From fdb7b51799feefcfc830929fab1cf28f7c8204a8 Mon Sep 17 00:00:00 2001
From: Michael Johnson
Date: Sat, 12 Mar 2022 00:33:09 +0000
Subject: [PATCH] Expand Designate RBAC testing - Zone Abandon

This patch adds RBAC testing for allowed and disallowed credentials. This is one of a series of patches adding testing. This patch covers the zone abandon API.

Change-Id: Ic4822155a1402cc8585da4d12e8b2465bea75dad
---
 .../tests/api/v2/test_zone_tasks.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/designate_tempest_plugin/tests/api/v2/test_zone_tasks.py b/designate_tempest_plugin/tests/api/v2/test_zone_tasks.py
index db6541ea..70a2e776 100644
--- a/designate_tempest_plugin/tests/api/v2/test_zone_tasks.py
+++ b/designate_tempest_plugin/tests/api/v2/test_zone_tasks.py
@@ -61,7 +61,8 @@ class BaseZonesTest(base.BaseDnsV2Test):
 class ZoneTasks(BaseZonesTest):
- credentials = ["primary", "alt", "admin", "system_admin"]
+ credentials = ["primary", "alt", "admin", "system_admin", "system_reader",
+ "project_member", "project_reader"]
 @classmethod
 def setup_credentials(cls):
@@ -98,6 +99,17 @@ class ZoneTasks(BaseZonesTest):
 LOG.info('Check that the zone was created on Nameserver/BIND')
 waiters.wait_for_query(self.query_client, pr_zone['name'], "SOA")
+ # Test RBAC
+ expected_allowed = ['os_admin']
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed.append('os_system_admin')
+
+ self.check_CUD_RBAC_enforcement(
+ 'ZonesClient', 'abandon_zone', expected_allowed, False,
+ pr_zone['id'],
+ headers={'x-auth-sudo-project-id': pr_zone['project_id']})
+
+ # Test abandoning the zone
 LOG.info('Abandon a zone')
 self.admin_client.abandon_zone(
 pr_zone['id'],
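Review bot: Every credential exercised by the `check_CUD_RBAC_enforcement` call in the second hunk sends `x-auth-sudo-project-id`, so a rejection of the non-admin roles may come from the handling of that header rather than from the `abandon_zone` policy itself. The helper and the policy definitions are outside this hunk, so that needs confirming. If it holds, the check would still pass with an over-permissive abandon rule, and an additional pass without the header for the zone owner's credential would cover the policy directly. Abandon is destructive and the explicit `self.admin_client.abandon_zone(...)` call follows immediately, so the block should state whether the helper invokes the call with allowed credentials, e.g. `# RBAC helper only exercises denied credentials; zone still exists here` if that is what it does. The bare positional `False` would also read better with a short comment naming the helper parameter it sets; the test method starts before the hunk and continues past it.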