Merge "Allow creating security rules without protocol"

Zuul · openstack-gerrit · commit e83a0941a322 · 2017-10-21T17:20:10.000Z
diff --git a/openstackclient/network/v2/security_group_rule.py b/openstackclient/network/v2/security_group_rule.py
@@ -159,8 +159,8 @@ def update_parser_network(self, parser):
             help=_("IP protocol (ah, dccp, egp, esp, gre, icmp, igmp, "
                    "ipv6-encap, ipv6-frag, ipv6-icmp, ipv6-nonxt, "
                    "ipv6-opts, ipv6-route, ospf, pgm, rsvp, sctp, tcp, "
-                   "udp, udplite, vrrp and integer representations [0-255]; "
-                   "default: tcp)")
+                   "udp, udplite, vrrp and integer representations [0-255] "
+                   "or any; default: tcp)")
         )
         protocol_group.add_argument(
             '--proto',
@@ -230,14 +230,16 @@ def _get_protocol(self, parsed_args):
             protocol = parsed_args.protocol
         if parsed_args.proto is not None:
             protocol = parsed_args.proto
+        if protocol == 'any':
+            protocol = None
         return protocol
 
     def _is_ipv6_protocol(self, protocol):
         # NOTE(rtheis): Neutron has deprecated protocol icmpv6.
         # However, while the OSC CLI doesn't document the protocol,
         # the code must still handle it. In addition, handle both
         # protocol names and numbers.
-        if (protocol.startswith('ipv6-') or
+        if (protocol is not None and protocol.startswith('ipv6-') or
                 protocol in ['icmpv6', '41', '43', '44', '58', '59', '60']):
             return True
         else:
diff --git a/openstackclient/tests/unit/network/v2/test_security_group_rule_network.py b/openstackclient/tests/unit/network/v2/test_security_group_rule_network.py
@@ -211,6 +211,36 @@ def test_create_proto_option(self):
         self.assertEqual(self.expected_columns, columns)
         self.assertEqual(self.expected_data, data)
 
+    def test_create_protocol_any(self):
+        self._setup_security_group_rule({
+            'protocol': None,
+            'remote_ip_prefix': '10.0.2.0/24',
+        })
+        arglist = [
+            '--proto', 'any',
+            '--src-ip', self._security_group_rule.remote_ip_prefix,
+            self._security_group.id,
+        ]
+        verifylist = [
+            ('proto', 'any'),
+            ('protocol', None),
+            ('src_ip', self._security_group_rule.remote_ip_prefix),
+            ('group', self._security_group.id),
+        ]
+        parsed_args = self.check_parser(self.cmd, arglist, verifylist)
+
+        columns, data = self.cmd.take_action(parsed_args)
+
+        self.network.create_security_group_rule.assert_called_once_with(**{
+            'direction': self._security_group_rule.direction,
+            'ethertype': self._security_group_rule.ether_type,
+            'protocol': self._security_group_rule.protocol,
+            'remote_ip_prefix': self._security_group_rule.remote_ip_prefix,
+            'security_group_id': self._security_group.id,
+        })
+        self.assertEqual(self.expected_columns, columns)
+        self.assertEqual(self.expected_data, data)
+
     def test_create_remote_group(self):
         self._setup_security_group_rule({
             'port_range_max': 22,
diff --git a/releasenotes/notes/bug-1712242-934bbe2f2378f5bd.yaml b/releasenotes/notes/bug-1712242-934bbe2f2378f5bd.yaml
@@ -0,0 +1,12 @@
+---
+features:
+  - |
+    Add ``any`` as a ``--protocol`` option to ``security group rule create``
+    command.
+    [Bug `1517134 <https://bugs.launchpad.net/bugs/1712242>`_]
+fixes:
+  - |
+    It is now possible to create a security rule without specifying protocol
+    (using ``--protocol any``), which skips sending the protocol to the API
+    server entirely. Previously TCP was forced as default protocol when none
+    was specified.
