From 2ce8b589c11d37d3f13ff37cf412d00f1e718e4b Mon Sep 17 00:00:00 2001 From: James Arendt Date: Sat, 13 Feb 2016 18:54:09 -0800 Subject: [PATCH] FWaaS quota registration Builds on prior attempts to register FWaaS resources to the quota engine, such as commit Ia4d6b9a65acd1111a050dc73b63a1f0ce619cb55 which had to be reverted for bug 1513280 for failing gate via commit 28948f6559711a0d861fa76f3adf65cda22768fb. Since with router insertion a user can have a separate firewall and policy per targeted router in their tenant, the original fixes which had defaults of only 1 were too low. Also added the release notes to reflect the quota. Set default as -1 (unlimited) in Liberty to avoid breaking compatibility. Change-Id: I68a5538f7bc8df78212633c73eeca0eaae0d8455 Closes-Bug: #1399280 --- neutron_fwaas/extensions/firewall.py | 9 +++++---- .../services/firewall/test_fwaas_plugin.py | 19 ++++++++++++++++--- .../notes/enable-quotas-a3d0a21743bb1985.yaml | 17 +++++++++++++++++ 3 files changed, 38 insertions(+), 7 deletions(-) create mode 100644 releasenotes/notes/enable-quotas-a3d0a21743bb1985.yaml diff --git a/neutron_fwaas/extensions/firewall.py b/neutron_fwaas/extensions/firewall.py index 8b7b4ff62..fa45ba038 100644 --- a/neutron_fwaas/extensions/firewall.py +++ b/neutron_fwaas/extensions/firewall.py @@ -353,15 +353,15 @@ RESOURCE_ATTRIBUTE_MAP = { firewall_quota_opts = [ cfg.IntOpt('quota_firewall', - default=1, + default=-1, help=_('Number of firewalls allowed per tenant. ' 'A negative value means unlimited.')), cfg.IntOpt('quota_firewall_policy', - default=1, + default=-1, help=_('Number of firewall policies allowed per tenant. ' 'A negative value means unlimited.')), cfg.IntOpt('quota_firewall_rule', - default=100, + default=-1, help=_('Number of firewall rules allowed per tenant. ' 'A negative value means unlimited.')), ] 
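Review bot: With all three defaults in `firewall_quota_opts` set to `-1`, registering FWaaS resources with the quota engine enforces nothing until an operator configures a limit, and the help strings do not say that unlimited is now the default. `quota_firewall_rule` also moves from a finite 100 to unlimited in this hunk. I would extend each help text, for example `'A negative value means unlimited (the default).'`, and have the release note say that multi-tenant deployments should set finite values so a single tenant cannot create firewalls, policies and rules without bound.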
@@ -401,7 +401,8 @@ class Firewall(extensions.ExtensionDescriptor): return resource_helper.build_resource_info(plural_mappings, RESOURCE_ATTRIBUTE_MAP, p_const.FIREWALL, - action_map=action_map) + action_map=action_map, + register_quota=True) @classmethod def get_plugin_interface(cls): diff --git a/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin.py b/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin.py index 974c448cb..9cb679b2e 100644 --- a/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin.py +++ b/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin.py @@ -62,10 +62,8 @@ class TestFirewallRouterInsertionBase( create=True, new=test_db_firewall.FakeAgentApi().delete_firewall) self.agentapi_del_fw_p.start() - plugin = None # the plugin without L3 support - if not plugin: - plugin = 'neutron.tests.unit.extensions.test_l3.TestNoL3NatPlugin' + plugin = 'neutron.tests.unit.extensions.test_l3.TestNoL3NatPlugin' # the L3 service plugin l3_plugin = ('neutron.tests.unit.extensions.test_l3.' 'TestL3NatServicePlugin') @@ -611,3 +609,18 @@ class TestFirewallPluginBase(TestFirewallRouterInsertionBase, fw_rules = self.plugin._make_firewall_dict_with_rules( ctx, fw_id) self.assertEqual([], fw_rules['firewall_rule_list']) + + def test_firewall_quota_lower(self): + """Test quota using overridden value.""" + cfg.CONF.set_override('quota_firewall', 3, group='QUOTAS') + with self.firewall(name='quota1'), \ + self.firewall(name='quota2'), \ + self.firewall(name='quota3'): + data = {'firewall': {'name': 'quota4', + 'firewall_policy_id': None, + 'tenant_id': self._tenant_id, + 'shared': False}} + req = self.new_create_request('firewalls', data, 'json') + res = req.get_response(self.ext_api) + self.assertIn('Quota exceeded', res.body.decode('utf-8')) + self.assertEqual(exc.HTTPConflict.code, res.status_int) 
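Review bot: `register_quota=True` is added without a comment tying it to `firewall_quota_opts`, and the enclosing method starts outside the hunk, so the link between the two is not visible here. Presumably the quota engine looks up a `quota_<resource>` option for every resource in `plural_mappings`; if so, a resource added to the map later without a matching option would break at registration or at the first quota check. A comment above the call, such as `# register_quota: every resource in plural_mappings needs a quota_<name> option in firewall_quota_opts`, would make that dependency explicit.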
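Review bot: `test_firewall_quota_lower` overrides `quota_firewall` and never clears it, so unless a base-class fixture resets `cfg.CONF` (not visible in this hunk) the limit of 3 leaks into later tests. Adding `self.addCleanup(cfg.CONF.clear_override, 'quota_firewall', group='QUOTAS')` right after the `set_override` call keeps the override local to this test. The test also exercises only the firewall quota; `quota_firewall_policy` and `quota_firewall_rule` are registered by the same change and have no enforcement test, and neither does the unlimited `-1` default.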
diff --git a/releasenotes/notes/enable-quotas-a3d0a21743bb1985.yaml b/releasenotes/notes/enable-quotas-a3d0a21743bb1985.yaml
new file mode 100644
index 000000000..9c864c8ca
--- /dev/null
+++ b/releasenotes/notes/enable-quotas-a3d0a21743bb1985.yaml
@@ -0,0 +1,17 @@
+---
+prelude: >
+ Enable quotas for FWaaS.
+features:
+ - The FWaaS extension can register quotas.
+ The default values for quota_firewall,
+ quota_firewall_policy, and quota_firewall_rule
+ are set to -1 (unlimited).
+issues:
+ - Tenants may receive a 409 Conflict error with a
+ message body containing a quota exceeded message
+ during resource creation if their quota is exceeded.
+other:
+ - Operators that increase the default limit for quota_routers
+ from 10 may want to bump FWaaS quotas as well, since with
+ router insertion a tenant can potentially have a unique
+ policy and firewall for each router.