From e87eca48b7ca265dffa088164d645dbbeea10ace Mon Sep 17 00:00:00 2001
From: Arkady Shtempler <ashtempl@redhat.com>
Date: Mon, 22 Mar 2021 14:35:07 +0200
Subject: [PATCH] Adding 2 new test cases into a zone suite

1) test_show_zone_impersonate_another_project
   Based on: "x-auth-all-projects" HTTP header
   This allows a user to impersonate another project

2) test_list_all_projects_zones
   Based on: "x-auth-all-projects:True"
   If enabled this will show results from all projects in Designate.
   Note: this test case replaced and improved "test_get_other_tenant_zone"
   as it covers more than one single tenant in its test scenario.

Change-Id: I0848299ff9f407aa7918cd12358cad4e17e71e6d
---
 .../services/dns/v2/json/zones_client.py      | 11 ++-
 .../tests/api/v2/test_zones.py                | 84 ++++++++++++++++---
 2 files changed, 81 insertions(+), 14 deletions(-)

diff --git a/designate_tempest_plugin/services/dns/v2/json/zones_client.py b/designate_tempest_plugin/services/dns/v2/json/zones_client.py
index ac360e6f..db039e36 100644
--- a/designate_tempest_plugin/services/dns/v2/json/zones_client.py
+++ b/designate_tempest_plugin/services/dns/v2/json/zones_client.py
@@ -57,23 +57,26 @@ class ZonesClient(base.DnsClientV2Base):
         return resp, body
 
     @base.handle_errors
-    def show_zone(self, uuid, params=None):
+    def show_zone(self, uuid, params=None, headers=None):
         """Gets a specific zone.
         :param uuid: Unique identifier of the zone in UUID format.
         :param params: A Python dict that represents the query paramaters to
                        include in the request URI.
+        :param headers (dict): The headers to use for the request.
         :return: Serialized zone as a dictionary.
         """
-        return self._show_request('zones', uuid, params=params)
+        return self._show_request(
+            'zones', uuid, params=params, headers=headers)
 
     @base.handle_errors
-    def list_zones(self, params=None):
+    def list_zones(self, params=None, headers=None):
         """Gets a list of zones.
         :param params: A Python dict that represents the query paramaters to
                        include in the request URI.
+        :param headers (dict): The headers to use for the request.
         :return: Serialized zones as a list.
         """
-        return self._list_request('zones', params=params)
+        return self._list_request('zones', params=params, headers=headers)
 
     @base.handle_errors
     def delete_zone(self, uuid, params=None):
diff --git a/designate_tempest_plugin/tests/api/v2/test_zones.py b/designate_tempest_plugin/tests/api/v2/test_zones.py
index ee31b9b0..fb8c7fe8 100644
--- a/designate_tempest_plugin/tests/api/v2/test_zones.py
+++ b/designate_tempest_plugin/tests/api/v2/test_zones.py
@@ -19,6 +19,7 @@ from tempest.lib.common.utils import data_utils
 from designate_tempest_plugin import data_utils as dns_data_utils
 from designate_tempest_plugin.tests import base
 
+from designate_tempest_plugin.common import waiters
 LOG = logging.getLogger(__name__)
 
 
@@ -119,7 +120,7 @@ class ZonesTest(BaseZonesTest):
 
 
 class ZonesAdminTest(BaseZonesTest):
-    credentials = ['primary', 'admin']
+    credentials = ['primary', 'admin', 'alt']
 
     @classmethod
     def setup_credentials(cls):
@@ -133,19 +134,82 @@ class ZonesAdminTest(BaseZonesTest):
 
         cls.client = cls.os_primary.zones_client
         cls.admin_client = cls.os_admin.zones_client
+        cls.alt_client = cls.os_alt.zones_client
 
