rhodecode-enterprise-ce Commit - r2186:32d56a2c

ssh-support: don't use API calls to fetch the data....

marcink -

r2186:32d56a2c default

parent child

configs/development.ini

0 0 -8

             ################################################################################
             ##                 RHODECODE COMMUNITY EDITION CONFIGURATION                  ##
             # The %(here)s variable will be replaced with the parent directory of this file#
             ################################################################################
             [DEFAULT]
             debug = true
             ################################################################################
             ##                            EMAIL CONFIGURATION                             ##
             ## Uncomment and replace with the email address which should receive          ##
             ## any error reports after an application crash                               ##
             ## Additionally these settings will be used by the RhodeCode mailing system   ##
             ################################################################################
             ## prefix all emails subjects with given prefix, helps filtering out emails
             #email_prefix = [RhodeCode]
             ## email FROM address all mails will be sent
             #app_email_from = rhodecode-noreply@localhost
             ## Uncomment and replace with the address which should receive any error report
             ## note: using appenlight for error handling doesn't need this to be uncommented
             #email_to = admin@localhost
             ## in case of Application errors, sent an error email form
             #error_email_from = rhodecode_error@localhost
             ## additional error message to be send in case of server crash
             #error_message =
             #smtp_server = mail.server.com
             #smtp_username =
             #smtp_password =
             #smtp_port =
             #smtp_use_tls = false
             #smtp_use_ssl = true
             ## Specify available auth parameters here (e.g. LOGIN PLAIN CRAM-MD5, etc.)
             #smtp_auth =
             [server:main]
             ## COMMON ##
             host = 127.0.0.1
             port = 5000
             ##################################
             ##     WAITRESS WSGI SERVER     ##
             ## Recommended for Development  ##
             ##################################
             use = egg:waitress#main
             ## number of worker threads
             threads = 5
             ## MAX BODY SIZE 100GB
             max_request_body_size = 107374182400
             ## Use poll instead of select, fixes file descriptors limits problems.
             ## May not work on old windows systems.
             asyncore_use_poll = true
             ##########################
             ## GUNICORN WSGI SERVER ##
             ##########################
             ## run with gunicorn --log-config rhodecode.ini --paste rhodecode.ini
             #use = egg:gunicorn#main
             ## Sets the number of process workers. You must set `instance_id = *`
             ## when this option is set to more than one worker, recommended
             ## value is (2 * NUMBER_OF_CPUS + 1), eg 2CPU = 5 workers
             ## The `instance_id = *` must be set in the [app:main] section below
             #workers = 2
             ## number of threads for each of the worker, must be set to 1 for gevent
             ## generally recommended to be at 1
             #threads = 1
             ## process name
             #proc_name = rhodecode
             ## type of worker class, one of sync, gevent
             ## recommended for bigger setup is using of of other than sync one
             #worker_class = sync
             ## The maximum number of simultaneous clients. Valid only for Gevent
             #worker_connections = 10
             ## max number of requests that worker will handle before being gracefully
             ## restarted, could prevent memory leaks
             #max_requests = 1000
             #max_requests_jitter = 30
             ## amount of time a worker can spend with handling a request before it
             ## gets killed and restarted. Set to 6hrs
             #timeout = 21600
             ## prefix middleware for RhodeCode.
             ## recommended when using proxy setup.
             ## allows to set RhodeCode under a prefix in server.
             ## eg https://server.com/custom_prefix. Enable `filter-with =` option below as well.
             ## And set your prefix like: `prefix = /custom_prefix`
             ## be sure to also set beaker.session.cookie_path = /custom_prefix if you need
             ## to make your cookies only work on prefix url
             [filter:proxy-prefix]
             use = egg:PasteDeploy#prefix
             prefix = /
             [app:main]
             use = egg:rhodecode-enterprise-ce
             ## enable proxy prefix middleware, defined above
             #filter-with = proxy-prefix
             # During development the we want to have the debug toolbar enabled
             pyramid.includes =
                 pyramid_debugtoolbar
                 rhodecode.lib.middleware.request_wrapper
             pyramid.reload_templates = true
             debugtoolbar.hosts = 0.0.0.0/0
             debugtoolbar.exclude_prefixes =
                 /css
                 /fonts
                 /images
                 /js
             ## RHODECODE PLUGINS ##
             rhodecode.includes =
                 rhodecode.api
             # api prefix url
             rhodecode.api.url = /_admin/api
             ## END RHODECODE PLUGINS ##
             ## encryption key used to encrypt social plugin tokens,
             ## remote_urls with credentials etc, if not set it defaults to
             ## `beaker.session.secret`
             #rhodecode.encrypted_values.secret =
             ## decryption strict mode (enabled by default). It controls if decryption raises
             ## `SignatureVerificationError` in case of wrong key, or damaged encryption data.
             #rhodecode.encrypted_values.strict = false
             ## return gzipped responses from Rhodecode (static files/application)
             gzip_responses = false
             ## autogenerate javascript routes file on startup
             generate_js_files = false
             ## Optional Languages
             ## en(default), be, de, es, fr, it, ja, pl, pt, ru, zh
             lang = en
             ## perform a full repository scan on each server start, this should be
             ## set to false after first startup, to allow faster server restarts.
             startup.import_repos = false
             ## Uncomment and set this path to use archive download cache.
             ## Once enabled, generated archives will be cached at this location
             ## and served from the cache during subsequent requests for the same archive of
             ## the repository.
             #archive_cache_dir = /tmp/tarballcache
             ## change this to unique ID for security
             app_instance_uuid = rc-production
             ## cut off limit for large diffs (size in bytes). If overall diff size on
             ## commit, or pull request exceeds this limit this diff will be displayed
             ## partially. E.g 512000 == 512Kb
             cut_off_limit_diff = 512000
             ## cut off limit for large files inside diffs (size in bytes). Each individual
             ## file inside diff which exceeds this limit will be displayed partially.
             ##  E.g 128000 == 128Kb
             cut_off_limit_file = 128000
             ## use cache version of scm repo everywhere
             vcs_full_cache = true
             ## force https in RhodeCode, fixes https redirects, assumes it's always https
             ## Normally this is controlled by proper http flags sent from http server
             force_https = false
             ## use Strict-Transport-Security headers
             use_htsts = false
             ## number of commits stats will parse on each iteration
             commit_parse_limit = 25
             ## git rev filter option, --all is the default filter, if you need to
             ## hide all refs in changelog switch this to --branches --tags
             git_rev_filter = --branches --tags
             # Set to true if your repos are exposed using the dumb protocol
             git_update_server_info = false
             ## RSS/ATOM feed options
             rss_cut_off_limit = 256000
             rss_items_per_page = 10
             rss_include_diff = false
             ## gist URL alias, used to create nicer urls for gist. This should be an
             ## url that does rewrites to _admin/gists/{gistid}.
             ## example: http://gist.rhodecode.org/{gistid}. Empty means use the internal
             ## RhodeCode url, ie. http[s]://rhodecode.server/_admin/gists/{gistid}
             gist_alias_url =
             ## List of views (using glob pattern syntax) that AUTH TOKENS could be
             ## used for access.
             ## Adding ?auth_token=TOKEN_HASH to the url authenticates this request as if it
             ## came from the the logged in user who own this authentication token.
             ## Additionally @TOKEN syntaxt can be used to bound the view to specific
             ## authentication token. Such view would be only accessible when used together
             ## with this authentication token
             ##
             ## list of all views can be found under `/_admin/permissions/auth_token_access`
             ## The list should be "," separated and on a single line.
             ##
             ## Most common views to enable:
             #    RepoCommitsView:repo_commit_download
             #    RepoCommitsView:repo_commit_patch
             #    RepoCommitsView:repo_commit_raw
             #    RepoCommitsView:repo_commit_raw@TOKEN
             #    RepoFilesView:repo_files_diff
             #    RepoFilesView:repo_archivefile
             #    RepoFilesView:repo_file_raw
             #    GistView:*
             api_access_controllers_whitelist =
             ## default encoding used to convert from and to unicode
             ## can be also a comma separated list of encoding in case of mixed encodings
             default_encoding = UTF-8
             ## instance-id prefix
             ## a prefix key for this instance used for cache invalidation when running
             ## multiple instances of rhodecode, make sure it's globally unique for
             ## all running rhodecode instances. Leave empty if you don't use it
             instance_id =
             ## Fallback authentication plugin. Set this to a plugin ID to force the usage
             ## of an authentication plugin also if it is disabled by it's settings.
             ## This could be useful if you are unable to log in to the system due to broken
             ## authentication settings. Then you can enable e.g. the internal rhodecode auth
             ## module to log in again and fix the settings.
             ##
             ## Available builtin plugin IDs (hash is part of the ID):
             ## egg:rhodecode-enterprise-ce#rhodecode
             ## egg:rhodecode-enterprise-ce#pam
             ## egg:rhodecode-enterprise-ce#ldap
             ## egg:rhodecode-enterprise-ce#jasig_cas
             ## egg:rhodecode-enterprise-ce#headers
             ## egg:rhodecode-enterprise-ce#crowd
             #rhodecode.auth_plugin_fallback = egg:rhodecode-enterprise-ce#rhodecode
             ## alternative return HTTP header for failed authentication. Default HTTP
             ## response is 401 HTTPUnauthorized. Currently HG clients have troubles with
             ## handling that causing a series of failed authentication calls.
             ## Set this variable to 403 to return HTTPForbidden, or any other HTTP code
             ## This will be served instead of default 401 on bad authnetication
             auth_ret_code =
             ## use special detection method when serving auth_ret_code, instead of serving
             ## ret_code directly, use 401 initially (Which triggers credentials prompt)
             ## and then serve auth_ret_code to clients
             auth_ret_code_detection = false
             ## locking return code. When repository is locked return this HTTP code. 2XX
             ## codes don't break the transactions while 4XX codes do
             lock_ret_code = 423
             ## allows to change the repository location in settings page
             allow_repo_location_change = true
             ## allows to setup custom hooks in settings page
             allow_custom_hooks_settings = true
             ## generated license token, goto license page in RhodeCode settings to obtain
             ## new token
             license_token =
             ## supervisor connection uri, for managing supervisor and logs.
             supervisor.uri =
             ## supervisord group name/id we only want this RC instance to handle
             supervisor.group_id = dev
             ## Display extended labs settings
             labs_settings_active = true
             ####################################
             ###        CELERY CONFIG        ####
             ####################################
             use_celery = false
             broker.host = localhost
             broker.vhost = rabbitmqhost
             broker.port = 5672
             broker.user = rabbitmq
             broker.password = qweqwe
             celery.imports = rhodecode.lib.celerylib.tasks
             celery.result.backend = amqp
             celery.result.dburi = amqp://
             celery.result.serialier = json
             #celery.send.task.error.emails = true
             #celery.amqp.task.result.expires = 18000
             celeryd.concurrency = 2
             #celeryd.log.file = celeryd.log
             celeryd.log.level = debug
             celeryd.max.tasks.per.child = 1
             ## tasks will never be sent to the queue, but executed locally instead.
             celery.always.eager = false
             ####################################
             ###         BEAKER CACHE        ####
             ####################################
             # default cache dir for templates.  Putting this into a ramdisk
             ## can boost performance, eg. %(here)s/data_ramdisk
             cache_dir = %(here)s/data
             ## locking and default file storage for Beaker. Putting this into a ramdisk
             ## can boost performance, eg. %(here)s/data_ramdisk/cache/beaker_data
             beaker.cache.data_dir = %(here)s/data/cache/beaker_data
             beaker.cache.lock_dir = %(here)s/data/cache/beaker_lock
             beaker.cache.regions = super_short_term, short_term, long_term, sql_cache_short, auth_plugins, repo_cache_long
             beaker.cache.super_short_term.type = memory
             beaker.cache.super_short_term.expire = 10
             beaker.cache.super_short_term.key_length = 256
             beaker.cache.short_term.type = memory
             beaker.cache.short_term.expire = 60
             beaker.cache.short_term.key_length = 256
             beaker.cache.long_term.type = memory
             beaker.cache.long_term.expire = 36000
             beaker.cache.long_term.key_length = 256
             beaker.cache.sql_cache_short.type = memory
             beaker.cache.sql_cache_short.expire = 10
             beaker.cache.sql_cache_short.key_length = 256
             ## default is memory cache, configure only if required
             ## using multi-node or multi-worker setup
             #beaker.cache.auth_plugins.type = ext:database
             #beaker.cache.auth_plugins.lock_dir = %(here)s/data/cache/auth_plugin_lock
             #beaker.cache.auth_plugins.url = postgresql://postgres:secret@localhost/rhodecode
             #beaker.cache.auth_plugins.url = mysql://root:secret@127.0.0.1/rhodecode
             #beaker.cache.auth_plugins.sa.pool_recycle = 3600
             #beaker.cache.auth_plugins.sa.pool_size = 10
             #beaker.cache.auth_plugins.sa.max_overflow = 0
             beaker.cache.repo_cache_long.type = memorylru_base
             beaker.cache.repo_cache_long.max_items = 4096
             beaker.cache.repo_cache_long.expire = 2592000
             ## default is memorylru_base cache, configure only if required
             ## using multi-node or multi-worker setup
             #beaker.cache.repo_cache_long.type = ext:memcached
             #beaker.cache.repo_cache_long.url = localhost:11211
             #beaker.cache.repo_cache_long.expire = 1209600
             #beaker.cache.repo_cache_long.key_length = 256
             ####################################
             ###       BEAKER SESSION        ####
             ####################################
             ## .session.type is type of storage options for the session, current allowed
             ## types are file, ext:memcached, ext:database, and memory (default).
             beaker.session.type = file
             beaker.session.data_dir = %(here)s/data/sessions/data
             ## db based session, fast, and allows easy management over logged in users
             #beaker.session.type = ext:database
             #beaker.session.table_name = db_session
             #beaker.session.sa.url = postgresql://postgres:secret@localhost/rhodecode
             #beaker.session.sa.url = mysql://root:secret@127.0.0.1/rhodecode
             #beaker.session.sa.pool_recycle = 3600
             #beaker.session.sa.echo = false
             beaker.session.key = rhodecode
             beaker.session.secret = develop-rc-uytcxaz
             beaker.session.lock_dir = %(here)s/data/sessions/lock
             ## Secure encrypted cookie. Requires AES and AES python libraries
             ## you must disable beaker.session.secret to use this
             #beaker.session.encrypt_key = key_for_encryption
             #beaker.session.validate_key = validation_key
             ## sets session as invalid(also logging out user) if it haven not been
             ## accessed for given amount of time in seconds
             beaker.session.timeout = 2592000
             beaker.session.httponly = true
             ## Path to use for the cookie. Set to prefix if you use prefix middleware
             #beaker.session.cookie_path = /custom_prefix
             ## uncomment for https secure cookie
             beaker.session.secure = false
             ## auto save the session to not to use .save()
             beaker.session.auto = false
             ## default cookie expiration time in seconds, set to `true` to set expire
             ## at browser close
             #beaker.session.cookie_expires = 3600
             ###################################
             ## SEARCH INDEXING CONFIGURATION ##
             ###################################
             ## Full text search indexer is available in rhodecode-tools under
             ## `rhodecode-tools index` command
             ## WHOOSH Backend, doesn't require additional services to run
             ## it works good with few dozen repos
             search.module = rhodecode.lib.index.whoosh
             search.location = %(here)s/data/index
             ########################################
             ###    CHANNELSTREAM CONFIG         ####
             ########################################
             ## channelstream enables persistent connections and live notification
             ## in the system. It's also used by the chat system
             channelstream.enabled = false
             ## server address for channelstream server on the backend
             channelstream.server = 127.0.0.1:9800
             ## location of the channelstream server from outside world
             ## use ws:// for http or wss:// for https. This address needs to be handled
             ## by external HTTP server such as Nginx or Apache
             ## see nginx/apache configuration examples in our docs
             channelstream.ws_url = ws://rhodecode.yourserver.com/_channelstream
             channelstream.secret = secret
             channelstream.history.location = %(here)s/channelstream_history
             ## Internal application path that Javascript uses to connect into.
             ## If you use proxy-prefix the prefix should be added before /_channelstream
             channelstream.proxy_path = /_channelstream
             ###################################
             ##       APPENLIGHT CONFIG       ##
             ###################################
             ## Appenlight is tailored to work with RhodeCode, see
             ## http://appenlight.com for details how to obtain an account
             ## appenlight integration enabled
             appenlight = false
             appenlight.server_url = https://api.appenlight.com
             appenlight.api_key = YOUR_API_KEY
             #appenlight.transport_config = https://api.appenlight.com?threaded=1&timeout=5
             # used for JS client
             appenlight.api_public_key = YOUR_API_PUBLIC_KEY
             ## TWEAK AMOUNT OF INFO SENT HERE
             ## enables 404 error logging (default False)
             appenlight.report_404 = false
             ## time in seconds after request is considered being slow (default 1)
             appenlight.slow_request_time = 1
             ## record slow requests in application
             ## (needs to be enabled for slow datastore recording and time tracking)
             appenlight.slow_requests = true
             ## enable hooking to application loggers
             appenlight.logging = true
             ## minimum log level for log capture
             appenlight.logging.level = WARNING
             ## send logs only from erroneous/slow requests
             ## (saves API quota for intensive logging)
             appenlight.logging_on_error = false
             ## list of additonal keywords that should be grabbed from environ object
             ## can be string with comma separated list of words in lowercase
             ## (by default client will always send following info:
             ## 'REMOTE_USER', 'REMOTE_ADDR', 'SERVER_NAME', 'CONTENT_TYPE' + all keys that
             ## start with HTTP* this list be extended with additional keywords here
             appenlight.environ_keys_whitelist =
             ## list of keywords that should be blanked from request object
             ## can be string with comma separated list of words in lowercase
             ## (by default client will always blank keys that contain following words
             ## 'password', 'passwd', 'pwd', 'auth_tkt', 'secret', 'csrf'
             ## this list be extended with additional keywords set here
             appenlight.request_keys_blacklist =
             ## list of namespaces that should be ignores when gathering log entries
             ## can be string with comma separated list of namespaces
             ## (by default the client ignores own entries: appenlight_client.client)
             appenlight.log_namespace_blacklist =
             ################################################################################
             ## WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*  ##
             ## Debug mode will enable the interactive debugging tool, allowing ANYONE to  ##
             ## execute malicious code after an exception is raised.                       ##
             ################################################################################
             #set debug = false
             ##############
             ## STYLING  ##
             ##############
             debug_style = true
             ###########################################
             ###   MAIN RHODECODE DATABASE CONFIG    ###
             ###########################################
             #sqlalchemy.db1.url = sqlite:///%(here)s/rhodecode.db?timeout=30
             #sqlalchemy.db1.url = postgresql://postgres:qweqwe@localhost/rhodecode
             #sqlalchemy.db1.url = mysql://root:qweqwe@localhost/rhodecode
             sqlalchemy.db1.url = sqlite:///%(here)s/rhodecode.db?timeout=30
             # see sqlalchemy docs for other advanced settings
             ## print the sql statements to output
             sqlalchemy.db1.echo = false
             ## recycle the connections after this amount of seconds
             sqlalchemy.db1.pool_recycle = 3600
             sqlalchemy.db1.convert_unicode = true
             ## the number of connections to keep open inside the connection pool.
             ## 0 indicates no limit
             #sqlalchemy.db1.pool_size = 5
             ## the number of connections to allow in connection pool "overflow", that is
             ## connections that can be opened above and beyond the pool_size setting,
             ## which defaults to five.
             #sqlalchemy.db1.max_overflow = 10
             ##################
             ### VCS CONFIG ###
             ##################
             vcs.server.enable = true
             vcs.server = localhost:9900
             ## Web server connectivity protocol, responsible for web based VCS operatations
             ## Available protocols are:
             ## `http` - use http-rpc backend (default)
             vcs.server.protocol = http
             ## Push/Pull operations protocol, available options are:
             ## `http` - use http-rpc backend (default)
             ##
             vcs.scm_app_implementation = http
             ## Push/Pull operations hooks protocol, available options are:
             ## `http` - use http-rpc backend (default)
             vcs.hooks.protocol = http
             vcs.server.log_level = debug
             ## Start VCSServer with this instance as a subprocess, usefull for development
             vcs.start_server = true
             ## List of enabled VCS backends, available options are:
             ## `hg`  - mercurial
             ## `git` - git
             ## `svn` - subversion
             vcs.backends = hg, git, svn
             vcs.connection_timeout = 3600
             ## Compatibility version when creating SVN repositories. Defaults to newest version when commented out.
             ## Available options are: pre-1.4-compatible, pre-1.5-compatible, pre-1.6-compatible, pre-1.8-compatible, pre-1.9-compatible
             #vcs.svn.compatible_version = pre-1.8-compatible
             ############################################################
             ### Subversion proxy support (mod_dav_svn)               ###
             ### Maps RhodeCode repo groups into SVN paths for Apache ###
             ############################################################
             ## Enable or disable the config file generation.
             svn.proxy.generate_config = false
             ## Generate config file with `SVNListParentPath` set to `On`.
             svn.proxy.list_parent_path = true
             ## Set location and file name of generated config file.
             svn.proxy.config_file_path = %(here)s/mod_dav_svn.conf
             ## alternative mod_dav config template. This needs to be a mako template
             #svn.proxy.config_template = ~/.rccontrol/enterprise-1/custom_svn_conf.mako
             ## Used as a prefix to the `Location` block in the generated config file.
             ## In most cases it should be set to `/`.
             svn.proxy.location_root = /
             ## Command to reload the mod dav svn configuration on change.
             ## Example: `/etc/init.d/apache2 reload`
             #svn.proxy.reload_cmd = /etc/init.d/apache2 reload
             ## If the timeout expires before the reload command finishes, the command will
             ## be killed. Setting it to zero means no timeout. Defaults to 10 seconds.
             #svn.proxy.reload_timeout = 10
             ############################################################
             ### SSH Support Settings                                 ###
             ############################################################
             ## Defines if a custom authorized_keys file should be created and written on
             ## any change user ssh keys. Setting this to false also disables posibility
             ## of adding SSH keys by users from web interface. Super admins can still
             ## manage SSH Keys.
             ssh.generate_authorized_keyfile = false
             ## Options for ssh, default is `no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding`
             # ssh.authorized_keys_ssh_opts =
             ## Path to the authrozied_keys file where the generate entries are placed.
             ## It is possible to have multiple key files specified in `sshd_config` e.g.
             ## AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_rhodecode
             ssh.authorized_keys_file_path = ~/.ssh/authorized_keys_rhodecode
             ## Command to execute the SSH wrapper. The binary is available in the
             ## rhodecode installation directory.
             ## e.g ~/.rccontrol/community-1/profile/bin/rc-ssh-wrapper
             ssh.wrapper_cmd = ~/.rccontrol/community-1/rc-ssh-wrapper
             ## Allow shell when executing the ssh-wrapper command
             ssh.wrapper_cmd_allow_shell = false
             ## Enables logging, and detailed output send back to the client during SSH
             ## operations. Usefull for debugging, shouldn't be used in production.
             ssh.enable_debug_logging = true
-            ## API KEY for user who has access to fetch other user permission information
-            ## most likely an super-admin account with some IP restrictions.
-            ssh.api_key =
-            ## API Host, the server address of RhodeCode instance that the api_key will
-            ## access
-            ssh.api_host = http://localhost
             ## Paths to binary executable, by default they are the names, but we can
             ## override them if we want to use a custom one
             ssh.executable.hg = ~/.rccontrol/vcsserver-1/profile/bin/hg
             ssh.executable.git = ~/.rccontrol/vcsserver-1/profile/bin/git
             ssh.executable.svn = ~/.rccontrol/vcsserver-1/profile/bin/svnserve
             ## Dummy marker to add new entries after.
             ## Add any custom entries below. Please don't remove.
             custom.conf = 1
             ################################
             ### LOGGING CONFIGURATION   ####
             ################################
             [loggers]
             keys = root, sqlalchemy, beaker, rhodecode, ssh_wrapper
             [handlers]
             keys = console, console_sql
             [formatters]
             keys = generic, color_formatter, color_formatter_sql
             #############
             ## LOGGERS ##
             #############
             [logger_root]
             level = NOTSET
             handlers = console
             [logger_sqlalchemy]
             level = INFO
             handlers = console_sql
             qualname = sqlalchemy.engine
             propagate = 0
             [logger_beaker]
             level = DEBUG
             handlers =
             qualname = beaker.container
             propagate = 1
             [logger_rhodecode]
             level = DEBUG
             handlers =
             qualname = rhodecode
             propagate = 1
             [logger_ssh_wrapper]
             level = DEBUG
             handlers =
             qualname = ssh_wrapper
             propagate = 1
             ##############
             ## HANDLERS ##
             ##############
             [handler_console]
             class = StreamHandler
             args = (sys.stderr, )
             level = DEBUG
             formatter = color_formatter
             [handler_console_sql]
             class = StreamHandler
             args = (sys.stderr, )
             level = DEBUG
             formatter = color_formatter_sql
             ################
             ## FORMATTERS ##
             ################
             [formatter_generic]
             class = rhodecode.lib.logging_formatter.ExceptionAwareFormatter
             format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S
             [formatter_color_formatter]
             class = rhodecode.lib.logging_formatter.ColorFormatter
             format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S
             [formatter_color_formatter_sql]
             class = rhodecode.lib.logging_formatter.ColorFormatterSql
             format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S

