Merge "make roles case-insensitive"

glance/common/context.py

@@ -100,7 +100,7 @@ class ContextMiddleware(wsgi.Middleware):
         #NOTE(bcwaldon): X-Roles is a csv string, but we need to parse
         # it into a list to be useful
         roles_header = req.headers.get('X-Roles', '')
-        roles = [r.strip() for r in roles_header.split(',')]
+        roles = [r.strip().lower() for r in roles_header.split(',')]
 
         #NOTE(bcwaldon): This header is deprecated in favor of X-Auth-Token
         deprecated_token = req.headers.get('X-Storage-Token')
@@ -109,7 +109,7 @@ class ContextMiddleware(wsgi.Middleware):
             'user': req.headers.get('X-User-Id'),
             'tenant': req.headers.get('X-Tenant-Id'),
             'roles': roles,
-            'is_admin': CONF.admin_role in roles,
+            'is_admin': CONF.admin_role.strip().lower() in roles,
             'auth_tok': req.headers.get('X-Auth-Token', deprecated_token),
             'owner_is_tenant': CONF.owner_is_tenant,
         }

glance/tests/unit/test_context_middleware.py

@@ -34,7 +34,7 @@ class TestContextMiddleware(base.IsolatedUnitTest):
         self._build_middleware().process_request(req)
         self.assertTrue(req.context.is_admin)
 
-        # without the 'admin' role, is_admin shoud be False
+        # without the 'admin' role, is_admin should be False
         req = self._build_request()
         self._build_middleware().process_request(req)
         self.assertFalse(req.context.is_admin)
@@ -45,6 +45,31 @@ class TestContextMiddleware(base.IsolatedUnitTest):
         self._build_middleware().process_request(req)
         self.assertTrue(req.context.is_admin)
 
+    def test_roles_case_insensitive(self):
+        # accept role from request
+        req = self._build_request(roles=['Admin', 'role2'])
+        self._build_middleware().process_request(req)
+        self.assertTrue(req.context.is_admin)
+
+        # accept role from config
+        req = self._build_request(roles=['role1'])
+        self.config(admin_role='rOLe1')
+        self._build_middleware().process_request(req)
+        self.assertTrue(req.context.is_admin)
+
+    def test_roles_stripping(self):
+        # stripping extra spaces in request
+        req = self._build_request(roles=['\trole1'])
+        self.config(admin_role='role1')
+        self._build_middleware().process_request(req)
+        self.assertTrue(req.context.is_admin)
+
+        # stripping extra spaces in config
+        req = self._build_request(roles=['\trole1\n'])
+        self.config(admin_role=' role1\t')
+        self._build_middleware().process_request(req)
+        self.assertTrue(req.context.is_admin)
+
     def test_anonymous_access_enabled(self):
         req = self._build_request(identity_status='Nope')
         self.config(allow_anonymous_access=True)