From 0d91b1a86a211610f78ac5c0df5a0b02b5a2f3a1 Mon Sep 17 00:00:00 2001
From: Abhijeet Malawade <Abhijeet.Malawade@nttdata.com>
Date: Wed, 6 Nov 2013 03:20:54 -0800
Subject: [PATCH] Do not allow bad keys while updating quota

Raise 400 (bad request) error instead of 200 (ok) if bad keys
are passed to the update quota request

Closes-Bug: #1248815

Change-Id: Iaefaa4961dd3783dfab15f843cbb2dcb12195a7d
---
 cinder/api/contrib/quotas.py            | 33 ++++++++++++++++++-------
 cinder/tests/api/contrib/test_quotas.py |  4 +--
 2 files changed, 26 insertions(+), 11 deletions(-)

diff --git a/cinder/api/contrib/quotas.py b/cinder/api/contrib/quotas.py
index a21f99106..08b233152 100644
--- a/cinder/api/contrib/quotas.py
+++ b/cinder/api/contrib/quotas.py
@@ -23,11 +23,13 @@ from cinder.api import xmlutil
 from cinder import db
 from cinder.db.sqlalchemy import api as sqlalchemy_api
 from cinder import exception
+from cinder.openstack.common.gettextutils import _
 from cinder.openstack.common import strutils
 from cinder import quota
 
 
 QUOTAS = quota.QUOTAS
+NON_QUOTA_KEYS = ['tenant_id', 'id']
 
 
 authorize_update = extensions.extension_authorizer('volume', 'quotas:update')
@@ -96,16 +98,29 @@ class QuotaSetsController(object):
         context = req.environ['cinder.context']
         authorize_update(context)
         project_id = id
+        bad_keys = []
+
+        for key, value in body['quota_set'].items():
+            if (key not in QUOTAS and key not in NON_QUOTA_KEYS):
+                bad_keys.append(key)
+                continue
+
+        if len(bad_keys) > 0:
+            msg = _("Bad key(s) in quota set: %s") % ",".join(bad_keys)
+            raise webob.exc.HTTPBadRequest(explanation=msg)
+
         for key in body['quota_set'].keys():
-            if key in QUOTAS:
-                self._validate_quota_limit(body['quota_set'][key])
-                value = int(body['quota_set'][key])
-                try:
-                    db.quota_update(context, project_id, key, value)
-                except exception.ProjectQuotaNotFound:
-                    db.quota_create(context, project_id, key, value)
-                except exception.AdminRequired:
-                    raise webob.exc.HTTPForbidden()
+            if key in NON_QUOTA_KEYS:
+                continue
+
+            self._validate_quota_limit(body['quota_set'][key])
+            value = int(body['quota_set'][key])
+            try:
+                db.quota_update(context, project_id, key, value)
+            except exception.ProjectQuotaNotFound:
+                db.quota_create(context, project_id, key, value)
+            except exception.AdminRequired:
+                raise webob.exc.HTTPForbidden()
         return {'quota_set': self._get_quotas(context, id)}
 
     @wsgi.serializers(xml=QuotaTemplate)
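Review bot: The second loop still calls `self._validate_quota_limit(...)` for each key immediately before writing it, so a body with one valid limit and one invalid value can persist the first key through `db.quota_update` and only then fail, leaving a rejected request partially applied. The new first loop already walks every item, so it could check the values as well, e.g. `elif key in QUOTAS: self._validate_quota_limit(value)`, so that nothing is written until the whole body has been accepted. That would also use the currently unused `value`, and the trailing `continue` there can be dropped. Separately, `body['quota_set']` is indexed with no visible check that the key is present; the start of `update` is outside this hunk, so confirm that a body lacking `quota_set` yields a 400 rather than an unhandled KeyError.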
diff --git a/cinder/tests/api/contrib/test_quotas.py b/cinder/tests/api/contrib/test_quotas.py
index c145870e1..4a70f68c0 100644
--- a/cinder/tests/api/contrib/test_quotas.py
+++ b/cinder/tests/api/contrib/test_quotas.py
@@ -83,8 +83,8 @@ class QuotaSetsControllerTest(test.TestCase):
 
     def test_update_wrong_key(self):
         body = {'quota_set': {'bad': 'bad'}}
-        result = self.controller.update(self.req, 'foo', body)
-        self.assertDictMatch(result, make_body(tenant_id=None))
+        self.assertRaises(webob.exc.HTTPBadRequest, self.controller.update,
+                          self.req, 'foo', body)
 
     def test_update_invalid_key_value(self):
         body = {'quota_set': {'gigabytes': "should_be_int"}}
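Review bot: `test_update_wrong_key` only exercises a body made up solely of an unknown key, so the interesting case for the new check is untested: a body mixing a valid quota with a bad key, with an assertion that no quota was changed when the 400 is raised. A second case passing `tenant_id` or `id` alongside a valid quota would pin down that `NON_QUOTA_KEYS` are accepted and skipped rather than rejected. The body of `test_update_invalid_key_value` continues outside this hunk.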
-- 
2.45.2