Don't require passing in port_security=False if security_groups present
authorAaron Rosen <aaronorosen@gmail.com>
Wed, 8 Jan 2014 21:10:54 +0000 (13:10 -0800)
committerThomas Goirand <thomas@goirand.fr>
Thu, 13 Mar 2014 07:20:26 +0000 (15:20 +0800)
If creating a port on a network that is marked as port_security_enabled=False
and one passes in a security_group in the port_create request previously an
error was raised saying they needed to also pass in
port_security_enabled=False. This patch removes that requirement and instead
sets port_security_enabled=True internally if a port has an ip_address and a
security_group is passed in. This is more convenient and does not break
backwards compatibility.

Closes-bug: #1267249
Change-Id: Ifb5a5511f016a5d8c5b5075c9fdc27279cdd9bb5

neutron/db/portsecurity_db.py
neutron/tests/unit/test_extension_portsecurity.py

index e5ad6b19d42c551492b7d49ad40f62b96490edce..cefe85fb66d17b02ec29d08da9fabf362ebcf55d 100644 (file)
@@ -161,6 +161,13 @@ class PortSecurityDbMixin(object):
         if (psec.PORTSECURITY in port and
             isinstance(port[psec.PORTSECURITY], bool)):
             port_security_enabled = port[psec.PORTSECURITY]
+
+        # If port has an ip and security_groups are passed in
+        # conveniently set port_security_enabled to true this way
+        # user doesn't also have to pass in port_security_enabled=True
+        # when creating ports.
+        elif (has_ip and attrs.is_attr_set('security_groups')):
+            port_security_enabled = True
         else:
             port_security_enabled = self._get_network_security_binding(
                 context, port['network_id'])
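Review bot: The new `elif` passes the literal string `'security_groups'` to `attrs.is_attr_set()` instead of the value supplied in the request. If that helper compares its argument against None or a not-specified sentinel, as its name suggests, a non-empty string always counts as set, so the branch reduces to `has_ip` and every port with an IP gets `port_security_enabled = True`, overriding a network created with `port_security_enabled=False`. The condition should test the port's own attribute: `elif (has_ip and attrs.is_attr_set(port.get('security_groups'))):`. It is also worth deciding whether an explicitly empty `security_groups` list should switch port security on, since an empty list would presumably still count as set. The enclosing method and the definition of `has_ip` lie outside this hunk.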
index cdee46685928a34c94c1cc4db1c32199c7188272..a90e7a2cba9cd8cc277251b288c8435b5ce78b8d 100644 (file)
@@ -263,6 +263,28 @@ class TestPortSecurity(PortSecurityDBTestCase):
                 self.assertEqual(len(port['port'][ext_sg.SECURITYGROUPS]), 1)
                 self._delete('ports', port['port']['id'])
 
+    def test_create_port_with_security_group_and_net_sec_false(self):
+        # This tests that port_security_enabled is true when creating
+        # a port on a network that is marked as port_security_enabled=False
+        # that has a subnet and securiy_groups are passed it.
+        if self._skip_security_group:
+            self.skipTest("Plugin does not support security groups")
+        res = self._create_network('json', 'net1', True,
+                                   arg_list=('port_security_enabled',),
+                                   port_security_enabled=False)
+        net = self.deserialize('json', res)
+        self._create_subnet('json', net['network']['id'], '10.0.0.0/24')
+        security_group = self.deserialize(
+            'json', self._create_security_group(self.fmt, 'asdf', 'asdf'))
+        security_group_id = security_group['security_group']['id']
+        res = self._create_port('json', net['network']['id'],
+                                arg_list=('security_groups',),
+                                security_groups=[security_group_id])
+        port = self.deserialize('json', res)
+        self.assertEqual(port['port'][psec.PORTSECURITY], True)
+        self.assertEqual(port['port']['security_groups'], [security_group_id])
+        self._delete('ports', port['port']['id'])
+
     def test_update_port_security_off_with_security_group(self):
         if self._skip_security_group:
             self.skipTest("Plugin does not support security groups")
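Review bot: `test_create_port_with_security_group_and_net_sec_false` covers only the case where security groups are supplied, so it would still pass if the plugin enabled port security on every port that has an IP. A companion case that creates a port on the same `port_security_enabled=False` network without `security_groups` and ends with `self.assertEqual(port['port'][psec.PORTSECURITY], False)` would pin the network default, unless a test outside this hunk already does so. The result of `_create_port` is deserialized without checking its status, so a rejected create would show up as a KeyError rather than a clear failure; assuming `res` is the usual webob response, `self.assertEqual(res.status_int, 201)` before `deserialize` makes that explicit.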