From 20f0f663894d9e8a6b1f1b660ee82e04bb2fbcd8 Mon Sep 17 00:00:00 2001
From: Gary Kotton
Date: Thu, 16 Nov 2017 20:10:00 +0200
Subject: [PATCH] NSX|V3: ensure provider securiry updates are done
An update for the dynamic criteria tags is done by comparing the old and the new. The problem is that the provider security groups are part of the security groups and need to be removed from the normal security groups. This would result in the port to be updated but the tags not correctly set on the NSX.
Change-Id: Ia100eb7e546124ca588b1306db63ae6f24d39e9f
---
 vmware_nsx/plugins/nsx_v3/plugin.py | 2 ++
 .../extensions/test_provider_security_groups.py | 15 ++++++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/vmware_nsx/plugins/nsx_v3/plugin.py b/vmware_nsx/plugins/nsx_v3/plugin.py
index 0b6cbe2c2a..f46d2a7009 100644
--- a/vmware_nsx/plugins/nsx_v3/plugin.py
+++ b/vmware_nsx/plugins/nsx_v3/plugin.py
@@ -2860,6 +2860,7 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
 with db_api.context_manager.writer.using(context):
 original_port = super(NsxV3Plugin, self).get_port(context, id)
+ self._remove_provider_security_groups_from_list(original_port)
 port_data = port['port']
 nsx_lswitch_id, nsx_lport_id = nsx_db.get_nsx_switch_and_port_id(
 context.session, id)
@@ -2918,6 +2919,7 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
 raise n_exc.InvalidInput(error_message=msg)
 self._update_mac_learning_state(context, id, mac_learning_state)
+ self._remove_provider_security_groups_from_list(updated_port)
 address_bindings = self._build_address_bindings(updated_port)
 if port_security and address_bindings:
diff --git a/vmware_nsx/tests/unit/extensions/test_provider_security_groups.py b/vmware_nsx/tests/unit/extensions/test_provider_security_groups.py
index 83742c6738..0f19a678e1 100644
--- a/vmware_nsx/tests/unit/extensions/test_provider_security_groups.py
+++ b/vmware_nsx/tests/unit/extensions/test_provider_security_groups.py
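Review bot: In vmware_nsx/plugins/nsx_v3/plugin.py, the two added calls to `_remove_provider_security_groups_from_list` (on `original_port` at @@ -2860 and on `updated_port` at @@ -2918) discard the return value and carry no comment, so a reader cannot tell that they are what keeps the old/new security-group comparison for the NSX criteria tags correct. Presumably the helper edits the port dict in place; if so, say it at both sites, e.g. `# provider SGs are also listed under 'security_groups'; strip them in place so the old/new comparison that drives the NSX tags sees only regular groups`. In the second hunk the strip runs only after `_update_mac_learning_state`, so any earlier code in the method that reads `updated_port['security_groups']` would still see provider groups; that code is outside the hunk and worth checking. The enclosing method starts and ends outside both hunks.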
@@ -344,7 +344,20 @@ class ProviderSecurityGroupExtTestCase(
 class TestNSXv3ProviderSecurityGrp(test_nsxv3_plugin.NsxV3PluginTestCaseMixin,
 ProviderSecurityGroupExtTestCase):
- pass
+
+ def test_update_port_remove_provider_sg(self):
+ # need to create provider security group first.
+ self._create_provider_security_group()
+ with self.port(tenant_id=self._tenant_id) as p:
+ body = {'port': {'provider_security_groups': []}}
+ req = self.new_update_request('ports', body, p['port']['id'])
+ port = self.deserialize(self.fmt, req.get_response(self.api))
+ # confirm that the group has been removed.
+ self.assertEqual([], port['port']['provider_security_groups'])
+ # make sure that the security groups did not contain the provider
+ # security group
+ self.assertEqual(p['port']['security_groups'],
+ port['port']['security_groups'])
 class TestNSXvProviderSecurityGroup(test_nsxv_plugin.NsxVPluginV2TestCase,
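Review bot: `test_update_port_remove_provider_sg` never checks that the port started out with the provider group attached, and it only inspects the API response, so it would still pass if `_create_provider_security_group()` had no effect on the port, and it does not cover the NSX tag update that the commit message names as the defect. Add a precondition inside the `with` block, `self.assertEqual(1, len(p['port']['provider_security_groups']))`, before the update request is sent. A second assertion on the tags passed to the mocked NSX backend port update would pin the behaviour that matters for enforcement; which call to patch is not visible in this hunk.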