From 9d68b40cb9ea818c48152e6c712ff41586ad9653 Mon Sep 17 00:00:00 2001
From: Vishvananda Ishaya
Date: Tue, 13 Nov 2012 15:49:19 -0800
Subject: Ensures User is member of tenant in ec2 validation

It is possible that a user is no longer a member of a tenant when they attempt to use an ec2 token. This checks to make sure that the user still has at least one valid role in the tenant before authenticating them. This should automatically work for the s3 version as well since it is a subclass.

Fixes bug 1064914
Change-Id: Ieb237bae936a7b00ce7ba4d4c59aec6c7a69ec21
---
 keystone/contrib/ec2/core.py | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/keystone/contrib/ec2/core.py b/keystone/contrib/ec2/core.py
index 5bf40103..064474c7 100644
--- a/keystone/contrib/ec2/core.py
+++ b/keystone/contrib/ec2/core.py
@@ -168,6 +168,16 @@ class Ec2Controller(wsgi.Application):
 context=context,
 user_id=user_ref['id'],
 tenant_id=tenant_ref['id'])
+
+ # TODO(termie): optimize this call at some point and put it into the
+ # the return for metadata
+ # fill out the roles in the metadata
+ roles = metadata_ref.get('roles', [])
+ if not roles:
+ raise exception.Unauthorized(message='User not valid for tenant.')
+ roles_ref = [self.identity_api.get_role(context, role_id) for role_id in roles]
+
 catalog_ref = self.catalog_api.get_catalog(
 context=context,
 user_id=user_ref['id'],
@@ -180,13 +190,6 @@ class Ec2Controller(wsgi.Application):
 tenant=tenant_ref,
 metadata=metadata_ref))

- # TODO(termie): optimize this call at some point and put it into the
- # the return for metadata
- # fill out the roles in the metadata
- roles_ref = []
- for role_id in metadata_ref.get('roles', []):
- roles_ref.append(self.identity_api.get_role(context, role_id))
-
 # TODO(termie): make this a util function or something
 # TODO(termie): i don't think the ec2 middleware currently expects a
 # full return, but it contains a note saying that it
-- cgit
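Review bot: The `if not roles` guard in the first hunk is the membership check the commit exists for, yet the three comment lines moved above it still only say "fill out the roles in the metadata" (and keep the doubled "the the"), so nothing in the code states why an empty role list is rejected; a comment such as `# A user with no roles in the tenant is no longer a member; do not authenticate.` directly above the `if` would record that intent. The `metadata_ref = self.identity_api.get_metadata(...)` call whose result feeds `roles` starts outside the hunk, as does the enclosing method, so whether the request signature has already been verified at this point cannot be seen here; if it has, a 403-class exception may describe a known user lacking tenant roles more precisely than `Unauthorized`, though the ec2 middleware's expectations would decide that. The second hunk is only the matching removal of the old role-lookup loop and needs no separate note.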