Do not list Quota API's to accounts with Quota disabled

api/src/main/java/org/apache/cloudstack/api/BaseCmd.java

@@ -380,10 +380,9 @@ public Map<String, String> getFullUrlParams() {
     }
 
     /**
-     * To be overwritten by any class who needs specific validation
+     * Method intended to execute command's specific permissions and parameters. Should be overwritten by any class who needs specific validation.
      */
-    public void validateSpecificParameters(final Map<String, String> params){
-        // To be overwritten by any class who needs specific validation
+    public void validateCommandSpecificPermissionsAndParameters(final Map<String, String> params){
     }
 
     /**

api/src/main/java/org/apache/cloudstack/api/BaseListCmd.java

@@ -118,8 +118,8 @@ public Long getStartIndex() {
     }
 
     @Override
-    public void validateSpecificParameters(final Map<String, String> params){
-        super.validateSpecificParameters(params);
+    public void validateCommandSpecificPermissionsAndParameters(final Map<String, String> params){
+        super.validateCommandSpecificPermissionsAndParameters(params);
 
         final Object pageSizeObj = params.get(ApiConstants.PAGE_SIZE);
         Long pageSize = null;

framework/config/src/main/java/org/apache/cloudstack/framework/config/PluginAccessConfigs.java

@@ -0,0 +1,26 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.framework.config;
+
+public interface PluginAccessConfigs {
+
+    public static final ConfigKey<Boolean> QuotaPluginEnabled = new ConfigKey<Boolean>("Advanced", Boolean.class, "quota.enable.service", "false",
+            "Indicates whether Quota plugin is enabled or not.", true);
+
+    ConfigKey<Boolean> QuotaAccountEnabled = new ConfigKey<>("Advanced", Boolean.class, "quota.account.enabled", "true", "Indicates whether Quota plugin is enabled or not for " +
+            "the account.", true, ConfigKey.Scope.Account);
+}

framework/quota/src/main/java/org/apache/cloudstack/quota/constant/QuotaConfig.java

@@ -18,11 +18,9 @@
 package org.apache.cloudstack.quota.constant;
 
 import org.apache.cloudstack.framework.config.ConfigKey;
+import org.apache.cloudstack.framework.config.PluginAccessConfigs;
 
-public interface QuotaConfig {
-
-    public static final ConfigKey<Boolean> QuotaPluginEnabled = new ConfigKey<Boolean>("Advanced", Boolean.class, "quota.enable.service", "false",
-            "Indicates whether Quota plugin is enabled or not.", true);
+public interface QuotaConfig extends PluginAccessConfigs {
 
     public static final ConfigKey<String> QuotaEnableEnforcement = new ConfigKey<String>("Advanced", String.class, "quota.enable.enforcement", "false",
             "Enable the usage quota enforcement, i.e. on true when exceeding quota the respective account will be locked.", true);

plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryServiceImpl.java

@@ -24,6 +24,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.stream.Collectors;
 
 import javax.inject.Inject;
 
@@ -42,6 +43,7 @@
 import org.apache.cloudstack.api.response.ApiParameterResponse;
 import org.apache.cloudstack.api.response.ApiResponseResponse;
 import org.apache.cloudstack.api.response.ListResponse;
+import org.apache.cloudstack.framework.config.PluginAccessConfigs;
 import org.apache.cloudstack.utils.reflectiontostringbuilderutils.ReflectionToStringBuilderUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.log4j.Logger;
@@ -66,6 +68,8 @@ public class ApiDiscoveryServiceImpl extends ComponentLifecycleBase implements A
     List<PluggableService> _services = null;
     protected static Map<String, ApiDiscoveryResponse> s_apiNameDiscoveryResponseMap = null;
 
+    private List<String> quotaCmdList;
+
     @Inject
     AccountService accountService;
 
@@ -84,6 +88,7 @@ public boolean start() {
             Set<Class<?>> cmdClasses = new LinkedHashSet<Class<?>>();
             for (PluggableService service : _services) {
                 s_logger.debug(String.format("getting api commands of service: %s", service.getClass().getName()));
+                getQuotaCmdListIfQuotaService(service);
                 cmdClasses.addAll(service.getCommands());
             }
             cmdClasses.addAll(this.getCommands());
@@ -95,6 +100,12 @@ public boolean start() {
         return true;
     }
 
