rhodecode-enterprise-ce Commit - r911:0a696e69

1

# -*- coding: utf-8 -*-

1

# -*- coding: utf-8 -*-

2

3

4

#

4

#

5

# This program is free software: you can redistribute it and/or modify

5

# This program is free software: you can redistribute it and/or modify

6

# it under the terms of the GNU Affero General Public License, version 3

6

# it under the terms of the GNU Affero General Public License, version 3

7

# (only), as published by the Free Software Foundation.

7

# (only), as published by the Free Software Foundation.

8

#

8

#

9

# This program is distributed in the hope that it will be useful,

9

# This program is distributed in the hope that it will be useful,

10

# but WITHOUT ANY WARRANTY; without even the implied warranty of

10

# but WITHOUT ANY WARRANTY; without even the implied warranty of

11

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

11

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

12

# GNU General Public License for more details.

12

# GNU General Public License for more details.

13

#

13

#

14

# You should have received a copy of the GNU Affero General Public License

14

# You should have received a copy of the GNU Affero General Public License

15

# along with this program. If not, see <http://www.gnu.org/licenses/>.

15

# along with this program. If not, see <http://www.gnu.org/licenses/>.

16

#

16

#

17

# This program is dual-licensed. If you wish to learn more about the

17

# This program is dual-licensed. If you wish to learn more about the

18

# RhodeCode Enterprise Edition, including its added features, Support services,

18

# RhodeCode Enterprise Edition, including its added features, Support services,

19

# and proprietary license terms, please see https://rhodecode.com/licenses/

19

# and proprietary license terms, please see https://rhodecode.com/licenses/

20

21

"""

21

"""

22

SimpleVCS middleware for handling protocol request (push/clone etc.)

22

SimpleVCS middleware for handling protocol request (push/clone etc.)

23

It's implemented with basic auth function

23

It's implemented with basic auth function

24

"""

24

"""

25

26

import os

26

import os

27

import logging

27

import logging

28

import importlib

28

import importlib

29

import re

29

import re

30

from functools import wraps

30

from functools import wraps

31

32

from paste.httpheaders import REMOTE_USER, AUTH_TYPE

32

from paste.httpheaders import REMOTE_USER, AUTH_TYPE

33

from webob.exc import (

33

from webob.exc import (

34

HTTPNotFound, HTTPForbidden, HTTPNotAcceptable, HTTPInternalServerError)

34

HTTPNotFound, HTTPForbidden, HTTPNotAcceptable, HTTPInternalServerError)

35

36

import rhodecode

36

import rhodecode

37

from rhodecode.authentication.base import authenticate, VCS_TYPE

37

from rhodecode.authentication.base import authenticate, VCS_TYPE

38

from rhodecode.lib.auth import AuthUser, HasPermissionAnyMiddleware

38

from rhodecode.lib.auth import AuthUser, HasPermissionAnyMiddleware

39

from rhodecode.lib.base import BasicAuth, get_ip_addr, vcs_operation_context

39

from rhodecode.lib.base import BasicAuth, get_ip_addr, vcs_operation_context

40

from rhodecode.lib.exceptions import (

40

from rhodecode.lib.exceptions import (

41

HTTPLockedRC, HTTPRequirementError, UserCreationError,

41

HTTPLockedRC, HTTPRequirementError, UserCreationError,

42

NotAllowedToCreateUserError)

42

NotAllowedToCreateUserError)

43

from rhodecode.lib.hooks_daemon import prepare_callback_daemon

43

from rhodecode.lib.hooks_daemon import prepare_callback_daemon

44

from rhodecode.lib.middleware import appenlight

44

from rhodecode.lib.middleware import appenlight

45

from rhodecode.lib.middleware.utils import scm_app

45

from rhodecode.lib.middleware.utils import scm_app

46

from rhodecode.lib.utils import (

46

from rhodecode.lib.utils import (

47

is_valid_repo, get_rhodecode_realm, get_rhodecode_base_path, SLUG_RE)

47

is_valid_repo, get_rhodecode_realm, get_rhodecode_base_path, SLUG_RE)

48

from rhodecode.lib.utils2 import safe_str, fix_PATH, str2bool, safe_unicode

48

from rhodecode.lib.utils2 import safe_str, fix_PATH, str2bool, safe_unicode

49

from rhodecode.lib.vcs.conf import settings as vcs_settings

49

from rhodecode.lib.vcs.conf import settings as vcs_settings

50

from rhodecode.lib.vcs.backends import base

50

from rhodecode.lib.vcs.backends import base

51

from rhodecode.model import meta

51

from rhodecode.model import meta

52

from rhodecode.model.db import User, Repository, PullRequest

52

from rhodecode.model.db import User, Repository, PullRequest

53

from rhodecode.model.scm import ScmModel

53

from rhodecode.model.scm import ScmModel

54

from rhodecode.model.pull_request import PullRequestModel

54

from rhodecode.model.pull_request import PullRequestModel

55

56

57

log = logging.getLogger(__name__)

57

log = logging.getLogger(__name__)

58

59

60

def initialize_generator(factory):

60

def initialize_generator(factory):

61

"""

61

"""

62

Initializes the returned generator by draining its first element.

62

Initializes the returned generator by draining its first element.

63

64

This can be used to give a generator an initializer, which is the code

64

This can be used to give a generator an initializer, which is the code

65

up to the first yield statement. This decorator enforces that the first

65

up to the first yield statement. This decorator enforces that the first

66

produced element has the value ``"__init__"`` to make its special

66

produced element has the value ``"__init__"`` to make its special

67

purpose very explicit in the using code.

67

purpose very explicit in the using code.

68

"""

68

"""

69

70

@wraps(factory)

70

@wraps(factory)

71

def wrapper(*args, **kwargs):

71

def wrapper(*args, **kwargs):

72

gen = factory(*args, **kwargs)

72

gen = factory(*args, **kwargs)

73

try:

73

try:

74

init = gen.next()

74

init = gen.next()

75

except StopIteration:

75

except StopIteration:

76

raise ValueError('Generator must yield at least one element.')

76

raise ValueError('Generator must yield at least one element.')

77

if init != "__init__":

77

if init != "__init__":

78

raise ValueError('First yielded element must be "__init__".')

78

raise ValueError('First yielded element must be "__init__".')

79

return gen

79

return gen

80

return wrapper

80

return wrapper

81

82

83

class SimpleVCS(object):

83

class SimpleVCS(object):

84

"""Common functionality for SCM HTTP handlers."""

84

"""Common functionality for SCM HTTP handlers."""

85

86

SCM = 'unknown'

86

SCM = 'unknown'

87

88

acl_repo_name = None

88

acl_repo_name = None

89

url_repo_name = None

89

url_repo_name = None

90

vcs_repo_name = None

90

vcs_repo_name = None

91

92

# We have to handle requests to shadow repositories different than requests

92

# We have to handle requests to shadow repositories different than requests

93

# to normal repositories. Therefore we have to distinguish them. To do this

93

# to normal repositories. Therefore we have to distinguish them. To do this

94

# we use this regex which will match only on URLs pointing to shadow

94

# we use this regex which will match only on URLs pointing to shadow

95

# repositories.

95

# repositories.

96

shadow_repo_re = re.compile(

96

shadow_repo_re = re.compile(

97

'(?P<groups>(?:{slug_pat})(?:/{slug_pat})*)' # repo groups

97

'(?P<groups>(?:{slug_pat})(?:/{slug_pat})*/)?' # repo groups

98

'/(?P<target>{slug_pat})' # target repo

98

'(?P<target>{slug_pat})/' # target repo

99

'/pull-request/(?P<pr_id>\d+)' # pull request

99

'pull-request/(?P<pr_id>\d+)/' # pull request

100

'/repository$' # shadow repo

100

'repository$' # shadow repo

101

.format(slug_pat=SLUG_RE.pattern))

101

.format(slug_pat=SLUG_RE.pattern))

102

103

def __init__(self, application, config, registry):

103

def __init__(self, application, config, registry):

104

self.registry = registry

104

self.registry = registry

105

self.application = application

105

self.application = application

106

self.config = config

106

self.config = config

107

# re-populated by specialized middleware

107

# re-populated by specialized middleware

108

self.repo_vcs_config = base.Config()

108

self.repo_vcs_config = base.Config()

109

110

# base path of repo locations

110

# base path of repo locations

111

self.basepath = get_rhodecode_base_path()

111

self.basepath = get_rhodecode_base_path()

112

# authenticate this VCS request using authfunc

112

# authenticate this VCS request using authfunc

113

auth_ret_code_detection = \

113

auth_ret_code_detection = \

114

str2bool(self.config.get('auth_ret_code_detection', False))

114

str2bool(self.config.get('auth_ret_code_detection', False))

115

self.authenticate = BasicAuth(

115

self.authenticate = BasicAuth(

116

'', authenticate, registry, config.get('auth_ret_code'),

116

'', authenticate, registry, config.get('auth_ret_code'),

117

auth_ret_code_detection)

117

auth_ret_code_detection)

118

self.ip_addr = '0.0.0.0'

118

self.ip_addr = '0.0.0.0'

119

120

def set_repo_names(self, environ):

120

def set_repo_names(self, environ):

121

"""

121

"""

122

This will populate the attributes acl_repo_name, url_repo_name,

122

This will populate the attributes acl_repo_name, url_repo_name,

123

vcs_repo_name and is_shadow_repo. In case of requests to normal (non

123

vcs_repo_name and is_shadow_repo. In case of requests to normal (non

124

shadow) repositories all names are equal. In case of requests to a

124

shadow) repositories all names are equal. In case of requests to a

125

shadow repository the acl-name points to the target repo of the pull

125

shadow repository the acl-name points to the target repo of the pull

126

request and the vcs-name points to the shadow repo file system path.

126

request and the vcs-name points to the shadow repo file system path.

127

The url-name is always the URL used by the vcs client program.

127

The url-name is always the URL used by the vcs client program.

128

129

Example in case of a shadow repo:

129

Example in case of a shadow repo:

130

acl_repo_name = RepoGroup/MyRepo

130

acl_repo_name = RepoGroup/MyRepo

131

url_repo_name = RepoGroup/MyRepo/pull-request/3/repository

131

url_repo_name = RepoGroup/MyRepo/pull-request/3/repository

132

vcs_repo_name = /repo/base/path/RepoGroup/.__shadow_MyRepo_pr-3'

132

vcs_repo_name = /repo/base/path/RepoGroup/.__shadow_MyRepo_pr-3'

133

"""

133

"""

134

# First we set the repo name from URL for all attributes. This is the

134

# First we set the repo name from URL for all attributes. This is the

135

# default if handling normal (non shadow) repo requests.

135

# default if handling normal (non shadow) repo requests.

136

self.url_repo_name = self._get_repository_name(environ)

136

self.url_repo_name = self._get_repository_name(environ)

137

self.acl_repo_name = self.vcs_repo_name = self.url_repo_name

137

self.acl_repo_name = self.vcs_repo_name = self.url_repo_name

138

self.is_shadow_repo = False

138

self.is_shadow_repo = False

139

140

# Check if this is a request to a shadow repository.

140

# Check if this is a request to a shadow repository.

141

match = self.shadow_repo_re.match(self.url_repo_name)

141

match = self.shadow_repo_re.match(self.url_repo_name)

142

if match:

142

if match:

143

match_dict = match.groupdict()

143

match_dict = match.groupdict()

144

145

# Build acl repo name from regex match.

145

# Build acl repo name from regex match.

146

acl_repo_name = safe_unicode(

146

acl_repo_name = safe_unicode('{groups}{target}'.format(

147

'{groups}/{target}'.format(**match_dict))

147

groups=match_dict['groups'] or '',

148

target=match_dict['target']))

148

149

# Retrieve pull request instance by ID from regex match.

150

# Retrieve pull request instance by ID from regex match.

150

pull_request = PullRequest.get(match_dict['pr_id'])

151

pull_request = PullRequest.get(match_dict['pr_id'])

151

152

# Only proceed if we got a pull request and if acl repo name from

153

# Only proceed if we got a pull request and if acl repo name from

153

# URL equals the target repo name of the pull request.

154

# URL equals the target repo name of the pull request.

154

if pull_request and acl_repo_name == ~~pull_request~~.~~target_repo~~.~~repo_name~~:

155

if pull_request and (acl_repo_name ==

156

pull_request.target_repo.repo_name):

155

# Get file system path to shadow repository.

157

# Get file system path to shadow repository.

156

workspace_id = PullRequestModel()._workspace_id(pull_request)

158

workspace_id = PullRequestModel()._workspace_id(pull_request)

157

target_vcs = pull_request.target_repo.scm_instance()

159

target_vcs = pull_request.target_repo.scm_instance()

158

vcs_repo_name = target_vcs._get_shadow_repository_path(

160

vcs_repo_name = target_vcs._get_shadow_repository_path(

159

workspace_id)

161

workspace_id)

160

162

161

# Store names for later usage.

163

# Store names for later usage.

162

self.vcs_repo_name = vcs_repo_name

164

self.vcs_repo_name = vcs_repo_name

163

self.acl_repo_name = acl_repo_name

165

self.acl_repo_name = acl_repo_name

164

self.is_shadow_repo = True

166

self.is_shadow_repo = True

165

167

166

log.debug('Repository names: %s', {

168

log.debug('Repository names: %s', {

167

'acl_repo_name': self.acl_repo_name,

169

'acl_repo_name': self.acl_repo_name,

168

'url_repo_name': self.url_repo_name,

170

'url_repo_name': self.url_repo_name,

169

'vcs_repo_name': self.vcs_repo_name,

171

'vcs_repo_name': self.vcs_repo_name,

170

})

172

})

171

173

172

@property

174

@property

173

def scm_app(self):

175

def scm_app(self):

174

custom_implementation = self.config.get('vcs.scm_app_implementation')

176

custom_implementation = self.config.get('vcs.scm_app_implementation')

175

if custom_implementation and custom_implementation != 'pyro4':

177

if custom_implementation and custom_implementation != 'pyro4':

176

log.info(

178

log.info(

177

"Using custom implementation of scm_app: %s",

179

"Using custom implementation of scm_app: %s",

178

custom_implementation)

180

custom_implementation)

179

scm_app_impl = importlib.import_module(custom_implementation)

181

scm_app_impl = importlib.import_module(custom_implementation)

180

else:

182

else:

181

scm_app_impl = scm_app

183

scm_app_impl = scm_app

182

return scm_app_impl

184

return scm_app_impl

183

185

184

def _get_by_id(self, repo_name):

186

def _get_by_id(self, repo_name):

185

"""

187

"""

186

Gets a special pattern _<ID> from clone url and tries to replace it

188

Gets a special pattern _<ID> from clone url and tries to replace it

187

with a repository_name for support of _<ID> non changeable urls

189

with a repository_name for support of _<ID> non changeable urls

188

"""

190

"""

189

191

190

data = repo_name.split('/')

192

data = repo_name.split('/')

191

if len(data) >= 2:

193

if len(data) >= 2:

192

from rhodecode.model.repo import RepoModel

194

from rhodecode.model.repo import RepoModel

193

by_id_match = RepoModel().get_repo_by_id(repo_name)

195

by_id_match = RepoModel().get_repo_by_id(repo_name)

194

if by_id_match:

196

if by_id_match:

195

data[1] = by_id_match.repo_name

197

data[1] = by_id_match.repo_name

196

198

197

return safe_str('/'.join(data))

199

return safe_str('/'.join(data))

198

200

199

def _invalidate_cache(self, repo_name):

201

def _invalidate_cache(self, repo_name):

200

"""

202

"""

201

Set's cache for this repository for invalidation on next access

203

Set's cache for this repository for invalidation on next access

202

204

203

:param repo_name: full repo name, also a cache key

205

:param repo_name: full repo name, also a cache key

204

"""

206

"""

205

ScmModel().mark_for_invalidation(repo_name)

207

ScmModel().mark_for_invalidation(repo_name)

206

208

207

def is_valid_and_existing_repo(self, repo_name, base_path, scm_type):

209

def is_valid_and_existing_repo(self, repo_name, base_path, scm_type):

208

db_repo = Repository.get_by_repo_name(repo_name)

210

db_repo = Repository.get_by_repo_name(repo_name)

209

if not db_repo:

211

if not db_repo:

210

log.debug('Repository `%s` not found inside the database.',

212

log.debug('Repository `%s` not found inside the database.',

211

repo_name)

213

repo_name)

212

return False

214

return False

213

215

214

if db_repo.repo_type != scm_type:

216

if db_repo.repo_type != scm_type:

215

log.warning(

217

log.warning(

216

'Repository `%s` have incorrect scm_type, expected %s got %s',

218

'Repository `%s` have incorrect scm_type, expected %s got %s',

217

repo_name, db_repo.repo_type, scm_type)

219

repo_name, db_repo.repo_type, scm_type)

218

return False

220

return False

219

221

220

return is_valid_repo(repo_name, base_path, expect_scm=scm_type)

222

return is_valid_repo(repo_name, base_path, expect_scm=scm_type)

221

223

222

def valid_and_active_user(self, user):

224

def valid_and_active_user(self, user):

223

"""

225

"""

224

Checks if that user is not empty, and if it's actually object it checks

226

Checks if that user is not empty, and if it's actually object it checks

225

if he's active.

227

if he's active.

226

228

227

:param user: user object or None

229

:param user: user object or None

228

:return: boolean

230

:return: boolean

229

"""

231

"""

230

if user is None:

232

if user is None:

231

return False

233

return False

232

234

233

elif user.active:

235

elif user.active:

234

return True

236

return True

235

237

236

return False

238

return False

237

239

238

def _check_permission(self, action, user, repo_name, ip_addr=None):

240

def _check_permission(self, action, user, repo_name, ip_addr=None):

239

"""

241

"""

240

Checks permissions using action (push/pull) user and repository

242

Checks permissions using action (push/pull) user and repository

241

name

243

name

242

244

243

:param action: push or pull action

245

:param action: push or pull action

244

:param user: user instance

246

:param user: user instance

245

:param repo_name: repository name

247

:param repo_name: repository name

246

"""

248

"""

247

# check IP

249

# check IP

248

inherit = user.inherit_default_permissions

250

inherit = user.inherit_default_permissions

249

ip_allowed = AuthUser.check_ip_allowed(user.user_id, ip_addr,

251

ip_allowed = AuthUser.check_ip_allowed(user.user_id, ip_addr,

250

inherit_from_default=inherit)

252

inherit_from_default=inherit)

251

if ip_allowed:

253

if ip_allowed:

252

log.info('Access for IP:%s allowed', ip_addr)

254

log.info('Access for IP:%s allowed', ip_addr)

253

else:

255

else:

254

return False

256

return False

255

257

256

if action == 'push':

258

if action == 'push':

257

if not HasPermissionAnyMiddleware('repository.write',

259

if not HasPermissionAnyMiddleware('repository.write',

258

'repository.admin')(user,

260

'repository.admin')(user,

259

repo_name):

261

repo_name):

260

return False

262

return False

261

263

262

else:

264

else:

263

# any other action need at least read permission

265

# any other action need at least read permission

264

if not HasPermissionAnyMiddleware('repository.read',

266

if not HasPermissionAnyMiddleware('repository.read',

265

'repository.write',

267

'repository.write',

266

'repository.admin')(user,

268

'repository.admin')(user,

267

repo_name):

269

repo_name):

268

return False

270

return False

269

271

270

return True

272

return True

271

273

272

def _check_ssl(self, environ, start_response):

274

def _check_ssl(self, environ, start_response):

273

"""

275

"""

274

Checks the SSL check flag and returns False if SSL is not present

276

Checks the SSL check flag and returns False if SSL is not present

275

and required True otherwise

277

and required True otherwise

276

"""

278

"""

277

org_proto = environ['wsgi._org_proto']

279

org_proto = environ['wsgi._org_proto']

278

# check if we have SSL required ! if not it's a bad request !

280

# check if we have SSL required ! if not it's a bad request !

279

require_ssl = str2bool(self.repo_vcs_config.get('web', 'push_ssl'))

281

require_ssl = str2bool(self.repo_vcs_config.get('web', 'push_ssl'))

280

if require_ssl and org_proto == 'http':

282

if require_ssl and org_proto == 'http':

281

log.debug('proto is %s and SSL is required BAD REQUEST !',

283

log.debug('proto is %s and SSL is required BAD REQUEST !',

282

org_proto)

284

org_proto)

283

return False

285

return False

284

return True

286

return True

285

287

286

def __call__(self, environ, start_response):

288

def __call__(self, environ, start_response):

287

try:

289

try:

288

return self._handle_request(environ, start_response)

290

return self._handle_request(environ, start_response)

289

except Exception:

291

except Exception:

290

log.exception("Exception while handling request")

292

log.exception("Exception while handling request")

291

appenlight.track_exception(environ)

293

appenlight.track_exception(environ)

292

return HTTPInternalServerError()(environ, start_response)

294

return HTTPInternalServerError()(environ, start_response)

293

finally:

295

finally:

294

meta.Session.remove()

296

meta.Session.remove()

295

297

296

def _handle_request(self, environ, start_response):

298

def _handle_request(self, environ, start_response):

297

299

298

if not self._check_ssl(environ, start_response):

300

if not self._check_ssl(environ, start_response):

299

reason = ('SSL required, while RhodeCode was unable '

301

reason = ('SSL required, while RhodeCode was unable '

300

'to detect this as SSL request')

302

'to detect this as SSL request')

301

log.debug('User not allowed to proceed, %s', reason)

303

log.debug('User not allowed to proceed, %s', reason)

302

return HTTPNotAcceptable(reason)(environ, start_response)

304

return HTTPNotAcceptable(reason)(environ, start_response)

303

305

304

if not self.url_repo_name:

306

if not self.url_repo_name:

305

log.warning('Repository name is empty: %s', self.url_repo_name)

307

log.warning('Repository name is empty: %s', self.url_repo_name)

306

# failed to get repo name, we fail now

308

# failed to get repo name, we fail now

307

return HTTPNotFound()(environ, start_response)

309

return HTTPNotFound()(environ, start_response)

308

log.debug('Extracted repo name is %s', self.url_repo_name)

310

log.debug('Extracted repo name is %s', self.url_repo_name)

309

311

310

ip_addr = get_ip_addr(environ)

312

ip_addr = get_ip_addr(environ)

311

username = None

313

username = None

312

314

313

# skip passing error to error controller

315

# skip passing error to error controller

314

environ['pylons.status_code_redirect'] = True

316

environ['pylons.status_code_redirect'] = True

315

317

316

# ======================================================================

318

# ======================================================================

317

# GET ACTION PULL or PUSH

319

# GET ACTION PULL or PUSH

318

# ======================================================================

320

# ======================================================================

319

action = self._get_action(environ)

321

action = self._get_action(environ)

320

322

321

# ======================================================================

323

# ======================================================================

322

# Check if this is a request to a shadow repository of a pull request.

324

# Check if this is a request to a shadow repository of a pull request.

323

# In this case only pull action is allowed.

325

# In this case only pull action is allowed.

324

# ======================================================================

326

# ======================================================================

325

if self.is_shadow_repo and action != 'pull':

327

if self.is_shadow_repo and action != 'pull':

326

reason = 'Only pull action is allowed for shadow repositories.'

328

reason = 'Only pull action is allowed for shadow repositories.'

327

log.debug('User not allowed to proceed, %s', reason)

329

log.debug('User not allowed to proceed, %s', reason)

328

return HTTPNotAcceptable(reason)(environ, start_response)

330

return HTTPNotAcceptable(reason)(environ, start_response)

329

331

330

# ======================================================================

332

# ======================================================================

331

# CHECK ANONYMOUS PERMISSION

333

# CHECK ANONYMOUS PERMISSION

332

# ======================================================================

334

# ======================================================================

333

if action in ['pull', 'push']:

335

if action in ['pull', 'push']:

334

anonymous_user = User.get_default_user()

336

anonymous_user = User.get_default_user()

335

username = anonymous_user.username

337

username = anonymous_user.username

336

if anonymous_user.active:

338

if anonymous_user.active:

337

# ONLY check permissions if the user is activated

339

# ONLY check permissions if the user is activated

338

anonymous_perm = self._check_permission(

340

anonymous_perm = self._check_permission(

339

action, anonymous_user, self.acl_repo_name, ip_addr)

341

action, anonymous_user, self.acl_repo_name, ip_addr)

340

else:

342

else:

341

anonymous_perm = False

343

anonymous_perm = False

342

344

343

if not anonymous_user.active or not anonymous_perm:

345

if not anonymous_user.active or not anonymous_perm:

344

if not anonymous_user.active:

346

if not anonymous_user.active:

345

log.debug('Anonymous access is disabled, running '

347

log.debug('Anonymous access is disabled, running '

346

'authentication')

348

'authentication')

347

349

348

if not anonymous_perm:

350

if not anonymous_perm:

349

log.debug('Not enough credentials to access this '

351

log.debug('Not enough credentials to access this '

350

'repository as anonymous user')

352

'repository as anonymous user')

351

353

352

username = None

354

username = None

353

# ==============================================================

355

# ==============================================================

354

# DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE

356

# DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE

355

# NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS

357

# NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS

356

# ==============================================================

358

# ==============================================================

357

359

358

# try to auth based on environ, container auth methods

360

# try to auth based on environ, container auth methods

359

log.debug('Running PRE-AUTH for container based authentication')

361

log.debug('Running PRE-AUTH for container based authentication')

360

pre_auth = authenticate(

362

pre_auth = authenticate(

361

'', '', environ, VCS_TYPE, registry=self.registry)

363

'', '', environ, VCS_TYPE, registry=self.registry)

362

if pre_auth and pre_auth.get('username'):

364

if pre_auth and pre_auth.get('username'):

363

username = pre_auth['username']

365

username = pre_auth['username']

364

log.debug('PRE-AUTH got %s as username', username)

366

log.debug('PRE-AUTH got %s as username', username)

365

367

366

# If not authenticated by the container, running basic auth

368

# If not authenticated by the container, running basic auth

367

if not username:

369

if not username:

368

self.authenticate.realm = get_rhodecode_realm()

370

self.authenticate.realm = get_rhodecode_realm()

369

371

370

try:

372

try:

371

result = self.authenticate(environ)

373

result = self.authenticate(environ)

372

except (UserCreationError, NotAllowedToCreateUserError) as e:

374

except (UserCreationError, NotAllowedToCreateUserError) as e:

373

log.error(e)

375

log.error(e)

374

reason = safe_str(e)

376

reason = safe_str(e)

375

return HTTPNotAcceptable(reason)(environ, start_response)

377

return HTTPNotAcceptable(reason)(environ, start_response)

376

378

377

if isinstance(result, str):

379

if isinstance(result, str):

378

AUTH_TYPE.update(environ, 'basic')

380

AUTH_TYPE.update(environ, 'basic')

379

REMOTE_USER.update(environ, result)

381

REMOTE_USER.update(environ, result)

380

username = result

382

username = result

381

else:

383

else:

382

return result.wsgi_application(environ, start_response)

384

return result.wsgi_application(environ, start_response)

383

385

384

# ==============================================================

386

# ==============================================================

385

# CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME

387

# CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME

386

# ==============================================================

388

# ==============================================================

387

user = User.get_by_username(username)

389

user = User.get_by_username(username)

388

if not self.valid_and_active_user(user):

390

if not self.valid_and_active_user(user):

389

return HTTPForbidden()(environ, start_response)

391

return HTTPForbidden()(environ, start_response)

390

username = user.username

392

username = user.username

391

user.update_lastactivity()

393

user.update_lastactivity()

392

meta.Session().commit()

394

meta.Session().commit()

393

395

394

# check user attributes for password change flag

396

# check user attributes for password change flag

395

user_obj = user

397

user_obj = user

396

if user_obj and user_obj.username != User.DEFAULT_USER and \

398

if user_obj and user_obj.username != User.DEFAULT_USER and \

397

user_obj.user_data.get('force_password_change'):

399

user_obj.user_data.get('force_password_change'):

398

reason = 'password change required'

400

reason = 'password change required'

399

log.debug('User not allowed to authenticate, %s', reason)

401

log.debug('User not allowed to authenticate, %s', reason)

400

return HTTPNotAcceptable(reason)(environ, start_response)

402

return HTTPNotAcceptable(reason)(environ, start_response)

401

403

402

# check permissions for this repository

404

# check permissions for this repository

403

perm = self._check_permission(

405

perm = self._check_permission(

404

action, user, self.acl_repo_name, ip_addr)

406

action, user, self.acl_repo_name, ip_addr)

405

if not perm:

407

if not perm:

406

return HTTPForbidden()(environ, start_response)

408

return HTTPForbidden()(environ, start_response)

407

409

408

# extras are injected into UI object and later available

410

# extras are injected into UI object and later available

409

# in hooks executed by rhodecode

411

# in hooks executed by rhodecode

410

check_locking = _should_check_locking(environ.get('QUERY_STRING'))

412

check_locking = _should_check_locking(environ.get('QUERY_STRING'))

411

extras = vcs_operation_context(

413

extras = vcs_operation_context(

412

environ, repo_name=self.acl_repo_name, username=username,

414

environ, repo_name=self.acl_repo_name, username=username,

413

action=action, scm=self.SCM, check_locking=check_locking,

415

action=action, scm=self.SCM, check_locking=check_locking,

414

is_shadow_repo=self.is_shadow_repo

416

is_shadow_repo=self.is_shadow_repo

415

)

417

)

416

418

417

# ======================================================================

419

# ======================================================================

418

# REQUEST HANDLING

420

# REQUEST HANDLING

419

# ======================================================================

421

# ======================================================================

420

repo_path = os.path.join(

422

repo_path = os.path.join(

421

safe_str(self.basepath), safe_str(self.vcs_repo_name))

423

safe_str(self.basepath), safe_str(self.vcs_repo_name))

422

log.debug('Repository path is %s', repo_path)

424

log.debug('Repository path is %s', repo_path)

423

425

424

fix_PATH()

426

fix_PATH()

425

427

426

log.info(

428

log.info(

427

'%s action on %s repo "%s" by "%s" from %s',

429

'%s action on %s repo "%s" by "%s" from %s',

428

action, self.SCM, safe_str(self.url_repo_name),

430

action, self.SCM, safe_str(self.url_repo_name),

429

safe_str(username), ip_addr)

431

safe_str(username), ip_addr)

430

432

431

return self._generate_vcs_response(

433

return self._generate_vcs_response(

432

environ, start_response, repo_path, extras, action)

434

environ, start_response, repo_path, extras, action)

433

435

434

@initialize_generator

436

@initialize_generator

435

def _generate_vcs_response(

437

def _generate_vcs_response(

436

self, environ, start_response, repo_path, extras, action):

438

self, environ, start_response, repo_path, extras, action):

437

"""

439

"""

438

Returns a generator for the response content.

440

Returns a generator for the response content.

439

441

440

This method is implemented as a generator, so that it can trigger

442

This method is implemented as a generator, so that it can trigger

441

the cache validation after all content sent back to the client. It

443

the cache validation after all content sent back to the client. It

442

also handles the locking exceptions which will be triggered when

444

also handles the locking exceptions which will be triggered when

443

the first chunk is produced by the underlying WSGI application.

445

the first chunk is produced by the underlying WSGI application.

444

"""

446

"""

445

callback_daemon, extras = self._prepare_callback_daemon(extras)

447

callback_daemon, extras = self._prepare_callback_daemon(extras)

446

config = self._create_config(extras, self.acl_repo_name)

448

config = self._create_config(extras, self.acl_repo_name)

447

log.debug('HOOKS extras is %s', extras)

449

log.debug('HOOKS extras is %s', extras)

448

app = self._create_wsgi_app(repo_path, self.url_repo_name, config)

450

app = self._create_wsgi_app(repo_path, self.url_repo_name, config)

449

451

450

try:

452

try:

451

with callback_daemon:

453

with callback_daemon:

452

try:

454

try:

453

response = app(environ, start_response)

455

response = app(environ, start_response)

454

finally:

456

finally:

455

# This statement works together with the decorator

457

# This statement works together with the decorator

456

# "initialize_generator" above. The decorator ensures that

458

# "initialize_generator" above. The decorator ensures that

457

# we hit the first yield statement before the generator is

459

# we hit the first yield statement before the generator is

458

# returned back to the WSGI server. This is needed to

460

# returned back to the WSGI server. This is needed to

459

# ensure that the call to "app" above triggers the

461

# ensure that the call to "app" above triggers the

460

# needed callback to "start_response" before the

462

# needed callback to "start_response" before the

461

# generator is actually used.

463

# generator is actually used.

462

yield "__init__"

464

yield "__init__"

463

465

464

for chunk in response:

466

for chunk in response:

465

yield chunk

467

yield chunk

466

except Exception as exc:

468

except Exception as exc:

467

# TODO: johbo: Improve "translating" back the exception.

469

# TODO: johbo: Improve "translating" back the exception.

468

if getattr(exc, '_vcs_kind', None) == 'repo_locked':

470

if getattr(exc, '_vcs_kind', None) == 'repo_locked':

469

exc = HTTPLockedRC(*exc.args)

471

exc = HTTPLockedRC(*exc.args)

470

_code = rhodecode.CONFIG.get('lock_ret_code')

472

_code = rhodecode.CONFIG.get('lock_ret_code')

471

log.debug('Repository LOCKED ret code %s!', (_code,))

473

log.debug('Repository LOCKED ret code %s!', (_code,))

472

elif getattr(exc, '_vcs_kind', None) == 'requirement':

474

elif getattr(exc, '_vcs_kind', None) == 'requirement':

473

log.debug(

475

log.debug(

474

'Repository requires features unknown to this Mercurial')

476

'Repository requires features unknown to this Mercurial')

475

exc = HTTPRequirementError(*exc.args)

477

exc = HTTPRequirementError(*exc.args)

476

else:

478

else:

477

raise

479

raise

478

480

479

for chunk in exc(environ, start_response):

481

for chunk in exc(environ, start_response):

480

yield chunk

482

yield chunk

481

finally:

483

finally:

482

# invalidate cache on push

484

# invalidate cache on push

483

try:

485

try:

484

if action == 'push':

486

if action == 'push':

485

self._invalidate_cache(self.url_repo_name)

487

self._invalidate_cache(self.url_repo_name)

486

finally:

488

finally:

487

meta.Session.remove()

489

meta.Session.remove()

488

490

489

def _get_repository_name(self, environ):

491

def _get_repository_name(self, environ):

490

"""Get repository name out of the environmnent

492

"""Get repository name out of the environmnent

491

493

492

:param environ: WSGI environment

494

:param environ: WSGI environment

493

"""

495

"""

494

raise NotImplementedError()

496

raise NotImplementedError()

495

497

496

def _get_action(self, environ):

498

def _get_action(self, environ):

497

"""Map request commands into a pull or push command.

499

"""Map request commands into a pull or push command.

498

500

499

:param environ: WSGI environment

501

:param environ: WSGI environment

500

"""

502

"""

501

raise NotImplementedError()

503

raise NotImplementedError()

502

504

503

def _create_wsgi_app(self, repo_path, repo_name, config):

505

def _create_wsgi_app(self, repo_path, repo_name, config):

504

"""Return the WSGI app that will finally handle the request."""

506

"""Return the WSGI app that will finally handle the request."""

505

raise NotImplementedError()

507

raise NotImplementedError()

506

508

507

def _create_config(self, extras, repo_name):

509

def _create_config(self, extras, repo_name):

508

"""Create a Pyro safe config representation."""

510

"""Create a Pyro safe config representation."""

509

raise NotImplementedError()

511

raise NotImplementedError()

510

512

511

def _prepare_callback_daemon(self, extras):

513

def _prepare_callback_daemon(self, extras):

512

return prepare_callback_daemon(

514

return prepare_callback_daemon(

513

extras, protocol=vcs_settings.HOOKS_PROTOCOL,

515

extras, protocol=vcs_settings.HOOKS_PROTOCOL,

514

use_direct_calls=vcs_settings.HOOKS_DIRECT_CALLS)

516

use_direct_calls=vcs_settings.HOOKS_DIRECT_CALLS)

515

517

516

518

517

def _should_check_locking(query_string):

519

def _should_check_locking(query_string):

518

# this is kind of hacky, but due to how mercurial handles client-server

520

# this is kind of hacky, but due to how mercurial handles client-server

519

# server see all operation on commit; bookmarks, phases and

521

# server see all operation on commit; bookmarks, phases and

520

# obsolescence marker in different transaction, we don't want to check

522

# obsolescence marker in different transaction, we don't want to check

521

# locking on those

523

# locking on those

522

return query_string not in ['cmd=listkeys']

524

return query_string not in ['cmd=listkeys']

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             # -*- coding: utf-8 -*-
             # Copyright (C) 2014-2016  RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             SimpleVCS middleware for handling protocol request (push/clone etc.)
             It's implemented with basic auth function
             """
             import os
             import logging
             import importlib
             import re
             from functools import wraps
             from paste.httpheaders import REMOTE_USER, AUTH_TYPE
             from webob.exc import (
                 HTTPNotFound, HTTPForbidden, HTTPNotAcceptable, HTTPInternalServerError)
             import rhodecode
             from rhodecode.authentication.base import authenticate, VCS_TYPE
             from rhodecode.lib.auth import AuthUser, HasPermissionAnyMiddleware
             from rhodecode.lib.base import BasicAuth, get_ip_addr, vcs_operation_context
             from rhodecode.lib.exceptions import (
                 HTTPLockedRC, HTTPRequirementError, UserCreationError,
                 NotAllowedToCreateUserError)
             from rhodecode.lib.hooks_daemon import prepare_callback_daemon
             from rhodecode.lib.middleware import appenlight
             from rhodecode.lib.middleware.utils import scm_app
             from rhodecode.lib.utils import (
                 is_valid_repo, get_rhodecode_realm, get_rhodecode_base_path, SLUG_RE)
             from rhodecode.lib.utils2 import safe_str, fix_PATH, str2bool, safe_unicode
             from rhodecode.lib.vcs.conf import settings as vcs_settings
             from rhodecode.lib.vcs.backends import base
             from rhodecode.model import meta
             from rhodecode.model.db import User, Repository, PullRequest
             from rhodecode.model.scm import ScmModel
             from rhodecode.model.pull_request import PullRequestModel
             log = logging.getLogger(__name__)
             def initialize_generator(factory):
                 """
                 Initializes the returned generator by draining its first element.
                 This can be used to give a generator an initializer, which is the code
                 up to the first yield statement. This decorator enforces that the first
                 produced element has the value ``"__init__"`` to make its special
                 purpose very explicit in the using code.
                 """
                 @wraps(factory)
                 def wrapper(*args, **kwargs):
                     gen = factory(*args, **kwargs)
                     try:
                         init = gen.next()
                     except StopIteration:
                         raise ValueError('Generator must yield at least one element.')
                     if init != "__init__":
                         raise ValueError('First yielded element must be "__init__".')
                     return gen
                 return wrapper
             class SimpleVCS(object):
                 """Common functionality for SCM HTTP handlers."""
                 SCM = 'unknown'
                 acl_repo_name = None
                 url_repo_name = None
                 vcs_repo_name = None
                 # We have to handle requests to shadow repositories different than requests
                 # to normal repositories. Therefore we have to distinguish them. To do this
                 # we use this regex which will match only on URLs pointing to shadow
                 # repositories.
                 shadow_repo_re = re.compile(
-                    '(?P<groups>(?:{slug_pat})(?:/{slug_pat})*)'  # repo groups
+                    '(?P<groups>(?:{slug_pat})(?:/{slug_pat})*/)?'  # repo groups
-                    '/(?P<target>{slug_pat})'                     # target repo
+                    '(?P<target>{slug_pat})/'                       # target repo
-                    '/pull-request/(?P<pr_id>\d+)'                # pull request
+                    'pull-request/(?P<pr_id>\d+)/'                  # pull request
-                    '/repository$'                                # shadow repo
+                    'repository$'                                   # shadow repo
                     .format(slug_pat=SLUG_RE.pattern))
                 def __init__(self, application, config, registry):
                     self.registry = registry
                     self.application = application
                     self.config = config
                     # re-populated by specialized middleware
                     self.repo_vcs_config = base.Config()
                     # base path of repo locations
                     self.basepath = get_rhodecode_base_path()
                     # authenticate this VCS request using authfunc
                     auth_ret_code_detection = \
                         str2bool(self.config.get('auth_ret_code_detection', False))
                     self.authenticate = BasicAuth(
                         '', authenticate, registry, config.get('auth_ret_code'),
                         auth_ret_code_detection)
                     self.ip_addr = '0.0.0.0'
                 def set_repo_names(self, environ):
                     """
                     This will populate the attributes acl_repo_name, url_repo_name,
                     vcs_repo_name and is_shadow_repo. In case of requests to normal (non
                     shadow) repositories all names are equal. In case of requests to a
                     shadow repository the acl-name points to the target repo of the pull
                     request and the vcs-name points to the shadow repo file system path.
                     The url-name is always the URL used by the vcs client program.
                     Example in case of a shadow repo:
                         acl_repo_name = RepoGroup/MyRepo
                         url_repo_name = RepoGroup/MyRepo/pull-request/3/repository
                         vcs_repo_name = /repo/base/path/RepoGroup/.__shadow_MyRepo_pr-3'
                     """
                     # First we set the repo name from URL for all attributes. This is the
                     # default if handling normal (non shadow) repo requests.
                     self.url_repo_name = self._get_repository_name(environ)
                     self.acl_repo_name = self.vcs_repo_name = self.url_repo_name
                     self.is_shadow_repo = False
                     # Check if this is a request to a shadow repository.
                     match = self.shadow_repo_re.match(self.url_repo_name)
                     if match:
                         match_dict = match.groupdict()
                         # Build acl repo name from regex match.
-                        acl_repo_name = safe_unicode(
+                        acl_repo_name = safe_unicode('{groups}{target}'.format(
-                            '{groups}/{target}'.format(**match_dict))
+                            groups=match_dict['groups'] or '',
+                            target=match_dict['target']))
                         # Retrieve pull request instance by ID from regex match.
                         pull_request = PullRequest.get(match_dict['pr_id'])
                         # Only proceed if we got a pull request and if acl repo name from
                         # URL equals the target repo name of the pull request.
-                        if pull_request and acl_repo_name == pull_request.target_repo.repo_name:
+                        if pull_request and (acl_repo_name ==
+                                             pull_request.target_repo.repo_name):
                             # Get file system path to shadow repository.
                             workspace_id = PullRequestModel()._workspace_id(pull_request)
                             target_vcs = pull_request.target_repo.scm_instance()
                             vcs_repo_name = target_vcs._get_shadow_repository_path(
                                 workspace_id)
                             # Store names for later usage.
                             self.vcs_repo_name = vcs_repo_name
                             self.acl_repo_name = acl_repo_name
                             self.is_shadow_repo = True
                     log.debug('Repository names: %s', {
                         'acl_repo_name': self.acl_repo_name,
                         'url_repo_name': self.url_repo_name,
                         'vcs_repo_name': self.vcs_repo_name,
                     })
                 @property
                 def scm_app(self):
                     custom_implementation = self.config.get('vcs.scm_app_implementation')
                     if custom_implementation and custom_implementation != 'pyro4':
                         log.info(
                             "Using custom implementation of scm_app: %s",
                             custom_implementation)
                         scm_app_impl = importlib.import_module(custom_implementation)
                     else:
                         scm_app_impl = scm_app
                     return scm_app_impl
                 def _get_by_id(self, repo_name):
                     """
                     Gets a special pattern _<ID> from clone url and tries to replace it
                     with a repository_name for support of _<ID> non changeable urls
                     """
                     data = repo_name.split('/')
                     if len(data) >= 2:
                         from rhodecode.model.repo import RepoModel
                         by_id_match = RepoModel().get_repo_by_id(repo_name)
                         if by_id_match:
                             data[1] = by_id_match.repo_name
                     return safe_str('/'.join(data))
                 def _invalidate_cache(self, repo_name):
                     """
                     Set's cache for this repository for invalidation on next access
                     :param repo_name: full repo name, also a cache key
                     """
                     ScmModel().mark_for_invalidation(repo_name)
                 def is_valid_and_existing_repo(self, repo_name, base_path, scm_type):
                     db_repo = Repository.get_by_repo_name(repo_name)
                     if not db_repo:
                         log.debug('Repository `%s` not found inside the database.',
                                   repo_name)
                         return False
                     if db_repo.repo_type != scm_type:
                         log.warning(
                             'Repository `%s` have incorrect scm_type, expected %s got %s',
                             repo_name, db_repo.repo_type, scm_type)
                         return False
                     return is_valid_repo(repo_name, base_path, expect_scm=scm_type)
                 def valid_and_active_user(self, user):
                     """
                     Checks if that user is not empty, and if it's actually object it checks
                     if he's active.
                     :param user: user object or None
                     :return: boolean
                     """
                     if user is None:
                         return False
                     elif user.active:
                         return True
                     return False
                 def _check_permission(self, action, user, repo_name, ip_addr=None):
                     """
                     Checks permissions using action (push/pull) user and repository
                     name
                     :param action: push or pull action
                     :param user: user instance
                     :param repo_name: repository name
                     """
                     # check IP
                     inherit = user.inherit_default_permissions
                     ip_allowed = AuthUser.check_ip_allowed(user.user_id, ip_addr,
                                                            inherit_from_default=inherit)
                     if ip_allowed:
                         log.info('Access for IP:%s allowed', ip_addr)
                     else:
                         return False
                     if action == 'push':
                         if not HasPermissionAnyMiddleware('repository.write',
                                                           'repository.admin')(user,
                                                                               repo_name):
                             return False
                     else:
                         # any other action need at least read permission
                         if not HasPermissionAnyMiddleware('repository.read',
                                                           'repository.write',
                                                           'repository.admin')(user,
                                                                               repo_name):
                             return False
                     return True
                 def _check_ssl(self, environ, start_response):
                     """
                     Checks the SSL check flag and returns False if SSL is not present
                     and required True otherwise
                     """
                     org_proto = environ['wsgi._org_proto']
                     # check if we have SSL required  ! if not it's a bad request !
                     require_ssl = str2bool(self.repo_vcs_config.get('web', 'push_ssl'))
                     if require_ssl and org_proto == 'http':
                         log.debug('proto is %s and SSL is required BAD REQUEST !',
                                   org_proto)
                         return False
                     return True
                 def __call__(self, environ, start_response):
                     try:
                         return self._handle_request(environ, start_response)
                     except Exception:
                         log.exception("Exception while handling request")
                         appenlight.track_exception(environ)
                         return HTTPInternalServerError()(environ, start_response)
                     finally:
                         meta.Session.remove()
                 def _handle_request(self, environ, start_response):
                     if not self._check_ssl(environ, start_response):
                         reason = ('SSL required, while RhodeCode was unable '
                                   'to detect this as SSL request')
                         log.debug('User not allowed to proceed, %s', reason)
                         return HTTPNotAcceptable(reason)(environ, start_response)
                     if not self.url_repo_name:
                         log.warning('Repository name is empty: %s', self.url_repo_name)
                         # failed to get repo name, we fail now
                         return HTTPNotFound()(environ, start_response)
                     log.debug('Extracted repo name is %s', self.url_repo_name)
                     ip_addr = get_ip_addr(environ)
                     username = None
                     # skip passing error to error controller
                     environ['pylons.status_code_redirect'] = True
                     # ======================================================================
                     # GET ACTION PULL or PUSH
                     # ======================================================================
                     action = self._get_action(environ)
                     # ======================================================================
                     # Check if this is a request to a shadow repository of a pull request.
                     # In this case only pull action is allowed.
                     # ======================================================================
                     if self.is_shadow_repo and action != 'pull':
                         reason = 'Only pull action is allowed for shadow repositories.'
                         log.debug('User not allowed to proceed, %s', reason)
                         return HTTPNotAcceptable(reason)(environ, start_response)
                     # ======================================================================
                     # CHECK ANONYMOUS PERMISSION
                     # ======================================================================
                     if action in ['pull', 'push']:
                         anonymous_user = User.get_default_user()
                         username = anonymous_user.username
                         if anonymous_user.active:
                             # ONLY check permissions if the user is activated
                             anonymous_perm = self._check_permission(
                                 action, anonymous_user, self.acl_repo_name, ip_addr)
                         else:
                             anonymous_perm = False
                         if not anonymous_user.active or not anonymous_perm:
                             if not anonymous_user.active:
                                 log.debug('Anonymous access is disabled, running '
                                           'authentication')
                             if not anonymous_perm:
                                 log.debug('Not enough credentials to access this '
                                           'repository as anonymous user')
                             username = None
                             # ==============================================================
                             # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE
                             # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS
                             # ==============================================================
                             # try to auth based on environ, container auth methods
                             log.debug('Running PRE-AUTH for container based authentication')
                             pre_auth = authenticate(
                                 '', '', environ, VCS_TYPE, registry=self.registry)
                             if pre_auth and pre_auth.get('username'):
                                 username = pre_auth['username']
                             log.debug('PRE-AUTH got %s as username', username)
                             # If not authenticated by the container, running basic auth
                             if not username:
                                 self.authenticate.realm = get_rhodecode_realm()
                                 try:
                                     result = self.authenticate(environ)
                                 except (UserCreationError, NotAllowedToCreateUserError) as e:
                                     log.error(e)
                                     reason = safe_str(e)
                                     return HTTPNotAcceptable(reason)(environ, start_response)
                                 if isinstance(result, str):
                                     AUTH_TYPE.update(environ, 'basic')
                                     REMOTE_USER.update(environ, result)
                                     username = result
                                 else:
                                     return result.wsgi_application(environ, start_response)
                             # ==============================================================
                             # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME
                             # ==============================================================
                             user = User.get_by_username(username)
                             if not self.valid_and_active_user(user):
                                 return HTTPForbidden()(environ, start_response)
                             username = user.username
                             user.update_lastactivity()
                             meta.Session().commit()
                             # check user attributes for password change flag
                             user_obj = user
                             if user_obj and user_obj.username != User.DEFAULT_USER and \
                                     user_obj.user_data.get('force_password_change'):
                                 reason = 'password change required'
                                 log.debug('User not allowed to authenticate, %s', reason)
                                 return HTTPNotAcceptable(reason)(environ, start_response)
                             # check permissions for this repository
                             perm = self._check_permission(
                                 action, user, self.acl_repo_name, ip_addr)
                             if not perm:
                                 return HTTPForbidden()(environ, start_response)
                     # extras are injected into UI object and later available
                     # in hooks executed by rhodecode
                     check_locking = _should_check_locking(environ.get('QUERY_STRING'))
                     extras = vcs_operation_context(
                         environ, repo_name=self.acl_repo_name, username=username,
                         action=action, scm=self.SCM, check_locking=check_locking,
                         is_shadow_repo=self.is_shadow_repo
                     )
                     # ======================================================================
                     # REQUEST HANDLING
                     # ======================================================================
                     repo_path = os.path.join(
                         safe_str(self.basepath), safe_str(self.vcs_repo_name))
                     log.debug('Repository path is %s', repo_path)
                     fix_PATH()
                     log.info(
                         '%s action on %s repo "%s" by "%s" from %s',
                         action, self.SCM, safe_str(self.url_repo_name),
                         safe_str(username), ip_addr)
                     return self._generate_vcs_response(
                         environ, start_response, repo_path, extras, action)
                 @initialize_generator
                 def _generate_vcs_response(
                         self, environ, start_response, repo_path, extras, action):
                     """
                     Returns a generator for the response content.
                     This method is implemented as a generator, so that it can trigger
                     the cache validation after all content sent back to the client. It
                     also handles the locking exceptions which will be triggered when
                     the first chunk is produced by the underlying WSGI application.
                     """
                     callback_daemon, extras = self._prepare_callback_daemon(extras)
                     config = self._create_config(extras, self.acl_repo_name)
                     log.debug('HOOKS extras is %s', extras)
                     app = self._create_wsgi_app(repo_path, self.url_repo_name, config)
                     try:
                         with callback_daemon:
                             try:
                                 response = app(environ, start_response)
                             finally:
                                 # This statement works together with the decorator
                                 # "initialize_generator" above. The decorator ensures that
                                 # we hit the first yield statement before the generator is
                                 # returned back to the WSGI server. This is needed to
                                 # ensure that the call to "app" above triggers the
                                 # needed callback to "start_response" before the
                                 # generator is actually used.
                                 yield "__init__"
                             for chunk in response:
                                 yield chunk
                     except Exception as exc:
                         # TODO: johbo: Improve "translating" back the exception.
                         if getattr(exc, '_vcs_kind', None) == 'repo_locked':
                             exc = HTTPLockedRC(*exc.args)
                             _code = rhodecode.CONFIG.get('lock_ret_code')
                             log.debug('Repository LOCKED ret code %s!', (_code,))
                         elif getattr(exc, '_vcs_kind', None) == 'requirement':
                             log.debug(
                                 'Repository requires features unknown to this Mercurial')
                             exc = HTTPRequirementError(*exc.args)
                         else:
                             raise
                         for chunk in exc(environ, start_response):
                             yield chunk
                     finally:
                         # invalidate cache on push
                         try:
                             if action == 'push':
                                 self._invalidate_cache(self.url_repo_name)
                         finally:
                             meta.Session.remove()
                 def _get_repository_name(self, environ):
                     """Get repository name out of the environmnent
                     :param environ: WSGI environment
                     """
                     raise NotImplementedError()
                 def _get_action(self, environ):
                     """Map request commands into a pull or push command.
                     :param environ: WSGI environment
                     """
                     raise NotImplementedError()
                 def _create_wsgi_app(self, repo_path, repo_name, config):
                     """Return the WSGI app that will finally handle the request."""
                     raise NotImplementedError()
                 def _create_config(self, extras, repo_name):
                     """Create a Pyro safe config representation."""
                     raise NotImplementedError()
                 def _prepare_callback_daemon(self, extras):
                     return prepare_callback_daemon(
                         extras, protocol=vcs_settings.HOOKS_PROTOCOL,
                         use_direct_calls=vcs_settings.HOOKS_DIRECT_CALLS)
             def _should_check_locking(query_string):
                 # this is kind of hacky, but due to how mercurial handles client-server
                 # server see all operation on commit; bookmarks, phases and
                 # obsolescence marker in different transaction, we don't want to check
                 # locking on those
                 return query_string not in ['cmd=listkeys']