Merge "Make API fixture pass roles"

nova/tests/fixtures/nova.py

@@ -958,6 +958,11 @@ class OSAPIFixture(fixtures.Fixture):
     - resp.content - the body of the response
     - resp.headers - dictionary of HTTP headers returned
 
+    This fixture also has the following clients with various differences:
+
+        self.admin_api - Project user with is_admin=True and the "admin" role
+        self.reader_api - Project user with only the "reader" role
+        self.other_api - Project user with only the "other" role
     """
 
     def __init__(
@@ -1021,9 +1026,17 @@ class OSAPIFixture(fixtures.Fixture):
             base_url += '/' + self.project_id
 
         self.api = client.TestOpenStackClient(
-            'fake', base_url, project_id=self.project_id)
+            'fake', base_url, project_id=self.project_id,
+            roles=['reader', 'member'])
         self.admin_api = client.TestOpenStackClient(
-            'admin', base_url, project_id=self.project_id)
+            'admin', base_url, project_id=self.project_id,
+            roles=['reader', 'member', 'admin'])
+        self.reader_api = client.TestOpenStackClient(
+            'reader', base_url, project_id=self.project_id,
+            roles=['reader'])
+        self.other_api = client.TestOpenStackClient(
+            'other', base_url, project_id=self.project_id,
+            roles=['other'])
         # Provide a way to access the wsgi application to tests using
         # the fixture.
         self.app = app
@@ -1040,8 +1053,9 @@ class OSAPIFixture(fixtures.Fixture):
             user_id = env['HTTP_X_AUTH_USER']
             project_id = env['HTTP_X_AUTH_PROJECT_ID']
             is_admin = user_id == 'admin'
+            roles = env['HTTP_X_ROLES'].split(',')
             return context.RequestContext(
-                user_id, project_id, is_admin=is_admin, **kwargs)
+                user_id, project_id, is_admin=is_admin, roles=roles, **kwargs)
 
         self.useFixture(fixtures.MonkeyPatch(
             'nova.api.auth.NovaKeystoneContext._create_context', fake_ctx))

nova/tests/functional/api/client.py

@@ -123,9 +123,12 @@ class TestOpenStackClient(object):
     This is a really basic OpenStack API client that is under our control,
     so we can make changes / insert hooks for testing
 
+    By default, no roles are implied and must be passed like
+    roles=['reader', 'member'] in order for the user to have
+    privileges on the project, just like in a real deployment.
     """
 
-    def __init__(self, auth_user, base_url, project_id=None):
+    def __init__(self, auth_user, base_url, project_id=None, roles=None):
         super(TestOpenStackClient, self).__init__()
         self.auth_user = auth_user
         self.base_url = base_url
@@ -134,6 +137,7 @@ class TestOpenStackClient(object):
         else:
             self.project_id = project_id
         self.microversion = None
+        self.roles = roles or []
 
     def request(self, url, method='GET', body=None, headers=None):
         _headers = {'Content-Type': 'application/json'}
@@ -169,6 +173,7 @@ class TestOpenStackClient(object):
         headers.setdefault('X-Auth-User', self.auth_user)
         headers.setdefault('X-User-Id', self.auth_user)
         headers.setdefault('X-Auth-Project-Id', self.project_id)
+        headers.setdefault('X-Roles', ','.join(self.roles))
 
         response = self.request(full_uri, **kwargs)