rhodecode-enterprise-ce Commit - r918:30123d50

1

# -*- coding: utf-8 -*-

1

# -*- coding: utf-8 -*-

2

3

4

#

4

#

5

# This program is free software: you can redistribute it and/or modify

5

# This program is free software: you can redistribute it and/or modify

6

# it under the terms of the GNU Affero General Public License, version 3

6

# it under the terms of the GNU Affero General Public License, version 3

7

# (only), as published by the Free Software Foundation.

7

# (only), as published by the Free Software Foundation.

8

#

8

#

9

# This program is distributed in the hope that it will be useful,

9

# This program is distributed in the hope that it will be useful,

10

# but WITHOUT ANY WARRANTY; without even the implied warranty of

10

# but WITHOUT ANY WARRANTY; without even the implied warranty of

11

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

11

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

12

# GNU General Public License for more details.

12

# GNU General Public License for more details.

13

#

13

#

14

# You should have received a copy of the GNU Affero General Public License

14

# You should have received a copy of the GNU Affero General Public License

15

# along with this program. If not, see <http://www.gnu.org/licenses/>.

15

# along with this program. If not, see <http://www.gnu.org/licenses/>.

16

#

16

#

17

# This program is dual-licensed. If you wish to learn more about the

17

# This program is dual-licensed. If you wish to learn more about the

18

# RhodeCode Enterprise Edition, including its added features, Support services,

18

# RhodeCode Enterprise Edition, including its added features, Support services,

19

# and proprietary license terms, please see https://rhodecode.com/licenses/

19

# and proprietary license terms, please see https://rhodecode.com/licenses/

20

21

"""

21

"""

22

SimpleVCS middleware for handling protocol request (push/clone etc.)

22

SimpleVCS middleware for handling protocol request (push/clone etc.)

23

It's implemented with basic auth function

23

It's implemented with basic auth function

24

"""

24

"""

25

26

import os

26

import os

27

import logging

27

import logging

28

import importlib

28

import importlib

29

import re

29

import re

30

from functools import wraps

30

from functools import wraps

31

32

from paste.httpheaders import REMOTE_USER, AUTH_TYPE

32

from paste.httpheaders import REMOTE_USER, AUTH_TYPE

33

from webob.exc import (

33

from webob.exc import (

34

HTTPNotFound, HTTPForbidden, HTTPNotAcceptable, HTTPInternalServerError)

34

HTTPNotFound, HTTPForbidden, HTTPNotAcceptable, HTTPInternalServerError)

35

36

import rhodecode

36

import rhodecode

37

from rhodecode.authentication.base import authenticate, VCS_TYPE

37

from rhodecode.authentication.base import authenticate, VCS_TYPE

38

from rhodecode.lib.auth import AuthUser, HasPermissionAnyMiddleware

38

from rhodecode.lib.auth import AuthUser, HasPermissionAnyMiddleware

39

from rhodecode.lib.base import BasicAuth, get_ip_addr, vcs_operation_context

39

from rhodecode.lib.base import BasicAuth, get_ip_addr, vcs_operation_context

40

from rhodecode.lib.exceptions import (

40

from rhodecode.lib.exceptions import (

41

HTTPLockedRC, HTTPRequirementError, UserCreationError,

41

HTTPLockedRC, HTTPRequirementError, UserCreationError,

42

NotAllowedToCreateUserError)

42

NotAllowedToCreateUserError)

43

from rhodecode.lib.hooks_daemon import prepare_callback_daemon

43

from rhodecode.lib.hooks_daemon import prepare_callback_daemon

44

from rhodecode.lib.middleware import appenlight

44

from rhodecode.lib.middleware import appenlight

45

from rhodecode.lib.middleware.utils import scm_app

45

from rhodecode.lib.middleware.utils import scm_app

46

from rhodecode.lib.utils import (

46

from rhodecode.lib.utils import (

47

is_valid_repo, get_rhodecode_realm, get_rhodecode_base_path, SLUG_RE)

47

is_valid_repo, get_rhodecode_realm, get_rhodecode_base_path, SLUG_RE)

48

from rhodecode.lib.utils2 import safe_str, fix_PATH, str2bool, safe_unicode

48

from rhodecode.lib.utils2 import safe_str, fix_PATH, str2bool, safe_unicode

49

from rhodecode.lib.vcs.conf import settings as vcs_settings

49

from rhodecode.lib.vcs.conf import settings as vcs_settings

50

from rhodecode.lib.vcs.backends import base

50

from rhodecode.lib.vcs.backends import base

51

from rhodecode.model import meta

51

from rhodecode.model import meta

52

from rhodecode.model.db import User, Repository, PullRequest

52

from rhodecode.model.db import User, Repository, PullRequest

53

from rhodecode.model.scm import ScmModel

53

from rhodecode.model.scm import ScmModel

54

from rhodecode.model.pull_request import PullRequestModel

54

from rhodecode.model.pull_request import PullRequestModel

55

56

57

log = logging.getLogger(__name__)

57

log = logging.getLogger(__name__)

58

59

60

def initialize_generator(factory):

60

def initialize_generator(factory):

61

"""

61

"""

62

Initializes the returned generator by draining its first element.

62

Initializes the returned generator by draining its first element.

63

64

This can be used to give a generator an initializer, which is the code

64

This can be used to give a generator an initializer, which is the code

65

up to the first yield statement. This decorator enforces that the first

65

up to the first yield statement. This decorator enforces that the first

66

produced element has the value ``"__init__"`` to make its special

66

produced element has the value ``"__init__"`` to make its special

67

purpose very explicit in the using code.

67

purpose very explicit in the using code.

68

"""

68

"""

69

70

@wraps(factory)

70

@wraps(factory)

71

def wrapper(*args, **kwargs):

71

def wrapper(*args, **kwargs):

72

gen = factory(*args, **kwargs)

72

gen = factory(*args, **kwargs)

73

try:

73

try:

74

init = gen.next()

74

init = gen.next()

75

except StopIteration:

75

except StopIteration:

76

raise ValueError('Generator must yield at least one element.')

76

raise ValueError('Generator must yield at least one element.')

77

if init != "__init__":

77

if init != "__init__":

78

raise ValueError('First yielded element must be "__init__".')

78

raise ValueError('First yielded element must be "__init__".')

79

return gen

79

return gen

80

return wrapper

80

return wrapper

81

82

83

class SimpleVCS(object):

83

class SimpleVCS(object):

84

"""Common functionality for SCM HTTP handlers."""

84

"""Common functionality for SCM HTTP handlers."""

