feat: add more check when delete project or user from project (#35)

- added self remove from project
- added more information in project now show members and project owner
- added more check to avoid removing user with shared quota used
- added more check to avoid deleting project with instance or volume in
it

Author: msterhuj

fob_api/models/api/openstack.py

@@ -6,7 +6,9 @@ class OpenStackProjectCreate(BaseModel):
 
 class OpenStackProject(OpenStackProjectCreate):
     id: int
-    type: str
+    name: str
+    owner: str
+    members: List[str]
 
 class OpenStackUserPassword(BaseModel):
     username: str

fob_api/routes/openstack.py

@@ -2,17 +2,23 @@
 
 from fastapi import APIRouter, Depends, HTTPException
 from sqlmodel import Session, select
+from novaclient import exceptions as nova_exceptions
+from cinderclient import exceptions as cinder_exceptions
 
 from fob_api import auth, openstack, random_end_uid, OPENSTACK_DOMAIN_ID, OPENSTACK_ROLE_MEMBER_ID, random_password, get_session
-from fob_api.models.database import User, Project, ProjectUserMembership
-from fob_api.models.api import OpenStackProject as OpenStackProjectAPI
-from fob_api.models.api import OpenStackUserPassword as OpenStackUserPasswordAPI
+from fob_api.models.database import User, Project, ProjectUserMembership # deprecated import for models
+from fob_api.models import database as db_models
+from fob_api.models import api as api_models
+from fob_api.models.api import OpenStackProject as OpenStackProjectAPI # deprecated import for models
+from fob_api.models.api import OpenStackUserPassword as OpenStackUserPasswordAPI # deprecated import for models
 from fob_api.tasks.openstack import get_or_create_user as openstack_get_or_create_user
 from fob_api.tasks.openstack import set_user_password as openstack_set_user_password
-
+from fob_api.tasks import openstack as openstack_tasks
 
 router = APIRouter(prefix="/openstack")
 
+MAX_PROJECTS_USER_OWN = 3
+
 @router.get("/projects/{username}", tags=["openstack"])
 def list_openstack_project_for_user(
         username: str,
@@ -25,18 +31,33 @@ def list_openstack_project_for_user(
     auth.is_admin_or_self(user, username)
     user_find = session.exec(select(User).where(User.username == username)).first()
     projects_owner = session.exec(select(Project).where(Project.owner_id == user_find.id)).all()
+    # get all owner projects
+    data = []
+    for project in projects_owner:
+        db_members = session.exec(select(ProjectUserMembership).where(ProjectUserMembership.project_id == project.id)).all()
+        data.append(OpenStackProjectAPI(
+            id=project.id,
+            name=project.name,
+            owner=username,
+            members=[
+                session.exec(select(User).where(User.id == member.user_id)).first().username
+                for member in db_members
+            ]
+        ))
+    # get all member projects and add to data
     project_memberships = session.exec(select(ProjectUserMembership).where(ProjectUserMembership.user_id == user_find.id)).all()
-    data = [OpenStackProjectAPI(
-        id=project.id,
-        name=project.name,
-        type="owner"
-    ) for project in projects_owner]
     for project_membership in project_memberships:
         local_project = session.exec(select(Project).where(Project.id == project_membership.project_id)).first()
+        db_members = session.exec(select(ProjectUserMembership).where(ProjectUserMembership.project_id == local_project.id)).all()
+        owner = session.exec(select(User).where(User.id == local_project.owner_id)).first()
         data.append(OpenStackProjectAPI(
             id=local_project.id,
             name=local_project.name,
-            type="member"
+            owner=owner.username,
+            members=[
+                session.exec(select(User).where(User.id == member.user_id)).first().username
+                for member in db_members
+            ]
         ))
     return data
 
