Merge "Add string format rendering to RoleCheck.__call__()"

oslo_policy/_checks.py

@@ -212,7 +212,13 @@ class RoleCheck(Check):
     """Check that there is a matching role in the ``creds`` dict."""
 
     def __call__(self, target, creds, enforcer):
-        return self.match.lower() in [x.lower() for x in creds['roles']]
+        try:
+            match = self.match % target
+        except KeyError:
+            # While doing RoleCheck if key not
+            # present in Target return false
+            return False
+        return match.lower() in [x.lower() for x in creds['roles']]
 
 
 @register('http')

oslo_policy/tests/test_checks.py

@@ -72,12 +72,25 @@ class RoleCheckTestCase(base.PolicyBaseTestCase):
     def test_accept(self):
         check = _checks.RoleCheck('role', 'sPaM')
 
-        self.assertTrue(check('target', dict(roles=['SpAm']), self.enforcer))
+        self.assertTrue(check({}, dict(roles=['SpAm']), self.enforcer))
 
     def test_reject(self):
         check = _checks.RoleCheck('role', 'spam')
 
-        self.assertFalse(check('target', dict(roles=[]), self.enforcer))
+        self.assertFalse(check({}, dict(roles=[]), self.enforcer))
+
+    def test_format_value(self):
+        check = _checks.RoleCheck('role', '%(target.role.name)s')
+
+        target_dict = {'target.role.name': 'a'}
+        cred_dict = dict(user='user', roles=['a', 'b', 'c'])
+        self.assertTrue(check(target_dict, cred_dict, self.enforcer))
+
+        target_dict = {'target.role.name': 'd'}
+        self.assertFalse(check(target_dict, cred_dict, self.enforcer))
+
+        target_dict = dict(target=dict(role=dict()))
+        self.assertFalse(check(target_dict, cred_dict, self.enforcer))
 
 
 class HttpCheckTestCase(base.PolicyBaseTestCase):