85

86

SCM = 'unknown'

86

SCM = 'unknown'

87

88

acl_repo_name = None

88

acl_repo_name = None

89

url_repo_name = None

89

url_repo_name = None

90

vcs_repo_name = None

90

vcs_repo_name = None

91

92

# We have to handle requests to shadow repositories different than requests

92

# We have to handle requests to shadow repositories different than requests

93

# to normal repositories. Therefore we have to distinguish them. To do this

93

# to normal repositories. Therefore we have to distinguish them. To do this

94

# we use this regex which will match only on URLs pointing to shadow

94

# we use this regex which will match only on URLs pointing to shadow

95

# repositories.

95

# repositories.

96

shadow_repo_re = re.compile(

96

shadow_repo_re = re.compile(

97

'(?P<groups>(?:{slug_pat}~~)(?:~~/~~{slug_pat}~~)*/)?' # repo groups

97

'(?P<groups>(?:{slug_pat}/)*)' # repo groups

98

'(?P<target>{slug_pat})/' # target repo

98

'(?P<target>{slug_pat})/' # target repo

99

'pull-request/(?P<pr_id>\d+)/' # pull request

99

'pull-request/(?P<pr_id>\d+)/' # pull request

100

'repository$' # shadow repo

100

'repository$' # shadow repo

101

.format(slug_pat=SLUG_RE.pattern))

101

.format(slug_pat=SLUG_RE.pattern))

102

103

def __init__(self, application, config, registry):

103

def __init__(self, application, config, registry):

104

self.registry = registry

104

self.registry = registry

105

self.application = application

105

self.application = application

106

self.config = config

106

self.config = config

107

# re-populated by specialized middleware

107

# re-populated by specialized middleware

108

self.repo_vcs_config = base.Config()

108

self.repo_vcs_config = base.Config()

109

110

# base path of repo locations

110

# base path of repo locations

111

self.basepath = get_rhodecode_base_path()

111

self.basepath = get_rhodecode_base_path()

112

# authenticate this VCS request using authfunc

112

# authenticate this VCS request using authfunc

113

auth_ret_code_detection = \

113

auth_ret_code_detection = \

114

str2bool(self.config.get('auth_ret_code_detection', False))

114

str2bool(self.config.get('auth_ret_code_detection', False))

115

self.authenticate = BasicAuth(

115

self.authenticate = BasicAuth(

116

'', authenticate, registry, config.get('auth_ret_code'),

116

'', authenticate, registry, config.get('auth_ret_code'),

117

auth_ret_code_detection)

117

auth_ret_code_detection)

118

self.ip_addr = '0.0.0.0'

118

self.ip_addr = '0.0.0.0'

119

120

def set_repo_names(self, environ):

120

def set_repo_names(self, environ):

121

"""

121

"""

122

This will populate the attributes acl_repo_name, url_repo_name,

122

This will populate the attributes acl_repo_name, url_repo_name,

123

vcs_repo_name and is_shadow_repo. In case of requests to normal (non

123

vcs_repo_name and is_shadow_repo. In case of requests to normal (non

124

shadow) repositories all names are equal. In case of requests to a

124

shadow) repositories all names are equal. In case of requests to a

125

shadow repository the acl-name points to the target repo of the pull

125

shadow repository the acl-name points to the target repo of the pull

126

request and the vcs-name points to the shadow repo file system path.

126

request and the vcs-name points to the shadow repo file system path.

127

The url-name is always the URL used by the vcs client program.

127

The url-name is always the URL used by the vcs client program.

128

129

Example in case of a shadow repo:

129

Example in case of a shadow repo:

130

acl_repo_name = RepoGroup/MyRepo

130

acl_repo_name = RepoGroup/MyRepo

131

url_repo_name = RepoGroup/MyRepo/pull-request/3/repository

131

url_repo_name = RepoGroup/MyRepo/pull-request/3/repository

132

vcs_repo_name = /repo/base/path/RepoGroup/.__shadow_MyRepo_pr-3'

132

vcs_repo_name = /repo/base/path/RepoGroup/.__shadow_MyRepo_pr-3'

133

"""

133

"""

134

# First we set the repo name from URL for all attributes. This is the

134

# First we set the repo name from URL for all attributes. This is the

135

# default if handling normal (non shadow) repo requests.

135

# default if handling normal (non shadow) repo requests.

136

self.url_repo_name = self._get_repository_name(environ)

136

self.url_repo_name = self._get_repository_name(environ)

137

self.acl_repo_name = self.vcs_repo_name = self.url_repo_name

137

self.acl_repo_name = self.vcs_repo_name = self.url_repo_name

138

self.is_shadow_repo = False

138

self.is_shadow_repo = False

139

140

# Check if this is a request to a shadow repository.

140

# Check if this is a request to a shadow repository.

141

match = self.shadow_repo_re.match(self.url_repo_name)

141

match = self.shadow_repo_re.match(self.url_repo_name)

142

if match:

142

if match:

143

match_dict = match.groupdict()

143

match_dict = match.groupdict()

144

145

# Build acl repo name from regex match.

145

# Build acl repo name from regex match.

146

acl_repo_name = safe_unicode('{groups}{target}'.format(

146

acl_repo_name = safe_unicode('{groups}{target}'.format(

147

groups=match_dict['groups'] or '',

147

groups=match_dict['groups'] or '',

148

target=match_dict['target']))

148

target=match_dict['target']))

149

150

# Retrieve pull request instance by ID from regex match.

150

# Retrieve pull request instance by ID from regex match.

151

pull_request = PullRequest.get(match_dict['pr_id'])

151

pull_request = PullRequest.get(match_dict['pr_id'])

152

153

# Only proceed if we got a pull request and if acl repo name from

153

# Only proceed if we got a pull request and if acl repo name from

154

# URL equals the target repo name of the pull request.

154

# URL equals the target repo name of the pull request.

155

if pull_request and (acl_repo_name ==

155

if pull_request and (acl_repo_name ==

156

pull_request.target_repo.repo_name):

156

pull_request.target_repo.repo_name):

157

# Get file system path to shadow repository.

157

# Get file system path to shadow repository.

158

workspace_id = PullRequestModel()._workspace_id(pull_request)

158

workspace_id = PullRequestModel()._workspace_id(pull_request)

159

target_vcs = pull_request.target_repo.scm_instance()

159

target_vcs = pull_request.target_repo.scm_instance()

160

vcs_repo_name = target_vcs._get_shadow_repository_path(

160

vcs_repo_name = target_vcs._get_shadow_repository_path(

161

workspace_id)

161

workspace_id)

162

163

# Store names for later usage.

163

# Store names for later usage.

164

self.vcs_repo_name = vcs_repo_name

164

self.vcs_repo_name = vcs_repo_name

165

self.acl_repo_name = acl_repo_name

165

self.acl_repo_name = acl_repo_name

166

self.is_shadow_repo = True

166

self.is_shadow_repo = True

167

168

log.debug('Repository names: %s', {

168

log.debug('Repository names: %s', {

169

'acl_repo_name': self.acl_repo_name,

169

'acl_repo_name': self.acl_repo_name,

170

'url_repo_name': self.url_repo_name,

170

'url_repo_name': self.url_repo_name,

171

'vcs_repo_name': self.vcs_repo_name,

171

'vcs_repo_name': self.vcs_repo_name,

172

})