@@ -45,15 +66,15 @@ def create_openstack_project(
         project_name: str,
         user: Annotated[User, Depends(auth.get_current_user)],
         session: Session = Depends(get_session)
-    ) -> OpenStackProjectAPI | None:
+    ) -> api_models.OpenStackProject | None:
     """
     Create a new OpenStack project
     """
     openstack_client = openstack.get_keystone_client()
 
     projects = session.exec(select(Project).where(Project.owner_id == user.id)).all()
-    if len(projects) >= 3:
-        raise HTTPException(status_code=400, detail="You cannot create more than 3 projects")
+    if len(projects) >= MAX_PROJECTS_USER_OWN:
+        raise HTTPException(status_code=400, detail=f"You cannot create more than {str(MAX_PROJECTS_USER_OWN)} projects")
     project_name = project_name + "-" + random_end_uid()
     new_project = Project(name=project_name, owner_id=user.id)
     session.add(new_project)
@@ -85,6 +106,20 @@ def delete_openstack_project(
         raise HTTPException(status_code=404, detail="Project not found")
     if project.owner_id != user.id and not user.is_admin:
         raise HTTPException(status_code=403, detail="Not allowed to delete this project")
+    
+    # check if quota is given to project
+    # here we are checking if project has any quotas assigned to it so nothing is left behind not assigned to any project
+    project_quotas = session.exec(select(db_models.UserQuotaShare).where(db_models.UserQuotaShare.project_id == project.id)).all()
+    for project_quota in project_quotas:
+        if project_quota.quantity > 0:
+            print(project_quota.quantity)
+            raise HTTPException(status_code=400, detail="Cannot delete project with quotas assigned to it please remove all quotas assigned to project")
+
+    # check if project has members
+    project_memberships = session.exec(select(db_models.ProjectUserMembership).where(db_models.ProjectUserMembership.project_id == project.id)).all()
+    if project_memberships:
+        raise HTTPException(status_code=400, detail="Cannot delete project with members please remove all members from project")
+
     openstack_project = openstack_client.projects.find(name=project_name)
     openstack_client.projects.delete(openstack_project.id)
     session.delete(project)
@@ -115,19 +150,21 @@ def add_user_to_project(
         session: Session = Depends(get_session)
     ) -> None:
     """
-    Add user to project if user is owner of the project
+    Add user to project
     """
     db_project = session.exec(select(Project).where(Project.name == project_name)).first()
+    # check if owner of the project or is admin
     if db_project.owner_id != user.id and not user.is_admin:
         raise HTTPException(status_code=403, detail="Not allowed to add user to this project")
-    
+
+    # reject if user is owner of the project
+    if user.username == username and db_project.owner_id == user.id:
+        raise HTTPException(status_code=400, detail="Cannot add owner to project (owner is already in project)")
+
+    # get user to add
     user_to_add = session.exec(select(User).where(User.username == username)).first()
     if not user_to_add or not db_project:
-        raise HTTPException(status_code=404, detail="User or project not found")
-
-    # if user is owner of the project
-    if user_to_add.id == db_project.owner_id:
-        raise HTTPException(status_code=400, detail="User is owner of the project do not need to be added")
+        raise HTTPException(status_code=404, detail="User to add not found")
 
     # check if user is already in project
     assignment = session.exec(select(ProjectUserMembership).where(ProjectUserMembership.project_id == db_project.id, ProjectUserMembership.user_id == user_to_add.id)).first()
@@ -153,31 +190,73 @@ def remove_user_from_project(
         session: Session = Depends(get_session)
     ) -> None:
     """
-    Remove user from project if user is owner of the project
+    Remove user from project
     """
+    # check if owner of the project or is admin
     db_project = session.exec(select(Project).where(Project.name == project_name)).first()
-    if db_project.owner_id != user.id and not user.is_admin:
+    db_project_members_name = [
+        session.exec(select(User).where(User.id == member.user_id)).first().username
+        for member in session.exec(select(ProjectUserMembership).where(ProjectUserMembership.project_id == db_project.id)).all()
+    ]
+
+    # action allowed if anyone of the following is true
+    # 1. user is admin
+    # 2. user is owner of the project and wants to remove other user
+    # 3. user is not owner of the project and wants to remove himself from project
+
+    if db_project.owner_id != user.id and not user.is_admin and user.username not in db_project_members_name:
         raise HTTPException(status_code=403, detail="Not allowed to remove user from this project")
 