-    @decorators.idempotent_id('6477f92d-70ba-46eb-bd6c-fc50c405e222')
-    def test_get_other_tenant_zone(self):
-        LOG.info('Create a zone as a user')
-        _, zone = self.client.create_zone()
+    @decorators.idempotent_id('f6fe8cce-8b04-11eb-a861-74e5f9e2a801')
+    def test_show_zone_impersonate_another_project(self):
+        LOG.info('Create zone "A" using primary client')
+        zone = self.client.create_zone()[1]
         self.addCleanup(self.wait_zone_delete, self.client, zone['id'])
 
-        LOG.info('Fetch the zone as an admin')
-        _, body = self.admin_client.show_zone(
-            zone['id'], params={'all_projects': True})
+        LOG.info('As Alt tenant show zone created by Primary tenant. '
+                 'Expected: 404 NotFound')
+        self.assertRaises(
+            lib_exc.NotFound, self.alt_client.show_zone, uuid=zone['id'])
 
-        LOG.info('Ensure the fetched response matches the created zone')
-        self.assertExpected(zone, body, self.excluded_keys)
+        LOG.info('As Admin tenant show zone created by Primary tenant. '
+                 'Expected: 404 NotFound')
+        self.assertRaises(
+            lib_exc.NotFound, self.admin_client.show_zone, uuid=zone['id'])
+
+        LOG.info('As Alt tenant show zone created by Primary tenant using '
+                 '"x-auth-sudo-project-id" HTTP header. '
+                 'Expected: 403 Forbidden')
+        self.assertRaises(
+            lib_exc.Forbidden, self.alt_client.show_zone, uuid=None,
+            headers={'x-auth-sudo-project-id': zone['project_id']})
+
+        LOG.info('As Admin user impersonate another project '
+                 '(using "x-auth-sudo-project-id" HTTP header) to show '
+                 'a Primary tenant zone.')
+        body = self.admin_client.show_zone(
+            uuid=None, headers={
+                'x-auth-sudo-project-id': zone['project_id']})[1]
+
+        LOG.info('Ensure the fetched response matches the impersonated'
+                 ' project, it means the ID of a zone "A"')
+        self.assertExpected(zone, body['zones'][0], self.excluded_keys)
+
+    @decorators.idempotent_id('e1cf7104-8b06-11eb-a861-74e5f9e2a801')
+    def test_list_all_projects_zones(self):
+
+        LOG.info('Create zone "A" using Primary client')
+        primary_zone = self.client.create_zone()[1]
+        self.addCleanup(
+            self.wait_zone_delete, self.client, primary_zone['id'])
+        LOG.info('Wait till the zone is ACTIVE')
+        waiters.wait_for_zone_status(
+            self.client, primary_zone['id'], 'ACTIVE')
+
+        LOG.info('Create zone "B" using Alt client')
+        alt_zone = self.alt_client.create_zone()[1]
+        self.addCleanup(
+            self.wait_zone_delete, self.alt_client, alt_zone['id'])
+        LOG.info('Wait till the zone is ACTIVE')
+        waiters.wait_for_zone_status(
+            self.alt_client, alt_zone['id'], 'ACTIVE')
+
+        LOG.info('Create zone "C" using Admin client')
+        admin_zone = self.admin_client.create_zone()[1]
+        self.addCleanup(
+            self.wait_zone_delete, self.admin_client, admin_zone['id'])
+        LOG.info('Wait till the zone is ACTIVE')
+        waiters.wait_for_zone_status(
+            self.admin_client, admin_zone['id'], 'ACTIVE')
+
+        LOG.info('As admin user list all projects zones')
+        body = self.admin_client.list_zones(
+            headers={'x-auth-all-projects': True})[1]['zones']
+        listed_zone_ids = [item['id'] for item in body]
+
+        LOG.info('Ensure the fetched response includes all zone '
+                 'IDs created within the test')
+
+        for id in [primary_zone['id'], alt_zone['id'], admin_zone['id']]:
+            self.assertIn(
+                id, listed_zone_ids,
+                'Failed, id:{} was not found in listed zones:{} '.format(
+                    id, listed_zone_ids))
 
 
 class ZoneOwnershipTest(BaseZonesTest):