Fixes Hyper-V agent security groups enable issue

Fixes the weight of the applied allow rules by ignoring
the weight of the reject rules.
Fixes the override allow rules issue by fixing the
ACL filtering condition.

Change-Id: I38ddd7142d0fa45f308460153d29580f276ce07e
Closes-Bug: #1294368

diff --git a/neutron/plugins/hyperv/agent/utilsv2.py b/neutron/plugins/hyperv/agent/utilsv2.py
index cc38db139ab6da822db50743fe680d251c53d900..87ed8704c448fea06d2ea7cade4f67f6bbc8d2a6 100644 (file)
--- a/neutron/plugins/hyperv/agent/utilsv2.py
+++ b/neutron/plugins/hyperv/agent/utilsv2.py
@@ -366,11 +366,12 @@ class HyperVUtilsV2R2(HyperVUtilsV2):
         return [v for v in acls
                 if v.Action == action and
                 v.Direction == direction and
-                v.LocalPort in [str(local_port), self._ACL_DEFAULT] and
-                v.Protocol in [protocol] and
+                v.LocalPort == str(local_port) and
+                v.Protocol == protocol and
                 v.RemoteIPAddress == remote_addr]
 
     def _get_new_weight(self, acls):
+        acls = [a for a in acls if a.Action is not self._ACL_ACTION_DENY]
         if not acls:
             return self._MAX_WEIGHT - 1
 

diff --git a/neutron/tests/unit/hyperv/test_hyperv_utilsv2.py b/neutron/tests/unit/hyperv/test_hyperv_utilsv2.py
index 565368a24e5506b8cf5ebb11547f58cb66833e2d..0d7a59e721c9bdfbdc31e2125021893ed54ec494 100644 (file)
--- a/neutron/tests/unit/hyperv/test_hyperv_utilsv2.py
+++ b/neutron/tests/unit/hyperv/test_hyperv_utilsv2.py
@@ -352,14 +352,19 @@ class TestHyperVUtilsV2R2(base.BaseTestCase):
             default, default, self._FAKE_REMOTE_ADDR)
 
     def _test_filter_security_acls(self, local_port, protocol, remote_addr):
-        mock_acl = mock.MagicMock()
-        mock_acl.Action = self._utils._ACL_ACTION_ALLOW
-        mock_acl.Direction = self._FAKE_ACL_DIR
-        mock_acl.LocalPort = local_port
-        mock_acl.Protocol = protocol
-        mock_acl.RemoteIPAddress = remote_addr
+        acls = []
+        default = self._utils._ACL_DEFAULT
+        for port, proto in [(default, default), (local_port, protocol)]:
+            mock_acl = mock.MagicMock()
+            mock_acl.Action = self._utils._ACL_ACTION_ALLOW
+            mock_acl.Direction = self._FAKE_ACL_DIR
+            mock_acl.LocalPort = port
+            mock_acl.Protocol = proto
+            mock_acl.RemoteIPAddress = remote_addr
+            acls.append(mock_acl)
+
+        right_acls = [a for a in acls if a.LocalPort == local_port]
 
-        acls = [mock_acl, mock_acl]
         good_acls = self._utils._filter_security_acls(
             acls, mock_acl.Action, self._FAKE_ACL_DIR, self._FAKE_ACL_TYPE,
             local_port, protocol, remote_addr)
@@ -367,7 +372,7 @@ class TestHyperVUtilsV2R2(base.BaseTestCase):
             acls, self._FAKE_ACL_ACT, self._FAKE_ACL_DIR, self._FAKE_ACL_TYPE,
             local_port, protocol, remote_addr)
 
-        self.assertEqual(acls, good_acls)
+        self.assertEqual(right_acls, good_acls)
         self.assertEqual([], bad_acls)
 
     def test_get_new_weight(self):
@@ -381,3 +386,13 @@ class TestHyperVUtilsV2R2(base.BaseTestCase):
     def test_get_new_weight_no_acls(self):
         self.assertEqual(self._utils._MAX_WEIGHT - 1,
                          self._utils._get_new_weight([]))
+
+    def test_get_new_weight_default_acls(self):
+        mockacl1 = mock.MagicMock()
+        mockacl1.Weight = self._utils._MAX_WEIGHT - 1
+        mockacl2 = mock.MagicMock()
+        mockacl2.Weight = self._utils._MAX_WEIGHT - 2
+        mockacl2.Action = self._utils._ACL_ACTION_DENY
+
+        self.assertEqual(self._utils._MAX_WEIGHT - 2,
+                         self._utils._get_new_weight([mockacl1, mockacl2]))