configs/production.ini

0 0 -8

             ################################################################################
             ##                 RHODECODE COMMUNITY EDITION CONFIGURATION                  ##
             # The %(here)s variable will be replaced with the parent directory of this file#
             ################################################################################
             [DEFAULT]
             debug = true
             ################################################################################
             ##                            EMAIL CONFIGURATION                             ##
             ## Uncomment and replace with the email address which should receive          ##
             ## any error reports after an application crash                               ##
             ## Additionally these settings will be used by the RhodeCode mailing system   ##
             ################################################################################
             ## prefix all emails subjects with given prefix, helps filtering out emails
             #email_prefix = [RhodeCode]
             ## email FROM address all mails will be sent
             #app_email_from = rhodecode-noreply@localhost
             ## Uncomment and replace with the address which should receive any error report
             ## note: using appenlight for error handling doesn't need this to be uncommented
             #email_to = admin@localhost
             ## in case of Application errors, sent an error email form
             #error_email_from = rhodecode_error@localhost
             ## additional error message to be send in case of server crash
             #error_message =
             #smtp_server = mail.server.com
             #smtp_username =
             #smtp_password =
             #smtp_port =
             #smtp_use_tls = false
             #smtp_use_ssl = true
             ## Specify available auth parameters here (e.g. LOGIN PLAIN CRAM-MD5, etc.)
             #smtp_auth =
             [server:main]
             ## COMMON ##
             host = 127.0.0.1
             port = 5000
             ##################################
             ##     WAITRESS WSGI SERVER     ##
             ## Recommended for Development  ##
             ##################################
             #use = egg:waitress#main
             ## number of worker threads
             #threads = 5
             ## MAX BODY SIZE 100GB
             #max_request_body_size = 107374182400
             ## Use poll instead of select, fixes file descriptors limits problems.
             ## May not work on old windows systems.
             #asyncore_use_poll = true
             ##########################
             ## GUNICORN WSGI SERVER ##
             ##########################
             ## run with gunicorn --log-config rhodecode.ini --paste rhodecode.ini
             use = egg:gunicorn#main
             ## Sets the number of process workers. You must set `instance_id = *`
             ## when this option is set to more than one worker, recommended
             ## value is (2 * NUMBER_OF_CPUS + 1), eg 2CPU = 5 workers
             ## The `instance_id = *` must be set in the [app:main] section below
             workers = 2
             ## number of threads for each of the worker, must be set to 1 for gevent
             ## generally recommended to be at 1
             #threads = 1
             ## process name
             proc_name = rhodecode
             ## type of worker class, one of sync, gevent
             ## recommended for bigger setup is using of of other than sync one
             worker_class = sync
             ## The maximum number of simultaneous clients. Valid only for Gevent
             #worker_connections = 10
             ## max number of requests that worker will handle before being gracefully
             ## restarted, could prevent memory leaks
             max_requests = 1000
             max_requests_jitter = 30
             ## amount of time a worker can spend with handling a request before it
             ## gets killed and restarted. Set to 6hrs
             timeout = 21600
             ## prefix middleware for RhodeCode.
             ## recommended when using proxy setup.
             ## allows to set RhodeCode under a prefix in server.
             ## eg https://server.com/custom_prefix. Enable `filter-with =` option below as well.
             ## And set your prefix like: `prefix = /custom_prefix`
             ## be sure to also set beaker.session.cookie_path = /custom_prefix if you need
             ## to make your cookies only work on prefix url
             [filter:proxy-prefix]
             use = egg:PasteDeploy#prefix
             prefix = /
             [app:main]
             use = egg:rhodecode-enterprise-ce
             ## enable proxy prefix middleware, defined above
             #filter-with = proxy-prefix
             ## encryption key used to encrypt social plugin tokens,
             ## remote_urls with credentials etc, if not set it defaults to
             ## `beaker.session.secret`
             #rhodecode.encrypted_values.secret =
             ## decryption strict mode (enabled by default). It controls if decryption raises
             ## `SignatureVerificationError` in case of wrong key, or damaged encryption data.
             #rhodecode.encrypted_values.strict = false
             ## return gzipped responses from Rhodecode (static files/application)
             gzip_responses = false
             ## autogenerate javascript routes file on startup
             generate_js_files = false
             ## Optional Languages
             ## en(default), be, de, es, fr, it, ja, pl, pt, ru, zh
             lang = en
             ## perform a full repository scan on each server start, this should be
             ## set to false after first startup, to allow faster server restarts.
             startup.import_repos = false
             ## Uncomment and set this path to use archive download cache.
             ## Once enabled, generated archives will be cached at this location
             ## and served from the cache during subsequent requests for the same archive of
             ## the repository.
             #archive_cache_dir = /tmp/tarballcache
             ## change this to unique ID for security
             app_instance_uuid = rc-production
             ## cut off limit for large diffs (size in bytes). If overall diff size on
             ## commit, or pull request exceeds this limit this diff will be displayed
             ## partially. E.g 512000 == 512Kb
             cut_off_limit_diff = 512000
             ## cut off limit for large files inside diffs (size in bytes). Each individual
             ## file inside diff which exceeds this limit will be displayed partially.
             ##  E.g 128000 == 128Kb
             cut_off_limit_file = 128000
             ## use cache version of scm repo everywhere
             vcs_full_cache = true
             ## force https in RhodeCode, fixes https redirects, assumes it's always https
             ## Normally this is controlled by proper http flags sent from http server
             force_https = false
             ## use Strict-Transport-Security headers
             use_htsts = false
             ## number of commits stats will parse on each iteration
             commit_parse_limit = 25
             ## git rev filter option, --all is the default filter, if you need to
             ## hide all refs in changelog switch this to --branches --tags
             git_rev_filter = --branches --tags
             # Set to true if your repos are exposed using the dumb protocol
             git_update_server_info = false
             ## RSS/ATOM feed options
             rss_cut_off_limit = 256000
             rss_items_per_page = 10
             rss_include_diff = false
             ## gist URL alias, used to create nicer urls for gist. This should be an
             ## url that does rewrites to _admin/gists/{gistid}.
             ## example: http://gist.rhodecode.org/{gistid}. Empty means use the internal
             ## RhodeCode url, ie. http[s]://rhodecode.server/_admin/gists/{gistid}
             gist_alias_url =
             ## List of views (using glob pattern syntax) that AUTH TOKENS could be
             ## used for access.
             ## Adding ?auth_token=TOKEN_HASH to the url authenticates this request as if it
             ## came from the the logged in user who own this authentication token.
             ## Additionally @TOKEN syntaxt can be used to bound the view to specific
             ## authentication token. Such view would be only accessible when used together
             ## with this authentication token
             ##
             ## list of all views can be found under `/_admin/permissions/auth_token_access`
             ## The list should be "," separated and on a single line.
             ##
             ## Most common views to enable:
             #    RepoCommitsView:repo_commit_download
             #    RepoCommitsView:repo_commit_patch
             #    RepoCommitsView:repo_commit_raw
             #    RepoCommitsView:repo_commit_raw@TOKEN
             #    RepoFilesView:repo_files_diff
             #    RepoFilesView:repo_archivefile
             #    RepoFilesView:repo_file_raw
             #    GistView:*
             api_access_controllers_whitelist =
             ## default encoding used to convert from and to unicode
             ## can be also a comma separated list of encoding in case of mixed encodings
             default_encoding = UTF-8
             ## instance-id prefix
             ## a prefix key for this instance used for cache invalidation when running
             ## multiple instances of rhodecode, make sure it's globally unique for
             ## all running rhodecode instances. Leave empty if you don't use it
             instance_id =
             ## Fallback authentication plugin. Set this to a plugin ID to force the usage
             ## of an authentication plugin also if it is disabled by it's settings.
             ## This could be useful if you are unable to log in to the system due to broken
             ## authentication settings. Then you can enable e.g. the internal rhodecode auth
             ## module to log in again and fix the settings.
             ##
             ## Available builtin plugin IDs (hash is part of the ID):
             ## egg:rhodecode-enterprise-ce#rhodecode
             ## egg:rhodecode-enterprise-ce#pam
             ## egg:rhodecode-enterprise-ce#ldap
             ## egg:rhodecode-enterprise-ce#jasig_cas
             ## egg:rhodecode-enterprise-ce#headers
             ## egg:rhodecode-enterprise-ce#crowd
             #rhodecode.auth_plugin_fallback = egg:rhodecode-enterprise-ce#rhodecode
             ## alternative return HTTP header for failed authentication. Default HTTP
             ## response is 401 HTTPUnauthorized. Currently HG clients have troubles with
             ## handling that causing a series of failed authentication calls.
             ## Set this variable to 403 to return HTTPForbidden, or any other HTTP code
             ## This will be served instead of default 401 on bad authnetication
             auth_ret_code =
             ## use special detection method when serving auth_ret_code, instead of serving
             ## ret_code directly, use 401 initially (Which triggers credentials prompt)
             ## and then serve auth_ret_code to clients
             auth_ret_code_detection = false
             ## locking return code. When repository is locked return this HTTP code. 2XX
             ## codes don't break the transactions while 4XX codes do
             lock_ret_code = 423
             ## allows to change the repository location in settings page
             allow_repo_location_change = true
             ## allows to setup custom hooks in settings page
             allow_custom_hooks_settings = true
             ## generated license token, goto license page in RhodeCode settings to obtain
             ## new token
             license_token =
             ## supervisor connection uri, for managing supervisor and logs.
             supervisor.uri =
             ## supervisord group name/id we only want this RC instance to handle
             supervisor.group_id = prod
             ## Display extended labs settings
             labs_settings_active = true
             ####################################
             ###        CELERY CONFIG        ####
             ####################################
             use_celery = false
             broker.host = localhost
             broker.vhost = rabbitmqhost
             broker.port = 5672
             broker.user = rabbitmq
             broker.password = qweqwe
             celery.imports = rhodecode.lib.celerylib.tasks
             celery.result.backend = amqp
             celery.result.dburi = amqp://
             celery.result.serialier = json
             #celery.send.task.error.emails = true
             #celery.amqp.task.result.expires = 18000
             celeryd.concurrency = 2
             #celeryd.log.file = celeryd.log
             celeryd.log.level = debug
             celeryd.max.tasks.per.child = 1
             ## tasks will never be sent to the queue, but executed locally instead.
             celery.always.eager = false
             ####################################
             ###         BEAKER CACHE        ####
             ####################################
             # default cache dir for templates.  Putting this into a ramdisk
             ## can boost performance, eg. %(here)s/data_ramdisk
             cache_dir = %(here)s/data
             ## locking and default file storage for Beaker. Putting this into a ramdisk
             ## can boost performance, eg. %(here)s/data_ramdisk/cache/beaker_data
             beaker.cache.data_dir = %(here)s/data/cache/beaker_data
             beaker.cache.lock_dir = %(here)s/data/cache/beaker_lock
             beaker.cache.regions = super_short_term, short_term, long_term, sql_cache_short, auth_plugins, repo_cache_long
             beaker.cache.super_short_term.type = memory
             beaker.cache.super_short_term.expire = 10
             beaker.cache.super_short_term.key_length = 256
             beaker.cache.short_term.type = memory
             beaker.cache.short_term.expire = 60
             beaker.cache.short_term.key_length = 256
             beaker.cache.long_term.type = memory
             beaker.cache.long_term.expire = 36000
             beaker.cache.long_term.key_length = 256
             beaker.cache.sql_cache_short.type = memory
             beaker.cache.sql_cache_short.expire = 10
             beaker.cache.sql_cache_short.key_length = 256
             ## default is memory cache, configure only if required
             ## using multi-node or multi-worker setup
             #beaker.cache.auth_plugins.type = ext:database
             #beaker.cache.auth_plugins.lock_dir = %(here)s/data/cache/auth_plugin_lock
             #beaker.cache.auth_plugins.url = postgresql://postgres:secret@localhost/rhodecode
             #beaker.cache.auth_plugins.url = mysql://root:secret@127.0.0.1/rhodecode
             #beaker.cache.auth_plugins.sa.pool_recycle = 3600
             #beaker.cache.auth_plugins.sa.pool_size = 10
             #beaker.cache.auth_plugins.sa.max_overflow = 0
             beaker.cache.repo_cache_long.type = memorylru_base
             beaker.cache.repo_cache_long.max_items = 4096
             beaker.cache.repo_cache_long.expire = 2592000
             ## default is memorylru_base cache, configure only if required
             ## using multi-node or multi-worker setup
             #beaker.cache.repo_cache_long.type = ext:memcached
             #beaker.cache.repo_cache_long.url = localhost:11211
             #beaker.cache.repo_cache_long.expire = 1209600
             #beaker.cache.repo_cache_long.key_length = 256
             ####################################
             ###       BEAKER SESSION        ####
             ####################################
             ## .session.type is type of storage options for the session, current allowed
             ## types are file, ext:memcached, ext:database, and memory (default).
             beaker.session.type = file
             beaker.session.data_dir = %(here)s/data/sessions/data
             ## db based session, fast, and allows easy management over logged in users
             #beaker.session.type = ext:database
             #beaker.session.table_name = db_session
             #beaker.session.sa.url = postgresql://postgres:secret@localhost/rhodecode
             #beaker.session.sa.url = mysql://root:secret@127.0.0.1/rhodecode
             #beaker.session.sa.pool_recycle = 3600
             #beaker.session.sa.echo = false
             beaker.session.key = rhodecode
             beaker.session.secret = production-rc-uytcxaz
             beaker.session.lock_dir = %(here)s/data/sessions/lock
             ## Secure encrypted cookie. Requires AES and AES python libraries
             ## you must disable beaker.session.secret to use this
             #beaker.session.encrypt_key = key_for_encryption
             #beaker.session.validate_key = validation_key
             ## sets session as invalid(also logging out user) if it haven not been
             ## accessed for given amount of time in seconds
             beaker.session.timeout = 2592000
             beaker.session.httponly = true
             ## Path to use for the cookie. Set to prefix if you use prefix middleware
