diff --git a/neutron/common/ovn/acl.py b/neutron/common/ovn/acl.py index a0a3e47fac1..0553301a596 100644 --- a/neutron/common/ovn/acl.py +++ b/neutron/common/ovn/acl.py @@ -171,23 +171,6 @@ def drop_all_ip_traffic_for_port(port): return acl_list -def add_sg_rule_acl_for_port(port, r, match): - dir_map = {const.INGRESS_DIRECTION: 'to-lport', - const.EGRESS_DIRECTION: 'from-lport'} - acl = {"lswitch": utils.ovn_name(port['network_id']), - "lport": port['id'], - "priority": ovn_const.ACL_PRIORITY_ALLOW, - "action": ovn_const.ACL_ACTION_ALLOW_RELATED, - "log": False, - "name": [], - "severity": [], - "direction": dir_map[r['direction']], - "match": match, - "external_ids": {'neutron:lport': port['id'], - ovn_const.OVN_SG_RULE_EXT_ID_KEY: r['id']}} - return acl - - def add_sg_rule_acl_for_port_group(port_group, r, match): dir_map = {const.INGRESS_DIRECTION: 'to-lport', const.EGRESS_DIRECTION: 'from-lport'} diff --git a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/commands.py b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/commands.py index d0299d310e5..21f54792d90 100644 --- a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/commands.py +++ b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/commands.py @@ -465,168 +465,6 @@ class DelACLCommand(command.BaseCommand): _updatevalues_in_list(lswitch, 'acls', old_values=acls_to_del) -class UpdateACLsCommand(command.BaseCommand): - def __init__(self, api, lswitch_names, port_list, acl_new_values_dict, - need_compare=True, is_add_acl=True): - """This command updates the acl list for the logical switches - - @param lswitch_names: List of Logical Switch Names - @type lswitch_names: [] - @param port_list: Iterator of List of Ports - @type port_list: [] - @param acl_new_values_dict: Dictionary of acls indexed by port id - @type acl_new_values_dict: {} - @need_compare: If acl_new_values_dict needs be compared with existing - acls. - @type: Boolean. - @is_add_acl: If updating is caused by acl adding action. - @type: Boolean. - - """ - super(UpdateACLsCommand, self).__init__(api) - self.lswitch_names = lswitch_names - self.port_list = port_list - self.acl_new_values_dict = acl_new_values_dict - self.need_compare = need_compare - self.is_add_acl = is_add_acl - - def _acl_list_sub(self, acl_list1, acl_list2): - """Compute the elements in acl_list1 but not in acl_list2. - - If acl_list1 and acl_list2 were sets, the result of this routine - could be thought of as acl_list1 - acl_list2. Note that acl_list1 - and acl_list2 cannot actually be sets as they contain dictionary - items i.e. set([{'a':1}) doesn't work. - """ - acl_diff = [] - for acl in acl_list1: - if acl not in acl_list2: - acl_diff.append(acl) - return acl_diff - - def _compute_acl_differences(self, port_list, acl_old_values_dict, - acl_new_values_dict, acl_obj_dict): - """Compute the difference between the new and old sets of acls - - @param port_list: Iterator of a List of ports - @type port_list: [] - @param acl_old_values_dict: Dictionary of old acl values indexed - by port id - @param acl_new_values_dict: Dictionary of new acl values indexed - by port id - @param acl_obj_dict: Dictionary of acl objects indexed by the acl - value in string format. - @var acl_del_objs_dict: Dictionary of acl objects to be deleted - indexed by the lswitch. - @var acl_add_values_dict: Dictionary of acl values to be added - indexed by the lswitch. - @return: (acl_del_objs_dict, acl_add_values_dict) - @rtype: ({}, {}) - """ - - acl_del_objs_dict = {} - acl_add_values_dict = {} - for port in port_list: - lswitch_name = port['network_id'] - acls_old = acl_old_values_dict.get(port['id'], []) - acls_new = acl_new_values_dict.get(port['id'], []) - acls_del = self._acl_list_sub(acls_old, acls_new) - acls_add = self._acl_list_sub(acls_new, acls_old) - acl_del_objs = acl_del_objs_dict.setdefault(lswitch_name, []) - for acl in acls_del: - acl_del_objs.append(acl_obj_dict[str(acl)]) - acl_add_values = acl_add_values_dict.setdefault(lswitch_name, []) - for acl in acls_add: - # Remove lport and lswitch columns - del acl['lswitch'] - del acl['lport'] - acl_add_values.append(acl) - return acl_del_objs_dict, acl_add_values_dict - - def _get_update_data_without_compare(self): - lswitch_ovsdb_dict = {} - for switch_name in self.lswitch_names: - switch_name = utils.ovn_name(switch_name) - lswitch = idlutils.row_by_value(self.api.idl, 'Logical_Switch', - 'name', switch_name) - lswitch_ovsdb_dict[switch_name] = lswitch - if self.is_add_acl: - acl_add_values_dict = {} - for port in self.port_list: - switch_name = utils.ovn_name(port['network_id']) - if switch_name not in acl_add_values_dict: - acl_add_values_dict[switch_name] = [] - if port['id'] in self.acl_new_values_dict: - acl_add_values_dict[switch_name].append( - self.acl_new_values_dict[port['id']]) - acl_del_objs_dict = {} - else: - acl_add_values_dict = {} - acl_del_objs_dict = {} - del_acl_extids = [] - for acl_dict in self.acl_new_values_dict.values(): - del_acl_extids.append({acl_dict['match']: - acl_dict['external_ids']}) - for switch_name, lswitch in lswitch_ovsdb_dict.items(): - if switch_name not in acl_del_objs_dict: - acl_del_objs_dict[switch_name] = [] - acls = getattr(lswitch, 'acls', []) - for acl in acls: - match = getattr(acl, 'match') - acl_extids = {match: getattr(acl, 'external_ids')} - if acl_extids in del_acl_extids: - acl_del_objs_dict[switch_name].append(acl) - return lswitch_ovsdb_dict, acl_del_objs_dict, acl_add_values_dict - - def run_idl(self, txn): - - if self.need_compare: - # Get all relevant ACLs in 1 shot - acl_values_dict, acl_obj_dict, lswitch_ovsdb_dict = ( - self.api.get_acls_for_lswitches(self.lswitch_names)) - - # Compute the difference between the new and old set of ACLs - acl_del_objs_dict, acl_add_values_dict = ( - self._compute_acl_differences( - self.port_list, acl_values_dict, - self.acl_new_values_dict, acl_obj_dict)) - else: - lswitch_ovsdb_dict, acl_del_objs_dict, acl_add_values_dict = ( - self._get_update_data_without_compare()) - - for lswitch_name, lswitch in lswitch_ovsdb_dict.items(): - acl_del_objs = acl_del_objs_dict.get(lswitch_name, []) - acl_add_values = acl_add_values_dict.get(lswitch_name, []) - - # Continue if no ACLs to add or delete. - if not acl_del_objs and not acl_add_values: - continue - - # Delete old ACLs. - if acl_del_objs: - for acl_del_obj in acl_del_objs: - try: - acl_del_obj.delete() - except AssertionError: - # If we try to delete a row twice, just continue - pass - - # Add new ACLs. - acl_add_objs = None - if acl_add_values: - acl_add_objs = [] - for acl_value in acl_add_values: - row = txn.insert(self.api._tables['ACL']) - for col, val in acl_value.items(): - setattr(row, col, val) - acl_add_objs.append(row.uuid) - - # Update logical switch ACLs. - _updatevalues_in_list(lswitch, 'acls', - new_values=acl_add_objs, - old_values=acl_del_objs) - - class AddStaticRouteCommand(command.BaseCommand): def __init__(self, api, lrouter, **columns): super(AddStaticRouteCommand, self).