Update horizon tests to use the RBAC new roles

Horizon openstack dashboard rest API unit tests only
pass the project_id to oslo.policy to vrify the service
policy rule RBAC. This was passing till now as services
allow 'owner' (which only check project_id) to pass
the policy checks.

As per new RBAC, project_id is not enough and proper
role should be passed. For example 'owner' means in new
RBAC is either 'member' or 'reader' role with project_id.

oslo.policy 4.4.0 enable the new RBAC by default
- https://review.opendev.org/c/openstack/releases/+/925032

and requirement change to use the oslo.policy 4.4.0 in
upper-constraints is blocked with the horizon failure
- https://review.opendev.org/c/openstack/requirements/+/925464

This commit fixes the test to use the right role along with
the project_id so that policy rules can be checked correctly.

Needed-By: https://review.opendev.org/c/openstack/requirements/+/925464
Change-Id: I840996fd2635bca853da02c630a7ab3761576821

openstack_auth/policy.py

@@ -199,11 +199,21 @@ def check(actions, request, target=None):
     # the service APIs will correct us if we are too permissive.
     if target.get('project_id') is None:
         target['project_id'] = user.project_id
+    # (gmann): Keystone use some of the policy rule as
+    # 'target.project.id' so we need to set the project.id
+    # attribute also.
+    if target.get('project.id') is None:
+        target['project.id'] = user.project_id
     if target.get('tenant_id') is None:
         target['tenant_id'] = target['project_id']
     # same for user_id
     if target.get('user_id') is None:
         target['user_id'] = user.id
+    # (gmann): Keystone use some of the policy rule as
+    # 'target.user.id' so we need to set the user.id
+    # attribute also.
+    if target.get('user.id') is None:
+        target['user.id'] = user.id
 
     domain_id_keys = [
         'domain_id',

openstack_dashboard/test/helpers.py

@@ -236,7 +236,9 @@ class TestCase(horizon_helpers.TestCase):
             'user_domain_name': self.domain.name,
             'tenant_id': self.tenant.id,
             'service_catalog': self.service_catalog,
-            'authorized_tenants': tenants
+            'authorized_tenants': tenants,
+            'roles': [{'id': '2', 'name': 'member'},
+                      {'id': '3', 'name': 'reader'}]
         }
         base_kwargs.update(kwargs)
         self.setActiveUser(**base_kwargs)
@@ -462,6 +464,8 @@ class BaseAdminViewTests(TestCase):
     def setActiveUser(self, *args, **kwargs):
         if "roles" not in kwargs:
             kwargs['roles'] = [self.roles.admin._info]
+        else:
+            kwargs['roles'].append(self.roles.admin._info)
         super().setActiveUser(*args, **kwargs)
 
     def setSessionValues(self, **kwargs):
@@ -556,6 +560,8 @@ class SeleniumAdminTestCase(SeleniumTestCase):
     def setActiveUser(self, *args, **kwargs):
         if "roles" not in kwargs:
             kwargs['roles'] = [self.roles.admin._info]
+        else:
+            kwargs['roles'].append(self.roles.admin._info)
         super().setActiveUser(*args, **kwargs)
 
 

openstack_dashboard/test/unit/api/rest/test_policy.py

@@ -86,6 +86,10 @@ class AdminPolicyRestTestCase(test.BaseAdminViewTests):
         super().setUp()
         mock.patch('horizon.utils.http.is_ajax', return_value=True).start()
 
+    def _setup_user(self, **kwargs):
+        kwargs.update({'roles': [{'name': 'admin'}]})
+        super()._setup_user(**kwargs)
+
     @override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check')
     def test_rule_with_target(self):
         body = json.dumps(