             #beaker.session.cookie_path = /custom_prefix
             ## uncomment for https secure cookie
             beaker.session.secure = false
             ## auto save the session to not to use .save()
             beaker.session.auto = false
             ## default cookie expiration time in seconds, set to `true` to set expire
             ## at browser close
             #beaker.session.cookie_expires = 3600
             ###################################
             ## SEARCH INDEXING CONFIGURATION ##
             ###################################
             ## Full text search indexer is available in rhodecode-tools under
             ## `rhodecode-tools index` command
             ## WHOOSH Backend, doesn't require additional services to run
             ## it works good with few dozen repos
             search.module = rhodecode.lib.index.whoosh
             search.location = %(here)s/data/index
             ########################################
             ###    CHANNELSTREAM CONFIG         ####
             ########################################
             ## channelstream enables persistent connections and live notification
             ## in the system. It's also used by the chat system
             channelstream.enabled = false
             ## server address for channelstream server on the backend
             channelstream.server = 127.0.0.1:9800
             ## location of the channelstream server from outside world
             ## use ws:// for http or wss:// for https. This address needs to be handled
             ## by external HTTP server such as Nginx or Apache
             ## see nginx/apache configuration examples in our docs
             channelstream.ws_url = ws://rhodecode.yourserver.com/_channelstream
             channelstream.secret = secret
             channelstream.history.location = %(here)s/channelstream_history
             ## Internal application path that Javascript uses to connect into.
             ## If you use proxy-prefix the prefix should be added before /_channelstream
             channelstream.proxy_path = /_channelstream
             ###################################
             ##       APPENLIGHT CONFIG       ##
             ###################################
             ## Appenlight is tailored to work with RhodeCode, see
             ## http://appenlight.com for details how to obtain an account
             ## appenlight integration enabled
             appenlight = false
             appenlight.server_url = https://api.appenlight.com
             appenlight.api_key = YOUR_API_KEY
             #appenlight.transport_config = https://api.appenlight.com?threaded=1&timeout=5
             # used for JS client
             appenlight.api_public_key = YOUR_API_PUBLIC_KEY
             ## TWEAK AMOUNT OF INFO SENT HERE
             ## enables 404 error logging (default False)
             appenlight.report_404 = false
             ## time in seconds after request is considered being slow (default 1)
             appenlight.slow_request_time = 1
             ## record slow requests in application
             ## (needs to be enabled for slow datastore recording and time tracking)
             appenlight.slow_requests = true
             ## enable hooking to application loggers
             appenlight.logging = true
             ## minimum log level for log capture
             appenlight.logging.level = WARNING
             ## send logs only from erroneous/slow requests
             ## (saves API quota for intensive logging)
             appenlight.logging_on_error = false
             ## list of additonal keywords that should be grabbed from environ object
             ## can be string with comma separated list of words in lowercase
             ## (by default client will always send following info:
             ## 'REMOTE_USER', 'REMOTE_ADDR', 'SERVER_NAME', 'CONTENT_TYPE' + all keys that
             ## start with HTTP* this list be extended with additional keywords here
             appenlight.environ_keys_whitelist =
             ## list of keywords that should be blanked from request object
             ## can be string with comma separated list of words in lowercase
             ## (by default client will always blank keys that contain following words
             ## 'password', 'passwd', 'pwd', 'auth_tkt', 'secret', 'csrf'
             ## this list be extended with additional keywords set here
             appenlight.request_keys_blacklist =
             ## list of namespaces that should be ignores when gathering log entries
             ## can be string with comma separated list of namespaces
             ## (by default the client ignores own entries: appenlight_client.client)
             appenlight.log_namespace_blacklist =
             ################################################################################
             ## WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*  ##
             ## Debug mode will enable the interactive debugging tool, allowing ANYONE to  ##
             ## execute malicious code after an exception is raised.                       ##
             ################################################################################
             set debug = false
             ###########################################
             ###   MAIN RHODECODE DATABASE CONFIG    ###
             ###########################################
             #sqlalchemy.db1.url = sqlite:///%(here)s/rhodecode.db?timeout=30
             #sqlalchemy.db1.url = postgresql://postgres:qweqwe@localhost/rhodecode
             #sqlalchemy.db1.url = mysql://root:qweqwe@localhost/rhodecode
             sqlalchemy.db1.url = postgresql://postgres:qweqwe@localhost/rhodecode
             # see sqlalchemy docs for other advanced settings
             ## print the sql statements to output
             sqlalchemy.db1.echo = false
             ## recycle the connections after this amount of seconds
             sqlalchemy.db1.pool_recycle = 3600
             sqlalchemy.db1.convert_unicode = true
             ## the number of connections to keep open inside the connection pool.
             ## 0 indicates no limit
             #sqlalchemy.db1.pool_size = 5
             ## the number of connections to allow in connection pool "overflow", that is
             ## connections that can be opened above and beyond the pool_size setting,
             ## which defaults to five.
             #sqlalchemy.db1.max_overflow = 10
             ##################
             ### VCS CONFIG ###
             ##################
             vcs.server.enable = true
             vcs.server = localhost:9900
             ## Web server connectivity protocol, responsible for web based VCS operatations
             ## Available protocols are:
             ## `http` - use http-rpc backend (default)
             vcs.server.protocol = http
             ## Push/Pull operations protocol, available options are:
             ## `http` - use http-rpc backend (default)
             ##
             vcs.scm_app_implementation = http
             ## Push/Pull operations hooks protocol, available options are:
             ## `http` - use http-rpc backend (default)
             vcs.hooks.protocol = http
             vcs.server.log_level = info
             ## Start VCSServer with this instance as a subprocess, usefull for development
             vcs.start_server = false
             ## List of enabled VCS backends, available options are:
             ## `hg`  - mercurial
             ## `git` - git
             ## `svn` - subversion
             vcs.backends = hg, git, svn
             vcs.connection_timeout = 3600
             ## Compatibility version when creating SVN repositories. Defaults to newest version when commented out.
             ## Available options are: pre-1.4-compatible, pre-1.5-compatible, pre-1.6-compatible, pre-1.8-compatible, pre-1.9-compatible
             #vcs.svn.compatible_version = pre-1.8-compatible
             ############################################################
             ### Subversion proxy support (mod_dav_svn)               ###
             ### Maps RhodeCode repo groups into SVN paths for Apache ###
             ############################################################
             ## Enable or disable the config file generation.
             svn.proxy.generate_config = false
             ## Generate config file with `SVNListParentPath` set to `On`.
             svn.proxy.list_parent_path = true
             ## Set location and file name of generated config file.
             svn.proxy.config_file_path = %(here)s/mod_dav_svn.conf
             ## alternative mod_dav config template. This needs to be a mako template
             #svn.proxy.config_template = ~/.rccontrol/enterprise-1/custom_svn_conf.mako
             ## Used as a prefix to the `Location` block in the generated config file.
             ## In most cases it should be set to `/`.
             svn.proxy.location_root = /
             ## Command to reload the mod dav svn configuration on change.
             ## Example: `/etc/init.d/apache2 reload`
             #svn.proxy.reload_cmd = /etc/init.d/apache2 reload
             ## If the timeout expires before the reload command finishes, the command will
             ## be killed. Setting it to zero means no timeout. Defaults to 10 seconds.
             #svn.proxy.reload_timeout = 10
             ############################################################
             ### SSH Support Settings                                 ###
             ############################################################
             ## Defines if a custom authorized_keys file should be created and written on
             ## any change user ssh keys. Setting this to false also disables posibility
             ## of adding SSH keys by users from web interface. Super admins can still
             ## manage SSH Keys.
             ssh.generate_authorized_keyfile = false
             ## Options for ssh, default is `no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding`
             # ssh.authorized_keys_ssh_opts =
             ## Path to the authrozied_keys file where the generate entries are placed.
             ## It is possible to have multiple key files specified in `sshd_config` e.g.
             ## AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_rhodecode
             ssh.authorized_keys_file_path = ~/.ssh/authorized_keys_rhodecode
             ## Command to execute the SSH wrapper. The binary is available in the
             ## rhodecode installation directory.
             ## e.g ~/.rccontrol/community-1/profile/bin/rc-ssh-wrapper
             ssh.wrapper_cmd = ~/.rccontrol/community-1/rc-ssh-wrapper
             ## Allow shell when executing the ssh-wrapper command
             ssh.wrapper_cmd_allow_shell = false
             ## Enables logging, and detailed output send back to the client during SSH
             ## operations. Usefull for debugging, shouldn't be used in production.
             ssh.enable_debug_logging = false
-            ## API KEY for user who has access to fetch other user permission information
-            ## most likely an super-admin account with some IP restrictions.
-            ssh.api_key =
-            ## API Host, the server address of RhodeCode instance that the api_key will
-            ## access
-            ssh.api_host = http://localhost
             ## Paths to binary executable, by default they are the names, but we can
             ## override them if we want to use a custom one
             ssh.executable.hg = ~/.rccontrol/vcsserver-1/profile/bin/hg
             ssh.executable.git = ~/.rccontrol/vcsserver-1/profile/bin/git
             ssh.executable.svn = ~/.rccontrol/vcsserver-1/profile/bin/svnserve
             ## Dummy marker to add new entries after.
             ## Add any custom entries below. Please don't remove.
             custom.conf = 1
             ################################
             ### LOGGING CONFIGURATION   ####
             ################################
             [loggers]
             keys = root, sqlalchemy, beaker, rhodecode, ssh_wrapper
             [handlers]
             keys = console, console_sql
             [formatters]
             keys = generic, color_formatter, color_formatter_sql
             #############
             ## LOGGERS ##
             #############
             [logger_root]
             level = NOTSET
             handlers = console
             [logger_sqlalchemy]
             level = INFO
             handlers = console_sql
             qualname = sqlalchemy.engine
             propagate = 0
             [logger_beaker]
             level = DEBUG
             handlers =
             qualname = beaker.container
             propagate = 1
             [logger_rhodecode]
             level = DEBUG
             handlers =
             qualname = rhodecode
             propagate = 1
             [logger_ssh_wrapper]
             level = DEBUG
             handlers =
             qualname = ssh_wrapper
             propagate = 1
             ##############
             ## HANDLERS ##
             ##############
             [handler_console]
             class = StreamHandler
             args = (sys.stderr, )
             level = INFO
             formatter = generic
             [handler_console_sql]
             class = StreamHandler
             args = (sys.stderr, )
             level = WARN
             formatter = generic
             ################
             ## FORMATTERS ##
             ################
             [formatter_generic]
             class = rhodecode.lib.logging_formatter.ExceptionAwareFormatter
             format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S
             [formatter_color_formatter]
             class = rhodecode.lib.logging_formatter.ColorFormatter
             format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S
             [formatter_color_formatter_sql]
             class = rhodecode.lib.logging_formatter.ColorFormatterSql
             format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S

rhodecode/apps/ssh_support/__init__.py

0 0 -4

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             from . import config_keys
             from .events import SshKeyFileChangeEvent
             from .subscribers import generate_ssh_authorized_keys_file_subscriber
             from rhodecode.config.middleware import _bool_setting, _string_setting
             log = logging.getLogger(__name__)
             def _sanitize_settings_and_apply_defaults(settings):
                 """
                 Set defaults, convert to python types and validate settings.
                 """
                 _bool_setting(settings, config_keys.generate_authorized_keyfile, 'false')
                 _bool_setting(settings, config_keys.wrapper_allow_shell, 'false')
                 _bool_setting(settings, config_keys.enable_debug_logging, 'false')
                 _string_setting(settings, config_keys.authorized_keys_file_path,
                                 '~/.ssh/authorized_keys_rhodecode',
                                 lower=False)
                 _string_setting(settings, config_keys.wrapper_cmd, '',
                                 lower=False)
                 _string_setting(settings, config_keys.authorized_keys_line_ssh_opts, '',
                                 lower=False)
-                _string_setting(settings, config_keys.ssh_api_key, '',
-                                lower=False)
-                _string_setting(settings, config_keys.ssh_api_host, '',
-                                lower=False)
                 _string_setting(settings, config_keys.ssh_hg_bin,
                                 '~/.rccontrol/vcsserver-1/profile/bin/hg',
                                 lower=False)
                 _string_setting(settings, config_keys.ssh_git_bin,
                                 '~/.rccontrol/vcsserver-1/profile/bin/git',
                                 lower=False)
                 _string_setting(settings, config_keys.ssh_svn_bin,
                                 '~/.rccontrol/vcsserver-1/profile/bin/svnserve',
                                 lower=False)
             def includeme(config):
                 settings = config.registry.settings
                 _sanitize_settings_and_apply_defaults(settings)
                 # if we have enable generation of file, subscribe to event
                 if settings[config_keys.generate_authorized_keyfile]:
                     config.add_subscriber(
                         generate_ssh_authorized_keys_file_subscriber, SshKeyFileChangeEvent)

rhodecode/apps/ssh_support/config_keys.py

0 0 -3

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             # Definition of setting keys used to configure this module. Defined here to
             # avoid repetition of keys throughout the module.
             generate_authorized_keyfile = 'ssh.generate_authorized_keyfile'
             authorized_keys_file_path = 'ssh.authorized_keys_file_path'
             authorized_keys_line_ssh_opts = 'ssh.authorized_keys_ssh_opts'
             wrapper_cmd = 'ssh.wrapper_cmd'
             wrapper_allow_shell = 'ssh.wrapper_cmd_allow_shell'
             enable_debug_logging = 'ssh.enable_debug_logging'
-            ssh_api_key = 'ssh.api_key'
-            ssh_api_host = 'ssh.api_host'
             ssh_hg_bin = 'ssh.executable.hg'
             ssh_git_bin = 'ssh.executable.git'
             ssh_svn_bin = 'ssh.executable.svn'

