14023639065

Committed 23 Mar 2025 10:30PM UTC coverage: 79.468% (+0.02%) from 79.445%

Build # 14023639065

Build Type

Pull #674

github

Committed by

majewsky

Commit Message

review: do not block renewal on a non-empty transfer status

There is currently no way for a user to reset the transfer status on a
commitment, so if a transfer is started and not completed, this would
block renewing the commitment, which is bad UX.

I understand that this restriction was meant to avoid a race condition
when a commitment is renewed at the same time as being transferred.
But both these operations touch the original commitment, so one of the
associated DB transactions would be forced to fail on commit. That's
good enough of a guarantee for me.

Pull Request Pull Request #674: Add commitment renewal endpoint

Run Details

109 of 135 new or added lines in 2 files covered. (80.74%)

139 existing lines in 3 files now uncovered.

6038 of 7598 relevant lines covered (79.47%)

61.56 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

79.59

/internal/api/commitment.go

/******************************************************************************
*
*  Copyright 2023 SAP SE
*
*  Licensed under the Apache License, Version 2.0 (the "License");
*  you may not use this file except in compliance with the License.
*  You may obtain a copy of the License at
*
*      http://www.apache.org/licenses/LICENSE-2.0
*
*  Unless required by applicable law or agreed to in writing, software
*  distributed under the License is distributed on an "AS IS" BASIS,
*  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*  See the License for the specific language governing permissions and
*  limitations under the License.
*
******************************************************************************/

package api

import (
        "database/sql"
        "encoding/json"
        "errors"
        "fmt"
        "maps"
        "net/http"
        "slices"
        "strings"
        "time"

        "github.com/gorilla/mux"
        "github.com/sapcc/go-api-declarations/cadf"
        "github.com/sapcc/go-api-declarations/limes"
        limesresources "github.com/sapcc/go-api-declarations/limes/resources"
        "github.com/sapcc/go-api-declarations/liquid"
        "github.com/sapcc/go-bits/audittools"
        "github.com/sapcc/go-bits/errext"
        "github.com/sapcc/go-bits/gopherpolicy"
        "github.com/sapcc/go-bits/httpapi"
        "github.com/sapcc/go-bits/must"
        "github.com/sapcc/go-bits/respondwith"
        "github.com/sapcc/go-bits/sqlext"

        "github.com/sapcc/limes/internal/core"
        "github.com/sapcc/limes/internal/datamodel"
        "github.com/sapcc/limes/internal/db"
        "github.com/sapcc/limes/internal/liquids"
        "github.com/sapcc/limes/internal/reports"
)

var (
        getProjectCommitmentsQuery = sqlext.SimplifyWhitespace(`
                SELECT pc.*
                  FROM project_commitments pc
                  JOIN project_az_resources par ON pc.az_resource_id = par.id
                  JOIN project_resources pr ON par.resource_id = pr.id {{AND pr.name = $resource_name}}
                  JOIN project_services ps ON pr.service_id = ps.id {{AND ps.type = $service_type}}
                 WHERE %s AND pc.state NOT IN ('superseded', 'expired')
                 ORDER BY pc.id
        `)

        getProjectAZResourceLocationsQuery = sqlext.SimplifyWhitespace(`
                SELECT par.id, ps.type, pr.name, par.az
                  FROM project_az_resources par
                  JOIN project_resources pr ON par.resource_id = pr.id {{AND pr.name = $resource_name}}
                  JOIN project_services ps ON pr.service_id = ps.id {{AND ps.type = $service_type}}
                 WHERE %s
        `)

        findProjectCommitmentByIDQuery = sqlext.SimplifyWhitespace(`
                SELECT pc.*
                  FROM project_commitments pc
                  JOIN project_az_resources par ON pc.az_resource_id = par.id
                  JOIN project_resources pr ON par.resource_id = pr.id
                  JOIN project_services ps ON pr.service_id = ps.id
                 WHERE pc.id = $1 AND ps.project_id = $2
        `)

        // NOTE: The third output column is `resourceAllowsCommitments`.
        // We should be checking for `ResourceUsageReport.Forbidden == true`, but
        // since the `Forbidden` field is not persisted in the DB, we need to use
        // `max_quota_from_backend` as a proxy.
        findProjectAZResourceIDByLocationQuery = sqlext.SimplifyWhitespace(`
                SELECT pr.id, par.id, pr.max_quota_from_backend IS NULL
                  FROM project_az_resources par
                  JOIN project_resources pr ON par.resource_id = pr.id
                  JOIN project_services ps ON pr.service_id = ps.id
                 WHERE ps.project_id = $1 AND ps.type = $2 AND pr.name = $3 AND par.az = $4
        `)

        findProjectAZResourceLocationByIDQuery = sqlext.SimplifyWhitespace(`
                SELECT ps.type, pr.name, par.az
                  FROM project_az_resources par
                  JOIN project_resources pr ON par.resource_id = pr.id
                  JOIN project_services ps ON pr.service_id = ps.id
                 WHERE par.id = $1
        `)
        getCommitmentWithMatchingTransferTokenQuery = sqlext.SimplifyWhitespace(`
                SELECT * FROM project_commitments WHERE id = $1 AND transfer_token = $2
        `)
        findCommitmentByTransferToken = sqlext.SimplifyWhitespace(`
                SELECT * FROM project_commitments WHERE transfer_token = $1
        `)
        findTargetAZResourceIDBySourceIDQuery = sqlext.SimplifyWhitespace(`
                WITH source as (
                SELECT pr.id AS resource_id, ps.type, pr.name, par.az
                  FROM project_az_resources as par
                  JOIN project_resources pr ON par.resource_id = pr.id
                  JOIN project_services ps ON pr.service_id = ps.id
                 WHERE par.id = $1
                )
                SELECT s.resource_id, pr.id, par.id
                  FROM project_az_resources as par
                  JOIN project_resources pr ON par.resource_id = pr.id
                  JOIN project_services ps ON pr.service_id = ps.id
                  JOIN source s ON ps.type = s.type AND pr.name = s.name AND par.az = s.az
                 WHERE ps.project_id = $2
        `)
        findTargetAZResourceByTargetProjectQuery = sqlext.SimplifyWhitespace(`
                SELECT pr.id, par.id
                  FROM project_az_resources par
                  JOIN project_resources pr ON par.resource_id = pr.id
                  JOIN project_services ps ON pr.service_id = ps.id
                 WHERE ps.project_id = $1 AND ps.type = $2 AND pr.name = $3 AND par.az = $4
        `)
        forceImmediateCapacityScrapeQuery = sqlext.SimplifyWhitespace(`
                UPDATE cluster_capacitors SET next_scrape_at = $1 WHERE capacitor_id = (
                        SELECT capacitor_id FROM cluster_services cs JOIN cluster_resources cr ON cs.id = cr.service_id
                        WHERE cs.type = $2 AND cr.name = $3
                )
        `)
)

// GetProjectCommitments handles GET /v1/domains/:domain_id/projects/:project_id/commitments.
func (p *v1Provider) GetProjectCommitments(w http.ResponseWriter, r *http.Request) {
        httpapi.IdentifyEndpoint(r, "/v1/domains/:id/projects/:id/commitments")
        token := p.CheckToken(r)
        if !token.Require(w, "project:show") {
                return
        }
        dbDomain := p.FindDomainFromRequest(w, r)
        if dbDomain == nil {
                return
        }
        dbProject := p.FindProjectFromRequest(w, r, dbDomain)
        if dbProject == nil {
                return
        }

        // enumerate project AZ resources
        filter := reports.ReadFilter(r, p.Cluster)
        queryStr, joinArgs := filter.PrepareQuery(getProjectAZResourceLocationsQuery)
        whereStr, whereArgs := db.BuildSimpleWhereClause(map[string]any{"ps.project_id": dbProject.ID}, len(joinArgs))
        azResourceLocationsByID := make(map[db.ProjectAZResourceID]core.AZResourceLocation)
        err := sqlext.ForeachRow(p.DB, fmt.Sprintf(queryStr, whereStr), append(joinArgs, whereArgs...), func(rows *sql.Rows) error {
                var (
                        id  db.ProjectAZResourceID
                        loc core.AZResourceLocation
                )
                err := rows.Scan(&id, &loc.ServiceType, &loc.ResourceName, &loc.AvailabilityZone)
                if err != nil {
                        return err
                }
                // this check is defense in depth (the DB should be consistent with our config)
                if p.Cluster.HasResource(loc.ServiceType, loc.ResourceName) {
                        azResourceLocationsByID[id] = loc
                }
                return nil
        })
        if respondwith.ErrorText(w, err) {
                return
        }

