Firewall group associated with ports is not allowed to be deleted

Currently, we determine that the firewall group is in use based on
its ACTIVE status. But the firewall group may have just updated
the port and is currently PENDING_UPDATE status, deletion should
not be allowed at this time.
This patch changes the judgment method for deleting firewall
groups, no longer based on their status. But like other neutron
resources, based on whether or not they are associated.

Closes-Bug: #2018967
Depends-On: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/883826

Change-Id: Ib7ab0daf9f6de45125ffc9408f865fc0964ff339

neutron_fwaas/services/firewall/fwaas_plugin_v2.py

@@ -339,7 +339,7 @@ class FirewallPluginV2(Firewallv2PluginBase):
         except f_exc.FirewallGroupNotFound:
             return
 
-        if fwg['status'] == nl_constants.ACTIVE:
+        if fwg['ports']:
             raise f_exc.FirewallGroupInUse(firewall_id=id)
 
         self.driver.delete_firewall_group(context, id)

neutron_fwaas/services/firewall/service_drivers/agents/agents.py

@@ -270,31 +270,6 @@ class FirewallAgentDriver(driver_api.FirewallDriverDB,
                 context, firewall_group['ports'])
             self.agent_rpc.create_firewall_group(context, fwg_with_rules)
 
-    def delete_firewall_group_precommit(self, context, firewall_group):
-        if firewall_group['status'] == nl_constants.ACTIVE:
-            raise f_exc.FirewallGroupInUse(firewall_id=firewall_group['id'])
-        elif firewall_group['status'] != nl_constants.INACTIVE:
-            # Firewall group is in inconsistent state, remove it
-            return
-        if not firewall_group['ports']:
-            # No associated port, can safety remove it
-            return
-
-        # Need to prevent agent to delete the firewall group before delete it
-        self.firewall_db.update_firewall_group_status(
-            context, firewall_group['id'], nl_constants.PENDING_DELETE)
-        firewall_group['status'] = nl_constants.PENDING_DELETE
-
-        fwg_with_rules = self.firewall_db.make_firewall_group_dict_with_rules(
-            context, firewall_group['id'])
-        fwg_with_rules['del-port-ids'] = firewall_group['ports']
-        fwg_with_rules['add-port-ids'] = []
-        # Reflect state change in fwg_with_rules
-        fwg_with_rules['status'] = nl_constants.PENDING_DELETE
-        fwg_with_rules['port_details'] = self._get_fwg_port_details(
-            context, fwg_with_rules['del-port-ids'])
-        self.agent_rpc.delete_firewall_group(context, fwg_with_rules)
-
     def _need_pending_update(self, old_firewall_group, new_firewall_group):
         port_updated = (set(new_firewall_group['ports']) !=
                         set(old_firewall_group['ports']))

neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin_v2.py

@@ -382,6 +382,22 @@ class FirewallPluginV2TestCase(test_db_plugin.NeutronDbPluginV2TestCase):
         firewall_group = self.deserialize(fmt or self.fmt, res)
         yield firewall_group
         if do_delete:
+            self.plugin.driver.firewall_db.update_firewall_group_status(
+                context.get_admin_context(),
+                firewall_group['firewall_group']['id'],
+                nl_constants.ACTIVE)
+            data = {
+                'firewall_group': {
+                    'ports': [],
+                },
+            }
+            req = self.new_update_request(
+                'firewall_groups',
+                data,
+                firewall_group['firewall_group']['id'],
+                as_admin=True,
+            )
+            req.get_response(self.ext_api)
             self._delete('firewall_groups',
                          firewall_group['firewall_group']['id'],
                          as_admin=True)