From 022dedd88d610ad1b997f1023db3105d53783a4e Mon Sep 17 00:00:00 2001
From: Kevin Kirsche
Date: Thu, 16 Feb 2023 18:13:30 +0000
Subject: [PATCH] feat: Add support for get allowed roles

Fix: #1427
---
 languages/python/oso/oso/oso.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/languages/python/oso/oso/oso.py b/languages/python/oso/oso/oso.py
index 2881c583d6..f269b1e449 100644
--- a/languages/python/oso/oso/oso.py
+++ b/languages/python/oso/oso/oso.py
@@ -143,6 +143,25 @@ def authorize_request(self, actor: _Actor, request: _Request) -> None:
 if not self.query_rule_once("allow_request", actor, request):
 raise self.forbidden_error()
 
+ def authorized_roles(
+ self,
+ actor: _Actor,
+ resource: _Resource,
+ ) -> Set[Any]:
+ """Determine the roles ``actor`` has on ``resource``.
+
+ Collects all roles of the actor in the Polar policy for the given
+ combination of actor and resource.
+
+ :param actor: The actor for whom to collect roles.
+
+ :param resource: The resource being accessed.
+
+ :return: A set containing all assigned roles.
+ """
+ results = self.query_rule("has_role", actor, Variable("role"), resource)
+ return {result.get("bindings").get("role") for result in results}
+
 def authorized_actions(
 self, actor: _Actor, resource: _Resource, allow_wildcard: bool = False
 ) -> Set[Any]:
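Review bot: The set comprehension at the end of `authorized_roles` returns whatever `role` was bound to, so a `has_role` rule that leaves the role unconstrained would put a `Variable` object in the result instead of raising. The neighbouring `authorized_actions` takes an `allow_wildcard` flag, which suggests the unbound case is handled explicitly there, though its body is outside this hunk. An authorization helper should refuse to report an unbound role, because a caller that only checks for a non-empty set would read it as a grant. Indexing `result["bindings"]["role"]` instead of chaining `.get()` also makes a missing binding fail with a `KeyError` rather than yielding a `None` role. The fence assumes `exceptions` is already in scope in oso.py, and since the patch touches only that file, a test for the empty and unbound cases is still needed.

```python
    # … unchanged: signature and docstring of authorized_roles …
        results = self.query_rule("has_role", actor, Variable("role"), resource)
        roles = set()
        for result in results:
            role = result["bindings"]["role"]
            if isinstance(role, Variable):
                # An unbound role matches every role; never report it as a role value.
                raise exceptions.OsoError(
                    "authorized_roles() got an unconstrained role from has_role"
                )
            roles.add(role)
        return roles
```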