        // enumerate relevant project commitments
        queryStr, joinArgs = filter.PrepareQuery(getProjectCommitmentsQuery)
        whereStr, whereArgs = db.BuildSimpleWhereClause(map[string]any{"ps.project_id": dbProject.ID}, len(joinArgs))
        var dbCommitments []db.ProjectCommitment
        _, err = p.DB.Select(&dbCommitments, fmt.Sprintf(queryStr, whereStr), append(joinArgs, whereArgs...)...)
        if respondwith.ErrorText(w, err) {
                return
        }

        // render response
        result := make([]limesresources.Commitment, 0, len(dbCommitments))
        for _, c := range dbCommitments {
                loc, exists := azResourceLocationsByID[c.AZResourceID]
                if !exists {
                        // defense in depth (the DB should not change that much between those two queries above)
                        continue
                }
                result = append(result, p.convertCommitmentToDisplayForm(c, loc, token))
        }

        respondwith.JSON(w, http.StatusOK, map[string]any{"commitments": result})
}

func (p *v1Provider) convertCommitmentToDisplayForm(c db.ProjectCommitment, loc core.AZResourceLocation, token *gopherpolicy.Token) limesresources.Commitment {
        resInfo := p.Cluster.InfoForResource(loc.ServiceType, loc.ResourceName)
        apiIdentity := p.Cluster.BehaviorForResource(loc.ServiceType, loc.ResourceName).IdentityInV1API
        return limesresources.Commitment{
                ID:               int64(c.ID),
                ServiceType:      apiIdentity.ServiceType,
                ResourceName:     apiIdentity.Name,
                AvailabilityZone: loc.AvailabilityZone,
                Amount:           c.Amount,
                Unit:             resInfo.Unit,
                Duration:         c.Duration,
                CreatedAt:        limes.UnixEncodedTime{Time: c.CreatedAt},
                CreatorUUID:      c.CreatorUUID,
                CreatorName:      c.CreatorName,
                CanBeDeleted:     p.canDeleteCommitment(token, c),
                ConfirmBy:        maybeUnixEncodedTime(c.ConfirmBy),
                ConfirmedAt:      maybeUnixEncodedTime(c.ConfirmedAt),
                ExpiresAt:        limes.UnixEncodedTime{Time: c.ExpiresAt},
                TransferStatus:   c.TransferStatus,
                TransferToken:    c.TransferToken,
                NotifyOnConfirm:  c.NotifyOnConfirm,
                WasRenewed:       c.WasRenewed,
        }
}

func (p *v1Provider) parseAndValidateCommitmentRequest(w http.ResponseWriter, r *http.Request) (*limesresources.CommitmentRequest, *core.AZResourceLocation, *core.ResourceBehavior) {
        // parse request
        var parseTarget struct {
                Request limesresources.CommitmentRequest `json:"commitment"`
        }
        if !RequireJSON(w, r, &parseTarget) {
                return nil, nil, nil
        }
        req := parseTarget.Request

        // validate request
        nm := core.BuildResourceNameMapping(p.Cluster)
        dbServiceType, dbResourceName, ok := nm.MapFromV1API(req.ServiceType, req.ResourceName)
        if !ok {
                msg := fmt.Sprintf("no such service and/or resource: %s/%s", req.ServiceType, req.ResourceName)
                http.Error(w, msg, http.StatusUnprocessableEntity)
                return nil, nil, nil
        }
        behavior := p.Cluster.BehaviorForResource(dbServiceType, dbResourceName)
        resInfo := p.Cluster.InfoForResource(dbServiceType, dbResourceName)
        if len(behavior.CommitmentDurations) == 0 {
                http.Error(w, "commitments are not enabled for this resource", http.StatusUnprocessableEntity)
                return nil, nil, nil
        }
        if resInfo.Topology == liquid.FlatTopology {
                if req.AvailabilityZone != limes.AvailabilityZoneAny {
                        http.Error(w, `resource does not accept AZ-aware commitments, so the AZ must be set to "any"`, http.StatusUnprocessableEntity)
                        return nil, nil, nil
                }
        } else {
                if !slices.Contains(p.Cluster.Config.AvailabilityZones, req.AvailabilityZone) {
                        http.Error(w, "no such availability zone", http.StatusUnprocessableEntity)
                        return nil, nil, nil
                }
        }
        if !slices.Contains(behavior.CommitmentDurations, req.Duration) {
                buf := must.Return(json.Marshal(behavior.CommitmentDurations)) // panic on error is acceptable here, marshals should never fail
                msg := "unacceptable commitment duration for this resource, acceptable values: " + string(buf)
                http.Error(w, msg, http.StatusUnprocessableEntity)
                return nil, nil, nil
        }
        if req.Amount == 0 {
                http.Error(w, "amount of committed resource must be greater than zero", http.StatusUnprocessableEntity)
                return nil, nil, nil
        }

        loc := core.AZResourceLocation{
                ServiceType:      dbServiceType,
                ResourceName:     dbResourceName,
                AvailabilityZone: req.AvailabilityZone,
        }
        return &req, &loc, &behavior
}

// CanConfirmNewProjectCommitment handles POST /v1/domains/:domain_id/projects/:project_id/commitments/can-confirm.
func (p *v1Provider) CanConfirmNewProjectCommitment(w http.ResponseWriter, r *http.Request) {
        httpapi.IdentifyEndpoint(r, "/v1/domains/:id/projects/:id/commitments/can-confirm")
        token := p.CheckToken(r)
        if !token.Require(w, "project:edit") {
                return
        }
        dbDomain := p.FindDomainFromRequest(w, r)
        if dbDomain == nil {
                return
        }
        dbProject := p.FindProjectFromRequest(w, r, dbDomain)
        if dbProject == nil {
                return
        }
        req, loc, behavior := p.parseAndValidateCommitmentRequest(w, r)
        if req == nil {
                return
        }

        var (
                resourceID                db.ProjectResourceID
                azResourceID              db.ProjectAZResourceID
                resourceAllowsCommitments bool
        )
        err := p.DB.QueryRow(findProjectAZResourceIDByLocationQuery, dbProject.ID, loc.ServiceType, loc.ResourceName, loc.AvailabilityZone).
                Scan(&resourceID, &azResourceID, &resourceAllowsCommitments)
        if respondwith.ErrorText(w, err) {
                return
        }
        if !resourceAllowsCommitments {
                msg := fmt.Sprintf("resource %s/%s is not enabled in this project", req.ServiceType, req.ResourceName)
                http.Error(w, msg, http.StatusUnprocessableEntity)
                return
        }
        _ = azResourceID // returned by the above query, but not used in this function

        // commitments can never be confirmed immediately if we are before the min_confirm_date
        now := p.timeNow()
        if behavior.CommitmentMinConfirmDate != nil && behavior.CommitmentMinConfirmDate.After(now) {
                respondwith.JSON(w, http.StatusOK, map[string]bool{"result": false})
                return
        }

        // check for committable capacity
        result, err := datamodel.CanConfirmNewCommitment(*loc, resourceID, req.Amount, p.Cluster, p.DB)
        if respondwith.ErrorText(w, err) {
                return
        }
        respondwith.JSON(w, http.StatusOK, map[string]bool{"result": result})
}

// CreateProjectCommitment handles POST /v1/domains/:domain_id/projects/:project_id/commitments/new.
func (p *v1Provider) CreateProjectCommitment(w http.ResponseWriter, r *http.Request) {
        httpapi.IdentifyEndpoint(r, "/v1/domains/:id/projects/:id/commitments/new")
        token := p.CheckToken(r)
        if !token.Require(w, "project:edit") {
                return
        }
        dbDomain := p.FindDomainFromRequest(w, r)
        if dbDomain == nil {
                return
        }
        dbProject := p.FindProjectFromRequest(w, r, dbDomain)
        if dbProject == nil {
                return
        }
        req, loc, behavior := p.parseAndValidateCommitmentRequest(w, r)
        if req == nil {
                return
        }

        var (
                resourceID                db.ProjectResourceID
                azResourceID              db.ProjectAZResourceID
                resourceAllowsCommitments bool
        )
        err := p.DB.QueryRow(findProjectAZResourceIDByLocationQuery, dbProject.ID, loc.ServiceType, loc.ResourceName, loc.AvailabilityZone).
                Scan(&resourceID, &azResourceID, &resourceAllowsCommitments)
        if respondwith.ErrorText(w, err) {
                return
        }
        if !resourceAllowsCommitments {
                msg := fmt.Sprintf("resource %s/%s is not enabled in this project", req.ServiceType, req.ResourceName)
                http.Error(w, msg, http.StatusUnprocessableEntity)
                return
        }

