From c7dbed99d115989ad8d03db7dc3ffbcaa6fb78c3 Mon Sep 17 00:00:00 2001
From: Dan Prince <dprince@redhat.com>
Date: Wed, 4 Apr 2012 09:38:59 -0400
Subject: Add validation on quota limits (negative numbers).

Quotas should not accept negative numbers other than -1.

Fixes LP Bug #973034.

Change-Id: Icc647d80df42d09928717d48ae95dfc8b76c4795
---
 nova/api/openstack/compute/contrib/quotas.py            |  7 +++++++
 nova/tests/api/openstack/compute/contrib/test_quotas.py | 12 ++++++++++++
 2 files changed, 19 insertions(+)

(limited to 'nova')

diff --git a/nova/api/openstack/compute/contrib/quotas.py b/nova/api/openstack/compute/contrib/quotas.py
index f669fad79..cf42b434f 100644
--- a/nova/api/openstack/compute/contrib/quotas.py
+++ b/nova/api/openstack/compute/contrib/quotas.py
@@ -53,6 +53,12 @@ class QuotaSetsController(object):
 
         return dict(quota_set=result)
 
+    def _validate_quota_limit(self, limit):
+        # NOTE: -1 is a flag value for unlimited
+        if limit < -1:
+            msg = _("Quota limit must be -1 or greater.")
+            raise webob.exc.HTTPBadRequest(explanation=msg)
+
     @wsgi.serializers(xml=QuotaTemplate)
     def show(self, req, id):
         context = req.environ['nova.context']
@@ -72,6 +78,7 @@ class QuotaSetsController(object):
         for key in body['quota_set'].keys():
             if key in quota.quota_resources:
                 value = int(body['quota_set'][key])
+                self._validate_quota_limit(value)
                 try:
                     db.quota_update(context, project_id, key, value)
                 except exception.ProjectQuotaNotFound:
diff --git a/nova/tests/api/openstack/compute/contrib/test_quotas.py b/nova/tests/api/openstack/compute/contrib/test_quotas.py
index 46753b883..ea34a4e86 100644
--- a/nova/tests/api/openstack/compute/contrib/test_quotas.py
+++ b/nova/tests/api/openstack/compute/contrib/test_quotas.py
@@ -119,6 +119,18 @@ class QuotaSetsTest(test.TestCase):
         self.assertRaises(webob.exc.HTTPForbidden, self.controller.update,
                           req, 'update_me', body)
 
+    def test_quotas_update_invalid_limit(self):
+        body = {'quota_set': {'instances': -2, 'cores': -2,
+                              'ram': -2, 'volumes': -2,
+                              'gigabytes': -2, 'floating_ips': -2,
+                              'metadata_items': -2, 'injected_files': -2,
+                              'injected_file_content_bytes': -2}}
+
+        req = fakes.HTTPRequest.blank('/v2/fake4/os-quota-sets/update_me',
+                                      use_admin_context=True)
+        self.assertRaises(webob.exc.HTTPBadRequest, self.controller.update,
+                          req, 'update_me', body)
+
 
 class QuotaXMLSerializerTest(test.TestCase):
     def setUp(self):
-- 
cgit