From 1c46d4224691b48cfd42568a23346a00dac0b557 Mon Sep 17 00:00:00 2001
From: Aswin Suryanarayanan
Date: Mon, 16 May 2016 12:53:41 +0530
Subject: [PATCH] Added support for enable/disable security on a port dynamically.
Change-Id: I96a3599927cbc7ca36a870187145380207e8f494
Signed-off-by: Aswin Suryanarayanan
---
 .../netvirt/api/SecurityServicesManager.java | 6 +++
 .../netvirt/impl/NeutronL3Adapter.java | 20 +++++++-
 .../netvirt/impl/SecurityServicesImpl.java | 47 +++++++++++++++++--
 .../impl/NeutronPortChangeListener.java | 5 ++
 4 files changed, 73 insertions(+), 5 deletions(-)
diff --git a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/SecurityServicesManager.java b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/SecurityServicesManager.java
index 2418792b28..27e9c542e3 100644
--- a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/SecurityServicesManager.java
+++ b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/SecurityServicesManager.java
@@ -103,6 +103,12 @@ public interface SecurityServicesManager {
 * @param write whether to add/delete flow.
 */
 void syncSecurityGroup(NeutronPort port, List securityGroup, boolean write);
+ /**
+ * Add or remove the fixed security groups from the port.
+ * @param port the neutron port.
+ * @param write whether to add/delete flow.
+ */
+ void syncFixedSecurityGroup(NeutronPort port, boolean write);
 /**
 * Add or remove individual security rules from the port.
 * @param port the neutron port.
diff --git a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/NeutronL3Adapter.java b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/NeutronL3Adapter.java
index 13b535448a..644c36d81c 100644
--- a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/NeutronL3Adapter.java
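Review bot: The Javadoc on the added `syncFixedSecurityGroup` does not say what the "fixed" rules are or how the method relates to `syncSecurityGroup` directly above it, so a caller cannot tell which one applies when the port-security flag is toggled versus when group membership changes. From the implementation in this same patch the method programs the per-port base flows through `ingressAclProvider`/`egressAclProvider.programFixedSecurityGroup` (keyed on the DHCP server MAC and the port's own MAC and IP list), not any security-group rule. I would extend the summary to `Add or remove the fixed, security-group-independent ACL flows of the port; intended for toggles of the port-security flag, while syncSecurityGroup handles group membership changes.` and state that `write == false` removes those flows.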
+++ b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/NeutronL3Adapter.java @@ -431,6 +431,9 @@ public class NeutronL3Adapter extends AbstractHandler implements GatewayMacResol if (neutronPort.getPortSecurityEnabled()) { this.processSecurityGroupUpdate(neutronPort); } + if (isPortSecurityEnableUpdated(neutronPort)) { + this.processPortSecurityEnableUpdated(neutronPort); + } } if (!this.enabled) { @@ -906,7 +909,6 @@ public class NeutronL3Adapter extends AbstractHandler implements GatewayMacResol * added and removed and call the appropriate providers for updating the flows. */ try { - NeutronPort originalPort = neutronPort.getOriginalPort(); List addedGroup = getsecurityGroupChanged(neutronPort, neutronPort.getOriginalPort()); List deletedGroup = getsecurityGroupChanged(neutronPort.getOriginalPort(), @@ -924,6 +926,22 @@ public class NeutronL3Adapter extends AbstractHandler implements GatewayMacResol } } + private void processPortSecurityEnableUpdated(NeutronPort neutronPort) { + LOG.trace("processPortSecurityEnableUpdated:" + neutronPort); + securityServicesManager.syncFixedSecurityGroup(neutronPort, + neutronPort.getPortSecurityEnabled()); + } + + private boolean isPortSecurityEnableUpdated(NeutronPort neutronPort) { + LOG.trace("isPortSecuirtyEnableUpdated:" + neutronPort); + if (neutronPort.getOriginalPort().getPortSecurityEnabled() + != neutronPort.getPortSecurityEnabled()) { + return true; + } + return false; + } + + private List getsecurityGroupChanged(NeutronPort port1, NeutronPort port2) { LOG.trace("getsecurityGroupChanged:" + "Port1:" + port1 + "Port2" + port2); if (port1 == null) { diff --git a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/SecurityServicesImpl.java b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/SecurityServicesImpl.java index fc2486aa91..7f5f96f0aa 100644 
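Review bot: The new toggle branch only syncs the fixed flows, while the port's security-group flows are left as they were: `processSecurityGroupUpdate` runs only when port security is enabled and, as the following hunk shows, it programs just the difference between the original and current group lists. So an update that merely flips the flag without changing membership installs no group rules on enable and leaves the previously installed ones in the pipeline on disable, unless that is handled somewhere outside this hunk. I would have the toggle path also pass the port's full security-group list to `syncSecurityGroup` with `write` set to the new flag value, so that the group rules follow the flag. The enclosing method starts and ends outside the hunk.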
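Review bot: `isPortSecurityEnableUpdated` dereferences `neutronPort.getOriginalPort()` without a null check, while the neighbouring `getsecurityGroupChanged` in the same hunk guards `port1 == null`; an update event that carries no original port would throw before the flag is compared. If `getPortSecurityEnabled()` returns a boxed `Boolean` (the listener hunk in this patch treats the extension value as nullable), `!Objects.equals(...)` is also the safer comparison than `!=`. With `java.util.Objects` imported, the body can be `NeutronPort original = neutronPort.getOriginalPort(); return original != null && !Objects.equals(original.getPortSecurityEnabled(), neutronPort.getPortSecurityEnabled());`, and the trace message `isPortSecuirtyEnableUpdated` has a typo.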
--- a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/SecurityServicesImpl.java +++ b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/SecurityServicesImpl.java @@ -426,6 +426,45 @@ public class SecurityServicesImpl implements ConfigInterface, SecurityServicesMa } + @Override + public void syncFixedSecurityGroup(NeutronPort port, boolean write) { + + Node node = getNode(port); + if (node == null) { + return; + } + NeutronNetwork neutronNetwork = neutronNetworkCache.getNetwork(port.getNetworkUUID()); + if (null == neutronNetwork) { + neutronNetwork = neutronL3Adapter.getNetworkFromCleanupCache(port.getNetworkUUID()); + if (neutronNetwork == null) { + return; + } + } + OvsdbTerminationPointAugmentation intf = getInterface(node, port); + if (intf == null) { + return; + } + String attachedMac = southbound.getInterfaceExternalIdsValue(intf, Constants.EXTERNAL_ID_VM_MAC); + if (attachedMac == null) { + LOG.debug("syncFixedSecurityGroup: No AttachedMac seen in {}", intf); + return; + } + long dpid = getDpidOfIntegrationBridge(node); + if (dpid == 0L) { + return; + } + String segmentationId = neutronNetwork.getProviderSegmentationID(); + long localPort = southbound.getOFPort(intf); + NeutronPort dhcpPort = this.getDhcpServerPort(intf); + List srcAddressList = null; + srcAddressList = this.getIpAddressList(intf); + ingressAclProvider.programFixedSecurityGroup(dpid, segmentationId, + dhcpPort.getMacAddress(), localPort, attachedMac, write); + egressAclProvider.programFixedSecurityGroup(dpid, segmentationId, + attachedMac, localPort, srcAddressList, write);; + + } + @Override public void syncSecurityGroup(NeutronPort port, List securityGroupList, boolean write) { LOG.trace("syncSecurityGroup:" + securityGroupList + " Write:" + write); 
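Review bot: `dhcpPort.getMacAddress()` is called without checking the result of `this.getDhcpServerPort(intf)`; if that lookup can return null (a network without a DHCP port), the method throws with the egress fixed flows still unprogrammed, whereas every other lookup in this block guards null and returns. I would add `if (dhcpPort == null) { LOG.debug("syncFixedSecurityGroup: No DHCP server port found for {}", intf); return; }` before the provider calls, or pass a null MAC explicitly if the ingress provider is documented to tolerate it. Two smaller points in the same block: `List srcAddressList = null;` followed by an immediate assignment can be a single declaration, and `write);;` after the egress call has a stray semicolon. The node/network/interface/MAC/dpid lookup at the top duplicates the start of `syncSecurityGroup` below and would read better as one private helper shared by both methods.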
@@ -437,9 +476,9 @@ public class SecurityServicesImpl implements ConfigInterface, SecurityServicesMa
 NeutronNetwork neutronNetwork = neutronNetworkCache.getNetwork(port.getNetworkUUID());
 if (null == neutronNetwork) {
 neutronNetwork = neutronL3Adapter.getNetworkFromCleanupCache(port.getNetworkUUID());
- }
- if (neutronNetwork == null) {
- return;
+ if (neutronNetwork == null) {
+ return;
+ }
 }
 String segmentationId = neutronNetwork.getProviderSegmentationID();
 OvsdbTerminationPointAugmentation intf = getInterface(node, port);
@@ -449,7 +488,7 @@ public class SecurityServicesImpl implements ConfigInterface, SecurityServicesMa
 long localPort = southbound.getOFPort(intf);
 String attachedMac = southbound.getInterfaceExternalIdsValue(intf, Constants.EXTERNAL_ID_VM_MAC);
 if (attachedMac == null) {
- LOG.debug("programVlanRules: No AttachedMac seen in {}", intf);
+ LOG.debug("syncSecurityGroup: No AttachedMac seen in {}", intf);
 return;
 }
 long dpid = getDpidOfIntegrationBridge(node);
diff --git a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/translator/iaware/impl/NeutronPortChangeListener.java b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/translator/iaware/impl/NeutronPortChangeListener.java
index ea9b98f84b..e28ff4e888 100644
--- a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/translator/iaware/impl/NeutronPortChangeListener.java
+++ b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/translator/iaware/impl/NeutronPortChangeListener.java
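Review bot: The moved null check mixes `if (null == neutronNetwork)` on the context line with `if (neutronNetwork == null)` on the added line three lines later; picking one form (the other guards in this method use `x == null`) keeps the block consistent. Behaviour is unchanged, since the inner check is only reachable when the first cache lookup returned null. `syncSecurityGroup` starts and ends outside the hunk.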
@@ -38,6 +38,7 @@ import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.ports.rev150712.por
 import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.ports.rev150712.port.attributes.FixedIps;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.ports.rev150712.ports.attributes.Ports;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.ports.rev150712.ports.attributes.ports.Port;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.portsecurity.rev150712.PortSecurityExtension;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.rev150712.Neutron;
 import org.opendaylight.yangtools.concepts.ListenerRegistration;
 import org.opendaylight.yangtools.yang.binding.DataObject;
@@ -204,6 +205,10 @@ public class NeutronPortChangeListener implements ClusteredDataChangeListener, A
 }
 result.setBindingvifType(binding.getVifType());
 result.setBindingvnicType(binding.getVnicType());
+ PortSecurityExtension portSecurity = port.getAugmentation(PortSecurityExtension.class);
+ if (portSecurity != null && portSecurity.isPortSecurityEnabled() != null) {
+ result.setPortSecurityEnabled(portSecurity.isPortSecurityEnabled());
+ }
 }

 private Map getChangedPorts(Map, DataObject> changedData) {
-- 
2.36.6
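Review bot: When the port carries no `PortSecurityExtension` augmentation, or its value is null, `result` keeps whatever default `NeutronPort` assigns to the flag, and nothing in the listener says what that default is meant to be; the L3 adapter in this patch branches on `getPortSecurityEnabled()` and compares it with the original port, so that default decides whether ACL flows are programmed at all. A comment on the guard would make the intent explicit, e.g. `// No port-security augmentation: keep NeutronPort's default, which the ACL code treats as the effective setting.` The enclosing method begins before this hunk.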