        // if given, confirm_by must definitely after time.Now(), and also after the MinConfirmDate if configured
        now := p.timeNow()
        if req.ConfirmBy != nil && req.ConfirmBy.Before(now) {
                http.Error(w, "confirm_by must not be set in the past", http.StatusUnprocessableEntity)
                return
        }
        if minConfirmBy := behavior.CommitmentMinConfirmDate; minConfirmBy != nil && minConfirmBy.After(now) {
                if req.ConfirmBy == nil || req.ConfirmBy.Before(*minConfirmBy) {
                        msg := "this commitment needs a `confirm_by` timestamp at or after " + behavior.CommitmentMinConfirmDate.Format(time.RFC3339)
                        http.Error(w, msg, http.StatusUnprocessableEntity)
                        return
                }
        }

        // we want to validate committable capacity in the same transaction that creates the commitment
        tx, err := p.DB.Begin()
        if respondwith.ErrorText(w, err) {
                return
        }
        defer sqlext.RollbackUnlessCommitted(tx)

        // prepare commitment
        confirmBy := maybeUnpackUnixEncodedTime(req.ConfirmBy)
        creationContext := db.CommitmentWorkflowContext{Reason: db.CommitmentReasonCreate}
        buf, err := json.Marshal(creationContext)
        if respondwith.ErrorText(w, err) {
                return
        }
        dbCommitment := db.ProjectCommitment{
                AZResourceID:        azResourceID,
                Amount:              req.Amount,
                Duration:            req.Duration,
                CreatedAt:           now,
                CreatorUUID:         token.UserUUID(),
                CreatorName:         fmt.Sprintf("%s@%s", token.UserName(), token.UserDomainName()),
                ConfirmBy:           confirmBy,
                ConfirmedAt:         nil, // may be set below
                ExpiresAt:           req.Duration.AddTo(unwrapOrDefault(confirmBy, now)),
                CreationContextJSON: json.RawMessage(buf),
        }
        if req.NotifyOnConfirm && req.ConfirmBy == nil {
                http.Error(w, "notification on confirm cannot be set for commitments with immediate confirmation", http.StatusConflict)
                return
        }
        dbCommitment.NotifyOnConfirm = req.NotifyOnConfirm

        if req.ConfirmBy == nil {
                // if not planned for confirmation in the future, confirm immediately (or fail)
                ok, err := datamodel.CanConfirmNewCommitment(*loc, resourceID, req.Amount, p.Cluster, tx)
                if respondwith.ErrorText(w, err) {
                        return
                }
                if !ok {
                        http.Error(w, "not enough capacity available for immediate confirmation", http.StatusConflict)
                        return
                }
                dbCommitment.ConfirmedAt = &now
                dbCommitment.State = db.CommitmentStateActive
        } else {
                dbCommitment.State = db.CommitmentStatePlanned
        }

        // create commitment
        err = tx.Insert(&dbCommitment)
        if respondwith.ErrorText(w, err) {
                return
        }
        err = tx.Commit()
        if respondwith.ErrorText(w, err) {
                return
        }
        p.auditor.Record(audittools.Event{
                Time:       now,
                Request:    r,
                User:       token,
                ReasonCode: http.StatusCreated,
                Action:     cadf.CreateAction,
                Target: commitmentEventTarget{
                        DomainID:        dbDomain.UUID,
                        DomainName:      dbDomain.Name,
                        ProjectID:       dbProject.UUID,
                        ProjectName:     dbProject.Name,
                        Commitments:     []limesresources.Commitment{p.convertCommitmentToDisplayForm(dbCommitment, *loc, token)},
                        WorkflowContext: &creationContext,
                },
        })

        // if the commitment is immediately confirmed, trigger a capacity scrape in
        // order to ApplyComputedProjectQuotas based on the new commitment
        if dbCommitment.ConfirmedAt != nil {
                _, err := p.DB.Exec(forceImmediateCapacityScrapeQuery, now, loc.ServiceType, loc.ResourceName)
                if respondwith.ErrorText(w, err) {
                        return
                }
        }

        // display the possibly confirmed commitment to the user
        err = p.DB.SelectOne(&dbCommitment, `SELECT * FROM project_commitments WHERE id = $1`, dbCommitment.ID)
        if respondwith.ErrorText(w, err) {
                return
        }

        c := p.convertCommitmentToDisplayForm(dbCommitment, *loc, token)
        respondwith.JSON(w, http.StatusCreated, map[string]any{"commitment": c})
}

// MergeProjectCommitments handles POST /v1/domains/:domain_id/projects/:project_id/commitments/merge.
func (p *v1Provider) MergeProjectCommitments(w http.ResponseWriter, r *http.Request) {
        httpapi.IdentifyEndpoint(r, "/v1/domains/:id/projects/:id/commitments/merge")
        token := p.CheckToken(r)
        if !token.Require(w, "project:edit") {
                return
        }
        dbDomain := p.FindDomainFromRequest(w, r)
        if dbDomain == nil {
                return
        }
        dbProject := p.FindProjectFromRequest(w, r, dbDomain)
        if dbProject == nil {
                return
        }
        var parseTarget struct {
                CommitmentIDs []db.ProjectCommitmentID `json:"commitment_ids"`
        }
        if !RequireJSON(w, r, &parseTarget) {
                return
        }
        commitmentIDs := parseTarget.CommitmentIDs
        if len(commitmentIDs) < 2 {
                http.Error(w, fmt.Sprintf("merging requires at least two commitments, but %d were given", len(commitmentIDs)), http.StatusBadRequest)
                return
        }

        // Load commitments
        dbCommitments := make([]db.ProjectCommitment, len(commitmentIDs))
        for i, commitmentID := range commitmentIDs {
                err := p.DB.SelectOne(&dbCommitments[i], findProjectCommitmentByIDQuery, commitmentID, dbProject.ID)
                if errors.Is(err, sql.ErrNoRows) {
                        http.Error(w, "no such commitment", http.StatusNotFound)
                        return
                } else if respondwith.ErrorText(w, err) {
                        return
                }
        }

        // Verify that all commitments agree on resource and AZ and are active
        azResourceID := dbCommitments[0].AZResourceID
        for _, dbCommitment := range dbCommitments {
                if dbCommitment.AZResourceID != azResourceID {
                        http.Error(w, "all commitments must be on the same resource and AZ", http.StatusConflict)
                        return
                }
                if dbCommitment.State != db.CommitmentStateActive {
                        http.Error(w, "only active commitments may be merged", http.StatusConflict)
                        return
                }
        }

        var loc core.AZResourceLocation
        err := p.DB.QueryRow(findProjectAZResourceLocationByIDQuery, azResourceID).
                Scan(&loc.ServiceType, &loc.ResourceName, &loc.AvailabilityZone)
        if errors.Is(err, sql.ErrNoRows) {
                http.Error(w, "no route to this commitment", http.StatusNotFound)
                return
        } else if respondwith.ErrorText(w, err) {
                return
        }

        // Start transaction for creating new commitment and marking merged commitments as superseded
        tx, err := p.DB.Begin()
        if respondwith.ErrorText(w, err) {
                return
        }
        defer sqlext.RollbackUnlessCommitted(tx)

        // Create merged template
        now := p.timeNow()
        dbMergedCommitment := db.ProjectCommitment{
                AZResourceID: azResourceID,
                Amount:       0,                                   // overwritten below
                Duration:     limesresources.CommitmentDuration{}, // overwritten below
                CreatedAt:    now,
                CreatorUUID:  token.UserUUID(),
                CreatorName:  fmt.Sprintf("%s@%s", token.UserName(), token.UserDomainName()),
                ConfirmedAt:  &now,
                ExpiresAt:    time.Time{}, // overwritten below
                State:        db.CommitmentStateActive,
        }