172

})

173

174

@property

174

@property

175

def scm_app(self):

175

def scm_app(self):

176

custom_implementation = self.config.get('vcs.scm_app_implementation')

176

custom_implementation = self.config.get('vcs.scm_app_implementation')

177

if custom_implementation and custom_implementation != 'pyro4':

177

if custom_implementation and custom_implementation != 'pyro4':

178

log.info(

178

log.info(

179

"Using custom implementation of scm_app: %s",

179

"Using custom implementation of scm_app: %s",

180

custom_implementation)

180

custom_implementation)

181

scm_app_impl = importlib.import_module(custom_implementation)

181

scm_app_impl = importlib.import_module(custom_implementation)

182

else:

182

else:

183

scm_app_impl = scm_app

183

scm_app_impl = scm_app

184

return scm_app_impl

184

return scm_app_impl

185

186

def _get_by_id(self, repo_name):

186

def _get_by_id(self, repo_name):

187

"""

187

"""

188

Gets a special pattern _<ID> from clone url and tries to replace it

188

Gets a special pattern _<ID> from clone url and tries to replace it

189

with a repository_name for support of _<ID> non changeable urls

189

with a repository_name for support of _<ID> non changeable urls

190

"""

190

"""

191

192

data = repo_name.split('/')

192

data = repo_name.split('/')

193

if len(data) >= 2:

193

if len(data) >= 2:

194

from rhodecode.model.repo import RepoModel

194

from rhodecode.model.repo import RepoModel

195

by_id_match = RepoModel().get_repo_by_id(repo_name)

195

by_id_match = RepoModel().get_repo_by_id(repo_name)

196

if by_id_match:

196

if by_id_match:

197

data[1] = by_id_match.repo_name

197

data[1] = by_id_match.repo_name

198

199

return safe_str('/'.join(data))

199

return safe_str('/'.join(data))

200

201

def _invalidate_cache(self, repo_name):

201

def _invalidate_cache(self, repo_name):

202

"""

202

"""

203

Set's cache for this repository for invalidation on next access

203

Set's cache for this repository for invalidation on next access

204

205

:param repo_name: full repo name, also a cache key

205

:param repo_name: full repo name, also a cache key

206

"""

206

"""

207

ScmModel().mark_for_invalidation(repo_name)

207

ScmModel().mark_for_invalidation(repo_name)

208

209

def is_valid_and_existing_repo(self, repo_name, base_path, scm_type):

209

def is_valid_and_existing_repo(self, repo_name, base_path, scm_type):

210

db_repo = Repository.get_by_repo_name(repo_name)

210

db_repo = Repository.get_by_repo_name(repo_name)

211

if not db_repo:

211

if not db_repo:

212

log.debug('Repository `%s` not found inside the database.',

212

log.debug('Repository `%s` not found inside the database.',

213

repo_name)

213

repo_name)

214

return False

214

return False

215

216

if db_repo.repo_type != scm_type:

216

if db_repo.repo_type != scm_type:

217

log.warning(

217

log.warning(

218

'Repository `%s` have incorrect scm_type, expected %s got %s',

218

'Repository `%s` have incorrect scm_type, expected %s got %s',

219

repo_name, db_repo.repo_type, scm_type)

219

repo_name, db_repo.repo_type, scm_type)

220

return False

220

return False

221

222

return is_valid_repo(repo_name, base_path, expect_scm=scm_type)

222

return is_valid_repo(repo_name, base_path, expect_scm=scm_type)

223

224

def valid_and_active_user(self, user):

224

def valid_and_active_user(self, user):

225

"""

225

"""

226

Checks if that user is not empty, and if it's actually object it checks

226

Checks if that user is not empty, and if it's actually object it checks

227

if he's active.

227

if he's active.

228

229

:param user: user object or None

229

:param user: user object or None

230

:return: boolean

230

:return: boolean

231

"""

231

"""

232

if user is None:

232

if user is None:

233

return False

233

return False

234

235

elif user.active:

235

elif user.active:

236

return True

236

return True

237

238

return False

238

return False

239

240

def _check_permission(self, action, user, repo_name, ip_addr=None):

240

def _check_permission(self, action, user, repo_name, ip_addr=None):

241

"""

241

"""

242

Checks permissions using action (push/pull) user and repository

242

Checks permissions using action (push/pull) user and repository

243

name

243

name

244

245

:param action: push or pull action

245

:param action: push or pull action

246

:param user: user instance

246

:param user: user instance

247

:param repo_name: repository name

247

:param repo_name: repository name

248

"""

248

"""

249

# check IP

249

# check IP

250

inherit = user.inherit_default_permissions

250

inherit = user.inherit_default_permissions

251

ip_allowed = AuthUser.check_ip_allowed(user.user_id, ip_addr,

251

ip_allowed = AuthUser.check_ip_allowed(user.user_id, ip_addr,

252

inherit_from_default=inherit)

252

inherit_from_default=inherit)

253

if ip_allowed:

253

if ip_allowed:

254

log.info('Access for IP:%s allowed', ip_addr)

254

log.info('Access for IP:%s allowed', ip_addr)

255

else:

255

else:

256

return False

256

return False

257

258

if action == 'push':

258

if action == 'push':

259

if not HasPermissionAnyMiddleware('repository.write',

259

if not HasPermissionAnyMiddleware('repository.write',

260

'repository.admin')(user,

260

'repository.admin')(user,

261

repo_name):

261

repo_name):

262

return False

262

return False

263

264

else:

264

else:

265

# any other action need at least read permission

265

# any other action need at least read permission

266

if not HasPermissionAnyMiddleware('repository.read',

266

if not HasPermissionAnyMiddleware('repository.read',

267

'repository.write',

267

'repository.write',

268

'repository.admin')(user,

268

'repository.admin')(user,

269

repo_name):

269

repo_name):

270

return False

270

return False

271

272

return True

272

return True

273

274

def _check_ssl(self, environ, start_response):

274

def _check_ssl(self, environ, start_response):

275

"""

275

"""

276

Checks the SSL check flag and returns False if SSL is not present

276

Checks the SSL check flag and returns False if SSL is not present

277

and required True otherwise

277

and required True otherwise

278

"""

278

"""

279

org_proto = environ['wsgi._org_proto']

279

org_proto = environ['wsgi._org_proto']

280

# check if we have SSL required ! if not it's a bad request !

280

# check if we have SSL required ! if not it's a bad request !

281

require_ssl = str2bool(self.repo_vcs_config.get('web', 'push_ssl'))

281

require_ssl = str2bool(self.repo_vcs_config.get('web', 'push_ssl'))

282

if require_ssl and org_proto == 'http':

282

if require_ssl and org_proto == 'http':

283

log.debug('proto is %s and SSL is required BAD REQUEST !',

283

log.debug('proto is %s and SSL is required BAD REQUEST !',

284

org_proto)

