commit ef021cb82e78cd3c1d84a1d58d60e73224ab2a5e
author Michael Johnson <johnsomor@gmail.com> Fri Mar 11 23:32:28 2022 +0000
committer Michael Johnson <johnsomor@gmail.com> Wed May 25 22:27:42 2022 +0000
tree c4813c7e0a313b205f10f647c38d3d31477703c2
parent 0fbbccdfd4d004e49aa41e5f2d3ebb2b710e03f9

Expand Designate RBAC testing - Service Statuses

This patch adds RBAC testing for allowed and disallowed credentials.
This is one of a series of patches adding testing. This patch covers the
service statuses API.

Change-Id: Ia9c474edb7e936a507b20cc4692fe72141997798

designate_tempest_plugin/tests/api/v2/test_service_statuses.py

diff --git a/designate_tempest_plugin/tests/api/v2/test_service_statuses.py b/designate_tempest_plugin/tests/api/v2/test_service_statuses.py
index bee364e..c1f634b 100644
--- a/designate_tempest_plugin/tests/api/v2/test_service_statuses.py
+++ b/designate_tempest_plugin/tests/api/v2/test_service_statuses.py
@@ -26,7 +26,8 @@
 
 class ServiceStatusAdmin(base.BaseDnsV2Test):
 
-    credentials = ["admin", "system_admin"]
+    credentials = ["primary", "admin", "system_admin", "system_reader", "alt",
+                   "project_reader", "project_member"]
 
     mandatory_services = ['central', 'mdns', 'worker', 'producer']
     service_status_fields = [
@@ -71,6 +72,15 @@
             "Failed, not all listed services are in UP status, "
             "services: {}".format(services_statuses_tup))
 
+        # Test RBAC
+        if CONF.dns_feature_enabled.enforce_new_defaults:
+            expected_allowed = ['os_system_admin', 'os_system_reader']
+        else:
+            expected_allowed = ['os_admin']
+
+        self.check_list_show_RBAC_enforcement(
+            'ServiceClient', 'list_statuses', expected_allowed, False)
+
     @decorators.idempotent_id('fce0f704-c0ae-11ec-8213-201e8823901f')
     def test_admin_show_service_status(self):