RHINENG-22863: limit systems to 1000 in update and delete template systems apis

Author: xbhouse

manager/controllers/template_systems_delete.go

@@ -32,6 +32,10 @@ func TemplateSystemsDeleteHandler(c *gin.Context) {
 		return
 	}
 
+	if err := checkTemplateSystemsLimit(len(req.Systems), c); err != nil {
+		return
+	}
+
 	db := middlewares.DBFromContext(c)
 
 	err := checkTemplateSystems(c, db, account, nil, req.Systems, groups)

manager/controllers/template_systems_delete_test.go

@@ -3,15 +3,19 @@ package controllers
 import (
 	"app/base/core"
 	"app/base/database"
+	"app/base/utils"
 	"bytes"
+	"fmt"
 	"net/http"
+	"net/http/httptest"
 	"testing"
 
 	"github.com/bytedance/sonic"
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 )
 
-func testTemplateSystemsDelete(t *testing.T, body TemplateSystemsUpdateRequest, status int) {
+func testTemplateSystemsDelete(t *testing.T, body TemplateSystemsUpdateRequest, status int) *httptest.ResponseRecorder {
 	bodyJSON, err := sonic.Marshal(&body)
 	if err != nil {
 		panic(err)
@@ -21,6 +25,7 @@ func testTemplateSystemsDelete(t *testing.T, body TemplateSystemsUpdateRequest,
 		TemplateSystemsDeleteHandler, templateAccount)
 
 	assert.Equal(t, status, w.Code)
+	return w
 }
 
 func TestTemplateSystemsDeleteDefault(t *testing.T) {
@@ -60,3 +65,42 @@ func TestTemplateSystemsDeleteInvalid(t *testing.T) {
 	testTemplateSystemsDelete(t, TemplateSystemsUpdateRequest{
 		Systems: []string{"c0ffeec0-ffee-c0ff-eec0-ffeec0ffee00"}}, http.StatusNotFound)
 }
+
+func TestTemplateSystemsDeleteTooManySystems(t *testing.T) {
+	core.SetupTest(t)
+
+	systems := make([]string, 0, TemplateSystemsUpdateLimit+1)
+	for i := 0; i < TemplateSystemsUpdateLimit; i++ {
+		systems = append(systems, uuid.NewString())
+	}
+
+	database.CreateTemplate(t, templateAccount, templateUUID, systems)
+	defer database.DeleteTemplate(t, templateAccount, templateUUID)
+
+	// Add one more system to the template so we can try to delete more than the limit
+	additionalSystem := "00000000-0000-0000-0000-000000000004"
+	putBody := TemplateSystemsUpdateRequest{
+		Systems: []string{additionalSystem},
+	}
+
+	putBodyJSON, err := sonic.Marshal(&putBody)
+	if err != nil {
+		panic(err)
+	}
+
+	w := CreateRequestRouterWithParams("PUT", templatePath, templateUUID, "", bytes.NewBuffer(putBodyJSON), "",
+		TemplateSystemsUpdateHandler, templateAccount)
+	assert.Equal(t, http.StatusOK, w.Code)
+
+	systems = append(systems, additionalSystem)
+
+	req := TemplateSystemsUpdateRequest{
+		Systems: systems,
+	}
+
+	res := testTemplateSystemsDelete(t, req, http.StatusBadRequest)
+
+	var errResp utils.ErrorResponse
+	CheckResponse(t, res, http.StatusBadRequest, &errResp)
+	assert.Equal(t, fmt.Sprintf("Cannot process more than %d systems at once", TemplateSystemsUpdateLimit), errResp.Error)
+}

manager/controllers/template_systems_update.go

@@ -25,6 +25,7 @@ import (
 var candlepinClient = candlepin.CreateCandlepinClient()
 
 const InvalidInventoryIDsErr = "invalid list of inventory IDs"
+const TemplateSystemsUpdateLimit = 1000
 
 type TemplateSystemsUpdateRequest struct {
 	// List of inventory IDs to have templates removed
@@ -61,6 +62,10 @@ func TemplateSystemsUpdateHandler(c *gin.Context) {
 		return
 	}
 
+	if err := checkTemplateSystemsLimit(len(req.Systems), c); err != nil {
+		return
+	}
+
 	db := middlewares.DBFromContext(c)
 	template, err := getTemplate(c, db, account, templateUUID)
 	if err != nil {

manager/controllers/template_systems_update_test.go

@@ -10,6 +10,8 @@ import (
 	"net/http"
 	"testing"
 
+	"github.com/bytedance/sonic"
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -245,3 +247,30 @@ func TestUpdateTemplateSystemsCandlepin404(t *testing.T) {
 	database.CheckTemplateSystems(t, templateAccount, templateUUID,
 		[]string{"00000000-0000-0000-0000-000000000007"})
 }
+
+func TestUpdateTemplateTooManySystems(t *testing.T) {
+	core.SetupTest(t)
+
+	database.CreateTemplate(t, templateAccount, templateUUID, templateSystems)
+	defer database.DeleteTemplate(t, templateAccount, templateUUID)
+
+	systems := make([]string, 0, TemplateSystemsUpdateLimit+1)
+	for i := 0; i < TemplateSystemsUpdateLimit+1; i++ {
+		systems = append(systems, uuid.NewString())
+	}
+	body := map[string][]string{
+		"systems": systems,
+	}
+
+	bodyJSON, err := sonic.Marshal(body)
+	if err != nil {
+		panic(err)
+	}
+
+	w := CreateRequestRouterWithParams("PUT", templatePath, templateUUID, "", bytes.NewBuffer(bodyJSON), "",
+		TemplateSystemsUpdateHandler, templateAccount)
+
+	var errResp utils.ErrorResponse
+	CheckResponse(t, w, http.StatusBadRequest, &errResp)
+	assert.Equal(t, fmt.Sprintf("Cannot process more than %d systems at once", TemplateSystemsUpdateLimit), errResp.Error)
+}

manager/controllers/utils.go

@@ -588,3 +588,13 @@ func isFilterInURLValid(c *gin.Context) bool {
 	}
 	return true
 }
+
+func checkTemplateSystemsLimit(numSystems int, c *gin.Context) error {
+	if numSystems > TemplateSystemsUpdateLimit {
+		msg := fmt.Sprintf("Cannot process more than %d systems at once", TemplateSystemsUpdateLimit)
+		err := errors.New(msg)
+		utils.LogAndRespBadRequest(c, err, msg)
+		return err
+	}
+	return nil
+}