Expand Designate RBAC testing - Quotas

This patch adds RBAC testing for allowed and disallowed credentials.
This is one of a series of patches adding testing. This patch covers the
quotas API.

Depends-On: https://review.opendev.org/c/openstack/designate/+/834975
Change-Id: If65926433b64316adba5fb29ec945b84de77951f
diff --git a/designate_tempest_plugin/tests/api/v2/test_quotas.py b/designate_tempest_plugin/tests/api/v2/test_quotas.py
index d7b86fa..83b9fdd 100644
--- a/designate_tempest_plugin/tests/api/v2/test_quotas.py
+++ b/designate_tempest_plugin/tests/api/v2/test_quotas.py
@@ -29,7 +29,8 @@
 
 class QuotasV2Test(base.BaseDnsV2Test):
 
-    credentials = ["primary", "admin", "system_admin", "alt"]
+    credentials = ["primary", "admin", "system_admin", "system_reader", "alt",
+                   "project_member", "project_reader"]
 
     @classmethod
     def setup_credentials(cls):
@@ -90,10 +91,28 @@
                     'Failed, the value of:{} is:{}, expected integer'.format(
                         quota_type, quota_value))
 
+        expected_allowed = ['os_admin', 'os_primary', 'os_alt']
+        if CONF.dns_feature_enabled.enforce_new_defaults:
+            expected_allowed.extend(['os_system_admin', 'os_system_reader',
+                                     'os_project_member', 'os_project_reader'])
+
+        self.check_list_show_with_ID_RBAC_enforcement(
+            'QuotasClient', 'show_quotas', expected_allowed, False)
+
     @decorators.idempotent_id('0448b089-5803-4ce3-8a6c-5c15ff75a2cc')
     def test_reset_quotas(self):
         self._store_quotas(project_id=self.quotas_client.project_id)
+
         LOG.info("Deleting (reset) quotas")
+
+        expected_allowed = ['os_admin']
+        if CONF.dns_feature_enabled.enforce_new_defaults:
+            expected_allowed.extend(['os_system_admin'])
+
+        self.check_CUD_RBAC_enforcement(
+            'QuotasClient', 'delete_quotas', expected_allowed, False,
+            project_id=self.quotas_client.project_id)
+
         body = self.admin_client.delete_quotas(
             project_id=self.quotas_client.project_id,
             headers=self.all_projects_header)[1]
@@ -103,16 +122,21 @@
 
     @decorators.idempotent_id('76d24c87-1b39-4e19-947c-c08e1380dc61')
     def test_update_quotas(self):
-        if CONF.enforce_scope.designate:
-            raise self.skipException(
-                "System scoped tokens do not have a project_id.")
-
-        self._store_quotas(project_id=self.admin_client.project_id)
+        self._store_quotas(project_id=self.quotas_client.project_id)
         LOG.info("Updating quotas")
         quotas = dns_data_utils.rand_quotas()
         body = self.admin_client.update_quotas(
-            project_id=self.admin_client.project_id,
-            **quotas)[1]
+            project_id=self.quotas_client.project_id,
+            **quotas, headers=self.all_projects_header)[1]
+
+        expected_allowed = ['os_admin']
+        if CONF.dns_feature_enabled.enforce_new_defaults:
+            expected_allowed.extend(['os_system_admin'])
+
+        self.check_CUD_RBAC_enforcement(
+            'QuotasClient', 'update_quotas', expected_allowed, False,
+            project_id=self.quotas_client.project_id,
+            **quotas, headers=self.all_projects_header)
 
         LOG.info("Ensuring the response has all quota types")
         self.assertExpected(quotas, body, [])
diff --git a/designate_tempest_plugin/tests/rbac_utils.py b/designate_tempest_plugin/tests/rbac_utils.py
index a0148bb..fa66410 100644
--- a/designate_tempest_plugin/tests/rbac_utils.py
+++ b/designate_tempest_plugin/tests/rbac_utils.py
@@ -33,8 +33,15 @@
         method = getattr(client_obj, method_str)
         return method
 
+    def _get_client_project_id(self, cred_obj, client_str):
+        """Get project ID for the credential."""
+        dns_clients = getattr(cred_obj, 'dns_v2')
+        client = getattr(dns_clients, client_str)
+        client_obj = client()
+        return client_obj.project_id
+
     def _check_allowed(self, client_str, method_str, allowed_list,
-                       *args, **kwargs):
+                       with_project, *args, **kwargs):
         """Test an API call allowed RBAC enforcement.
 