284

org_proto)

285

return False

285

return False

286

return True

286

return True

287

288

def __call__(self, environ, start_response):

288

def __call__(self, environ, start_response):

289

try:

289

try:

290

return self._handle_request(environ, start_response)

290

return self._handle_request(environ, start_response)

291

except Exception:

291

except Exception:

292

log.exception("Exception while handling request")

292

log.exception("Exception while handling request")

293

appenlight.track_exception(environ)

293

appenlight.track_exception(environ)

294

return HTTPInternalServerError()(environ, start_response)

294

return HTTPInternalServerError()(environ, start_response)

295

finally:

295

finally:

296

meta.Session.remove()

296

meta.Session.remove()

297

298

def _handle_request(self, environ, start_response):

298

def _handle_request(self, environ, start_response):

299

300

if not self._check_ssl(environ, start_response):

300

if not self._check_ssl(environ, start_response):

301

reason = ('SSL required, while RhodeCode was unable '

301

reason = ('SSL required, while RhodeCode was unable '

302

'to detect this as SSL request')

302

'to detect this as SSL request')

303

log.debug('User not allowed to proceed, %s', reason)

303

log.debug('User not allowed to proceed, %s', reason)

304

return HTTPNotAcceptable(reason)(environ, start_response)

304

return HTTPNotAcceptable(reason)(environ, start_response)

305

306

if not self.url_repo_name:

306

if not self.url_repo_name:

307

log.warning('Repository name is empty: %s', self.url_repo_name)

307

log.warning('Repository name is empty: %s', self.url_repo_name)

308

# failed to get repo name, we fail now

308

# failed to get repo name, we fail now

309

return HTTPNotFound()(environ, start_response)

309

return HTTPNotFound()(environ, start_response)

310

log.debug('Extracted repo name is %s', self.url_repo_name)

310

log.debug('Extracted repo name is %s', self.url_repo_name)

311

312

ip_addr = get_ip_addr(environ)

312

ip_addr = get_ip_addr(environ)

313

username = None

313

username = None

314

315

# skip passing error to error controller

315

# skip passing error to error controller

316

environ['pylons.status_code_redirect'] = True

316

environ['pylons.status_code_redirect'] = True

317

318

# ======================================================================

318

# ======================================================================

319

# GET ACTION PULL or PUSH

319

# GET ACTION PULL or PUSH

320

# ======================================================================

320

# ======================================================================

321

action = self._get_action(environ)

321

action = self._get_action(environ)

322

323

# ======================================================================

323

# ======================================================================

324

# Check if this is a request to a shadow repository of a pull request.

324

# Check if this is a request to a shadow repository of a pull request.

325

# In this case only pull action is allowed.

325

# In this case only pull action is allowed.

326

# ======================================================================

326

# ======================================================================

327

if self.is_shadow_repo and action != 'pull':

327

if self.is_shadow_repo and action != 'pull':

328

reason = 'Only pull action is allowed for shadow repositories.'

328

reason = 'Only pull action is allowed for shadow repositories.'

329

log.debug('User not allowed to proceed, %s', reason)

329

log.debug('User not allowed to proceed, %s', reason)

330

return HTTPNotAcceptable(reason)(environ, start_response)

330

return HTTPNotAcceptable(reason)(environ, start_response)

331

332

# ======================================================================

332

# ======================================================================

333

# CHECK ANONYMOUS PERMISSION

333

# CHECK ANONYMOUS PERMISSION

334

# ======================================================================

334

# ======================================================================

335

if action in ['pull', 'push']:

335

if action in ['pull', 'push']:

336

anonymous_user = User.get_default_user()

336

anonymous_user = User.get_default_user()

337

username = anonymous_user.username

337

username = anonymous_user.username

338

if anonymous_user.active:

338

if anonymous_user.active:

339

# ONLY check permissions if the user is activated

339

# ONLY check permissions if the user is activated

340

anonymous_perm = self._check_permission(

340

anonymous_perm = self._check_permission(

341

action, anonymous_user, self.acl_repo_name, ip_addr)

341

action, anonymous_user, self.acl_repo_name, ip_addr)

342

else:

342

else:

343

anonymous_perm = False

343

anonymous_perm = False

344

345

if not anonymous_user.active or not anonymous_perm:

345

if not anonymous_user.active or not anonymous_perm:

346

if not anonymous_user.active:

346

if not anonymous_user.active:

347

log.debug('Anonymous access is disabled, running '

347

log.debug('Anonymous access is disabled, running '

348

'authentication')

348

'authentication')

349

350

if not anonymous_perm:

350

if not anonymous_perm:

351

log.debug('Not enough credentials to access this '

351

log.debug('Not enough credentials to access this '

352

'repository as anonymous user')

352

'repository as anonymous user')

353

354

username = None

354

username = None

355

# ==============================================================

355

# ==============================================================

356

# DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE

356

# DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE

357

# NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS

357

# NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS

358

# ==============================================================

358

# ==============================================================

359

360

# try to auth based on environ, container auth methods

360

# try to auth based on environ, container auth methods

361

log.debug('Running PRE-AUTH for container based authentication')

361

log.debug('Running PRE-AUTH for container based authentication')

362

pre_auth = authenticate(

362

pre_auth = authenticate(

363

'', '', environ, VCS_TYPE, registry=self.registry)

363

'', '', environ, VCS_TYPE, registry=self.registry)

364

if pre_auth and pre_auth.get('username'):

364

if pre_auth and pre_auth.get('username'):

365

username = pre_auth['username']

365

username = pre_auth['username']

366

log.debug('PRE-AUTH got %s as username', username)

366

log.debug('PRE-AUTH got %s as username', username)

367

368

# If not authenticated by the container, running basic auth

368

# If not authenticated by the container, running basic auth

369

if not username:

369

if not username:

370

self.authenticate.realm = get_rhodecode_realm()

370

self.authenticate.realm = get_rhodecode_realm()

371

372

try:

372

try:

373

result = self.authenticate(environ)

373

result = self.authenticate(environ)

374

except (UserCreationError, NotAllowedToCreateUserError) as e:

374

except (UserCreationError, NotAllowedToCreateUserError) as e:

375

log.error(e)

375

log.error(e)

376

reason = safe_str(e)

376

reason = safe_str(e)

377

return HTTPNotAcceptable(reason)(environ, start_response)

377

return HTTPNotAcceptable(reason)(environ, start_response)

378

379

if isinstance(result, str):

379

if isinstance(result, str):

380

AUTH_TYPE.update(environ, 'basic')

380

AUTH_TYPE.update(environ, 'basic')

381

REMOTE_USER.update(environ, result)

381

REMOTE_USER.update(environ, result)

382

username = result

382

username = result

383

else:

383

else:

384

return result.wsgi_application(environ, start_response)

384

return result.wsgi_application(environ, start_response)