        // Fill amount and latest expiration date
        for _, dbCommitment := range dbCommitments {
                dbMergedCommitment.Amount += dbCommitment.Amount
                if dbCommitment.ExpiresAt.After(dbMergedCommitment.ExpiresAt) {
                        dbMergedCommitment.ExpiresAt = dbCommitment.ExpiresAt
                        dbMergedCommitment.Duration = dbCommitment.Duration
                }
        }

        // Fill workflow context
        creationContext := db.CommitmentWorkflowContext{
                Reason:               db.CommitmentReasonMerge,
                RelatedCommitmentIDs: commitmentIDs,
        }
        buf, err := json.Marshal(creationContext)
        if respondwith.ErrorText(w, err) {
                return
        }
        dbMergedCommitment.CreationContextJSON = json.RawMessage(buf)

        // Insert into database
        err = tx.Insert(&dbMergedCommitment)
        if respondwith.ErrorText(w, err) {
                return
        }

        // Mark merged commits as superseded
        supersedeContext := db.CommitmentWorkflowContext{
                Reason:               db.CommitmentReasonMerge,
                RelatedCommitmentIDs: []db.ProjectCommitmentID{dbMergedCommitment.ID},
        }
        buf, err = json.Marshal(supersedeContext)
        if respondwith.ErrorText(w, err) {
                return
        }
        for _, dbCommitment := range dbCommitments {
                dbCommitment.SupersededAt = &now
                dbCommitment.SupersedeContextJSON = liquids.PointerTo(json.RawMessage(buf))
                dbCommitment.State = db.CommitmentStateSuperseded
                _, err = tx.Update(&dbCommitment)
                if respondwith.ErrorText(w, err) {
                        return
                }
        }

        err = tx.Commit()
        if respondwith.ErrorText(w, err) {
                return
        }

        c := p.convertCommitmentToDisplayForm(dbMergedCommitment, loc, token)
        auditEvent := commitmentEventTarget{
                DomainID:        dbDomain.UUID,
                DomainName:      dbDomain.Name,
                ProjectID:       dbProject.UUID,
                ProjectName:     dbProject.Name,
                Commitments:     []limesresources.Commitment{c},
                WorkflowContext: &creationContext,
        }
        p.auditor.Record(audittools.Event{
                Time:       p.timeNow(),
                Request:    r,
                User:       token,
                ReasonCode: http.StatusAccepted,
                Action:     cadf.UpdateAction,
                Target:     auditEvent,
        })

        respondwith.JSON(w, http.StatusAccepted, map[string]any{"commitment": c})
}

// As per the API spec, commitments can be renewed 90 days in advance at the earliest.
const commitmentRenewalPeriod = 90 * 24 * time.Hour

// RenewProjectCommitments handles POST /v1/domains/:domain_id/projects/:project_id/commitments/renew.
func (p *v1Provider) RenewProjectCommitments(w http.ResponseWriter, r *http.Request) {
        httpapi.IdentifyEndpoint(r, "/v1/domains/:id/projects/:id/commitments/renew")
        token := p.CheckToken(r)
        if !token.Require(w, "project:edit") {
                return
        }
        dbDomain := p.FindDomainFromRequest(w, r)
        if dbDomain == nil {
                return
        }
        dbProject := p.FindProjectFromRequest(w, r, dbDomain)
        if dbProject == nil {
                return
        }
        var parseTarget struct {
                CommitmentIDs []db.ProjectCommitmentID `json:"commitment_ids"`
        }
        if !RequireJSON(w, r, &parseTarget) {
                return
        }

        // Load commitments
        commitmentIDs := parseTarget.CommitmentIDs
        dbCommitments := make([]db.ProjectCommitment, len(commitmentIDs))
        for i, commitmentID := range commitmentIDs {
                err := p.DB.SelectOne(&dbCommitments[i], findProjectCommitmentByIDQuery, commitmentID, dbProject.ID)
                if errors.Is(err, sql.ErrNoRows) {
                        http.Error(w, "no such commitment", http.StatusNotFound)
                        return
                } else if respondwith.ErrorText(w, err) {
                        return
                }
        }
        now := p.timeNow()

        // Check if commitments are renewable
        for _, dbCommitment := range dbCommitments {
                var errs errext.ErrorSet
                if dbCommitment.State != db.CommitmentStateActive {
                        errs.Addf("invalid state %q", dbCommitment.State)
                } else if now.After(dbCommitment.ExpiresAt) {
                        errs.Addf("invalid state %q", db.CommitmentStateExpired)
                }
                if now.Before(dbCommitment.ExpiresAt.Add(-commitmentRenewalPeriod)) {
                        errs.Addf("renewal attempt too early")
                }
                if dbCommitment.WasRenewed {
                        errs.Addf("already renewed")
                }

                if !errs.IsEmpty() {
                        msg := fmt.Sprintf("cannot renew commitment %d: %s", dbCommitment.ID, errs.Join(", "))
                        http.Error(w, msg, http.StatusConflict)
                        return
                }
        }

        // Create renewed commitments
        tx, err := p.DB.Begin()
        if respondwith.ErrorText(w, err) {
                return
        }
        defer sqlext.RollbackUnlessCommitted(tx)

        type renewContext struct {
                commitment db.ProjectCommitment
                location   core.AZResourceLocation
                context    db.CommitmentWorkflowContext
        }
        dbRenewedCommitments := make(map[db.ProjectCommitmentID]renewContext)
        for _, commitment := range dbCommitments {
                var loc core.AZResourceLocation
                err := p.DB.QueryRow(findProjectAZResourceLocationByIDQuery, commitment.AZResourceID).
                        Scan(&loc.ServiceType, &loc.ResourceName, &loc.AvailabilityZone)
                if errors.Is(err, sql.ErrNoRows) {
                        http.Error(w, "no route to this commitment", http.StatusNotFound)
                        return
                } else if respondwith.ErrorText(w, err) {
                        return
                }

                creationContext := db.CommitmentWorkflowContext{
                        Reason:               db.CommitmentReasonRenew,
                        RelatedCommitmentIDs: []db.ProjectCommitmentID{commitment.ID},
                }
                buf, err := json.Marshal(creationContext)
                if respondwith.ErrorText(w, err) {
                        return
                }
                dbRenewedCommitment := db.ProjectCommitment{
                        AZResourceID:        commitment.AZResourceID,
                        Amount:              commitment.Amount,
                        Duration:            commitment.Duration,
                        CreatedAt:           now,
                        CreatorUUID:         token.UserUUID(),
                        CreatorName:         fmt.Sprintf("%s@%s", token.UserName(), token.UserDomainName()),
                        ConfirmBy:           &commitment.ExpiresAt,
                        ExpiresAt:           commitment.Duration.AddTo(unwrapOrDefault(&commitment.ExpiresAt, now)),
                        State:               db.CommitmentStatePlanned,
                        CreationContextJSON: json.RawMessage(buf),
                }

                err = tx.Insert(&dbRenewedCommitment)
                if respondwith.ErrorText(w, err) {
                        return
                }
                dbRenewedCommitments[dbRenewedCommitment.ID] = renewContext{commitment: dbRenewedCommitment, location: loc, context: creationContext}

                commitment.WasRenewed = true
                _, err = tx.Update(&commitment)
                if respondwith.ErrorText(w, err) {
                        return
                }
        }

        err = tx.Commit()
        if respondwith.ErrorText(w, err) {
                return
        }

        // Create resultset and auditlogs
        var commitments []limesresources.Commitment
        for _, key := range slices.Sorted(maps.Keys(dbRenewedCommitments)) {
                ctx := dbRenewedCommitments[key]
                c := p.convertCommitmentToDisplayForm(ctx.commitment, ctx.location, token)
                commitments = append(commitments, c)
                auditEvent := commitmentEventTarget{
                        DomainID:        dbDomain.UUID,
                        DomainName:      dbDomain.Name,
                        ProjectID:       dbProject.UUID,
                        ProjectName:     dbProject.Name,
                        Commitments:     []limesresources.Commitment{c},
                        WorkflowContext: &ctx.context,
                }

                p.auditor.Record(audittools.Event{
                        Time:       p.timeNow(),
                        Request:    r,
                        User:       token,
                        ReasonCode: http.StatusAccepted,
                        Action:     cadf.UpdateAction,
                        Target:     auditEvent,
                })
        }

        respondwith.JSON(w, http.StatusAccepted, map[string]any{"commitments": commitments})
}