+    if user.username in db_project_members_name:
+        # this avoids the case where user is not owner of the project and wants to remove other user
+        username = user.username
+    
+    # reject if user is owner of the project
+    if user.username == username and db_project.owner_id == user.id:
+        raise HTTPException(status_code=400, detail="Cannot remove yourself from project (delete project instead)")
+
+    # get user to remove    
     user_to_remove = session.exec(select(User).where(User.username == username)).first()
     if not user_to_remove or not db_project:
-        raise HTTPException(status_code=404, detail="User or project not found")
-    
-    # check if user is owner of the project
-    if db_project.owner_id == user_to_remove.id:
-        raise HTTPException(status_code=400, detail="Cannot remove owner from project")
+        raise HTTPException(status_code=404, detail="User not found")
 
     # check if user is already in project
     assignment = session.exec(select(ProjectUserMembership).where(ProjectUserMembership.project_id == db_project.id, ProjectUserMembership.user_id == user_to_remove.id)).first()
     if not assignment:
         raise HTTPException(status_code=400, detail="User not in project")
 
-    session.delete(assignment)
+    # get project from openstack
     openstack_client = openstack.get_keystone_client()
     try:
         os_project = openstack_client.projects.find(name=project_name)
     except Exception:
         raise HTTPException(status_code=500, detail="OpenStack error cant get project")
+        
+    os_project = openstack.get_keystone_client().projects.find(name=project_name)    
+    # check if user has any quotas assigned to project
+    project_quotas = session.exec(select(db_models.UserQuotaShare).where(db_models.UserQuotaShare.project_id == db_project.id, db_models.UserQuotaShare.user_id == user_to_remove.id)).all()
+    # try to set all quotas to 0
+    old_quotas_map = {k: 0 for k in db_models.QuotaType}
+    for project_quota in project_quotas:
+        old_quotas_map[project_quota.type] = project_quota.quantity
+        project_quota.quantity = 0
+        session.add(project_quota)
+    session.commit()
+
+    # try to sync quotas with openstack without user quotas if it fails rollback quotas
+    try:
+        openstack_tasks.sync_project_quota(os_project)
+    except (nova_exceptions.ClientException, cinder_exceptions.ClientException) as e:
+        # rollback quotas when quota sync fails (when quota is lower than current usage)
+        for project_quota in project_quotas:
+            session.refresh(project_quota)
+            project_quota.quantity = old_quotas_map[project_quota.type]
+            session.add(project_quota)
+        session.commit()
+        raise HTTPException(status_code=400, detail="Cannot remove user from project, user share used quotas with project")
+    
+    # remove user from project
     os_user = openstack_get_or_create_user(username)
     openstack_client.roles.revoke(role=OPENSTACK_ROLE_MEMBER_ID, user=os_user.id, project=os_project.id)
+    session.delete(assignment)
     session.commit()

fob_api/tasks/openstack.py

@@ -1,17 +1,18 @@
 from sqlmodel import Session, select
 from sqlalchemy.exc import IntegrityError
 from fob_api import engine, openstack, random_end_uid, random_password, OPENSTACK_DOMAIN_ID
-from fob_api.models.database import User
+from fob_api.models.database import User # deprecated call use db_models as prefix
+from fob_api.models import database as db_models
 
-def get_or_create_user(username: str) -> None: # todo return openstack user object
+def get_or_create_user(username: str): # todo return openstack user object
     """
     Create OpenStack User if not exists
 
     Args:
         username (str): User name
 
     Returns:
-        None
+        openstack user object
     """
     with Session(engine) as session:
         user = session.exec(select(User).where(User.username == username)).first()
@@ -29,3 +30,11 @@ def set_user_password(username: str, password: str) -> None:
     openstack_client = openstack.get_keystone_client()
     user = get_or_create_user(username)
     openstack_client.users.update(user=user, password=password)
+
+def sync_project_quota(openstack_project: db_models.Project) -> None:
+    """
+    Temp warp function to the correct function
+    """
+    # temporary for how long? who knows write 01-03-2025 19:19
+    from fob_api.routes.quota import sync_project_quota as sync_project_quota_real
+    sync_project_quota_real(openstack_project)