Add RBAC tests for identity v3 project tags

This PS adds RBAC tests for the identity v3 project tags
API [0], whose policies can be found here: [1]. The
corresponding Tempest client is implemented in [2].

[0] https://developer.openstack.org/api-ref/identity/v3/index.html#project-tags
[1] https://github.com/openstack/keystone/blob/19f9937e98473e4fab9f4ee5c86b23a2eaacfe0f/keystone/common/policies/project.py#L98-161
[2] Iec6b34c10ea1bd7103720c773b48ce130643115d

Depends-On: Iad6b3a88639bb4a0dc3aea5af2ba0162dfa19f96
Change-Id: I6024fbe89d3d8f673be223bd5a07b1068be12034
diff --git a/patrole_tempest_plugin/tests/api/identity/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/rbac_base.py
index 5124f52..90fa6aa 100644
--- a/patrole_tempest_plugin/tests/api/identity/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/rbac_base.py
@@ -127,16 +127,17 @@
         cls.endpoint_groups_client = cls.os_primary.endpoint_groups_client
         cls.groups_client = cls.os_primary.groups_client
         cls.identity_client = cls.os_primary.identity_v3_client
+        cls.oauth_token_client = cls.os_primary.oauth_token_client
         cls.projects_client = cls.os_primary.projects_client
+        cls.project_tags_client = cls.os_primary.project_tags_client
         cls.policies_client = cls.os_primary.policies_client
         cls.regions_client = cls.os_primary.regions_client
         cls.role_assignments_client = cls.os_primary.role_assignments_client
         cls.roles_client = cls.os_primary.roles_v3_client
         cls.services_client = cls.os_primary.identity_services_v3_client
+        cls.token_client = cls.os_primary.token_v3_client
         cls.trusts_client = cls.os_primary.trusts_client
         cls.users_client = cls.os_primary.users_v3_client
-        cls.oauth_token_client = cls.os_primary.oauth_token_client
-        cls.token_client = cls.os_primary.token_v3_client
 
     @classmethod
     def resource_setup(cls):
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_project_tags_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_project_tags_rbac.py
new file mode 100644
index 0000000..d3d84b6
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_project_tags_rbac.py
@@ -0,0 +1,87 @@
+# Copyright 2018 AT&T Corporation.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.identity import rbac_base
+
+
+class ProjectTagsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
+
+    @classmethod
+    def resource_setup(cls):
+        super(ProjectTagsV3RbacTest, cls).resource_setup()
+        cls.project_id = cls.setup_test_project()['id']
+
+    def tearDown(self):
+        self.project_tags_client.delete_all_project_tags(self.project_id)
+        super(ProjectTagsV3RbacTest, self).tearDown()
+
+    @decorators.idempotent_id('acbd7b2d-0a4d-4990-9fab-eccad69d4238')
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:create_project_tag")
+    def test_update_project_tag(self):
+        tag = data_utils.rand_name(self.__class__.__name__ + '-Tag')
+        with self.rbac_utils.override_role(self):
+            self.project_tags_client.update_project_tag(self.project_id, tag)
+
+    @decorators.idempotent_id('e122d7d1-bb6d-43af-b489-afa8c609b9ae')
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:list_project_tags")
+    def test_list_project_tags(self):
+        with self.rbac_utils.override_role(self):
+            self.project_tags_client.list_project_tags(self.project_id)
+
+    @decorators.idempotent_id('716f9081-4626-4594-a82c-e7dc037464ac')
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:update_project_tags")
+    def test_update_all_project_tags(self):
+        tags = [
+            data_utils.rand_name(self.__class__.__name__ + '-Tag')
+            for _ in range(2)
+        ]
+        with self.rbac_utils.override_role(self):
+            self.project_tags_client.update_all_project_tags(
+                self.project_id, tags)
+
+    @decorators.idempotent_id('974cb1da-d7d4-4863-99da-4a3f0c801729')
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:get_project_tag")
+    def test_check_project_tag_existence(self):
+        tag = data_utils.rand_name(self.__class__.__name__ + '-Tag')
+        self.project_tags_client.update_project_tag(self.project_id, tag)
+
+        with self.rbac_utils.override_role(self):
+            self.project_tags_client.check_project_tag_existence(
+                self.project_id, tag)
+
+    @decorators.idempotent_id('ffe0c8e1-f9eb-43c5-8097-1e938fc08e07')
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:delete_project_tag")
+    def test_delete_project_tag(self):
+        tag = data_utils.rand_name(self.__class__.__name__ + '-Tag')
+        self.project_tags_client.update_project_tag(self.project_id, tag)
+
+        with self.rbac_utils.override_role(self):
+            self.project_tags_client.delete_project_tag(self.project_id, tag)
+
+    @decorators.idempotent_id('94d0ef63-e9e3-4287-9c5e-bd5464467d77')
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:delete_project_tags")
+    def test_delete_all_project_tags(self):
+        with self.rbac_utils.override_role(self):
+            self.project_tags_client.delete_all_project_tags(self.project_id)