policy: Add note about keystone's expansion of roles

The 'HTTP_X_ROLES' header will include both the primary role of the user
and the implied roles. Clarify this in the stub we're using to mock that
out.

Change-Id: I0ab16c3a4d997a0a1f86d75323beaa86979bafa3
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Stephen Finucane 2021-01-27 17:56:30 +00:00
parent 6498534c3b
commit 6805790dda
1 changed files with 7 additions and 0 deletions

@ -49,15 +49,22 @@ class NoAuthMiddleware(Middleware):
token = req.headers['X-Auth-Token']
user_id, _sep, project_id = token.partition(':')
project_id = project_id or user_id
# Real keystone expands and flattens roles to include their implied
# roles, e.g. admin implies member and reader, so tests should include
# this flattened list also
if 'HTTP_X_ROLES' in req.environ.keys():
roles = req.headers['X_ROLES'].split(',')
elif user_id == 'admin':
roles = ['admin']
else:
roles = []
req.headers['X_USER_ID'] = user_id
if not req.headers.get('OPENSTACK_SYSTEM_SCOPE'):
req.headers['X_TENANT_ID'] = project_id
req.headers['X_ROLES'] = ','.join(roles)
return self.application
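
Review bot: The fallback branch `elif user_id == 'admin': roles = ['admin']` still yields an unflattened list, which contradicts the new comment directly above it saying admin implies member and reader. Policy checks written against `member` or `reader` will therefore fail for the stub's default admin user, even though they would pass against real keystone. Either make the default `['admin', 'member', 'reader']`, or reword the comment to say the stub does not expand roles itself and callers must pass the already flattened list in `X_ROLES`. A smaller point on the same lines: the presence check uses `'HTTP_X_ROLES' in req.environ.keys()` while the value is read from `req.headers['X_ROLES']`. Using `req.headers.get('X_ROLES')` for both would be easier to follow, and the `.keys()` call is unnecessary.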