From 50da9acaeaeeb49b82706b33e4e500a64b0cb801 Mon Sep 17 00:00:00 2001
From: Timothy Symanczyk <timothy_symanczyk@symantec.com>
Date: Fri, 25 Dec 2015 10:54:11 -0800
Subject: [PATCH] Don't crash on RoleCheck when roles not present

Gracefully handle the case where RoleCheck gets invoked with
credentials that do not have a roles list defined (ie, when using an
unscoped keystone token).

Change-Id: Ib6c2fb749a0eddfe3e5150e470f05ae9d77d55cc
Closes-Bug: #1529721
---
 oslo_policy/_checks.py           | 4 +++-
 oslo_policy/tests/test_checks.py | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/oslo_policy/_checks.py b/oslo_policy/_checks.py
index 8038b6c1..51c55292 100644
--- a/oslo_policy/_checks.py
+++ b/oslo_policy/_checks.py
@@ -218,7 +218,9 @@ class RoleCheck(Check):
             # While doing RoleCheck if key not
             # present in Target return false
             return False
-        return match.lower() in [x.lower() for x in creds['roles']]
+        if 'roles' in creds:
+            return match.lower() in [x.lower() for x in creds['roles']]
+        return False
 
 
 @register('http')
diff --git a/oslo_policy/tests/test_checks.py b/oslo_policy/tests/test_checks.py
index f438b642..3a490b9b 100644
--- a/oslo_policy/tests/test_checks.py
+++ b/oslo_policy/tests/test_checks.py
@@ -92,6 +92,11 @@ class RoleCheckTestCase(base.PolicyBaseTestCase):
         target_dict = dict(target=dict(role=dict()))
         self.assertFalse(check(target_dict, cred_dict, self.enforcer))
 
+    def test_no_roles_case(self):
+        check = _checks.RoleCheck('role', 'spam')
+
+        self.assertFalse(check({}, {}, self.enforcer))
+
 
 class HttpCheckTestCase(base.PolicyBaseTestCase):