_id, adding = rule['security_group_id'], False
        else:
            rule, group_id, adding = None, None, True

        # TODO(russellb) It's possible for Neutron and OVN to get out of sync
        # here. If updating ACls fails somehow, we're out of sync until another
        # change causes another refresh attempt.
        ovn_acl.update_acls_for_security_group(self._plugin,
                                               ctx,
                                               self._nb_ovn,
                                               group_id,
                                               rule,
                                               is_add_acl=adding)
    def _test_update_acls_for_security_group(self, use_cache=True):
        """Shared driver: one ACL is emitted for the port bound to the group.

        With ``use_cache`` the SG→ports mapping comes from ``sg_ports_cache``;
        without it the cache is ``None`` and the port bindings are served by
        the mocked ``_get_port_security_group_bindings``. Either way the
        expected ACL is the one ``_add_sg_rule_acl_for_port`` builds, minus
        the ``lport``/``lswitch`` keys that ``update_acls`` does not receive.
        """
        group = fakes.FakeSecurityGroup.create_one_security_group().info()
        peer_group = fakes.FakeSecurityGroup.create_one_security_group().info()
        rule = fakes.FakeSecurityGroupRule.create_one_security_group_rule({
            'security_group_id': group['id'],
            'remote_group_id': peer_group['id'],
        }).info()
        member_port = fakes.FakePort.create_one_port({
            'security_groups': [group['id']],
        }).info()
        self.plugin.get_ports.return_value = [member_port]

        binding = {'port_id': member_port['id']}
        cache = None
        if use_cache:
            cache = {group['id']: [binding], peer_group['id']: []}
        else:
            # No cache: the plugin must answer the binding lookup itself.
            self.plugin._get_port_security_group_bindings.return_value = [
                binding]

        # Reference ACL, stripped of the keys update_acls does not receive.
        want = ovn_acl._add_sg_rule_acl_for_port(member_port, rule)
        for dropped in ('lport', 'lswitch'):
            want.pop(dropped)

        ovn_acl.update_acls_for_security_group(self.plugin,
                                               self.admin_context,
                                               self.driver._nb_ovn,
                                               group['id'],
                                               rule,
                                               sg_ports_cache=cache)
        self.driver._nb_ovn.update_acls.assert_called_once_with(
            [member_port['network_id']],
            mock.ANY,
            {member_port['id']: want},
            need_compare=False,
            is_add_acl=True,
        )
    def test_sg_disabled(self):
        """With security groups disabled, the ACL layer is a no-op.

        ``is_sg_enabled`` is patched to ``False``: ``add_acls`` returns no
        ACLs for a port that is bound to a group, a group update never reaches
        ``update_acls``, and ``acl_port_ips`` reports no addresses. In other
        words, disabling SGs disables OVN-side enforcement entirely — any
        filtering must then come from elsewhere.
        """
        group = fakes.FakeSecurityGroup.create_one_security_group().info()
        member_port = fakes.FakePort.create_one_port({
            'security_groups': [group['id']],
        }).info()

        with mock.patch('networking_ovn.common.acl.is_sg_enabled',
                        return_value=False):
            # No ACLs for the port.
            self.assertEqual(
                [],
                ovn_acl.add_acls(self.plugin, self.admin_context, member_port,
                                 {}, {}, self.driver._ovn))

            # No update issued for the group.
            ovn_acl.update_acls_for_security_group(self.plugin,
                                                   self.admin_context,
                                                   self.driver._ovn,
                                                   group['id'],
                                                   None)
            self.driver._ovn.update_acls.assert_not_called()

            # No addresses collected for the port.
            self.assertEqual({'ip4': [], 'ip6': []},
                             ovn_acl.acl_port_ips(member_port))
    def test_sg_disabled(self):
        """With security groups disabled, the ACL layer is a no-op.

        ``is_sg_enabled`` is patched to ``False``: ``add_acls`` returns no
        ACLs for a port that is bound to a group, a group update never reaches
        ``update_acls``, and ``acl_port_ips`` reports no addresses. In other
        words, disabling SGs disables OVN-side enforcement entirely — any
        filtering must then come from elsewhere.
        """
        group = fakes.FakeSecurityGroup.create_one_security_group().info()
        member_port = fakes.FakePort.create_one_port({
            'security_groups': [group['id']],
        }).info()

        with mock.patch('networking_ovn.common.acl.is_sg_enabled',
                        return_value=False):
            # No ACLs for the port.
            self.assertEqual(
                [],
                ovn_acl.add_acls(self.plugin, self.admin_context,
                                 member_port, {}, {}))

            # No update issued for the group.
            ovn_acl.update_acls_for_security_group(self.plugin,
                                                   self.admin_context,
                                                   self.driver._ovn,
                                                   group['id'])
            self.driver._ovn.update_acls.assert_not_called()

            # No addresses collected for the port.
            self.assertEqual({'ip4': [], 'ip6': []},
                             ovn_acl.acl_port_ips(member_port))