         :param client_str: The service client to use for the test, without the
@@ -43,6 +50,7 @@
                            Example: 'list_zones'
         :param allowed_list: The list of credentials expected to be
                              allowed.  Example: ['primary'].
+        :param with_project: When true, pass the project ID to the call.
         :param args: Any positional parameters needed by the method.
         :param kwargs: Any named parameters needed by the method.
         :raises AssertionError: Raised if the RBAC tests fail.
@@ -69,8 +77,12 @@
                               'credentials setup. This is likely a bug in the '
                               'test.'.format(cred))
             method = self._get_client_method(cred_obj, client_str, method_str)
+            project_id = self._get_client_project_id(cred_obj, client_str)
             try:
-                method(*args, **kwargs)
+                if with_project:
+                    method(project_id, *args, **kwargs)
+                else:
+                    method(*args, **kwargs)
             except exceptions.Forbidden as e:
                 self.fail('Method {}.{} failed to allow access via RBAC using '
                           'credential {}. Error: {}'.format(
@@ -81,7 +93,7 @@
                               client_str, method_str, cred, str(e)))
 
     def _check_disallowed(self, client_str, method_str, allowed_list,
-                          expect_404, *args, **kwargs):
+                          expect_404, with_project, *args, **kwargs):
         """Test an API call disallowed RBAC enforcement.
 
         :param client_str: The service client to use for the test, without the
@@ -91,6 +103,7 @@
         :param allowed_list: The list of credentials expected to be
                              allowed.  Example: ['primary'].
         :param expect_404: When True, 404 responses are considered ok.
+        :param with_project: When true, pass the project ID to the call.
         :param args: Any positional parameters needed by the method.
         :param kwargs: Any named parameters needed by the method.
         :raises AssertionError: Raised if the RBAC tests fail.
@@ -105,6 +118,7 @@
         for cred in expected_disallowed:
             cred_obj = getattr(self, cred)
             method = self._get_client_method(cred_obj, client_str, method_str)
+            project_id = self._get_client_project_id(cred_obj, client_str)
 
             # Unfortunately tempest uses testtools assertRaises[1] which means
             # we cannot use the unittest assertRaises context[2] with msg= to
@@ -120,7 +134,10 @@
             #     unittest.html#unittest.TestCase.assertRaises
             # [3] https://github.com/testing-cabal/testtools/issues/235
             try:
-                method(*args, **kwargs)
+                if with_project:
+                    method(project_id, *args, **kwargs)
+                else:
+                    method(*args, **kwargs)
             except exceptions.Forbidden:
                 continue
             except exceptions.NotFound:
@@ -158,15 +175,16 @@
 
         # #### Test that disallowed credentials cannot access the API.
         self._check_disallowed(client_str, method_str, allowed_list,
-                               expect_404, *args, **kwargs)
+                               expect_404, False, *args, **kwargs)
 
         # #### Test that allowed credentials can access the API.
-        self._check_allowed(client_str, method_str, allowed_list,
+        self._check_allowed(client_str, method_str, allowed_list, False,
                             *args, **kwargs)
 
-    def check_CUD_RBAC_enforcement(self, client_str, method_str,
-                                   expected_allowed, *args, **kwargs):
-        """Test an API create/update/delete call RBAC enforcement.
+    def check_list_show_with_ID_RBAC_enforcement(self, client_str, method_str,
+                                                 expected_allowed, expect_404,
+                                                 *args, **kwargs):
+        """Test list or show API call passing the project ID RBAC enforcement.
 
         :param client_str: The service client to use for the test, without the
                            credential.  Example: 'ZonesClient'
@@ -174,6 +192,7 @@
                            Example: 'list_zones'
         :param expected_allowed: The list of credentials expected to be
                                  allowed.  Example: ['primary'].
+        :param expect_404: When True, 404 responses are considered ok.
         :param args: Any positional parameters needed by the method.
         :param kwargs: Any named parameters needed by the method.
         :raises AssertionError: Raised if the RBAC tests fail.
@@ -188,7 +207,39 @@
 
         # #### Test that disallowed credentials cannot access the API.
         self._check_disallowed(client_str, method_str, allowed_list,
-                               *args, **kwargs)
+                               expect_404, True, *args, **kwargs)
+
+        # #### Test that allowed credentials can access the API.
+        self._check_allowed(client_str, method_str, allowed_list, True,
+                            *args, **kwargs)
+
+    def check_CUD_RBAC_enforcement(self, client_str, method_str,
+                                   expected_allowed, expect_404,
+                                   *args, **kwargs):
+        """Test an API create/update/delete call RBAC enforcement.
+
+        :param client_str: The service client to use for the test, without the
+                           credential.  Example: 'ZonesClient'
+        :param method_str: The method on the client to call for the test.
+                           Example: 'list_zones'
+        :param expected_allowed: The list of credentials expected to be
+                                 allowed.  Example: ['primary'].
+        :param expect_404: When True, 404 responses are considered ok.
+        :param args: Any positional parameters needed by the method.
+        :param kwargs: Any named parameters needed by the method.
+        :raises AssertionError: Raised if the RBAC tests fail.
+        :raises Forbidden: Raised if a credential that should have access does
+                           not and is denied.
+        :raises InvalidScope: Raised if a credential that should have the
+                              correct scope for access is denied.
+        :returns: None on success
+        """
+
+        allowed_list = copy.deepcopy(expected_allowed)
+
+        # #### Test that disallowed credentials cannot access the API.
+        self._check_disallowed(client_str, method_str, allowed_list,
+                               expect_404, False, *args, **kwargs)
 
     def check_list_RBAC_enforcement_count(
             self, client_str, method_str, expected_allowed, expected_count,