Forbid to attach security services with same type to share network

Manila should not allow attach several security services with same type to a share network, for example, two LDAPs or two Active Directory services. Add unit tests and fix tempest tests. Closes-bug: #1358652 Change-Id: Id37e986e537941fe8f9086b8b150d6073c97d1ed
2014-08-22 14:40:58 +04:00 · 2014-08-22 14:40:58 +04:00 · 4f17b8d837
parent 0f76ed578b
commit 4f17b8d837
3 changed files with 49 additions and 13 deletions
--- a/contrib/tempest/tempest/api/share/test_security_services_mapping_negative.py
+++ b/contrib/tempest/tempest/api/share/test_security_services_mapping_negative.py
@ -33,7 +33,7 @@ class SecServicesMappingNegativeTest(base.BaseSharesTest):
        resp, __ = self.cl.add_sec_service_to_share_network(self.sn["id"],
                                                            self.ss["id"])
        self.assertIn(int(resp["status"]), test.HTTP_SUCCESS)
-        self.assertRaises(exceptions.BadRequest,
+        self.assertRaises(exceptions.Conflict,
                          self.cl.add_sec_service_to_share_network,
                          self.sn["id"], self.ss["id"])

@ -86,7 +86,7 @@ class SecServicesMappingNegativeTest(base.BaseSharesTest):
                          "wrong_id", "wrong_id")

    @test.attr(type=["gate", "smoke", "negative"])
-    def test_try_map_same_ss_to_sn_twice(self):
+    def test_try_map_two_ss_with_same_type_to_sn(self):
        # create share network
        data = self.generate_share_network_data()

@ -94,22 +94,24 @@ class SecServicesMappingNegativeTest(base.BaseSharesTest):
        self.assertIn(int(resp["status"]), test.HTTP_SUCCESS)
        self.assertDictContainsSubset(data, sn)

-        # create security service
-        data = self.generate_security_service_data()
-
-        resp, ss = self.create_security_service(client=self.cl, **data)
-        self.assertIn(int(resp["status"]), test.HTTP_SUCCESS)
-        self.assertDictContainsSubset(data, ss)
+        # create security services with same type
+        security_services = []
+        for i in range(2):
+            data = self.generate_security_service_data()
+            resp, ss = self.create_security_service(client=self.cl, **data)
+            self.assertIn(int(resp["status"]), test.HTTP_SUCCESS)
+            self.assertDictContainsSubset(data, ss)
+            security_services.insert(i, ss)

        # Add security service to share network
-        resp, __ = self.cl.add_sec_service_to_share_network(sn["id"],
-                                                            ss["id"])
+        resp, __ = self.cl.add_sec_service_to_share_network(
+            sn["id"], security_services[0]["id"])
        self.assertIn(int(resp["status"]), test.HTTP_SUCCESS)

-        # Try add same security service one more time
-        self.assertRaises(exceptions.BadRequest,
+        # Try to add security service with same type
+        self.assertRaises(exceptions.Conflict,
                          self.cl.add_sec_service_to_share_network,
-                          sn["id"], ss["id"])
+                          sn["id"], security_services[1]["id"])

    @test.attr(type=["gate", "smoke", "negative"])
    def test_try_delete_ss_that_assigned_to_sn(self):
--- a/manila/api/v1/share_networks.py
+++ b/manila/api/v1/share_networks.py
@ -249,6 +249,16 @@ class ShareNetworkController(wsgi.Controller):
        if share_network['share_servers']:
            msg = _("Cannot add security services. Share network is used.")
            raise exc.HTTPForbidden(explanation=msg)
+        security_service = db_api.security_service_get(
+            context, data['security_service_id'])
+        for attached_service in share_network['security_services']:
+            if attached_service['type'] == security_service['type']:
+                msg = _("Cannot add security service to share network. "
+                        "Security service with '%(ss_type)s' type already "
+                        "added to '%(sn_id)s' share network") % {
+                            'ss_type': security_service['type'],
+                            'sn_id': share_network['id']}
+                raise exc.HTTPConflict(explanation=msg)
        try:
            share_network = db_api.share_network_add_security_service(
                context,
--- a/manila/tests/api/v1/test_share_networks.py
+++ b/manila/tests/api/v1/test_share_networks.py
@ -293,6 +293,30 @@ class ShareNetworkAPITest(test.TestCase):
            self.controller._add_security_service.assert_called_once_with(
                self.req, share_network_id, body['add_security_service'])

+    @mock.patch.object(db_api, 'share_network_get', mock.Mock())
+    @mock.patch.object(db_api, 'security_service_get', mock.Mock())
+    def test_action_add_security_service_conflict(self):
+        share_network = fake_share_network.copy()
+        share_network['security_services'] = [{'id': 'security_service_1',
+                                               'type': 'ldap'}]
+        security_service = {'id': ' security_service_2',
+                            'type': 'ldap'}
+        body = {'add_security_service': {'security_service_id':
+                                         security_service['id']}}
+
+        db_api.security_service_get.return_value = security_service
+        db_api.share_network_get.return_value = share_network
+
+        self.assertRaises(webob_exc.HTTPConflict,
+                          self.controller.action,
+                          self.req,
+                          share_network['id'],
+                          body)
+        db_api.share_network_get.assert_called_once_with(
+            self.req.environ['manila.context'], share_network['id'])
+        db_api.security_service_get.assert_called_once_with(
+            self.req.environ['manila.context'], security_service['id'])
+
    def test_action_remove_security_service(self):
        share_network_id = 'fake network id'
        security_service_id = 'fake ss id'