385

386

# ==============================================================

386

# ==============================================================

387

# CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME

387

# CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME

388

# ==============================================================

388

# ==============================================================

389

user = User.get_by_username(username)

389

user = User.get_by_username(username)

390

if not self.valid_and_active_user(user):

390

if not self.valid_and_active_user(user):

391

return HTTPForbidden()(environ, start_response)

391

return HTTPForbidden()(environ, start_response)

392

username = user.username

392

username = user.username

393

user.update_lastactivity()

393

user.update_lastactivity()

394

meta.Session().commit()

394

meta.Session().commit()

395

396

# check user attributes for password change flag

396

# check user attributes for password change flag

397

user_obj = user

397

user_obj = user

398

if user_obj and user_obj.username != User.DEFAULT_USER and \

398

if user_obj and user_obj.username != User.DEFAULT_USER and \

399

user_obj.user_data.get('force_password_change'):

399

user_obj.user_data.get('force_password_change'):

400

reason = 'password change required'

400

reason = 'password change required'

401

log.debug('User not allowed to authenticate, %s', reason)

401

log.debug('User not allowed to authenticate, %s', reason)

402

return HTTPNotAcceptable(reason)(environ, start_response)

402

return HTTPNotAcceptable(reason)(environ, start_response)

403

404

# check permissions for this repository

404

# check permissions for this repository

405

perm = self._check_permission(

405

perm = self._check_permission(

406

action, user, self.acl_repo_name, ip_addr)

406

action, user, self.acl_repo_name, ip_addr)

407

if not perm:

407

if not perm:

408

return HTTPForbidden()(environ, start_response)

408

return HTTPForbidden()(environ, start_response)

409

410

# extras are injected into UI object and later available

410

# extras are injected into UI object and later available

411

# in hooks executed by rhodecode

411

# in hooks executed by rhodecode

412

check_locking = _should_check_locking(environ.get('QUERY_STRING'))

412

check_locking = _should_check_locking(environ.get('QUERY_STRING'))

413

extras = vcs_operation_context(

413

extras = vcs_operation_context(

414

environ, repo_name=self.acl_repo_name, username=username,

414

environ, repo_name=self.acl_repo_name, username=username,

415

action=action, scm=self.SCM, check_locking=check_locking,

415

action=action, scm=self.SCM, check_locking=check_locking,

416

is_shadow_repo=self.is_shadow_repo

416

is_shadow_repo=self.is_shadow_repo

417

)

417

)

418

419

# ======================================================================

419

# ======================================================================

420

# REQUEST HANDLING

420

# REQUEST HANDLING

421

# ======================================================================

421

# ======================================================================

422

repo_path = os.path.join(

422

repo_path = os.path.join(

423

safe_str(self.basepath), safe_str(self.vcs_repo_name))

423

safe_str(self.basepath), safe_str(self.vcs_repo_name))

424

log.debug('Repository path is %s', repo_path)

424

log.debug('Repository path is %s', repo_path)

425

426

fix_PATH()

426

fix_PATH()

427

428

log.info(

428

log.info(

429

'%s action on %s repo "%s" by "%s" from %s',

429

'%s action on %s repo "%s" by "%s" from %s',

430

action, self.SCM, safe_str(self.url_repo_name),

430

action, self.SCM, safe_str(self.url_repo_name),

431

safe_str(username), ip_addr)

431

safe_str(username), ip_addr)

432

433

return self._generate_vcs_response(

433

return self._generate_vcs_response(

434

environ, start_response, repo_path, extras, action)

434

environ, start_response, repo_path, extras, action)

435

436

@initialize_generator

436

@initialize_generator

437

def _generate_vcs_response(

437

def _generate_vcs_response(

438

self, environ, start_response, repo_path, extras, action):

438

self, environ, start_response, repo_path, extras, action):

439

"""

439

"""

440

Returns a generator for the response content.

440

Returns a generator for the response content.

441

442

This method is implemented as a generator, so that it can trigger

442

This method is implemented as a generator, so that it can trigger

443

the cache validation after all content sent back to the client. It

443

the cache validation after all content sent back to the client. It

444

also handles the locking exceptions which will be triggered when

444

also handles the locking exceptions which will be triggered when

445

the first chunk is produced by the underlying WSGI application.

445

the first chunk is produced by the underlying WSGI application.

446

"""

446

"""

447

callback_daemon, extras = self._prepare_callback_daemon(extras)

447

callback_daemon, extras = self._prepare_callback_daemon(extras)

448

config = self._create_config(extras, self.acl_repo_name)

448

config = self._create_config(extras, self.acl_repo_name)

449

log.debug('HOOKS extras is %s', extras)

449

log.debug('HOOKS extras is %s', extras)

450

app = self._create_wsgi_app(repo_path, self.url_repo_name, config)

450

app = self._create_wsgi_app(repo_path, self.url_repo_name, config)

451

452

try:

452

try:

453

with callback_daemon:

453

with callback_daemon:

454

try:

454

try:

455

response = app(environ, start_response)

455

response = app(environ, start_response)

456

finally:

456

finally:

457

# This statement works together with the decorator

457

# This statement works together with the decorator

458

# "initialize_generator" above. The decorator ensures that

458

# "initialize_generator" above. The decorator ensures that

459

# we hit the first yield statement before the generator is

459

# we hit the first yield statement before the generator is

460

# returned back to the WSGI server. This is needed to

460

# returned back to the WSGI server. This is needed to

461

# ensure that the call to "app" above triggers the

461

# ensure that the call to "app" above triggers the

462

# needed callback to "start_response" before the

462

# needed callback to "start_response" before the

463

# generator is actually used.

463

# generator is actually used.

464

yield "__init__"

464

yield "__init__"

465

466

for chunk in response:

466

for chunk in response:

467

yield chunk

467

yield chunk

468

except Exception as exc:

468

except Exception as exc:

469

# TODO: johbo: Improve "translating" back the exception.

469

# TODO: johbo: Improve "translating" back the exception.

470

if getattr(exc, '_vcs_kind', None) == 'repo_locked':

470

if getattr(exc, '_vcs_kind', None) == 'repo_locked':

471

exc = HTTPLockedRC(*exc.args)

471

exc = HTTPLockedRC(*exc.args)

472

_code = rhodecode.CONFIG.get('lock_ret_code')

472

_code = rhodecode.CONFIG.get('lock_ret_code')

473

log.debug('Repository LOCKED ret code %s!', (_code,))

473

log.debug('Repository LOCKED ret code %s!', (_code,))

474

elif getattr(exc, '_vcs_kind', None) == 'requirement':

474

elif getattr(exc, '_vcs_kind', None) == 'requirement':

475

log.debug(

475

log.debug(

476

'Repository requires features unknown to this Mercurial')

476

'Repository requires features unknown to this Mercurial')

477

exc = HTTPRequirementError(*exc.args)

477

exc = HTTPRequirementError(*exc.args)

478

else:

478

else:

479

raise

479

raise

480

481

for chunk in exc(environ, start_response):

481

for chunk in exc(environ, start_response):

482

yield chunk

482

yield chunk

483

finally:

483

finally:

484

# invalidate cache on push

484

# invalidate cache on push

485

try:

485

try:

486

if action == 'push':

486

if action == 'push':

487

self._invalidate_cache(self.url_repo_name)

487

self._invalidate_cache(self.url_repo_name)

488

finally:

488

finally:

489

meta.Session.remove()

489

meta.Session.remove()

490

491

def _get_repository_name(self, environ):

491

def _get_repository_name(self, environ):

492

"""Get repository name out of the environmnent

492

"""Get repository name out of the environmnent

493

494

:param environ: WSGI environment

494

:param environ: WSGI environment

495

"""

495

"""

496

raise NotImplementedError()

496

raise NotImplementedError()

497

498

def _get_action(self, environ):

498

def _get_action(self, environ):

499

"""Map request commands into a pull or push command.

