Don't crash on RoleCheck when roles not present

Gracefully handle the case where RoleCheck gets invoked with
credentials that do not have a roles list defined (ie, when using an
unscoped keystone token).

Change-Id: Ib6c2fb749a0eddfe3e5150e470f05ae9d77d55cc
Closes-Bug: #1529721

oslo_policy/_checks.py

@@ -218,7 +218,9 @@ class RoleCheck(Check):
             # While doing RoleCheck if key not
             # present in Target return false
             return False
-        return match.lower() in [x.lower() for x in creds['roles']]
+        if 'roles' in creds:
+            return match.lower() in [x.lower() for x in creds['roles']]
+        return False
 
 
 @register('http')

oslo_policy/tests/test_checks.py

@@ -92,6 +92,11 @@ class RoleCheckTestCase(base.PolicyBaseTestCase):
         target_dict = dict(target=dict(role=dict()))
         self.assertFalse(check(target_dict, cred_dict, self.enforcer))
 
+    def test_no_roles_case(self):
+        check = _checks.RoleCheck('role', 'spam')
+
+        self.assertFalse(check({}, {}, self.enforcer))
+
 
 class HttpCheckTestCase(base.PolicyBaseTestCase):