// DeleteProjectCommitment handles DELETE /v1/domains/:domain_id/projects/:project_id/commitments/:id.
func (p *v1Provider) DeleteProjectCommitment(w http.ResponseWriter, r *http.Request) {
        httpapi.IdentifyEndpoint(r, "/v1/domains/:id/projects/:id/commitments/:id")
        token := p.CheckToken(r)
        if !token.Require(w, "project:edit") { //NOTE: There is a more specific AuthZ check further down below.
                return
        }
        dbDomain := p.FindDomainFromRequest(w, r)
        if dbDomain == nil {
                return
        }
        dbProject := p.FindProjectFromRequest(w, r, dbDomain)
        if dbProject == nil {
                return
        }

        // load commitment
        var dbCommitment db.ProjectCommitment
        err := p.DB.SelectOne(&dbCommitment, findProjectCommitmentByIDQuery, mux.Vars(r)["id"], dbProject.ID)
        if errors.Is(err, sql.ErrNoRows) {
                http.Error(w, "no such commitment", http.StatusNotFound)
                return
        } else if respondwith.ErrorText(w, err) {
                return
        }
        var loc core.AZResourceLocation
        err = p.DB.QueryRow(findProjectAZResourceLocationByIDQuery, dbCommitment.AZResourceID).
                Scan(&loc.ServiceType, &loc.ResourceName, &loc.AvailabilityZone)
        if errors.Is(err, sql.ErrNoRows) {
                // defense in depth: this should not happen because all the relevant tables are connected by FK constraints
                http.Error(w, "no route to this commitment", http.StatusNotFound)
                return
        } else if respondwith.ErrorText(w, err) {
                return
        }

        // check authorization for this specific commitment
        if !p.canDeleteCommitment(token, dbCommitment) {
                http.Error(w, "Forbidden", http.StatusForbidden)
                return
        }

        // perform deletion
        _, err = p.DB.Delete(&dbCommitment)
        if respondwith.ErrorText(w, err) {
                return
        }
        p.auditor.Record(audittools.Event{
                Time:       p.timeNow(),
                Request:    r,
                User:       token,
                ReasonCode: http.StatusNoContent,
                Action:     cadf.DeleteAction,
                Target: commitmentEventTarget{
                        DomainID:    dbDomain.UUID,
                        DomainName:  dbDomain.Name,
                        ProjectID:   dbProject.UUID,
                        ProjectName: dbProject.Name,
                        Commitments: []limesresources.Commitment{p.convertCommitmentToDisplayForm(dbCommitment, loc, token)},
                },
        })

        w.WriteHeader(http.StatusNoContent)
}

func (p *v1Provider) canDeleteCommitment(token *gopherpolicy.Token, commitment db.ProjectCommitment) bool {
        // up to 24 hours after creation of fresh commitments, future commitments can still be deleted by their creators
        if commitment.State == db.CommitmentStatePlanned || commitment.State == db.CommitmentStatePending || commitment.State == db.CommitmentStateActive {
                var creationContext db.CommitmentWorkflowContext
                err := json.Unmarshal(commitment.CreationContextJSON, &creationContext)
                if err == nil && creationContext.Reason == db.CommitmentReasonCreate && p.timeNow().Before(commitment.CreatedAt.Add(24*time.Hour)) {
                        if token.Check("project:edit") {
                                return true
                        }
                }
        }

        // afterwards, a more specific permission is required to delete it
        //
        // This protects cloud admins making capacity planning decisions based on future commitments
        // from having their forecasts ruined by project admins suffering from buyer's remorse.
        return token.Check("project:uncommit")
}

// StartCommitmentTransfer handles POST /v1/domains/:id/projects/:id/commitments/:id/start-transfer
func (p *v1Provider) StartCommitmentTransfer(w http.ResponseWriter, r *http.Request) {
        httpapi.IdentifyEndpoint(r, "/v1/domains/:id/projects/:id/commitments/:id/start-transfer")
        token := p.CheckToken(r)
        if !token.Require(w, "project:edit") {
                return
        }
        dbDomain := p.FindDomainFromRequest(w, r)
        if dbDomain == nil {
                return
        }
        dbProject := p.FindProjectFromRequest(w, r, dbDomain)
        if dbProject == nil {
                return
        }
        // TODO: eventually migrate this struct into go-api-declarations
        var parseTarget struct {
                Request struct {
                        Amount         uint64                                  `json:"amount"`
                        TransferStatus limesresources.CommitmentTransferStatus `json:"transfer_status,omitempty"`
                } `json:"commitment"`
        }
        if !RequireJSON(w, r, &parseTarget) {
                return
        }
        req := parseTarget.Request

        if req.TransferStatus != limesresources.CommitmentTransferStatusUnlisted && req.TransferStatus != limesresources.CommitmentTransferStatusPublic {
                http.Error(w, fmt.Sprintf("Invalid transfer_status code. Must be %s or %s.", limesresources.CommitmentTransferStatusUnlisted, limesresources.CommitmentTransferStatusPublic), http.StatusBadRequest)
                return
        }

        if req.Amount <= 0 {
                http.Error(w, "delivered amount needs to be a positive value.", http.StatusBadRequest)
                return
        }

        // load commitment
        var dbCommitment db.ProjectCommitment
        err := p.DB.SelectOne(&dbCommitment, findProjectCommitmentByIDQuery, mux.Vars(r)["id"], dbProject.ID)
        if errors.Is(err, sql.ErrNoRows) {
                http.Error(w, "no such commitment", http.StatusNotFound)
                return
        } else if respondwith.ErrorText(w, err) {
                return
        }

        // Mark whole commitment or a newly created, splitted one as transferrable.
        tx, err := p.DB.Begin()
        if respondwith.ErrorText(w, err) {
                return
        }
        defer sqlext.RollbackUnlessCommitted(tx)
        transferToken := p.generateTransferToken()

        // Deny requests with a greater amount than the commitment.
        if req.Amount > dbCommitment.Amount {
                http.Error(w, "delivered amount exceeds the commitment amount.", http.StatusBadRequest)
                return
        }

        if req.Amount == dbCommitment.Amount {
                dbCommitment.TransferStatus = req.TransferStatus
                dbCommitment.TransferToken = &transferToken
                _, err = tx.Update(&dbCommitment)
                if respondwith.ErrorText(w, err) {
                        return
                }
        } else {
                now := p.timeNow()
                transferAmount := req.Amount
                remainingAmount := dbCommitment.Amount - req.Amount
                transferCommitment, err := p.buildSplitCommitment(dbCommitment, transferAmount)
                if respondwith.ErrorText(w, err) {
                        return
                }
                transferCommitment.TransferStatus = req.TransferStatus
                transferCommitment.TransferToken = &transferToken
                remainingCommitment, err := p.buildSplitCommitment(dbCommitment, remainingAmount)
                if respondwith.ErrorText(w, err) {
                        return
                }
                err = tx.Insert(&transferCommitment)
                if respondwith.ErrorText(w, err) {
                        return
                }
                err = tx.Insert(&remainingCommitment)
                if respondwith.ErrorText(w, err) {
                        return
                }
                supersedeContext := db.CommitmentWorkflowContext{
                        Reason:               db.CommitmentReasonSplit,
                        RelatedCommitmentIDs: []db.ProjectCommitmentID{transferCommitment.ID, remainingCommitment.ID},
                }
                buf, err := json.Marshal(supersedeContext)
                if respondwith.ErrorText(w, err) {
                        return
                }
                dbCommitment.State = db.CommitmentStateSuperseded
                dbCommitment.SupersededAt = &now
                dbCommitment.SupersedeContextJSON = liquids.PointerTo(json.RawMessage(buf))
                _, err = tx.Update(&dbCommitment)
                if respondwith.ErrorText(w, err) {
                        return
                }
                dbCommitment = transferCommitment
        }
        err = tx.Commit()
        if respondwith.ErrorText(w, err) {
                return
        }

        var loc core.AZResourceLocation
        err = p.DB.QueryRow(findProjectAZResourceLocationByIDQuery, dbCommitment.AZResourceID).
                Scan(&loc.ServiceType, &loc.ResourceName, &loc.AvailabilityZone)
        if errors.Is(err, sql.ErrNoRows) {
                // defense in depth: this should not happen because all the relevant tables are connected by FK constraints
                http.Error(w, "no route to this commitment", http.StatusNotFound)
                return
        } else if respondwith.ErrorText(w, err) {
                return
        }