__init__(api) diff --git a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/impl_idl_ovn.py b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/impl_idl_ovn.py index e5a629da586..4fed8769fdb 100644 --- a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/impl_idl_ovn.py +++ b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/impl_idl_ovn.py @@ -359,13 +359,6 @@ class OvsdbNbOvnIdl(nb_impl_idl.OvnNbApiIdlImpl, Backend): def delete_acl(self, lswitch, lport, if_exists=True): return cmd.DelACLCommand(self, lswitch, lport, if_exists) - def update_acls(self, lswitch_names, port_list, acl_new_values_dict, - need_compare=True, is_add_acl=True): - return cmd.UpdateACLsCommand(self, lswitch_names, - port_list, acl_new_values_dict, - need_compare=need_compare, - is_add_acl=is_add_acl) - def add_static_route(self, lrouter, **columns): return cmd.AddStaticRouteCommand(self, lrouter, **columns) diff --git a/neutron/tests/unit/common/ovn/test_acl.py b/neutron/tests/unit/common/ovn/test_acl.py index d4dcd2d5df3..8e0eb105f75 100644 --- a/neutron/tests/unit/common/ovn/test_acl.py +++ b/neutron/tests/unit/common/ovn/test_acl.py @@ -11,17 +11,14 @@ # License for the specific language governing permissions and limitations # under the License. -import copy from unittest import mock from neutron_lib import constants as const from ovsdbapp.backend.ovs_idl import idlutils from neutron.common.ovn import acl as ovn_acl -from neutron.common.ovn import constants as ovn_const from neutron.common.ovn import utils as ovn_utils from neutron.conf.agent import securitygroups_rpc -from neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb import commands as cmd from neutron.tests import base from neutron.tests.unit import fake_resources as fakes @@ -114,239 +111,6 @@ class TestACLs(base.BaseTestCase): if 'from-lport' in acl.values(): self.assertEqual(acl_from_lport, acl) - def _test_add_sg_rule_acl_for_port(self, sg_rule, direction, match): - port = {'id': 'port-id', - 'network_id': 'network-id'} - acl = ovn_acl.add_sg_rule_acl_for_port(port, sg_rule, match) - self.assertEqual({'lswitch': 'neutron-network-id', - 'lport': 'port-id', - 'priority': ovn_const.ACL_PRIORITY_ALLOW, - 'action': ovn_const.ACL_ACTION_ALLOW_RELATED, - 'log': False, 'name': [], 'severity': [], - 'direction': direction, - 'match': match, - 'external_ids': { - 'neutron:lport': 'port-id', - 'neutron:security_group_rule_id': 'sgr_id'}}, - acl) - - def test_add_sg_rule_acl_for_port_remote_ip_prefix(self): - sg_rule = {'id': 'sgr_id', - 'direction': 'ingress', - 'ethertype': 'IPv4', - 'remote_group_id': None, - 'remote_ip_prefix': '1.1.1.0/24', - 'protocol': None} - match = 'outport == "port-id" && ip4 && ip4.src == 1.1.1.0/24' - self._test_add_sg_rule_acl_for_port(sg_rule, - 'to-lport', - match) - sg_rule['direction'] = 'egress' - match = 'inport == "port-id" && ip4 && ip4.dst == 1.1.1.0/24' - self._test_add_sg_rule_acl_for_port(sg_rule, - 'from-lport', - match) - - def