rhodecode/apps/ssh_support/lib/ssh_wrapper.py

0 +21 -547

This diff has been collapsed as it changes many lines, (568 lines changed) Show them Hide them
	@@ -1,607 +1,81 b''
	1	# -- coding: utf-8 --	1	# -- coding: utf-8 --
	2		2
	3	# Copyright (C) 2016-2017 RhodeCode GmbH	3	# Copyright (C) 2016-2017 RhodeCode GmbH
	4	#	4	#
	5	# This program is free software: you can redistribute it and/or modify	5	# This program is free software: you can redistribute it and/or modify
	6	# it under the terms of the GNU Affero General Public License, version 3	6	# it under the terms of the GNU Affero General Public License, version 3
	7	# (only), as published by the Free Software Foundation.	7	# (only), as published by the Free Software Foundation.
	8	#	8	#
	9	# This program is distributed in the hope that it will be useful,	9	# This program is distributed in the hope that it will be useful,
	10	# but WITHOUT ANY WARRANTY; without even the implied warranty of	10	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the	11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	# GNU General Public License for more details.	12	# GNU General Public License for more details.
	13	#	13	#
	14	# You should have received a copy of the GNU Affero General Public License	14	# You should have received a copy of the GNU Affero General Public License
	15	# along with this program. If not, see <http://www.gnu.org/licenses/>.	15	# along with this program. If not, see <http://www.gnu.org/licenses/>.
	16	#	16	#
	17	# This program is dual-licensed. If you wish to learn more about the	17	# This program is dual-licensed. If you wish to learn more about the
	18	# RhodeCode Enterprise Edition, including its added features, Support services,	18	# RhodeCode Enterprise Edition, including its added features, Support services,
	19	# and proprietary license terms, please see https://rhodecode.com/licenses/	19	# and proprietary license terms, please see https://rhodecode.com/licenses/
	20		20
	21	import os	21	import os
	22	import re
	23	import sys	22	import sys
	24	import json
	25	import logging	23	import logging
	26	import random
	27	import signal
	28	import tempfile
	29	from subprocess import Popen, PIPE, check_output, CalledProcessError
	30	import ConfigParser
	31	import urllib2
	32	import urlparse
	33		24
	34	import click	25	import click
	35	import pyramid.paster
	36		26
			27	from pyramid.paster import bootstrap, setup_logging
			28	from pyramid.request import Request
			29
			30	from .backends import SshWrapper
	37		31
	38	log = logging.getLogger(__name__)	32	log = logging.getLogger(__name__)
	39		33
	40		34
	41	def setup_logging(ini_path, debug):	35	def setup_custom_logging(ini_path, debug):
	42	if debug:	36	if debug:
	43	# enabled rhodecode.ini controlled logging setup	37	# enabled rhodecode.ini controlled logging setup
	44	~~pyramid~~.~~paster~~.setup_logging(ini_path)	38	setup_logging(ini_path)
	45	else:	39	else:
	46	# configure logging in a mode that doesn't print anything.	40	# configure logging in a mode that doesn't print anything.
	47	# in case of regularly configured logging it gets printed out back	41	# in case of regularly configured logging it gets printed out back
	48	# to the client doing an SSH command.	42	# to the client doing an SSH command.
	49	logger = logging.getLogger('')	43	logger = logging.getLogger('')
	50	null = logging.NullHandler()	44	null = logging.NullHandler()
	51	# add the handler to the root logger	45	# add the handler to the root logger
	52	logger.handlers = [null]	46	logger.handlers = [null]
	53		47
	54		48
	55	class SubversionTunnelWrapper(object):
	56	process = None
	57
	58	def __init__(self, timeout, repositories_root=None, svn_path=None):
	59	self.timeout = timeout
	60	self.stdin = sys.stdin
	61	self.repositories_root = repositories_root
	62	self.svn_path = svn_path or 'svnserve'
	63	self.svn_conf_fd, self.svn_conf_path = tempfile.mkstemp()
	64	self.hooks_env_fd, self.hooks_env_path = tempfile.mkstemp()
	65	self.read_only = False
	66	self.create_svn_config()
	67
	68	def create_svn_config(self):
	69	content = (
	70	'[general]\n'
	71	'hooks-env = {}\n').format(self.hooks_env_path)
	72	with os.fdopen(self.svn_conf_fd, 'w') as config_file:
	73	config_file.write(content)
	74
	75	def create_hooks_env(self):
	76	content = (
	77	'[default]\n'
	78	'LANG = en_US.UTF-8\n')
	79	if self.read_only:
	80	content += 'SSH_READ_ONLY = 1\n'
	81	with os.fdopen(self.hooks_env_fd, 'w') as hooks_env_file:
	82	hooks_env_file.write(content)
	83
	84	def remove_configs(self):
	85	os.remove(self.svn_conf_path)
	86	os.remove(self.hooks_env_path)
	87
	88	def start(self):
	89	config = ['--config-file', self.svn_conf_path]
	90	command = [self.svn_path, '-t'] + config
	91	if self.repositories_root:
	92	command.extend(['-r', self.repositories_root])
	93	self.process = Popen(command, stdin=PIPE)
	94
	95	def sync(self):
	96	while self.process.poll() is None:
	97	next_byte = self.stdin.read(1)
	98	if not next_byte:
	99	break
	100	self.process.stdin.write(next_byte)
	101	self.remove_configs()
	102
	103	@property
	104	def return_code(self):
	105	return self.process.returncode
	106
	107	def get_first_client_response(self):
	108	signal.signal(signal.SIGALRM, self.interrupt)
	109	signal.alarm(self.timeout)
	110	first_response = self._read_first_client_response()
	111	signal.alarm(0)
	112	return (
	113	self._parse_first_client_response(first_response)
	114	if first_response else None)
	115
	116	def patch_first_client_response(self, response, **kwargs):
	117	self.create_hooks_env()
	118	data = response.copy()
	119	data.update(kwargs)
	120	data['url'] = self._svn_string(data['url'])
	121	data['ra_client'] = self._svn_string(data['ra_client'])
	122	data['client'] = data['client'] or ''
	123	buffer_ = (
	124	"( {version} ( {capabilities} ) {url}{ra_client}"
	125	"( {client}) ) ".format(**data))
	126	self.process.stdin.write(buffer_)
	127
	128	def fail(self, message):
	129	print(
	130	"( failure ( ( 210005 {message} 0: 0 ) ) )".format(
	131	message=self._svn_string(message)))
	132	self.remove_configs()
	133	self.process.kill()
	134
	135	def interrupt(self, signum, frame):
	136	self.fail("Exited by timeout")
	137
	138	def _svn_string(self, str_):
	139	if not str_:
	140	return ''
	141	return '{length}:{string} '.format(length=len(str_), string=str_)
	142
	143	def _read_first_client_response(self):
	144	buffer_ = ""
	145	brackets_stack = []
	146	while True:
	147	next_byte = self.stdin.read(1)
	148	buffer_ += next_byte
	149	if next_byte == "(":
	150	brackets_stack.append(next_byte)
	151	elif next_byte == ")":
	152	brackets_stack.pop()
	153	elif next_byte == " " and not brackets_stack:
	154	break
	155	return buffer_
	156
	157	def _parse_first_client_response(self, buffer_):
	158	"""
	159	According to the Subversion RA protocol, the first request
	160	should look like:
	161
	162	( version:number ( cap:word ... ) url:string ? ra-client:string
	163	( ? client:string ) )
	164
	165	Please check https://svn.apache.org/repos/asf/subversion/trunk/
	166	subversion/libsvn_ra_svn/protocol
	167	"""
	168	version_re = r'(?P<version>\d+)'
	169	capabilities_re = r'$\s(?P<capabilities>[\w\d\-\ ]+)\s$'
	170	url_re = r'\d+\:(?P<url>[\W\w]+)'
	171	ra_client_re = r'(\d+\:(?P<ra_client>[\W\w]+)\s)'
	172	client_re = r'(\d+\:(?P<client>[\W\w]+)\s)*'
	173	regex = re.compile(
	174	r'^\(\s{version}\s{capabilities}\s{url}\s{ra_client}'
	175	r'$\s{client}$\s\)\s*$'.format(
	176	version=version_re, capabilities=capabilities_re,
	177	url=url_re, ra_client=ra_client_re, client=client_re))
	178	matcher = regex.match(buffer_)
	179	return matcher.groupdict() if matcher else None
	180
	181
	182	class RhodeCodeApiClient(object):
	183	def __init__(self, api_key, api_host):
	184	self.api_key = api_key
	185	self.api_host = api_host
	186
	187	if not api_host:
	188	raise ValueError('api_key:{} not defined'.format(api_key))
	189	if not api_host:
	190	raise ValueError('api_host:{} not defined '.format(api_host))
	191
	192	def request(self, method, args):
	193	id_ = random.randrange(1, 9999)
	194	args = {
	195	'id': id_,
	196	'api_key': self.api_key,
	197	'method': method,
	198	'args': args
	199	}
	200	host = '{host}/_admin/api'.format(host=self.api_host)
	201
	202	log.debug('Doing API call to %s method:%s', host, method)
	203	req = urllib2.Request(
	204	host,
	205	data=json.dumps(args),
	206	headers={'content-type': 'text/plain'})
	207	ret = urllib2.urlopen(req)
	208	raw_json = ret.read()
	209	json_data = json.loads(raw_json)
	210	id_ret = json_data['id']
	211
	212	if id_ret != id_:
	213	raise Exception('something went wrong. '
	214	'ID mismatch got %s, expected %s \| %s'
	215	% (id_ret, id_, raw_json))
	216
	217	result = json_data['result']
	218	error = json_data['error']
	219	return result, error
	220
	221	def get_user_permissions(self, user, user_id):
	222	result, error = self.request('get_user', {'userid': int(user_id)})
	223	if result is None and error:
	224	raise Exception(
	225	'User "%s" not found or another error happened: %s!' % (
	226	user, error))
	227	log.debug(
	228	'Given User: `%s` Fetched User: `%s`', user, result.get('username'))
	229	return result.get('permissions').get('repositories')
	230
	231	def invalidate_cache(self, repo_name):
	232	log.debug('Invalidate cache for repo:%s', repo_name)
	233	return self.request('invalidate_cache', {'repoid': repo_name})
	234
	235	def get_repo_store(self):
	236	result, error = self.request('get_repo_store', {})
	237	return result
	238
	239
	240	class VcsServer(object):
	241
	242	def __init__(self, user, user_permissions, config):
	243	self.user = user
	244	self.user_permissions = user_permissions
	245	self.config = config
	246	self.repo_name = None
	247	self.repo_mode = None
	248	self.store = {}
	249	self.ini_path = ''
	250
	251	def run(self):
	252	raise NotImplementedError()
	253
	254	def get_root_store(self):
	255	root_store = self.store['path']
	256	if not root_store.endswith('/'):
	257	# always append trailing slash
	258	root_store = root_store + '/'
	259	return root_store
	260
	261
	262	class MercurialServer(VcsServer):
	263	read_only = False
	264
	265	def __init__(self, store, ini_path, repo_name,
	266	user, user_permissions, config):
	267	super(MercurialServer, self).__init__(user, user_permissions, config)
	268	self.store = store
	269	self.repo_name = repo_name
	270	self.ini_path = ini_path
	271	self.hg_path = config.get('app:main', 'ssh.executable.hg')
	272
	273	def run(self):
	274	if not self._check_permissions():
	275	return 2, False
	276
	277	tip_before = self.tip()
	278	exit_code = os.system(self.command)
	279	tip_after = self.tip()
	280	return exit_code, tip_before != tip_after
	281
	282	def tip(self):
	283	root = self.get_root_store()
	284	command = (
	285	'cd {root}; {hg_path} -R {root}{repo_name} tip --template "{{node}}\n"'
	286	''.format(
	287	root=root, hg_path=self.hg_path, repo_name=self.repo_name))
	288	try:
	289	tip = check_output(command, shell=True).strip()
	290	except CalledProcessError:
	291	tip = None
	292	return tip
	293
	294	@property
	295	def command(self):
	296	root = self.get_root_store()
	297	arguments = (
	298	'--config hooks.pretxnchangegroup=\"false\"'
	299	if self.read_only else '')
	300
	301	command = (
	302	"cd {root}; {hg_path} -R {root}{repo_name} serve --stdio"
	303	" {arguments}".format(
	304	root=root, hg_path=self.hg_path, repo_name=self.repo_name,
	305	arguments=arguments))
	306	log.debug("Final CMD: %s", command)
	307	return command
	308
	309	def _check_permissions(self):
	310	permission = self.user_permissions.get(self.repo_name)
	311	if permission is None or permission == 'repository.none':
	312	log.error('repo not found or no permissions')
	313	return False
	314
	315	elif permission in ['repository.admin', 'repository.write']:
	316	log.info(
	317	'Write Permissions for User "%s" granted to repo "%s"!' % (
	318	self.user, self.repo_name))
	319	else:
	320	self.read_only = True
	321	log.info(
	322	'Only Read Only access for User "%s" granted to repo "%s"!',
	323	self.user, self.repo_name)
	324	return True
	325
	326
	327	class GitServer(VcsServer):
	328	def __init__(self, store, ini_path, repo_name, repo_mode,
	329	user, user_permissions, config):
	330	super(GitServer, self).__init__(user, user_permissions, config)
	331	self.store = store
	332	self.ini_path = ini_path
	333	self.repo_name = repo_name
	334	self.repo_mode = repo_mode
	335	self.git_path = config.get('app:main', 'ssh.executable.git')
	336
	337	def run(self):
	338	exit_code = self._check_permissions()
	339	if exit_code:
	340	return exit_code, False
	341
	342	self._update_environment()
	343	exit_code = os.system(self.command)
	344	return exit_code, self.repo_mode == "receive-pack"
	345
	346	@property
	347	def command(self):
	348	root = self.get_root_store()
	349	command = "cd {root}; {git_path}-{mode} '{root}{repo_name}'".format(
	350	root=root, git_path=self.git_path, mode=self.repo_mode,
	351	repo_name=self.repo_name)
	352	log.debug("Final CMD: %s", command)
	353	return command
	354
	355	def _update_environment(self):
	356	action = "push" if self.repo_mode == "receive-pack" else "pull",
	357	scm_data = {
	358	"ip": os.environ["SSH_CLIENT"].split()[0],
	359	"username": self.user,
	360	"action": action,
	361	"repository": self.repo_name,
	362	"scm": "git",
	363	"config": self.ini_path,
	364	"make_lock": None,
	365	"locked_by": [None, None]
	366	}
	367	os.putenv("RC_SCM_DATA", json.dumps(scm_data))
	368
	369	def _check_permissions(self):
	370	permission = self.user_permissions.get(self.repo_name)
	371	log.debug(
	372	'permission for %s on %s are: %s',
	373	self.user, self.repo_name, permission)
	374
	375	if permission is None or permission == 'repository.none':
	376	log.error('repo not found or no permissions')
	377	return 2
	378	elif permission in ['repository.admin', 'repository.write']:
	379	log.info(
	380	'Write Permissions for User "%s" granted to repo "%s"!',
	381	self.user, self.repo_name)
	382	elif (permission == 'repository.read' and
	383	self.repo_mode == 'upload-pack'):
	384	log.info(
	385	'Only Read Only access for User "%s" granted to repo "%s"!',
	386	self.user, self.repo_name)
	387	elif (permission == 'repository.read'
	388	and self.repo_mode == 'receive-pack'):
	389	log.error(
	390	'Only Read Only access for User "%s" granted to repo "%s"!'
	391	' Failing!', self.user, self.repo_name)
	392	return -3
	393	else:
	394	log.error('Cannot properly fetch user permission. '
	395	'Return value is: %s', permission)
	396	return -2
	397
	398
	399	class SubversionServer(VcsServer):
	400
	401	def __init__(self, store, ini_path,
	402	user, user_permissions, config):
	403	super(SubversionServer, self).__init__(user, user_permissions, config)
	404	self.store = store
	405	self.ini_path = ini_path
	406	# this is set in .run() from input stream
	407	self.repo_name = None
	408	self.svn_path = config.get('app:main', 'ssh.executable.svn')
	409
	410	def run(self):
	411	root = self.get_root_store()
	412	log.debug("Using subversion binaries from '%s'", self.svn_path)
	413
	414	self.tunnel = SubversionTunnelWrapper(
	415	timeout=self.timeout, repositories_root=root, svn_path=self.svn_path)
	416	self.tunnel.start()
	417	first_response = self.tunnel.get_first_client_response()
	418	if not first_response:
	419	self.tunnel.fail("Repository name cannot be extracted")
	420	return 1, False
	421
	422	url_parts = urlparse.urlparse(first_response['url'])
	423	self.repo_name = url_parts.path.strip('/')
	424	if not self._check_permissions():
	425	self.tunnel.fail("Not enough permissions")
	426	return 1, False
	427
	428	self.tunnel.patch_first_client_response(first_response)
	429	self.tunnel.sync()
	430	return self.tunnel.return_code, False
	431
	432	@property
	433	def timeout(self):
	434	timeout = 30
	435	return timeout
	436
	437	def _check_permissions(self):
	438	permission = self.user_permissions.get(self.repo_name)
	439
	440	if permission in ['repository.admin', 'repository.write']:
	441	self.tunnel.read_only = False
	442	return True
	443
	444	elif permission == 'repository.read':
	445	self.tunnel.read_only = True
	446	return True
	447
	448	else:
	449	self.tunnel.fail("Not enough permissions for repository {}".format(
	450	self.repo_name))
	451	return False
	452
	453
	454	class SshWrapper(object):
	455
	456	def __init__(self, command, mode, user, user_id, shell, ini_path):
	457	self.command = command
	458	self.mode = mode
	459	self.user = user
	460	self.user_id = user_id
	461	self.shell = shell
	462	self.ini_path = ini_path
	463
	464	self.config = self.parse_config(ini_path)
	465	api_key = self.config.get('app:main', 'ssh.api_key')
	466	api_host = self.config.get('app:main', 'ssh.api_host')
	467	self.api = RhodeCodeApiClient(api_key, api_host)
	468
	469	def parse_config(self, config):
	470	parser = ConfigParser.ConfigParser()
	471	parser.read(config)
	472	return parser
	473
	474	def get_repo_details(self, mode):
	475	type_ = mode if mode in ['svn', 'hg', 'git'] else None
	476	mode = mode
	477	name = None
	478
	479	hg_pattern = r'^hg\s+\-R\s+(\S+)\s+serve\s+\-\-stdio$'
	480	hg_match = re.match(hg_pattern, self.command)
	481	if hg_match is not None:
	482	type_ = 'hg'
	483	name = hg_match.group(1).strip('/')
	484	return type_, name, mode
	485
	486	git_pattern = (
	487	r'^git-(receive-pack\|upload-pack)\s\'[/]?(\S+?)(\|\.git)\'$')
	488	git_match = re.match(git_pattern, self.command)
	489	if git_match is not None:
	490	type_ = 'git'
	491	name = git_match.group(2).strip('/')
	492	mode = git_match.group(1)
	493	return type_, name, mode
	494
	495	svn_pattern = r'^svnserve -t'
	496	svn_match = re.match(svn_pattern, self.command)
	497	if svn_match is not None:
	498	type_ = 'svn'
	499	# Repo name should be extracted from the input stream
	500	return type_, name, mode
	501
	502	return type_, name, mode
	503
	504	def serve(self, vcs, repo, mode, user, permissions):
	505	store = self.api.get_repo_store()
	506
	507	log.debug(
	508	'VCS detected:`%s` mode: `%s` repo: %s', vcs, mode, repo)
	509
	510	if vcs == 'hg':
	511	server = MercurialServer(
	512	store=store, ini_path=self.ini_path,
	513	repo_name=repo, user=user,
	514	user_permissions=permissions, config=self.config)
	515	return server.run()
	516
	517	elif vcs == 'git':
	518	server = GitServer(
	519	store=store, ini_path=self.ini_path,
	520	repo_name=repo, repo_mode=mode, user=user,
	521	user_permissions=permissions, config=self.config)
	522	return server.run()
	523
	524	elif vcs == 'svn':
	525	server = SubversionServer(
	526	store=store, ini_path=self.ini_path,
	527	user=user,
	528	user_permissions=permissions, config=self.config)
	529	return server.run()
	530
	531	else:
	532	raise Exception('Unrecognised VCS: {}'.format(vcs))
	533
	534	def wrap(self):
	535	mode = self.mode
	536	user = self.user
	537	user_id = self.user_id
	538	shell = self.shell
	539
	540	scm_detected, scm_repo, scm_mode = self.get_repo_details(mode)
	541	log.debug(
	542	'Mode: `%s` User: `%s:%s` Shell: `%s` SSH Command: `\"%s\"` '
	543	'SCM_DETECTED: `%s` SCM Mode: `%s` SCM Repo: `%s`',
	544	mode, user, user_id, shell, self.command,
	545	scm_detected, scm_mode, scm_repo)
	546
	547	try:
	548	permissions = self.api.get_user_permissions(user, user_id)
	549	except Exception as e:
	550	log.exception('Failed to fetch user permissions')
	551	return 1
	552
	553	if shell and self.command is None:
	554	log.info(
	555	'Dropping to shell, no command given and shell is allowed')
	556	os.execl('/bin/bash', '-l')
	557	exit_code = 1
	558
	559	elif scm_detected:
	560	try:
	561	exit_code, is_updated = self.serve(
	562	scm_detected, scm_repo, scm_mode, user, permissions)
	563	if exit_code == 0 and is_updated:
	564	self.api.invalidate_cache(scm_repo)
	565	except Exception:
	566	log.exception('Error occurred during execution of SshWrapper')
	567	exit_code = -1
	568
	569	elif self.command is None and shell is False:
	570	log.error('No Command given.')
	571	exit_code = -1
	572
	573	else:
	574	log.error(
	575	'Unhandled Command: "%s" Aborting.', self.command)
	576	exit_code = -1
	577
	578	return exit_code
	579
	580
	581	@click.command()	49	@click.command()
	582	@click.argument('ini_path', type=click.Path(exists=True))	50	@click.argument('ini_path', type=click.Path(exists=True))
	583	@click.option(	51	@click.option(
	584	'--mode', '-m', required=False, default='auto',	52	'--mode', '-m', required=False, default='auto',
	585	type=click.Choice(['auto', 'vcs', 'git', 'hg', 'svn', 'test']),	53	type=click.Choice(['auto', 'vcs', 'git', 'hg', 'svn', 'test']),
	586	help='mode of operation')	54	help='mode of operation')
	587	@click.option('--user', help='Username for which the command will be executed')	55	@click.option('--user', help='Username for which the command will be executed')
	588	@click.option('--user-id', help='User ID for which the command will be executed')	56	@click.option('--user-id', help='User ID for which the command will be executed')
			57	@click.option('--key-id', help='ID of the key from the database')
	589	@click.option('--shell', '-s', is_flag=True, help='Allow Shell')	58	@click.option('--shell', '-s', is_flag=True, help='Allow Shell')
	590	@click.option('--debug', is_flag=True, help='Enabled detailed output logging')	59	@click.option('--debug', is_flag=True, help='Enabled detailed output logging')
	591	def main(ini_path, mode, user, user_id, shell, debug):	60	def main(ini_path, mode, user, user_id, key_id, shell, debug):
	592	setup_logging(ini_path, debug)	61	setup_custom_logging(ini_path, debug)
	593		62
	594	command = os.environ.get('SSH_ORIGINAL_COMMAND', '')	63	command = os.environ.get('SSH_ORIGINAL_COMMAND', '')
	595	if not command and mode not in ['test']:	64	if not command and mode not in ['test']:
	596	raise ValueError(	65	raise ValueError(
	597	'Unable to fetch SSH_ORIGINAL_COMMAND from environment.'	66	'Unable to fetch SSH_ORIGINAL_COMMAND from environment.'
	598	'Please make sure this is set and available during execution '	67	'Please make sure this is set and available during execution '
	599	'of this script.')	68	'of this script.')
			69	connection_info = os.environ.get('SSH_CONNECTION', '')
			70	request = Request.blank('/', base_url='http://rhodecode-ssh-wrapper/')
			71	with bootstrap(ini_path, request=request) as env:
			72	try:
			73	ssh_wrapper = SshWrapper(
			74	command, connection_info, mode,
			75	user, user_id, key_id, shell, ini_path)
			76	except Exception:
			77	log.exception('Failed to execute SshWrapper')
			78	sys.exit(-5)
	600		79
	601	try:	80	return_code = ssh_wrapper.wrap()
	602	ssh_wrapper = SshWrapper(command, mode, user, user_id, shell, ini_path)	81	sys.exit(return_code)
	603	except Exception:
	604	log.exception('Failed to execute SshWrapper')
	605	sys.exit(-5)
	606
	607	sys.exit(ssh_wrapper.wrap()) No newline at end of file

rhodecode/apps/ssh_support/tests/test_server_git.py

0 +2 -2

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import json
             import pytest
-            from mock import Mock, patch, call
+            from mock import Mock, patch
-            from rhodecode.apps.ssh_support.lib.ssh_wrapper import GitServer
+            from rhodecode.apps.ssh_support.lib.backends.git import GitServer
             @pytest.fixture
             def git_server():
                 return GitServerCreator()
             class GitServerCreator(object):
                 root = '/tmp/repo/path/'
                 git_path = '/usr/local/bin/'
                 config_data = {
                     'app:main': {
                         'ssh.executable.git': git_path
                     }
                 }
                 repo_name = 'test_git'
                 repo_mode = 'receive-pack'
                 user = 'vcs'
                 def __init__(self):
                     def config_get(part, key):
                         return self.config_data.get(part, {}).get(key)
                     self.config_mock = Mock()
                     self.config_mock.get = Mock(side_effect=config_get)
                 def create(self, **kwargs):
                     parameters = {
                         'store': {'path': self.root},
                         'ini_path': '',
                         'user': self.user,
                         'repo_name': self.repo_name,
                         'repo_mode': self.repo_mode,
                         'user_permissions': {
                             self.repo_name: 'repo_admin'
                         },
                         'config': self.config_mock,
                     }
                     parameters.update(kwargs)
                     server = GitServer(**parameters)
                     return server
             class TestGitServer(object):
                 def test_command(self, git_server):
                     server = git_server.create()
                     server.read_only = False
                     expected_command = (
                         'cd {root}; {git_path}-{repo_mode}'
                         ' \'{root}{repo_name}\''.format(
                             root=git_server.root, git_path=git_server.git_path,
                             repo_mode=git_server.repo_mode, repo_name=git_server.repo_name)
                     )
                     assert expected_command == server.command
                 def test_run_returns_exit_code_2_when_no_permissions(self, git_server, caplog):
                     server = git_server.create()
                     with patch.object(server, '_check_permissions') as permissions_mock:
                         with patch.object(server, '_update_environment'):
                             permissions_mock.return_value = 2
                             exit_code = server.run()
                     assert exit_code == (2, False)
                 def test_run_returns_executes_command(self, git_server, caplog):
                     server = git_server.create()
                     with patch.object(server, '_check_permissions') as permissions_mock:
                         with patch('os.system') as system_mock:
                             with patch.object(server, '_update_environment') as (
                                     update_mock):
                                 permissions_mock.return_value = 0
                                 system_mock.return_value = 0
                                 exit_code = server.run()
                     system_mock.assert_called_once_with(server.command)
                     update_mock.assert_called_once_with()
                     assert exit_code == (0, True)
                 @pytest.mark.parametrize(
                     'repo_mode, action', [
                         ['receive-pack', 'push'],
                         ['upload-pack', 'pull']
                     ])
                 def test_update_environment(self, git_server, repo_mode, action):
                     server = git_server.create(repo_mode=repo_mode)
                     with patch('os.environ', {'SSH_CLIENT': '10.10.10.10 b'}):
                         with patch('os.putenv') as putenv_mock:
                             server._update_environment()
                     expected_data = {
                         "username": git_server.user,
                         "scm": "git",
                         "repository": git_server.repo_name,
                         "make_lock": None,
                         "action": [action],
                         "ip": "10.10.10.10",
                         "locked_by": [None, None],
                         "config": ""
                     }
                     args, kwargs = putenv_mock.call_args
                     assert json.loads(args[1]) == expected_data
             class TestGitServerCheckPermissions(object):
                 def test_returns_2_when_no_permissions_found(self, git_server, caplog):
                     user_permissions = {}
                     server = git_server.create(user_permissions=user_permissions)
                     result = server._check_permissions()
                     assert result == 2
                     log_msg = 'permission for vcs on test_git are: None'
                     assert log_msg in [t[2] for t in caplog.record_tuples]
                 def test_returns_2_when_no_permissions(self, git_server, caplog):
                     user_permissions = {git_server.repo_name: 'repository.none'}
                     server = git_server.create(user_permissions=user_permissions)
                     result = server._check_permissions()
                     assert result == 2
                     log_msg = 'repo not found or no permissions'
                     assert log_msg in [t[2] for t in caplog.record_tuples]
                 @pytest.mark.parametrize(
                     'permission', ['repository.admin', 'repository.write'])
                 def test_access_allowed_when_user_has_write_permissions(
                         self, git_server, permission, caplog):
                     user_permissions = {git_server.repo_name: permission}
                     server = git_server.create(user_permissions=user_permissions)
                     result = server._check_permissions()
                     assert result is None
                     log_msg = 'Write Permissions for User "%s" granted to repo "%s"!' % (
                         git_server.user, git_server.repo_name)
                     assert log_msg in [t[2] for t in caplog.record_tuples]
                 def test_write_access_is_not_allowed_when_user_has_read_permission(
                         self, git_server, caplog):
                     user_permissions = {git_server.repo_name: 'repository.read'}
                     server = git_server.create(
                         user_permissions=user_permissions, repo_mode='receive-pack')
                     result = server._check_permissions()
                     assert result == -3
                     log_msg = 'Only Read Only access for User "%s" granted to repo "%s"! Failing!' % (
                         git_server.user, git_server.repo_name)
                     assert log_msg in [t[2] for t in caplog.record_tuples]
                 def test_read_access_allowed_when_user_has_read_permission(
                         self, git_server, caplog):
                     user_permissions = {git_server.repo_name: 'repository.read'}
                     server = git_server.create(
                         user_permissions=user_permissions, repo_mode='upload-pack')
                     result = server._check_permissions()
                     assert result is None
                     log_msg = 'Only Read Only access for User "%s" granted to repo "%s"!' % (
                         git_server.user, git_server.repo_name)
                     assert log_msg in [t[2] for t in caplog.record_tuples]
                 def test_returns_error_when_permission_not_recognised(
                         self, git_server, caplog):
                     user_permissions = {git_server.repo_name: 'repository.whatever'}
                     server = git_server.create(
                         user_permissions=user_permissions, repo_mode='upload-pack')
                     result = server._check_permissions()
                     assert result == -2
                     log_msg = 'Cannot properly fetch user permission. ' \
                               'Return value is: repository.whatever'
                     assert log_msg in [t[2] for t in caplog.record_tuples]

rhodecode/apps/ssh_support/tests/test_server_hg.py

0 +2 -2

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import pytest
-            from mock import Mock, patch, call
+            from mock import Mock, patch
-            from rhodecode.apps.ssh_support.lib.ssh_wrapper import MercurialServer
+            from rhodecode.apps.ssh_support.lib.backends.hg import MercurialServer
             @pytest.fixture
             def hg_server():
                 return MercurialServerCreator()
             class MercurialServerCreator(object):
                 root = '/tmp/repo/path/'
                 hg_path = '/usr/local/bin/hg'
                 config_data = {
                     'app:main': {
                         'ssh.executable.hg': hg_path
                     }
                 }
                 repo_name = 'test_hg'
                 user = 'vcs'
                 def __init__(self):
                     def config_get(part, key):
                         return self.config_data.get(part, {}).get(key)
                     self.config_mock = Mock()
                     self.config_mock.get = Mock(side_effect=config_get)
                 def create(self, **kwargs):
                     parameters = {
                         'store': {'path': self.root},
                         'ini_path': '',
                         'user': self.user,
                         'repo_name': self.repo_name,
                         'user_permissions': {
                             'test_hg': 'repo_admin'
                         },
                         'config': self.config_mock,
                     }
                     parameters.update(kwargs)
                     server = MercurialServer(**parameters)
                     return server
             class TestMercurialServer(object):
                 def test_read_only_command(self, hg_server):
                     server = hg_server.create()
                     server.read_only = True
                     expected_command = (
                         'cd {root}; {hg_path} -R {root}{repo_name} serve --stdio'
                         ' --config hooks.pretxnchangegroup="false"'.format(
                             root=hg_server.root, hg_path=hg_server.hg_path,
                             repo_name=hg_server.repo_name)
                     )
                     assert expected_command == server.command
                 def test_normal_command(self, hg_server):
                     server = hg_server.create()
                     server.read_only = False
                     expected_command = (
                         'cd {root}; {hg_path} -R {root}{repo_name} serve --stdio '.format(
                             root=hg_server.root, hg_path=hg_server.hg_path,
                             repo_name=hg_server.repo_name)
                     )
                     assert expected_command == server.command
                 def test_access_rejected_when_permissions_are_not_found(self, hg_server, caplog):
                     user_permissions = {}
                     server = hg_server.create(user_permissions=user_permissions)
                     result = server._check_permissions()
                     assert result is False
                     log_msg = 'repo not found or no permissions'
                     assert log_msg in [t[2] for t in caplog.record_tuples]
                 def test_access_rejected_when_no_permissions(self, hg_server, caplog):
                     user_permissions = {hg_server.repo_name: 'repository.none'}
                     server = hg_server.create(user_permissions=user_permissions)
                     result = server._check_permissions()
                     assert result is False
                     log_msg = 'repo not found or no permissions'
                     assert log_msg in [t[2] for t in caplog.record_tuples]
                 @pytest.mark.parametrize(
                     'permission', ['repository.admin', 'repository.write'])
                 def test_access_allowed_when_user_has_write_permissions(
                         self, hg_server, permission, caplog):
                     user_permissions = {hg_server.repo_name: permission}
                     server = hg_server.create(user_permissions=user_permissions)
                     result = server._check_permissions()
                     assert result is True
                     assert server.read_only is False
                     log_msg = 'Write Permissions for User "vcs" granted to repo "test_hg"!'
                     assert log_msg in [t[2] for t in caplog.record_tuples]
                 def test_access_allowed_when_user_has_read_permissions(self, hg_server, caplog):
                     user_permissions = {hg_server.repo_name: 'repository.read'}
                     server = hg_server.create(user_permissions=user_permissions)
                     result = server._check_permissions()
                     assert result is True
                     assert server.read_only is True
                     log_msg = 'Only Read Only access for User "%s" granted to repo "%s"!' % (
                         hg_server.user, hg_server.repo_name)
                     assert log_msg in [t[2] for t in caplog.record_tuples]
                 def test_run_returns_exit_code_2_when_no_permissions(self, hg_server, caplog):
                     server = hg_server.create()
                     with patch.object(server, '_check_permissions') as permissions_mock:
                         permissions_mock.return_value = False
                         exit_code = server.run()
                         assert exit_code == (2, False)
                 def test_run_returns_executes_command(self, hg_server, caplog):
                     server = hg_server.create()
                     with patch.object(server, '_check_permissions') as permissions_mock:
                         with patch('os.system') as system_mock:
                             permissions_mock.return_value = True
                             system_mock.return_value = 0
                             exit_code = server.run()
                     system_mock.assert_called_once_with(server.command)
                     assert exit_code == (0, False)

rhodecode/apps/ssh_support/tests/test_server_svn.py

0 +2 -2

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import pytest
-            from mock import Mock, patch, call
+            from mock import Mock, patch
-            from rhodecode.apps.ssh_support.lib.ssh_wrapper import SubversionServer
+            from rhodecode.apps.ssh_support.lib.backends.svn import SubversionServer
             @pytest.fixture
             def svn_server():
                 return SubversionServerCreator()
             class SubversionServerCreator(object):
                 root = '/tmp/repo/path/'
                 svn_path = '/usr/local/bin/svnserve'
                 config_data = {
                     'app:main': {
                         'ssh.executable.svn': svn_path
                     }
                 }
                 repo_name = 'test-svn'
                 user = 'vcs'
                 def __init__(self):
                     def config_get(part, key):
                         return self.config_data.get(part, {}).get(key)
                     self.config_mock = Mock()
                     self.config_mock.get = Mock(side_effect=config_get)
                 def create(self, **kwargs):
                     parameters = {
                         'store': {'path': self.root},
                         'ini_path': '',
                         'user': self.user,
                         'user_permissions': {
                             self.repo_name: 'repo_admin'
                         },
                         'config': self.config_mock,
                     }
                     parameters.update(kwargs)
                     server = SubversionServer(**parameters)
                     return server
             class TestSubversionServer(object):
                 def test_timeout_returns_value_from_config(self, svn_server):
                     server = svn_server.create()
                     assert server.timeout == 30
                 @pytest.mark.parametrize(
                     'permission', ['repository.admin', 'repository.write'])
                 def test_check_permissions_with_write_permissions(
                         self, svn_server, permission):
                     user_permissions = {svn_server.repo_name: permission}
                     server = svn_server.create(user_permissions=user_permissions)
                     server.tunnel = Mock()
                     server.repo_name = svn_server.repo_name
                     result = server._check_permissions()
                     assert result is True
                     assert server.tunnel.read_only is False
                 def test_check_permissions_with_read_permissions(self, svn_server):
                     user_permissions = {svn_server.repo_name: 'repository.read'}
                     server = svn_server.create(user_permissions=user_permissions)
                     server.tunnel = Mock()
                     server.repo_name = svn_server.repo_name
                     result = server._check_permissions()
                     assert result is True
                     assert server.tunnel.read_only is True
                 def test_check_permissions_with_no_permissions(self, svn_server, caplog):
                     tunnel_mock = Mock()
                     user_permissions = {}
                     server = svn_server.create(user_permissions=user_permissions)
                     server.tunnel = tunnel_mock
                     server.repo_name = svn_server.repo_name
                     result = server._check_permissions()
                     assert result is False
                     tunnel_mock.fail.assert_called_once_with(
                         "Not enough permissions for repository {}".format(
                             svn_server.repo_name))
                 def test_run_returns_1_when_repository_name_cannot_be_extracted(
                         self, svn_server):
                     server = svn_server.create()
                     with patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.SubversionTunnelWrapper') as tunnel_mock:
                         tunnel_mock().get_first_client_response.return_value = None
                         exit_code = server.run()
                     assert exit_code == (1, False)
                     tunnel_mock().fail.assert_called_once_with(
                         'Repository name cannot be extracted')
                 def test_run_returns_tunnel_return_code(self, svn_server, caplog):
                     server = svn_server.create()
                     fake_response = {
                         'url': 'ssh+svn://test@example.com/test-svn/'
                     }
                     with patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.SubversionTunnelWrapper') as tunnel_mock:
                         with patch.object(server, '_check_permissions') as (
                                 permissions_mock):
                             permissions_mock.return_value = True
                             tunnel = tunnel_mock()
                             tunnel.get_first_client_response.return_value = fake_response
                             tunnel.return_code = 0
                             exit_code = server.run()
                     permissions_mock.assert_called_once_with()
                     expected_log_calls = sorted([
                         "Using subversion binaries from '%s'" % svn_server.svn_path
                     ])
                     assert expected_log_calls == [t[2] for t in caplog.record_tuples]
                     assert exit_code == (0, False)
                     tunnel.patch_first_client_response.assert_called_once_with(
                         fake_response)
                     tunnel.sync.assert_called_once_with()

rhodecode/apps/ssh_support/tests/test_ssh_authorized_keys_gen.py

0 0 -2

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import os
             import pytest
             import mock
             from rhodecode.apps.ssh_support import utils
             from rhodecode.lib.utils2 import AttributeDict
             class TestSshKeyFileGeneration(object):
                 @pytest.mark.parametrize('ssh_wrapper_cmd', ['/tmp/sshwrapper.py'])
                 @pytest.mark.parametrize('allow_shell', [True, False])
                 @pytest.mark.parametrize('debug', [True, False])
                 @pytest.mark.parametrize('ssh_opts', [None, 'mycustom,option'])
                 def test_write_keyfile(self, tmpdir, ssh_wrapper_cmd, allow_shell, debug, ssh_opts):
                     authorized_keys_file_path = os.path.join(str(tmpdir), 'authorized_keys')
                     def keys():
                         return [
                             AttributeDict({'user': AttributeDict(username='admin'),
                                            'ssh_key_data': 'ssh-rsa ADMIN_KEY'}),
                             AttributeDict({'user': AttributeDict(username='user'),
                                            'ssh_key_data': 'ssh-rsa USER_KEY'}),
                         ]
                     with mock.patch('rhodecode.apps.ssh_support.utils.get_all_active_keys',
                                     return_value=keys()):
                         with mock.patch.dict('rhodecode.CONFIG', {'__file__': '/tmp/file.ini'}):
                             utils._generate_ssh_authorized_keys_file(
                                 authorized_keys_file_path, ssh_wrapper_cmd,
                                 allow_shell, ssh_opts, debug
                             )
                             assert os.path.isfile(authorized_keys_file_path)
                             with open(authorized_keys_file_path) as f:
                                 content = f.read()
                                 assert 'command="/tmp/sshwrapper.py' in content
                                 assert 'This file is managed by RhodeCode, ' \
                                        'please do not edit it manually.' in content
                                 if allow_shell:
                                     assert '--shell' in content
                                 if debug:
                                     assert '--debug' in content
                                 assert '--user' in content
                                 assert '--user-id' in content
                                 if ssh_opts:
                                     assert ssh_opts in content

rhodecode/apps/ssh_support/tests/test_ssh_wrapper.py

0 0 -3

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import os
             import mock
             import pytest
             import ConfigParser
             from rhodecode.apps.ssh_support.lib.ssh_wrapper import SshWrapper
             @pytest.fixture
             def dummy_conf(tmpdir):
                 conf = ConfigParser.ConfigParser()
                 conf.add_section('app:main')
                 conf.set('app:main', 'ssh.executable.hg', '/usr/bin/hg')
                 conf.set('app:main', 'ssh.executable.git', '/usr/bin/git')
                 conf.set('app:main', 'ssh.executable.svn', '/usr/bin/svnserve')
-                conf.set('app:main', 'ssh.api_key', 'xxx')
-                conf.set('app:main', 'ssh.api_host', 'http://localhost')
                 f_path = os.path.join(str(tmpdir), 'ssh_wrapper_test.ini')
                 with open(f_path, 'wb') as f:
                     conf.write(f)
                 return os.path.join(f_path)
             class TestGetRepoDetails(object):
                 @pytest.mark.parametrize(
                     'command', [
                         'hg -R test-repo serve --stdio',
                         'hg     -R      test-repo      serve       --stdio'
                     ])
                 def test_hg_command_matched(self, command, dummy_conf):
                     wrapper = SshWrapper(command, 'auto', 'admin', '3', 'False', dummy_conf)
                     type_, name, mode = wrapper.get_repo_details('auto')
                     assert type_ == 'hg'
                     assert name == 'test-repo'
                     assert mode is 'auto'
                 @pytest.mark.parametrize(
                     'command', [
                         'hg test-repo serve --stdio',
                         'hg -R test-repo serve',
                         'hg serve --stdio',
                         'hg serve -R test-repo'
                     ])
                 def test_hg_command_not_matched(self, command, dummy_conf):
                     wrapper = SshWrapper(command, 'auto', 'admin', '3', 'False', dummy_conf)
                     type_, name, mode = wrapper.get_repo_details('auto')
                     assert type_ is None
                     assert name is None
                     assert mode is 'auto'
             class TestServe(object):
                 def test_serve_raises_an_exception_when_vcs_is_not_recognized(self, dummy_conf):
                     with mock.patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.RhodeCodeApiClient.get_repo_store'):
                         wrapper = SshWrapper('random command', 'auto', 'admin', '3', 'False', dummy_conf)
                         with pytest.raises(Exception) as exc_info:
                             wrapper.serve(
                                 vcs='microsoft-tfs', repo='test-repo', mode=None, user='test',
                                 permissions={})
                         assert exc_info.value.message == 'Unrecognised VCS: microsoft-tfs'
             class TestServeHg(object):
                 @mock.patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.RhodeCodeApiClient.invalidate_cache')
                 @mock.patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.RhodeCodeApiClient.get_user_permissions')
                 @mock.patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.RhodeCodeApiClient.get_repo_store')
                 @mock.patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.MercurialServer.run')
                 def test_serve_creates_hg_instance(
                         self, mercurial_run_mock, get_repo_store_mock, get_user_mock,
                         invalidate_cache_mock, dummy_conf):
                     repo_name = None
                     mercurial_run_mock.return_value = 0, True
                     get_user_mock.return_value = {repo_name: 'repository.admin'}
                     get_repo_store_mock.return_value = {'path': '/tmp'}
                     wrapper = SshWrapper('date', 'hg', 'admin', '3', 'False',
                                          dummy_conf)
                     exit_code = wrapper.wrap()
                     assert exit_code == 0
                     assert mercurial_run_mock.called
                     assert get_repo_store_mock.called
                     assert get_user_mock.called
                     invalidate_cache_mock.assert_called_once_with(repo_name)
                 @mock.patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.RhodeCodeApiClient.invalidate_cache')
                 @mock.patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.RhodeCodeApiClient.get_user_permissions')
                 @mock.patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.RhodeCodeApiClient.get_repo_store')
                 @mock.patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.MercurialServer.run')
                 def test_serve_hg_invalidates_cache(
                         self, mercurial_run_mock, get_repo_store_mock, get_user_mock,
                         invalidate_cache_mock, dummy_conf):
                     repo_name = None
                     mercurial_run_mock.return_value = 0, True
                     get_user_mock.return_value = {repo_name: 'repository.admin'}
                     get_repo_store_mock.return_value = {'path': '/tmp'}
                     wrapper = SshWrapper('date', 'hg', 'admin', '3', 'False',
                                          dummy_conf)
                     exit_code = wrapper.wrap()
                     assert exit_code == 0
                     assert mercurial_run_mock.called
                     assert get_repo_store_mock.called
                     assert get_user_mock.called
                     invalidate_cache_mock.assert_called_once_with(repo_name)
             class TestServeGit(object):
                 @mock.patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.RhodeCodeApiClient.invalidate_cache')
                 @mock.patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.RhodeCodeApiClient.get_user_permissions')
                 @mock.patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.RhodeCodeApiClient.get_repo_store')
                 @mock.patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.GitServer.run')
                 def test_serve_creates_git_instance(self, git_run_mock, get_repo_store_mock, get_user_mock,
                         invalidate_cache_mock, dummy_conf):
                     repo_name = None
                     git_run_mock.return_value = 0, True
                     get_user_mock.return_value = {repo_name: 'repository.admin'}
                     get_repo_store_mock.return_value = {'path': '/tmp'}
                     wrapper = SshWrapper('date', 'git', 'admin', '3', 'False',
                                          dummy_conf)
                     exit_code = wrapper.wrap()
                     assert exit_code == 0
                     assert git_run_mock.called
                     assert get_repo_store_mock.called
                     assert get_user_mock.called
                     invalidate_cache_mock.assert_called_once_with(repo_name)
                 @mock.patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.RhodeCodeApiClient.invalidate_cache')
                 @mock.patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.RhodeCodeApiClient.get_user_permissions')
                 @mock.patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.RhodeCodeApiClient.get_repo_store')
                 @mock.patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.GitServer.run')
                 def test_serve_git_invalidates_cache(
                         self, git_run_mock, get_repo_store_mock, get_user_mock,
                         invalidate_cache_mock, dummy_conf):
                     repo_name = None
                     git_run_mock.return_value = 0, True
                     get_user_mock.return_value = {repo_name: 'repository.admin'}
                     get_repo_store_mock.return_value = {'path': '/tmp'}
                     wrapper = SshWrapper('date', 'git', 'admin', '3', 'False', dummy_conf)
                     exit_code = wrapper.wrap()
                     assert exit_code == 0
                     assert git_run_mock.called
                     assert get_repo_store_mock.called
                     assert get_user_mock.called
                     invalidate_cache_mock.assert_called_once_with(repo_name)
             class TestServeSvn(object):
                 @mock.patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.RhodeCodeApiClient.invalidate_cache')
                 @mock.patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.RhodeCodeApiClient.get_user_permissions')
                 @mock.patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.RhodeCodeApiClient.get_repo_store')
                 @mock.patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.SubversionServer.run')
                 def test_serve_creates_svn_instance(
                         self, svn_run_mock, get_repo_store_mock, get_user_mock,
                         invalidate_cache_mock, dummy_conf):
                     repo_name = None
                     svn_run_mock.return_value = 0, True
                     get_user_mock.return_value = {repo_name: 'repository.admin'}
                     get_repo_store_mock.return_value = {'path': '/tmp'}
                     wrapper = SshWrapper('date', 'svn', 'admin', '3', 'False', dummy_conf)
                     exit_code = wrapper.wrap()
                     assert exit_code == 0
                     assert svn_run_mock.called
                     assert get_repo_store_mock.called
                     assert get_user_mock.called
                     invalidate_cache_mock.assert_called_once_with(repo_name)