        c := p.convertCommitmentToDisplayForm(dbCommitment, loc, token)
        p.auditor.Record(audittools.Event{
                Time:       p.timeNow(),
                Request:    r,
                User:       token,
                ReasonCode: http.StatusAccepted,
                Action:     cadf.UpdateAction,
                Target: commitmentEventTarget{
                        DomainID:    dbDomain.UUID,
                        DomainName:  dbDomain.Name,
                        ProjectID:   dbProject.UUID,
                        ProjectName: dbProject.Name,
                        Commitments: []limesresources.Commitment{c},
                },
        })
        respondwith.JSON(w, http.StatusAccepted, map[string]any{"commitment": c})
}

func (p *v1Provider) buildSplitCommitment(dbCommitment db.ProjectCommitment, amount uint64) (db.ProjectCommitment, error) {
        now := p.timeNow()
        creationContext := db.CommitmentWorkflowContext{
                Reason:               db.CommitmentReasonSplit,
                RelatedCommitmentIDs: []db.ProjectCommitmentID{dbCommitment.ID},
        }
        buf, err := json.Marshal(creationContext)
        if err != nil {
                return db.ProjectCommitment{}, err
        }
        return db.ProjectCommitment{
                AZResourceID:        dbCommitment.AZResourceID,
                Amount:              amount,
                Duration:            dbCommitment.Duration,
                CreatedAt:           now,
                CreatorUUID:         dbCommitment.CreatorUUID,
                CreatorName:         dbCommitment.CreatorName,
                ConfirmBy:           dbCommitment.ConfirmBy,
                ConfirmedAt:         dbCommitment.ConfirmedAt,
                ExpiresAt:           dbCommitment.ExpiresAt,
                CreationContextJSON: json.RawMessage(buf),
                State:               dbCommitment.State,
        }, nil
}

func (p *v1Provider) buildConvertedCommitment(dbCommitment db.ProjectCommitment, azResourceID db.ProjectAZResourceID, amount uint64) (db.ProjectCommitment, error) {
        now := p.timeNow()
        creationContext := db.CommitmentWorkflowContext{
                Reason:               db.CommitmentReasonConvert,
                RelatedCommitmentIDs: []db.ProjectCommitmentID{dbCommitment.ID},
        }
        buf, err := json.Marshal(creationContext)
        if err != nil {
                return db.ProjectCommitment{}, err
        }
        return db.ProjectCommitment{
                AZResourceID:        azResourceID,
                Amount:              amount,
                Duration:            dbCommitment.Duration,
                CreatedAt:           now,
                CreatorUUID:         dbCommitment.CreatorUUID,
                CreatorName:         dbCommitment.CreatorName,
                ConfirmBy:           dbCommitment.ConfirmBy,
                ConfirmedAt:         dbCommitment.ConfirmedAt,
                ExpiresAt:           dbCommitment.ExpiresAt,
                CreationContextJSON: json.RawMessage(buf),
                State:               dbCommitment.State,
        }, nil
}

// GetCommitmentByTransferToken handles GET /v1/commitments/{token}
func (p *v1Provider) GetCommitmentByTransferToken(w http.ResponseWriter, r *http.Request) {
        httpapi.IdentifyEndpoint(r, "/v1/commitments/:token")
        token := p.CheckToken(r)
        if !token.Require(w, "cluster:show_basic") {
                return
        }
        transferToken := mux.Vars(r)["token"]

        // The token column is a unique key, so we expect only one result.
        var dbCommitment db.ProjectCommitment
        err := p.DB.SelectOne(&dbCommitment, findCommitmentByTransferToken, transferToken)
        if errors.Is(err, sql.ErrNoRows) {
                http.Error(w, "no matching commitment found.", http.StatusNotFound)
                return
        } else if respondwith.ErrorText(w, err) {
                return
        }

        var loc core.AZResourceLocation
        err = p.DB.QueryRow(findProjectAZResourceLocationByIDQuery, dbCommitment.AZResourceID).
                Scan(&loc.ServiceType, &loc.ResourceName, &loc.AvailabilityZone)
        if errors.Is(err, sql.ErrNoRows) {
                // defense in depth: this should not happen because all the relevant tables are connected by FK constraints
                http.Error(w, "location data not found.", http.StatusNotFound)
                return
        } else if respondwith.ErrorText(w, err) {
                return
        }

        c := p.convertCommitmentToDisplayForm(dbCommitment, loc, token)
        respondwith.JSON(w, http.StatusAccepted, map[string]any{"commitment": c})
}

// TransferCommitment handles POST /v1/domains/{domain_id}/projects/{project_id}/transfer-commitment/{id}?token={token}
func (p *v1Provider) TransferCommitment(w http.ResponseWriter, r *http.Request) {
        httpapi.IdentifyEndpoint(r, "/v1/domains/:id/projects/:id/transfer-commitment/:id")
        token := p.CheckToken(r)
        if !token.Require(w, "project:edit") {
                return
        }
        transferToken := r.Header.Get("Transfer-Token")
        if transferToken == "" {
                http.Error(w, "no transfer token provided", http.StatusBadRequest)
                return
        }
        commitmentID := mux.Vars(r)["id"]
        if commitmentID == "" {
                http.Error(w, "no transfer token provided", http.StatusBadRequest)
                return
        }
        dbDomain := p.FindDomainFromRequest(w, r)
        if dbDomain == nil {
                return
        }
        targetProject := p.FindProjectFromRequest(w, r, dbDomain)
        if targetProject == nil {
                return
        }

        // find commitment by transfer_token
        var dbCommitment db.ProjectCommitment
        err := p.DB.SelectOne(&dbCommitment, getCommitmentWithMatchingTransferTokenQuery, commitmentID, transferToken)
        if errors.Is(err, sql.ErrNoRows) {
                http.Error(w, "no matching commitment found", http.StatusNotFound)
                return
        } else if respondwith.ErrorText(w, err) {
                return
        }

        var loc core.AZResourceLocation
        err = p.DB.QueryRow(findProjectAZResourceLocationByIDQuery, dbCommitment.AZResourceID).
                Scan(&loc.ServiceType, &loc.ResourceName, &loc.AvailabilityZone)
        if errors.Is(err, sql.ErrNoRows) {
                // defense in depth: this should not happen because all the relevant tables are connected by FK constraints
                http.Error(w, "no route to this commitment", http.StatusNotFound)
                return
        } else if respondwith.ErrorText(w, err) {
                return
        }

        // get target service and AZ resource
        var (
                sourceResourceID   db.ProjectResourceID
                targetResourceID   db.ProjectResourceID
                targetAZResourceID db.ProjectAZResourceID
        )
        err = p.DB.QueryRow(findTargetAZResourceIDBySourceIDQuery, dbCommitment.AZResourceID, targetProject.ID).
                Scan(&sourceResourceID, &targetResourceID, &targetAZResourceID)
        if respondwith.ErrorText(w, err) {
                return
        }

        // validate that we have enough committable capacity on the receiving side
        tx, err := p.DB.Begin()
        if respondwith.ErrorText(w, err) {
                return
        }
        defer sqlext.RollbackUnlessCommitted(tx)
        ok, err := datamodel.CanMoveExistingCommitment(dbCommitment.Amount, loc, sourceResourceID, targetResourceID, p.Cluster, tx)
        if respondwith.ErrorText(w, err) {
                return
        }
        if !ok {
                http.Error(w, "not enough committable capacity on the receiving side", http.StatusConflict)
                return
        }

        dbCommitment.TransferStatus = ""
        dbCommitment.TransferToken = nil
        dbCommitment.AZResourceID = targetAZResourceID
        _, err = tx.Update(&dbCommitment)
        if respondwith.ErrorText(w, err) {
                return
        }
        err = tx.Commit()
        if respondwith.ErrorText(w, err) {
                return
        }

        c := p.convertCommitmentToDisplayForm(dbCommitment, loc, token)
        p.auditor.Record(audittools.Event{
                Time:       p.timeNow(),
                Request:    r,
                User:       token,
                ReasonCode: http.StatusAccepted,
                Action:     cadf.UpdateAction,
                Target: commitmentEventTarget{
                        DomainID:    dbDomain.UUID,
                        DomainName:  dbDomain.Name,
                        ProjectID:   targetProject.UUID,
                        ProjectName: targetProject.Name,
                        Commitments: []limesresources.Commitment{c},
                },
        })

        respondwith.JSON(w, http.StatusAccepted, map[string]any{"commitment": c})
}

// GetCommitmentConversion handles GET /v1/commitment-conversion/{service_type}/{resource_name}
func (p *v1Provider) GetCommitmentConversions(w http.ResponseWriter, r *http.Request) {
        httpapi.IdentifyEndpoint(r, "/v1/commitment-conversion/:service_type/:resource_name")
        token := p.CheckToken(r)
        if !token.Require(w, "cluster:show_basic") {
                return
        }

