rhodecode-enterprise-ce Commit - r2979:095dcb4b

branch-permissions: handle vcs operations and branch permissions....

marcink -

r2979:095dcb4b default

parent child

rhodecode/tests/vcs_operations/test_vcs_operations_branch_protection.py

0 created 644 +94 0

@@ -0,0 +1,94 b''
	1	# -- coding: utf-8 --
	2
	3	# Copyright (C) 2010-2018 RhodeCode GmbH
	4	#
	5	# This program is free software: you can redistribute it and/or modify
	6	# it under the terms of the GNU Affero General Public License, version 3
	7	# (only), as published by the Free Software Foundation.
	8	#
	9	# This program is distributed in the hope that it will be useful,
	10	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	# GNU General Public License for more details.
	13	#
	14	# You should have received a copy of the GNU Affero General Public License
	15	# along with this program. If not, see <http://www.gnu.org/licenses/>.
	16	#
	17	# This program is dual-licensed. If you wish to learn more about the
	18	# RhodeCode Enterprise Edition, including its added features, Support services,
	19	# and proprietary license terms, please see https://rhodecode.com/licenses/
	20
	21	import os
	22	import pytest
	23
	24	from rhodecode.tests import (
	25	TEST_USER_ADMIN_LOGIN, TEST_USER_ADMIN_PASS,
	26	TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS)
	27	from rhodecode.tests.vcs_operations import (
	28	Command, _check_proper_hg_push, _check_proper_git_push, _add_files_and_push)
	29
	30
	31	@pytest.mark.usefixtures("disable_anonymous_user")
	32	class TestVCSOperations(object):
	33
	34	@pytest.mark.parametrize('username, password', [
	35	(TEST_USER_ADMIN_LOGIN, TEST_USER_ADMIN_PASS),
	36	(TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS),
	37	])
	38	@pytest.mark.parametrize('branch_perm', [
	39	'branch.none',
	40	'branch.merge',
	41	'branch.push',
	42	'branch.push_force',
	43	])
	44	def test_push_to_protected_branch_fails_with_message_hg(
	45	self, rc_web_server, tmpdir, branch_perm, user_util,
	46	branch_permission_setter, username, password):
	47	repo = user_util.create_repo(repo_type='hg')
	48	repo_name = repo.repo_name
	49	branch_permission_setter(repo_name, username, permission=branch_perm)
	50
	51	clone_url = rc_web_server.repo_clone_url(
	52	repo.repo_name, user=username, passwd=password)
	53	Command(os.path.dirname(tmpdir.strpath)).execute(
	54	'hg clone', clone_url, tmpdir.strpath)
	55
	56	stdout, stderr = _add_files_and_push(
	57	'hg', tmpdir.strpath, clone_url=clone_url)
	58	if branch_perm in ['branch.push', 'branch.push_force']:
	59	_check_proper_hg_push(stdout, stderr)
	60	else:
	61	msg = "Branch `default` changes rejected by rule `*`=>{}".format(branch_perm)
	62	assert msg in stdout
	63	assert "transaction abort" in stdout
	64
	65	@pytest.mark.parametrize('username, password', [
	66	(TEST_USER_ADMIN_LOGIN, TEST_USER_ADMIN_PASS),
	67	(TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS),
	68	])
	69	@pytest.mark.parametrize('branch_perm', [
	70	'branch.none',
	71	'branch.merge',
	72	'branch.push',
	73	'branch.push_force',
	74	])
	75	def test_push_to_protected_branch_fails_with_message_git(
	76	self, rc_web_server, tmpdir, branch_perm, user_util,
	77	branch_permission_setter, username, password):
	78	repo = user_util.create_repo(repo_type='git')
	79	repo_name = repo.repo_name
	80	branch_permission_setter(repo_name, username, permission=branch_perm)
	81
	82	clone_url = rc_web_server.repo_clone_url(
	83	repo.repo_name, user=username, passwd=password)
	84	Command(os.path.dirname(tmpdir.strpath)).execute(
	85	'git clone', clone_url, tmpdir.strpath)
	86
	87	stdout, stderr = _add_files_and_push(
	88	'git', tmpdir.strpath, clone_url=clone_url)
	89	if branch_perm in ['branch.push', 'branch.push_force']:
	90	_check_proper_git_push(stdout, stderr)
	91	else:
	92	msg = "Branch `master` changes rejected by rule `*`=>{}".format(branch_perm)
	93	assert msg in stderr
	94	assert "(pre-receive hook declined)" in stderr

rhodecode/tests/vcs_operations/test_vcs_operations_force_push.py

0 created 644 +122 0

@@ -0,0 +1,122 b''
	1	# -- coding: utf-8 --
	2
	3	# Copyright (C) 2010-2018 RhodeCode GmbH
	4	#
	5	# This program is free software: you can redistribute it and/or modify
	6	# it under the terms of the GNU Affero General Public License, version 3
	7	# (only), as published by the Free Software Foundation.
	8	#
	9	# This program is distributed in the hope that it will be useful,
	10	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	# GNU General Public License for more details.
	13	#
	14	# You should have received a copy of the GNU Affero General Public License
	15	# along with this program. If not, see <http://www.gnu.org/licenses/>.
	16	#
	17	# This program is dual-licensed. If you wish to learn more about the
	18	# RhodeCode Enterprise Edition, including its added features, Support services,
	19	# and proprietary license terms, please see https://rhodecode.com/licenses/
	20
	21
	22	import os
	23	import pytest
	24
	25	from rhodecode.tests import TEST_USER_ADMIN_LOGIN
	26	from rhodecode.tests.vcs_operations import (
	27	Command, _check_proper_hg_push, _check_proper_git_push,
	28	_add_files, _add_files_and_push)
	29
	30
	31	@pytest.mark.usefixtures("disable_anonymous_user")
	32	class TestVCSOperations(object):
	33
	34	def test_push_force_hg(self, rc_web_server, tmpdir, user_util):
	35	repo = user_util.create_repo(repo_type='hg')
	36	clone_url = rc_web_server.repo_clone_url(repo.repo_name)
	37	Command(os.path.dirname(tmpdir.strpath)).execute(
	38	'hg clone', clone_url, tmpdir.strpath)
	39
	40	stdout, stderr = _add_files_and_push(
	41	'hg', tmpdir.strpath, clone_url=clone_url)
	42	_check_proper_hg_push(stdout, stderr)
	43
	44	# rewrite history, and push with force
	45	Command(tmpdir.strpath).execute(
	46	'hg checkout -r 1 && hg commit -m "starting new head"')
	47	_add_files('hg', tmpdir.strpath, clone_url=clone_url)
	48
	49	stdout, stderr = Command(tmpdir.strpath).execute(
	50	'hg push --verbose -f {}'.format(clone_url))
	51
	52	_check_proper_hg_push(stdout, stderr)
	53
	54	def test_push_force_git(self, rc_web_server, tmpdir, user_util):
	55	repo = user_util.create_repo(repo_type='git')
	56	clone_url = rc_web_server.repo_clone_url(repo.repo_name)
	57	Command(os.path.dirname(tmpdir.strpath)).execute(
	58	'git clone', clone_url, tmpdir.strpath)
	59
	60	stdout, stderr = _add_files_and_push(
	61	'git', tmpdir.strpath, clone_url=clone_url)
	62	_check_proper_git_push(stdout, stderr)
	63
	64	# rewrite history, and push with force
	65	Command(tmpdir.strpath).execute(
	66	'git reset --hard HEAD~2')
	67	stdout, stderr = Command(tmpdir.strpath).execute(
	68	'git push -f {} master'.format(clone_url))
	69
	70	assert '(forced update)' in stderr
	71
	72	def test_push_force_hg_blocked_by_branch_permissions(
	73	self, rc_web_server, tmpdir, user_util, branch_permission_setter):
	74	repo = user_util.create_repo(repo_type='hg')
	75	repo_name = repo.repo_name
	76	username = TEST_USER_ADMIN_LOGIN
	77	branch_permission_setter(repo_name, username, permission='branch.push')
	78
	79	clone_url = rc_web_server.repo_clone_url(repo.repo_name)
	80	Command(os.path.dirname(tmpdir.strpath)).execute(
	81	'hg clone', clone_url, tmpdir.strpath)
	82
	83	stdout, stderr = _add_files_and_push(
	84	'hg', tmpdir.strpath, clone_url=clone_url)
	85	_check_proper_hg_push(stdout, stderr)
	86
	87	# rewrite history, and push with force
	88	Command(tmpdir.strpath).execute(
	89	'hg checkout -r 1 && hg commit -m "starting new head"')
	90	_add_files('hg', tmpdir.strpath, clone_url=clone_url)
	91
	92	stdout, stderr = Command(tmpdir.strpath).execute(
	93	'hg push --verbose -f {}'.format(clone_url))
	94
	95	assert "Branch `default` changes rejected by rule `*`=>branch.push" in stdout
	96	assert "FORCE PUSH FORBIDDEN" in stdout
	97	assert "transaction abort" in stdout
	98
	99	def test_push_force_git_blocked_by_branch_permissions(
	100	self, rc_web_server, tmpdir, user_util, branch_permission_setter):
	101	repo = user_util.create_repo(repo_type='git')
	102	repo_name = repo.repo_name
	103	username = TEST_USER_ADMIN_LOGIN
	104	branch_permission_setter(repo_name, username, permission='branch.push')
	105
	106	clone_url = rc_web_server.repo_clone_url(repo.repo_name)
	107	Command(os.path.dirname(tmpdir.strpath)).execute(
	108	'git clone', clone_url, tmpdir.strpath)
	109
	110	stdout, stderr = _add_files_and_push(
	111	'git', tmpdir.strpath, clone_url=clone_url)
	112	_check_proper_git_push(stdout, stderr)
	113
	114	# rewrite history, and push with force
	115	Command(tmpdir.strpath).execute(
	116	'git reset --hard HEAD~2')
	117	stdout, stderr = Command(tmpdir.strpath).execute(
	118	'git push -f {} master'.format(clone_url))
	119
	120	assert "Branch `master` changes rejected by rule `*`=>branch.push" in stderr
	121	assert "FORCE PUSH FORBIDDEN" in stderr
	122	assert "(pre-receive hook declined)" in stderr

rhodecode/tests/vcs_operations/test_vcs_operations_new_branch_push.py

0 created 644 +115 0

@@ -0,0 +1,115 b''
	1	# -- coding: utf-8 --
	2
	3	# Copyright (C) 2010-2018 RhodeCode GmbH
	4	#
	5	# This program is free software: you can redistribute it and/or modify
	6	# it under the terms of the GNU Affero General Public License, version 3
	7	# (only), as published by the Free Software Foundation.
	8	#
	9	# This program is distributed in the hope that it will be useful,
	10	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	# GNU General Public License for more details.
	13	#
	14	# You should have received a copy of the GNU Affero General Public License
	15	# along with this program. If not, see <http://www.gnu.org/licenses/>.
	16	#
	17	# This program is dual-licensed. If you wish to learn more about the
	18	# RhodeCode Enterprise Edition, including its added features, Support services,
	19	# and proprietary license terms, please see https://rhodecode.com/licenses/
	20
	21
	22	import os
	23	import pytest
	24
	25	from rhodecode.tests import TEST_USER_ADMIN_LOGIN
	26	from rhodecode.tests.vcs_operations import (
	27	Command, _check_proper_hg_push, _check_proper_git_push, _add_files_and_push)
	28
	29
	30	@pytest.mark.usefixtures("disable_anonymous_user")
	31	class TestVCSOperations(object):
	32
	33	def test_push_new_branch_hg(self, rc_web_server, tmpdir, user_util):
	34	repo = user_util.create_repo(repo_type='hg')
	35	clone_url = rc_web_server.repo_clone_url(repo.repo_name)
	36	Command(os.path.dirname(tmpdir.strpath)).execute(
	37	'hg clone', clone_url, tmpdir.strpath)
	38
	39	stdout, stderr = _add_files_and_push(
	40	'hg', tmpdir.strpath, clone_url=clone_url)
	41	_check_proper_hg_push(stdout, stderr)
	42
	43	# start new branch, and push file into it
	44	Command(tmpdir.strpath).execute(
	45	'hg branch dev && hg commit -m "starting dev branch"')
	46	stdout, stderr = _add_files_and_push(
	47	'hg', tmpdir.strpath, clone_url=clone_url, target_branch='dev',
	48	new_branch=True)
	49
	50	_check_proper_hg_push(stdout, stderr)
	51
	52	def test_push_new_branch_git(self, rc_web_server, tmpdir, user_util):
	53	repo = user_util.create_repo(repo_type='git')
	54	clone_url = rc_web_server.repo_clone_url(repo.repo_name)
	55	Command(os.path.dirname(tmpdir.strpath)).execute(
	56	'git clone', clone_url, tmpdir.strpath)
	57
	58	stdout, stderr = _add_files_and_push(
	59	'git', tmpdir.strpath, clone_url=clone_url)
	60	_check_proper_git_push(stdout, stderr)
	61
	62	# start new branch, and push file into it
	63	Command(tmpdir.strpath).execute('git checkout -b dev')
	64	stdout, stderr = _add_files_and_push(
	65	'git', tmpdir.strpath, clone_url=clone_url, target_branch='dev',
	66	new_branch=True)
	67
	68	_check_proper_git_push(stdout, stderr, branch='dev')
	69
	70	def test_push_new_branch_hg_with_branch_permissions_no_force_push(
	71	self, rc_web_server, tmpdir, user_util, branch_permission_setter):
	72	repo = user_util.create_repo(repo_type='hg')
	73	repo_name = repo.repo_name
	74	username = TEST_USER_ADMIN_LOGIN
	75	branch_permission_setter(repo_name, username, permission='branch.push')
	76
	77	clone_url = rc_web_server.repo_clone_url(repo.repo_name)
	78	Command(os.path.dirname(tmpdir.strpath)).execute(
	79	'hg clone', clone_url, tmpdir.strpath)
	80
	81	stdout, stderr = _add_files_and_push(
	82	'hg', tmpdir.strpath, clone_url=clone_url)
	83	_check_proper_hg_push(stdout, stderr)
	84
	85	# start new branch, and push file into it
	86	Command(tmpdir.strpath).execute(
	87	'hg branch dev && hg commit -m "starting dev branch"')
	88	stdout, stderr = _add_files_and_push(
	89	'hg', tmpdir.strpath, clone_url=clone_url, target_branch='dev',
	90	new_branch=True)
	91
	92	_check_proper_hg_push(stdout, stderr)
	93
	94	def test_push_new_branch_git_with_branch_permissions_no_force_push(
	95	self, rc_web_server, tmpdir, user_util, branch_permission_setter):
	96	repo = user_util.create_repo(repo_type='git')
	97	repo_name = repo.repo_name
	98	username = TEST_USER_ADMIN_LOGIN
	99	branch_permission_setter(repo_name, username, permission='branch.push')
	100
	101	clone_url = rc_web_server.repo_clone_url(repo.repo_name)
	102	Command(os.path.dirname(tmpdir.strpath)).execute(
	103	'git clone', clone_url, tmpdir.strpath)
	104
	105	stdout, stderr = _add_files_and_push(
	106	'git', tmpdir.strpath, clone_url=clone_url)
	107	_check_proper_git_push(stdout, stderr)
	108
	109	# start new branch, and push file into it
	110	Command(tmpdir.strpath).execute('git checkout -b dev')
	111	stdout, stderr = _add_files_and_push(
	112	'git', tmpdir.strpath, clone_url=clone_url, target_branch='dev',
	113	new_branch=True)
	114
	115	_check_proper_git_push(stdout, stderr, branch='dev')

