From d2c6e88200bb33708a0861da4d1a10c0f7984895 Mon Sep 17 00:00:00 2001
From: Dolph Mathews
Date: Tue, 13 Mar 2012 22:06:34 -0500
Subject: [PATCH] Raising unauthorized instead of 500 (bug 954547)

Change-Id: I557ff1ca51261edf0824aeb4565816216c59c76e
---
 keystone/common/wsgi.py | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/keystone/common/wsgi.py b/keystone/common/wsgi.py
index 73cc3ad909..6f65c1fbb3 100644
--- a/keystone/common/wsgi.py
+++ b/keystone/common/wsgi.py
@@ -207,17 +207,26 @@ class Application(BaseApplication):
 context=context, token_id=context['token_id'])
 except exception.TokenNotFound:
 raise exception.Unauthorized()
+
 creds = user_token_ref['metadata'].copy()
- creds['user_id'] = user_token_ref['user'].get('id')
- creds['tenant_id'] = user_token_ref['tenant'].get('id')
+
+ try:
+ creds['user_id'] = user_token_ref['user'].get('id')
+ except AttributeError:
+ logging.debug('Invalid user')
+ raise exception.Unauthorized()
+
+ try:
+ creds['tenant_id'] = user_token_ref['tenant'].get('id')
+ except AttributeError:
+ logging.debug('Invalid tenant')
+ raise exception.Unauthorized()
+
 # NOTE(vish): this is pretty inefficient
 creds['roles'] = [self.identity_api.get_role(context, role)['name']
 for role in creds.get('roles', [])]
 # Accept either is_admin or the admin role
- self.policy_api.enforce(context,
- creds,
- 'admin_required',
- {})
+ self.policy_api.enforce(context, creds, 'admin_required', {})
 class Middleware(Application):
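Review bot: Both new `try` blocks catch only `AttributeError`, so they cover a token reference whose `user` or `tenant` is `None`, but a reference that lacks the key raises `KeyError` and would presumably still surface as a 500. A dict without an `id` also sets `creds['user_id']` to `None` and carries on to `policy_api.enforce`. Because the roles checked there come from the token metadata rather than from the user, failing closed looks safer: `except (AttributeError, KeyError):` followed by `if creds['user_id'] is None: raise exception.Unauthorized()`, and the same for `tenant_id`. The rejections are logged with `logging.debug`, which production log levels typically drop; `logging.warning('Invalid user')` would make rejected admin calls visible to monitoring, and the message should continue to leave out `context['token_id']`. The enclosing method and the opening of the `try` around the token lookup start above the hunk, so the earlier checks are not visible here.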