        // validate request
        vars := mux.Vars(r)
        nm := core.BuildResourceNameMapping(p.Cluster)
        sourceServiceType, sourceResourceName, exists := nm.MapFromV1API(
                limes.ServiceType(vars["service_type"]),
                limesresources.ResourceName(vars["resource_name"]),
        )
        if !exists {
                msg := fmt.Sprintf("no such service and/or resource: %s/%s", vars["service_type"], vars["resource_name"])
                http.Error(w, msg, http.StatusUnprocessableEntity)
                return
        }
        sourceBehavior := p.Cluster.BehaviorForResource(sourceServiceType, sourceResourceName)
        sourceResInfo := p.Cluster.InfoForResource(sourceServiceType, sourceResourceName)

        // enumerate possible conversions
        conversions := make([]limesresources.CommitmentConversionRule, 0)
        for targetServiceType, quotaPlugin := range p.Cluster.QuotaPlugins {
                for targetResourceName, targetResInfo := range quotaPlugin.Resources() {
                        targetBehavior := p.Cluster.BehaviorForResource(targetServiceType, targetResourceName)
                        if targetBehavior.CommitmentConversion == (core.CommitmentConversion{}) {
                                continue
                        }
                        if sourceServiceType == targetServiceType && sourceResourceName == targetResourceName {
                                continue
                        }
                        if sourceResInfo.Unit != targetResInfo.Unit {
                                continue
                        }
                        if sourceBehavior.CommitmentConversion.Identifier != targetBehavior.CommitmentConversion.Identifier {
                                continue
                        }

                        fromAmount, toAmount := p.getCommitmentConversionRate(sourceBehavior, targetBehavior)
                        apiServiceType, apiResourceName, ok := nm.MapToV1API(targetServiceType, targetResourceName)
                        if ok {
                                conversions = append(conversions, limesresources.CommitmentConversionRule{
                                        FromAmount:     fromAmount,
                                        ToAmount:       toAmount,
                                        TargetService:  apiServiceType,
                                        TargetResource: apiResourceName,
                                })
                        }
                }
        }

        // use a defined sorting to ensure deterministic behavior in tests
        slices.SortFunc(conversions, func(lhs, rhs limesresources.CommitmentConversionRule) int {
                result := strings.Compare(string(lhs.TargetService), string(rhs.TargetService))
                if result != 0 {
                        return result
                }
                return strings.Compare(string(lhs.TargetResource), string(rhs.TargetResource))
        })

        respondwith.JSON(w, http.StatusOK, map[string]any{"conversions": conversions})
}

// ConvertCommitment handles POST /v1/domains/{domain_id}/projects/{project_id}/commitments/{commitment_id}/convert
func (p *v1Provider) ConvertCommitment(w http.ResponseWriter, r *http.Request) {
        httpapi.IdentifyEndpoint(r, "/v1/domains/:domain_id/projects/:project_id/commitments/:commitment_id/convert")
        token := p.CheckToken(r)
        if !token.Require(w, "project:edit") {
                return
        }
        commitmentID := mux.Vars(r)["commitment_id"]
        if commitmentID == "" {
                http.Error(w, "no transfer token provided", http.StatusBadRequest)
                return
        }
        dbDomain := p.FindDomainFromRequest(w, r)
        if dbDomain == nil {
                return
        }
        dbProject := p.FindProjectFromRequest(w, r, dbDomain)
        if dbProject == nil {
                return
        }

        // section: sourceBehavior
        var dbCommitment db.ProjectCommitment
        err := p.DB.SelectOne(&dbCommitment, findProjectCommitmentByIDQuery, commitmentID, dbProject.ID)
        if errors.Is(err, sql.ErrNoRows) {
                http.Error(w, "no such commitment", http.StatusNotFound)
                return
        } else if respondwith.ErrorText(w, err) {
                return
        }
        var sourceLoc core.AZResourceLocation
        err = p.DB.QueryRow(findProjectAZResourceLocationByIDQuery, dbCommitment.AZResourceID).
                Scan(&sourceLoc.ServiceType, &sourceLoc.ResourceName, &sourceLoc.AvailabilityZone)
        if errors.Is(err, sql.ErrNoRows) {
                // defense in depth: this should not happen because all the relevant tables are connected by FK constraints
                http.Error(w, "no route to this commitment", http.StatusNotFound)
                return
        } else if respondwith.ErrorText(w, err) {
                return
        }
        sourceBehavior := p.Cluster.BehaviorForResource(sourceLoc.ServiceType, sourceLoc.ResourceName)

        // section: targetBehavior
        var parseTarget struct {
                Request struct {
                        TargetService  limes.ServiceType           `json:"target_service"`
                        TargetResource limesresources.ResourceName `json:"target_resource"`
                        SourceAmount   uint64                      `json:"source_amount"`
                        TargetAmount   uint64                      `json:"target_amount"`
                } `json:"commitment"`
        }
        if !RequireJSON(w, r, &parseTarget) {
                return
        }
        req := parseTarget.Request
        nm := core.BuildResourceNameMapping(p.Cluster)
        targetServiceType, targetResourceName, exists := nm.MapFromV1API(req.TargetService, req.TargetResource)
        if !exists {
                msg := fmt.Sprintf("no such service and/or resource: %s/%s", req.TargetService, req.TargetResource)
                http.Error(w, msg, http.StatusUnprocessableEntity)
                return
        }
        targetBehavior := p.Cluster.BehaviorForResource(targetServiceType, targetResourceName)
        if sourceLoc.ResourceName == targetResourceName && sourceLoc.ServiceType == targetServiceType {
                http.Error(w, "conversion attempt to the same resource.", http.StatusConflict)
                return
        }
        if len(targetBehavior.CommitmentDurations) == 0 {
                msg := fmt.Sprintf("commitments are not enabled for resource %s/%s", req.TargetService, req.TargetResource)
                http.Error(w, msg, http.StatusUnprocessableEntity)
                return
        }
        if sourceBehavior.CommitmentConversion.Identifier == "" || sourceBehavior.CommitmentConversion.Identifier != targetBehavior.CommitmentConversion.Identifier {
                msg := fmt.Sprintf("commitment is not convertible into resource %s/%s", req.TargetService, req.TargetResource)
                http.Error(w, msg, http.StatusUnprocessableEntity)
                return
        }

        // section: conversion
        if req.SourceAmount > dbCommitment.Amount {
                msg := fmt.Sprintf("unprocessable source amount. provided: %v, commitment: %v", req.SourceAmount, dbCommitment.Amount)
                http.Error(w, msg, http.StatusConflict)
                return
        }
        fromAmount, toAmount := p.getCommitmentConversionRate(sourceBehavior, targetBehavior)
        conversionAmount := (req.SourceAmount / fromAmount) * toAmount
        remainderAmount := req.SourceAmount % fromAmount
        if remainderAmount > 0 {
                msg := fmt.Sprintf("amount: %v does not fit into conversion rate of: %v", req.SourceAmount, fromAmount)
                http.Error(w, msg, http.StatusConflict)
                return
        }
        if conversionAmount != req.TargetAmount {
                msg := fmt.Sprintf("conversion mismatch. provided: %v, calculated: %v", req.TargetAmount, conversionAmount)
                http.Error(w, msg, http.StatusConflict)
                return
        }

        tx, err := p.DB.Begin()
        if respondwith.ErrorText(w, err) {
                return
        }
        defer sqlext.RollbackUnlessCommitted(tx)