rhodecode/apps/ssh_support/tests/test_svn_tunnel_wrapper.py

0 +1 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import subprocess
             from io import BytesIO
             from time import sleep
             import pytest
             from mock import patch, Mock, MagicMock, call
-            from rhodecode.apps.ssh_support.lib.ssh_wrapper import SubversionTunnelWrapper
+            from rhodecode.apps.ssh_support.lib.backends.svn import SubversionTunnelWrapper
             from rhodecode.tests import no_newline_id_generator
             class TestSubversionTunnelWrapper(object):
                 @pytest.mark.parametrize(
                     'input_string, output_string', [
                         [None, ''],
                         ['abcde', '5:abcde '],
                         ['abcdefghijk', '11:abcdefghijk ']
                     ])
                 def test_svn_string(self, input_string, output_string):
                     wrapper = SubversionTunnelWrapper(timeout=5)
                     assert wrapper._svn_string(input_string) == output_string
                 def test_read_first_client_response(self):
                     wrapper = SubversionTunnelWrapper(timeout=5)
                     buffer_ = '( abcd ( efg hij ) ) '
                     wrapper.stdin = BytesIO(buffer_)
                     result = wrapper._read_first_client_response()
                     assert result == buffer_
                 def test_parse_first_client_response_returns_dict(self):
                     response = (
                         '( 2 ( edit-pipeline svndiff1 absent-entries depth mergeinfo'
                         ' log-revprops ) 26:svn+ssh://vcs@vm/hello-svn 38:SVN/1.8.11'
                         ' (x86_64-apple-darwin14.1.0) ( ) ) ')
                     wrapper = SubversionTunnelWrapper(timeout=5)
                     result = wrapper._parse_first_client_response(response)
                     assert result['version'] == '2'
                     assert (
                         result['capabilities'] ==
                         'edit-pipeline svndiff1 absent-entries depth mergeinfo'
                         ' log-revprops')
                     assert result['url'] == 'svn+ssh://vcs@vm/hello-svn'
                     assert result['ra_client'] == 'SVN/1.8.11 (x86_64-apple-darwin14.1.0)'
                     assert result['client'] is None
                 def test_parse_first_client_response_returns_none_when_not_matched(self):
                     response = (
                         '( 2 ( edit-pipeline svndiff1 absent-entries depth mergeinfo'
                         ' log-revprops ) ) ')
                     wrapper = SubversionTunnelWrapper(timeout=5)
                     result = wrapper._parse_first_client_response(response)
                     assert result is None
                 def test_interrupt(self):
                     wrapper = SubversionTunnelWrapper(timeout=5)
                     with patch.object(wrapper, 'fail') as fail_mock:
                         wrapper.interrupt(1, 'frame')
                         fail_mock.assert_called_once_with("Exited by timeout")
                 def test_fail(self):
                     process_mock = Mock()
                     wrapper = SubversionTunnelWrapper(timeout=5)
                     with patch.object(wrapper, 'remove_configs') as remove_configs_mock:
                         with patch('sys.stdout', new_callable=BytesIO) as stdout_mock:
                             with patch.object(wrapper, 'process') as process_mock:
                                 wrapper.fail('test message')
                     assert (
                         stdout_mock.getvalue() ==
                         '( failure ( ( 210005 12:test message  0: 0 ) ) )\n')
                     process_mock.kill.assert_called_once_with()
                     remove_configs_mock.assert_called_once_with()
                 @pytest.mark.parametrize(
                     'client, expected_client', [
                         ['test ', 'test '],
                         ['', ''],
                         [None, '']
                     ])
                 def test_client_in_patch_first_client_response(
                         self, client, expected_client):
                     response = {
                         'version': 2,
                         'capabilities': 'edit-pipeline svndiff1 absent-entries depth',
                         'url': 'svn+ssh://example.com/svn',
                         'ra_client': 'SVN/1.8.11 (x86_64-apple-darwin14.1.0)',
                         'client': client
                     }
                     wrapper = SubversionTunnelWrapper(timeout=5)
                     stdin = BytesIO()
                     with patch.object(wrapper, 'process') as process_mock:
                         process_mock.stdin = stdin
                         wrapper.patch_first_client_response(response)
                     assert (
                         stdin.getvalue() ==
                         '( 2 ( edit-pipeline svndiff1 absent-entries depth )'
                         ' 25:svn+ssh://example.com/svn 38:SVN/1.8.11'
                         ' (x86_64-apple-darwin14.1.0) ( {expected_client}) ) '.format(
                             expected_client=expected_client))
                 def test_kwargs_override_data_in_patch_first_client_response(self):
                     response = {
                         'version': 2,
                         'capabilities': 'edit-pipeline svndiff1 absent-entries depth',
                         'url': 'svn+ssh://example.com/svn',
                         'ra_client': 'SVN/1.8.11 (x86_64-apple-darwin14.1.0)',
                         'client': 'test'
                     }
                     wrapper = SubversionTunnelWrapper(timeout=5)
                     stdin = BytesIO()
                     with patch.object(wrapper, 'process') as process_mock:
                         process_mock.stdin = stdin
                         wrapper.patch_first_client_response(
                             response, version=3, client='abcde ',
                             capabilities='absent-entries depth',
                             url='svn+ssh://example.org/test',
                             ra_client='SVN/1.8.12 (ubuntu 14.04)')
                     assert (
                         stdin.getvalue() ==
                         '( 3 ( absent-entries depth ) 26:svn+ssh://example.org/test'
                         ' 25:SVN/1.8.12 (ubuntu 14.04) ( abcde ) ) ')
                 def test_patch_first_client_response_sets_environment(self):
                     response = {
                         'version': 2,
                         'capabilities': 'edit-pipeline svndiff1 absent-entries depth',
                         'url': 'svn+ssh://example.com/svn',
                         'ra_client': 'SVN/1.8.11 (x86_64-apple-darwin14.1.0)',
                         'client': 'test'
                     }
                     wrapper = SubversionTunnelWrapper(timeout=5)
                     stdin = BytesIO()
                     with patch.object(wrapper, 'create_hooks_env') as create_hooks_mock:
                         with patch.object(wrapper, 'process') as process_mock:
                             process_mock.stdin = stdin
                             wrapper.patch_first_client_response(response)
                     create_hooks_mock.assert_called_once_with()
                 def test_get_first_client_response_exits_by_signal(self):
                     wrapper = SubversionTunnelWrapper(timeout=1)
                     read_patch = patch.object(wrapper, '_read_first_client_response')
                     parse_patch = patch.object(wrapper, '_parse_first_client_response')
                     interrupt_patch = patch.object(wrapper, 'interrupt')
                     with read_patch as read_mock, parse_patch as parse_mock, \
                             interrupt_patch as interrupt_mock:
                         read_mock.side_effect = lambda: sleep(3)
                         wrapper.get_first_client_response()
                     assert parse_mock.call_count == 0
                     assert interrupt_mock.call_count == 1
                 def test_get_first_client_response_parses_data(self):
                     wrapper = SubversionTunnelWrapper(timeout=5)
                     response = (
                         '( 2 ( edit-pipeline svndiff1 absent-entries depth mergeinfo'
                         ' log-revprops ) 26:svn+ssh://vcs@vm/hello-svn 38:SVN/1.8.11'
                         ' (x86_64-apple-darwin14.1.0) ( ) ) ')
                     read_patch = patch.object(wrapper, '_read_first_client_response')
                     parse_patch = patch.object(wrapper, '_parse_first_client_response')
                     with read_patch as read_mock, parse_patch as parse_mock:
                         read_mock.return_value = response
                         wrapper.get_first_client_response()
                     parse_mock.assert_called_once_with(response)
                 def test_return_code(self):
                     wrapper = SubversionTunnelWrapper(timeout=5)
                     with patch.object(wrapper, 'process') as process_mock:
                         process_mock.returncode = 1
                         assert wrapper.return_code == 1
                 def test_sync_loop_breaks_when_process_cannot_be_polled(self):
                     self.counter = 0
                     buffer_ = 'abcdefghij'
                     wrapper = SubversionTunnelWrapper(timeout=5)
                     wrapper.stdin = BytesIO(buffer_)
                     with patch.object(wrapper, 'remove_configs') as remove_configs_mock:
                         with patch.object(wrapper, 'process') as process_mock:
                             process_mock.poll.side_effect = self._poll
                             process_mock.stdin = BytesIO()
                             wrapper.sync()
                     assert process_mock.stdin.getvalue() == 'abcde'
                     remove_configs_mock.assert_called_once_with()
                 def test_sync_loop_breaks_when_nothing_to_read(self):
                     self.counter = 0
                     buffer_ = 'abcdefghij'
                     wrapper = SubversionTunnelWrapper(timeout=5)
                     wrapper.stdin = BytesIO(buffer_)
                     with patch.object(wrapper, 'remove_configs') as remove_configs_mock:
                         with patch.object(wrapper, 'process') as process_mock:
                             process_mock.poll.return_value = None
                             process_mock.stdin = BytesIO()
                             wrapper.sync()
                     assert process_mock.stdin.getvalue() == buffer_
                     remove_configs_mock.assert_called_once_with()
                 def test_start_without_repositories_root(self):
                     svn_path = '/usr/local/bin/svnserve'
                     wrapper = SubversionTunnelWrapper(timeout=5, svn_path=svn_path)
                     with patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.Popen') as popen_mock:
                         wrapper.start()
                     expected_command = [
                         svn_path, '-t', '--config-file', wrapper.svn_conf_path]
                     popen_mock.assert_called_once_with(
                         expected_command, stdin=subprocess.PIPE)
                     assert wrapper.process == popen_mock()
                 def test_start_with_repositories_root(self):
                     svn_path = '/usr/local/bin/svnserve'
                     repositories_root = '/home/repos'
                     wrapper = SubversionTunnelWrapper(
                         timeout=5, svn_path=svn_path, repositories_root=repositories_root)
                     with patch('rhodecode.apps.ssh_support.lib.ssh_wrapper.Popen') as popen_mock:
                         wrapper.start()
                     expected_command = [
                         svn_path, '-t', '--config-file', wrapper.svn_conf_path,
                         '-r', repositories_root]
                     popen_mock.assert_called_once_with(
                         expected_command, stdin=subprocess.PIPE)
                     assert wrapper.process == popen_mock()
                 def test_create_svn_config(self):
                     wrapper = SubversionTunnelWrapper(timeout=5)
                     file_mock = MagicMock(spec=file)
                     with patch('os.fdopen', create=True) as open_mock:
                         open_mock.return_value = file_mock
                         wrapper.create_svn_config()
                     open_mock.assert_called_once_with(wrapper.svn_conf_fd, 'w')
                     expected_content = '[general]\nhooks-env = {}\n'.format(
                         wrapper.hooks_env_path)
                     file_handle = file_mock.__enter__.return_value
                     file_handle.write.assert_called_once_with(expected_content)
                 @pytest.mark.parametrize(
                     'read_only, expected_content', [
                         [True, '[default]\nLANG = en_US.UTF-8\nSSH_READ_ONLY = 1\n'],
                         [False, '[default]\nLANG = en_US.UTF-8\n']
                     ], ids=no_newline_id_generator)
                 def test_create_hooks_env(self, read_only, expected_content):
                     wrapper = SubversionTunnelWrapper(timeout=5)
                     wrapper.read_only = read_only
                     file_mock = MagicMock(spec=file)
                     with patch('os.fdopen', create=True) as open_mock:
                         open_mock.return_value = file_mock
                         wrapper.create_hooks_env()
                     open_mock.assert_called_once_with(wrapper.hooks_env_fd, 'w')
                     file_handle = file_mock.__enter__.return_value
                     file_handle.write.assert_called_once_with(expected_content)
                 def test_remove_configs(self):
                     wrapper = SubversionTunnelWrapper(timeout=5)
                     with patch('os.remove') as remove_mock:
                         wrapper.remove_configs()
                     expected_calls = [
                         call(wrapper.svn_conf_path), call(wrapper.hooks_env_path)]
                     assert sorted(remove_mock.call_args_list) == sorted(expected_calls)
                 def _poll(self):
                     self.counter += 1
                     return None if self.counter < 6 else 1

rhodecode/apps/ssh_support/utils.py

0 +4 -2

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2017 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import os
             import stat
             import logging
             import tempfile
             import datetime
             from . import config_keys
             from rhodecode.model.db import true, joinedload, User, UserSshKeys
             log = logging.getLogger(__name__)
             HEADER = \
                 "# This file is managed by RhodeCode, please do not edit it manually. # \n" \
                 "# Current entries: {}, create date: UTC:{}.\n"
             # Default SSH options for authorized_keys file, can be override via .ini
             SSH_OPTS = 'no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding'
             def get_all_active_keys():
                 result = UserSshKeys.query() \
                     .options(joinedload(UserSshKeys.user)) \
                     .filter(UserSshKeys.user != User.get_default_user()) \
                     .filter(User.active == true()) \
                     .all()
                 return result
             def _generate_ssh_authorized_keys_file(
                     authorized_keys_file_path, ssh_wrapper_cmd, allow_shell, ssh_opts, debug):
                 import rhodecode
                 all_active_keys = get_all_active_keys()
                 if allow_shell:
                     ssh_wrapper_cmd = ssh_wrapper_cmd + ' --shell'
                 if debug:
                     ssh_wrapper_cmd = ssh_wrapper_cmd + ' --debug'
                 if not os.path.isfile(authorized_keys_file_path):
                     with open(authorized_keys_file_path, 'w'):
                         pass
                 if not os.access(authorized_keys_file_path, os.R_OK):
                     raise OSError('Access to file {} is without read access'.format(
                         authorized_keys_file_path))
-                line_tmpl = '{ssh_opts},command="{wrapper_command} {ini_path} --user-id={user_id} --user={user}" {key}\n'
+                line_tmpl = '{ssh_opts},command="{wrapper_command} {ini_path} --user-id={user_id} --user={user} --key-id={user_key_id}" {key}\n'
                 fd, tmp_authorized_keys = tempfile.mkstemp(
                     '.authorized_keys_write',
                     dir=os.path.dirname(authorized_keys_file_path))
                 now = datetime.datetime.utcnow().isoformat()
                 keys_file = os.fdopen(fd, 'wb')
                 keys_file.write(HEADER.format(len(all_active_keys), now))
                 ini_path = rhodecode.CONFIG['__file__']
                 for user_key in all_active_keys:
                     username = user_key.user.username
                     user_id = user_key.user.user_id
                     keys_file.write(
                         line_tmpl.format(
                             ssh_opts=ssh_opts or SSH_OPTS,
                             wrapper_command=ssh_wrapper_cmd,
                             ini_path=ini_path,
                             user_id=user_id,
-                            user=username, key=user_key.ssh_key_data))
+                            user=username,
+                            user_key_id=user_key.ssh_key_id,
+                            key=user_key.ssh_key_data))
                     log.debug('addkey: Key added for user: `%s`', username)
                 keys_file.close()
                 # Explicitly setting read-only permissions to authorized_keys
                 os.chmod(tmp_authorized_keys, stat.S_IRUSR | stat.S_IWUSR)
                 # Rename is atomic operation
                 os.rename(tmp_authorized_keys, authorized_keys_file_path)
             def generate_ssh_authorized_keys_file(registry):
                 log.info('Generating new authorized key file')
                 authorized_keys_file_path = registry.settings.get(
                     config_keys.authorized_keys_file_path)
                 ssh_wrapper_cmd = registry.settings.get(
                     config_keys.wrapper_cmd)
                 allow_shell = registry.settings.get(
                     config_keys.wrapper_allow_shell)
                 ssh_opts = registry.settings.get(
                     config_keys.authorized_keys_line_ssh_opts)
                 debug = registry.settings.get(
                     config_keys.enable_debug_logging)
                 _generate_ssh_authorized_keys_file(
                     authorized_keys_file_path, ssh_wrapper_cmd, allow_shell, ssh_opts,
                     debug)
                 return 0