+    private void getQuotaCmdListIfQuotaService(PluggableService service) {
+        if (service.getClass().getSimpleName().equals("QuotaServiceImpl") && PluginAccessConfigs.QuotaPluginEnabled.value()) {
+            quotaCmdList = service.getCommands().parallelStream().map(cmdClass -> cmdClass.getAnnotation(APICommand.class).name()).collect(Collectors.toList());
+        }
+    }
+
     protected Map<String, List<String>> cacheResponseMap(Set<Class<?>> cmdClasses) {
         Map<String, List<String>> responseApiNameListMap = new HashMap<String, List<String>>();
 
@@ -247,13 +258,22 @@ public ListResponse<? extends BaseResponse> listApis(User user, String name) {
         List<ApiDiscoveryResponse> responseList = new ArrayList<>();
         List<String> apisAllowed = new ArrayList<>(s_apiNameDiscoveryResponseMap.keySet());
 
-        if (user == null)
+        if (user == null) {
             return null;
+        }
+
+        Account account = accountService.getAccount(user.getAccountId());
+        if (account == null) {
+            throw new PermissionDeniedException(String.format("The account with id [%s] for user [%s] is null.", user.getAccountId(), user));
+        }
 
         if (name != null) {
             if (!s_apiNameDiscoveryResponseMap.containsKey(name))
                 return null;
 
+            if (isAccountNotAdminAndQuotaEnabledAndQuotaAccountNotEnabledAndApiNameInQuotaCmdList(user, name, account))
+                return null;
+
             for (APIChecker apiChecker : _apiAccessCheckers) {
                 try {
                     apiChecker.checkAccess(user, name);
@@ -265,11 +285,6 @@ public ListResponse<? extends BaseResponse> listApis(User user, String name) {
             responseList.add(s_apiNameDiscoveryResponseMap.get(name));
 
         } else {
-            Account account = accountService.getAccount(user.getAccountId());
-            if (account == null) {
-                throw new PermissionDeniedException(String.format("The account with id [%s] for user [%s] is null.", user.getAccountId(), user));
-            }
-
             final Role role = roleService.findRole(account.getRoleId());
             if (role == null || role.getId() < 1L) {
                 throw new PermissionDeniedException(String.format("The account [%s] has role null or unknown.",
@@ -280,6 +295,8 @@ public ListResponse<? extends BaseResponse> listApis(User user, String name) {
                 s_logger.info(String.format("Account [%s] is Root Admin, all APIs are allowed.",
                         ReflectionToStringBuilderUtils.reflectOnlySelectedFields(account, "accountName", "uuid")));
             } else {
+                removeQuotaApisIfQuotaEnabledButQuotaDisabledForAccount(user, apisAllowed);
+
                 for (APIChecker apiChecker : _apiAccessCheckers) {
                     apisAllowed = apiChecker.getApisAllowedToUser(role, user, apisAllowed);
                 }
@@ -293,6 +310,18 @@ public ListResponse<? extends BaseResponse> listApis(User user, String name) {
         return response;
     }
 
+    private void removeQuotaApisIfQuotaEnabledButQuotaDisabledForAccount(User user, List<String> apisAllowed) {
+        if (PluginAccessConfigs.QuotaPluginEnabled.value() && !PluginAccessConfigs.QuotaAccountEnabled.valueIn(user.getAccountId())) {
+            apisAllowed.removeAll(quotaCmdList);
+            apisAllowed.add("quotaIsEnabled");
+        }
+    }
+
+    private boolean isAccountNotAdminAndQuotaEnabledAndQuotaAccountNotEnabledAndApiNameInQuotaCmdList(User user, String name, Account account) {
+        return account.getType() != Account.Type.ADMIN && PluginAccessConfigs.QuotaPluginEnabled.value() &&
+                !PluginAccessConfigs.QuotaAccountEnabled.valueIn(user.getAccountId()) && quotaCmdList.parallelStream().anyMatch(name::equalsIgnoreCase);
+    }
+
     @Override
     public List<Class<?>> getCommands() {
         List<Class<?>> cmdList = new ArrayList<Class<?>>();

plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaBalanceCmd.java

@@ -24,7 +24,6 @@
 import org.apache.log4j.Logger;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.response.AccountResponse;
 import org.apache.cloudstack.api.response.DomainResponse;
@@ -34,7 +33,7 @@
 import org.apache.cloudstack.api.response.QuotaStatementItemResponse;
 