        var (
                targetResourceID   db.ProjectResourceID
                targetAZResourceID db.ProjectAZResourceID
        )
        err = p.DB.QueryRow(findTargetAZResourceByTargetProjectQuery, dbProject.ID, targetServiceType, targetResourceName, sourceLoc.AvailabilityZone).
                Scan(&targetResourceID, &targetAZResourceID)
        if respondwith.ErrorText(w, err) {
                return
        }
        // defense in depth. ServiceType and ResourceName of source and target are already checked. Here it's possible to explicitly check the ID's.
        if dbCommitment.AZResourceID == targetAZResourceID {
                http.Error(w, "conversion attempt to the same resource.", http.StatusConflict)
                return
        }
        targetLoc := core.AZResourceLocation{
                ServiceType:      targetServiceType,
                ResourceName:     targetResourceName,
                AvailabilityZone: sourceLoc.AvailabilityZone,
        }
        // The commitment at the source resource was already confirmed and checked.
        // Therefore only the addition to the target resource has to be checked against.
        if dbCommitment.ConfirmedAt != nil {
                ok, err := datamodel.CanConfirmNewCommitment(targetLoc, targetResourceID, conversionAmount, p.Cluster, p.DB)
                if respondwith.ErrorText(w, err) {
                        return
                }
                if !ok {
                        http.Error(w, "not enough capacity to confirm the commitment", http.StatusUnprocessableEntity)
                        return
                }
        }

        auditEvent := commitmentEventTarget{
                DomainID:    dbDomain.UUID,
                DomainName:  dbDomain.Name,
                ProjectID:   dbProject.UUID,
                ProjectName: dbProject.Name,
        }

        relatedCommitmentIDs := make([]db.ProjectCommitmentID, 0)
        remainingAmount := dbCommitment.Amount - req.SourceAmount
        if remainingAmount > 0 {
                remainingCommitment, err := p.buildSplitCommitment(dbCommitment, remainingAmount)
                if respondwith.ErrorText(w, err) {
                        return
                }
                relatedCommitmentIDs = append(relatedCommitmentIDs, remainingCommitment.ID)
                err = tx.Insert(&remainingCommitment)
                if respondwith.ErrorText(w, err) {
                        return
                }
                auditEvent.Commitments = append(auditEvent.Commitments,
                        p.convertCommitmentToDisplayForm(remainingCommitment, sourceLoc, token),
                )
        }

        convertedCommitment, err := p.buildConvertedCommitment(dbCommitment, targetAZResourceID, conversionAmount)
        if respondwith.ErrorText(w, err) {
                return
        }
        relatedCommitmentIDs = append(relatedCommitmentIDs, convertedCommitment.ID)
        err = tx.Insert(&convertedCommitment)
        if respondwith.ErrorText(w, err) {
                return
        }

        // supersede the original commitment
        now := p.timeNow()
        supersedeContext := db.CommitmentWorkflowContext{
                Reason:               db.CommitmentReasonConvert,
                RelatedCommitmentIDs: relatedCommitmentIDs,
        }
        buf, err := json.Marshal(supersedeContext)
        if respondwith.ErrorText(w, err) {
                return
        }
        dbCommitment.State = db.CommitmentStateSuperseded
        dbCommitment.SupersededAt = &now
        dbCommitment.SupersedeContextJSON = liquids.PointerTo(json.RawMessage(buf))
        _, err = tx.Update(&dbCommitment)
        if respondwith.ErrorText(w, err) {
                return
        }

        err = tx.Commit()
        if respondwith.ErrorText(w, err) {
                return
        }

        c := p.convertCommitmentToDisplayForm(convertedCommitment, targetLoc, token)
        auditEvent.Commitments = append([]limesresources.Commitment{c}, auditEvent.Commitments...)
        auditEvent.WorkflowContext = &db.CommitmentWorkflowContext{
                Reason:               db.CommitmentReasonSplit,
                RelatedCommitmentIDs: []db.ProjectCommitmentID{dbCommitment.ID},
        }
        p.auditor.Record(audittools.Event{
                Time:       p.timeNow(),
                Request:    r,
                User:       token,
                ReasonCode: http.StatusAccepted,
                Action:     cadf.UpdateAction,
                Target:     auditEvent,
        })

        respondwith.JSON(w, http.StatusAccepted, map[string]any{"commitment": c})
}

func (p *v1Provider) getCommitmentConversionRate(source, target core.ResourceBehavior) (fromAmount, toAmount uint64) {
        divisor := GetGreatestCommonDivisor(source.CommitmentConversion.Weight, target.CommitmentConversion.Weight)
        fromAmount = target.CommitmentConversion.Weight / divisor
        toAmount = source.CommitmentConversion.Weight / divisor
        return fromAmount, toAmount
}

// ExtendCommitmentDuration handles POST /v1/domains/{domain_id}/projects/{project_id}/commitments/{commitment_id}/update-duration
func (p *v1Provider) UpdateCommitmentDuration(w http.ResponseWriter, r *http.Request) {
        httpapi.IdentifyEndpoint(r, "/v1/domains/:domain_id/projects/:project_id/commitments/:commitment_id/update-duration")
        token := p.CheckToken(r)
        if !token.Require(w, "project:edit") {
                return
        }
        commitmentID := mux.Vars(r)["commitment_id"]
        if commitmentID == "" {
                http.Error(w, "no transfer token provided", http.StatusBadRequest)
                return
        }
        dbDomain := p.FindDomainFromRequest(w, r)
        if dbDomain == nil {
                return
        }
        dbProject := p.FindProjectFromRequest(w, r, dbDomain)
        if dbProject == nil {
                return
        }
        var Request struct {
                Duration limesresources.CommitmentDuration `json:"duration"`
        }
        req := Request
        if !RequireJSON(w, r, &req) {
                return
        }

        var dbCommitment db.ProjectCommitment
        err := p.DB.SelectOne(&dbCommitment, findProjectCommitmentByIDQuery, commitmentID, dbProject.ID)
        if errors.Is(err, sql.ErrNoRows) {
                http.Error(w, "no such commitment", http.StatusNotFound)
                return
        } else if respondwith.ErrorText(w, err) {
                return
        }

        now := p.timeNow()
        if dbCommitment.ExpiresAt.Before(now) || dbCommitment.ExpiresAt.Equal(now) {
                http.Error(w, "unable to process expired commitment", http.StatusForbidden)
                return
        }

        if dbCommitment.State == db.CommitmentStateSuperseded {
                msg := fmt.Sprintf("unable to operate on commitment with a state of %s", dbCommitment.State)
                http.Error(w, msg, http.StatusForbidden)
                return
        }

        var loc core.AZResourceLocation
        err = p.DB.QueryRow(findProjectAZResourceLocationByIDQuery, dbCommitment.AZResourceID).
                Scan(&loc.ServiceType, &loc.ResourceName, &loc.AvailabilityZone)
        if errors.Is(err, sql.ErrNoRows) {
                // defense in depth: this should not happen because all the relevant tables are connected by FK constraints
                http.Error(w, "no route to this commitment", http.StatusNotFound)
                return
        } else if respondwith.ErrorText(w, err) {
                return
        }
        behavior := p.Cluster.BehaviorForResource(loc.ServiceType, loc.ResourceName)
        if !slices.Contains(behavior.CommitmentDurations, req.Duration) {
                msg := fmt.Sprintf("provided duration: %s does not match the config %v", req.Duration, behavior.CommitmentDurations)
                http.Error(w, msg, http.StatusUnprocessableEntity)
                return
        }

        newExpiresAt := req.Duration.AddTo(unwrapOrDefault(dbCommitment.ConfirmBy, dbCommitment.CreatedAt))
        if newExpiresAt.Before(dbCommitment.ExpiresAt) {
                msg := fmt.Sprintf("duration change from %s to %s forbidden", dbCommitment.Duration, req.Duration)
                http.Error(w, msg, http.StatusForbidden)
                return
        }

        dbCommitment.Duration = req.Duration
        dbCommitment.ExpiresAt = newExpiresAt
        _, err = p.DB.Update(&dbCommitment)
        if respondwith.ErrorText(w, err) {
                return
        }

        c := p.convertCommitmentToDisplayForm(dbCommitment, loc, token)
        p.auditor.Record(audittools.Event{
                Time:       p.timeNow(),
                Request:    r,
                User:       token,
                ReasonCode: http.StatusOK,
                Action:     cadf.UpdateAction,
                Target: commitmentEventTarget{
                        DomainID:    dbDomain.UUID,
                        DomainName:  dbDomain.Name,
                        ProjectID:   dbProject.UUID,
                        ProjectName: dbProject.Name,
                        Commitments: []limesresources.Commitment{c},
                },
        })

        respondwith.JSON(w, http.StatusOK, map[string]any{"commitment": c})
}

sapcc / limes / 14023639065

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous