authorJamie Lennox <jamielennox@gmail.com>2016-05-04 18:56:10 +1000
committerJamie Lennox <jamielennox@gmail.com>2016-05-09 11:23:23 +1000
commit0511e11287c6c554eac98fc725738baf6290c52e (patch)
treef7f857a2ea94a1210730a4d6e5517511364f5837 /oslo_context
parente1925637b4c0ec24575ef35b85deb8273053086b (diff)
Strip roles in from_environ
If somehow whitespace gets into the roles coming from headers we should remove it and only save the actual role name. This is not possible coming from auth_token middleware but is tested by some services and is simple to support here. Change-Id: I11ac3959d8f8b233c8785671d7a59263a4dc36df
Diffstat (limited to 'oslo_context')
-rw-r--r--oslo_context/context.py3
-rw-r--r--oslo_context/tests/test_context.py5
2 files changed, 7 insertions, 1 deletions
diff --git a/oslo_context/context.py b/oslo_context/context.py
index bfbedcb..d4902ad 100644
--- a/oslo_context/context.py
+++ b/oslo_context/context.py
@@ -173,7 +173,8 @@ class RequestContext(object):
if 'roles' not in kwargs:
roles = environ.get('HTTP_X_ROLES', environ.get('HTTP_X_ROLE'))
- kwargs['roles'] = roles.split(',') if roles else []
+ roles = [r.strip() for r in roles.split(',')] if roles else []
+ kwargs['roles'] = roles
return cls(**kwargs)
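Review bot: Empty entries survive the new comprehension in `from_environ`, because `strip()` only trims each piece and nothing filters the result. A header value with a doubled or trailing comma (constructed example: `'admin,,member,'`), or one that is only whitespace, still puts `''` into `kwargs['roles']`. This list is built from request headers and presumably feeds later authorization checks, so I would drop blanks in the same pass: `roles = [r.strip() for r in roles.split(',') if r.strip()] if roles else []`. The new `test_from_environ_strip_roles` in oslo_context/tests/test_context.py covers only padded names, so a case with an empty segment is worth adding there. The enclosing method starts outside this hunk.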
diff --git a/oslo_context/tests/test_context.py b/oslo_context/tests/test_context.py
index f2a095a..2165608 100644
--- a/oslo_context/tests/test_context.py
+++ b/oslo_context/tests/test_context.py
@@ -209,6 +209,11 @@ class ContextTest(test_base.BaseTestCase):
tenant=override)
self.assertEqual(ctx.tenant, override)
+ def test_from_environ_strip_roles(self):
+ environ = {'HTTP_X_ROLES': ' abc\t,\ndef\n,ghi\n\n'}
+ ctx = context.RequestContext.from_environ(environ=environ)
+ self.assertEqual(['abc', 'def', 'ghi'], ctx.roles)
+
def test_from_function_and_args(self):
ctx = context.RequestContext(user="user1")
arg = []