authorJenkins <jenkins@review.openstack.org>2012-11-15 22:52:02 +0000
committerGerrit Code Review <review@openstack.org>2012-11-15 22:52:02 +0000
commit36a247c66134c686acd78798adbc777717543a2a (patch)
tree3a298ad7cac4aad6d7c8d3085c9458727f6201bb
parent240d6b41a04f1d24f9bfe36d4da3a57512bb80de (diff)
parent9d68b40cb9ea818c48152e6c712ff41586ad9653 (diff)
Merge "Ensures User is member of tenant in ec2 validation"
-rw-r--r--keystone/contrib/ec2/core.py17
1 files changed, 10 insertions, 7 deletions
diff --git a/keystone/contrib/ec2/core.py b/keystone/contrib/ec2/core.py
index 5bf40103..064474c7 100644
--- a/keystone/contrib/ec2/core.py
+++ b/keystone/contrib/ec2/core.py
@@ -168,6 +168,16 @@ class Ec2Controller(wsgi.Application):
context=context,
user_id=user_ref['id'],
tenant_id=tenant_ref['id'])
+
+ # TODO(termie): optimize this call at some point and put it into the
+ # the return for metadata
+ # fill out the roles in the metadata
+ roles = metadata_ref.get('roles', [])
+ if not roles:
+ raise exception.Unauthorized(message='User not valid for tenant.')
+ roles_ref = [self.identity_api.get_role(context, role_id)
+ for role_id in roles]
+
catalog_ref = self.catalog_api.get_catalog(
context=context,
user_id=user_ref['id'],
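Review bot: The new membership check at `roles = metadata_ref.get('roles', [])` assumes `get_metadata` always returns a dict. That call's behaviour is not visible here, but if a backend returns `None` for a user/tenant pair with no stored metadata, the non-member case raises `AttributeError` and surfaces as a server error instead of the intended `Unauthorized`. The request would still be denied, but guarding with `roles = (metadata_ref or {}).get('roles', [])` keeps the rejection explicit and gives logs and clients a consistent 401. The commit touches only core.py, so a regression test that validates an EC2 credential against a tenant where the user holds no role, and expects `Unauthorized`, would be worth adding. The enclosing method starts and ends outside this hunk.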
@@ -180,13 +190,6 @@ class Ec2Controller(wsgi.Application):
tenant=tenant_ref,
metadata=metadata_ref))
- # TODO(termie): optimize this call at some point and put it into the
- # the return for metadata
- # fill out the roles in the metadata
- roles_ref = []
- for role_id in metadata_ref.get('roles', []):
- roles_ref.append(self.identity_api.get_role(context, role_id))
-
# TODO(termie): make this a util function or something
# TODO(termie): i don't think the ec2 middleware currently expects a
# full return, but it contains a note saying that it