From edcd2e09989852da94dd1333fcab0eab244d09d7 Mon Sep 17 00:00:00 2001 From: Michael Johnson Date: Fri, 31 Mar 2023 20:57:56 +0000 Subject: Fix sharing a zone with the zone owner There was a bug that allowed users to create a zone share with the zone owner. This would then cause issues deleting the zone share as the zone owner owns the NS and SOA recordsets in the zone. This patch raises a BadRequest if the user attempts to create a zone share for the zone owner. Closes-Bug: #2011585 Change-Id: I1b56c492436821f650d1ba669614d92595d2f476
---
 designate/central/service.py | 4 ++++ designate/tests/test_central/test_service.py | 11 +++++++++++ .../Fix-share-zone-with-zone-owner-31a20c57a65c0cc4.yaml | 4 ++++ 3 files changed, 19 insertions(+) create mode 100644 releasenotes/notes/Fix-share-zone-with-zone-owner-31a20c57a65c0cc4.yaml
diff --git a/designate/central/service.py b/designate/central/service.py
index fa7be5f3..1a87db73 100644
--- a/designate/central/service.py
+++ b/designate/central/service.py
@@ -1209,6 +1209,10 @@ class Service(service.RPCService):
 policy.check('share_zone', context, target)
+ if zone.tenant_id == shared_zone.target_project_id:
+ raise exceptions.BadRequest(
+ 'Cannot share the zone with the zone owner.')
+
 shared_zone['project_id'] = context.project_id
 shared_zone['zone_id'] = zone_id
diff --git a/designate/tests/test_central/test_service.py b/designate/tests/test_central/test_service.py
index 641bac7b..e2d98028 100644
--- a/designate/tests/test_central/test_service.py
+++ b/designate/tests/test_central/test_service.py
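Review bot: The added owner check in designate/central/service.py depends on exact string equality between `zone.tenant_id` and `shared_zone.target_project_id`, and nothing in the hunk shows the caller-supplied target being normalized, so a differently formatted spelling of the owner's project id (different case or surrounding whitespace, for example) would presumably still be accepted and recreate the share that cannot be deleted. If the API layer does not already canonicalize or validate that field, it should be done before this comparison. The check also carries no explanation; a comment such as `# The owner holds the zone's NS and SOA recordsets, so a share targeting the owner cannot be removed cleanly.` would keep it from being dropped in a later refactor. Shares with the owner that were created before this change are not addressed by the patch. The enclosing method starts and ends outside the hunk.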
@@ -3795,6 +3795,17 @@ class CentralServiceTest(CentralTestCase):
 self.assertEqual(context.project_id, shared_zone.project_id)
 self.assertEqual(zone.id, shared_zone.zone_id)
+ def test_share_zone_with_zone_owner(self):
+ # Create a Shared Zone
+ context = self.get_context(project_id='1')
+ zone = self.create_zone(context=context)
+ exc = self.assertRaises(
+ rpc_dispatcher.ExpectedException, self.share_zone,
+ context=context, zone_id=zone.id,
+ target_project_id=zone.tenant_id)
+
+ self.assertEqual(exceptions.BadRequest, exc.exc_info[0])
+
 def test_unshare_zone(self):
 context = self.get_context(project_id='1')
 zone = self.create_zone(context=context)
diff --git a/releasenotes/notes/Fix-share-zone-with-zone-owner-31a20c57a65c0cc4.yaml b/releasenotes/notes/Fix-share-zone-with-zone-owner-31a20c57a65c0cc4.yaml
new file mode 100644
index 00000000..8ddebaa6
--- /dev/null
+++ b/releasenotes/notes/Fix-share-zone-with-zone-owner-31a20c57a65c0cc4.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+ - |
+ Fixed a bug that allowed users to create a zone share for the zone owner.
-- cgit v1.2.1
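Review bot: The comment `# Create a Shared Zone` at the top of `test_share_zone_with_zone_owner` describes the opposite of what the test does; it should read something like `# Sharing a zone with its owner's project must be rejected`. The test asserts only the exception type, so it would still pass if a share record were written before the error is raised; asserting afterwards that the zone has no shares would pin the behaviour the fix is meant to guarantee. The surrounding test class continues outside the hunk.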