From: Swaminathan Vasudevan
Date: Thu, 26 Feb 2015 21:29:26 +0000 (-0800)
Subject: Prevent direct port-delete of FIP Agent GW and CSNAT
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=17cae2cb7e6ece0d7219fdd92e2d0eb96992b852;p=openstack-build%2Fneutron-build.git
Prevent direct port-delete of FIP Agent GW and CSNAT
FloatingIP Agent GW Port and Centralized SNAT port that are currently used by DVR in FloatingIP and SNAT Namespaces respectively should not be allowed to delete directly using the Port-delete command by an admin. This patch fixes the above stated issue by adding the respective device-owners to the router_device_owners list in l3_dvr_db.py
Change-Id: Ibdddf2af348907d2ec7513693d546739e16437dc
Closes-Bug: #1425504
---
diff --git a/neutron/db/l3_dvr_db.py b/neutron/db/l3_dvr_db.py
index 6b76d479d..facbbc20b 100644
--- a/neutron/db/l3_dvr_db.py
+++ b/neutron/db/l3_dvr_db.py
@@ -54,7 +54,9 @@ class L3_NAT_with_dvr_db_mixin(l3_db.L3_NAT_db_mixin,
 router_device_owners = (
 l3_db.L3_NAT_db_mixin.router_device_owners +
- (DEVICE_OWNER_DVR_INTERFACE,))
+ (DEVICE_OWNER_DVR_INTERFACE,
+ DEVICE_OWNER_DVR_SNAT,
+ DEVICE_OWNER_AGENT_GW))
 extra_attributes = (
 l3_attrs_db.ExtraAttributesMixin.extra_attributes + [{
diff --git a/neutron/tests/unit/db/test_l3_dvr_db.py b/neutron/tests/unit/db/test_l3_dvr_db.py
index 65d908935..103e100cf 100644
--- a/neutron/tests/unit/db/test_l3_dvr_db.py
+++ b/neutron/tests/unit/db/test_l3_dvr_db.py
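Review bot: In neutron/db/l3_dvr_db.py, `router_device_owners` carries no comment saying that membership in this tuple is what blocks a direct port-delete, so a later edit could drop an entry without noticing that it removes a protection. Going by the commit message, that is the purpose of the two new entries; a comment above the assignment such as `# Ports with these device owners are managed by the L3/DVR code and must not be deletable through a direct port-delete.` would record it. The hunk adds `DEVICE_OWNER_DVR_SNAT` while the new tests use `l3_const.DEVICE_OWNER_ROUTER_SNAT`; the module-level definition is outside the hunk, so confirm the two names carry the same value. The class body continues outside the hunk.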
@@ -155,6 +155,30 @@ class L3DvrTestCase(testlib_api.SqlTestCase):
 'device_id': ['agent_id'],
 'device_owner': [l3_const.DEVICE_OWNER_AGENT_GW]})
+ def _test_prepare_direct_delete_dvr_internal_ports(self, port):
+ with mock.patch.object(manager.NeutronManager, 'get_plugin') as gp:
+ plugin = mock.Mock()
+ gp.return_value = plugin
+ plugin.get_ports.return_value = [port]
+ plugin.assertRaises(l3.L3PortInUse,
+ plugin.delete_port,
+ self.ctx,
+ 'my_port_id')
+
+ def test_prevent_delete_floatingip_agent_gateway_port(self):
+ port = {
+ 'id': 'my_port_id',
+ 'device_owner': l3_const.DEVICE_OWNER_AGENT_GW
+ }
+ self._test_prepare_direct_delete_dvr_internal_ports(port)
+
+ def test_prevent_delete_csnat_port(self):
+ port = {
+ 'id': 'my_port_id',
+ 'device_owner': l3_const.DEVICE_OWNER_ROUTER_SNAT
+ }
+ self._test_prepare_direct_delete_dvr_internal_ports(port)
+
 def test__create_gw_port_with_no_gateway(self):
 router = {
 'name': 'foo_router',
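Review bot: `plugin.assertRaises(...)` in `_test_prepare_direct_delete_dvr_internal_ports` is called on a `mock.Mock()`, so it is an auto-created mock attribute that records the call and asserts nothing; both new tests pass whether or not the deletion guard works. `plugin.delete_port` is likewise a mock attribute, so the call would not reach the code that consults `router_device_owners` even if it were executed. Make the assertion on the test case and call the real check on the mixin under test, e.g. `self.assertRaises(l3.L3PortInUse, <deletion check on the mixin under test>, self.ctx, 'my_port_id')`; the fixture that holds the mixin is outside this hunk. As written, a regression that lets the FIP agent gateway or CSNAT port be deleted directly would not be caught by these tests.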