test_add_sg_rule_acl_for_port_remote_group(self): - sg_rule = {'id': 'sgr_id', - 'direction': 'ingress', - 'ethertype': 'IPv4', - 'remote_group_id': 'sg1', - 'remote_ip_prefix': None, - 'protocol': None} - match = 'outport == "port-id" && ip4 && (ip4.src == 1.1.1.100' \ - ' || ip4.src == 1.1.1.101' \ - ' || ip4.src == 1.1.1.102)' - - self._test_add_sg_rule_acl_for_port(sg_rule, - 'to-lport', - match) - sg_rule['direction'] = 'egress' - match = 'inport == "port-id" && ip4 && (ip4.dst == 1.1.1.100' \ - ' || ip4.dst == 1.1.1.101' \ - ' || ip4.dst == 1.1.1.102)' - self._test_add_sg_rule_acl_for_port(sg_rule, - 'from-lport', - match) - - def test__update_acls_compute_difference(self): - lswitch_name = 'lswitch-1' - port1 = {'id': 'port-id1', - 'network_id': lswitch_name, - 'fixed_ips': [{'subnet_id': 'subnet-id', - 'ip_address': '1.1.1.101'}, - {'subnet_id': 'subnet-id-v6', - 'ip_address': '2001:0db8::1:0:0:1'}]} - port2 = {'id': 'port-id2', - 'network_id': lswitch_name, - 'fixed_ips': [{'subnet_id': 'subnet-id', - 'ip_address': '1.1.1.102'}, - {'subnet_id': 'subnet-id-v6', - 'ip_address': '2001:0db8::1:0:0:2'}]} - ports = [port1, port2] - # OLD ACLs, allow IPv4 communication - aclport1_old1 = {'priority': 1002, 'direction': 'from-lport', - 'lport': port1['id'], 'lswitch': lswitch_name, - 'match': 'inport == %s && ip4 && (ip.src == %s)' % - (port1['id'], port1['fixed_ips'][0]['ip_address'])} - aclport1_old2 = {'priority': 1002, 'direction': 'from-lport', - 'lport': port1['id'], 'lswitch': lswitch_name, - 'match': 'inport == %s && ip6 && (ip.src == %s)' % - (port1['id'], port1['fixed_ips'][1]['ip_address'])} - aclport1_old3 = {'priority': 1002, 'direction': 'to-lport', - 'lport': port1['id'], 'lswitch': lswitch_name, - 'match': 'ip4 && (ip.src == %s)' % - (port2['fixed_ips'][0]['ip_address'])} - port1_acls_old = [aclport1_old1, aclport1_old2, aclport1_old3] - aclport2_old1 = {'priority': 1002, 'direction': 'from-lport', - 'lport': port2['id'], 'lswitch': lswitch_name, - 'match': 'inport == %s && ip4 && (ip.src == %s)' % - (port2['id'], port2['fixed_ips'][0]['ip_address'])} - aclport2_old2 = {'priority': 1002, 'direction': 'from-lport', - 'lport': port2['id'], 'lswitch': lswitch_name, - 'match': 'inport == %s && ip6 && (ip.src == %s)' % - (port2['id'], port2['fixed_ips'][1]['ip_address'])} - aclport2_old3 = {'priority': 1002, 'direction': 'to-lport', - 'lport': port2['id'], 'lswitch': lswitch_name, - 'match': 'ip4 && (ip.src == %s)' % - (port1['fixed_ips'][0]['ip_address'])} - port2_acls_old = [aclport2_old1, aclport2_old2, aclport2_old3] - acls_old_dict = {'%s' % (port1['id']): port1_acls_old, - '%s' % (port2['id']): port2_acls_old} - acl_obj_dict = {str(aclport1_old1): 'row1', - str(aclport1_old2): 'row2', - str(aclport1_old3): 'row3', - str(aclport2_old1): 'row4', - str(aclport2_old2): 'row5', - str(aclport2_old3): 'row6'} - # NEW ACLs, allow IPv6 communication - aclport1_new1 = {'priority': 1002, 'direction': 'from-lport', - 'lport': port1['id'], 'lswitch': lswitch_name, - 'match': 'inport == %s && ip4 && (ip.src == %s)' % - (port1['id'], port1['fixed_ips'][0]['ip_address'])} - aclport1_new2 = {'priority': 1002, 'direction': 'from-lport', - 'lport': port1['id'], 'lswitch': lswitch_name, - 'match': 'inport == %s && ip6 && (ip.src == %s)' % - (port1['id'], port1['fixed_ips'][1]['ip_address'])} - aclport1_new3 = {'priority': 1002, 'direction': 'to-lport', - 'lport': port1['id'], 'lswitch': lswitch_name, - 'match': 'ip6 && (ip.src == %s)' % - (port2['fixed_ips'][1]['ip_address'])} - port1_acls_new = [aclport1_new1, aclport1_new2, aclport1_new3] - aclport2_new1 = {'priority': 1002, 'direction': 'from-lport', - 'lport': port2['id'], 'lswitch': lswitch_name, - 'match': 'inport == %s && ip4 && (ip.src == %s)' % - (port2['id'], port2['fixed_ips'][0]['ip_address'])} - aclport2_new2 = {'priority': 1002, 'direction': 'from-lport', - 'lport': port2['id'], 'lswitch': lswitch_name, - 'match': 'inport == %s && ip6 && (ip.src == %s)' % - (port2['id'], port2['fixed_ips'][1]['ip_address'])} - aclport2_new3 = {'priority': 1002, 'direction': 'to-lport', - 'lport': port2['id'], 'lswitch': lswitch_name, - 'match': 'ip6 && (ip.src == %s)' % - (port1['fixed_ips'][1]['ip_address'])} - port2_acls_new = [aclport2_new1, aclport2_new2, aclport2_new3] - acls_new_dict = {'%s' % (port1['id']): port1_acls_new, - '%s' % (port2['id']): port2_acls_new} - - acls_new_dict_copy = copy.deepcopy(acls_new_dict) - - # Invoke _compute_acl_differences - update_cmd = cmd.UpdateACLsCommand(self.driver._nb_ovn, - [lswitch_name], - iter(ports), - acls_new_dict - ) - acl_dels, acl_adds =\ - update_cmd._compute_acl_differences(iter(ports), - acls_old_dict, - acls_new_dict, - acl_obj_dict) - # Expected Difference (Sorted) - acl_del_exp = {lswitch_name: ['row3', 'row6']} - acl_adds_exp = {lswitch_name: - [{'priority': 1002, 'direction': 'to-lport', - 'match': 'ip6 && (ip.src == %s)' % - (port2['fixed_ips'][1]['ip_address'])}, - {'priority': 1002, 'direction': 'to-lport', - 'match': 'ip6 && (ip.src == %s)' % - (port1['fixed_ips'][1]['ip_address'])}]} - self.assertEqual(acl_del_exp, acl_dels) - self.assertEqual(acl_adds_exp, acl_adds) - - # make sure argument add_acl=False will take no affect in - # need_compare=True scenario - update_cmd_with_acl = cmd.UpdateACLsCommand(self.driver._nb_ovn, - [lswitch_name], - iter(ports), - acls_new_dict_copy, - need_compare=True, - is_add_acl=False) - new_acl_dels, new_acl_adds =\ - update_cmd_with_acl._compute_acl_differences(iter(ports), - acls_old_dict, - acls_new_dict_copy, - acl_obj_dict) - self.assertEqual(acl_dels, new_acl_dels) - self.assertEqual(acl_adds, new_acl_adds) - - def test__get_update_data_without_compare(self): - lswitch_name = 'lswitch-1' - port1 = {'id': 'port-id1', - 'network_id': lswitch_name, - 'fixed_ips': mock.Mock()} - port2 = {'id': 'port-id2', - 'network_id': lswitch_name, - 'fixed_ips': mock.Mock()} - ports = [port1, port2] - aclport1_new = {'priority': 1002, 'direction': 'to-lport', - 'match': 'outport == %s && ip4 && icmp4' % - (port1['id']), 'external_ids': {}} - aclport2_new = {'priority': 1002, 'direction': 'to-lport', - 'match': 'outport == %s && ip4 && icmp4' % - (port2['id']), 'external_ids': {}} - acls_new_dict = {'%s' % (port1['id']): aclport1_new, - '%s' % (port2['id']): aclport2_new} - - # test for creating new acls - update_cmd_add_acl = cmd.UpdateACLsCommand(self.driver._nb_ovn, - [lswitch_name], - iter(ports), - acls_new_dict, - need_compare=False, - is_add_acl=True) - lswitch_dict, acl_del_dict, acl_add_dict = \ - update_cmd_add_acl._get_update_data_without_compare() - self.assertIn('neutron-lswitch-1', lswitch_dict) - self.assertEqual({}, acl_del_dict) - expected_acls = {'neutron-lswitch-1': [aclport1_new, aclport2_new]} - self.assertEqual(expected_acls, acl_add_dict) - - # test for deleting existing acls - acl1 = mock.Mock( - match='outport == port-id1 && ip4 && icmp4', external_ids={}) - acl2 = mock.Mock( - match='outport == port-id2 && ip4 && icmp4', external_ids={}) - acl3 = mock.Mock( - match='outport == port-id1 && ip4 && (ip4.src == fake_ip)', - external_ids={}) - lswitch_obj = mock.Mock( - name='neutron-lswitch-1', acls=[acl1, acl2, acl3]) - with mock.patch('ovsdbapp.backend.ovs_idl.idlutils.row_by_value', - return_value=lswitch_obj): - update_cmd_del_acl = cmd.UpdateACLsCommand(self.driver._nb_ovn, - [lswitch_name], - iter(ports), - acls_new_dict, - need_compare=False, - is_add_acl=False) - lswitch_dict, acl_del_dict, acl_add_dict = \ - update_cmd_del_acl._get_update_data_without_compare() - self.assertIn('neutron-lswitch-1', lswitch_dict) - expected_acls = {'neutron-lswitch-1': [acl1, acl2]} - self.assertEqual(expected_acls, acl_del_dict) - self.assertEqual({}, acl_add_dict) - def test_acl_protocol_and_ports_for_tcp_udp_and_sctp_number(self): sg_rule = {'port_range_min': None, 'port_range_max': None} diff --git a/neutron/tests/unit/plugins/ml2/drivers/ovn/mech_driver/ovsdb/test_commands.py b/neutron/tests/unit/plugins/ml2/drivers/ovn/mech_driver/ovsdb/test_commands.py index 69715b9ce3f..da188485351 100644 --- a/neutron/tests/unit/plugins/ml2/drivers/ovn/mech_driver/ovsdb/test_commands.py +++ b/neutron/tests/unit/plugins/ml2/drivers/ovn/mech_driver/ovsdb/test_commands.py @@ -16,10 +16,8 @@ from unittest import mock from ovsdbapp.backend.ovs_idl import idlutils -from neutron.common.ovn import acl as ovn_acl from neutron.common.ovn import constants as ovn_const from neutron.common.ovn import exceptions as ovn_exc -from neutron.common.ovn import utils as ovn_utils from neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb import commands from neutron.tests import base from neutron.tests.unit import fake_resources as fakes @@ -744,117 +742,6 @@ class TestDelACLCommand(TestBaseCommand): fake_lswitch.delvalue.assert_called_once_with('acls', mock.ANY) -class TestUpdateACLsCommand(TestBaseCommand): - - def test_lswitch_no_exist(self): - fake_lswitch = fakes.FakeOvsdbRow.create_one_ovsdb_row() - self.ovn_api.get_acls_for_lswitches.return_value = ({}, {}, {}) - cmd = commands.UpdateACLsCommand( - self.ovn_api, [fake_lswitch.name], port_list=[], - acl_new_values_dict={}, - need_compare=True) - cmd.run_idl(self.transaction) - self.transaction.insert.assert_not_called() - fake_lswitch.addvalue.assert_not_called() - fake_lswitch.delvalue.assert_not_called() - - def _test_acl_update_no_acls(self, need_compare): - fake_lswitch = fakes.FakeOvsdbRow.create_one_ovsdb_row() - self.ovn_api.get_acls_for_lswitches.return_value = ( - {}, {}, {fake_lswitch.name: fake_lswitch}) - with mock.patch.object(idlutils, 'row_by_value', - return_value=fake_lswitch): - cmd = commands.UpdateACLsCommand( - self.ovn_api, [fake_lswitch.name], port_list=[], - acl_new_values_dict={}, - need_compare=need_compare) - cmd.run_idl(self.transaction) - self.transaction.insert.assert_not_called() - fake_lswitch.addvalue.assert_not_called() - fake_lswitch.delvalue.assert_not_called() - - def