499

"""Map request commands into a pull or push command.

500

501

:param environ: WSGI environment

501

:param environ: WSGI environment

502

"""

502

"""

503

raise NotImplementedError()

503

raise NotImplementedError()

504

505

def _create_wsgi_app(self, repo_path, repo_name, config):

505

def _create_wsgi_app(self, repo_path, repo_name, config):

506

"""Return the WSGI app that will finally handle the request."""

506

"""Return the WSGI app that will finally handle the request."""

507

raise NotImplementedError()

507

raise NotImplementedError()

508

509

def _create_config(self, extras, repo_name):

509

def _create_config(self, extras, repo_name):

510

"""Create a Pyro safe config representation."""

510

"""Create a Pyro safe config representation."""

511

raise NotImplementedError()

511

raise NotImplementedError()

512

513

def _prepare_callback_daemon(self, extras):

513

def _prepare_callback_daemon(self, extras):

514

return prepare_callback_daemon(

514

return prepare_callback_daemon(

515

extras, protocol=vcs_settings.HOOKS_PROTOCOL,

515

extras, protocol=vcs_settings.HOOKS_PROTOCOL,

516

use_direct_calls=vcs_settings.HOOKS_DIRECT_CALLS)

516

use_direct_calls=vcs_settings.HOOKS_DIRECT_CALLS)

517

518

519

def _should_check_locking(query_string):

519

def _should_check_locking(query_string):

520

# this is kind of hacky, but due to how mercurial handles client-server

520

# this is kind of hacky, but due to how mercurial handles client-server

521

# server see all operation on commit; bookmarks, phases and

521

# server see all operation on commit; bookmarks, phases and

522

# obsolescence marker in different transaction, we don't want to check

522

# obsolescence marker in different transaction, we don't want to check

523

# locking on those

523

# locking on those

524

return query_string not in ['cmd=listkeys']

524

return query_string not in ['cmd=listkeys']