rhodecode/lib/auth.py

0 +101 -53

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             authentication and permission libraries
             """
             import os
             import time
             import inspect
             import collections
             import fnmatch
             import hashlib
             import itertools
             import logging
             import random
             import traceback
             from functools import wraps
             import ipaddress
             from pyramid.httpexceptions import HTTPForbidden, HTTPFound, HTTPNotFound
             from sqlalchemy.orm.exc import ObjectDeletedError
             from sqlalchemy.orm import joinedload
             from zope.cachedescriptors.property import Lazy as LazyProperty
             import rhodecode
             from rhodecode.model import meta
             from rhodecode.model.meta import Session
             from rhodecode.model.user import UserModel
             from rhodecode.model.db import (
                 User, Repository, Permission, UserToPerm, UserGroupToPerm, UserGroupMember,
                 UserIpMap, UserApiKeys, RepoGroup, UserGroup)
             from rhodecode.lib import rc_cache
             from rhodecode.lib.utils2 import safe_unicode, aslist, safe_str, md5, safe_int, sha1
             from rhodecode.lib.utils import (
                 get_repo_slug, get_repo_group_slug, get_user_group_slug)
             from rhodecode.lib.caching_query import FromCache
             if rhodecode.is_unix:
                 import bcrypt
             log = logging.getLogger(__name__)
             csrf_token_key = "csrf_token"
             class PasswordGenerator(object):
                 """
                 This is a simple class for generating password from different sets of
                 characters
                 usage::
                     passwd_gen = PasswordGenerator()
                     #print 8-letter password containing only big and small letters
                         of alphabet
                     passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL)
                 """
                 ALPHABETS_NUM = r'''1234567890'''
                 ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm'''
                 ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM'''
                 ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?'''
                 ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \
                     + ALPHABETS_NUM + ALPHABETS_SPECIAL
                 ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM
                 ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL
                 ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM
                 ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM
                 def __init__(self, passwd=''):
                     self.passwd = passwd
                 def gen_password(self, length, type_=None):
                     if type_ is None:
                         type_ = self.ALPHABETS_FULL
                     self.passwd = ''.join([random.choice(type_) for _ in range(length)])
                     return self.passwd
             class _RhodeCodeCryptoBase(object):
                 ENC_PREF = None
                 def hash_create(self, str_):
                     """
                     hash the string using
                     :param str_: password to hash
                     """
                     raise NotImplementedError
                 def hash_check_with_upgrade(self, password, hashed):
                     """
                     Returns tuple in which first element is boolean that states that
                     given password matches it's hashed version, and the second is new hash
                     of the password, in case this password should be migrated to new
                     cipher.
                     """
                     checked_hash = self.hash_check(password, hashed)
                     return checked_hash, None
                 def hash_check(self, password, hashed):
                     """
                     Checks matching password with it's hashed value.
                     :param password: password
                     :param hashed: password in hashed form
                     """
                     raise NotImplementedError
                 def _assert_bytes(self, value):
                     """
                     Passing in an `unicode` object can lead to hard to detect issues
                     if passwords contain non-ascii characters.  Doing a type check
                     during runtime, so that such mistakes are detected early on.
                     """
                     if not isinstance(value, str):
                         raise TypeError(
                             "Bytestring required as input, got %r." % (value, ))
             class _RhodeCodeCryptoBCrypt(_RhodeCodeCryptoBase):
                 ENC_PREF = ('$2a$10', '$2b$10')
                 def hash_create(self, str_):
                     self._assert_bytes(str_)
                     return bcrypt.hashpw(str_, bcrypt.gensalt(10))
                 def hash_check_with_upgrade(self, password, hashed):
                     """
                     Returns tuple in which first element is boolean that states that
                     given password matches it's hashed version, and the second is new hash
                     of the password, in case this password should be migrated to new
                     cipher.
                     This implements special upgrade logic which works like that:
                      - check if the given password == bcrypted hash, if yes then we
                        properly used password and it was already in bcrypt. Proceed
                        without any changes
                      - if bcrypt hash check is not working try with sha256. If hash compare
                        is ok, it means we using correct but old hashed password. indicate
                        hash change and proceed
                     """
                     new_hash = None
                     # regular pw check
                     password_match_bcrypt = self.hash_check(password, hashed)
                     # now we want to know if the password was maybe from sha256
                     # basically calling _RhodeCodeCryptoSha256().hash_check()
                     if not password_match_bcrypt:
                         if _RhodeCodeCryptoSha256().hash_check(password, hashed):
                             new_hash = self.hash_create(password)  # make new bcrypt hash
                             password_match_bcrypt = True
                     return password_match_bcrypt, new_hash
                 def hash_check(self, password, hashed):
                     """
                     Checks matching password with it's hashed value.
                     :param password: password
                     :param hashed: password in hashed form
                     """
                     self._assert_bytes(password)
                     try:
                         return bcrypt.hashpw(password, hashed) == hashed
                     except ValueError as e:
                         # we're having a invalid salt here probably, we should not crash
                         # just return with False as it would be a wrong password.
                         log.debug('Failed to check password hash using bcrypt %s',
                                   safe_str(e))
                     return False
             class _RhodeCodeCryptoSha256(_RhodeCodeCryptoBase):
                 ENC_PREF = '_'
                 def hash_create(self, str_):
                     self._assert_bytes(str_)
                     return hashlib.sha256(str_).hexdigest()
                 def hash_check(self, password, hashed):
                     """
                     Checks matching password with it's hashed value.
                     :param password: password
                     :param hashed: password in hashed form
                     """
                     self._assert_bytes(password)
                     return hashlib.sha256(password).hexdigest() == hashed
             class _RhodeCodeCryptoTest(_RhodeCodeCryptoBase):
                 ENC_PREF = '_'
                 def hash_create(self, str_):
                     self._assert_bytes(str_)
                     return sha1(str_)
                 def hash_check(self, password, hashed):
                     """
                     Checks matching password with it's hashed value.
                     :param password: password
                     :param hashed: password in hashed form
                     """
                     self._assert_bytes(password)
                     return sha1(password) == hashed
             def crypto_backend():
                 """
                 Return the matching crypto backend.
                 Selection is based on if we run tests or not, we pick sha1-test backend to run
                 tests faster since BCRYPT is expensive to calculate
                 """
                 if rhodecode.is_test:
                     RhodeCodeCrypto = _RhodeCodeCryptoTest()
                 else:
                     RhodeCodeCrypto = _RhodeCodeCryptoBCrypt()
                 return RhodeCodeCrypto
             def get_crypt_password(password):
                 """
                 Create the hash of `password` with the active crypto backend.
                 :param password: The cleartext password.
                 :type password: unicode
                 """
                 password = safe_str(password)
                 return crypto_backend().hash_create(password)
             def check_password(password, hashed):
                 """
                 Check if the value in `password` matches the hash in `hashed`.
                 :param password: The cleartext password.
                 :type password: unicode
                 :param hashed: The expected hashed version of the password.
                 :type hashed: The hash has to be passed in in text representation.
                 """
                 password = safe_str(password)
                 return crypto_backend().hash_check(password, hashed)
             def generate_auth_token(data, salt=None):
                 """
                 Generates API KEY from given string
                 """
                 if salt is None:
                     salt = os.urandom(16)
                 return hashlib.sha1(safe_str(data) + salt).hexdigest()
             def get_came_from(request):
                 """
                 get query_string+path from request sanitized after removing auth_token
                 """
                 _req = request
                 path = _req.path
                 if 'auth_token' in _req.GET:
                     # sanitize the request and remove auth_token for redirection
                     _req.GET.pop('auth_token')
                 qs = _req.query_string
                 if qs:
                     path += '?' + qs
                 return path
             class CookieStoreWrapper(object):
                 def __init__(self, cookie_store):
                     self.cookie_store = cookie_store
                 def __repr__(self):
                     return 'CookieStore<%s>' % (self.cookie_store)
                 def get(self, key, other=None):
                     if isinstance(self.cookie_store, dict):
                         return self.cookie_store.get(key, other)
                     elif isinstance(self.cookie_store, AuthUser):
                         return self.cookie_store.__dict__.get(key, other)
             def _cached_perms_data(user_id, scope, user_is_admin,
                                    user_inherit_default_permissions, explicit, algo,
                                    calculate_super_admin):
                 permissions = PermissionCalculator(
                     user_id, scope, user_is_admin, user_inherit_default_permissions,
                     explicit, algo, calculate_super_admin)
                 return permissions.calculate()
             class PermOrigin(object):
                 SUPER_ADMIN = 'superadmin'
                 REPO_USER = 'user:%s'
                 REPO_USERGROUP = 'usergroup:%s'
                 REPO_OWNER = 'repo.owner'
                 REPO_DEFAULT = 'repo.default'
                 REPO_DEFAULT_NO_INHERIT = 'repo.default.no.inherit'
                 REPO_PRIVATE = 'repo.private'
                 REPOGROUP_USER = 'user:%s'
                 REPOGROUP_USERGROUP = 'usergroup:%s'
                 REPOGROUP_OWNER = 'group.owner'
                 REPOGROUP_DEFAULT = 'group.default'
                 REPOGROUP_DEFAULT_NO_INHERIT = 'group.default.no.inherit'
                 USERGROUP_USER = 'user:%s'
                 USERGROUP_USERGROUP = 'usergroup:%s'
                 USERGROUP_OWNER = 'usergroup.owner'
                 USERGROUP_DEFAULT = 'usergroup.default'
                 USERGROUP_DEFAULT_NO_INHERIT = 'usergroup.default.no.inherit'
             class PermOriginDict(dict):
                 """
                 A special dict used for tracking permissions along with their origins.
                 `__setitem__` has been overridden to expect a tuple(perm, origin)
                 `__getitem__` will return only the perm
                 `.perm_origin_stack` will return the stack of (perm, origin) set per key
                 >>> perms = PermOriginDict()
                 >>> perms['resource'] = 'read', 'default'
                 >>> perms['resource']
                 'read'
                 >>> perms['resource'] = 'write', 'admin'
                 >>> perms['resource']
                 'write'
                 >>> perms.perm_origin_stack
                 {'resource': [('read', 'default'), ('write', 'admin')]}
                 """
                 def __init__(self, *args, **kw):
                     dict.__init__(self, *args, **kw)
                     self.perm_origin_stack = collections.OrderedDict()
                 def __setitem__(self, key, (perm, origin)):
                     self.perm_origin_stack.setdefault(key, []).append(
                         (perm, origin))
                     dict.__setitem__(self, key, perm)
             class BranchPermOriginDict(PermOriginDict):
                 """
                 Dedicated branch permissions dict, with tracking of patterns and origins.
                 >>> perms = BranchPermOriginDict()
                 >>> perms['resource'] = '*pattern', 'read', 'default'
                 >>> perms['resource']
                 {'*pattern': 'read'}
                 >>> perms['resource'] = '*pattern', 'write', 'admin'
                 >>> perms['resource']
                 {'*pattern': 'write'}
                 >>> perms.perm_origin_stack
                 {'resource': {'*pattern': [('read', 'default'), ('write', 'admin')]}}
                 """
                 def __setitem__(self, key, (pattern, perm, origin)):
                     self.perm_origin_stack.setdefault(key, {}) \
                         .setdefault(pattern, []).append((perm, origin))
                     if key in self:
                         self[key].__setitem__(pattern, perm)
                     else:
                         patterns = collections.OrderedDict()
                         patterns[pattern] = perm
                         dict.__setitem__(self, key, patterns)
             class PermissionCalculator(object):
                 def __init__(
                         self, user_id, scope, user_is_admin,
                         user_inherit_default_permissions, explicit, algo,
-                        calculate_super_admin=False):
+                        calculate_super_admin_as_user=False):
                     self.user_id = user_id
                     self.user_is_admin = user_is_admin
                     self.inherit_default_permissions = user_inherit_default_permissions
                     self.explicit = explicit
                     self.algo = algo
-                    self.calculate_super_admin = calculate_super_admin
+                    self.calculate_super_admin_as_user = calculate_super_admin_as_user
                     scope = scope or {}
                     self.scope_repo_id = scope.get('repo_id')
                     self.scope_repo_group_id = scope.get('repo_group_id')
                     self.scope_user_group_id = scope.get('user_group_id')
                     self.default_user_id = User.get_default_user(cache=True).user_id
                     self.permissions_repositories = PermOriginDict()
                     self.permissions_repository_groups = PermOriginDict()
                     self.permissions_user_groups = PermOriginDict()
                     self.permissions_repository_branches = BranchPermOriginDict()
                     self.permissions_global = set()
                     self.default_repo_perms = Permission.get_default_repo_perms(
                         self.default_user_id, self.scope_repo_id)
                     self.default_repo_groups_perms = Permission.get_default_group_perms(
                         self.default_user_id, self.scope_repo_group_id)
                     self.default_user_group_perms = \
                         Permission.get_default_user_group_perms(
                             self.default_user_id, self.scope_user_group_id)
                     # default branch perms
                     self.default_branch_repo_perms = \
                         Permission.get_default_repo_branch_perms(
                             self.default_user_id, self.scope_repo_id)
                 def calculate(self):
-                    if self.user_is_admin and not self.calculate_super_admin:
+                    if self.user_is_admin and not self.calculate_super_admin_as_user:
-                        return self._admin_permissions()
+                        return self._calculate_admin_permissions()
                     self._calculate_global_default_permissions()
                     self._calculate_global_permissions()
                     self._calculate_default_permissions()
                     self._calculate_repository_permissions()
                     self._calculate_repository_branch_permissions()
                     self._calculate_repository_group_permissions()
                     self._calculate_user_group_permissions()
                     return self._permission_structure()
-                def _admin_permissions(self):
+                def _calculate_admin_permissions(self):
                     """
                     admin user have all default rights for repositories
                     and groups set to admin
                     """
                     self.permissions_global.add('hg.admin')
                     self.permissions_global.add('hg.create.write_on_repogroup.true')
                     # repositories
                     for perm in self.default_repo_perms:
                         r_k = perm.UserRepoToPerm.repository.repo_name
                         p = 'repository.admin'
                         self.permissions_repositories[r_k] = p, PermOrigin.SUPER_ADMIN
                     # repository groups
                     for perm in self.default_repo_groups_perms:
                         rg_k = perm.UserRepoGroupToPerm.group.group_name
                         p = 'group.admin'
                         self.permissions_repository_groups[rg_k] = p, PermOrigin.SUPER_ADMIN
                     # user groups
                     for perm in self.default_user_group_perms:
                         u_k = perm.UserUserGroupToPerm.user_group.users_group_name
                         p = 'usergroup.admin'
                         self.permissions_user_groups[u_k] = p, PermOrigin.SUPER_ADMIN
                     # branch permissions
-                    # TODO(marcink): validate this, especially
+                    # since super-admin also can have custom rule permissions
-                    # how this should work using multiple patterns specified ??
+                    # we *always* need to calculate those inherited from default, and also explicit
-                    # looks ok, but still needs double check !!
+                    self._calculate_default_permissions_repository_branches(
-                    for perm in self.default_branch_repo_perms:
+                        user_inherit_object_permissions=False)
-                        r_k = perm.UserRepoToPerm.repository.repo_name
+                    self._calculate_repository_branch_permissions()
-                        p = 'branch.push_force'
-                        self.permissions_repository_branches[r_k] = '*', p, PermOrigin.SUPER_ADMIN
                     return self._permission_structure()
                 def _calculate_global_default_permissions(self):
                     """
                     global permissions taken from the default user
                     """
                     default_global_perms = UserToPerm.query()\
                         .filter(UserToPerm.user_id == self.default_user_id)\
                         .options(joinedload(UserToPerm.permission))
                     for perm in default_global_perms:
                         self.permissions_global.add(perm.permission.permission_name)
                     if self.user_is_admin:
                         self.permissions_global.add('hg.admin')
                         self.permissions_global.add('hg.create.write_on_repogroup.true')
                 def _calculate_global_permissions(self):
                     """
                     Set global system permissions with user permissions or permissions
                     taken from the user groups of the current user.
                     The permissions include repo creating, repo group creating, forking
                     etc.
                     """
                     # now we read the defined permissions and overwrite what we have set
                     # before those can be configured from groups or users explicitly.
                     # In case we want to extend this list we should make sure
                     # this is in sync with User.DEFAULT_USER_PERMISSIONS definitions
                     _configurable = frozenset([
                         'hg.fork.none', 'hg.fork.repository',
                         'hg.create.none', 'hg.create.repository',
                         'hg.usergroup.create.false', 'hg.usergroup.create.true',
                         'hg.repogroup.create.false', 'hg.repogroup.create.true',
                         'hg.create.write_on_repogroup.false', 'hg.create.write_on_repogroup.true',
                         'hg.inherit_default_perms.false', 'hg.inherit_default_perms.true'
                     ])
                     # USER GROUPS comes first user group global permissions
                     user_perms_from_users_groups = Session().query(UserGroupToPerm)\
                         .options(joinedload(UserGroupToPerm.permission))\
                         .join((UserGroupMember, UserGroupToPerm.users_group_id ==
                                UserGroupMember.users_group_id))\
                         .filter(UserGroupMember.user_id == self.user_id)\
                         .order_by(UserGroupToPerm.users_group_id)\
                         .all()
                     # need to group here by groups since user can be in more than
                     # one group, so we get all groups
                     _explicit_grouped_perms = [
                         [x, list(y)] for x, y in
                         itertools.groupby(user_perms_from_users_groups,
                                           lambda _x: _x.users_group)]
                     for gr, perms in _explicit_grouped_perms:
                         # since user can be in multiple groups iterate over them and
                         # select the lowest permissions first (more explicit)
                         # TODO(marcink): do this^^
                         # group doesn't inherit default permissions so we actually set them
                         if not gr.inherit_default_permissions:
                             # NEED TO IGNORE all previously set configurable permissions
                             # and replace them with explicitly set from this user
                             # group permissions
                             self.permissions_global = self.permissions_global.difference(
                                 _configurable)
                             for perm in perms:
                                 self.permissions_global.add(perm.permission.permission_name)
                     # user explicit global permissions
                     user_perms = Session().query(UserToPerm)\
                         .options(joinedload(UserToPerm.permission))\
                         .filter(UserToPerm.user_id == self.user_id).all()
                     if not self.inherit_default_permissions:
                         # NEED TO IGNORE all configurable permissions and
                         # replace them with explicitly set from this user permissions
                         self.permissions_global = self.permissions_global.difference(
                             _configurable)
                         for perm in user_perms:
                             self.permissions_global.add(perm.permission.permission_name)
-                def _calculate_default_permissions(self):
+                def _calculate_default_permissions_repositories(self, user_inherit_object_permissions):
-                    """
-                    Set default user permissions for repositories, repository branches,
-                    repository groups, user groups taken from the default user.
-                    Calculate inheritance of object permissions based on what we have now
-                    in GLOBAL permissions. We check if .false is in GLOBAL since this is
-                    explicitly set. Inherit is the opposite of .false being there.
-                    .. note::
-                       the syntax is little bit odd but what we need to check here is
-                       the opposite of .false permission being in the list so even for
-                       inconsistent state when both .true/.false is there
-                       .false is more important
-                    """
-                    user_inherit_object_permissions = not ('hg.inherit_default_perms.false'
-                                                           in self.permissions_global)
-                    # default permissions for repositories, taken from `default` user permissions
                     for perm in self.default_repo_perms:
                         r_k = perm.UserRepoToPerm.repository.repo_name
                         p = perm.Permission.permission_name
                         o = PermOrigin.REPO_DEFAULT
                         self.permissions_repositories[r_k] = p, o
                         # if we decide this user isn't inheriting permissions from
                         # default user we set him to .none so only explicit
                         # permissions work
                         if not user_inherit_object_permissions:
                             p = 'repository.none'
                             o = PermOrigin.REPO_DEFAULT_NO_INHERIT
                             self.permissions_repositories[r_k] = p, o
                         if perm.Repository.private and not (
                                 perm.Repository.user_id == self.user_id):
                             # disable defaults for private repos,
                             p = 'repository.none'
                             o = PermOrigin.REPO_PRIVATE
                             self.permissions_repositories[r_k] = p, o
                         elif perm.Repository.user_id == self.user_id:
                             # set admin if owner
                             p = 'repository.admin'
                             o = PermOrigin.REPO_OWNER
                             self.permissions_repositories[r_k] = p, o
                         if self.user_is_admin:
                             p = 'repository.admin'
                             o = PermOrigin.SUPER_ADMIN
                             self.permissions_repositories[r_k] = p, o
-                    # default permissions branch for repositories, taken from `default` user permissions
+                def _calculate_default_permissions_repository_branches(self, user_inherit_object_permissions):
                     for perm in self.default_branch_repo_perms:
                         r_k = perm.UserRepoToPerm.repository.repo_name
                         p = perm.Permission.permission_name
                         pattern = perm.UserToRepoBranchPermission.branch_pattern
                         o = PermOrigin.REPO_USER % perm.UserRepoToPerm.user.username
                         if not self.explicit:
                             # TODO(marcink): fix this for multiple entries
                             cur_perm = self.permissions_repository_branches.get(r_k) or 'branch.none'
                             p = self._choose_permission(p, cur_perm)
                         # NOTE(marcink): register all pattern/perm instances in this
                         # special dict that aggregates entries
                         self.permissions_repository_branches[r_k] = pattern, p, o
-                    # default permissions for repository groups taken from `default` user permission
+                def _calculate_default_permissions_repository_groups(self, user_inherit_object_permissions):
                     for perm in self.default_repo_groups_perms:
                         rg_k = perm.UserRepoGroupToPerm.group.group_name
                         p = perm.Permission.permission_name
                         o = PermOrigin.REPOGROUP_DEFAULT
                         self.permissions_repository_groups[rg_k] = p, o
                         # if we decide this user isn't inheriting permissions from default
                         # user we set him to .none so only explicit permissions work
                         if not user_inherit_object_permissions:
                             p = 'group.none'
                             o = PermOrigin.REPOGROUP_DEFAULT_NO_INHERIT
                             self.permissions_repository_groups[rg_k] = p, o
                         if perm.RepoGroup.user_id == self.user_id:
                             # set admin if owner
                             p = 'group.admin'
                             o = PermOrigin.REPOGROUP_OWNER
                             self.permissions_repository_groups[rg_k] = p, o
                         if self.user_is_admin:
                             p = 'group.admin'
                             o = PermOrigin.SUPER_ADMIN
                             self.permissions_repository_groups[rg_k] = p, o
-                    # default permissions for user groups taken from `default` user permission
+                def _calculate_default_permissions_user_groups(self, user_inherit_object_permissions):
                     for perm in self.default_user_group_perms:
                         u_k = perm.UserUserGroupToPerm.user_group.users_group_name
                         p = perm.Permission.permission_name
                         o = PermOrigin.USERGROUP_DEFAULT
                         self.permissions_user_groups[u_k] = p, o
                         # if we decide this user isn't inheriting permissions from default
                         # user we set him to .none so only explicit permissions work
                         if not user_inherit_object_permissions:
                             p = 'usergroup.none'
                             o = PermOrigin.USERGROUP_DEFAULT_NO_INHERIT
                             self.permissions_user_groups[u_k] = p, o
                         if perm.UserGroup.user_id == self.user_id:
                             # set admin if owner
                             p = 'usergroup.admin'
                             o = PermOrigin.USERGROUP_OWNER
                             self.permissions_user_groups[u_k] = p, o
                         if self.user_is_admin:
                             p = 'usergroup.admin'
                             o = PermOrigin.SUPER_ADMIN
                             self.permissions_user_groups[u_k] = p, o
+                def _calculate_default_permissions(self):
+                    """
+                    Set default user permissions for repositories, repository branches,
+                    repository groups, user groups taken from the default user.
+                    Calculate inheritance of object permissions based on what we have now
+                    in GLOBAL permissions. We check if .false is in GLOBAL since this is
+                    explicitly set. Inherit is the opposite of .false being there.
+                    .. note::
+                       the syntax is little bit odd but what we need to check here is
+                       the opposite of .false permission being in the list so even for
+                       inconsistent state when both .true/.false is there
+                       .false is more important
+                    """
+                    user_inherit_object_permissions = not ('hg.inherit_default_perms.false'
+                                                           in self.permissions_global)
+                    # default permissions inherited from `default` user permissions
+                    self._calculate_default_permissions_repositories(
+                        user_inherit_object_permissions)
+                    self._calculate_default_permissions_repository_branches(
+                        user_inherit_object_permissions)
+                    self._calculate_default_permissions_repository_groups(
+                        user_inherit_object_permissions)
+                    self._calculate_default_permissions_user_groups(
+                        user_inherit_object_permissions)
                 def _calculate_repository_permissions(self):
                     """
                     Repository permissions for the current user.
                     Check if the user is part of user groups for this repository and
                     fill in the permission from it. `_choose_permission` decides of which
                     permission should be selected based on selected method.
                     """
                     # user group for repositories permissions
                     user_repo_perms_from_user_group = Permission\
                         .get_default_repo_perms_from_user_group(
                             self.user_id, self.scope_repo_id)
                     multiple_counter = collections.defaultdict(int)
                     for perm in user_repo_perms_from_user_group:
                         r_k = perm.UserGroupRepoToPerm.repository.repo_name
                         multiple_counter[r_k] += 1
                         p = perm.Permission.permission_name
                         o = PermOrigin.REPO_USERGROUP % perm.UserGroupRepoToPerm\
                             .users_group.users_group_name
                         if multiple_counter[r_k] > 1:
                             cur_perm = self.permissions_repositories[r_k]
                             p = self._choose_permission(p, cur_perm)
                         self.permissions_repositories[r_k] = p, o
                         if perm.Repository.user_id == self.user_id:
                             # set admin if owner
                             p = 'repository.admin'
                             o = PermOrigin.REPO_OWNER
                             self.permissions_repositories[r_k] = p, o
                         if self.user_is_admin:
                             p = 'repository.admin'
                             o = PermOrigin.SUPER_ADMIN
                             self.permissions_repositories[r_k] = p, o
                     # user explicit permissions for repositories, overrides any specified
                     # by the group permission
                     user_repo_perms = Permission.get_default_repo_perms(
                         self.user_id, self.scope_repo_id)
                     for perm in user_repo_perms:
                         r_k = perm.UserRepoToPerm.repository.repo_name
                         p = perm.Permission.permission_name
                         o = PermOrigin.REPO_USER % perm.UserRepoToPerm.user.username
                         if not self.explicit:
                             cur_perm = self.permissions_repositories.get(
                                 r_k, 'repository.none')
                             p = self._choose_permission(p, cur_perm)
                         self.permissions_repositories[r_k] = p, o
                         if perm.Repository.user_id == self.user_id:
                             # set admin if owner
                             p = 'repository.admin'
                             o = PermOrigin.REPO_OWNER
                             self.permissions_repositories[r_k] = p, o
                         if self.user_is_admin:
                             p = 'repository.admin'
                             o = PermOrigin.SUPER_ADMIN
                             self.permissions_repositories[r_k] = p, o
                 def _calculate_repository_branch_permissions(self):
                     # user group for repositories permissions
                     user_repo_branch_perms_from_user_group = Permission\
                         .get_default_repo_branch_perms_from_user_group(
                             self.user_id, self.scope_repo_id)
                     multiple_counter = collections.defaultdict(int)
                     for perm in user_repo_branch_perms_from_user_group:
                         r_k = perm.UserGroupRepoToPerm.repository.repo_name
                         p = perm.Permission.permission_name
                         pattern = perm.UserGroupToRepoBranchPermission.branch_pattern
                         o = PermOrigin.REPO_USERGROUP % perm.UserGroupRepoToPerm\
                             .users_group.users_group_name
                         multiple_counter[r_k] += 1
                         if multiple_counter[r_k] > 1:
                             # TODO(marcink): fix this for multi branch support, and multiple entries
                             cur_perm = self.permissions_repository_branches[r_k]
                             p = self._choose_permission(p, cur_perm)
                         self.permissions_repository_branches[r_k] = pattern, p, o
                     # user explicit branch permissions for repositories, overrides
                     # any specified by the group permission
                     user_repo_branch_perms = Permission.get_default_repo_branch_perms(
                         self.user_id, self.scope_repo_id)
                     for perm in user_repo_branch_perms:
                         r_k = perm.UserRepoToPerm.repository.repo_name
                         p = perm.Permission.permission_name
                         pattern = perm.UserToRepoBranchPermission.branch_pattern
                         o = PermOrigin.REPO_USER % perm.UserRepoToPerm.user.username
                         if not self.explicit:
                             # TODO(marcink): fix this for multiple entries
                             cur_perm = self.permissions_repository_branches.get(r_k) or 'branch.none'
                             p = self._choose_permission(p, cur_perm)
                         # NOTE(marcink): register all pattern/perm instances in this
                         # special dict that aggregates entries
                         self.permissions_repository_branches[r_k] = pattern, p, o
                 def _calculate_repository_group_permissions(self):
                     """
                     Repository group permissions for the current user.
                     Check if the user is part of user groups for repository groups and
                     fill in the permissions from it. `_choose_permission` decides of which
                     permission should be selected based on selected method.
                     """
                     # user group for repo groups permissions
                     user_repo_group_perms_from_user_group = Permission\
                         .get_default_group_perms_from_user_group(
                             self.user_id, self.scope_repo_group_id)
                     multiple_counter = collections.defaultdict(int)
                     for perm in user_repo_group_perms_from_user_group:
                         rg_k = perm.UserGroupRepoGroupToPerm.group.group_name
                         multiple_counter[rg_k] += 1
                         o = PermOrigin.REPOGROUP_USERGROUP % perm.UserGroupRepoGroupToPerm\
                             .users_group.users_group_name
                         p = perm.Permission.permission_name
                         if multiple_counter[rg_k] > 1:
                             cur_perm = self.permissions_repository_groups[rg_k]
                             p = self._choose_permission(p, cur_perm)
                         self.permissions_repository_groups[rg_k] = p, o
                         if perm.RepoGroup.user_id == self.user_id:
                             # set admin if owner, even for member of other user group
                             p = 'group.admin'
                             o = PermOrigin.REPOGROUP_OWNER
                             self.permissions_repository_groups[rg_k] = p, o
                         if self.user_is_admin:
                             p = 'group.admin'
                             o = PermOrigin.SUPER_ADMIN
                             self.permissions_repository_groups[rg_k] = p, o
                     # user explicit permissions for repository groups
                     user_repo_groups_perms = Permission.get_default_group_perms(
                         self.user_id, self.scope_repo_group_id)
                     for perm in user_repo_groups_perms:
                         rg_k = perm.UserRepoGroupToPerm.group.group_name
                         o = PermOrigin.REPOGROUP_USER % perm.UserRepoGroupToPerm\
                             .user.username
                         p = perm.Permission.permission_name
                         if not self.explicit:
                             cur_perm = self.permissions_repository_groups.get(
                                 rg_k, 'group.none')
                             p = self._choose_permission(p, cur_perm)
                         self.permissions_repository_groups[rg_k] = p, o
                         if perm.RepoGroup.user_id == self.user_id:
                             # set admin if owner
                             p = 'group.admin'
                             o = PermOrigin.REPOGROUP_OWNER
                             self.permissions_repository_groups[rg_k] = p, o
                         if self.user_is_admin:
                             p = 'group.admin'
                             o = PermOrigin.SUPER_ADMIN
                             self.permissions_repository_groups[rg_k] = p, o
                 def _calculate_user_group_permissions(self):
                     """
                     User group permissions for the current user.
                     """
                     # user group for user group permissions
                     user_group_from_user_group = Permission\
                         .get_default_user_group_perms_from_user_group(
                             self.user_id, self.scope_user_group_id)
                     multiple_counter = collections.defaultdict(int)
                     for perm in user_group_from_user_group:
                         ug_k = perm.UserGroupUserGroupToPerm\
                             .target_user_group.users_group_name
                         multiple_counter[ug_k] += 1
                         o = PermOrigin.USERGROUP_USERGROUP % perm.UserGroupUserGroupToPerm\
                             .user_group.users_group_name
                         p = perm.Permission.permission_name
                         if multiple_counter[ug_k] > 1:
                             cur_perm = self.permissions_user_groups[ug_k]
                             p = self._choose_permission(p, cur_perm)
                         self.permissions_user_groups[ug_k] = p, o
                         if perm.UserGroup.user_id == self.user_id:
                             # set admin if owner, even for member of other user group
                             p = 'usergroup.admin'
                             o = PermOrigin.USERGROUP_OWNER
                             self.permissions_user_groups[ug_k] = p, o
                         if self.user_is_admin:
                             p = 'usergroup.admin'
                             o = PermOrigin.SUPER_ADMIN
                             self.permissions_user_groups[ug_k] = p, o
                     # user explicit permission for user groups
                     user_user_groups_perms = Permission.get_default_user_group_perms(
                         self.user_id, self.scope_user_group_id)
                     for perm in user_user_groups_perms:
                         ug_k = perm.UserUserGroupToPerm.user_group.users_group_name
                         o = PermOrigin.USERGROUP_USER % perm.UserUserGroupToPerm\
                             .user.username
                         p = perm.Permission.permission_name
                         if not self.explicit:
                             cur_perm = self.permissions_user_groups.get(
                                 ug_k, 'usergroup.none')
                             p = self._choose_permission(p, cur_perm)
                         self.permissions_user_groups[ug_k] = p, o
                         if perm.UserGroup.user_id == self.user_id:
                             # set admin if owner
                             p = 'usergroup.admin'
                             o = PermOrigin.USERGROUP_OWNER
                             self.permissions_user_groups[ug_k] = p, o
                         if self.user_is_admin:
                             p = 'usergroup.admin'
                             o = PermOrigin.SUPER_ADMIN
                             self.permissions_user_groups[ug_k] = p, o
                 def _choose_permission(self, new_perm, cur_perm):
                     new_perm_val = Permission.PERM_WEIGHTS[new_perm]
                     cur_perm_val = Permission.PERM_WEIGHTS[cur_perm]
                     if self.algo == 'higherwin':
                         if new_perm_val > cur_perm_val:
                             return new_perm
                         return cur_perm
                     elif self.algo == 'lowerwin':
                         if new_perm_val < cur_perm_val:
                             return new_perm
                         return cur_perm
                 def _permission_structure(self):
                     return {
                         'global': self.permissions_global,
                         'repositories': self.permissions_repositories,
                         'repository_branches': self.permissions_repository_branches,
                         'repositories_groups': self.permissions_repository_groups,
                         'user_groups': self.permissions_user_groups,
                     }
             def allowed_auth_token_access(view_name, auth_token, whitelist=None):
                 """
                 Check if given controller_name is in whitelist of auth token access
                 """
                 if not whitelist:
                     from rhodecode import CONFIG
                     whitelist = aslist(
                         CONFIG.get('api_access_controllers_whitelist'), sep=',')
                 # backward compat translation
                 compat = {
                     # old controller, new VIEW
                     'ChangesetController:*': 'RepoCommitsView:*',
                     'ChangesetController:changeset_patch': 'RepoCommitsView:repo_commit_patch',
                     'ChangesetController:changeset_raw': 'RepoCommitsView:repo_commit_raw',
                     'FilesController:raw': 'RepoCommitsView:repo_commit_raw',
                     'FilesController:archivefile': 'RepoFilesView:repo_archivefile',
                     'GistsController:*': 'GistView:*',
                 }
                 log.debug(
                     'Allowed views for AUTH TOKEN access: %s' % (whitelist,))
                 auth_token_access_valid = False
                 for entry in whitelist:
                     token_match = True
                     if entry in compat:
                         # translate from old Controllers to Pyramid Views
                         entry = compat[entry]
                     if '@' in entry:
                         # specific AuthToken
                         entry, allowed_token = entry.split('@', 1)
                         token_match = auth_token == allowed_token
                     if fnmatch.fnmatch(view_name, entry) and token_match:
                         auth_token_access_valid = True
                         break
                 if auth_token_access_valid:
                     log.debug('view: `%s` matches entry in whitelist: %s'
                               % (view_name, whitelist))
                 else:
                     msg = ('view: `%s` does *NOT* match any entry in whitelist: %s'
                            % (view_name, whitelist))
                     if auth_token:
                         # if we use auth token key and don't have access it's a warning
                         log.warning(msg)
                     else:
                         log.debug(msg)
                 return auth_token_access_valid
             class AuthUser(object):
                 """
                 A simple object that handles all attributes of user in RhodeCode
                 It does lookup based on API key,given user, or user present in session
                 Then it fills all required information for such user. It also checks if
                 anonymous access is enabled and if so, it returns default user as logged in
                 """
                 GLOBAL_PERMS = [x[0] for x in Permission.PERMS]
                 def __init__(self, user_id=None, api_key=None, username=None, ip_addr=None):
                     self.user_id = user_id
                     self._api_key = api_key
                     self.api_key = None
                     self.username = username
                     self.ip_addr = ip_addr
                     self.name = ''
                     self.lastname = ''
                     self.first_name = ''
                     self.last_name = ''
                     self.email = ''
                     self.is_authenticated = False
                     self.admin = False
                     self.inherit_default_permissions = False
                     self.password = ''
                     self.anonymous_user = None  # propagated on propagate_data
                     self.propagate_data()
                     self._instance = None
                     self._permissions_scoped_cache = {}  # used to bind scoped calculation
                 @LazyProperty
                 def permissions(self):
-                    return self.get_perms(user=self, cache=False)
+                    return self.get_perms(user=self, cache=None)
                 @LazyProperty
                 def permissions_safe(self):
                     """
                     Filtered permissions excluding not allowed repositories
                     """
-                    perms = self.get_perms(user=self, cache=False)
+                    perms = self.get_perms(user=self, cache=None)
                     perms['repositories'] = {
                         k: v for k, v in perms['repositories'].items()
                         if v != 'repository.none'}
                     perms['repositories_groups'] = {
                         k: v for k, v in perms['repositories_groups'].items()
                         if v != 'group.none'}
                     perms['user_groups'] = {
                         k: v for k, v in perms['user_groups'].items()
                         if v != 'usergroup.none'}
                     perms['repository_branches'] = {
                         k: v for k, v in perms['repository_branches'].iteritems()
                         if v != 'branch.none'}
                     return perms
                 @LazyProperty
                 def permissions_full_details(self):
                     return self.get_perms(
-                        user=self, cache=False, calculate_super_admin=True)
+                        user=self, cache=None, calculate_super_admin=True)
                 def permissions_with_scope(self, scope):
                     """
                     Call the get_perms function with scoped data. The scope in that function
                     narrows the SQL calls to the given ID of objects resulting in fetching
                     Just particular permission we want to obtain. If scope is an empty dict
                     then it basically narrows the scope to GLOBAL permissions only.
                     :param scope: dict
                     """
                     if 'repo_name' in scope:
                         obj = Repository.get_by_repo_name(scope['repo_name'])
                         if obj:
                             scope['repo_id'] = obj.repo_id
                     _scope = collections.OrderedDict()
                     _scope['repo_id'] = -1
                     _scope['user_group_id'] = -1
                     _scope['repo_group_id'] = -1
                     for k in sorted(scope.keys()):
                         _scope[k] = scope[k]
                     # store in cache to mimic how the @LazyProperty works,
                     # the difference here is that we use the unique key calculated
                     # from params and values
-                    return self.get_perms(user=self, cache=False, scope=_scope)
+                    return self.get_perms(user=self, cache=None, scope=_scope)
                 def get_instance(self):
                     return User.get(self.user_id)
                 def propagate_data(self):
                     """
                     Fills in user data and propagates values to this instance. Maps fetched
                     user attributes to this class instance attributes
                     """
                     log.debug('AuthUser: starting data propagation for new potential user')
                     user_model = UserModel()
                     anon_user = self.anonymous_user = User.get_default_user(cache=True)
                     is_user_loaded = False
                     # lookup by userid
                     if self.user_id is not None and self.user_id != anon_user.user_id:
                         log.debug('Trying Auth User lookup by USER ID: `%s`', self.user_id)
                         is_user_loaded = user_model.fill_data(self, user_id=self.user_id)
                     # try go get user by api key
                     elif self._api_key and self._api_key != anon_user.api_key:
                         log.debug('Trying Auth User lookup by API KEY: `%s`', self._api_key)
                         is_user_loaded = user_model.fill_data(self, api_key=self._api_key)
                     # lookup by username
                     elif self.username:
                         log.debug('Trying Auth User lookup by USER NAME: `%s`', self.username)
                         is_user_loaded = user_model.fill_data(self, username=self.username)
                     else:
                         log.debug('No data in %s that could been used to log in', self)
                     if not is_user_loaded:
                         log.debug(
                             'Failed to load user. Fallback to default user %s', anon_user)
                         # if we cannot authenticate user try anonymous
                         if anon_user.active:
                             log.debug('default user is active, using it as a session user')
                             user_model.fill_data(self, user_id=anon_user.user_id)
                             # then we set this user is logged in
                             self.is_authenticated = True
                         else:
                             log.debug('default user is NOT active')
                             # in case of disabled anonymous user we reset some of the
                             # parameters so such user is "corrupted", skipping the fill_data
                             for attr in ['user_id', 'username', 'admin', 'active']:
                                 setattr(self, attr, None)
                             self.is_authenticated = False
                     if not self.username:
                         self.username = 'None'
                     log.debug('AuthUser: propagated user is now %s', self)
                 def get_perms(self, user, scope=None, explicit=True, algo='higherwin',
-                              calculate_super_admin=False, cache=False):
+                              calculate_super_admin=False, cache=None):
                     """
                     Fills user permission attribute with permissions taken from database
                     works for permissions given for repositories, and for permissions that
                     are granted to groups
                     :param user: instance of User object from database
                     :param explicit: In case there are permissions both for user and a group
                         that user is part of, explicit flag will defiine if user will
                         explicitly override permissions from group, if it's False it will
                         make decision based on the algo
                     :param algo: algorithm to decide what permission should be choose if
                         it's multiple defined, eg user in two different groups. It also
                         decides if explicit flag is turned off how to specify the permission
                         for case when user is in a group + have defined separate permission
+                    :param calculate_super_admin: calculate permissions for super-admin in the
+                        same way as for regular user without speedups
+                    :param cache: Use caching for calculation, None = let the cache backend decide
                     """
                     user_id = user.user_id
                     user_is_admin = user.is_admin
                     # inheritance of global permissions like create repo/fork repo etc
                     user_inherit_default_permissions = user.inherit_default_permissions
                     cache_seconds = safe_int(
                         rhodecode.CONFIG.get('rc_cache.cache_perms.expiration_time'))
-                    cache_on = cache or cache_seconds > 0
+                    if cache is None:
+                        # let the backend cache decide
+                        cache_on = cache_seconds > 0
+                    else:
+                        cache_on = cache
                     log.debug(
                         'Computing PERMISSION tree for user %s scope `%s` '
                         'with caching: %s[TTL: %ss]' % (user, scope, cache_on, cache_seconds or 0))
                     cache_namespace_uid = 'cache_user_auth.{}'.format(user_id)
                     region = rc_cache.get_or_create_region('cache_perms', cache_namespace_uid)
                     @region.conditional_cache_on_arguments(namespace=cache_namespace_uid,
                                                            condition=cache_on)
                     def compute_perm_tree(cache_name,
                             user_id, scope, user_is_admin,user_inherit_default_permissions,
                             explicit, algo, calculate_super_admin):
                         return _cached_perms_data(
                             user_id, scope, user_is_admin, user_inherit_default_permissions,
                             explicit, algo, calculate_super_admin)
                     start = time.time()
-                    result = compute_perm_tree('permissions', user_id, scope, user_is_admin,
+                    result = compute_perm_tree(
-                                     user_inherit_default_permissions, explicit, algo,
+                        'permissions', user_id, scope, user_is_admin,
-                                     calculate_super_admin)
+                         user_inherit_default_permissions, explicit, algo,
+                         calculate_super_admin)
                     result_repr = []
                     for k in result:
                         result_repr.append((k, len(result[k])))
                     total = time.time() - start
                     log.debug('PERMISSION tree for user %s computed in %.3fs: %s' % (
                         user, total, result_repr))
                     return result
                 @property
                 def is_default(self):
                     return self.username == User.DEFAULT_USER
                 @property
                 def is_admin(self):
                     return self.admin
                 @property
                 def is_user_object(self):
                     return self.user_id is not None
                 @property
                 def repositories_admin(self):
                     """
                     Returns list of repositories you're an admin of
                     """
                     return [
                         x[0] for x in self.permissions['repositories'].items()
                         if x[1] == 'repository.admin']
                 @property
                 def repository_groups_admin(self):
                     """
                     Returns list of repository groups you're an admin of
                     """
                     return [
                         x[0] for x in self.permissions['repositories_groups'].items()
                         if x[1] == 'group.admin']
                 @property
                 def user_groups_admin(self):
                     """
                     Returns list of user groups you're an admin of
                     """
                     return [
                         x[0] for x in self.permissions['user_groups'].items()
                         if x[1] == 'usergroup.admin']
                 def repo_acl_ids(self, perms=None, name_filter=None, cache=False):
                     """
                     Returns list of repository ids that user have access to based on given
                     perms. The cache flag should be only used in cases that are used for
                     display purposes, NOT IN ANY CASE for permission checks.
                     """
                     from rhodecode.model.scm import RepoList
                     if not perms:
                         perms = [
                             'repository.read', 'repository.write', 'repository.admin']
                     def _cached_repo_acl(user_id, perm_def, _name_filter):
                         qry = Repository.query()
                         if _name_filter:
                             ilike_expression = u'%{}%'.format(safe_unicode(_name_filter))
                             qry = qry.filter(
                                 Repository.repo_name.ilike(ilike_expression))
                         return [x.repo_id for x in
                                 RepoList(qry, perm_set=perm_def)]
                     return _cached_repo_acl(self.user_id, perms, name_filter)
                 def repo_group_acl_ids(self, perms=None, name_filter=None, cache=False):
                     """
                     Returns list of repository group ids that user have access to based on given
                     perms. The cache flag should be only used in cases that are used for
                     display purposes, NOT IN ANY CASE for permission checks.
                     """
                     from rhodecode.model.scm import RepoGroupList
                     if not perms:
                         perms = [
                             'group.read', 'group.write', 'group.admin']
                     def _cached_repo_group_acl(user_id, perm_def, _name_filter):
                         qry = RepoGroup.query()
                         if _name_filter:
                             ilike_expression = u'%{}%'.format(safe_unicode(_name_filter))
                             qry = qry.filter(
                                 RepoGroup.group_name.ilike(ilike_expression))
                         return [x.group_id for x in
                                 RepoGroupList(qry, perm_set=perm_def)]
                     return _cached_repo_group_acl(self.user_id, perms, name_filter)
                 def user_group_acl_ids(self, perms=None, name_filter=None, cache=False):
                     """
                     Returns list of user group ids that user have access to based on given
                     perms. The cache flag should be only used in cases that are used for
                     display purposes, NOT IN ANY CASE for permission checks.
                     """
                     from rhodecode.model.scm import UserGroupList
                     if not perms:
                         perms = [
                             'usergroup.read', 'usergroup.write', 'usergroup.admin']
                     def _cached_user_group_acl(user_id, perm_def, name_filter):
                         qry = UserGroup.query()
                         if name_filter:
                             ilike_expression = u'%{}%'.format(safe_unicode(name_filter))
                             qry = qry.filter(
                                 UserGroup.users_group_name.ilike(ilike_expression))
                         return [x.users_group_id for x in
                                 UserGroupList(qry, perm_set=perm_def)]
                     return _cached_user_group_acl(self.user_id, perms, name_filter)
                 @property
                 def ip_allowed(self):
                     """
                     Checks if ip_addr used in constructor is allowed from defined list of
                     allowed ip_addresses for user
                     :returns: boolean, True if ip is in allowed ip range
                     """
                     # check IP
                     inherit = self.inherit_default_permissions
                     return AuthUser.check_ip_allowed(self.user_id, self.ip_addr,
                                                      inherit_from_default=inherit)
                 @property
                 def personal_repo_group(self):
                     return RepoGroup.get_user_personal_repo_group(self.user_id)
                 @LazyProperty
                 def feed_token(self):
                     return self.get_instance().feed_token
                 @classmethod
                 def check_ip_allowed(cls, user_id, ip_addr, inherit_from_default):
                     allowed_ips = AuthUser.get_allowed_ips(
                         user_id, cache=True, inherit_from_default=inherit_from_default)
                     if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):
                         log.debug('IP:%s for user %s is in range of %s' % (
                             ip_addr, user_id, allowed_ips))
                         return True
                     else:
                         log.info('Access for IP:%s forbidden for user %s, '
                                  'not in %s' % (ip_addr, user_id, allowed_ips))
                         return False
+                def get_branch_permissions(self, repo_name, perms=None):
+                    perms = perms or self.permissions_with_scope({'repo_name': repo_name})
+                    branch_perms = perms.get('repository_branches')
+                    return branch_perms
+                def get_rule_and_branch_permission(self, repo_name, branch_name):
+                    """
+                    Check if this AuthUser has defined any permissions for branches. If any of
+                    the rules match in order, we return the matching permissions
+                    """
+                    rule = default_perm = ''
+                    branch_perms = self.get_branch_permissions(repo_name=repo_name)
+                    if not branch_perms:
+                        return rule, default_perm
+                    repo_branch_perms = branch_perms.get(repo_name)
+                    if not repo_branch_perms:
+                        return rule, default_perm
+                    # now calculate the permissions
+                    for pattern, branch_perm in repo_branch_perms.items():
+                        if fnmatch.fnmatch(branch_name, pattern):
+                            rule = '`{}`=>{}'.format(pattern, branch_perm)
+                            return rule, branch_perm
+                    return rule, default_perm
                 def __repr__(self):
                     return "<AuthUser('id:%s[%s] ip:%s auth:%s')>"\
                         % (self.user_id, self.username, self.ip_addr, self.is_authenticated)
                 def set_authenticated(self, authenticated=True):
                     if self.user_id != self.anonymous_user.user_id:
                         self.is_authenticated = authenticated
                 def get_cookie_store(self):
                     return {
                         'username': self.username,
                         'password': md5(self.password or ''),
                         'user_id': self.user_id,
                         'is_authenticated': self.is_authenticated
                     }
                 @classmethod
                 def from_cookie_store(cls, cookie_store):
                     """
                     Creates AuthUser from a cookie store
                     :param cls:
                     :param cookie_store:
                     """
                     user_id = cookie_store.get('user_id')
                     username = cookie_store.get('username')
                     api_key = cookie_store.get('api_key')
                     return AuthUser(user_id, api_key, username)
                 @classmethod
                 def get_allowed_ips(cls, user_id, cache=False, inherit_from_default=False):
                     _set = set()
                     if inherit_from_default:
                         def_user_id = User.get_default_user(cache=True).user_id
                         default_ips = UserIpMap.query().filter(UserIpMap.user_id == def_user_id)
                         if cache:
                             default_ips = default_ips.options(
                                 FromCache("sql_cache_short", "get_user_ips_default"))
                         # populate from default user
                         for ip in default_ips:
                             try:
                                 _set.add(ip.ip_addr)
                             except ObjectDeletedError:
                                 # since we use heavy caching sometimes it happens that
                                 # we get deleted objects here, we just skip them
                                 pass
                     # NOTE:(marcink) we don't want to load any rules for empty
                     # user_id which is the case of access of non logged users when anonymous
                     # access is disabled
                     user_ips = []
                     if user_id:
                         user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)
                         if cache:
                             user_ips = user_ips.options(
                                 FromCache("sql_cache_short", "get_user_ips_%s" % user_id))
                     for ip in user_ips:
                         try:
                             _set.add(ip.ip_addr)
                         except ObjectDeletedError:
                             # since we use heavy caching sometimes it happens that we get
                             # deleted objects here, we just skip them
                             pass
                     return _set or {ip for ip in ['0.0.0.0/0', '::/0']}
             def set_available_permissions(settings):
                 """
                 This function will propagate pyramid settings with all available defined
                 permission given in db. We don't want to check each time from db for new
                 permissions since adding a new permission also requires application restart
                 ie. to decorate new views with the newly created permission
                 :param settings: current pyramid registry.settings
                 """
                 log.debug('auth: getting information about all available permissions')
                 try:
                     sa = meta.Session
                     all_perms = sa.query(Permission).all()
                     settings.setdefault('available_permissions',
                                         [x.permission_name for x in all_perms])
                     log.debug('auth: set available permissions')
                 except Exception:
                     log.exception('Failed to fetch permissions from the database.')
                     raise
             def get_csrf_token(session, force_new=False, save_if_missing=True):
                 """
                 Return the current authentication token, creating one if one doesn't
                 already exist and the save_if_missing flag is present.
                 :param session: pass in the pyramid session, else we use the global ones
                 :param force_new: force to re-generate the token and store it in session
                 :param save_if_missing: save the newly generated token if it's missing in
                     session
                 """
                 # NOTE(marcink): probably should be replaced with below one from pyramid 1.9
                 # from pyramid.csrf import get_csrf_token
                 if (csrf_token_key not in session and save_if_missing) or force_new:
                     token = hashlib.sha1(str(random.getrandbits(128))).hexdigest()
                     session[csrf_token_key] = token
                     if hasattr(session, 'save'):
                         session.save()
                 return session.get(csrf_token_key)
             def get_request(perm_class_instance):
                 from pyramid.threadlocal import get_current_request
                 pyramid_request = get_current_request()
                 return pyramid_request
             # CHECK DECORATORS
             class CSRFRequired(object):
                 """
                 Decorator for authenticating a form
                 This decorator uses an authorization token stored in the client's
                 session for prevention of certain Cross-site request forgery (CSRF)
                 attacks (See
                 http://en.wikipedia.org/wiki/Cross-site_request_forgery for more
                 information).
                 For use with the ``webhelpers.secure_form`` helper functions.
                 """
                 def __init__(self, token=csrf_token_key, header='X-CSRF-Token',
                     except_methods=None):
                     self.token = token
                     self.header = header
                     self.except_methods = except_methods or []
                 def __call__(self, func):
                     return get_cython_compat_decorator(self.__wrapper, func)
                 def _get_csrf(self, _request):
                     return _request.POST.get(self.token, _request.headers.get(self.header))
                 def check_csrf(self, _request, cur_token):
                     supplied_token = self._get_csrf(_request)
                     return supplied_token and supplied_token == cur_token
                 def _get_request(self):
                     return get_request(self)
                 def __wrapper(self, func, *fargs, **fkwargs):
                     request = self._get_request()
                     if request.method in self.except_methods:
                         return func(*fargs, **fkwargs)
                     cur_token = get_csrf_token(request.session, save_if_missing=False)
                     if self.check_csrf(request, cur_token):
                         if request.POST.get(self.token):
                             del request.POST[self.token]
                         return func(*fargs, **fkwargs)
                     else:
                         reason = 'token-missing'
                         supplied_token = self._get_csrf(request)
                         if supplied_token and cur_token != supplied_token:
                             reason = 'token-mismatch [%s:%s]' % (
                                 cur_token or ''[:6], supplied_token or ''[:6])
                         csrf_message = \
                             ("Cross-site request forgery detected, request denied. See "
                              "http://en.wikipedia.org/wiki/Cross-site_request_forgery for "
                              "more information.")
                     log.warn('Cross-site request forgery detected, request %r DENIED: %s '
                              'REMOTE_ADDR:%s, HEADERS:%s' % (
                                  request, reason, request.remote_addr, request.headers))
                     raise HTTPForbidden(explanation=csrf_message)
             class LoginRequired(object):
                 """
                 Must be logged in to execute this function else
                 redirect to login page
                 :param api_access: if enabled this checks only for valid auth token
                     and grants access based on valid token
                 """
                 def __init__(self, auth_token_access=None):
                     self.auth_token_access = auth_token_access
                 def __call__(self, func):
                     return get_cython_compat_decorator(self.__wrapper, func)
                 def _get_request(self):
                     return get_request(self)
                 def __wrapper(self, func, *fargs, **fkwargs):
                     from rhodecode.lib import helpers as h
                     cls = fargs[0]
                     user = cls._rhodecode_user
                     request = self._get_request()
                     _ = request.translate
                     loc = "%s:%s" % (cls.__class__.__name__, func.__name__)
                     log.debug('Starting login restriction checks for user: %s' % (user,))
                     # check if our IP is allowed
                     ip_access_valid = True
                     if not user.ip_allowed:
                         h.flash(h.literal(_('IP %s not allowed' % (user.ip_addr,))),
                                 category='warning')
                         ip_access_valid = False
                     # check if we used an APIKEY and it's a valid one
                     # defined white-list of controllers which API access will be enabled
                     _auth_token = request.GET.get(
                         'auth_token', '') or request.GET.get('api_key', '')
                     auth_token_access_valid = allowed_auth_token_access(
                         loc, auth_token=_auth_token)
                     # explicit controller is enabled or API is in our whitelist
                     if self.auth_token_access or auth_token_access_valid:
                         log.debug('Checking AUTH TOKEN access for %s' % (cls,))
                         db_user = user.get_instance()
                         if db_user:
                             if self.auth_token_access:
                                 roles = self.auth_token_access
                             else:
                                 roles = [UserApiKeys.ROLE_HTTP]
                             token_match = db_user.authenticate_by_token(
                                 _auth_token, roles=roles)
                         else:
                             log.debug('Unable to fetch db instance for auth user: %s', user)
                             token_match = False
                         if _auth_token and token_match:
                             auth_token_access_valid = True
                             log.debug('AUTH TOKEN ****%s is VALID' % (_auth_token[-4:],))
                         else:
                             auth_token_access_valid = False
                             if not _auth_token:
                                 log.debug("AUTH TOKEN *NOT* present in request")
                             else:
                                 log.warning(
                                     "AUTH TOKEN ****%s *NOT* valid" % _auth_token[-4:])
                     log.debug('Checking if %s is authenticated @ %s' % (user.username, loc))
                     reason = 'RHODECODE_AUTH' if user.is_authenticated \
                         else 'AUTH_TOKEN_AUTH'
                     if ip_access_valid and (
                             user.is_authenticated or auth_token_access_valid):
                         log.info(
                             'user %s authenticating with:%s IS authenticated on func %s'
                             % (user, reason, loc))
                         return func(*fargs, **fkwargs)
                     else:
                         log.warning(
                             'user %s authenticating with:%s NOT authenticated on '
                             'func: %s: IP_ACCESS:%s AUTH_TOKEN_ACCESS:%s'
                             % (user, reason, loc, ip_access_valid,
                                auth_token_access_valid))
                         # we preserve the get PARAM
                         came_from = get_came_from(request)
                         log.debug('redirecting to login page with %s' % (came_from,))
                         raise HTTPFound(
                             h.route_path('login', _query={'came_from': came_from}))
             class NotAnonymous(object):
                 """
                 Must be logged in to execute this function else
                 redirect to login page
                 """
                 def __call__(self, func):
                     return get_cython_compat_decorator(self.__wrapper, func)
                 def _get_request(self):
                     return get_request(self)
                 def __wrapper(self, func, *fargs, **fkwargs):
                     import rhodecode.lib.helpers as h
                     cls = fargs[0]
                     self.user = cls._rhodecode_user
                     request = self._get_request()
                     _ = request.translate
                     log.debug('Checking if user is not anonymous @%s' % cls)
                     anonymous = self.user.username == User.DEFAULT_USER
                     if anonymous:
                         came_from = get_came_from(request)
                         h.flash(_('You need to be a registered user to '
                                   'perform this action'),
                                 category='warning')
                         raise HTTPFound(
                             h.route_path('login', _query={'came_from': came_from}))
                     else:
                         return func(*fargs, **fkwargs)
             class PermsDecorator(object):
                 """
                 Base class for controller decorators, we extract the current user from
                 the class itself, which has it stored in base controllers
                 """
                 def __init__(self, *required_perms):
                     self.required_perms = set(required_perms)
                 def __call__(self, func):
                     return get_cython_compat_decorator(self.__wrapper, func)
                 def _get_request(self):
                     return get_request(self)
                 def __wrapper(self, func, *fargs, **fkwargs):
                     import rhodecode.lib.helpers as h
                     cls = fargs[0]
                     _user = cls._rhodecode_user
                     request = self._get_request()
                     _ = request.translate
                     log.debug('checking %s permissions %s for %s %s',
                               self.__class__.__name__, self.required_perms, cls, _user)
                     if self.check_permissions(_user):
                         log.debug('Permission granted for %s %s', cls, _user)
                         return func(*fargs, **fkwargs)
                     else:
                         log.debug('Permission denied for %s %s', cls, _user)
                         anonymous = _user.username == User.DEFAULT_USER
                         if anonymous:
                             came_from = get_came_from(self._get_request())
                             h.flash(_('You need to be signed in to view this page'),
                                     category='warning')
                             raise HTTPFound(
                                 h.route_path('login', _query={'came_from': came_from}))
                         else:
                             # redirect with 404 to prevent resource discovery
                             raise HTTPNotFound()
                 def check_permissions(self, user):
                     """Dummy function for overriding"""
                     raise NotImplementedError(
                         'You have to write this function in child class')
             class HasPermissionAllDecorator(PermsDecorator):
                 """
                 Checks for access permission for all given predicates. All of them
                 have to be meet in order to fulfill the request
                 """
                 def check_permissions(self, user):
                     perms = user.permissions_with_scope({})
                     if self.required_perms.issubset(perms['global']):
                         return True
                     return False
             class HasPermissionAnyDecorator(PermsDecorator):
                 """
                 Checks for access permission for any of given predicates. In order to
                 fulfill the request any of predicates must be meet
                 """
                 def check_permissions(self, user):
                     perms = user.permissions_with_scope({})
                     if self.required_perms.intersection(perms['global']):
                         return True
                     return False
             class HasRepoPermissionAllDecorator(PermsDecorator):
                 """
                 Checks for access permission for all given predicates for specific
                 repository. All of them have to be meet in order to fulfill the request
                 """
                 def _get_repo_name(self):
                     _request = self._get_request()
                     return get_repo_slug(_request)
                 def check_permissions(self, user):
                     perms = user.permissions
                     repo_name = self._get_repo_name()
                     try:
                         user_perms = {perms['repositories'][repo_name]}
                     except KeyError:
                         log.debug('cannot locate repo with name: `%s` in permissions defs',
                                   repo_name)
                         return False
                     log.debug('checking `%s` permissions for repo `%s`',
                               user_perms, repo_name)
                     if self.required_perms.issubset(user_perms):
                         return True
                     return False
             class HasRepoPermissionAnyDecorator(PermsDecorator):
                 """
                 Checks for access permission for any of given predicates for specific
                 repository. In order to fulfill the request any of predicates must be meet
                 """
                 def _get_repo_name(self):
                     _request = self._get_request()
                     return get_repo_slug(_request)
                 def check_permissions(self, user):
                     perms = user.permissions
                     repo_name = self._get_repo_name()
                     try:
                         user_perms = {perms['repositories'][repo_name]}
                     except KeyError:
                         log.debug(
                             'cannot locate repo with name: `%s` in permissions defs',
                             repo_name)
                         return False
                     log.debug('checking `%s` permissions for repo `%s`',
                               user_perms, repo_name)
                     if self.required_perms.intersection(user_perms):
                         return True
                     return False
             class HasRepoGroupPermissionAllDecorator(PermsDecorator):
                 """
                 Checks for access permission for all given predicates for specific
                 repository group. All of them have to be meet in order to
                 fulfill the request
                 """
                 def _get_repo_group_name(self):
                     _request = self._get_request()
                     return get_repo_group_slug(_request)
                 def check_permissions(self, user):
                     perms = user.permissions
                     group_name = self._get_repo_group_name()
                     try:
                         user_perms = {perms['repositories_groups'][group_name]}
                     except KeyError:
                         log.debug(
                             'cannot locate repo group with name: `%s` in permissions defs',
                             group_name)
                         return False
                     log.debug('checking `%s` permissions for repo group `%s`',
                               user_perms, group_name)
                     if self.required_perms.issubset(user_perms):
                         return True
                     return False
             class HasRepoGroupPermissionAnyDecorator(PermsDecorator):
                 """
                 Checks for access permission for any of given predicates for specific
                 repository group. In order to fulfill the request any
                 of predicates must be met
                 """
                 def _get_repo_group_name(self):
                     _request = self._get_request()
                     return get_repo_group_slug(_request)
                 def check_permissions(self, user):
                     perms = user.permissions
                     group_name = self._get_repo_group_name()
                     try:
                         user_perms = {perms['repositories_groups'][group_name]}
                     except KeyError:
                         log.debug(
                             'cannot locate repo group with name: `%s` in permissions defs',
                             group_name)
                         return False
                     log.debug('checking `%s` permissions for repo group `%s`',
                               user_perms, group_name)
                     if self.required_perms.intersection(user_perms):
                         return True
                     return False
             class HasUserGroupPermissionAllDecorator(PermsDecorator):
                 """
                 Checks for access permission for all given predicates for specific
                 user group. All of them have to be meet in order to fulfill the request
                 """
                 def _get_user_group_name(self):
                     _request = self._get_request()
                     return get_user_group_slug(_request)
                 def check_permissions(self, user):
                     perms = user.permissions
                     group_name = self._get_user_group_name()
                     try:
                         user_perms = {perms['user_groups'][group_name]}
                     except KeyError:
                         return False
                     if self.required_perms.issubset(user_perms):
                         return True
                     return False
             class HasUserGroupPermissionAnyDecorator(PermsDecorator):
                 """
                 Checks for access permission for any of given predicates for specific
                 user group. In order to fulfill the request any of predicates must be meet
                 """
                 def _get_user_group_name(self):
                     _request = self._get_request()
                     return get_user_group_slug(_request)
                 def check_permissions(self, user):
                     perms = user.permissions
                     group_name = self._get_user_group_name()
                     try:
                         user_perms = {perms['user_groups'][group_name]}
                     except KeyError:
                         return False
                     if self.required_perms.intersection(user_perms):
                         return True
                     return False
             # CHECK FUNCTIONS
             class PermsFunction(object):
                 """Base function for other check functions"""
                 def __init__(self, *perms):
                     self.required_perms = set(perms)
                     self.repo_name = None
                     self.repo_group_name = None
                     self.user_group_name = None
                 def __bool__(self):
                     frame = inspect.currentframe()
                     stack_trace = traceback.format_stack(frame)
                     log.error('Checking bool value on a class instance of perm '
                               'function is not allowed: %s' % ''.join(stack_trace))
                     # rather than throwing errors, here we always return False so if by
                     # accident someone checks truth for just an instance it will always end
                     # up in returning False
                     return False
                 __nonzero__ = __bool__
                 def __call__(self, check_location='', user=None):
                     if not user:
                         log.debug('Using user attribute from global request')
                         request = self._get_request()
                         user = request.user
                     # init auth user if not already given
                     if not isinstance(user, AuthUser):
                         log.debug('Wrapping user %s into AuthUser', user)
                         user = AuthUser(user.user_id)
                     cls_name = self.__class__.__name__
                     check_scope = self._get_check_scope(cls_name)
                     check_location = check_location or 'unspecified location'
                     log.debug('checking cls:%s %s usr:%s %s @ %s', cls_name,
                               self.required_perms, user, check_scope, check_location)
                     if not user:
                         log.warning('Empty user given for permission check')
                         return False
                     if self.check_permissions(user):
                         log.debug('Permission to repo:`%s` GRANTED for user:`%s` @ %s',
                                   check_scope, user, check_location)
                         return True
                     else:
                         log.debug('Permission to repo:`%s` DENIED for user:`%s` @ %s',
                                   check_scope, user, check_location)
                         return False
                 def _get_request(self):
                     return get_request(self)
                 def _get_check_scope(self, cls_name):
                     return {
                         'HasPermissionAll':          'GLOBAL',
                         'HasPermissionAny':          'GLOBAL',
                         'HasRepoPermissionAll':      'repo:%s' % self.repo_name,
                         'HasRepoPermissionAny':      'repo:%s' % self.repo_name,
                         'HasRepoGroupPermissionAll': 'repo_group:%s' % self.repo_group_name,
                         'HasRepoGroupPermissionAny': 'repo_group:%s' % self.repo_group_name,
                         'HasUserGroupPermissionAll': 'user_group:%s' % self.user_group_name,
                         'HasUserGroupPermissionAny': 'user_group:%s' % self.user_group_name,
                     }.get(cls_name, '?:%s' % cls_name)
                 def check_permissions(self, user):
                     """Dummy function for overriding"""
                     raise Exception('You have to write this function in child class')
             class HasPermissionAll(PermsFunction):
                 def check_permissions(self, user):
                     perms = user.permissions_with_scope({})
                     if self.required_perms.issubset(perms.get('global')):
                         return True
                     return False
             class HasPermissionAny(PermsFunction):
                 def check_permissions(self, user):
                     perms = user.permissions_with_scope({})
                     if self.required_perms.intersection(perms.get('global')):
                         return True
                     return False
             class HasRepoPermissionAll(PermsFunction):
                 def __call__(self, repo_name=None, check_location='', user=None):
                     self.repo_name = repo_name
                     return super(HasRepoPermissionAll, self).__call__(check_location, user)
                 def _get_repo_name(self):
                     if not self.repo_name:
                         _request = self._get_request()
                         self.repo_name = get_repo_slug(_request)
                     return self.repo_name
                 def check_permissions(self, user):
                     self.repo_name = self._get_repo_name()
                     perms = user.permissions
                     try:
                         user_perms = {perms['repositories'][self.repo_name]}
                     except KeyError:
                         return False
                     if self.required_perms.issubset(user_perms):
                         return True
                     return False
             class HasRepoPermissionAny(PermsFunction):
                 def __call__(self, repo_name=None, check_location='', user=None):
                     self.repo_name = repo_name
                     return super(HasRepoPermissionAny, self).__call__(check_location, user)
                 def _get_repo_name(self):
                     if not self.repo_name:
                         _request = self._get_request()
                         self.repo_name = get_repo_slug(_request)
                     return self.repo_name
                 def check_permissions(self, user):
                     self.repo_name = self._get_repo_name()
                     perms = user.permissions
                     try:
                         user_perms = {perms['repositories'][self.repo_name]}
                     except KeyError:
                         return False
                     if self.required_perms.intersection(user_perms):
                         return True
                     return False
             class HasRepoGroupPermissionAny(PermsFunction):
                 def __call__(self, group_name=None, check_location='', user=None):
                     self.repo_group_name = group_name
                     return super(HasRepoGroupPermissionAny, self).__call__(
                         check_location, user)
                 def check_permissions(self, user):
                     perms = user.permissions
                     try:
                         user_perms = {perms['repositories_groups'][self.repo_group_name]}
                     except KeyError:
                         return False
                     if self.required_perms.intersection(user_perms):
                         return True
                     return False
             class HasRepoGroupPermissionAll(PermsFunction):
                 def __call__(self, group_name=None, check_location='', user=None):
                     self.repo_group_name = group_name
                     return super(HasRepoGroupPermissionAll, self).__call__(
                         check_location, user)
                 def check_permissions(self, user):
                     perms = user.permissions
                     try:
                         user_perms = {perms['repositories_groups'][self.repo_group_name]}
                     except KeyError:
                         return False
                     if self.required_perms.issubset(user_perms):
                         return True
                     return False
             class HasUserGroupPermissionAny(PermsFunction):
                 def __call__(self, user_group_name=None, check_location='', user=None):
                     self.user_group_name = user_group_name
                     return super(HasUserGroupPermissionAny, self).__call__(
                         check_location, user)
                 def check_permissions(self, user):
                     perms = user.permissions
                     try:
                         user_perms = {perms['user_groups'][self.user_group_name]}
                     except KeyError:
                         return False
                     if self.required_perms.intersection(user_perms):
                         return True
                     return False
             class HasUserGroupPermissionAll(PermsFunction):
                 def __call__(self, user_group_name=None, check_location='', user=None):
                     self.user_group_name = user_group_name
                     return super(HasUserGroupPermissionAll, self).__call__(
                         check_location, user)
                 def check_permissions(self, user):
                     perms = user.permissions
                     try:
                         user_perms = {perms['user_groups'][self.user_group_name]}
                     except KeyError:
                         return False
                     if self.required_perms.issubset(user_perms):
                         return True
                     return False
             # SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH
             class HasPermissionAnyMiddleware(object):
                 def __init__(self, *perms):
                     self.required_perms = set(perms)
-                def __call__(self, user, repo_name):
+                def __call__(self, auth_user, repo_name):
                     # repo_name MUST be unicode, since we handle keys in permission
                     # dict by unicode
                     repo_name = safe_unicode(repo_name)
-                    user = AuthUser(user.user_id)
                     log.debug(
                         'Checking VCS protocol permissions %s for user:%s repo:`%s`',
-                        self.required_perms, user, repo_name)
+                        self.required_perms, auth_user, repo_name)
-                    if self.check_permissions(user, repo_name):
+                    if self.check_permissions(auth_user, repo_name):
                         log.debug('Permission to repo:`%s` GRANTED for user:%s @ %s',
-                                  repo_name, user, 'PermissionMiddleware')
+                                  repo_name, auth_user, 'PermissionMiddleware')
                         return True
                     else:
                         log.debug('Permission to repo:`%s` DENIED for user:%s @ %s',
-                                  repo_name, user, 'PermissionMiddleware')
+                                  repo_name, auth_user, 'PermissionMiddleware')
                         return False
                 def check_permissions(self, user, repo_name):
                     perms = user.permissions_with_scope({'repo_name': repo_name})
                     try:
                         user_perms = {perms['repositories'][repo_name]}
                     except Exception:
                         log.exception('Error while accessing user permissions')
                         return False
                     if self.required_perms.intersection(user_perms):
                         return True
                     return False
             # SPECIAL VERSION TO HANDLE API AUTH
             class _BaseApiPerm(object):
                 def __init__(self, *perms):
                     self.required_perms = set(perms)
                 def __call__(self, check_location=None, user=None, repo_name=None,
                              group_name=None, user_group_name=None):
                     cls_name = self.__class__.__name__
                     check_scope = 'global:%s' % (self.required_perms,)
                     if repo_name:
                         check_scope += ', repo_name:%s' % (repo_name,)
                     if group_name:
                         check_scope += ', repo_group_name:%s' % (group_name,)
                     if user_group_name:
                         check_scope += ', user_group_name:%s' % (user_group_name,)
                     log.debug(
                         'checking cls:%s %s %s @ %s'
                         % (cls_name, self.required_perms, check_scope, check_location))
                     if not user:
                         log.debug('Empty User passed into arguments')
                         return False
                     # process user
                     if not isinstance(user, AuthUser):
                         user = AuthUser(user.user_id)
                     if not check_location:
                         check_location = 'unspecified'
                     if self.check_permissions(user.permissions, repo_name, group_name,
                                               user_group_name):
                         log.debug('Permission to repo:`%s` GRANTED for user:`%s` @ %s',
                                   check_scope, user, check_location)
                         return True
                     else:
                         log.debug('Permission to repo:`%s` DENIED for user:`%s` @ %s',
                                   check_scope, user, check_location)
                         return False
                 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
                                       user_group_name=None):
                     """
                     implement in child class should return True if permissions are ok,
                     False otherwise
                     :param perm_defs: dict with permission definitions
                     :param repo_name: repo name
                     """
                     raise NotImplementedError()
             class HasPermissionAllApi(_BaseApiPerm):
                 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
                                       user_group_name=None):
                     if self.required_perms.issubset(perm_defs.get('global')):
                         return True
                     return False
             class HasPermissionAnyApi(_BaseApiPerm):
                 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
                                       user_group_name=None):
                     if self.required_perms.intersection(perm_defs.get('global')):
                         return True
                     return False
             class HasRepoPermissionAllApi(_BaseApiPerm):
                 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
                                       user_group_name=None):
                     try:
                         _user_perms = {perm_defs['repositories'][repo_name]}
                     except KeyError:
                         log.warning(traceback.format_exc())
                         return False
                     if self.required_perms.issubset(_user_perms):
                         return True
                     return False
             class HasRepoPermissionAnyApi(_BaseApiPerm):
                 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
                                       user_group_name=None):
                     try:
                         _user_perms = {perm_defs['repositories'][repo_name]}
                     except KeyError:
                         log.warning(traceback.format_exc())
                         return False
                     if self.required_perms.intersection(_user_perms):
                         return True
                     return False
             class HasRepoGroupPermissionAnyApi(_BaseApiPerm):
                 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
                                       user_group_name=None):
                     try:
                         _user_perms = {perm_defs['repositories_groups'][group_name]}
                     except KeyError:
                         log.warning(traceback.format_exc())
                         return False
                     if self.required_perms.intersection(_user_perms):
                         return True
                     return False
             class HasRepoGroupPermissionAllApi(_BaseApiPerm):
                 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
                                       user_group_name=None):
                     try:
                         _user_perms = {perm_defs['repositories_groups'][group_name]}
                     except KeyError:
                         log.warning(traceback.format_exc())
                         return False
                     if self.required_perms.issubset(_user_perms):
                         return True
                     return False
             class HasUserGroupPermissionAnyApi(_BaseApiPerm):
                 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
                                       user_group_name=None):
                     try:
                         _user_perms = {perm_defs['user_groups'][user_group_name]}
                     except KeyError:
                         log.warning(traceback.format_exc())
                         return False
                     if self.required_perms.intersection(_user_perms):
                         return True
                     return False
             def check_ip_access(source_ip, allowed_ips=None):
                 """
                 Checks if source_ip is a subnet of any of allowed_ips.
                 :param source_ip:
                 :param allowed_ips: list of allowed ips together with mask
                 """
                 log.debug('checking if ip:%s is subnet of %s' % (source_ip, allowed_ips))
                 source_ip_address = ipaddress.ip_address(safe_unicode(source_ip))
                 if isinstance(allowed_ips, (tuple, list, set)):
                     for ip in allowed_ips:
                         ip = safe_unicode(ip)
                         try:
                             network_address = ipaddress.ip_network(ip, strict=False)
                             if source_ip_address in network_address:
                                 log.debug('IP %s is network %s' %
                                           (source_ip_address, network_address))
                                 return True
                             # for any case we cannot determine the IP, don't crash just
                             # skip it and log as error, we want to say forbidden still when
                             # sending bad IP
                         except Exception:
                             log.error(traceback.format_exc())
                             continue
                 return False
             def get_cython_compat_decorator(wrapper, func):
                 """
                 Creates a cython compatible decorator. The previously used
                 decorator.decorator() function seems to be incompatible with cython.
                 :param wrapper: __wrapper method of the decorator class
                 :param func: decorated function
                 """
                 @wraps(func)
                 def local_wrapper(*args, **kwds):
                     return wrapper(func, *args, **kwds)
                 local_wrapper.__wrapped__ = func
                 return local_wrapper

