This file is indexed.

/usr/share/pyshared/melange/common/auth.py is in python-melange 1:2012.1-3.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# vim: tabstop=4 shiftwidth=4 softtabstop=4

# Copyright 2011 OpenStack LLC.
# All Rights Reserved.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

import httplib2
import json
import logging
import re
import urlparse
import webob.exc
import wsgi


LOG = logging.getLogger("melange.common.auth")


class AuthorizationMiddleware(wsgi.Middleware):

    def __init__(self, application, auth_providers, **local_config):
        self.auth_providers = auth_providers
        LOG.debug("Auth middleware providers: %s" % auth_providers)
        super(AuthorizationMiddleware, self).__init__(application,
                                                      **local_config)

    def process_request(self, request):
        roles = request.headers.get('X_ROLE', '').split(',')
        LOG.debug("Processing auth request with roles: %s" % roles)
        tenant_id = request.headers.get('X_TENANT', None)
        LOG.debug("Processing auth request with tenant_id: %s" % tenant_id)
        for provider in self.auth_providers:
            provider.authorize(request, tenant_id, roles)

    @classmethod
    def factory(cls, global_config, **local_config):
        def _factory(app):
            LOG.debug("Created auth middleware with config: %s" % local_config)
            return cls(app, [TenantBasedAuth()],
                       **local_config)
        return _factory


class TenantBasedAuth(object):

    tenant_scoped_url = re.compile(".*/tenants/(?P<tenant_id>.*?)/.*")

    def authorize(self, request, tenant_id, roles):
        if 'admin' in [role.lower() for role in roles]:
            LOG.debug("Authorized admin request: %s" % request)
            return True
        match_for_tenant = self.tenant_scoped_url.match(request.path_info)
        if (match_for_tenant and
            tenant_id == match_for_tenant.group('tenant_id')):
            LOG.debug("Authorized tenant '%(tenant_id)s' request: "
                      "%(request)s" % locals())
            return True
        raise webob.exc.HTTPForbidden(_("User with tenant id %s cannot "
                                        "access this resource") % tenant_id)