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             # -*- coding: utf-8 -*-
             # Copyright (C) 2014-2016  RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             SimpleVCS middleware for handling protocol request (push/clone etc.)
             It's implemented with basic auth function
             """
             import os
             import logging
             import importlib
             import re
             from functools import wraps
             from paste.httpheaders import REMOTE_USER, AUTH_TYPE
             from webob.exc import (
                 HTTPNotFound, HTTPForbidden, HTTPNotAcceptable, HTTPInternalServerError)
             import rhodecode
             from rhodecode.authentication.base import authenticate, VCS_TYPE
             from rhodecode.lib.auth import AuthUser, HasPermissionAnyMiddleware
             from rhodecode.lib.base import BasicAuth, get_ip_addr, vcs_operation_context
             from rhodecode.lib.exceptions import (
                 HTTPLockedRC, HTTPRequirementError, UserCreationError,
                 NotAllowedToCreateUserError)
             from rhodecode.lib.hooks_daemon import prepare_callback_daemon
             from rhodecode.lib.middleware import appenlight
             from rhodecode.lib.middleware.utils import scm_app
             from rhodecode.lib.utils import (
                 is_valid_repo, get_rhodecode_realm, get_rhodecode_base_path, SLUG_RE)
             from rhodecode.lib.utils2 import safe_str, fix_PATH, str2bool, safe_unicode
             from rhodecode.lib.vcs.conf import settings as vcs_settings
             from rhodecode.lib.vcs.backends import base
             from rhodecode.model import meta
             from rhodecode.model.db import User, Repository, PullRequest
             from rhodecode.model.scm import ScmModel
             from rhodecode.model.pull_request import PullRequestModel
             log = logging.getLogger(__name__)
             def initialize_generator(factory):
                 """
                 Initializes the returned generator by draining its first element.
                 This can be used to give a generator an initializer, which is the code
                 up to the first yield statement. This decorator enforces that the first
                 produced element has the value ``"__init__"`` to make its special
                 purpose very explicit in the using code.
                 """
                 @wraps(factory)
                 def wrapper(*args, **kwargs):
                     gen = factory(*args, **kwargs)
                     try:
                         init = gen.next()
                     except StopIteration:
                         raise ValueError('Generator must yield at least one element.')
                     if init != "__init__":
                         raise ValueError('First yielded element must be "__init__".')
                     return gen
                 return wrapper
             class SimpleVCS(object):
                 """Common functionality for SCM HTTP handlers."""
                 SCM = 'unknown'
                 acl_repo_name = None
                 url_repo_name = None
                 vcs_repo_name = None
                 # We have to handle requests to shadow repositories different than requests
                 # to normal repositories. Therefore we have to distinguish them. To do this
                 # we use this regex which will match only on URLs pointing to shadow
                 # repositories.
                 shadow_repo_re = re.compile(
-                    '(?P<groups>(?:{slug_pat})(?:/{slug_pat})*/)?'  # repo groups
+                    '(?P<groups>(?:{slug_pat}/)*)'  # repo groups
                     '(?P<target>{slug_pat})/'       # target repo
                     'pull-request/(?P<pr_id>\d+)/'  # pull request
                     'repository$'                   # shadow repo
                     .format(slug_pat=SLUG_RE.pattern))
                 def __init__(self, application, config, registry):
                     self.registry = registry
                     self.application = application
                     self.config = config
                     # re-populated by specialized middleware
                     self.repo_vcs_config = base.Config()
                     # base path of repo locations
                     self.basepath = get_rhodecode_base_path()
                     # authenticate this VCS request using authfunc
                     auth_ret_code_detection = \
                         str2bool(self.config.get('auth_ret_code_detection', False))
                     self.authenticate = BasicAuth(
                         '', authenticate, registry, config.get('auth_ret_code'),
                         auth_ret_code_detection)
                     self.ip_addr = '0.0.0.0'
                 def set_repo_names(self, environ):
                     """
                     This will populate the attributes acl_repo_name, url_repo_name,
                     vcs_repo_name and is_shadow_repo. In case of requests to normal (non
                     shadow) repositories all names are equal. In case of requests to a
                     shadow repository the acl-name points to the target repo of the pull
                     request and the vcs-name points to the shadow repo file system path.
                     The url-name is always the URL used by the vcs client program.
                     Example in case of a shadow repo:
                         acl_repo_name = RepoGroup/MyRepo
                         url_repo_name = RepoGroup/MyRepo/pull-request/3/repository
                         vcs_repo_name = /repo/base/path/RepoGroup/.__shadow_MyRepo_pr-3'
                     """
                     # First we set the repo name from URL for all attributes. This is the
                     # default if handling normal (non shadow) repo requests.
                     self.url_repo_name = self._get_repository_name(environ)
                     self.acl_repo_name = self.vcs_repo_name = self.url_repo_name
                     self.is_shadow_repo = False
                     # Check if this is a request to a shadow repository.
                     match = self.shadow_repo_re.match(self.url_repo_name)
                     if match:
                         match_dict = match.groupdict()
                         # Build acl repo name from regex match.
                         acl_repo_name = safe_unicode('{groups}{target}'.format(
                             groups=match_dict['groups'] or '',
                             target=match_dict['target']))
                         # Retrieve pull request instance by ID from regex match.
                         pull_request = PullRequest.get(match_dict['pr_id'])
                         # Only proceed if we got a pull request and if acl repo name from
                         # URL equals the target repo name of the pull request.
                         if pull_request and (acl_repo_name ==
                                              pull_request.target_repo.repo_name):
                             # Get file system path to shadow repository.
                             workspace_id = PullRequestModel()._workspace_id(pull_request)
                             target_vcs = pull_request.target_repo.scm_instance()
                             vcs_repo_name = target_vcs._get_shadow_repository_path(
                                 workspace_id)
                             # Store names for later usage.
                             self.vcs_repo_name = vcs_repo_name
                             self.acl_repo_name = acl_repo_name
                             self.is_shadow_repo = True
                     log.debug('Repository names: %s', {
                         'acl_repo_name': self.acl_repo_name,
                         'url_repo_name': self.url_repo_name,
                         'vcs_repo_name': self.vcs_repo_name,
                     })
                 @property
                 def scm_app(self):
                     custom_implementation = self.config.get('vcs.scm_app_implementation')
                     if custom_implementation and custom_implementation != 'pyro4':
                         log.info(
                             "Using custom implementation of scm_app: %s",
                             custom_implementation)
                         scm_app_impl = importlib.import_module(custom_implementation)
                     else:
                         scm_app_impl = scm_app
                     return scm_app_impl
                 def _get_by_id(self, repo_name):
                     """
                     Gets a special pattern _<ID> from clone url and tries to replace it
                     with a repository_name for support of _<ID> non changeable urls
                     """
                     data = repo_name.split('/')
                     if len(data) >= 2:
                         from rhodecode.model.repo import RepoModel
                         by_id_match = RepoModel().get_repo_by_id(repo_name)
                         if by_id_match:
                             data[1] = by_id_match.repo_name
                     return safe_str('/'.join(data))
                 def _invalidate_cache(self, repo_name):
                     """
                     Set's cache for this repository for invalidation on next access
                     :param repo_name: full repo name, also a cache key
                     """
                     ScmModel().mark_for_invalidation(repo_name)
                 def is_valid_and_existing_repo(self, repo_name, base_path, scm_type):
                     db_repo = Repository.get_by_repo_name(repo_name)
                     if not db_repo:
                         log.debug('Repository `%s` not found inside the database.',
                                   repo_name)
                         return False
                     if db_repo.repo_type != scm_type:
                         log.warning(
                             'Repository `%s` have incorrect scm_type, expected %s got %s',
                             repo_name, db_repo.repo_type, scm_type)
                         return False
                     return is_valid_repo(repo_name, base_path, expect_scm=scm_type)
                 def valid_and_active_user(self, user):
                     """
                     Checks if that user is not empty, and if it's actually object it checks
                     if he's active.
                     :param user: user object or None
                     :return: boolean
                     """
                     if user is None:
                         return False
                     elif user.active:
                         return True
                     return False
                 def _check_permission(self, action, user, repo_name, ip_addr=None):
                     """
                     Checks permissions using action (push/pull) user and repository
                     name
                     :param action: push or pull action
                     :param user: user instance
                     :param repo_name: repository name
                     """
                     # check IP
                     inherit = user.inherit_default_permissions
                     ip_allowed = AuthUser.check_ip_allowed(user.user_id, ip_addr,
                                                            inherit_from_default=inherit)
                     if ip_allowed:
                         log.info('Access for IP:%s allowed', ip_addr)
                     else:
                         return False
                     if action == 'push':
                         if not HasPermissionAnyMiddleware('repository.write',
                                                           'repository.admin')(user,
                                                                               repo_name):
                             return False
                     else:
                         # any other action need at least read permission
                         if not HasPermissionAnyMiddleware('repository.read',
                                                           'repository.write',
                                                           'repository.admin')(user,
                                                                               repo_name):
                             return False
                     return True
                 def _check_ssl(self, environ, start_response):
                     """
                     Checks the SSL check flag and returns False if SSL is not present
                     and required True otherwise
                     """
                     org_proto = environ['wsgi._org_proto']
                     # check if we have SSL required  ! if not it's a bad request !
                     require_ssl = str2bool(self.repo_vcs_config.get('web', 'push_ssl'))
                     if require_ssl and org_proto == 'http':
                         log.debug('proto is %s and SSL is required BAD REQUEST !',
                                   org_proto)