rhodecode/lib/base.py

0 +3 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             The base Controller API
             Provides the BaseController class for subclassing. And usage in different
             controllers
             """
             import logging
             import socket
             import markupsafe
             import ipaddress
             from paste.auth.basic import AuthBasicAuthenticator
             from paste.httpexceptions import HTTPUnauthorized, HTTPForbidden, get_exception
             from paste.httpheaders import WWW_AUTHENTICATE, AUTHORIZATION
             import rhodecode
             from rhodecode.authentication.base import VCS_TYPE
             from rhodecode.lib import auth, utils2
             from rhodecode.lib import helpers as h
             from rhodecode.lib.auth import AuthUser, CookieStoreWrapper
             from rhodecode.lib.exceptions import UserCreationError
             from rhodecode.lib.utils import (password_changed, get_enabled_hook_classes)
             from rhodecode.lib.utils2 import (
                 str2bool, safe_unicode, AttributeDict, safe_int, sha1, aslist, safe_str)
             from rhodecode.model.db import Repository, User, ChangesetComment
             from rhodecode.model.notification import NotificationModel
             from rhodecode.model.settings import VcsSettingsModel, SettingsModel
             log = logging.getLogger(__name__)
             def _filter_proxy(ip):
                 """
                 Passed in IP addresses in HEADERS can be in a special format of multiple
                 ips. Those comma separated IPs are passed from various proxies in the
                 chain of request processing. The left-most being the original client.
                 We only care about the first IP which came from the org. client.
                 :param ip: ip string from headers
                 """
                 if ',' in ip:
                     _ips = ip.split(',')
                     _first_ip = _ips[0].strip()
                     log.debug('Got multiple IPs %s, using %s', ','.join(_ips), _first_ip)
                     return _first_ip
                 return ip
             def _filter_port(ip):
                 """
                 Removes a port from ip, there are 4 main cases to handle here.
                 - ipv4 eg. 127.0.0.1
                 - ipv6 eg. ::1
                 - ipv4+port eg. 127.0.0.1:8080
                 - ipv6+port eg. [::1]:8080
                 :param ip:
                 """
                 def is_ipv6(ip_addr):
                     if hasattr(socket, 'inet_pton'):
                         try:
                             socket.inet_pton(socket.AF_INET6, ip_addr)
                         except socket.error:
                             return False
                     else:
                         # fallback to ipaddress
                         try:
                             ipaddress.IPv6Address(safe_unicode(ip_addr))
                         except Exception:
                             return False
                     return True
                 if ':' not in ip:  # must be ipv4 pure ip
                     return ip
                 if '[' in ip and ']' in ip:  # ipv6 with port
                     return ip.split(']')[0][1:].lower()
                 # must be ipv6 or ipv4 with port
                 if is_ipv6(ip):
                     return ip
                 else:
                     ip, _port = ip.split(':')[:2]  # means ipv4+port
                     return ip
             def get_ip_addr(environ):
                 proxy_key = 'HTTP_X_REAL_IP'
                 proxy_key2 = 'HTTP_X_FORWARDED_FOR'
                 def_key = 'REMOTE_ADDR'
                 _filters = lambda x: _filter_port(_filter_proxy(x))
                 ip = environ.get(proxy_key)
                 if ip:
                     return _filters(ip)
                 ip = environ.get(proxy_key2)
                 if ip:
                     return _filters(ip)
                 ip = environ.get(def_key, '0.0.0.0')
                 return _filters(ip)
             def get_server_ip_addr(environ, log_errors=True):
                 hostname = environ.get('SERVER_NAME')
                 try:
                     return socket.gethostbyname(hostname)
                 except Exception as e:
                     if log_errors:
                         # in some cases this lookup is not possible, and we don't want to
                         # make it an exception in logs
                         log.exception('Could not retrieve server ip address: %s', e)
                     return hostname
             def get_server_port(environ):
                 return environ.get('SERVER_PORT')
             def get_access_path(environ):
                 path = environ.get('PATH_INFO')
                 org_req = environ.get('pylons.original_request')
                 if org_req:
                     path = org_req.environ.get('PATH_INFO')
                 return path
             def get_user_agent(environ):
                 return environ.get('HTTP_USER_AGENT')
             def vcs_operation_context(
                     environ, repo_name, username, action, scm, check_locking=True,
-                    is_shadow_repo=False):
+                    is_shadow_repo=False, check_branch_perms=False, detect_force_push=False):
                 """
                 Generate the context for a vcs operation, e.g. push or pull.
                 This context is passed over the layers so that hooks triggered by the
                 vcs operation know details like the user, the user's IP address etc.
                 :param check_locking: Allows to switch of the computation of the locking
                     data. This serves mainly the need of the simplevcs middleware to be
                     able to disable this for certain operations.
                 """
                 # Tri-state value: False: unlock, None: nothing, True: lock
                 make_lock = None
                 locked_by = [None, None, None]
                 is_anonymous = username == User.DEFAULT_USER
                 user = User.get_by_username(username)
                 if not is_anonymous and check_locking:
                     log.debug('Checking locking on repository "%s"', repo_name)
                     repo = Repository.get_by_repo_name(repo_name)
                     make_lock, __, locked_by = repo.get_locking_state(
                         action, user.user_id)
                 user_id = user.user_id
                 settings_model = VcsSettingsModel(repo=repo_name)
                 ui_settings = settings_model.get_ui_settings()
                 extras = {
                     'ip': get_ip_addr(environ),
                     'username': username,
                     'user_id': user_id,
                     'action': action,
                     'repository': repo_name,
                     'scm': scm,
                     'config': rhodecode.CONFIG['__file__'],
                     'make_lock': make_lock,
                     'locked_by': locked_by,
                     'server_url': utils2.get_server_url(environ),
                     'user_agent': get_user_agent(environ),
                     'hooks': get_enabled_hook_classes(ui_settings),
                     'is_shadow_repo': is_shadow_repo,
+                    'detect_force_push': detect_force_push,
+                    'check_branch_perms': check_branch_perms,
                 }
                 return extras
             class BasicAuth(AuthBasicAuthenticator):
                 def __init__(self, realm, authfunc, registry, auth_http_code=None,
                              initial_call_detection=False, acl_repo_name=None):
                     self.realm = realm
                     self.initial_call = initial_call_detection
                     self.authfunc = authfunc
                     self.registry = registry
                     self.acl_repo_name = acl_repo_name
                     self._rc_auth_http_code = auth_http_code
                 def _get_response_from_code(self, http_code):
                     try:
                         return get_exception(safe_int(http_code))
                     except Exception:
                         log.exception('Failed to fetch response for code %s' % http_code)
                         return HTTPForbidden
                 def get_rc_realm(self):
                     return safe_str(self.registry.rhodecode_settings.get('rhodecode_realm'))
                 def build_authentication(self):
                     head = WWW_AUTHENTICATE.tuples('Basic realm="%s"' % self.realm)
                     if self._rc_auth_http_code and not self.initial_call:
                         # return alternative HTTP code if alternative http return code
                         # is specified in RhodeCode config, but ONLY if it's not the
                         # FIRST call
                         custom_response_klass = self._get_response_from_code(
                             self._rc_auth_http_code)
                         return custom_response_klass(headers=head)
                     return HTTPUnauthorized(headers=head)
                 def authenticate(self, environ):
                     authorization = AUTHORIZATION(environ)
                     if not authorization:
                         return self.build_authentication()
                     (authmeth, auth) = authorization.split(' ', 1)
                     if 'basic' != authmeth.lower():
                         return self.build_authentication()
                     auth = auth.strip().decode('base64')
                     _parts = auth.split(':', 1)
                     if len(_parts) == 2:
                         username, password = _parts
                         auth_data = self.authfunc(
                                 username, password, environ, VCS_TYPE,
                                 registry=self.registry, acl_repo_name=self.acl_repo_name)
                         if auth_data:
                             return {'username': username, 'auth_data': auth_data}
                         if username and password:
                             # we mark that we actually executed authentication once, at
                             # that point we can use the alternative auth code
                             self.initial_call = False
                     return self.build_authentication()
                 __call__ = authenticate
             def calculate_version_hash(config):
                 return sha1(
                     config.get('beaker.session.secret', '') +
                     rhodecode.__version__)[:8]
             def get_current_lang(request):
                 # NOTE(marcink): remove after pyramid move
                 try:
                     return translation.get_lang()[0]
                 except:
                     pass
                 return getattr(request, '_LOCALE_', request.locale_name)
             def attach_context_attributes(context, request, user_id):
                 """
                 Attach variables into template context called `c`.
                 """
                 config = request.registry.settings
                 rc_config = SettingsModel().get_all_settings(cache=True)
                 context.rhodecode_version = rhodecode.__version__
                 context.rhodecode_edition = config.get('rhodecode.edition')
                 # unique secret + version does not leak the version but keep consistency
                 context.rhodecode_version_hash = calculate_version_hash(config)
                 # Default language set for the incoming request
                 context.language = get_current_lang(request)
                 # Visual options
                 context.visual = AttributeDict({})
                 # DB stored Visual Items
                 context.visual.show_public_icon = str2bool(
                     rc_config.get('rhodecode_show_public_icon'))
                 context.visual.show_private_icon = str2bool(
                     rc_config.get('rhodecode_show_private_icon'))
                 context.visual.stylify_metatags = str2bool(
                     rc_config.get('rhodecode_stylify_metatags'))
                 context.visual.dashboard_items = safe_int(
                     rc_config.get('rhodecode_dashboard_items', 100))
                 context.visual.admin_grid_items = safe_int(
                     rc_config.get('rhodecode_admin_grid_items', 100))
                 context.visual.repository_fields = str2bool(
                     rc_config.get('rhodecode_repository_fields'))
                 context.visual.show_version = str2bool(
                     rc_config.get('rhodecode_show_version'))
                 context.visual.use_gravatar = str2bool(
                     rc_config.get('rhodecode_use_gravatar'))
                 context.visual.gravatar_url = rc_config.get('rhodecode_gravatar_url')
                 context.visual.default_renderer = rc_config.get(
                     'rhodecode_markup_renderer', 'rst')
                 context.visual.comment_types = ChangesetComment.COMMENT_TYPES
                 context.visual.rhodecode_support_url = \
                     rc_config.get('rhodecode_support_url') or h.route_url('rhodecode_support')
                 context.visual.affected_files_cut_off = 60
                 context.pre_code = rc_config.get('rhodecode_pre_code')
                 context.post_code = rc_config.get('rhodecode_post_code')
                 context.rhodecode_name = rc_config.get('rhodecode_title')
                 context.default_encodings = aslist(config.get('default_encoding'), sep=',')
                 # if we have specified default_encoding in the request, it has more
                 # priority
                 if request.GET.get('default_encoding'):
                     context.default_encodings.insert(0, request.GET.get('default_encoding'))
                 context.clone_uri_tmpl = rc_config.get('rhodecode_clone_uri_tmpl')
                 context.clone_uri_ssh_tmpl = rc_config.get('rhodecode_clone_uri_ssh_tmpl')
                 # INI stored
                 context.labs_active = str2bool(
                     config.get('labs_settings_active', 'false'))
                 context.ssh_enabled = str2bool(
                     config.get('ssh.generate_authorized_keyfile', 'false'))
                 context.visual.allow_repo_location_change = str2bool(
                     config.get('allow_repo_location_change', True))
                 context.visual.allow_custom_hooks_settings = str2bool(
                     config.get('allow_custom_hooks_settings', True))
                 context.debug_style = str2bool(config.get('debug_style', False))
                 context.rhodecode_instanceid = config.get('instance_id')
                 context.visual.cut_off_limit_diff = safe_int(
                     config.get('cut_off_limit_diff'))
                 context.visual.cut_off_limit_file = safe_int(
                     config.get('cut_off_limit_file'))
                 # AppEnlight
                 context.appenlight_enabled = str2bool(config.get('appenlight', 'false'))
                 context.appenlight_api_public_key = config.get(
                     'appenlight.api_public_key', '')
                 context.appenlight_server_url = config.get('appenlight.server_url', '')
                 # JS template context
                 context.template_context = {
                     'repo_name': None,
                     'repo_type': None,
                     'repo_landing_commit': None,
                     'rhodecode_user': {
                         'username': None,
                         'email': None,
                         'notification_status': False
                     },
                     'visual': {
                         'default_renderer': None
                     },
                     'commit_data': {
                         'commit_id': None
                     },
                     'pull_request_data': {'pull_request_id': None},
                     'timeago': {
                         'refresh_time': 120 * 1000,
                         'cutoff_limit': 1000 * 60 * 60 * 24 * 7
                     },
                     'pyramid_dispatch': {
                     },
                     'extra': {'plugins': {}}
                 }
                 # END CONFIG VARS
                 diffmode = 'sideside'
                 if request.GET.get('diffmode'):
                     if request.GET['diffmode'] == 'unified':
                         diffmode = 'unified'
                 elif request.session.get('diffmode'):
                     diffmode = request.session['diffmode']
                 context.diffmode = diffmode
                 if request.session.get('diffmode') != diffmode:
                     request.session['diffmode'] = diffmode
                 context.csrf_token = auth.get_csrf_token(session=request.session)
                 context.backends = rhodecode.BACKENDS.keys()
                 context.backends.sort()
                 context.unread_notifications = NotificationModel().get_unread_cnt_for_user(user_id)
                 # web case
                 if hasattr(request, 'user'):
                     context.auth_user = request.user
                     context.rhodecode_user = request.user
                 # api case
                 if hasattr(request, 'rpc_user'):
                     context.auth_user = request.rpc_user
                     context.rhodecode_user = request.rpc_user
                 # attach the whole call context to the request
                 request.call_context = context
             def get_auth_user(request):
                 environ = request.environ
                 session = request.session
                 ip_addr = get_ip_addr(environ)
                 # make sure that we update permissions each time we call controller
                 _auth_token = (request.GET.get('auth_token', '') or
                                request.GET.get('api_key', ''))
                 if _auth_token:
                     # when using API_KEY we assume user exists, and
                     # doesn't need auth based on cookies.
                     auth_user = AuthUser(api_key=_auth_token, ip_addr=ip_addr)
                     authenticated = False
                 else:
                     cookie_store = CookieStoreWrapper(session.get('rhodecode_user'))
                     try:
                         auth_user = AuthUser(user_id=cookie_store.get('user_id', None),
                                              ip_addr=ip_addr)
                     except UserCreationError as e:
                         h.flash(e, 'error')
                         # container auth or other auth functions that create users
                         # on the fly can throw this exception signaling that there's
                         # issue with user creation, explanation should be provided
                         # in Exception itself. We then create a simple blank
                         # AuthUser
                         auth_user = AuthUser(ip_addr=ip_addr)
                     # in case someone changes a password for user it triggers session
                     # flush and forces a re-login
                     if password_changed(auth_user, session):
                         session.invalidate()
                         cookie_store = CookieStoreWrapper(session.get('rhodecode_user'))
                         auth_user = AuthUser(ip_addr=ip_addr)
                     authenticated = cookie_store.get('is_authenticated')
                 if not auth_user.is_authenticated and auth_user.is_user_object:
                     # user is not authenticated and not empty
                     auth_user.set_authenticated(authenticated)
                 return auth_user
             def h_filter(s):
                 """
                 Custom filter for Mako templates. Mako by standard uses `markupsafe.escape`
                 we wrap this with additional functionality that converts None to empty
                 strings
                 """
                 if s is None:
                     return markupsafe.Markup()
                 return markupsafe.escape(s)
             def add_events_routes(config):
                 """
                 Adds routing that can be used in events. Because some events are triggered
                 outside of pyramid context, we need to bootstrap request with some
                 routing registered
                 """
                 from rhodecode.apps._base import ADMIN_PREFIX
                 config.add_route(name='home', pattern='/')
                 config.add_route(name='login', pattern=ADMIN_PREFIX + '/login')
                 config.add_route(name='logout', pattern=ADMIN_PREFIX + '/logout')
                 config.add_route(name='repo_summary', pattern='/{repo_name}')
                 config.add_route(name='repo_summary_explicit', pattern='/{repo_name}/summary')
                 config.add_route(name='repo_group_home', pattern='/{repo_group_name}')
                 config.add_route(name='pullrequest_show',
                                  pattern='/{repo_name}/pull-request/{pull_request_id}')
                 config.add_route(name='pull_requests_global',
                                  pattern='/pull-request/{pull_request_id}')
                 config.add_route(name='repo_commit',
                                  pattern='/{repo_name}/changeset/{commit_id}')
                 config.add_route(name='repo_files',
                                  pattern='/{repo_name}/files/{commit_id}/{f_path}')
             def bootstrap_config(request):
                 import pyramid.testing
                 registry = pyramid.testing.Registry('RcTestRegistry')
                 config = pyramid.testing.setUp(registry=registry, request=request)
                 # allow pyramid lookup in testing
                 config.include('pyramid_mako')
                 config.include('pyramid_beaker')
                 config.include('rhodecode.lib.rc_cache')
                 add_events_routes(config)
                 return config
             def bootstrap_request(**kwargs):
                 import pyramid.testing
                 class TestRequest(pyramid.testing.DummyRequest):
                     application_url = kwargs.pop('application_url', 'http://example.com')
                     host = kwargs.pop('host', 'example.com:80')
                     domain = kwargs.pop('domain', 'example.com')
                     def translate(self, msg):
                         return msg
                     def plularize(self, singular, plural, n):
                         return singular
                     def get_partial_renderer(self, tmpl_name):
                         from rhodecode.lib.partial_renderer import get_partial_renderer
                         return get_partial_renderer(request=self, tmpl_name=tmpl_name)
                     _call_context = {}
                     @property
                     def call_context(self):
                         return self._call_context
                 class TestDummySession(pyramid.testing.DummySession):
                     def save(*arg, **kw):
                         pass
                 request = TestRequest(**kwargs)
                 request.session = TestDummySession()
                 return request

rhodecode/lib/exceptions.py

0 +15 0

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Set of custom exceptions used in RhodeCode
             """
             from webob.exc import HTTPClientError
             from pyramid.httpexceptions import HTTPBadGateway
             class LdapUsernameError(Exception):
                 pass
             class LdapPasswordError(Exception):
                 pass
             class LdapConnectionError(Exception):
                 pass
             class LdapImportError(Exception):
                 pass
             class DefaultUserException(Exception):
                 pass
             class UserOwnsReposException(Exception):
                 pass
             class UserOwnsRepoGroupsException(Exception):
                 pass
             class UserOwnsUserGroupsException(Exception):
                 pass
             class UserGroupAssignedException(Exception):
                 pass
             class StatusChangeOnClosedPullRequestError(Exception):
                 pass
             class AttachedForksError(Exception):
                 pass
             class RepoGroupAssignmentError(Exception):
                 pass
             class NonRelativePathError(Exception):
                 pass
             class HTTPRequirementError(HTTPClientError):
                 title = explanation = 'Repository Requirement Missing'
                 reason = None
                 def __init__(self, message, *args, **kwargs):
                     self.title = self.explanation = message
                     super(HTTPRequirementError, self).__init__(*args, **kwargs)
                     self.args = (message, )
             class HTTPLockedRC(HTTPClientError):
                 """
                 Special Exception For locked Repos in RhodeCode, the return code can
                 be overwritten by _code keyword argument passed into constructors
                 """
                 code = 423
                 title = explanation = 'Repository Locked'
                 reason = None
                 def __init__(self, message, *args, **kwargs):
                     from rhodecode import CONFIG
                     from rhodecode.lib.utils2 import safe_int
                     _code = CONFIG.get('lock_ret_code')
                     self.code = safe_int(_code, self.code)
                     self.title = self.explanation = message
                     super(HTTPLockedRC, self).__init__(*args, **kwargs)
                     self.args = (message, )
+            class HTTPBranchProtected(HTTPClientError):
+                """
+                Special Exception For Indicating that branch is protected in RhodeCode, the
+                return code can be overwritten by _code keyword argument passed into constructors
+                """
+                code = 403
+                title = explanation = 'Branch Protected'
+                reason = None
+                def __init__(self, message, *args, **kwargs):
+                    self.title = self.explanation = message
+                    super(HTTPBranchProtected, self).__init__(*args, **kwargs)
+                    self.args = (message, )
             class IMCCommitError(Exception):
                 pass
             class UserCreationError(Exception):
                 pass
             class NotAllowedToCreateUserError(Exception):
                 pass
             class RepositoryCreationError(Exception):
                 pass
             class VCSServerUnavailable(HTTPBadGateway):
                 """ HTTP Exception class for VCS Server errors """
                 code = 502
                 title = 'VCS Server Error'
                 causes = [
                     'VCS Server is not running',
                     'Incorrect vcs.server=host:port',
                     'Incorrect vcs.server.protocol',
                 ]
                 def __init__(self, message=''):
                     self.explanation = 'Could not connect to VCS Server'
                     if message:
                         self.explanation += ': ' + message
                     super(VCSServerUnavailable, self).__init__()

rhodecode/lib/hooks_base.py

0 +45 -5

             # -*- coding: utf-8 -*-
             # Copyright (C) 2013-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Set of hooks run by RhodeCode Enterprise
             """
             import os
             import collections
             import logging
             import rhodecode
             from rhodecode import events
             from rhodecode.lib import helpers as h
             from rhodecode.lib import audit_logger
             from rhodecode.lib.utils2 import safe_str
-            from rhodecode.lib.exceptions import HTTPLockedRC, UserCreationError
+            from rhodecode.lib.exceptions import (
+                HTTPLockedRC, HTTPBranchProtected, UserCreationError)
             from rhodecode.model.db import Repository, User
             log = logging.getLogger(__name__)
             HookResponse = collections.namedtuple('HookResponse', ('status', 'output'))
             def is_shadow_repo(extras):
                 """
                 Returns ``True`` if this is an action executed against a shadow repository.
                 """
                 return extras['is_shadow_repo']
             def _get_scm_size(alias, root_path):
                 if not alias.startswith('.'):
                     alias += '.'
                 size_scm, size_root = 0, 0
                 for path, unused_dirs, files in os.walk(safe_str(root_path)):
                     if path.find(alias) != -1:
                         for f in files:
                             try:
                                 size_scm += os.path.getsize(os.path.join(path, f))
                             except OSError:
                                 pass
                     else:
                         for f in files:
                             try:
                                 size_root += os.path.getsize(os.path.join(path, f))
                             except OSError:
                                 pass
                 size_scm_f = h.format_byte_size_binary(size_scm)
                 size_root_f = h.format_byte_size_binary(size_root)
                 size_total_f = h.format_byte_size_binary(size_root + size_scm)
                 return size_scm_f, size_root_f, size_total_f
             # actual hooks called by Mercurial internally, and GIT by our Python Hooks
             def repo_size(extras):
                 """Present size of repository after push."""
                 repo = Repository.get_by_repo_name(extras.repository)
                 vcs_part = safe_str(u'.%s' % repo.repo_type)
                 size_vcs, size_root, size_total = _get_scm_size(vcs_part,
                                                                 repo.repo_full_path)
                 msg = ('Repository `%s` size summary %s:%s repo:%s total:%s\n'
                        % (repo.repo_name, vcs_part, size_vcs, size_root, size_total))
                 return HookResponse(0, msg)
             def pre_push(extras):
                 """
                 Hook executed before pushing code.
                 It bans pushing when the repository is locked.
                 """
-                usr = User.get_by_username(extras.username)
+                user = User.get_by_username(extras.username)
                 output = ''
-                if extras.locked_by[0] and usr.user_id != int(extras.locked_by[0]):
+                if extras.locked_by[0] and user.user_id != int(extras.locked_by[0]):
                     locked_by = User.get(extras.locked_by[0]).username
                     reason = extras.locked_by[2]
                     # this exception is interpreted in git/hg middlewares and based
                     # on that proper return code is server to client
                     _http_ret = HTTPLockedRC(
                         _locked_by_explanation(extras.repository, locked_by, reason))
                     if str(_http_ret.code).startswith('2'):
                         # 2xx Codes don't raise exceptions
                         output = _http_ret.title
                     else:
                         raise _http_ret
-                # Propagate to external components. This is done after checking the
-                # lock, for consistent behavior.
                 if not is_shadow_repo(extras):
+                    if extras.commit_ids and extras.check_branch_perms:
+                        auth_user = user.AuthUser()
+                        repo = Repository.get_by_repo_name(extras.repository)
+                        affected_branches = []
+                        if repo.repo_type == 'hg':
+                            for entry in extras.commit_ids:
+                                if entry['type'] == 'branch':
+                                    is_forced = bool(entry['multiple_heads'])
+                                    affected_branches.append([entry['name'], is_forced])
+                        elif repo.repo_type == 'git':
+                            for entry in extras.commit_ids:
+                                if entry['type'] == 'heads':
+                                    is_forced = bool(entry['pruned_sha'])
+                                    affected_branches.append([entry['name'], is_forced])
+                        for branch_name, is_forced in affected_branches:
+                            rule, branch_perm = auth_user.get_rule_and_branch_permission(
+                                extras.repository, branch_name)
+                            if not branch_perm:
+                                # no branch permission found for this branch, just keep checking
+                                continue
+                            if branch_perm == 'branch.push_force':
+                                continue
+                            elif branch_perm == 'branch.push' and is_forced is False:
+                                continue
+                            elif branch_perm == 'branch.push' and is_forced is True:
+                                halt_message = 'Branch `{}` changes rejected by rule {}. ' \
+                                               'FORCE PUSH FORBIDDEN.'.format(branch_name, rule)
+                            else:
+                                halt_message = 'Branch `{}` changes rejected by rule {}.'.format(
+                                    branch_name, rule)
+                            if halt_message:
+                                _http_ret = HTTPBranchProtected(halt_message)
+                                raise _http_ret
+                    # Propagate to external components. This is done after checking the
+                    # lock, for consistent behavior.
                     pre_push_extension(repo_store_path=Repository.base_path(), **extras)
                     events.trigger(events.RepoPrePushEvent(
                         repo_name=extras.repository, extras=extras))
                 return HookResponse(0, output)
             def pre_pull(extras):
                 """
                 Hook executed before pulling the code.
                 It bans pulling when the repository is locked.
                 """
                 output = ''
                 if extras.locked_by[0]:
                     locked_by = User.get(extras.locked_by[0]).username
                     reason = extras.locked_by[2]
                     # this exception is interpreted in git/hg middlewares and based
                     # on that proper return code is server to client
                     _http_ret = HTTPLockedRC(
                         _locked_by_explanation(extras.repository, locked_by, reason))
                     if str(_http_ret.code).startswith('2'):
                         # 2xx Codes don't raise exceptions
                         output = _http_ret.title
                     else:
                         raise _http_ret
                 # Propagate to external components. This is done after checking the
                 # lock, for consistent behavior.
                 if not is_shadow_repo(extras):
                     pre_pull_extension(**extras)
                     events.trigger(events.RepoPrePullEvent(
                         repo_name=extras.repository, extras=extras))
                 return HookResponse(0, output)
             def post_pull(extras):
                 """Hook executed after client pulls the code."""
                 audit_user = audit_logger.UserWrap(
                     username=extras.username,
                     ip_addr=extras.ip)
                 repo = audit_logger.RepoWrap(repo_name=extras.repository)
                 audit_logger.store(
                     'user.pull', action_data={
                         'user_agent': extras.user_agent},
                     user=audit_user, repo=repo, commit=True)
                 # Propagate to external components.
                 if not is_shadow_repo(extras):
                     post_pull_extension(**extras)
                     events.trigger(events.RepoPullEvent(
                         repo_name=extras.repository, extras=extras))
                 output = ''
                 # make lock is a tri state False, True, None. We only make lock on True
                 if extras.make_lock is True and not is_shadow_repo(extras):
                     user = User.get_by_username(extras.username)
                     Repository.lock(Repository.get_by_repo_name(extras.repository),
                                     user.user_id,
                                     lock_reason=Repository.LOCK_PULL)
                     msg = 'Made lock on repo `%s`' % (extras.repository,)
                     output += msg
                 if extras.locked_by[0]:
                     locked_by = User.get(extras.locked_by[0]).username
                     reason = extras.locked_by[2]
                     _http_ret = HTTPLockedRC(
                         _locked_by_explanation(extras.repository, locked_by, reason))
                     if str(_http_ret.code).startswith('2'):
                         # 2xx Codes don't raise exceptions
                         output += _http_ret.title
                 return HookResponse(0, output)
             def post_push(extras):
                 """Hook executed after user pushes to the repository."""
                 commit_ids = extras.commit_ids
                 # log the push call
                 audit_user = audit_logger.UserWrap(
                     username=extras.username, ip_addr=extras.ip)
                 repo = audit_logger.RepoWrap(repo_name=extras.repository)
                 audit_logger.store(
                     'user.push', action_data={
                         'user_agent': extras.user_agent,
                         'commit_ids': commit_ids[:400]},
                     user=audit_user, repo=repo, commit=True)
                 # Propagate to external components.
                 if not is_shadow_repo(extras):
                     post_push_extension(
                         repo_store_path=Repository.base_path(),
                         pushed_revs=commit_ids,
                         **extras)
                     events.trigger(events.RepoPushEvent(
                         repo_name=extras.repository,
                         pushed_commit_ids=commit_ids,
                         extras=extras))
                 output = ''
                 # make lock is a tri state False, True, None. We only release lock on False
                 if extras.make_lock is False and not is_shadow_repo(extras):
                     Repository.unlock(Repository.get_by_repo_name(extras.repository))
                     msg = 'Released lock on repo `%s`\n' % extras.repository
                     output += msg
                 if extras.locked_by[0]:
                     locked_by = User.get(extras.locked_by[0]).username
                     reason = extras.locked_by[2]
                     _http_ret = HTTPLockedRC(
                         _locked_by_explanation(extras.repository, locked_by, reason))
                     # TODO: johbo: if not?
                     if str(_http_ret.code).startswith('2'):
                         # 2xx Codes don't raise exceptions
                         output += _http_ret.title
                 if extras.new_refs:
                     tmpl = \
                         extras.server_url + '/' + \
                         extras.repository + \
                         "/pull-request/new?{ref_type}={ref_name}"
                     for branch_name in extras.new_refs['branches']:
                         output += 'RhodeCode: open pull request link: {}\n'.format(
                             tmpl.format(ref_type='branch', ref_name=branch_name))
                     for book_name in extras.new_refs['bookmarks']:
                         output += 'RhodeCode: open pull request link: {}\n'.format(
                             tmpl.format(ref_type='bookmark', ref_name=book_name))
                 output += 'RhodeCode: push completed\n'
                 return HookResponse(0, output)
             def _locked_by_explanation(repo_name, user_name, reason):
                 message = (
                     'Repository `%s` locked by user `%s`. Reason:`%s`'
                     % (repo_name, user_name, reason))
                 return message
             def check_allowed_create_user(user_dict, created_by, **kwargs):
                 # pre create hooks
                 if pre_create_user.is_active():
                     allowed, reason = pre_create_user(created_by=created_by, **user_dict)
                     if not allowed:
                         raise UserCreationError(reason)
             class ExtensionCallback(object):
                 """
                 Forwards a given call to rcextensions, sanitizes keyword arguments.
                 Does check if there is an extension active for that hook. If it is
                 there, it will forward all `kwargs_keys` keyword arguments to the
                 extension callback.
                 """
                 def __init__(self, hook_name, kwargs_keys):
                     self._hook_name = hook_name
                     self._kwargs_keys = set(kwargs_keys)
                 def __call__(self, *args, **kwargs):
                     log.debug('Calling extension callback for %s', self._hook_name)
                     kwargs_to_pass = dict((key, kwargs[key]) for key in self._kwargs_keys)
                     # backward compat for removed api_key for old hooks. THis was it works
                     # with older rcextensions that require api_key present
                     if self._hook_name in ['CREATE_USER_HOOK', 'DELETE_USER_HOOK']:
                         kwargs_to_pass['api_key'] = '_DEPRECATED_'
                     callback = self._get_callback()
                     if callback:
                         return callback(**kwargs_to_pass)
                     else:
                         log.debug('extensions callback not found skipping...')
                 def is_active(self):
                     return hasattr(rhodecode.EXTENSIONS, self._hook_name)
                 def _get_callback(self):
                     return getattr(rhodecode.EXTENSIONS, self._hook_name, None)
             pre_pull_extension = ExtensionCallback(
                 hook_name='PRE_PULL_HOOK',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository'))
             post_pull_extension = ExtensionCallback(
                 hook_name='PULL_HOOK',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository'))
             pre_push_extension = ExtensionCallback(
                 hook_name='PRE_PUSH_HOOK',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository', 'repo_store_path', 'commit_ids'))
             post_push_extension = ExtensionCallback(
                 hook_name='PUSH_HOOK',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository', 'repo_store_path', 'pushed_revs'))
             pre_create_user = ExtensionCallback(
                 hook_name='PRE_CREATE_USER_HOOK',
                 kwargs_keys=(
                     'username', 'password', 'email', 'firstname', 'lastname', 'active',
                     'admin', 'created_by'))
             log_create_pull_request = ExtensionCallback(
                 hook_name='CREATE_PULL_REQUEST',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository', 'pull_request_id', 'url', 'title', 'description',
                     'status', 'created_on', 'updated_on', 'commit_ids', 'review_status',
                     'mergeable', 'source', 'target', 'author', 'reviewers'))
             log_merge_pull_request = ExtensionCallback(
                 hook_name='MERGE_PULL_REQUEST',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository', 'pull_request_id', 'url', 'title', 'description',
                     'status', 'created_on', 'updated_on', 'commit_ids', 'review_status',
                     'mergeable', 'source', 'target', 'author', 'reviewers'))
             log_close_pull_request = ExtensionCallback(
                 hook_name='CLOSE_PULL_REQUEST',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository', 'pull_request_id', 'url', 'title', 'description',
                     'status', 'created_on', 'updated_on', 'commit_ids', 'review_status',
                     'mergeable', 'source', 'target', 'author', 'reviewers'))
             log_review_pull_request = ExtensionCallback(
                 hook_name='REVIEW_PULL_REQUEST',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository', 'pull_request_id', 'url', 'title', 'description',
                     'status', 'created_on', 'updated_on', 'commit_ids', 'review_status',
                     'mergeable', 'source', 'target', 'author', 'reviewers'))
             log_update_pull_request = ExtensionCallback(
                 hook_name='UPDATE_PULL_REQUEST',
                 kwargs_keys=(
                     'server_url', 'config', 'scm', 'username', 'ip', 'action',
                     'repository', 'pull_request_id', 'url', 'title', 'description',
                     'status', 'created_on', 'updated_on', 'commit_ids', 'review_status',
                     'mergeable', 'source', 'target', 'author', 'reviewers'))
             log_create_user = ExtensionCallback(
                 hook_name='CREATE_USER_HOOK',
                 kwargs_keys=(
                     'username', 'full_name_or_username', 'full_contact', 'user_id',
                     'name', 'firstname', 'short_contact', 'admin', 'lastname',
                     'ip_addresses', 'extern_type', 'extern_name',
                     'email', 'api_keys', 'last_login',
                     'full_name', 'active', 'password', 'emails',
                     'inherit_default_permissions', 'created_by', 'created_on'))
             log_delete_user = ExtensionCallback(
                 hook_name='DELETE_USER_HOOK',
                 kwargs_keys=(
                     'username', 'full_name_or_username', 'full_contact', 'user_id',
                     'name', 'firstname', 'short_contact', 'admin', 'lastname',
                     'ip_addresses',
                     'email', 'last_login',
                     'full_name', 'active', 'password', 'emails',
                     'inherit_default_permissions', 'deleted_by'))
             log_create_repository = ExtensionCallback(
                 hook_name='CREATE_REPO_HOOK',
                 kwargs_keys=(
                     'repo_name', 'repo_type', 'description', 'private', 'created_on',
                     'enable_downloads', 'repo_id', 'user_id', 'enable_statistics',
                     'clone_uri', 'fork_id', 'group_id', 'created_by'))
             log_delete_repository = ExtensionCallback(
                 hook_name='DELETE_REPO_HOOK',
                 kwargs_keys=(
                     'repo_name', 'repo_type', 'description', 'private', 'created_on',
                     'enable_downloads', 'repo_id', 'user_id', 'enable_statistics',
                     'clone_uri', 'fork_id', 'group_id', 'deleted_by', 'deleted_on'))
             log_create_repository_group = ExtensionCallback(
                 hook_name='CREATE_REPO_GROUP_HOOK',
                 kwargs_keys=(
                     'group_name', 'group_parent_id', 'group_description',
                     'group_id', 'user_id', 'created_by', 'created_on',
                     'enable_locking'))