 @APICommand(name = "quotaBalance", responseObject = QuotaStatementItemResponse.class, description = "Create a quota balance statement", since = "4.7.0", requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
-public class QuotaBalanceCmd extends BaseCmd {
+public class QuotaBalanceCmd extends QuotaBaseCmd {
 
     public static final Logger s_logger = Logger.getLogger(QuotaBalanceCmd.class);
 

plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaBaseCmd.java

@@ -0,0 +1,49 @@
+//Licensed to the Apache Software Foundation (ASF) under one
+//or more contributor license agreements.  See the NOTICE file
+//distributed with this work for additional information
+//regarding copyright ownership.  The ASF licenses this file
+//to you under the Apache License, Version 2.0 (the
+//"License"); you may not use this file except in compliance
+//with the License.  You may obtain a copy of the License at
+//
+//http://www.apache.org/licenses/LICENSE-2.0
+//
+//Unless required by applicable law or agreed to in writing,
+//software distributed under the License is distributed on an
+//"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+//KIND, either express or implied.  See the License for the
+//specific language governing permissions and limitations
+//under the License.
+package org.apache.cloudstack.api.command;
+
+import com.cloud.exception.UnavailableCommandException;
+import com.cloud.user.Account;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.context.CallContext;
+import org.apache.cloudstack.quota.constant.QuotaConfig;
+import org.apache.cloudstack.utils.reflectiontostringbuilderutils.ReflectionToStringBuilderUtils;
+
+import java.util.Map;
+
+public abstract class QuotaBaseCmd extends BaseCmd {
+
+    @Override
+    public void validateCommandSpecificPermissionsAndParameters(final Map<String, String> params) {
+        validateQuotaAccountEnabled(this);
+        super.validateCommandSpecificPermissionsAndParameters(params);
+    }
+
+    public static void validateQuotaAccountEnabled(BaseCmd cmd) {
+        Account caller = CallContext.current().getCallingAccount();
+
+        if (caller.getType().equals(Account.Type.ADMIN)) {
+            return;
+        }
+
+        if (!QuotaConfig.QuotaPluginEnabled.value() || !QuotaConfig.QuotaAccountEnabled.valueIn(caller.getAccountId())){
+            throw new UnavailableCommandException(String.format("The API [%s] is not available for account %s.", cmd.getActualCommandName(),
+                    ReflectionToStringBuilderUtils.reflectOnlySelectedFields(caller, "accountName", "uuid")));
+        }
+    }
+
+}

plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaBaseListCmd.java

@@ -0,0 +1,31 @@
+//Licensed to the Apache Software Foundation (ASF) under one
+//or more contributor license agreements.  See the NOTICE file
+//distributed with this work for additional information
+//regarding copyright ownership.  The ASF licenses this file
+//to you under the Apache License, Version 2.0 (the
+//"License"); you may not use this file except in compliance
+//with the License.  You may obtain a copy of the License at
+//
+//http://www.apache.org/licenses/LICENSE-2.0
+//
+//Unless required by applicable law or agreed to in writing,
+//software distributed under the License is distributed on an
+//"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+//KIND, either express or implied.  See the License for the
+//specific language governing permissions and limitations
+//under the License.
+package org.apache.cloudstack.api.command;
+
+import org.apache.cloudstack.api.BaseListCmd;
+
+
+import java.util.Map;
+
+public abstract class QuotaBaseListCmd extends BaseListCmd {
+
+    @Override
+    public void validateCommandSpecificPermissionsAndParameters(final Map<String, String> params) {
+        QuotaBaseCmd.validateQuotaAccountEnabled(this);
+        super.validateCommandSpecificPermissionsAndParameters(params);
+    }
+}

plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaCreditsCmd.java

@@ -21,7 +21,6 @@
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.api.response.DomainResponse;
@@ -34,7 +33,7 @@
 import javax.inject.Inject;
 
 @APICommand(name = "quotaCredits", responseObject = QuotaCreditsResponse.class, description = "Add +-credits to an account", since = "4.7.0", requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
-public class QuotaCreditsCmd extends BaseCmd {
+public class QuotaCreditsCmd extends QuotaBaseCmd {
 
