add the option to disable auto approve for tasks

* This add a simple config option for tasks that lets a deployer
  selectively disable auto_approve for tasks that normally would
  approve themselves.
* adds a test to confirm this functionality works as expected.
* add a doc note about how to use this feature.

Implements: disable-auto-approve
Change-Id: I3cabd8a39c9ff1d3fc3f4dd8c50a8fa83f031fcf

adjutant/actions/v1/base.py

@@ -120,9 +120,15 @@ class BaseAction(object):
         return self.action.auto_approve
 
     def set_auto_approve(self, can_approve=True):
-        self.add_note("Auto approve set to %s." % can_approve)
-        self.action.auto_approve = can_approve
-        self.action.save()
+        task_conf = settings.TASK_SETTINGS.get(self.action.task.task_type, {})
+        if task_conf.get('allow_auto_approve', True):
+            self.add_note("Auto approve set to %s." % can_approve)
+            self.action.auto_approve = can_approve
+            self.action.save()
+        else:
+            self.add_note("Task disallows action auto approve.")
+            self.action.auto_approve = False
+            self.action.save()
 
     def add_note(self, note):
         """

adjutant/api/v1/tests/test_api_openstack.py

@@ -1159,3 +1159,39 @@ class QuotaAPITests(APITestCase):
                                     headers=headers, format='json')
 
         self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+
+    @modify_dict_settings(TASK_SETTINGS=[
+        {'key_list': ['update_quota', 'allow_auto_approve'],
+         'operation': 'override',
+         'value': False,
+         }])
+    def test_no_auto_approved_quota_change(self):
+        """ Test allow_auto_approve config setting on a task."""
+
+        project = fake_clients.FakeProject(
+            name="test_project", id='test_project_id')
+
+        user = fake_clients.FakeUser(
+            name="test@example.com", password="123", email="test@example.com")
+
+        setup_identity_cache(projects=[project], users=[user])
+
+        headers = {
+            'project_name': "test_project",
+            'project_id': project.id,
+            'roles': "project_admin,_member_,project_mod",
+            'username': "test@example.com",
+            'user_id': "user_id",
+            'authenticated': True
+        }
+
+        url = "/v1/openstack/quotas/"
+
+        data = {'size': 'medium', 'regions': ['RegionOne', 'RegionTwo']}
+        response = self.client.post(url, data, headers=headers, format='json')
+
+        self.assertEqual(response.status_code, status.HTTP_202_ACCEPTED)
+
+        self.check_quota_cache('RegionOne', 'test_project_id', 'small')
+
+        self.check_quota_cache('RegionTwo', 'test_project_id', 'small')

doc/source/configuration.rst

@@ -135,18 +135,27 @@ options are available, overriding the default actions or adding in additional
 actions. These will run in the order specified.
 
 .. code-block:: yaml
-
-    signup:
-        default_actions:
-             - NewProjectAction
-    invite_user:
-        additional_actions:
-            - SendAdditionalEmailAction
+    TASK_SETTINGS:
+        signup:
+            default_actions:
+                 - NewProjectAction
+        invite_user:
+            additional_actions:
+                - SendAdditionalEmailAction
 
 
 By default duplicate tasks will be marked as invalid, however the duplicate
 policy can be set to 'cancel' to cancel duplicates and start a new class.
 
+You can also here at the task settings layer ensure that the task is never auto
+approved by it's underlying actions.
+
+.. code-block:: yaml
+    TASK_SETTINGS:
+        update_quota:
+            allow_auto_approve: False
+
+
 Email Settings
 ~~~~~~~~~~~~~~
 The ``initial`` email will be sent after the user makes the request, the