rhodecode/lib/hooks_daemon.py

0 +15 -3

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import os
             import time
             import logging
             import tempfile
             import traceback
             import threading
             from BaseHTTPServer import BaseHTTPRequestHandler
             from SocketServer import TCPServer
             import rhodecode
+            from rhodecode.lib.exceptions import HTTPLockedRC, HTTPBranchProtected
             from rhodecode.model import meta
             from rhodecode.lib.base import bootstrap_request, bootstrap_config
             from rhodecode.lib import hooks_base
             from rhodecode.lib.utils2 import AttributeDict
             from rhodecode.lib.ext_json import json
             from rhodecode.lib import rc_cache
             log = logging.getLogger(__name__)
             class HooksHttpHandler(BaseHTTPRequestHandler):
                 def do_POST(self):
                     method, extras = self._read_request()
                     txn_id = getattr(self.server, 'txn_id', None)
                     if txn_id:
                         log.debug('Computing TXN_ID based on `%s`:`%s`',
                                   extras['repository'], extras['txn_id'])
                         computed_txn_id = rc_cache.utils.compute_key_from_params(
                             extras['repository'], extras['txn_id'])
                         if txn_id != computed_txn_id:
                             raise Exception(
                                 'TXN ID fail: expected {} got {} instead'.format(
                                     txn_id, computed_txn_id))
                     try:
                         result = self._call_hook(method, extras)
                     except Exception as e:
                         exc_tb = traceback.format_exc()
                         result = {
                             'exception': e.__class__.__name__,
                             'exception_traceback': exc_tb,
                             'exception_args': e.args
                         }
                     self._write_response(result)
                 def _read_request(self):
                     length = int(self.headers['Content-Length'])
                     body = self.rfile.read(length).decode('utf-8')
                     data = json.loads(body)
                     return data['method'], data['extras']
                 def _write_response(self, result):
                     self.send_response(200)
                     self.send_header("Content-type", "text/json")
                     self.end_headers()
                     self.wfile.write(json.dumps(result))
                 def _call_hook(self, method, extras):
                     hooks = Hooks()
                     try:
                         result = getattr(hooks, method)(extras)
                     finally:
                         meta.Session.remove()
                     return result
                 def log_message(self, format, *args):
                     """
                     This is an overridden method of BaseHTTPRequestHandler which logs using
                     logging library instead of writing directly to stderr.
                     """
                     message = format % args
                     log.debug(
                         "%s - - [%s] %s", self.client_address[0],
                         self.log_date_time_string(), message)
             class DummyHooksCallbackDaemon(object):
                 hooks_uri = ''
                 def __init__(self):
                     self.hooks_module = Hooks.__module__
                 def __enter__(self):
                     log.debug('Running dummy hooks callback daemon')
                     return self
                 def __exit__(self, exc_type, exc_val, exc_tb):
                     log.debug('Exiting dummy hooks callback daemon')
             class ThreadedHookCallbackDaemon(object):
                 _callback_thread = None
                 _daemon = None
                 _done = False
                 def __init__(self, txn_id=None, host=None, port=None):
                     self._prepare(txn_id=txn_id, host=None, port=port)
                 def __enter__(self):
                     self._run()
                     return self
                 def __exit__(self, exc_type, exc_val, exc_tb):
                     log.debug('Callback daemon exiting now...')
                     self._stop()
                 def _prepare(self, txn_id=None, host=None, port=None):
                     raise NotImplementedError()
                 def _run(self):
                     raise NotImplementedError()
                 def _stop(self):
                     raise NotImplementedError()
             class HttpHooksCallbackDaemon(ThreadedHookCallbackDaemon):
                 """
                 Context manager which will run a callback daemon in a background thread.
                 """
                 hooks_uri = None
                 # From Python docs: Polling reduces our responsiveness to a shutdown
                 # request and wastes cpu at all other times.
                 POLL_INTERVAL = 0.01
                 def _prepare(self, txn_id=None, host=None, port=None):
                     host = host or '127.0.0.1'
                     self._done = False
                     self._daemon = TCPServer((host, port or 0), HooksHttpHandler)
                     _, port = self._daemon.server_address
                     self.hooks_uri = '{}:{}'.format(host, port)
                     self.txn_id = txn_id
                     # inject transaction_id for later verification
                     self._daemon.txn_id = self.txn_id
                     log.debug(
                         "Preparing HTTP callback daemon at `%s` and registering hook object",
                         self.hooks_uri)
                 def _run(self):
                     log.debug("Running event loop of callback daemon in background thread")
                     callback_thread = threading.Thread(
                         target=self._daemon.serve_forever,
                         kwargs={'poll_interval': self.POLL_INTERVAL})
                     callback_thread.daemon = True
                     callback_thread.start()
                     self._callback_thread = callback_thread
                 def _stop(self):
                     log.debug("Waiting for background thread to finish.")
                     self._daemon.shutdown()
                     self._callback_thread.join()
                     self._daemon = None
                     self._callback_thread = None
                     if self.txn_id:
                         txn_id_file = get_txn_id_data_path(self.txn_id)
                         log.debug('Cleaning up TXN ID %s', txn_id_file)
                         if os.path.isfile(txn_id_file):
                             os.remove(txn_id_file)
                     log.debug("Background thread done.")
             def get_txn_id_data_path(txn_id):
                 root = tempfile.gettempdir()
                 return os.path.join(root, 'rc_txn_id_{}'.format(txn_id))
             def store_txn_id_data(txn_id, data_dict):
                 if not txn_id:
                     log.warning('Cannot store txn_id because it is empty')
                     return
                 path = get_txn_id_data_path(txn_id)
                 try:
                     with open(path, 'wb') as f:
                         f.write(json.dumps(data_dict))
                 except Exception:
                     log.exception('Failed to write txn_id metadata')
             def get_txn_id_from_store(txn_id):
                 """
                 Reads txn_id from store and if present returns the data for callback manager
                 """
                 path = get_txn_id_data_path(txn_id)
                 try:
                     with open(path, 'rb') as f:
                         return json.loads(f.read())
                 except Exception:
                     return {}
             def prepare_callback_daemon(extras, protocol, host, use_direct_calls, txn_id=None):
                 txn_details = get_txn_id_from_store(txn_id)
                 port = txn_details.get('port', 0)
                 if use_direct_calls:
                     callback_daemon = DummyHooksCallbackDaemon()
                     extras['hooks_module'] = callback_daemon.hooks_module
                 else:
                     if protocol == 'http':
                         callback_daemon = HttpHooksCallbackDaemon(
                             txn_id=txn_id, host=host, port=port)
                     else:
                         log.error('Unsupported callback daemon protocol "%s"', protocol)
                         raise Exception('Unsupported callback daemon protocol.')
                 extras['hooks_uri'] = callback_daemon.hooks_uri
                 extras['hooks_protocol'] = protocol
                 extras['time'] = time.time()
                 # register txn_id
                 extras['txn_id'] = txn_id
                 log.debug('Prepared a callback daemon: %s at url `%s`',
                           callback_daemon.__class__.__name__, callback_daemon.hooks_uri)
                 return callback_daemon, extras
             class Hooks(object):
                 """
                 Exposes the hooks for remote call backs
                 """
                 def repo_size(self, extras):
                     log.debug("Called repo_size of %s object", self)
                     return self._call_hook(hooks_base.repo_size, extras)
                 def pre_pull(self, extras):
                     log.debug("Called pre_pull of %s object", self)
                     return self._call_hook(hooks_base.pre_pull, extras)
                 def post_pull(self, extras):
                     log.debug("Called post_pull of %s object", self)
                     return self._call_hook(hooks_base.post_pull, extras)
                 def pre_push(self, extras):
                     log.debug("Called pre_push of %s object", self)
                     return self._call_hook(hooks_base.pre_push, extras)
                 def post_push(self, extras):
                     log.debug("Called post_push of %s object", self)
                     return self._call_hook(hooks_base.post_push, extras)
                 def _call_hook(self, hook, extras):
                     extras = AttributeDict(extras)
                     server_url = extras['server_url']
                     request = bootstrap_request(application_url=server_url)
                     bootstrap_config(request)  # inject routes and other interfaces
                     # inject the user for usage in hooks
                     request.user = AttributeDict({'username': extras.username,
                                                   'ip_addr': extras.ip,
                                                   'user_id': extras.user_id})
                     extras.request = request
                     try:
                         result = hook(extras)
-                    except Exception as error:
+                    except HTTPBranchProtected as handled_error:
-                        exc_tb = traceback.format_exc()
+                        # Those special cases doesn't need error reporting. It's a case of
-                        log.exception('Exception when handling hook %s', hook)
+                        # locked repo or protected branch
+                        result = AttributeDict({
+                            'status': handled_error.code,
+                            'output': handled_error.explanation
+                        })
+                    except (HTTPLockedRC, Exception) as error:
+                        # locked needs different handling since we need to also
+                        # handle PULL operations
+                        exc_tb = ''
+                        if not isinstance(error, HTTPLockedRC):
+                            exc_tb = traceback.format_exc()
+                            log.exception('Exception when handling hook %s', hook)
                         error_args = error.args
                         return {
                             'status': 128,
                             'output': '',
                             'exception': type(error).__name__,
                             'exception_traceback': exc_tb,
                             'exception_args': error_args,
                         }
                     finally:
                         meta.Session.remove()
                     log.debug('Got hook call response %s', result)
                     return {
                         'status': result.status,
                         'output': result.output,
                     }
                 def __enter__(self):
                     return self
                 def __exit__(self, exc_type, exc_val, exc_tb):
                     pass

