From c86b1f7723e4a4f768773a68fc3ac197ac751482 Mon Sep 17 00:00:00 2001
From: Koteswara Rao Kelam
Date: Tue, 17 Jun 2014 07:03:10 -0700
Subject: [PATCH] Proper validation for inserting firewall rule

Say rule r2 is associated with policy p2. If user tries to insert rule r1 into a policy p1 before/after r2, error should be thrown saying that rule r2 is not associated with policy p1.

Change-Id: Ifa415acc9533b7a323f966ee42d476460e68c9d3
Closes-bug: 1330898
---
 neutron/db/firewall/firewall_db.py | 4 +++
 .../unit/db/firewall/test_db_firewall.py | 25 +++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/neutron/db/firewall/firewall_db.py b/neutron/db/firewall/firewall_db.py
index 47046139e..3460ea01b 100644
--- a/neutron/db/firewall/firewall_db.py
+++ b/neutron/db/firewall/firewall_db.py
@@ -452,6 +452,10 @@ class Firewall_db_mixin(firewall.FirewallPluginBase, base_db.CommonDbMixin):
 # rule is inserted after reference_firewall_rule_id.
 ref_fwr_db = self._get_firewall_rule(
 context, ref_firewall_rule_id)
+ if ref_fwr_db.firewall_policy_id != id:
+ raise firewall.FirewallRuleNotAssociatedWithPolicy(
+ firewall_rule_id=ref_fwr_db['id'],
+ firewall_policy_id=id)
 if insert_before:
 position = ref_fwr_db.position
 else:
diff --git a/neutron/tests/unit/db/firewall/test_db_firewall.py b/neutron/tests/unit/db/firewall/test_db_firewall.py
index 0abd35464..5d7708735 100644
--- a/neutron/tests/unit/db/firewall/test_db_firewall.py
+++ b/neutron/tests/unit/db/firewall/test_db_firewall.py
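Review bot: The new guard mixes access styles on the same row: `ref_fwr_db.firewall_policy_id` on the `if` line but `ref_fwr_db['id']` in the raise, while the surrounding context uses attribute access (`ref_fwr_db.position`); `firewall_rule_id=ref_firewall_rule_id` (the value the caller supplied, already in scope) or `ref_fwr_db.id` would read consistently and drops the redundant lookup. A one-line comment above the check would tell the next reader why it exists, e.g. `# A reference rule that belongs to another policy (or to none) has no position in this one; reject before deriving a position from it.` As written the check does precede the `position` computation, so a position is never derived from a foreign rule, and a rule with no policy at all (`firewall_policy_id` None) is correctly rejected too. Whether any state has already been modified earlier in the method before this check runs cannot be seen here, because the enclosing method starts and ends outside the hunk.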
@@ -929,6 +929,31 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase):
 expected_code=webob.exc.HTTPConflict.code,
 expected_body=None,
 body_data=insert_data)
+ def test_insert_rule_for_prev_associated_ref_rule(self):
+ with contextlib.nested(self.firewall_rule(name='fwr0'),
+ self.firewall_rule(name='fwr1')) as fwr:
+ fwr0_id = fwr[0]['firewall_rule']['id']
+ fwr1_id = fwr[1]['firewall_rule']['id']
+ with contextlib.nested(
+ self.firewall_policy(name='fwp0'),
+ self.firewall_policy(name='fwp1',
+ firewall_rules=[fwr1_id])) as fwp:
+ fwp0_id = fwp[0]['firewall_policy']['id']
+ #test inserting before a rule which is associated
+ #with different policy
+ self._rule_action(
+ 'insert', fwp0_id, fwr0_id,
+ insert_before=fwr1_id,
+ expected_code=webob.exc.HTTPBadRequest.code,
+ expected_body=None)
+ #test inserting after a rule which is associated
+ #with different policy
+ self._rule_action(
+ 'insert', fwp0_id, fwr0_id,
+ insert_after=fwr1_id,
+ expected_code=webob.exc.HTTPBadRequest.code,
+ expected_body=None)
+
 def test_insert_rule_in_policy(self):
 attrs = self._get_test_firewall_policy_attrs()
 attrs['audited'] = False
-- 
2.45.2
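Review bot: The new test only checks the 400 status of each rejected insert and never verifies that `fwp0` was left untouched, so it would still pass if the validation fired after a partial state change; after each `_rule_action` call, reading `fwp0` back and asserting its `firewall_rules` list is still empty (and that `fwr0` carries no `firewall_policy_id`) would pin that down. With `expected_body=None` the error type is presumably inferred from the status code alone, so a second 400-producing failure in the same path would be indistinguishable here; comparing the response body against the expected error would tighten that, if `_rule_action` supports it. The inline comments `#test inserting before a rule which is associated` and `#with different policy` lack the space after `#` that PEP 8 (E265) expects; `# test inserting before a rule associated with a different policy` also fits on one line.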