feat(port security): adds port security strategy 90/9890/15
authorbravof <fbravo@whitestack.com>
Tue, 20 Oct 2020 13:27:42 +0000 (10:27 -0300)
committerbravof <fbravo@whitestack.com>
Mon, 26 Oct 2020 18:29:44 +0000 (15:29 -0300)
Change-Id: I31b067a787f3f9b90b1e8f9cb7ba042e723c270b
Signed-off-by: bravof <fbravo@whitestack.com>
RO-VIM-openstack/osm_rovim_openstack/vimconn_openstack.py
RO/osm_ro/database_utils/migrate_mano_db.sh
RO/osm_ro/nfvo.py
RO/osm_ro/openmanod.py

index 99cb64f..acc5ba8 100644 (file)
@@ -1338,7 +1338,7 @@ class vimconnector(vimconn.VimConnector):
                 # is dropped.
                 # As a workaround we wait until the VM is active and then disable the port-security
                 if net.get("port_security") is False and not self.config.get("no_port_security_extension"):
-                    no_secured_ports.append(new_port["port"]["id"])
+                    no_secured_ports.append((new_port["port"]["id"], net.get("port_security_disable_strategy")))
 
             # if metadata_vpci:
             #     metadata = {"pci_assignement": json.dumps(metadata_vpci)}
@@ -1412,13 +1412,33 @@ class vimconnector(vimconn.VimConnector):
             if no_secured_ports:
                 self.__wait_for_vm(server.id, 'ACTIVE')
 
-            for port_id in no_secured_ports:
+            for port in no_secured_ports:
+                port_update = {
+                    "port": {
+                        "port_security_enabled": False,
+                        "security_groups": None
+                    }
+                }
+
+                if port[1] == "allow-address-pairs":
+                    port_update = {
+                        "port": {
+                            "allowed_address_pairs": [
+                                {
+                                    "ip_address": "0.0.0.0/0"
+                                }
+                            ]
+                        }
+                    }
+
                 try:
-                    self.neutron.update_port(port_id,
-                                             {"port": {"port_security_enabled": False, "security_groups": None}})
+                    self.neutron.update_port(port[0], port_update)
                 except Exception:
-                    raise vimconn.VimConnException("It was not possible to disable port security for port {}".format(
-                        port_id))
+                    raise vimconn.VimConnException(
+                        "It was not possible to disable port security for port {}"
+                        .format(port[0])
+                    )
+
             # print "DONE :-)", server
 
             # pool_id = None
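Review bot: Any strategy other than the exact string `allow-address-pairs` falls through to the default `port_update` at the top of the loop, which turns port security off and clears the security groups, so a misspelled or unsupported value silently gets the most permissive outcome. Unknown values could be rejected before the update, for example `elif port[1] not in (None, "full"): raise vimconn.VimConnException("Unknown port security disable strategy {}".format(port[1]))`. The `except Exception` also discards the Neutron error and reports "disable port security" even on the address-pairs path, so binding the exception and adding `str(e)` to the message would make failures diagnosable. A comment on the `0.0.0.0/0` entry should say that it relaxes source-address filtering for IPv4 only and leaves the port's security groups in place. The enclosing method starts and ends outside this hunk.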
index 334b5ab..12f4566 100755 (executable)
@@ -36,7 +36,7 @@ QUIET_MODE=""
 BACKUP_DIR=""
 BACKUP_FILE=""
 # TODO update it with the last database version
-LAST_DB_VERSION=41
+LAST_DB_VERSION=42
 
 # Detect paths
 MYSQL=$(which mysql)
@@ -199,6 +199,7 @@ fi
 #[ $OPENMANO_VER_NUM -ge 6020 ] && DB_VERSION=39  #0.6.20 =>  39
 #[ $OPENMANO_VER_NUM -ge 6000004 ] && DB_VERSION=40  #6.0.4 =>  40
 #[ $OPENMANO_VER_NUM -ge 8000000 ] && DB_VERSION=41  #8.0.0 =>  41
+#[ $OPENMANO_VER_NUM -ge 8000002 ] && DB_VERSION=42  #8.0.2 =>  42
 # TODO ... put next versions here
 
 function upgrade_to_1(){
@@ -1526,6 +1527,19 @@ function downgrade_from_41(){
     sql "DELETE FROM schema_version WHERE version_int='41';"
 }
 
+function upgrade_to_42(){
+    echo "      Adding 'port_security_disable_strategy' to 'interfaces'"
+    sql "ALTER TABLE interfaces    ADD COLUMN port_security_disable_strategy CHAR(25);"
+    sql "INSERT INTO schema_version (version_int, version, openmano_ver, comments, date) " \
+        "VALUES (42, '0.42', '8.0.2', 'Adding port_security_disable_strategy to interfaces', '2020-10-19');"
+}
+
+function downgrade_to_42(){
+    echo "      Removing 'port_security_disable_strategy' from 'interfaces'"
+    sql "ALTER TABLE interfaces     DROP port_security_disable_strategy;"
+    sql "DELETE FROM schema_version WHERE version_int='42';"
+}
+
 #TODO ... put functions here
 
 
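Review bot: The rollback function is named `downgrade_to_42`, while the existing one visible in the hunk header is `downgrade_from_41`. The dispatcher is outside this hunk, but if it calls downgrades by the `downgrade_from_N` name, the version 42 rollback will not be found and the new column will stay in place. Renaming it to `function downgrade_from_42(){` keeps it in line with the other migrations.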
index a7b15a2..74cfbf0 100644 (file)
@@ -1198,8 +1198,9 @@ def new_vnfd_v3(mydb, tenant_id, vnf_descriptor):
                                 vdu_id2cp_name[vdu_id] = db_interface["external_name"]
 
                             # port security
-                            if str(cp_descriptor.get("port-security-enabled")).lower() == "false":
+                            if "port-security-disable-strategy" in cp_descriptor or str(cp_descriptor.get("port-security-enabled")).lower() == "false":
                                 db_interface["port_security"] = 0
+                                db_interface["port_security_disable_strategy"] = cp_descriptor.get("port-security-disable-strategy", "full")
                             elif str(cp_descriptor.get("port-security-enabled")).lower() == "true":
                                 db_interface["port_security"] = 1
                         except KeyError:
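Review bot: The new condition treats the mere presence of `port-security-disable-strategy` as a request to disable, so a connection point that sets `port-security-enabled` to true and also carries a strategy ends up with `db_interface["port_security"] = 0`. The same condition is repeated for `icp_descriptor` in the next hunk. If that precedence is intended, it deserves a comment such as `# a disable strategy overrides port-security-enabled`; otherwise the strategy should be honoured only when port security is explicitly false. The strategy string is also stored as given, so checking it here against the values this commit handles (`"full"`, `"allow-address-pairs"`) would reject a bad descriptor at onboarding rather than at VM creation. The enclosing function starts and ends outside this hunk.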
@@ -1233,8 +1234,9 @@ def new_vnfd_v3(mydb, tenant_id, vnf_descriptor):
                                     ("SR-IOV", "PCI-PASSTHROUGH"):
                                 db_nets[net_id2index[icp_vld.get("id")]]["type"] = "data"
                             db_interface["net_id"] = net_id2uuid[icp_vld.get("id")]
-                            if str(icp_descriptor.get("port-security-enabled")).lower() == "false":
+                            if "port-security-disable-strategy" in icp_descriptor or str(icp_descriptor.get("port-security-enabled")).lower() == "false":
                                 db_interface["port_security"] = 0
+                                db_interface["port_security_disable_strategy"] = icp_descriptor.get("port-security-disable-strategy", "full")
                             elif str(icp_descriptor.get("port-security-enabled")).lower() == "true":
                                 db_interface["port_security"] = 1
                             if icp.get("ip-address"):
@@ -4115,6 +4117,8 @@ def instantiate_vnf(mydb, sce_vnf, params, params_out, rollbackList):
                 netDict['ip_address'] = iface['ip_address']
             if iface.get("port-security") is not None:
                 netDict['port_security'] = iface['port-security']
+            if iface.get("port_security_disable_strategy") is not None:
+                netDict['port_security_disable_strategy'] = iface['port_security_disable_strategy']
             if iface.get("floating-ip") is not None:
                 netDict['floating_ip'] = iface['floating-ip']
             netDict['name'] = iface['internal_name']
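Review bot: The new lookup uses the underscore key `port_security_disable_strategy`, while the neighbouring checks read hyphenated keys (`port-security`, `floating-ip`) from the same `iface` dict, and the code that fills `iface` is outside this hunk. If that code does not expose the new column under exactly this key, the strategy is dropped here without any error. The connector would then apply its default, which is the full disable. A short comment such as `# key is the interfaces column name, not a hyphenated alias` would make the expectation checkable.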
index d53450d..d6ac566 100755 (executable)
@@ -54,8 +54,8 @@ import osm_ro
 __author__ = "Alfonso Tierno, Gerardo Garcia, Pablo Montes"
 __date__ = "$26-aug-2014 11:09:29$"
 __version__ = "8.0.0.post1"
-version_date = "Jul 2020"
-database_version = 41      # expected database schema version
+version_date = "Oct 2020"
+database_version = 42      # expected database schema version
 
 global global_config
 global logger