From 00d85b589a0c2dd70aeeb938986e55fa65271535 Mon Sep 17 00:00:00 2001 From: Pawel Kopiczko Date: Wed, 27 Nov 2024 21:23:35 +0000 Subject: [PATCH] Update test plan for reason.mode feature (#49493) --- .github/ISSUE_TEMPLATE/testplan.md | 12 +++++++++++- ...ionally-require-reason-for-access-request.md | 17 ++++++++--------- 2 files changed, 19 insertions(+), 10 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/testplan.md b/.github/ISSUE_TEMPLATE/testplan.md index f1c391df91b26..7c3a507b43a01 100644 --- a/.github/ISSUE_TEMPLATE/testplan.md +++ b/.github/ISSUE_TEMPLATE/testplan.md 
@@ -1586,12 +1586,22 @@ Docs: [IP Pinning](https://goteleport.com/docs/access-controls/guides/ip-pinning - [ ] Verify that users can run custom audit queries. - [ ] Verify that the Privileged Access Report is generated and periodically refreshed. +- [ ] Access Requests + - [ ] Verify when role.spec.allow.request.reason.mode: "required": + - [ ] CLI fails to create Access Request displaying a message that reason is required. + - [ ] Web UI fails to create Access Request displaying a message that reason is required. + - [ ] Other roles allowing requesting the same resources/roles without reason.mode set or with reason.mode: "optional" don't affect the behaviour. + - [ ] Non-affected resources/roles don't require reason. + - [ ] When there is a role with spec.options.request_access: always it effectively becomes role.spec.options.request_access: reason (i.e.) requires reason: + - [ ] For CLI. + - [ ] For Web UI. + - [ ] Access Lists - [ ] Verify Access List membership/ownership/expiration date. - [ ] Verify permissions granted by Access List membership. - [ ] Verify permissions granted by Access List ownership. - [ ] Verify Access List Review. - - [ ] verify Access LIst Promotion. + - [ ] Verify Access List Promotion. - [ ] Verify that owners can only add/remove members and not change other properties. - [ ] Nested Access Lists - [ ] Verify that Access Lists can be added as members or owners of other Access Lists. diff --git a/rfd/0186-optionally-require-reason-for-access-request.md b/rfd/0186-optionally-require-reason-for-access-request.md index be54f8de828ee..eeca95046737b 100644 --- a/rfd/0186-optionally-require-reason-for-access-request.md +++ b/rfd/0186-optionally-require-reason-for-access-request.md 
@@ -334,15 +334,14 @@ reason` in any of the roles. The IGS section of the test plan needs to be extended with these items: - [ ] Access Requests - - [ ] Verify when `role.spec.allow.request.reason.mode: "rquired"`: - - [ ] Web UI displays user-friendly error when reason is not provided - - [ ] CLI fails to create an access request when reason is not provided - - [ ] Other roles allowing requesting the same resources/roles without - `reason.required` set or with `reason.required: false` don't affect - the behaviour. - - [ ] Non-affected resources/roles don't require reason. - - [ ] When there is a role with `spec.options.request_access: always` - it effectively becomes `role.spec.options.request_access: reason` + - [ ] Verify when role.spec.allow.request.reason.mode: "required": + - [ ] CLI fails to create Access Request displaying a message that reason is required. + - [ ] Web UI fails to create Access Request displaying a message that reason is required. + - [ ] Other roles allowing requesting the same resources/roles without reason.mode set or with reason.mode: "optional" don't affect the behaviour. + - [ ] Non-affected resources/roles don't require reason. + - [ ] When there is a role with spec.options.request_access: always it effectively becomes role.spec.options.request_access: reason (i.e.) requires reason: + - [ ] For CLI. + - [ ] For Web UI. ### References
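Review bot: In the `.github/ISSUE_TEMPLATE/testplan.md` hunk, the last parent item of the new Access Requests block uses two different prefixes for the same option and misplaces the parenthesis: "When there is a role with spec.options.request_access: always it effectively becomes role.spec.options.request_access: reason (i.e.) requires reason:". Suggest using one prefix on both sides (either `role.spec.options.request_access` or `spec.options.request_access`) and writing "(i.e. requires reason)" so the expected outcome for the CLI and Web UI sub-items is unambiguous. The item "Other roles allowing requesting the same resources/roles without reason.mode set or with reason.mode: "optional" don't affect the behaviour" would also be easier to tick off if it named the expected result directly, that is, that the reason is still required.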
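Review bot: In the `rfd/0186-optionally-require-reason-for-access-request.md` hunk, the added lines drop the inline-code backticks that the removed lines had around the field paths, so keys and values such as role.spec.allow.request.reason.mode: "required" and spec.options.request_access: always now read as plain prose in the RFD. Suggest keeping the backticks on the corrected names, for example `role.spec.allow.request.reason.mode: "required"` and `reason.mode: "optional"`, so the typo fix ("rquired") and the rename from `reason.required` to `reason.mode` land without losing the formatting that marks these as literal role fields.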