     @Inject
     QuotaResponseBuilder _responseBuilder;

plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaEmailTemplateListCmd.java

@@ -17,7 +17,6 @@
 package org.apache.cloudstack.api.command;
 
 import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.BaseListCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.response.ListResponse;
 import org.apache.cloudstack.api.response.QuotaEmailTemplateResponse;
@@ -27,7 +26,7 @@
 import javax.inject.Inject;
 
 @APICommand(name = "quotaEmailTemplateList", responseObject = QuotaEmailTemplateResponse.class, description = "Lists all quota email templates", since = "4.7.0", requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
-public class QuotaEmailTemplateListCmd extends BaseListCmd {
+public class QuotaEmailTemplateListCmd extends QuotaBaseListCmd {
     public static final Logger s_logger = Logger.getLogger(QuotaEmailTemplateListCmd.class);
 
     @Inject

plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaEmailTemplateUpdateCmd.java

@@ -19,7 +19,6 @@
 import com.cloud.user.Account;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.api.response.QuotaResponseBuilder;
@@ -31,7 +30,7 @@
 import java.util.Arrays;
 
 @APICommand(name = "quotaEmailTemplateUpdate", responseObject = SuccessResponse.class, description = "Updates existing email templates for quota alerts", since = "4.7.0", requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
-public class QuotaEmailTemplateUpdateCmd extends BaseCmd {
+public class QuotaEmailTemplateUpdateCmd extends QuotaBaseCmd {
     public static final Logger s_logger = Logger.getLogger(QuotaEmailTemplateUpdateCmd.class);
 
     @Inject

plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaStatementCmd.java

@@ -23,7 +23,6 @@
 
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.response.AccountResponse;
 import org.apache.cloudstack.api.response.DomainResponse;
@@ -36,7 +35,7 @@
 import com.cloud.user.Account;
 
 @APICommand(name = "quotaStatement", responseObject = QuotaStatementItemResponse.class, description = "Create a quota statement", since = "4.7.0", requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
-public class QuotaStatementCmd extends BaseCmd {
+public class QuotaStatementCmd extends QuotaBaseCmd {
 
     public static final Logger s_logger = Logger.getLogger(QuotaStatementCmd.class);
 

plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaSummaryCmd.java

@@ -21,7 +21,6 @@
 
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseListCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.response.DomainResponse;
 import org.apache.cloudstack.api.response.ListResponse;
@@ -35,7 +34,7 @@
 import javax.inject.Inject;
 
 @APICommand(name = "quotaSummary", responseObject = QuotaSummaryResponse.class, description = "Lists balance and quota usage for all accounts", since = "4.7.0", requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
-public class QuotaSummaryCmd extends BaseListCmd {
+public class QuotaSummaryCmd extends QuotaBaseListCmd {
     public static final Logger s_logger = Logger.getLogger(QuotaSummaryCmd.class);
 
     @Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING, required = false, description = "Optional, Account Id for which statement needs to be generated")

plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaTariffCreateCmd.java

@@ -22,7 +22,6 @@
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.api.response.QuotaResponseBuilder;
@@ -36,7 +35,7 @@
 
 @APICommand(name = "quotaTariffCreate", responseObject = QuotaTariffResponse.class, description = "Creates a quota tariff for a resource.", since = "4.18.0.0",
 requestHasSensitiveInfo = false, responseHasSensitiveInfo = false, authorized = {RoleType.Admin})
-public class QuotaTariffCreateCmd extends BaseCmd {
+public class QuotaTariffCreateCmd extends QuotaBaseCmd {
     protected Logger logger = Logger.getLogger(getClass());
 
     @Inject

plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaTariffDeleteCmd.java

@@ -33,7 +33,7 @@
 
 @APICommand(name = "quotaTariffDelete", description = "Marks a quota tariff as removed.", responseObject = SuccessResponse.class, requestHasSensitiveInfo = false,
 responseHasSensitiveInfo = false, since = "4.18.0.0", authorized = {RoleType.Admin})
-public class QuotaTariffDeleteCmd extends BaseCmd {
+public class QuotaTariffDeleteCmd extends QuotaBaseCmd {
     protected Logger logger = Logger.getLogger(getClass());
 
     @Inject