rhodecode/lib/middleware/simplevcs.py

0 +19 -7

             # -*- coding: utf-8 -*-
             # Copyright (C) 2014-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             SimpleVCS middleware for handling protocol request (push/clone etc.)
             It's implemented with basic auth function
             """
             import os
             import re
             import logging
             import importlib
             from functools import wraps
             from StringIO import StringIO
             from lxml import etree
             import time
             from paste.httpheaders import REMOTE_USER, AUTH_TYPE
             from pyramid.httpexceptions import (
                 HTTPNotFound, HTTPForbidden, HTTPNotAcceptable, HTTPInternalServerError)
             from zope.cachedescriptors.property import Lazy as LazyProperty
             import rhodecode
             from rhodecode.authentication.base import authenticate, VCS_TYPE, loadplugin
             from rhodecode.lib import rc_cache
             from rhodecode.lib.auth import AuthUser, HasPermissionAnyMiddleware
             from rhodecode.lib.base import (
                 BasicAuth, get_ip_addr, get_user_agent, vcs_operation_context)
             from rhodecode.lib.exceptions import (UserCreationError, NotAllowedToCreateUserError)
             from rhodecode.lib.hooks_daemon import prepare_callback_daemon
             from rhodecode.lib.middleware import appenlight
             from rhodecode.lib.middleware.utils import scm_app_http
             from rhodecode.lib.utils import is_valid_repo, SLUG_RE
             from rhodecode.lib.utils2 import safe_str, fix_PATH, str2bool, safe_unicode
             from rhodecode.lib.vcs.conf import settings as vcs_settings
             from rhodecode.lib.vcs.backends import base
             from rhodecode.model import meta
             from rhodecode.model.db import User, Repository, PullRequest
             from rhodecode.model.scm import ScmModel
             from rhodecode.model.pull_request import PullRequestModel
             from rhodecode.model.settings import SettingsModel, VcsSettingsModel
             log = logging.getLogger(__name__)
             def extract_svn_txn_id(acl_repo_name, data):
                 """
                 Helper method for extraction of svn txn_id from submitted XML data during
                 POST operations
                 """
                 try:
                     root = etree.fromstring(data)
                     pat = re.compile(r'/txn/(?P<txn_id>.*)')
                     for el in root:
                         if el.tag == '{DAV:}source':
                             for sub_el in el:
                                 if sub_el.tag == '{DAV:}href':
                                     match = pat.search(sub_el.text)
                                     if match:
                                         svn_tx_id = match.groupdict()['txn_id']
                                         txn_id = rc_cache.utils.compute_key_from_params(
                                             acl_repo_name, svn_tx_id)
                                         return txn_id
                 except Exception:
                     log.exception('Failed to extract txn_id')
             def initialize_generator(factory):
                 """
                 Initializes the returned generator by draining its first element.
                 This can be used to give a generator an initializer, which is the code
                 up to the first yield statement. This decorator enforces that the first
                 produced element has the value ``"__init__"`` to make its special
                 purpose very explicit in the using code.
                 """
                 @wraps(factory)
                 def wrapper(*args, **kwargs):
                     gen = factory(*args, **kwargs)
                     try:
                         init = gen.next()
                     except StopIteration:
                         raise ValueError('Generator must yield at least one element.')
                     if init != "__init__":
                         raise ValueError('First yielded element must be "__init__".')
                     return gen
                 return wrapper
             class SimpleVCS(object):
                 """Common functionality for SCM HTTP handlers."""
                 SCM = 'unknown'
                 acl_repo_name = None
                 url_repo_name = None
                 vcs_repo_name = None
                 rc_extras = {}
                 # We have to handle requests to shadow repositories different than requests
                 # to normal repositories. Therefore we have to distinguish them. To do this
                 # we use this regex which will match only on URLs pointing to shadow
                 # repositories.
                 shadow_repo_re = re.compile(
                     '(?P<groups>(?:{slug_pat}/)*)'  # repo groups
                     '(?P<target>{slug_pat})/'       # target repo
                     'pull-request/(?P<pr_id>\d+)/'  # pull request
                     'repository$'                   # shadow repo
                     .format(slug_pat=SLUG_RE.pattern))
                 def __init__(self, config, registry):
                     self.registry = registry
                     self.config = config
                     # re-populated by specialized middleware
                     self.repo_vcs_config = base.Config()
                     self.rhodecode_settings = SettingsModel().get_all_settings(cache=True)
                     registry.rhodecode_settings = self.rhodecode_settings
                     # authenticate this VCS request using authfunc
                     auth_ret_code_detection = \
                         str2bool(self.config.get('auth_ret_code_detection', False))
                     self.authenticate = BasicAuth(
                         '', authenticate, registry, config.get('auth_ret_code'),
                         auth_ret_code_detection)
                     self.ip_addr = '0.0.0.0'
                 @LazyProperty
                 def global_vcs_config(self):
                     try:
                         return VcsSettingsModel().get_ui_settings_as_config_obj()
                     except Exception:
                         return base.Config()
                 @property
                 def base_path(self):
                     settings_path = self.repo_vcs_config.get(
                         *VcsSettingsModel.PATH_SETTING)
                     if not settings_path:
                         settings_path = self.global_vcs_config.get(
                         *VcsSettingsModel.PATH_SETTING)
                     if not settings_path:
                         # try, maybe we passed in explicitly as config option
                         settings_path = self.config.get('base_path')
                     if not settings_path:
                         raise ValueError('FATAL: base_path is empty')
                     return settings_path
                 def set_repo_names(self, environ):
                     """
                     This will populate the attributes acl_repo_name, url_repo_name,
                     vcs_repo_name and is_shadow_repo. In case of requests to normal (non
                     shadow) repositories all names are equal. In case of requests to a
                     shadow repository the acl-name points to the target repo of the pull
                     request and the vcs-name points to the shadow repo file system path.
                     The url-name is always the URL used by the vcs client program.
                     Example in case of a shadow repo:
                         acl_repo_name = RepoGroup/MyRepo
                         url_repo_name = RepoGroup/MyRepo/pull-request/3/repository
                         vcs_repo_name = /repo/base/path/RepoGroup/.__shadow_MyRepo_pr-3'
                     """
                     # First we set the repo name from URL for all attributes. This is the
                     # default if handling normal (non shadow) repo requests.
                     self.url_repo_name = self._get_repository_name(environ)
                     self.acl_repo_name = self.vcs_repo_name = self.url_repo_name
                     self.is_shadow_repo = False
                     # Check if this is a request to a shadow repository.
                     match = self.shadow_repo_re.match(self.url_repo_name)
                     if match:
                         match_dict = match.groupdict()
                         # Build acl repo name from regex match.
                         acl_repo_name = safe_unicode('{groups}{target}'.format(
                             groups=match_dict['groups'] or '',
                             target=match_dict['target']))
                         # Retrieve pull request instance by ID from regex match.
                         pull_request = PullRequest.get(match_dict['pr_id'])
                         # Only proceed if we got a pull request and if acl repo name from
                         # URL equals the target repo name of the pull request.
                         if pull_request and \
                                 (acl_repo_name == pull_request.target_repo.repo_name):
                             repo_id = pull_request.target_repo.repo_id
                             # Get file system path to shadow repository.
                             workspace_id = PullRequestModel()._workspace_id(pull_request)
                             target_vcs = pull_request.target_repo.scm_instance()
                             vcs_repo_name = target_vcs._get_shadow_repository_path(
                                 repo_id, workspace_id)
                             # Store names for later usage.
                             self.vcs_repo_name = vcs_repo_name
                             self.acl_repo_name = acl_repo_name
                             self.is_shadow_repo = True
                     log.debug('Setting all VCS repository names: %s', {
                         'acl_repo_name': self.acl_repo_name,
                         'url_repo_name': self.url_repo_name,
                         'vcs_repo_name': self.vcs_repo_name,
                     })
                 @property
                 def scm_app(self):
                     custom_implementation = self.config['vcs.scm_app_implementation']
                     if custom_implementation == 'http':
                         log.info('Using HTTP implementation of scm app.')
                         scm_app_impl = scm_app_http
                     else:
                         log.info('Using custom implementation of scm_app: "{}"'.format(
                             custom_implementation))
                         scm_app_impl = importlib.import_module(custom_implementation)
                     return scm_app_impl
                 def _get_by_id(self, repo_name):
                     """
                     Gets a special pattern _<ID> from clone url and tries to replace it
                     with a repository_name for support of _<ID> non changeable urls
                     """
                     data = repo_name.split('/')
                     if len(data) >= 2:
                         from rhodecode.model.repo import RepoModel
                         by_id_match = RepoModel().get_repo_by_id(repo_name)
                         if by_id_match:
                             data[1] = by_id_match.repo_name
                     return safe_str('/'.join(data))
                 def _invalidate_cache(self, repo_name):
                     """
                     Set's cache for this repository for invalidation on next access
                     :param repo_name: full repo name, also a cache key
                     """
                     ScmModel().mark_for_invalidation(repo_name)
                 def is_valid_and_existing_repo(self, repo_name, base_path, scm_type):
                     db_repo = Repository.get_by_repo_name(repo_name)
                     if not db_repo:
                         log.debug('Repository `%s` not found inside the database.',
                                   repo_name)
                         return False
                     if db_repo.repo_type != scm_type:
                         log.warning(
                             'Repository `%s` have incorrect scm_type, expected %s got %s',
                             repo_name, db_repo.repo_type, scm_type)
                         return False
                     config = db_repo._config
                     config.set('extensions', 'largefiles', '')
                     return is_valid_repo(
                         repo_name, base_path,
                         explicit_scm=scm_type, expect_scm=scm_type, config=config)
                 def valid_and_active_user(self, user):
                     """
                     Checks if that user is not empty, and if it's actually object it checks
                     if he's active.
                     :param user: user object or None
                     :return: boolean
                     """
                     if user is None:
                         return False
                     elif user.active:
                         return True
                     return False
                 @property
                 def is_shadow_repo_dir(self):
                     return os.path.isdir(self.vcs_repo_name)
-                def _check_permission(self, action, user, repo_name, ip_addr=None,
+                def _check_permission(self, action, user, auth_user, repo_name, ip_addr=None,
                                       plugin_id='', plugin_cache_active=False, cache_ttl=0):
                     """
                     Checks permissions using action (push/pull) user and repository
                     name. If plugin_cache and ttl is set it will use the plugin which
                     authenticated the user to store the cached permissions result for N
                     amount of seconds as in cache_ttl
                     :param action: push or pull action
                     :param user: user instance
                     :param repo_name: repository name
                     """
                     log.debug('AUTH_CACHE_TTL for permissions `%s` active: %s (TTL: %s)',
                               plugin_id, plugin_cache_active, cache_ttl)
                     user_id = user.user_id
                     cache_namespace_uid = 'cache_user_auth.{}'.format(user_id)
                     region = rc_cache.get_or_create_region('cache_perms', cache_namespace_uid)
                     @region.conditional_cache_on_arguments(namespace=cache_namespace_uid,
                                                            expiration_time=cache_ttl,
                                                            condition=plugin_cache_active)
                     def compute_perm_vcs(
                             cache_name, plugin_id, action, user_id, repo_name, ip_addr):
                         log.debug('auth: calculating permission access now...')
                         # check IP
                         inherit = user.inherit_default_permissions
                         ip_allowed = AuthUser.check_ip_allowed(
                             user_id, ip_addr, inherit_from_default=inherit)
                         if ip_allowed:
                             log.info('Access for IP:%s allowed', ip_addr)
                         else:
                             return False
                         if action == 'push':
                             perms = ('repository.write', 'repository.admin')
-                            if not HasPermissionAnyMiddleware(*perms)(user, repo_name):
+                            if not HasPermissionAnyMiddleware(*perms)(auth_user, repo_name):
                                 return False
                         else:
                             # any other action need at least read permission
                             perms = (
                                 'repository.read', 'repository.write', 'repository.admin')
-                            if not HasPermissionAnyMiddleware(*perms)(user, repo_name):
+                            if not HasPermissionAnyMiddleware(*perms)(auth_user, repo_name):
                                 return False
                         return True
                     start = time.time()
                     log.debug('Running plugin `%s` permissions check', plugin_id)
                     # for environ based auth, password can be empty, but then the validation is
                     # on the server that fills in the env data needed for authentication
                     perm_result = compute_perm_vcs(
                         'vcs_permissions', plugin_id, action, user.user_id, repo_name, ip_addr)
                     auth_time = time.time() - start
                     log.debug('Permissions for plugin `%s` completed in %.3fs, '
                               'expiration time of fetched cache %.1fs.',
                               plugin_id, auth_time, cache_ttl)
                     return perm_result
                 def _check_ssl(self, environ, start_response):
                     """
                     Checks the SSL check flag and returns False if SSL is not present
                     and required True otherwise
                     """
                     org_proto = environ['wsgi._org_proto']
                     # check if we have SSL required  ! if not it's a bad request !
                     require_ssl = str2bool(self.repo_vcs_config.get('web', 'push_ssl'))
                     if require_ssl and org_proto == 'http':
                         log.debug(
                             'Bad request: detected protocol is `%s` and '
                             'SSL/HTTPS is required.', org_proto)
                         return False
                     return True
                 def _get_default_cache_ttl(self):
                     # take AUTH_CACHE_TTL from the `rhodecode` auth plugin
                     plugin = loadplugin('egg:rhodecode-enterprise-ce#rhodecode')
                     plugin_settings = plugin.get_settings()
                     plugin_cache_active, cache_ttl = plugin.get_ttl_cache(
                         plugin_settings) or (False, 0)
                     return plugin_cache_active, cache_ttl
                 def __call__(self, environ, start_response):
                     try:
                         return self._handle_request(environ, start_response)
                     except Exception:
                         log.exception("Exception while handling request")
                         appenlight.track_exception(environ)
                         return HTTPInternalServerError()(environ, start_response)
                     finally:
                         meta.Session.remove()
                 def _handle_request(self, environ, start_response):
                     if not self._check_ssl(environ, start_response):
                         reason = ('SSL required, while RhodeCode was unable '
                                   'to detect this as SSL request')
                         log.debug('User not allowed to proceed, %s', reason)
                         return HTTPNotAcceptable(reason)(environ, start_response)
                     if not self.url_repo_name:
                         log.warning('Repository name is empty: %s', self.url_repo_name)
                         # failed to get repo name, we fail now
                         return HTTPNotFound()(environ, start_response)
                     log.debug('Extracted repo name is %s', self.url_repo_name)
                     ip_addr = get_ip_addr(environ)
                     user_agent = get_user_agent(environ)
                     username = None
                     # skip passing error to error controller
                     environ['pylons.status_code_redirect'] = True
                     # ======================================================================
                     # GET ACTION PULL or PUSH
                     # ======================================================================
                     action = self._get_action(environ)
                     # ======================================================================
                     # Check if this is a request to a shadow repository of a pull request.
                     # In this case only pull action is allowed.
                     # ======================================================================
                     if self.is_shadow_repo and action != 'pull':
                         reason = 'Only pull action is allowed for shadow repositories.'
                         log.debug('User not allowed to proceed, %s', reason)
                         return HTTPNotAcceptable(reason)(environ, start_response)
                     # Check if the shadow repo actually exists, in case someone refers
                     # to it, and it has been deleted because of successful merge.
                     if self.is_shadow_repo and not self.is_shadow_repo_dir:
                         log.debug(
                             'Shadow repo detected, and shadow repo dir `%s` is missing',
                             self.is_shadow_repo_dir)
                         return HTTPNotFound()(environ, start_response)
                     # ======================================================================
                     # CHECK ANONYMOUS PERMISSION
                     # ======================================================================
+                    detect_force_push = False
+                    check_branch_perms = False
                     if action in ['pull', 'push']:
-                        anonymous_user = User.get_default_user()
+                        user_obj = anonymous_user = User.get_default_user()
+                        auth_user = user_obj.AuthUser()
                         username = anonymous_user.username
                         if anonymous_user.active:
                             plugin_cache_active, cache_ttl = self._get_default_cache_ttl()
                             # ONLY check permissions if the user is activated
                             anonymous_perm = self._check_permission(
-                                action, anonymous_user, self.acl_repo_name, ip_addr,
+                                action, anonymous_user, auth_user, self.acl_repo_name, ip_addr,
                                 plugin_id='anonymous_access',
                                 plugin_cache_active=plugin_cache_active,
                                 cache_ttl=cache_ttl,
                             )
                         else:
                             anonymous_perm = False
                         if not anonymous_user.active or not anonymous_perm:
                             if not anonymous_user.active:
                                 log.debug('Anonymous access is disabled, running '
                                           'authentication')
                             if not anonymous_perm:
                                 log.debug('Not enough credentials to access this '
                                           'repository as anonymous user')
                             username = None
                             # ==============================================================
                             # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE
                             # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS
                             # ==============================================================
                             # try to auth based on environ, container auth methods
                             log.debug('Running PRE-AUTH for container based authentication')
                             pre_auth = authenticate(
                                 '', '', environ, VCS_TYPE, registry=self.registry,
                                 acl_repo_name=self.acl_repo_name)
                             if pre_auth and pre_auth.get('username'):
                                 username = pre_auth['username']
                             log.debug('PRE-AUTH got %s as username', username)
                             if pre_auth:
                                 log.debug('PRE-AUTH successful from %s',
                                           pre_auth.get('auth_data', {}).get('_plugin'))
                             # If not authenticated by the container, running basic auth
                             # before inject the calling repo_name for special scope checks
                             self.authenticate.acl_repo_name = self.acl_repo_name
                             plugin_cache_active, cache_ttl = False, 0
                             plugin = None
                             if not username:
                                 self.authenticate.realm = self.authenticate.get_rc_realm()
                                 try:
                                     auth_result = self.authenticate(environ)
                                 except (UserCreationError, NotAllowedToCreateUserError) as e:
                                     log.error(e)
                                     reason = safe_str(e)
                                     return HTTPNotAcceptable(reason)(environ, start_response)
                                 if isinstance(auth_result, dict):
                                     AUTH_TYPE.update(environ, 'basic')
                                     REMOTE_USER.update(environ, auth_result['username'])
                                     username = auth_result['username']
                                     plugin = auth_result.get('auth_data', {}).get('_plugin')
                                     log.info(
                                         'MAIN-AUTH successful for user `%s` from %s plugin',
                                         username, plugin)
                                     plugin_cache_active, cache_ttl = auth_result.get(
                                         'auth_data', {}).get('_ttl_cache') or (False, 0)
                                 else:
                                     return auth_result.wsgi_application(
                                         environ, start_response)
                             # ==============================================================
                             # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME
                             # ==============================================================
                             user = User.get_by_username(username)
                             if not self.valid_and_active_user(user):
                                 return HTTPForbidden()(environ, start_response)
                             username = user.username
                             user_id = user.user_id
                             # check user attributes for password change flag
                             user_obj = user
+                            auth_user = user_obj.AuthUser()
                             if user_obj and user_obj.username != User.DEFAULT_USER and \
                                     user_obj.user_data.get('force_password_change'):
                                 reason = 'password change required'
                                 log.debug('User not allowed to authenticate, %s', reason)
                                 return HTTPNotAcceptable(reason)(environ, start_response)
                             # check permissions for this repository
                             perm = self._check_permission(
-                                action, user, self.acl_repo_name, ip_addr,
+                                action, user, auth_user, self.acl_repo_name, ip_addr,
                                 plugin, plugin_cache_active, cache_ttl)
                             if not perm:
                                 return HTTPForbidden()(environ, start_response)
                             environ['rc_auth_user_id'] = user_id
+                        if action == 'push':
+                            perms = auth_user.get_branch_permissions(self.acl_repo_name)
+                            if perms:
+                                check_branch_perms = True
+                                detect_force_push = True
                     # extras are injected into UI object and later available
                     # in hooks executed by RhodeCode
                     check_locking = _should_check_locking(environ.get('QUERY_STRING'))
                     extras = vcs_operation_context(
                         environ, repo_name=self.acl_repo_name, username=username,
                         action=action, scm=self.SCM, check_locking=check_locking,
-                        is_shadow_repo=self.is_shadow_repo
+                        is_shadow_repo=self.is_shadow_repo, check_branch_perms=check_branch_perms,
+                        detect_force_push=detect_force_push
                     )
                     # ======================================================================
                     # REQUEST HANDLING
                     # ======================================================================
                     repo_path = os.path.join(
                         safe_str(self.base_path), safe_str(self.vcs_repo_name))
                     log.debug('Repository path is %s', repo_path)
                     fix_PATH()
                     log.info(
                         '%s action on %s repo "%s" by "%s" from %s %s',
                         action, self.SCM, safe_str(self.url_repo_name),
                         safe_str(username), ip_addr, user_agent)
                     return self._generate_vcs_response(
                         environ, start_response, repo_path, extras, action)
                 @initialize_generator
                 def _generate_vcs_response(
                         self, environ, start_response, repo_path, extras, action):
                     """
                     Returns a generator for the response content.
                     This method is implemented as a generator, so that it can trigger
                     the cache validation after all content sent back to the client. It
                     also handles the locking exceptions which will be triggered when
                     the first chunk is produced by the underlying WSGI application.
                     """
                     txn_id = ''
                     if 'CONTENT_LENGTH' in environ and environ['REQUEST_METHOD'] == 'MERGE':
                         # case for SVN, we want to re-use the callback daemon port
                         # so we use the txn_id, for this we peek the body, and still save
                         # it as wsgi.input
                         data = environ['wsgi.input'].read()
                         environ['wsgi.input'] = StringIO(data)
                         txn_id = extract_svn_txn_id(self.acl_repo_name, data)
                     callback_daemon, extras = self._prepare_callback_daemon(
                         extras, environ, action, txn_id=txn_id)
                     log.debug('HOOKS extras is %s', extras)
                     config = self._create_config(extras, self.acl_repo_name)
                     app = self._create_wsgi_app(repo_path, self.url_repo_name, config)
                     with callback_daemon:
                         app.rc_extras = extras
                         try:
                             response = app(environ, start_response)
                         finally:
                             # This statement works together with the decorator
                             # "initialize_generator" above. The decorator ensures that
                             # we hit the first yield statement before the generator is
                             # returned back to the WSGI server. This is needed to
                             # ensure that the call to "app" above triggers the
                             # needed callback to "start_response" before the
                             # generator is actually used.
                             yield "__init__"
                         # iter content
                         for chunk in response:
                             yield chunk
                         try:
                             # invalidate cache on push
                             if action == 'push':
                                 self._invalidate_cache(self.url_repo_name)
                         finally:
                             meta.Session.remove()
                 def _get_repository_name(self, environ):
                     """Get repository name out of the environmnent
                     :param environ: WSGI environment
                     """
                     raise NotImplementedError()
                 def _get_action(self, environ):
                     """Map request commands into a pull or push command.
                     :param environ: WSGI environment
                     """
                     raise NotImplementedError()
                 def _create_wsgi_app(self, repo_path, repo_name, config):
                     """Return the WSGI app that will finally handle the request."""
                     raise NotImplementedError()
                 def _create_config(self, extras, repo_name):
                     """Create a safe config representation."""
                     raise NotImplementedError()
                 def _should_use_callback_daemon(self, extras, environ, action):
                     return True
                 def _prepare_callback_daemon(self, extras, environ, action, txn_id=None):
                     direct_calls = vcs_settings.HOOKS_DIRECT_CALLS
                     if not self._should_use_callback_daemon(extras, environ, action):
                         # disable callback daemon for actions that don't require it
                         direct_calls = True
                     return prepare_callback_daemon(
                         extras, protocol=vcs_settings.HOOKS_PROTOCOL,
                         host=vcs_settings.HOOKS_HOST, use_direct_calls=direct_calls, txn_id=txn_id)
             def _should_check_locking(query_string):
                 # this is kind of hacky, but due to how mercurial handles client-server
                 # server see all operation on commit; bookmarks, phases and
                 # obsolescence marker in different transaction, we don't want to check
                 # locking on those
                 return query_string not in ['cmd=listkeys']

rhodecode/tests/lib/test_auth.py

0 +1 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import os
             from hashlib import sha1
             import pytest
             from mock import patch
             from rhodecode.lib import auth
             from rhodecode.lib.utils2 import md5
             from rhodecode.model.auth_token import AuthTokenModel
             from rhodecode.model.db import User
             from rhodecode.model.repo import RepoModel
             from rhodecode.model.user import UserModel
             from rhodecode.model.user_group import UserGroupModel
             def test_perm_origin_dict():
                 pod = auth.PermOriginDict()
                 pod['thing'] = 'read', 'default'
                 assert pod['thing'] == 'read'
                 assert pod.perm_origin_stack == {
                     'thing': [('read', 'default')]}
                 pod['thing'] = 'write', 'admin'
                 assert pod['thing'] == 'write'
                 assert pod.perm_origin_stack == {
                     'thing': [('read', 'default'), ('write', 'admin')]}
                 pod['other'] = 'write', 'default'
                 assert pod.perm_origin_stack == {
                     'other': [('write', 'default')],
                     'thing': [('read', 'default'), ('write', 'admin')]}
                 pod['other'] = 'none', 'override'
                 assert pod.perm_origin_stack == {
                     'other': [('write', 'default'), ('none', 'override')],
                     'thing': [('read', 'default'), ('write', 'admin')]}
                 with pytest.raises(ValueError):
                     pod['thing'] = 'read'
             def test_cached_perms_data(user_regular, backend_random):
                 permissions = get_permissions(user_regular)
                 repo_name = backend_random.repo.repo_name
                 expected_global_permissions = {
                     'repository.read', 'group.read', 'usergroup.read'}
                 assert expected_global_permissions.issubset(permissions['global'])
                 assert permissions['repositories'][repo_name] == 'repository.read'
             def test_cached_perms_data_with_admin_user(user_regular, backend_random):
                 permissions = get_permissions(user_regular, user_is_admin=True)
                 repo_name = backend_random.repo.repo_name
                 assert 'hg.admin' in permissions['global']
                 assert permissions['repositories'][repo_name] == 'repository.admin'
             def test_cached_perms_data_with_admin_user_extended_calculation(user_regular, backend_random):
                 permissions = get_permissions(user_regular, user_is_admin=True,
                                               calculate_super_admin=True)
                 repo_name = backend_random.repo.repo_name
                 assert 'hg.admin' in permissions['global']
                 assert permissions['repositories'][repo_name] == 'repository.admin'
             def test_cached_perms_data_user_group_global_permissions(user_util):
                 user, user_group = user_util.create_user_with_group()
                 user_group.inherit_default_permissions = False
                 granted_permission = 'repository.write'
                 UserGroupModel().grant_perm(user_group, granted_permission)
                 permissions = get_permissions(user)
                 assert granted_permission in permissions['global']
             @pytest.mark.xfail(reason="Not implemented, see TODO note")
             def test_cached_perms_data_user_group_global_permissions_(user_util):
                 user, user_group = user_util.create_user_with_group()
                 granted_permission = 'repository.write'
                 UserGroupModel().grant_perm(user_group, granted_permission)
                 permissions = get_permissions(user)
                 assert granted_permission in permissions['global']
             def test_cached_perms_data_user_global_permissions(user_util):
                 user = user_util.create_user()
                 UserModel().grant_perm(user, 'repository.none')
                 permissions = get_permissions(user, user_inherit_default_permissions=True)
                 assert 'repository.read' in permissions['global']
             def test_cached_perms_data_repository_permissions_on_private_repository(
                     backend_random, user_util):
                 user, user_group = user_util.create_user_with_group()
                 repo = backend_random.create_repo()
                 repo.private = True
                 granted_permission = 'repository.write'
                 RepoModel().grant_user_group_permission(
                     repo, user_group.users_group_name, granted_permission)
                 permissions = get_permissions(user)
                 assert permissions['repositories'][repo.repo_name] == granted_permission
             def test_cached_perms_data_repository_permissions_for_owner(
                     backend_random, user_util):
                 user = user_util.create_user()
                 repo = backend_random.create_repo()
                 repo.user_id = user.user_id
                 permissions = get_permissions(user)
                 assert permissions['repositories'][repo.repo_name] == 'repository.admin'
                 # TODO: johbo: Make cleanup in UserUtility smarter, then remove this hack
                 repo.user_id = User.get_default_user().user_id
             def test_cached_perms_data_repository_permissions_not_inheriting_defaults(
                     backend_random, user_util):
                 user = user_util.create_user()
                 repo = backend_random.create_repo()
                 # Don't inherit default object permissions
                 UserModel().grant_perm(user, 'hg.inherit_default_perms.false')
                 permissions = get_permissions(user)
                 assert permissions['repositories'][repo.repo_name] == 'repository.none'
             def test_cached_perms_data_default_permissions_on_repository_group(user_util):
                 # Have a repository group with default permissions set
                 repo_group = user_util.create_repo_group()
                 default_user = User.get_default_user()
                 user_util.grant_user_permission_to_repo_group(
                     repo_group, default_user, 'repository.write')
                 user = user_util.create_user()
                 permissions = get_permissions(user)
                 assert permissions['repositories_groups'][repo_group.group_name] == \
                     'repository.write'
             def test_cached_perms_data_default_permissions_on_repository_group_owner(
                     user_util):
                 # Have a repository group
                 repo_group = user_util.create_repo_group()
                 default_user = User.get_default_user()
                 # Add a permission for the default user to hit the code path
                 user_util.grant_user_permission_to_repo_group(
                     repo_group, default_user, 'repository.write')
                 # Have an owner of the group
                 user = user_util.create_user()
                 repo_group.user_id = user.user_id
                 permissions = get_permissions(user)
                 assert permissions['repositories_groups'][repo_group.group_name] == \
                     'group.admin'
             def test_cached_perms_data_default_permissions_on_repository_group_no_inherit(
                     user_util):
                 # Have a repository group
                 repo_group = user_util.create_repo_group()
                 default_user = User.get_default_user()
                 # Add a permission for the default user to hit the code path
                 user_util.grant_user_permission_to_repo_group(
                     repo_group, default_user, 'repository.write')
                 # Don't inherit default object permissions
                 user = user_util.create_user()
                 UserModel().grant_perm(user, 'hg.inherit_default_perms.false')
                 permissions = get_permissions(user)
                 assert permissions['repositories_groups'][repo_group.group_name] == \
                     'group.none'
             def test_cached_perms_data_repository_permissions_from_user_group(
                     user_util, backend_random):
                 user, user_group = user_util.create_user_with_group()
                 # Needs a second user group to make sure that we select the right
                 # permissions.
                 user_group2 = user_util.create_user_group()
                 UserGroupModel().add_user_to_group(user_group2, user)
                 repo = backend_random.create_repo()
                 RepoModel().grant_user_group_permission(
                     repo, user_group.users_group_name, 'repository.read')
                 RepoModel().grant_user_group_permission(
                     repo, user_group2.users_group_name, 'repository.write')
                 permissions = get_permissions(user)
                 assert permissions['repositories'][repo.repo_name] == 'repository.write'
             def test_cached_perms_data_repository_permissions_from_user_group_owner(
                     user_util, backend_random):
                 user, user_group = user_util.create_user_with_group()
                 repo = backend_random.create_repo()
                 repo.user_id = user.user_id
                 RepoModel().grant_user_group_permission(
                     repo, user_group.users_group_name, 'repository.write')
                 permissions = get_permissions(user)
                 assert permissions['repositories'][repo.repo_name] == 'repository.admin'
             def test_cached_perms_data_user_repository_permissions(
                     user_util, backend_random):
                 user = user_util.create_user()
                 repo = backend_random.create_repo()
                 granted_permission = 'repository.write'
                 RepoModel().grant_user_permission(repo, user, granted_permission)
                 permissions = get_permissions(user)
                 assert permissions['repositories'][repo.repo_name] == granted_permission
             def test_cached_perms_data_user_repository_permissions_explicit(
                     user_util, backend_random):
                 user = user_util.create_user()
                 repo = backend_random.create_repo()
                 granted_permission = 'repository.none'
                 RepoModel().grant_user_permission(repo, user, granted_permission)
                 permissions = get_permissions(user, explicit=True)
                 assert permissions['repositories'][repo.repo_name] == granted_permission
             def test_cached_perms_data_user_repository_permissions_owner(
                     user_util, backend_random):
                 user = user_util.create_user()
                 repo = backend_random.create_repo()
                 repo.user_id = user.user_id
                 RepoModel().grant_user_permission(repo, user, 'repository.write')
                 permissions = get_permissions(user)
                 assert permissions['repositories'][repo.repo_name] == 'repository.admin'
             def test_cached_perms_data_repository_groups_permissions_inherited(
                     user_util, backend_random):
                 user, user_group = user_util.create_user_with_group()
                 # Needs a second group to hit the last condition
                 user_group2 = user_util.create_user_group()
                 UserGroupModel().add_user_to_group(user_group2, user)
                 repo_group = user_util.create_repo_group()
                 user_util.grant_user_group_permission_to_repo_group(
                     repo_group, user_group, 'group.read')
                 user_util.grant_user_group_permission_to_repo_group(
                     repo_group, user_group2, 'group.write')
                 permissions = get_permissions(user)
                 assert permissions['repositories_groups'][repo_group.group_name] == \
                     'group.write'
             def test_cached_perms_data_repository_groups_permissions_inherited_owner(
                     user_util, backend_random):
                 user, user_group = user_util.create_user_with_group()
                 repo_group = user_util.create_repo_group()
                 repo_group.user_id = user.user_id
                 granted_permission = 'group.write'
                 user_util.grant_user_group_permission_to_repo_group(
                     repo_group, user_group, granted_permission)
                 permissions = get_permissions(user)
                 assert permissions['repositories_groups'][repo_group.group_name] == \
                     'group.admin'
             def test_cached_perms_data_repository_groups_permissions(
                     user_util, backend_random):
                 user = user_util.create_user()
                 repo_group = user_util.create_repo_group()
                 granted_permission = 'group.write'
                 user_util.grant_user_permission_to_repo_group(
                     repo_group, user, granted_permission)
                 permissions = get_permissions(user)
                 assert permissions['repositories_groups'][repo_group.group_name] == \
                     'group.write'
             def test_cached_perms_data_repository_groups_permissions_explicit(
                     user_util, backend_random):
                 user = user_util.create_user()
                 repo_group = user_util.create_repo_group()
                 granted_permission = 'group.none'
                 user_util.grant_user_permission_to_repo_group(
                     repo_group, user, granted_permission)
                 permissions = get_permissions(user, explicit=True)
                 assert permissions['repositories_groups'][repo_group.group_name] == \
                     'group.none'
             def test_cached_perms_data_repository_groups_permissions_owner(
                     user_util, backend_random):
                 user = user_util.create_user()
                 repo_group = user_util.create_repo_group()
                 repo_group.user_id = user.user_id
                 granted_permission = 'group.write'
                 user_util.grant_user_permission_to_repo_group(
                     repo_group, user, granted_permission)
                 permissions = get_permissions(user)
                 assert permissions['repositories_groups'][repo_group.group_name] == \
                     'group.admin'
             def test_cached_perms_data_user_group_permissions_inherited(
                     user_util, backend_random):
                 user, user_group = user_util.create_user_with_group()
                 user_group2 = user_util.create_user_group()
                 UserGroupModel().add_user_to_group(user_group2, user)
                 target_user_group = user_util.create_user_group()
                 user_util.grant_user_group_permission_to_user_group(
                     target_user_group, user_group, 'usergroup.read')
                 user_util.grant_user_group_permission_to_user_group(
                     target_user_group, user_group2, 'usergroup.write')
                 permissions = get_permissions(user)
                 assert permissions['user_groups'][target_user_group.users_group_name] == \
                     'usergroup.write'
             def test_cached_perms_data_user_group_permissions(
                     user_util, backend_random):
                 user = user_util.create_user()
                 user_group = user_util.create_user_group()
                 UserGroupModel().grant_user_permission(user_group, user, 'usergroup.write')
                 permissions = get_permissions(user)
                 assert permissions['user_groups'][user_group.users_group_name] == \
                     'usergroup.write'
             def test_cached_perms_data_user_group_permissions_explicit(
                     user_util, backend_random):
                 user = user_util.create_user()
                 user_group = user_util.create_user_group()
                 UserGroupModel().grant_user_permission(user_group, user, 'usergroup.none')
                 permissions = get_permissions(user, explicit=True)
                 assert permissions['user_groups'][user_group.users_group_name] == \
                     'usergroup.none'
             def test_cached_perms_data_user_group_permissions_not_inheriting_defaults(
                     user_util, backend_random):
                 user = user_util.create_user()
                 user_group = user_util.create_user_group()
                 # Don't inherit default object permissions
                 UserModel().grant_perm(user, 'hg.inherit_default_perms.false')
                 permissions = get_permissions(user)
                 assert permissions['user_groups'][user_group.users_group_name] == \
                     'usergroup.none'
             def test_permission_calculator_admin_permissions(
                     user_util, backend_random):
                 user = user_util.create_user()
                 user_group = user_util.create_user_group()
                 repo = backend_random.repo
                 repo_group = user_util.create_repo_group()
                 calculator = auth.PermissionCalculator(
                     user.user_id, {}, False, False, True, 'higherwin')
-                permissions = calculator._admin_permissions()
+                permissions = calculator._calculate_admin_permissions()
                 assert permissions['repositories_groups'][repo_group.group_name] == \
                     'group.admin'
                 assert permissions['user_groups'][user_group.users_group_name] == \
                     'usergroup.admin'
                 assert permissions['repositories'][repo.repo_name] == 'repository.admin'
                 assert 'hg.admin' in permissions['global']
             def test_permission_calculator_repository_permissions_robustness_from_group(
                     user_util, backend_random):
                 user, user_group = user_util.create_user_with_group()
                 RepoModel().grant_user_group_permission(
                     backend_random.repo, user_group.users_group_name, 'repository.write')
                 calculator = auth.PermissionCalculator(
                     user.user_id, {}, False, False, False, 'higherwin')
                 calculator._calculate_repository_permissions()
             def test_permission_calculator_repository_permissions_robustness_from_user(
                     user_util, backend_random):
                 user = user_util.create_user()
                 RepoModel().grant_user_permission(
                     backend_random.repo, user, 'repository.write')
                 calculator = auth.PermissionCalculator(
                     user.user_id, {}, False, False, False, 'higherwin')
                 calculator._calculate_repository_permissions()
             def test_permission_calculator_repo_group_permissions_robustness_from_group(
                     user_util, backend_random):
                 user, user_group = user_util.create_user_with_group()
                 repo_group = user_util.create_repo_group()
                 user_util.grant_user_group_permission_to_repo_group(
                     repo_group, user_group, 'group.write')
                 calculator = auth.PermissionCalculator(
                     user.user_id, {}, False, False, False, 'higherwin')
                 calculator._calculate_repository_group_permissions()
             def test_permission_calculator_repo_group_permissions_robustness_from_user(
                     user_util, backend_random):
                 user = user_util.create_user()
                 repo_group = user_util.create_repo_group()
                 user_util.grant_user_permission_to_repo_group(
                     repo_group, user, 'group.write')
                 calculator = auth.PermissionCalculator(
                     user.user_id, {}, False, False, False, 'higherwin')
                 calculator._calculate_repository_group_permissions()
             def test_permission_calculator_user_group_permissions_robustness_from_group(
                     user_util, backend_random):
                 user, user_group = user_util.create_user_with_group()
                 target_user_group = user_util.create_user_group()
                 user_util.grant_user_group_permission_to_user_group(
                     target_user_group, user_group, 'usergroup.write')
                 calculator = auth.PermissionCalculator(
                     user.user_id, {}, False, False, False, 'higherwin')
                 calculator._calculate_user_group_permissions()
             def test_permission_calculator_user_group_permissions_robustness_from_user(
                     user_util, backend_random):
                 user = user_util.create_user()
                 target_user_group = user_util.create_user_group()
                 user_util.grant_user_permission_to_user_group(
                     target_user_group, user, 'usergroup.write')
                 calculator = auth.PermissionCalculator(
                     user.user_id, {}, False, False, False, 'higherwin')
                 calculator._calculate_user_group_permissions()
             @pytest.mark.parametrize("algo, new_permission, old_permission, expected", [
                 ('higherwin', 'repository.none', 'repository.none', 'repository.none'),
                 ('higherwin', 'repository.read', 'repository.none', 'repository.read'),
                 ('lowerwin', 'repository.write', 'repository.write', 'repository.write'),
                 ('lowerwin', 'repository.read', 'repository.write', 'repository.read'),
             ])
             def test_permission_calculator_choose_permission(
                     user_regular, algo, new_permission, old_permission, expected):
                 calculator = auth.PermissionCalculator(
                     user_regular.user_id, {}, False, False, False, algo)
                 result = calculator._choose_permission(new_permission, old_permission)
                 assert result == expected
             def test_permission_calculator_choose_permission_raises_on_wrong_algo(
                     user_regular):
                 calculator = auth.PermissionCalculator(
                     user_regular.user_id, {}, False, False, False, 'invalid')
                 result = calculator._choose_permission(
                     'repository.read', 'repository.read')
                 # TODO: johbo: This documents the existing behavior. Think of an
                 # improvement.
                 assert result is None
             def test_auth_user_get_cookie_store_for_normal_user(user_util):
                 user = user_util.create_user()
                 auth_user = auth.AuthUser(user_id=user.user_id)
                 expected_data = {
                     'username': user.username,
                     'user_id': user.user_id,
                     'password': md5(user.password),
                     'is_authenticated': False
                 }
                 assert auth_user.get_cookie_store() == expected_data
             def test_auth_user_get_cookie_store_for_default_user():
                 default_user = User.get_default_user()
                 auth_user = auth.AuthUser()
                 expected_data = {
                     'username': User.DEFAULT_USER,
                     'user_id': default_user.user_id,
                     'password': md5(default_user.password),
                     'is_authenticated': True
                 }
                 assert auth_user.get_cookie_store() == expected_data
             def get_permissions(user, **kwargs):
                 """
                 Utility filling in useful defaults into the call to `_cached_perms_data`.
                 Fill in `**kwargs` if specific values are needed for a test.
                 """
                 call_args = {
                     'user_id': user.user_id,
                     'scope': {},
                     'user_is_admin': False,
                     'user_inherit_default_permissions': False,
                     'explicit': False,
                     'algo': 'higherwin',
                     'calculate_super_admin': False,
                 }
                 call_args.update(kwargs)
                 permissions = auth._cached_perms_data(**call_args)
                 return permissions
             class TestGenerateAuthToken(object):
                 def test_salt_is_used_when_specified(self):
                     salt = 'abcde'
                     user_name = 'test_user'
                     result = auth.generate_auth_token(user_name, salt)
                     expected_result = sha1(user_name + salt).hexdigest()
                     assert result == expected_result
                 def test_salt_is_geneated_when_not_specified(self):
                     user_name = 'test_user'
                     random_salt = os.urandom(16)
                     with patch.object(auth, 'os') as os_mock:
                         os_mock.urandom.return_value = random_salt
                         result = auth.generate_auth_token(user_name)
                     expected_result = sha1(user_name + random_salt).hexdigest()
                     assert result == expected_result
             @pytest.mark.parametrize("test_token, test_roles, auth_result, expected_tokens", [
                 ('', None, False,
                  []),
                 ('wrongtoken', None, False,
                  []),
                 ('abracadabra_vcs', [AuthTokenModel.cls.ROLE_API], False,
                  [('abracadabra_api', AuthTokenModel.cls.ROLE_API, -1)]),
                 ('abracadabra_api', [AuthTokenModel.cls.ROLE_API], True,
                  [('abracadabra_api', AuthTokenModel.cls.ROLE_API, -1)]),
                 ('abracadabra_api', [AuthTokenModel.cls.ROLE_API], True,
                  [('abracadabra_api', AuthTokenModel.cls.ROLE_API, -1),
                   ('abracadabra_http', AuthTokenModel.cls.ROLE_HTTP, -1)]),
             ])
             def test_auth_by_token(test_token, test_roles, auth_result, expected_tokens,
                                    user_util):
                 user = user_util.create_user()
                 user_id = user.user_id
                 for token, role, expires in expected_tokens:
                     new_token = AuthTokenModel().create(user_id, 'test-token', expires, role)
                     new_token.api_key = token  # inject known name for testing...
                 assert auth_result == user.authenticate_by_token(
                     test_token, roles=test_roles)

