From 6805790dda992cf9119368c41bbbc4c2557603bc Mon Sep 17 00:00:00 2001
From: Stephen Finucane
Date: Wed, 27 Jan 2021 17:56:30 +0000
Subject: [PATCH] policy: Add note about keystone's expansion of roles
The 'HTTP_X_ROLES' header will include both the primary role of the user and the implied roles. Clarify this in the stub we're using to mock that out.
Change-Id: I0ab16c3a4d997a0a1f86d75323beaa86979bafa3
Signed-off-by: Stephen Finucane
---
 placement/auth.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/placement/auth.py b/placement/auth.py
index e5f263713..a3523b856 100644
--- a/placement/auth.py
+++ b/placement/auth.py
@@ -49,15 +49,22 @@ class NoAuthMiddleware(Middleware):
 token = req.headers['X-Auth-Token']
 user_id, _sep, project_id = token.partition(':')
 project_id = project_id or user_id
+
+ # Real keystone expands and flattens roles to include their implied
+ # roles, e.g. admin implies member and reader, so tests should include
+ # this flattened list also
 if 'HTTP_X_ROLES' in req.environ.keys():
 roles = req.headers['X_ROLES'].split(',')
 elif user_id == 'admin':
 roles = ['admin']
 else:
 roles = []
+
 req.headers['X_USER_ID'] = user_id
+
 if not req.headers.get('OPENSTACK_SYSTEM_SCOPE'):
 req.headers['X_TENANT_ID'] = project_id
+
 req.headers['X_ROLES'] = ','.join(roles)
 return self.application
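Review bot: The `elif user_id == 'admin'` fallback still sets `roles = ['admin']`, which does not match the comment added just above it: real keystone would supply the flattened list, so an admin token sent without a roles header gets fewer roles from this stub than it would in a real deployment. If the policies under test check the implied roles (not visible in this hunk), the fallback could become `roles = ['admin', 'member', 'reader']`; otherwise the comment should say that expansion is the caller's job, e.g. `# NOTE: no expansion happens here; callers must pass the already-flattened list in X_ROLES`. The comment is also a good place to record that this stub takes the roles from the request unverified, so it belongs only in test/noauth setups. The enclosing method starts outside the hunk.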