Allow regular user to get quotas

The project user can query the project's own resource quota. Story: 2009140 Task: 43082 Change-Id: Iebac740e982a89fcf882a2cfc3e447ac53ee6656
2021-08-25 16:11:12 +12:00 · 2021-08-25 16:11:12 +12:00 · f3459e2662
commit f3459e2662
parent c3a8930eb1
6 changed files with 98 additions and 3 deletions
--- a/api-ref/source/quotas.inc
+++ b/api-ref/source/quotas.inc
@ -38,7 +38,8 @@ Show resources quota for a specific project

 .. rest_method::  GET /v1.0/{project_id}/mgmt/quotas/{user_project}

-Admin only action by default.
+Admin can query resource quota of any project. The project user can only show
+the project's own quota.

 Normal response codes: 200

--- a/releasenotes/notes/xena-allow-project-show-resource-quota.yaml
+++ b/releasenotes/notes/xena-allow-project-show-resource-quota.yaml
@ -0,0 +1,3 @@
+---
+features:
+  - The project user can query the project's own resource quota.
--- a/trove/common/wsgi.py
+++ b/trove/common/wsgi.py
@ -324,6 +324,7 @@ class Controller(object):
            exception.ModuleAppliedToInstance,
            exception.PolicyNotAuthorized,
            exception.LogAccessForbidden,
+            exception.TroveOperationAuthError,
        ],
        webob.exc.HTTPBadRequest: [
            exception.InvalidModelError,
--- a/trove/extensions/mgmt/quota/service.py
+++ b/trove/extensions/mgmt/quota/service.py
@ -29,12 +29,21 @@ LOG = logging.getLogger(__name__)
 class QuotaController(wsgi.Controller):
    """Controller for quota functionality."""

-    @admin_context
    def show(self, req, tenant_id, id):
-        """Return all quotas for this tenant."""
+        """Return all quotas for this tenant.
+
+        Regular tenant can get his own resource quota.
+        Admin user can get quota for any tenant.
+        """
        LOG.info("Indexing quota info for tenant '%(id)s'\n"
                 "req : '%(req)s'\n\n", {"id": id, "req": req})

+        context = req.environ[wsgi.CONTEXT_KEY]
+        if id != tenant_id and not context.is_admin:
+            raise exception.TroveOperationAuthError(
+                tenant_id=tenant_id
+            )
+
        usages = quota_engine.get_all_quota_usages_by_tenant(id)
        limits = quota_engine.get_all_quotas_by_tenant(id)
        for key in usages.keys():
--- a/trove/tests/unittests/extensions/mgmt/quota/init.py
+++ b/trove/tests/unittests/extensions/mgmt/quota/init.py
--- a/trove/tests/unittests/extensions/mgmt/quota/test_service.py
+++ b/trove/tests/unittests/extensions/mgmt/quota/test_service.py
@ -0,0 +1,81 @@
+# Copyright 2021 Catalyst Cloud
+#
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+from unittest import mock
+
+from trove.common import exception
+from trove.common import wsgi
+from trove.extensions.mgmt.quota import service as quota_service
+from trove.tests.unittests import trove_testtools
+from trove.tests.unittests.util import util
+
+
+class TestQuotaController(trove_testtools.TestCase):
+    @classmethod
+    def setUpClass(cls):
+        util.init_db()
+        cls.controller = quota_service.QuotaController()
+        cls.admin_project_id = cls.random_uuid()
+        super(TestQuotaController, cls).setUpClass()
+
+    @classmethod
+    def tearDownClass(cls):
+        util.cleanup_db()
+        super(TestQuotaController, cls).tearDownClass()
+
+    def test_show_admin_query(self):
+        user_project_id = self.random_uuid()
+        req_mock = mock.MagicMock(
+            environ={
+                wsgi.CONTEXT_KEY: mock.MagicMock(
+                    project_id=self.admin_project_id,
+                    is_admin=True
+                )
+            }
+        )
+        result = self.controller.show(req_mock, self.admin_project_id,
+                                      user_project_id)
+
+        self.assertEqual(200, result.status)
+
+    def test_show_user_query(self):
+        """Show the tenant's own quota."""
+        user_project_id = self.random_uuid()
+        req_mock = mock.MagicMock(
+            environ={
+                wsgi.CONTEXT_KEY: mock.MagicMock(
+                    is_admin=False
+                )
+            }
+        )
+        result = self.controller.show(req_mock, user_project_id,
+                                      user_project_id)
+
+        self.assertEqual(200, result.status)
+
+    def test_show_user_query_not_allowed(self):
+        """Show other tenant's quota should fail."""
+        user_project_id = self.random_uuid()
+        req_mock = mock.MagicMock(
+            environ={
+                wsgi.CONTEXT_KEY: mock.MagicMock(
+                    is_admin=False
+                )
+            }
+        )
+        self.assertRaises(
+            exception.TroveOperationAuthError,
+            self.controller.show,
+            req_mock, user_project_id,
+            self.random_uuid()
+        )