From 7026d96ce44522c95c785376178347d2b0a9d750 Mon Sep 17 00:00:00 2001 From: Claudiu Belu Date: Mon, 17 Mar 2014 13:53:55 -0700 Subject: [PATCH] Fixes Hyper-V agent security groups enable issue Fixes the weight of the applied allow rules by ignoring the weight of the reject rules. Fixes the override allow rules issue by fixing the ACL filtering condition. Change-Id: I38ddd7142d0fa45f308460153d29580f276ce07e Closes-Bug: #1294368 --- neutron/plugins/hyperv/agent/utilsv2.py | 5 +-- .../tests/unit/hyperv/test_hyperv_utilsv2.py | 31 ++++++++++++++----- 2 files changed, 26 insertions(+), 10 deletions(-) diff --git a/neutron/plugins/hyperv/agent/utilsv2.py b/neutron/plugins/hyperv/agent/utilsv2.py index cc38db139..87ed8704c 100644 --- a/neutron/plugins/hyperv/agent/utilsv2.py +++ b/neutron/plugins/hyperv/agent/utilsv2.py @@ -366,11 +366,12 @@ class HyperVUtilsV2R2(HyperVUtilsV2): return [v for v in acls if v.Action == action and v.Direction == direction and - v.LocalPort in [str(local_port), self._ACL_DEFAULT] and - v.Protocol in [protocol] and + v.LocalPort == str(local_port) and + v.Protocol == protocol and v.RemoteIPAddress == remote_addr] def _get_new_weight(self, acls): + acls = [a for a in acls if a.Action is not self._ACL_ACTION_DENY] if not acls: return self._MAX_WEIGHT - 1 diff --git a/neutron/tests/unit/hyperv/test_hyperv_utilsv2.py b/neutron/tests/unit/hyperv/test_hyperv_utilsv2.py index 565368a24..0d7a59e72 100644 --- a/neutron/tests/unit/hyperv/test_hyperv_utilsv2.py +++ b/neutron/tests/unit/hyperv/test_hyperv_utilsv2.py 
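Review bot: The added filter in `_get_new_weight` compares `a.Action` with `is not`, which tests object identity rather than value, while `_filter_security_acls` just above compares the same field with `==`. If the Action read from an ACL object is equal to `self._ACL_ACTION_DENY` but not the same object (the value's type is not visible in this hunk), deny rules stay in the list. Their weights would then again influence the weight given to new allow rules, which is the rule-precedence problem this commit sets out to fix. I would write `acls = [a for a in acls if a.Action != self._ACL_ACTION_DENY]`. The rest of `_get_new_weight` lies outside the hunk, so the remaining weight calculation could not be checked here.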
@@ -352,14 +352,19 @@ class TestHyperVUtilsV2R2(base.BaseTestCase): default, default, self._FAKE_REMOTE_ADDR) def _test_filter_security_acls(self, local_port, protocol, remote_addr): - mock_acl = mock.MagicMock() - mock_acl.Action = self._utils._ACL_ACTION_ALLOW - mock_acl.Direction = self._FAKE_ACL_DIR - mock_acl.LocalPort = local_port - mock_acl.Protocol = protocol - mock_acl.RemoteIPAddress = remote_addr + acls = [] + default = self._utils._ACL_DEFAULT + for port, proto in [(default, default), (local_port, protocol)]: + mock_acl = mock.MagicMock() + mock_acl.Action = self._utils._ACL_ACTION_ALLOW + mock_acl.Direction = self._FAKE_ACL_DIR + mock_acl.LocalPort = port + mock_acl.Protocol = proto + mock_acl.RemoteIPAddress = remote_addr + acls.append(mock_acl) + + right_acls = [a for a in acls if a.LocalPort == local_port] - acls = [mock_acl, mock_acl] good_acls = self._utils._filter_security_acls( acls, mock_acl.Action, self._FAKE_ACL_DIR, self._FAKE_ACL_TYPE, local_port, protocol, remote_addr) @@ -367,7 +372,7 @@ class TestHyperVUtilsV2R2(base.BaseTestCase): acls, self._FAKE_ACL_ACT, self._FAKE_ACL_DIR, self._FAKE_ACL_TYPE, local_port, protocol, remote_addr) - self.assertEqual(acls, good_acls) + self.assertEqual(right_acls, good_acls) self.assertEqual([], bad_acls) def test_get_new_weight(self): @@ -381,3 +386,13 @@ class TestHyperVUtilsV2R2(base.BaseTestCase): def test_get_new_weight_no_acls(self): self.assertEqual(self._utils._MAX_WEIGHT - 1, self._utils._get_new_weight([])) + + def test_get_new_weight_default_acls(self): + mockacl1 = mock.MagicMock() + mockacl1.Weight = self._utils._MAX_WEIGHT - 1 + mockacl2 = mock.MagicMock() + mockacl2.Weight = self._utils._MAX_WEIGHT - 2 + mockacl2.Action = self._utils._ACL_ACTION_DENY + + self.assertEqual(self._utils._MAX_WEIGHT - 2, + self._utils._get_new_weight([mockacl1, mockacl2])) -- 2.45.2
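Review bot: The reworked `_test_filter_security_acls` always varies port and protocol together, so the new `v.Protocol == protocol` condition is never exercised on its own. `right_acls` is selected by `LocalPort` alone, and no mock carries the requested port with the default protocol. Adding a third pair `(local_port, default)` to the loop and building the expectation on both fields, `right_acls = [a for a in acls if a.LocalPort == local_port and a.Protocol == protocol]`, would pin both halves of the filter fix. The call also passes `mock_acl.Action`, which relies on the loop variable surviving the loop; `self._utils._ACL_ACTION_ALLOW` says the same thing directly. The end of this helper, including the assertions, is in the following hunk.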
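Review bot: In `test_get_new_weight_default_acls`, `mockacl1.Action` is never set, so the allow rule passes the new deny filter only because `MagicMock` auto-creates an attribute that is not the deny constant. Setting `mockacl1.Action = self._utils._ACL_ACTION_ALLOW` makes the mock an explicit allow rule and keeps the test meaningful if the filter is later written as a positive match on allow. The deny mock is given the constant object itself, so the test also passes under the identity comparison used in `_get_new_weight`. It would therefore not catch a deny Action that is equal in value but a distinct object.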