rhodecode/tests/vcs_operations/__init__.py

0 +38 -17

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Base for test suite for making push/pull operations.
             .. important::
                You must have git >= 1.8.5 for tests to work fine. With 68b939b git started
                to redirect things to stderr instead of stdout.
             """
             from os.path import join as jn
             from subprocess32 import Popen, PIPE
             import logging
             import os
             import tempfile
             from rhodecode.tests import GIT_REPO, HG_REPO
             DEBUG = True
             RC_LOG = os.path.join(tempfile.gettempdir(), 'rc.log')
             REPO_GROUP = 'a_repo_group'
             HG_REPO_WITH_GROUP = '%s/%s' % (REPO_GROUP, HG_REPO)
             GIT_REPO_WITH_GROUP = '%s/%s' % (REPO_GROUP, GIT_REPO)
             log = logging.getLogger(__name__)
             class Command(object):
                 def __init__(self, cwd):
                     self.cwd = cwd
                     self.process = None
                 def execute(self, cmd, *args):
                     """
                     Runs command on the system with given ``args``.
                     """
                     command = cmd + ' ' + ' '.join(args)
                     if DEBUG:
                         log.debug('*** CMD %s ***' % (command,))
                     env = dict(os.environ)
                     # Delete coverage variables, as they make the test fail for Mercurial
                     for key in env.keys():
                         if key.startswith('COV_CORE_'):
                             del env[key]
                     self.process = Popen(command, shell=True, stdout=PIPE, stderr=PIPE,
                                          cwd=self.cwd, env=env)
                     stdout, stderr = self.process.communicate()
                     if DEBUG:
                         log.debug('STDOUT:%s' % (stdout,))
                         log.debug('STDERR:%s' % (stderr,))
                     return stdout, stderr
                 def assert_returncode_success(self):
                     assert self.process.returncode == 0
-            def _add_files_and_push(vcs, dest, clone_url=None, tags=None, **kwargs):
+            def _add_files(vcs, dest, clone_url=None, tags=None, target_branch=None,
-                """
+                                    new_branch=False, **kwargs):
-                Generate some files, add it to DEST repo and push back
+                git_ident = "git config user.name {} && git config user.email {}".format(
-                vcs is git or hg and defines what VCS we want to make those files for
+                        'Marcin Kuźminski', 'me@email.com')
-                """
+                cwd = path = jn(dest)
-                # commit some stuff into this repo
                 tags = tags or []
-                cwd = path = jn(dest)
                 added_file = jn(path, '%ssetup.py' % tempfile._RandomNameSequence().next())
                 Command(cwd).execute('touch %s' % added_file)
                 Command(cwd).execute('%s add %s' % (vcs, added_file))
                 author_str = 'Marcin Kuźminski <me@email.com>'
-                git_ident = "git config user.name {} && git config user.email {}".format(
-                        'Marcin Kuźminski', 'me@email.com')
                 for i in range(kwargs.get('files_no', 3)):
                     cmd = """echo 'added_line%s' >> %s""" % (i, added_file)
                     Command(cwd).execute(cmd)
                     if vcs == 'hg':
                         cmd = """hg commit -m 'commited new %s' -u '%s' %s """ % (
                             i, author_str, added_file
                         )
                     elif vcs == 'git':
                         cmd = """%s && git commit -m 'commited new %s' %s""" % (
                             git_ident, i, added_file)
                     Command(cwd).execute(cmd)
                 for tag in tags:
                     if vcs == 'hg':
-                        stdout, stderr = Command(cwd).execute(
+                        Command(cwd).execute(
                             'hg tag', tag['name'])
                     elif vcs == 'git':
                         if tag['commit']:
                             # annotated tag
-                            stdout, stderr = Command(cwd).execute(
+                            _stdout, _stderr = Command(cwd).execute(
                                 """%s && git tag -a %s -m "%s" """ % (
                                     git_ident, tag['name'], tag['commit']))
                         else:
                             # lightweight tag
-                            stdout, stderr = Command(cwd).execute(
+                            _stdout, _stderr = Command(cwd).execute(
                                 """%s && git tag %s""" % (
                                     git_ident, tag['name']))
+            def _add_files_and_push(vcs, dest, clone_url=None, tags=None, target_branch=None,
+                                    new_branch=False, **kwargs):
+                """
+                Generate some files, add it to DEST repo and push back
+                vcs is git or hg and defines what VCS we want to make those files for
+                """
+                git_ident = "git config user.name {} && git config user.email {}".format(
+                        'Marcin Kuźminski', 'me@email.com')
+                cwd = path = jn(dest)
+                # commit some stuff into this repo
+                _add_files(vcs, dest, clone_url, tags, target_branch, new_branch, **kwargs)
+                default_target_branch = {
+                    'git': 'master',
+                    'hg': 'default'
+                }.get(vcs)
+                target_branch = target_branch or default_target_branch
                 # PUSH it back
                 stdout = stderr = None
                 if vcs == 'hg':
+                    maybe_new_branch = ''
+                    if new_branch:
+                        maybe_new_branch = '--new-branch'
                     stdout, stderr = Command(cwd).execute(
-                        'hg push --verbose', clone_url)
+                        'hg push --verbose {} -r {} {}'.format(maybe_new_branch, target_branch, clone_url)
+                    )
                 elif vcs == 'git':
                     stdout, stderr = Command(cwd).execute(
-                        """%s &&
+                        """{} &&
-                        git push --verbose --tags %s master""" % (
+                        git push --verbose --tags {} {}""".format(git_ident, clone_url, target_branch)
-                            git_ident, clone_url))
                 return stdout, stderr
             def _check_proper_git_push(
                     stdout, stderr, branch='master', should_set_default_branch=False):
                 # Note: Git is writing most information to stderr intentionally
                 assert 'fatal' not in stderr
                 assert 'rejected' not in stderr
                 assert 'Pushing to' in stderr
                 assert '%s -> %s' % (branch, branch) in stderr
                 if should_set_default_branch:
                     assert "Setting default branch to %s" % branch in stderr
                 else:
                     assert "Setting default branch" not in stderr
             def _check_proper_hg_push(stdout, stderr, branch='default'):
                 assert 'pushing to' in stdout
                 assert 'searching for changes' in stdout
                 assert 'abort:' not in stderr
             def _check_proper_clone(stdout, stderr, vcs):
                 if vcs == 'hg':
                     assert 'requesting all changes' in stdout
                     assert 'adding changesets' in stdout
                     assert 'adding manifests' in stdout
                     assert 'adding file changes' in stdout
                     assert stderr == ''
                 if vcs == 'git':
                     assert '' == stdout
                     assert 'Cloning into' in stderr
                     assert 'abort:' not in stderr
                     assert 'fatal:' not in stderr

rhodecode/tests/vcs_operations/conftest.py

0 +73 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             py.test config for test suite for making push/pull operations.
             .. important::
                You must have git >= 1.8.5 for tests to work fine. With 68b939b git started
                to redirect things to stderr instead of stdout.
             """
             import os
             import tempfile
             import textwrap
             import pytest
             from rhodecode import events
-            from rhodecode.model.db import Integration
+            from rhodecode.model.db import Integration, UserRepoToPerm, Permission, \
+                UserToRepoBranchPermission, User
             from rhodecode.model.integration import IntegrationModel
             from rhodecode.model.db import Repository
             from rhodecode.model.meta import Session
             from rhodecode.model.settings import SettingsModel
             from rhodecode.integrations.types.webhook import WebhookIntegrationType
             from rhodecode.tests import GIT_REPO, HG_REPO
             from rhodecode.tests.fixture import Fixture
             from rhodecode.tests.server_utils import RcWebServer
             REPO_GROUP = 'a_repo_group'
             HG_REPO_WITH_GROUP = '%s/%s' % (REPO_GROUP, HG_REPO)
             GIT_REPO_WITH_GROUP = '%s/%s' % (REPO_GROUP, GIT_REPO)
             @pytest.fixture(scope="module")
             def rcextensions(request, db_connection, tmpdir_factory):
                 """
                 Installs a testing rcextensions pack to ensure they work as expected.
                 """
                 init_content = textwrap.dedent("""
                     # Forward import the example rcextensions to make it
                     # active for our tests.
                     from rhodecode.tests.other.example_rcextensions import *
                 """)
                 # Note: rcextensions are looked up based on the path of the ini file
                 root_path = tmpdir_factory.getbasetemp()
                 rcextensions_path = root_path.join('rcextensions')
                 init_path = rcextensions_path.join('__init__.py')
                 if rcextensions_path.check():
                     pytest.fail(
                         "Path for rcextensions already exists, please clean up before "
                         "test run this path: %s" % (rcextensions_path, ))
                     return
                 request.addfinalizer(rcextensions_path.remove)
                 init_path.write_binary(init_content, ensure=True)
             @pytest.fixture(scope="module")
             def repos(request, db_connection):
                 """Create a copy of each test repo in a repo group."""
                 fixture = Fixture()
                 repo_group = fixture.create_repo_group(REPO_GROUP)
                 repo_group_id = repo_group.group_id
                 fixture.create_fork(HG_REPO, HG_REPO,
                                     repo_name_full=HG_REPO_WITH_GROUP,
                                     repo_group=repo_group_id)
                 fixture.create_fork(GIT_REPO, GIT_REPO,
                                     repo_name_full=GIT_REPO_WITH_GROUP,
                                     repo_group=repo_group_id)
                 @request.addfinalizer
                 def cleanup():
                     fixture.destroy_repo(HG_REPO_WITH_GROUP)
                     fixture.destroy_repo(GIT_REPO_WITH_GROUP)
                     fixture.destroy_repo_group(repo_group_id)
             @pytest.fixture(scope="module")
             def rc_web_server_config_modification():
                 return []
             @pytest.fixture(scope="module")
             def rc_web_server_config_factory(testini_factory, rc_web_server_config_modification):
                 """
                 Configuration file used for the fixture `rc_web_server`.
                 """
                 def factory(rcweb_port, vcsserver_port):
                     custom_params = [
                         {'handler_console': {'level': 'DEBUG'}},
                         {'server:main': {'port': rcweb_port}},
                         {'app:main': {'vcs.server': 'localhost:%s' % vcsserver_port}}
                     ]
                     custom_params.extend(rc_web_server_config_modification)
                     return testini_factory(custom_params)
                 return factory
             @pytest.fixture(scope="module")
             def rc_web_server(
                     request, vcsserver_factory, available_port_factory,
                     rc_web_server_config_factory, repos, rcextensions):
                 """
                 Run the web server as a subprocess. with it's own instance of vcsserver
                 """
                 rcweb_port = available_port_factory()
                 print('Using rcweb ops test port {}'.format(rcweb_port))
                 vcsserver_port = available_port_factory()
                 print('Using vcsserver ops test port {}'.format(vcsserver_port))
                 vcs_log = os.path.join(tempfile.gettempdir(), 'rc_op_vcs.log')
                 vcsserver_factory(
                         request, vcsserver_port=vcsserver_port,
                         log_file=vcs_log,
                         overrides=(
                             {'server:main': {'workers': 2}},
                             {'server:main': {'graceful_timeout': 10}},
                         ))
                 rc_log = os.path.join(tempfile.gettempdir(), 'rc_op_web.log')
                 rc_web_server_config = rc_web_server_config_factory(
                     rcweb_port=rcweb_port,
                     vcsserver_port=vcsserver_port)
                 server = RcWebServer(rc_web_server_config, log_file=rc_log)
                 server.start()
                 @request.addfinalizer
                 def cleanup():
                     server.shutdown()
                 server.wait_until_ready()
                 return server
             @pytest.fixture
             def disable_locking(baseapp):
                 r = Repository.get_by_repo_name(GIT_REPO)
                 Repository.unlock(r)
                 r.enable_locking = False
                 Session().add(r)
                 Session().commit()
                 r = Repository.get_by_repo_name(HG_REPO)
                 Repository.unlock(r)
                 r.enable_locking = False
                 Session().add(r)
                 Session().commit()
             @pytest.fixture
             def enable_auth_plugins(request, baseapp, csrf_token):
                 """
                 Return a factory object that when called, allows to control which
                 authentication plugins are enabled.
                 """
                 def _enable_plugins(plugins_list, override=None):
                     override = override or {}
                     params = {
                         'auth_plugins': ','.join(plugins_list),
                     }
                     # helper translate some names to others
                     name_map = {
                         'token': 'authtoken'
                     }
                     for module in plugins_list:
                         plugin_name = module.partition('#')[-1]
                         if plugin_name in name_map:
                             plugin_name = name_map[plugin_name]
                         enabled_plugin = 'auth_%s_enabled' % plugin_name
                         cache_ttl = 'auth_%s_cache_ttl' % plugin_name
                         # default params that are needed for each plugin,
                         # `enabled` and `cache_ttl`
                         params.update({
                             enabled_plugin: True,
                             cache_ttl: 0
                         })
                         if override.get:
                             params.update(override.get(module, {}))
                         validated_params = params
                         for k, v in validated_params.items():
                             setting = SettingsModel().create_or_update_setting(k, v)
                             Session().add(setting)
                         Session().commit()
                 def cleanup():
                     _enable_plugins(['egg:rhodecode-enterprise-ce#rhodecode'])
                 request.addfinalizer(cleanup)
                 return _enable_plugins
             @pytest.fixture
             def fs_repo_only(request, rhodecode_fixtures):
                 def fs_repo_fabric(repo_name, repo_type):
                     rhodecode_fixtures.create_repo(repo_name, repo_type=repo_type)
                     rhodecode_fixtures.destroy_repo(repo_name, fs_remove=False)
                     def cleanup():
                         rhodecode_fixtures.destroy_repo(repo_name, fs_remove=True)
                         rhodecode_fixtures.destroy_repo_on_filesystem(repo_name)
                     request.addfinalizer(cleanup)
                 return fs_repo_fabric
             @pytest.fixture
             def enable_webhook_push_integration(request):
                 integration = Integration()
                 integration.integration_type = WebhookIntegrationType.key
                 Session().add(integration)
                 settings = dict(
                     url='http://httpbin.org/post',
                     secret_token='secret',
                     username=None,
                     password=None,
                     custom_header_key=None,
                     custom_header_val=None,
                     method_type='post',
                     events=[events.RepoPushEvent.name],
                     log_data=True
                 )
                 IntegrationModel().update_integration(
                     integration,
                     name='IntegrationWebhookTest',
                     enabled=True,
                     settings=settings,
                     repo=None,
                     repo_group=None,
                     child_repos_only=False,
                 )
                 Session().commit()
                 integration_id = integration.integration_id
                 @request.addfinalizer
                 def cleanup():
                     integration = Integration.get(integration_id)
                     Session().delete(integration)
                     Session().commit()
+            @pytest.fixture
+            def branch_permission_setter(request):
+                """
+                def my_test(branch_permission_setter)
+                    branch_permission_setter(repo_name, username, pattern='*', permission='branch.push')
+                """
+                rule_id = None
+                write_perm_id = None
+                def _branch_permissions_setter(
+                        repo_name, username, pattern='*', permission='branch.push_force'):
+                    global rule_id, write_perm_id
+                    repo = Repository.get_by_repo_name(repo_name)
+                    repo_id = repo.repo_id
+                    user = User.get_by_username(username)
+                    user_id = user.user_id
+                    rule_perm_obj = Permission.get_by_key(permission)
+                    write_perm = None
+                    # add new entry, based on existing perm entry
+                    perm = UserRepoToPerm.query() \
+                        .filter(UserRepoToPerm.repository_id == repo_id) \
+                        .filter(UserRepoToPerm.user_id == user_id) \
+                        .first()
+                    if not perm:
+                        # such user isn't defined in Permissions for repository
+                        # we now on-the-fly add new permission
+                        write_perm = UserRepoToPerm()
+                        write_perm.permission = Permission.get_by_key('repository.write')
+                        write_perm.repository_id = repo_id
+                        write_perm.user_id = user_id
+                        Session().add(write_perm)
+                        Session().flush()
+                        perm = write_perm
+                    rule = UserToRepoBranchPermission()
+                    rule.rule_to_perm_id = perm.repo_to_perm_id
+                    rule.branch_pattern = pattern
+                    rule.rule_order = 10
+                    rule.permission = rule_perm_obj
+                    rule.repository_id = repo_id
+                    Session().add(rule)
+                    Session().commit()
+                    global rule, write_perm
+                    return rule
+                @request.addfinalizer
+                def cleanup():
+                    if rule:
+                        Session().delete(rule)
+                        Session().commit()
+                    if write_perm:
+                        Session().delete(write_perm)
+                        Session().commit()
+                return _branch_permissions_setter

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages