From ea3a0a428fac308f9ab65d0beb733de380cace56 Mon Sep 17 00:00:00 2001
From: Koteswara Rao Kelam
Date: Fri, 26 Sep 2014 04:34:11 -0700
Subject: [PATCH] Disallow unsharing used firewall policy

When admin policy p1 is shared and is used by firewall f1 of different tenant, then updating p1 with shared=False should not be allowed as it is in use.

Change-Id: I7c753f9d8a25a7edc40233316398475c8ad3efe9
Closes-bug: #1334994
---
 neutron/db/firewall/firewall_db.py | 6 ++++++
 neutron/tests/unit/db/firewall/test_db_firewall.py | 10 ++++++++++
 2 files changed, 16 insertions(+)

diff --git a/neutron/db/firewall/firewall_db.py b/neutron/db/firewall/firewall_db.py
index 7321d1d12..9c8ce696a 100644
--- a/neutron/db/firewall/firewall_db.py
+++ b/neutron/db/firewall/firewall_db.py
@@ -338,6 +338,12 @@ class Firewall_db_mixin(firewall.FirewallPluginBase, base_db.CommonDbMixin):
 fwp = firewall_policy['firewall_policy']
 with context.session.begin(subtransactions=True):
 fwp_db = self._get_firewall_policy(context, id)
+ # check tenant ids are same for fw and fwp or not
+ if not fwp.get('shared', True) and fwp_db.firewalls:
+ for fw in fwp_db['firewalls']:
+ if fwp_db['tenant_id'] != fw['tenant_id']:
+ raise firewall.FirewallPolicyInUse(
+ firewall_policy_id=id)
 # check any existing rules are not shared
 if 'shared' in fwp and 'firewall_rules' not in fwp:
 self._check_unshared_rules_for_policy(fwp_db, fwp)
diff --git a/neutron/tests/unit/db/firewall/test_db_firewall.py b/neutron/tests/unit/db/firewall/test_db_firewall.py
index 0dd6f42aa..c25ba3305 100644
--- a/neutron/tests/unit/db/firewall/test_db_firewall.py
+++ b/neutron/tests/unit/db/firewall/test_db_firewall.py
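Review bot: The new guard in firewall_db.py is skipped for updates that omit `shared` only because `fwp.get('shared', True)` defaults to `True`, while the check right after it uses `'shared' in fwp`; writing it as `if 'shared' in fwp and not fwp['shared'] and fwp_db.firewalls:` behaves the same and makes the intent explicit. The block also mixes `fwp_db.firewalls` with `fwp_db['firewalls']`, and its comment says what is compared rather than why; something like `# a policy used by another tenant's firewall must stay shared` states the isolation rule being enforced. Because this is a cross-tenant access control, it is worth confirming that the firewall create/update path rejects attaching a non-shared policy owned by a different tenant, since this hunk only covers the unshare direction and that code is not visible here. The enclosing update method starts and ends outside the hunk.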
@@ -573,6 +573,16 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase):
 res = req.get_response(self.ext_api)
 self.assertEqual(webob.exc.HTTPConflict.code, res.status_int)

+ def test_update_firewall_policy_assoc_with_other_tenant_firewall(self):
+ with self.firewall_policy(shared=True, tenant_id='tenant1') as fwp:
+ fwp_id = fwp['firewall_policy']['id']
+ with self.firewall(firewall_policy_id=fwp_id):
+ data = {'firewall_policy': {'shared': False}}
+ req = self.new_update_request('firewall_policies', data,
+ fwp['firewall_policy']['id'])
+ res = req.get_response(self.ext_api)
+ self.assertEqual(webob.exc.HTTPConflict.code, res.status_int)
+
 def test_delete_firewall_policy(self):
 ctx = context.get_admin_context()
 with self.firewall_policy(do_delete=False) as fwp:
--
2.45.2
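Review bot: The added test only exercises the rejection path, so a regression that refused every `shared=False` update on a policy with firewalls would still pass; a companion test where the firewall belongs to the policy's own tenant and the update succeeds would pin the allowed case. The cross-tenant setup also depends on `self.firewall(...)` defaulting to a tenant other than `'tenant1'`, which is not visible in this hunk, so passing the firewall's `tenant_id` explicitly would make the scenario self-evident. `fwp_id` is computed but the update request re-reads `fwp['firewall_policy']['id']`; pass `fwp_id` there instead.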