test_acl_update_compare_no_acls(self): - self._test_acl_update_no_acls(need_compare=True) - - def test_acl_update_no_compare_no_acls(self): - self._test_acl_update_no_acls(need_compare=False) - - def test_acl_update_compare_acls(self): - fake_sg_rule = \ - fakes.FakeSecurityGroupRule.create_one_security_group_rule().info() - fake_port = fakes.FakePort.create_one_port().info() - fake_add_acl = fakes.FakeOvsdbRow.create_one_ovsdb_row( - attrs={'match': 'add_acl'}) - fake_del_acl = fakes.FakeOvsdbRow.create_one_ovsdb_row( - attrs={'match': 'del_acl'}) - fake_lswitch = fakes.FakeOvsdbRow.create_one_ovsdb_row( - attrs={'name': ovn_utils.ovn_name(fake_port['network_id']), - 'acls': []}) - add_acl = ovn_acl.add_sg_rule_acl_for_port( - fake_port, fake_sg_rule, 'add_acl') - self.ovn_api.get_acls_for_lswitches.return_value = ( - {fake_port['id']: [fake_del_acl.match]}, - {fake_del_acl.match: fake_del_acl}, - {fake_lswitch.name.replace('neutron-', ''): fake_lswitch}) - cmd = commands.UpdateACLsCommand( - self.ovn_api, [fake_port['network_id']], - [fake_port], {fake_port['id']: [add_acl]}, - need_compare=True) - self.transaction.insert.return_value = fake_add_acl - cmd.run_idl(self.transaction) - self.transaction.insert.assert_called_once_with( - self.ovn_api._tables['ACL']) - fake_lswitch.addvalue.assert_called_with('acls', fake_add_acl.uuid) - - def test_acl_update_no_compare_add_acls(self): - fake_sg_rule = \ - fakes.FakeSecurityGroupRule.create_one_security_group_rule().info() - fake_port = fakes.FakePort.create_one_port().info() - fake_acl = fakes.FakeOvsdbRow.create_one_ovsdb_row( - attrs={'match': '*'}) - fake_lswitch = fakes.FakeOvsdbRow.create_one_ovsdb_row( - attrs={'name': ovn_utils.ovn_name(fake_port['network_id'])}) - add_acl = ovn_acl.add_sg_rule_acl_for_port( - fake_port, fake_sg_rule, '*') - with mock.patch.object(idlutils, 'row_by_value', - return_value=fake_lswitch): - self.transaction.insert.return_value = fake_acl - cmd = commands.UpdateACLsCommand( - self.ovn_api, [fake_port['network_id']], - [fake_port], {fake_port['id']: add_acl}, - need_compare=False, - is_add_acl=True) - cmd.run_idl(self.transaction) - self.transaction.insert.assert_called_once_with( - self.ovn_api._tables['ACL']) - fake_lswitch.addvalue.assert_called_once_with( - 'acls', fake_acl.uuid) - - def test_acl_update_no_compare_del_acls(self): - fake_sg_rule = \ - fakes.FakeSecurityGroupRule.create_one_security_group_rule().info() - fake_port = fakes.FakePort.create_one_port().info() - fake_acl = fakes.FakeOvsdbRow.create_one_ovsdb_row( - attrs={'match': '*', 'external_ids': - {'neutron:lport': fake_port['id'], - 'neutron:security_group_rule_id': fake_sg_rule['id']}}) - fake_lswitch = fakes.FakeOvsdbRow.create_one_ovsdb_row( - attrs={'name': ovn_utils.ovn_name(fake_port['network_id']), - 'acls': [fake_acl]}) - del_acl = ovn_acl.add_sg_rule_acl_for_port( - fake_port, fake_sg_rule, '*') - with mock.patch.object(idlutils, 'row_by_value', - return_value=fake_lswitch): - cmd = commands.UpdateACLsCommand( - self.ovn_api, [fake_port['network_id']], - [fake_port], {fake_port['id']: del_acl}, - need_compare=False, - is_add_acl=False) - cmd.run_idl(self.transaction) - self.transaction.insert.assert_not_called() - fake_lswitch.delvalue.assert_called_with('acls', mock.ANY) - - class TestAddStaticRouteCommand(TestBaseCommand): def test_lrouter_not_found(self):