1 files changed, 12 insertions, 8 deletions

diff --git a/keystone-moon/keystone/token/controllers.py b/keystone-moon/keystone/token/controllers.py
index 3304acb5..ff65e733 100644
--- a/keystone-moon/keystone/token/controllers.py
+++ b/keystone-moon/keystone/token/controllers.py
@@ -15,6 +15,7 @@
 import datetime
 import sys
 
+from keystone.common import utils
 from keystoneclient.common import cms
 from oslo_config import cfg
 from oslo_log import log
@@ -118,7 +119,8 @@ class Auth(controller.V2Controller):
         # format.
         user_ref = self.v3_to_v2_user(user_ref)
         if tenant_ref:
-            tenant_ref = self.filter_domain_id(tenant_ref)
+            tenant_ref = self.v3_to_v2_project(tenant_ref)
+
         auth_token_data = self._get_auth_token_data(user_ref,
                                                     tenant_ref,
                                                     metadata_ref,
@@ -193,8 +195,9 @@ class Auth(controller.V2Controller):
         if not CONF.trust.enabled and 'trust_id' in auth:
             raise exception.Forbidden('Trusts are disabled.')
         elif CONF.trust.enabled and 'trust_id' in auth:
-            trust_ref = self.trust_api.get_trust(auth['trust_id'])
-            if trust_ref is None:
+            try:
+                trust_ref = self.trust_api.get_trust(auth['trust_id'])
+            except exception.TrustNotFound:
                 raise exception.Forbidden()
             if user_id != trust_ref['trustee_user_id']:
                 raise exception.Forbidden()
@@ -203,7 +206,7 @@ class Auth(controller.V2Controller):
                 raise exception.Forbidden()
             if ('expires' in trust_ref) and (trust_ref['expires']):
                 expiry = trust_ref['expires']
-                if expiry < timeutils.parse_isotime(timeutils.isotime()):
+                if expiry < timeutils.parse_isotime(utils.isotime()):
                     raise exception.Forbidden()
             user_id = trust_ref['trustor_user_id']
             trustor_user_ref = self.identity_api.get_user(
@@ -385,7 +388,8 @@ class Auth(controller.V2Controller):
                 role_list = self.assignment_api.get_roles_for_user_and_project(
                     user_id, tenant_id)
             except exception.ProjectNotFound:
-                pass
+                msg = _('Project ID not found: %(t_id)s') % {'t_id': tenant_id}
+                raise exception.Unauthorized(msg)
 
             if not role_list:
                 msg = _('User %(u_id)s is unauthorized for tenant %(t_id)s')
@@ -460,7 +464,7 @@ class Auth(controller.V2Controller):
         for t in tokens:
             expires = t['expires']
             if expires and isinstance(expires, datetime.datetime):
-                t['expires'] = timeutils.isotime(expires)
+                t['expires'] = utils.isotime(expires)
         data = {'revoked': tokens}
         json_data = jsonutils.dumps(data)
         signed_text = cms.cms_sign_text(json_data,
@@ -508,8 +512,8 @@ class Auth(controller.V2Controller):
             return {}
 
         endpoints = []
-        for region_name, region_ref in six.iteritems(catalog_ref):
-            for service_type, service_ref in six.iteritems(region_ref):
+        for region_name, region_ref in catalog_ref.items():
+            for service_type, service_ref in region_ref.items():
                 endpoints.append({
                     'id': service_ref.get('id'),
                     'name': service_ref.get('name'),