From ce46629661322915082ece2710bf36c46b13a15a Mon Sep 17 00:00:00 2001
From: Steven Hardy
Date: Tue, 5 Jan 2016 22:41:05 +0000
Subject: [PATCH] Populate context roles when using stored context

Currently we leave the context roles empty when loading the stored context, even though there are roles associated with e.g the trust scoped token used via loading the stored context. Loading the auth ref and populating the roles from the token ensure any RBAC performed on the context roles will work as expected.

Change-Id: I7d699bcf947940357a6eb6ae2d17027ec8d6bd04
Closes-Bug: #1529354
---
 heat/common/heat_keystoneclient.py | 4 ++++
 heat/engine/stack.py | 2 ++
 heat/tests/fakes.py | 16 +++++++++++++++-
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/heat/common/heat_keystoneclient.py b/heat/common/heat_keystoneclient.py
index 04a417c43c..973c6224e3 100644
--- a/heat/common/heat_keystoneclient.py
+++ b/heat/common/heat_keystoneclient.py
@@ -554,6 +554,10 @@ class KeystoneClientV3(object):
 def auth_token(self):
 return self.context.auth_plugin.get_token(self.session)
 
+ @property
+ def auth_ref(self):
+ return self.context.auth_plugin.get_access(self.session)
+
 
 class KeystoneClient(object):
 """Keystone Auth Client.
diff --git a/heat/engine/stack.py b/heat/engine/stack.py
index 738b4d736c..be19afe4bf 100644
--- a/heat/engine/stack.py
+++ b/heat/engine/stack.py
@@ -191,6 +191,8 @@ class Stack(collections.Mapping):
 if use_stored_context:
 self.context = self.stored_context()
+ self.context.roles = self.context.clients.client(
+ 'keystone').auth_ref.role_names
 self.clients = self.context.clients
diff --git a/heat/tests/fakes.py b/heat/tests/fakes.py
index 15c9e7d244..60bb4c6c55 100644
--- a/heat/tests/fakes.py
+++ b/heat/tests/fakes.py
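Review bot: The new `auth_ref` property on KeystoneClientV3 has no docstring, and its name reads like a cached attribute while every access calls `self.context.auth_plugin.get_access(self.session)`, which for a keystoneclient identity plugin may re-authenticate against keystone when the cached token is expiring. A one-line docstring would set expectations: `"""Return the AccessInfo for the current token (may re-authenticate against keystone)."""`. Callers that read several fields of the result should bind it once rather than re-reading the property. The enclosing KeystoneClientV3 class continues outside the hunk.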
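Review bot: The role lookup added after `self.context = self.stored_context()` performs a keystone authentication (the `auth_ref` property calls `get_access` on the stored context's auth plugin) inside `Stack.__init__` for every stack loaded with use_stored_context, so a keystone outage or an expired or revoked trust now surfaces as an exception from the constructor; it is worth confirming that the Stack.load callers tolerate that. The intent of the assignment is not obvious from the code, so a comment is warranted, e.g. `# Roles are not persisted with the stored context; take them from the (trust-scoped) token so RBAC checks on this context see the delegated roles.` Note that these are the roles carried by the trust-scoped token rather than the original requester's, which is intended per the commit message but should be stated at the site. `__init__` begins and ends outside the hunk.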
@@ -94,7 +94,7 @@ class FakeKeystoneClient(object):
 def __init__(self, username='test_username', password='password',
 user_id='1234', access='4567', secret='8901',
 credential_id='abcdxyz', auth_token='abcd1234',
- context=None, stack_domain_id='4321'):
+ context=None, stack_domain_id='4321', roles=None):
 self.username = username
 self.password = password
 self.user_id = user_id
@@ -106,6 +106,7 @@ class FakeKeystoneClient(object):
 self.context = context
 self.v3_endpoint = 'http://localhost:5000/v3'
 self.stack_domain_id = stack_domain_id
+ self.roles = roles or []
 
 class FakeCred(object):
 id = self.credential_id
@@ -191,6 +192,19 @@ class FakeKeystoneClient(object):
 else:
 return self.token
 
+ @property
+ def auth_ref(self):
+ return FakeAccessInfo(roles=self.roles)
+
+
+class FakeAccessInfo(object):
+ def __init__(self, roles):
+ self.roles = roles
+
+ @property
+ def role_names(self):
+ return self.roles
+
 
 class FakeEventSink(object):