Use role in insensitive case in keystoneauth.

Using insensitive case could tolerate human error. For example,
user maybe set like this "operator_roles = Admin, swiftoperator"

- also fix a mistake in test, ['admin'] is correct value for roles, not
  'admin' (it will be looped as ['a', 'd', 'm', 'i', 'n'])
- add test for insensitive cases

Fixes: bug #1013120
Change-Id: I56d71da8bc503e48e92dd743692ba6fc237f029e

swift/common/middleware/keystoneauth.py

@@ -81,9 +81,9 @@ class KeystoneAuth(object):
         self.logger = swift_utils.get_logger(conf, log_route='keystoneauth')
         self.reseller_prefix = conf.get('reseller_prefix', 'AUTH_').strip()
         self.operator_roles = conf.get('operator_roles',
-                                       'admin, swiftoperator')
+                                       'admin, swiftoperator').lower()
         self.reseller_admin_role = conf.get('reseller_admin_role',
-                                            'ResellerAdmin')
+                                            'ResellerAdmin').lower()
         config_is_admin = conf.get('is_admin', "false").lower()
         self.is_admin = swift_utils.config_true_value(config_is_admin)
         config_overrides = conf.get('allow_overrides', 't').lower()
@@ -106,7 +106,8 @@ class KeystoneAuth(object):
             environ['keystone.identity'] = identity
             environ['REMOTE_USER'] = identity.get('tenant')
             environ['swift.authorize'] = self.authorize
-            if self.reseller_admin_role in identity.get('roles', []):
+            user_roles = (r.lower() for r in identity.get('roles', []))
+            if self.reseller_admin_role in user_roles:
                 environ['reseller_request'] = True
         else:
             self.logger.debug('Authorizing as anonymous')
@@ -175,7 +176,7 @@ class KeystoneAuth(object):
         except ValueError:
             return HTTPNotFound(request=req)
 
-        user_roles = env_identity.get('roles', [])
+        user_roles = [r.lower() for r in env_identity.get('roles', [])]
 
         # Give unconditional access to a user with the reseller_admin
         # role.
@@ -230,7 +231,7 @@ class KeystoneAuth(object):
 
         # Check if we have the role in the userroles and allow it
         for user_role in user_roles:
-            if user_role in roles:
+            if user_role in (r.lower() for r in roles):
                 log_msg = 'user %s:%s allowed in ACL: %s authorizing'
                 self.logger.debug(log_msg % (tenant_name, user, user_role))
                 return

test/unit/common/middleware/test_keystoneauth.py

@@ -206,8 +206,20 @@ class TestAuthorize(unittest.TestCase):
         req = self._check_authenticate(identity=identity)
         self.assertTrue(req.environ.get('swift_owner'))
 
+    def test_authorize_succeeds_for_insensitive_reseller_admin(self):
+        roles = [self.test_auth.reseller_admin_role.upper()]
+        identity = self._get_identity(roles=roles)
+        req = self._check_authenticate(identity=identity)
+        self.assertTrue(req.environ.get('swift_owner'))
+
     def test_authorize_succeeds_as_owner_for_operator_role(self):
-        roles = self.test_auth.operator_roles.split(',')[0]
+        roles = self.test_auth.operator_roles.split(',')
+        identity = self._get_identity(roles=roles)
+        req = self._check_authenticate(identity=identity)
+        self.assertTrue(req.environ.get('swift_owner'))
+
+    def test_authorize_succeeds_as_owner_for_insensitive_operator_role(self):
+        roles = [r.upper() for r in self.test_auth.operator_roles.split(',')]
         identity = self._get_identity(roles=roles)
         req = self._check_authenticate(identity=identity)
         self.assertTrue(req.environ.get('swift_owner'))