rhodecode/tests/rhodecode.ini

0 0 -8

             ################################################################################
             ##                 RHODECODE COMMUNITY EDITION CONFIGURATION                  ##
             # The %(here)s variable will be replaced with the parent directory of this file#
             ################################################################################
             [DEFAULT]
             debug = true
             ################################################################################
             ##                            EMAIL CONFIGURATION                             ##
             ## Uncomment and replace with the email address which should receive          ##
             ## any error reports after an application crash                               ##
             ## Additionally these settings will be used by the RhodeCode mailing system   ##
             ################################################################################
             ## prefix all emails subjects with given prefix, helps filtering out emails
             #email_prefix = [RhodeCode]
             ## email FROM address all mails will be sent
             #app_email_from = rhodecode-noreply@localhost
             ## Uncomment and replace with the address which should receive any error report
             ## note: using appenlight for error handling doesn't need this to be uncommented
             #email_to = admin@localhost
             ## in case of Application errors, sent an error email form
             #error_email_from = rhodecode_error@localhost
             ## additional error message to be send in case of server crash
             #error_message =
             #smtp_server = mail.server.com
             #smtp_username =
             #smtp_password =
             #smtp_port =
             #smtp_use_tls = false
             #smtp_use_ssl = true
             ## Specify available auth parameters here (e.g. LOGIN PLAIN CRAM-MD5, etc.)
             #smtp_auth =
             [server:main]
             ## COMMON ##
             host = 0.0.0.0
             port = 5000
             ##################################
             ##     WAITRESS WSGI SERVER     ##
             ## Recommended for Development  ##
             ##################################
             use = egg:waitress#main
             ## number of worker threads
             threads = 5
             ## MAX BODY SIZE 100GB
             max_request_body_size = 107374182400
             ## Use poll instead of select, fixes file descriptors limits problems.
             ## May not work on old windows systems.
             asyncore_use_poll = true
             ##########################
             ## GUNICORN WSGI SERVER ##
             ##########################
             ## run with gunicorn --log-config rhodecode.ini --paste rhodecode.ini
             #use = egg:gunicorn#main
             ## Sets the number of process workers. You must set `instance_id = *`
             ## when this option is set to more than one worker, recommended
             ## value is (2 * NUMBER_OF_CPUS + 1), eg 2CPU = 5 workers
             ## The `instance_id = *` must be set in the [app:main] section below
             #workers = 2
             ## number of threads for each of the worker, must be set to 1 for gevent
             ## generally recommened to be at 1
             #threads = 1
             ## process name
             #proc_name = rhodecode
             ## type of worker class, one of sync, gevent
             ## recommended for bigger setup is using of of other than sync one
             #worker_class = sync
             ## The maximum number of simultaneous clients. Valid only for Gevent
             #worker_connections = 10
             ## max number of requests that worker will handle before being gracefully
             ## restarted, could prevent memory leaks
             #max_requests = 1000
             #max_requests_jitter = 30
             ## amount of time a worker can spend with handling a request before it
             ## gets killed and restarted. Set to 6hrs
             #timeout = 21600
             ## UWSGI ##
             ## run with uwsgi --ini-paste-logged <inifile.ini>
             #[uwsgi]
             #socket = /tmp/uwsgi.sock
             #master = true
             #http = 127.0.0.1:5000
             ## set as deamon and redirect all output to file
             #daemonize = ./uwsgi_rhodecode.log
             ## master process PID
             #pidfile = ./uwsgi_rhodecode.pid
             ## stats server with workers statistics, use uwsgitop
             ## for monitoring, `uwsgitop 127.0.0.1:1717`
             #stats = 127.0.0.1:1717
             #memory-report = true
             ## log 5XX errors
             #log-5xx = true
             ## Set the socket listen queue size.
             #listen = 256
             ## Gracefully Reload workers after the specified amount of managed requests
             ## (avoid memory leaks).
             #max-requests = 1000
             ## enable large buffers
             #buffer-size=65535
             ## socket and http timeouts ##
             #http-timeout=3600
             #socket-timeout=3600
             ## Log requests slower than the specified number of milliseconds.
             #log-slow = 10
             ## Exit if no app can be loaded.
             #need-app = true
             ## Set lazy mode (load apps in workers instead of master).
             #lazy = true
             ## scaling ##
             ## set cheaper algorithm to use, if not set default will be used
             #cheaper-algo = spare
             ## minimum number of workers to keep at all times
             #cheaper = 1
             ## number of workers to spawn at startup
             #cheaper-initial = 1
             ## maximum number of workers that can be spawned
             #workers = 4
             ## how many workers should be spawned at a time
             #cheaper-step = 1
             ## prefix middleware for RhodeCode.
             ## recommended when using proxy setup.
             ## allows to set RhodeCode under a prefix in server.
             ## eg https://server.com/custom_prefix. Enable `filter-with =` option below as well.
             ## And set your prefix like: `prefix = /custom_prefix`
             ## be sure to also set beaker.session.cookie_path = /custom_prefix if you need
             ## to make your cookies only work on prefix url
             [filter:proxy-prefix]
             use = egg:PasteDeploy#prefix
             prefix = /
             [app:main]
             is_test = True
             use = egg:rhodecode-enterprise-ce
             ## enable proxy prefix middleware, defined above
             #filter-with = proxy-prefix
             ## RHODECODE PLUGINS ##
             rhodecode.includes = rhodecode.api
             # api prefix url
             rhodecode.api.url = /_admin/api
             ## END RHODECODE PLUGINS ##
             ## encryption key used to encrypt social plugin tokens,
             ## remote_urls with credentials etc, if not set it defaults to
             ## `beaker.session.secret`
             #rhodecode.encrypted_values.secret =
             ## decryption strict mode (enabled by default). It controls if decryption raises
             ## `SignatureVerificationError` in case of wrong key, or damaged encryption data.
             #rhodecode.encrypted_values.strict = false
             ## return gzipped responses from Rhodecode (static files/application)
             gzip_responses = false
             ## autogenerate javascript routes file on startup
             generate_js_files = false
             ## Optional Languages
             ## en(default), be, de, es, fr, it, ja, pl, pt, ru, zh
             lang = en
             ## perform a full repository scan on each server start, this should be
             ## set to false after first startup, to allow faster server restarts.
             startup.import_repos = true
             ## Uncomment and set this path to use archive download cache.
             ## Once enabled, generated archives will be cached at this location
             ## and served from the cache during subsequent requests for the same archive of
             ## the repository.
             #archive_cache_dir = /tmp/tarballcache
             ## change this to unique ID for security
             app_instance_uuid = rc-production
             ## cut off limit for large diffs (size in bytes)
             cut_off_limit_diff = 1024000
             cut_off_limit_file = 256000
             ## use cache version of scm repo everywhere
             vcs_full_cache = false
             ## force https in RhodeCode, fixes https redirects, assumes it's always https
             ## Normally this is controlled by proper http flags sent from http server
             force_https = false
             ## use Strict-Transport-Security headers
             use_htsts = false
             ## number of commits stats will parse on each iteration
             commit_parse_limit = 25
             ## git rev filter option, --all is the default filter, if you need to
             ## hide all refs in changelog switch this to --branches --tags
             git_rev_filter = --all
             # Set to true if your repos are exposed using the dumb protocol
             git_update_server_info = false
             ## RSS/ATOM feed options
             rss_cut_off_limit = 256000
             rss_items_per_page = 10
             rss_include_diff = false
             ## gist URL alias, used to create nicer urls for gist. This should be an
             ## url that does rewrites to _admin/gists/{gistid}.
             ## example: http://gist.rhodecode.org/{gistid}. Empty means use the internal
             ## RhodeCode url, ie. http[s]://rhodecode.server/_admin/gists/{gistid}
             gist_alias_url =
             ## List of views (using glob pattern syntax) that AUTH TOKENS could be
             ## used for access.
             ## Adding ?auth_token=TOKEN_HASH to the url authenticates this request as if it
             ## came from the the logged in user who own this authentication token.
             ## Additionally @TOKEN syntaxt can be used to bound the view to specific
             ## authentication token. Such view would be only accessible when used together
             ## with this authentication token
             ##
             ## list of all views can be found under `/_admin/permissions/auth_token_access`
             ## The list should be "," separated and on a single line.
             ##
             ## Most common views to enable:
             #    RepoCommitsView:repo_commit_download
             #    RepoCommitsView:repo_commit_patch
             #    RepoCommitsView:repo_commit_raw
             #    RepoCommitsView:repo_commit_raw@TOKEN
             #    RepoFilesView:repo_files_diff
             #    RepoFilesView:repo_archivefile
             #    RepoFilesView:repo_file_raw
             #    GistView:*
             api_access_controllers_whitelist =
             ## default encoding used to convert from and to unicode
             ## can be also a comma separated list of encoding in case of mixed encodings
             default_encoding = UTF-8
             ## instance-id prefix
             ## a prefix key for this instance used for cache invalidation when running
             ## multiple instances of rhodecode, make sure it's globally unique for
             ## all running rhodecode instances. Leave empty if you don't use it
             instance_id =
             ## Fallback authentication plugin. Set this to a plugin ID to force the usage
             ## of an authentication plugin also if it is disabled by it's settings.
             ## This could be useful if you are unable to log in to the system due to broken
             ## authentication settings. Then you can enable e.g. the internal rhodecode auth
             ## module to log in again and fix the settings.
             ##
             ## Available builtin plugin IDs (hash is part of the ID):
             ## egg:rhodecode-enterprise-ce#rhodecode
             ## egg:rhodecode-enterprise-ce#pam
             ## egg:rhodecode-enterprise-ce#ldap
             ## egg:rhodecode-enterprise-ce#jasig_cas
             ## egg:rhodecode-enterprise-ce#headers
             ## egg:rhodecode-enterprise-ce#crowd
             #rhodecode.auth_plugin_fallback = egg:rhodecode-enterprise-ce#rhodecode
             ## alternative return HTTP header for failed authentication. Default HTTP
             ## response is 401 HTTPUnauthorized. Currently HG clients have troubles with
             ## handling that causing a series of failed authentication calls.
             ## Set this variable to 403 to return HTTPForbidden, or any other HTTP code
             ## This will be served instead of default 401 on bad authnetication
             auth_ret_code =
             ## use special detection method when serving auth_ret_code, instead of serving
             ## ret_code directly, use 401 initially (Which triggers credentials prompt)
             ## and then serve auth_ret_code to clients
             auth_ret_code_detection = false
             ## locking return code. When repository is locked return this HTTP code. 2XX
             ## codes don't break the transactions while 4XX codes do
             lock_ret_code = 423
             ## allows to change the repository location in settings page
             allow_repo_location_change = true
             ## allows to setup custom hooks in settings page
             allow_custom_hooks_settings = true
             ## generated license token, goto license page in RhodeCode settings to obtain
             ## new token
             license_token = abra-cada-bra1-rce3
             ## supervisor connection uri, for managing supervisor and logs.
             supervisor.uri =
             ## supervisord group name/id we only want this RC instance to handle
             supervisor.group_id = dev
             ## Display extended labs settings
             labs_settings_active = true
             ####################################
             ###        CELERY CONFIG        ####
             ####################################
             use_celery = false
             broker.host = localhost
             broker.vhost = rabbitmqhost
             broker.port = 5672
             broker.user = rabbitmq
             broker.password = qweqwe
             celery.imports = rhodecode.lib.celerylib.tasks
             celery.result.backend = amqp
             celery.result.dburi = amqp://
             celery.result.serialier = json
             #celery.send.task.error.emails = true
             #celery.amqp.task.result.expires = 18000
             celeryd.concurrency = 2
             #celeryd.log.file = celeryd.log
             celeryd.log.level = debug
             celeryd.max.tasks.per.child = 1
             ## tasks will never be sent to the queue, but executed locally instead.
             celery.always.eager = false
             ####################################
             ###         BEAKER CACHE        ####
             ####################################
             # default cache dir for templates.  Putting this into a ramdisk
             ## can boost performance, eg. %(here)s/data_ramdisk
             cache_dir = %(here)s/data
             ## locking and default file storage for Beaker. Putting this into a ramdisk
             ## can boost performance, eg. %(here)s/data_ramdisk/cache/beaker_data
             beaker.cache.data_dir = %(here)s/rc/data/cache/beaker_data
             beaker.cache.lock_dir = %(here)s/rc/data/cache/beaker_lock
             beaker.cache.regions = super_short_term, short_term, long_term, sql_cache_short, auth_plugins, repo_cache_long
             beaker.cache.super_short_term.type = memory
             beaker.cache.super_short_term.expire = 1
             beaker.cache.super_short_term.key_length = 256
             beaker.cache.short_term.type = memory
             beaker.cache.short_term.expire = 60
             beaker.cache.short_term.key_length = 256
             beaker.cache.long_term.type = memory
             beaker.cache.long_term.expire = 36000
             beaker.cache.long_term.key_length = 256
             beaker.cache.sql_cache_short.type = memory
             beaker.cache.sql_cache_short.expire = 1
             beaker.cache.sql_cache_short.key_length = 256
             ## default is memory cache, configure only if required
             ## using multi-node or multi-worker setup
             #beaker.cache.auth_plugins.type = ext:database
             #beaker.cache.auth_plugins.lock_dir = %(here)s/data/cache/auth_plugin_lock
             #beaker.cache.auth_plugins.url = postgresql://postgres:secret@localhost/rhodecode
             #beaker.cache.auth_plugins.url = mysql://root:secret@127.0.0.1/rhodecode
             #beaker.cache.auth_plugins.sa.pool_recycle = 3600
             #beaker.cache.auth_plugins.sa.pool_size = 10
             #beaker.cache.auth_plugins.sa.max_overflow = 0
             beaker.cache.repo_cache_long.type = memorylru_base
             beaker.cache.repo_cache_long.max_items = 4096
             beaker.cache.repo_cache_long.expire = 2592000
             ## default is memorylru_base cache, configure only if required
             ## using multi-node or multi-worker setup
             #beaker.cache.repo_cache_long.type = ext:memcached
             #beaker.cache.repo_cache_long.url = localhost:11211
             #beaker.cache.repo_cache_long.expire = 1209600
             #beaker.cache.repo_cache_long.key_length = 256
             ####################################
             ###       BEAKER SESSION        ####
             ####################################
             ## .session.type is type of storage options for the session, current allowed
             ## types are file, ext:memcached, ext:database, and memory (default).
             beaker.session.type = file
             beaker.session.data_dir = %(here)s/rc/data/sessions/data
             ## db based session, fast, and allows easy management over logged in users
             #beaker.session.type = ext:database
             #beaker.session.table_name = db_session
             #beaker.session.sa.url = postgresql://postgres:secret@localhost/rhodecode
             #beaker.session.sa.url = mysql://root:secret@127.0.0.1/rhodecode
             #beaker.session.sa.pool_recycle = 3600
             #beaker.session.sa.echo = false
             beaker.session.key = rhodecode
             beaker.session.secret = test-rc-uytcxaz
             beaker.session.lock_dir = %(here)s/rc/data/sessions/lock
             ## Secure encrypted cookie. Requires AES and AES python libraries
             ## you must disable beaker.session.secret to use this
             #beaker.session.encrypt_key = key_for_encryption
             #beaker.session.validate_key = validation_key
             ## sets session as invalid(also logging out user) if it haven not been
             ## accessed for given amount of time in seconds
             beaker.session.timeout = 2592000
             beaker.session.httponly = true
             ## Path to use for the cookie. Set to prefix if you use prefix middleware
             #beaker.session.cookie_path = /custom_prefix
             ## uncomment for https secure cookie
             beaker.session.secure = false
             ## auto save the session to not to use .save()
             beaker.session.auto = false
             ## default cookie expiration time in seconds, set to `true` to set expire
             ## at browser close
             #beaker.session.cookie_expires = 3600
             ###################################
             ## SEARCH INDEXING CONFIGURATION ##
             ###################################
             ## Full text search indexer is available in rhodecode-tools under
             ## `rhodecode-tools index` command
             ## WHOOSH Backend, doesn't require additional services to run
             ## it works good with few dozen repos
             search.module = rhodecode.lib.index.whoosh
             search.location = %(here)s/data/index
             ########################################
             ###    CHANNELSTREAM CONFIG         ####
             ########################################
             ## channelstream enables persistent connections and live notification
             ## in the system. It's also used by the chat system
             channelstream.enabled = false
             ## server address for channelstream server on the backend
             channelstream.server = 127.0.0.1:9800
             ## location of the channelstream server from outside world
             ## use ws:// for http or wss:// for https. This address needs to be handled
             ## by external HTTP server such as Nginx or Apache
             ## see nginx/apache configuration examples in our docs
             channelstream.ws_url = ws://rhodecode.yourserver.com/_channelstream
             channelstream.secret = secret
             channelstream.history.location = %(here)s/channelstream_history
             ## Internal application path that Javascript uses to connect into.
             ## If you use proxy-prefix the prefix should be added before /_channelstream
             channelstream.proxy_path = /_channelstream
             ###################################
             ##       APPENLIGHT CONFIG       ##
             ###################################
             ## Appenlight is tailored to work with RhodeCode, see
             ## http://appenlight.com for details how to obtain an account
             ## appenlight integration enabled
             appenlight = false
             appenlight.server_url = https://api.appenlight.com
             appenlight.api_key = YOUR_API_KEY
             #appenlight.transport_config = https://api.appenlight.com?threaded=1&timeout=5
             # used for JS client
             appenlight.api_public_key = YOUR_API_PUBLIC_KEY
             ## TWEAK AMOUNT OF INFO SENT HERE
             ## enables 404 error logging (default False)
             appenlight.report_404 = false
             ## time in seconds after request is considered being slow (default 1)
             appenlight.slow_request_time = 1
             ## record slow requests in application
             ## (needs to be enabled for slow datastore recording and time tracking)
             appenlight.slow_requests = true
             ## enable hooking to application loggers
             appenlight.logging = true
             ## minimum log level for log capture
             appenlight.logging.level = WARNING
             ## send logs only from erroneous/slow requests
             ## (saves API quota for intensive logging)
             appenlight.logging_on_error = false
             ## list of additonal keywords that should be grabbed from environ object
             ## can be string with comma separated list of words in lowercase
             ## (by default client will always send following info:
             ## 'REMOTE_USER', 'REMOTE_ADDR', 'SERVER_NAME', 'CONTENT_TYPE' + all keys that
             ## start with HTTP* this list be extended with additional keywords here
             appenlight.environ_keys_whitelist =
             ## list of keywords that should be blanked from request object
             ## can be string with comma separated list of words in lowercase
             ## (by default client will always blank keys that contain following words
             ## 'password', 'passwd', 'pwd', 'auth_tkt', 'secret', 'csrf'
             ## this list be extended with additional keywords set here
             appenlight.request_keys_blacklist =
             ## list of namespaces that should be ignores when gathering log entries
             ## can be string with comma separated list of namespaces
             ## (by default the client ignores own entries: appenlight_client.client)
             appenlight.log_namespace_blacklist =
             ################################################################################
             ## WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*  ##
             ## Debug mode will enable the interactive debugging tool, allowing ANYONE to  ##
             ## execute malicious code after an exception is raised.                       ##
             ################################################################################
             set debug = false
             ##############
             ## STYLING  ##
             ##############
             debug_style = false
             ###########################################
             ###   MAIN RHODECODE DATABASE CONFIG    ###
             ###########################################
             #sqlalchemy.db1.url = sqlite:///%(here)s/rhodecode_test.db?timeout=30
             #sqlalchemy.db1.url = postgresql://postgres:qweqwe@localhost/rhodecode_test
             #sqlalchemy.db1.url = mysql://root:qweqwe@localhost/rhodecode_test
             sqlalchemy.db1.url = sqlite:///%(here)s/rhodecode_test.db?timeout=30
             # see sqlalchemy docs for other advanced settings
             ## print the sql statements to output
             sqlalchemy.db1.echo = false
             ## recycle the connections after this amount of seconds
             sqlalchemy.db1.pool_recycle = 3600
             sqlalchemy.db1.convert_unicode = true
             ## the number of connections to keep open inside the connection pool.
             ## 0 indicates no limit
             #sqlalchemy.db1.pool_size = 5
             ## the number of connections to allow in connection pool "overflow", that is
             ## connections that can be opened above and beyond the pool_size setting,
             ## which defaults to five.
             #sqlalchemy.db1.max_overflow = 10
             ##################
             ### VCS CONFIG ###
             ##################
             vcs.server.enable = true
             vcs.server = localhost:9901
             ## Web server connectivity protocol, responsible for web based VCS operatations
             ## Available protocols are:
             ## `http` - use http-rpc backend (default)
             vcs.server.protocol = http
             ## Push/Pull operations protocol, available options are:
             ## `http` - use http-rpc backend (default)
             ## `vcsserver.scm_app` - internal app (EE only)
             vcs.scm_app_implementation = http
             ## Push/Pull operations hooks protocol, available options are:
             ## `http` - use http-rpc backend (default)
             vcs.hooks.protocol = http
             vcs.server.log_level = debug
             ## Start VCSServer with this instance as a subprocess, usefull for development
             vcs.start_server = false
             ## List of enabled VCS backends, available options are:
             ## `hg`  - mercurial
             ## `git` - git
             ## `svn` - subversion
             vcs.backends = hg, git, svn
             vcs.connection_timeout = 3600
             ## Compatibility version when creating SVN repositories. Defaults to newest version when commented out.
             ## Available options are: pre-1.4-compatible, pre-1.5-compatible, pre-1.6-compatible, pre-1.8-compatible, pre-1.9-compatible
             #vcs.svn.compatible_version = pre-1.8-compatible
             ############################################################
             ### Subversion proxy support (mod_dav_svn)               ###
             ### Maps RhodeCode repo groups into SVN paths for Apache ###
             ############################################################
             ## Enable or disable the config file generation.
             svn.proxy.generate_config = false
             ## Generate config file with `SVNListParentPath` set to `On`.
             svn.proxy.list_parent_path = true
             ## Set location and file name of generated config file.
             svn.proxy.config_file_path = %(here)s/mod_dav_svn.conf
             ## Used as a prefix to the `Location` block in the generated config file.
             ## In most cases it should be set to `/`.
             svn.proxy.location_root = /
             ## Command to reload the mod dav svn configuration on change.
             ## Example: `/etc/init.d/apache2 reload`
             #svn.proxy.reload_cmd = /etc/init.d/apache2 reload
             ## If the timeout expires before the reload command finishes, the command will
             ## be killed. Setting it to zero means no timeout. Defaults to 10 seconds.
             #svn.proxy.reload_timeout = 10
             ############################################################
             ### SSH Support Settings                                 ###
             ############################################################
             ## Defines if the authorized_keys file should be written on any change of
             ## user ssh keys, setting this to false also disables posibility of adding
             ## ssh keys for users from web interface.
             ssh.generate_authorized_keyfile = true
             ## Options for ssh, default is `no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding`
             # ssh.authorized_keys_ssh_opts =
             ## File to generate the authorized keys together with options
             ## It is possible to have multiple key files specified in `sshd_config` e.g.
             ## AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_rhodecode
             ssh.authorized_keys_file_path = %(here)s/rc/authorized_keys_rhodecode
             ## Command to execute the SSH wrapper. The binary is available in the
             ## rhodecode installation directory.
             ## e.g ~/.rccontrol/community-1/profile/bin/rc-ssh-wrapper
             ssh.wrapper_cmd = ~/.rccontrol/community-1/rc-ssh-wrapper
             ## Allow shell when executing the ssh-wrapper command
             ssh.wrapper_cmd_allow_shell = false
             ## Enables logging, and detailed output send back to the client. Usefull for
             ## debugging, shouldn't be used in production.
             ssh.enable_debug_logging = false
-            ## API KEY for user who has access to fetch other user permission information
-            ## most likely an super-admin account with some IP restrictions.
-            ssh.api_key =
-            ## API Host, the server address of RhodeCode instance that the api_key will
-            ## access
-            ssh.api_host = http://localhost
             ## Paths to binary executrables, by default they are the names, but we can
             ## override them if we want to use a custom one
             ssh.executable.hg = ~/.rccontrol/vcsserver-1/profile/bin/hg
             ssh.executable.git = ~/.rccontrol/vcsserver-1/profile/bin/git
             ssh.executable.svn = ~/.rccontrol/vcsserver-1/profile/bin/svnserve
             ## Dummy marker to add new entries after.
             ## Add any custom entries below. Please don't remove.
             custom.conf = 1
             ################################
             ### LOGGING CONFIGURATION   ####
             ################################
             [loggers]
             keys = root, routes, rhodecode, sqlalchemy, beaker, templates, ssh_wrapper
             [handlers]
             keys = console, console_sql
             [formatters]
             keys = generic, color_formatter, color_formatter_sql
             #############
             ## LOGGERS ##
             #############
             [logger_root]
             level = NOTSET
             handlers = console
             [logger_routes]
             level = DEBUG
             handlers =
             qualname = routes.middleware
             ## "level = DEBUG" logs the route matched and routing variables.
             propagate = 1
             [logger_beaker]
             level = DEBUG
             handlers =
             qualname = beaker.container
             propagate = 1
             [logger_templates]
             level = INFO
             handlers =
             qualname = pylons.templating
             propagate = 1
             [logger_rhodecode]
             level = DEBUG
             handlers =
             qualname = rhodecode
             propagate = 1
             [logger_sqlalchemy]
             level = ERROR
             handlers = console_sql
             qualname = sqlalchemy.engine
             propagate = 0
             [logger_ssh_wrapper]
             level = DEBUG
             handlers =
             qualname = ssh_wrapper
             propagate = 1
             ##############
             ## HANDLERS ##
             ##############
             [handler_console]
             class = StreamHandler
             args = (sys.stderr,)
             level = DEBUG
             formatter = generic
             [handler_console_sql]
             class = StreamHandler
             args = (sys.stderr,)
             level = WARN
             formatter = generic
             ################
             ## FORMATTERS ##
             ################
             [formatter_generic]
             class = rhodecode.lib.logging_formatter.ExceptionAwareFormatter
             format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S
             [formatter_color_formatter]
             class = rhodecode.lib.logging_formatter.ColorFormatter
             format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S
             [formatter_color_formatter_sql]
             class = rhodecode.lib.logging_formatter.ColorFormatterSql
             format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages