This file is indexed.

/usr/lib/ruby/vendor_ruby/chef_zero/endpoints/authenticate_user_endpoint.rb is in chef-zero 4.5.0-2.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
require 'ffi_yajl'
require 'chef_zero/rest_base'

module ChefZero
  module Endpoints
    # /authenticate_user
    class AuthenticateUserEndpoint < RestBase
      def post(request)
        request_json = FFI_Yajl::Parser.parse(request.body, :create_additions => false)
        name = request_json['username']
        password = request_json['password']
        begin
          user = data_store.get(['users', name])
        rescue ChefZero::DataStore::DataNotFoundError
          raise RestErrorResponse.new(401, "Bad username or password")
        end
        user = FFI_Yajl::Parser.parse(user, :create_additions => false)
        user = ChefData::DataNormalizer.normalize_user(user, name, [ 'username' ], server.options[:osc_compat])
        if user['password'] != password
          raise RestErrorResponse.new(401, "Bad username or password")
        end
        # Include only particular user data in the response
        user.keep_if { |key,value| %w(first_name last_name display_name email username).include?(key) }
        json_response(200, {
          'status' => 'linked',
          'user' => user
        })
      end
    end
  end
end