From acb51f642d28e29e8c7555e534f230ea3d9d2701 Mon Sep 17 00:00:00 2001
From: dparalen <vetrisko@gmail.com>
Date: Thu, 19 Oct 2017 17:10:27 +0200
Subject: [PATCH] Support manage_firewall during deprecation period

This is a follow-up on If83db978080b9c4e5d51ba50bbe8ed26e29abe83: allow
folks to use:

  [firewall]
  manage_firewall = False

to disable the (default) iptables driver during the deprecation period of
the [firewall] option group.  This effectively sets the pxe_filter.driver
to noop.

Change-Id: Idcbc457fffeb1c4bd7c1c747e870b53e2e167d55
---
 ironic_inspector/pxe_filter/base.py           |  5 +++++
 ironic_inspector/test/unit/test_pxe_filter.py | 14 ++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/ironic_inspector/pxe_filter/base.py b/ironic_inspector/pxe_filter/base.py
index 1612e9181..3e0901b00 100644
--- a/ironic_inspector/pxe_filter/base.py
+++ b/ironic_inspector/pxe_filter/base.py
@@ -218,6 +218,11 @@ def _driver_manager():
     global _DRIVER_MANAGER
 
     name = CONF.pxe_filter.driver
+    # FIXME(milan): to be removed after the transition period of deprecating
+    # the firewall option group
+    if name == 'iptables' and not CONF.iptables.manage_firewall:
+        name = 'noop'
+
     if _DRIVER_MANAGER is None:
         _DRIVER_MANAGER = stevedore.driver.DriverManager(
             _STEVEDORE_DRIVER_NAMESPACE,
diff --git a/ironic_inspector/test/unit/test_pxe_filter.py b/ironic_inspector/test/unit/test_pxe_filter.py
index 7ed1a8566..8b5277022 100644
--- a/ironic_inspector/test/unit/test_pxe_filter.py
+++ b/ironic_inspector/test/unit/test_pxe_filter.py
@@ -64,6 +64,20 @@ class TestDriverManager(test_base.BaseTest):
         self.stevedore_driver_mock.assert_not_called()
         self.assertIs(pxe_filter._DRIVER_MANAGER, driver_manager)
 
+    def test_manage_firewall(self):
+        # FIXME(milan): to be removed after the transition period of
+        # deprecating the firewall option group
+        # NOTE(milan) the default filter driver is iptables
+        # this should revert it to noop
+        CONF.set_override('manage_firewall', False, 'iptables')
+        driver_manager = pxe_filter._driver_manager()
+        self.stevedore_driver_mock.assert_called_once_with(
+            pxe_filter._STEVEDORE_DRIVER_NAMESPACE,
+            name='noop',
+            invoke_on_load=True)
+        self.assertIsNotNone(driver_manager)
+        self.assertIs(pxe_filter._DRIVER_MANAGER, driver_manager)
+
 
 class TestDriverManagerLoading(test_base.BaseTest):
     def setUp(self):