                         return False
                     return True
                 def __call__(self, environ, start_response):
                     try:
                         return self._handle_request(environ, start_response)
                     except Exception:
                         log.exception("Exception while handling request")
                         appenlight.track_exception(environ)
                         return HTTPInternalServerError()(environ, start_response)
                     finally:
                         meta.Session.remove()
                 def _handle_request(self, environ, start_response):
                     if not self._check_ssl(environ, start_response):
                         reason = ('SSL required, while RhodeCode was unable '
                                   'to detect this as SSL request')
                         log.debug('User not allowed to proceed, %s', reason)
                         return HTTPNotAcceptable(reason)(environ, start_response)
                     if not self.url_repo_name:
                         log.warning('Repository name is empty: %s', self.url_repo_name)
                         # failed to get repo name, we fail now
                         return HTTPNotFound()(environ, start_response)
                     log.debug('Extracted repo name is %s', self.url_repo_name)
                     ip_addr = get_ip_addr(environ)
                     username = None
                     # skip passing error to error controller
                     environ['pylons.status_code_redirect'] = True
                     # ======================================================================
                     # GET ACTION PULL or PUSH
                     # ======================================================================
                     action = self._get_action(environ)
                     # ======================================================================
                     # Check if this is a request to a shadow repository of a pull request.
                     # In this case only pull action is allowed.
                     # ======================================================================
                     if self.is_shadow_repo and action != 'pull':
                         reason = 'Only pull action is allowed for shadow repositories.'
                         log.debug('User not allowed to proceed, %s', reason)
                         return HTTPNotAcceptable(reason)(environ, start_response)
                     # ======================================================================
                     # CHECK ANONYMOUS PERMISSION
                     # ======================================================================
                     if action in ['pull', 'push']:
                         anonymous_user = User.get_default_user()
                         username = anonymous_user.username
                         if anonymous_user.active:
                             # ONLY check permissions if the user is activated
                             anonymous_perm = self._check_permission(
                                 action, anonymous_user, self.acl_repo_name, ip_addr)
                         else:
                             anonymous_perm = False
                         if not anonymous_user.active or not anonymous_perm:
                             if not anonymous_user.active:
                                 log.debug('Anonymous access is disabled, running '
                                           'authentication')
                             if not anonymous_perm:
                                 log.debug('Not enough credentials to access this '
                                           'repository as anonymous user')
                             username = None
                             # ==============================================================
                             # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE
                             # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS
                             # ==============================================================
                             # try to auth based on environ, container auth methods
                             log.debug('Running PRE-AUTH for container based authentication')
                             pre_auth = authenticate(
                                 '', '', environ, VCS_TYPE, registry=self.registry)
                             if pre_auth and pre_auth.get('username'):
                                 username = pre_auth['username']
                             log.debug('PRE-AUTH got %s as username', username)
                             # If not authenticated by the container, running basic auth
                             if not username:
                                 self.authenticate.realm = get_rhodecode_realm()
                                 try:
                                     result = self.authenticate(environ)
                                 except (UserCreationError, NotAllowedToCreateUserError) as e:
                                     log.error(e)
                                     reason = safe_str(e)
                                     return HTTPNotAcceptable(reason)(environ, start_response)
                                 if isinstance(result, str):
                                     AUTH_TYPE.update(environ, 'basic')
                                     REMOTE_USER.update(environ, result)
                                     username = result
                                 else:
                                     return result.wsgi_application(environ, start_response)
                             # ==============================================================
                             # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME
                             # ==============================================================
                             user = User.get_by_username(username)
                             if not self.valid_and_active_user(user):
                                 return HTTPForbidden()(environ, start_response)
                             username = user.username
                             user.update_lastactivity()
                             meta.Session().commit()
                             # check user attributes for password change flag
                             user_obj = user
                             if user_obj and user_obj.username != User.DEFAULT_USER and \
                                     user_obj.user_data.get('force_password_change'):
                                 reason = 'password change required'
                                 log.debug('User not allowed to authenticate, %s', reason)
                                 return HTTPNotAcceptable(reason)(environ, start_response)
                             # check permissions for this repository
                             perm = self._check_permission(
                                 action, user, self.acl_repo_name, ip_addr)
                             if not perm:
                                 return HTTPForbidden()(environ, start_response)
                     # extras are injected into UI object and later available
                     # in hooks executed by rhodecode
                     check_locking = _should_check_locking(environ.get('QUERY_STRING'))
                     extras = vcs_operation_context(
                         environ, repo_name=self.acl_repo_name, username=username,
                         action=action, scm=self.SCM, check_locking=check_locking,
                         is_shadow_repo=self.is_shadow_repo
                     )
                     # ======================================================================
                     # REQUEST HANDLING
                     # ======================================================================
                     repo_path = os.path.join(
                         safe_str(self.basepath), safe_str(self.vcs_repo_name))
                     log.debug('Repository path is %s', repo_path)
                     fix_PATH()
                     log.info(
                         '%s action on %s repo "%s" by "%s" from %s',
                         action, self.SCM, safe_str(self.url_repo_name),
                         safe_str(username), ip_addr)
                     return self._generate_vcs_response(
                         environ, start_response, repo_path, extras, action)
                 @initialize_generator
                 def _generate_vcs_response(
                         self, environ, start_response, repo_path, extras, action):
                     """
                     Returns a generator for the response content.
                     This method is implemented as a generator, so that it can trigger
                     the cache validation after all content sent back to the client. It
                     also handles the locking exceptions which will be triggered when
                     the first chunk is produced by the underlying WSGI application.
                     """
                     callback_daemon, extras = self._prepare_callback_daemon(extras)
                     config = self._create_config(extras, self.acl_repo_name)
                     log.debug('HOOKS extras is %s', extras)
                     app = self._create_wsgi_app(repo_path, self.url_repo_name, config)
                     try:
                         with callback_daemon:
                             try:
                                 response = app(environ, start_response)
                             finally:
                                 # This statement works together with the decorator
                                 # "initialize_generator" above. The decorator ensures that
                                 # we hit the first yield statement before the generator is
                                 # returned back to the WSGI server. This is needed to
                                 # ensure that the call to "app" above triggers the
                                 # needed callback to "start_response" before the
                                 # generator is actually used.
                                 yield "__init__"
                             for chunk in response:
                                 yield chunk
                     except Exception as exc:
                         # TODO: johbo: Improve "translating" back the exception.
                         if getattr(exc, '_vcs_kind', None) == 'repo_locked':
                             exc = HTTPLockedRC(*exc.args)
                             _code = rhodecode.CONFIG.get('lock_ret_code')
                             log.debug('Repository LOCKED ret code %s!', (_code,))
                         elif getattr(exc, '_vcs_kind', None) == 'requirement':
                             log.debug(
                                 'Repository requires features unknown to this Mercurial')
                             exc = HTTPRequirementError(*exc.args)
                         else:
                             raise
                         for chunk in exc(environ, start_response):
                             yield chunk
                     finally:
                         # invalidate cache on push
                         try:
                             if action == 'push':
                                 self._invalidate_cache(self.url_repo_name)
                         finally:
                             meta.Session.remove()
                 def _get_repository_name(self, environ):
                     """Get repository name out of the environmnent
                     :param environ: WSGI environment
                     """
                     raise NotImplementedError()
                 def _get_action(self, environ):
                     """Map request commands into a pull or push command.
                     :param environ: WSGI environment
                     """
                     raise NotImplementedError()
                 def _create_wsgi_app(self, repo_path, repo_name, config):
                     """Return the WSGI app that will finally handle the request."""
                     raise NotImplementedError()
                 def _create_config(self, extras, repo_name):
                     """Create a Pyro safe config representation."""
                     raise NotImplementedError()
                 def _prepare_callback_daemon(self, extras):
                     return prepare_callback_daemon(
                         extras, protocol=vcs_settings.HOOKS_PROTOCOL,
                         use_direct_calls=vcs_settings.HOOKS_DIRECT_CALLS)
             def _should_check_locking(query_string):
                 # this is kind of hacky, but due to how mercurial handles client-server
                 # server see all operation on commit; bookmarks, phases and
                 # obsolescence marker in different transaction, we don't want to check
                 # locking on those
                 return query_string not in ['cmd=listkeys']