encryption: added new backend using cryptography + Fernet encryption....
marcink -
r3522:3910c057 default


@@ -0,0 +1,69 b''
1 import os
2 import base64
3 from cryptography.fernet import Fernet, InvalidToken
4 from cryptography.hazmat.backends import default_backend
5 from cryptography.hazmat.primitives import hashes
6 from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
7
8
9 class Encryptor(object):
10 key_format = 'enc2$salt:{}$data:{}'
11 pref_len = 5 # salt:, data:
12
13 def __init__(self, enc_key):
14 self.enc_key = enc_key
15
16 def b64_encode(self, data):
17 return base64.urlsafe_b64encode(data)
18
19 def b64_decode(self, data):
20 return base64.urlsafe_b64decode(data)
21
22 def get_encryptor(self, salt):
23 """
24 Uses Fernet as encryptor with HMAC signature
25 :param salt: random salt used for encrypting the data
26 """
27 kdf = PBKDF2HMAC(
28 algorithm=hashes.SHA512(),
29 length=32,
30 salt=salt,
31 iterations=100000,
32 backend=default_backend()
33 )
34 key = self.b64_encode(kdf.derive(self.enc_key))
35 return Fernet(key)
36
37 def _get_parts(self, enc_data):
38 parts = enc_data.split('$', 3)
39 if len(parts) != 3:
40 raise ValueError('Encrypted Data has invalid format, expected {}'.format(self.key_format))
41 prefix, salt, enc_data = parts
42
43 try:
44 salt = self.b64_decode(salt[self.pref_len:])
45 except TypeError:
46 # bad base64
47 raise ValueError('Encrypted Data salt invalid format, expected base64 format')
48
49 enc_data = enc_data[self.pref_len:]
50 return prefix, salt, enc_data
51
52 def encrypt(self, data):
53 salt = os.urandom(64)
54 encryptor = self.get_encryptor(salt)
55 enc_data = encryptor.encrypt(data)
56 return self.key_format.format(self.b64_encode(salt), enc_data)
57
58 def decrypt(self, data, safe=True):
59 parts = self._get_parts(data)
60 salt = parts[1]
61 enc_data = parts[2]
62 encryptor = self.get_encryptor(salt)
63 try:
64 return encryptor.decrypt(enc_data)
65 except (InvalidToken,):
66 if safe:
67 return ''
68 else:
69 raise
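Review bot: `_get_parts` never verifies what it strips — `prefix` is unpacked but not compared to `enc2`, and `salt[self.pref_len:]` / `enc_data[self.pref_len:]` drop five characters whether or not they are `salt:` / `data:`, so a value in some other format can still base64-decode to a random salt and only fail later as `InvalidToken`, which `decrypt(safe=True)` then turns into `''`. I would reject the format explicitly before slicing, e.g. `if prefix != 'enc2' or not salt.startswith('salt:') or not enc_data.startswith('data:'): raise ValueError('Encrypted Data has invalid format, expected {}'.format(self.key_format))`. Separately, the `safe=True` default makes a wrong or rotated key and a tampered token indistinguishable from an empty secret, while a malformed string still raises from `_get_parts` regardless of `safe`; the ini commentary describes strict decryption as the default, so the caller presumably passes `safe` from `rhodecode.encrypted_values.strict`, but the method's own default should arguably be `safe=False` so a direct call fails loudly. Also `enc_data.split('$', 3)` permits four parts while the check demands exactly three; `split('$', 2)` states the intent.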
@@ -1,732 +1,737 b''
1 1
2 2
3 3 ################################################################################
4 4 ## RHODECODE COMMUNITY EDITION CONFIGURATION ##
5 5 ################################################################################
6 6
7 7 [DEFAULT]
8 8 ## Debug flag sets all loggers to debug, and enables request tracking
9 9 debug = true
10 10
11 11 ################################################################################
12 12 ## EMAIL CONFIGURATION ##
13 13 ## Uncomment and replace with the email address which should receive ##
14 14 ## any error reports after an application crash ##
15 15 ## Additionally these settings will be used by the RhodeCode mailing system ##
16 16 ################################################################################
17 17
18 18 ## prefix all emails subjects with given prefix, helps filtering out emails
19 19 #email_prefix = [RhodeCode]
20 20
21 21 ## email FROM address all mails will be sent
22 22 #app_email_from = rhodecode-noreply@localhost
23 23
24 24 #smtp_server = mail.server.com
25 25 #smtp_username =
26 26 #smtp_password =
27 27 #smtp_port =
28 28 #smtp_use_tls = false
29 29 #smtp_use_ssl = true
30 30
31 31 [server:main]
32 32 ## COMMON ##
33 33 host = 127.0.0.1
34 34 port = 5000
35 35
36 36 ###########################################################
37 37 ## WAITRESS WSGI SERVER - Recommended for Development ####
38 38 ###########################################################
39 39
40 40 use = egg:waitress#main
41 41 ## number of worker threads
42 42 threads = 5
43 43 ## MAX BODY SIZE 100GB
44 44 max_request_body_size = 107374182400
45 45 ## Use poll instead of select, fixes file descriptors limits problems.
46 46 ## May not work on old windows systems.
47 47 asyncore_use_poll = true
48 48
49 49
50 50 ##########################
51 51 ## GUNICORN WSGI SERVER ##
52 52 ##########################
53 53 ## run with gunicorn --log-config rhodecode.ini --paste rhodecode.ini
54 54
55 55 #use = egg:gunicorn#main
56 56 ## Sets the number of process workers. More workers means more concurrent connections
57 57 ## RhodeCode can handle at the same time. Each additional worker also it increases
58 58 ## memory usage as each has it's own set of caches.
59 59 ## Recommended value is (2 * NUMBER_OF_CPUS + 1), eg 2CPU = 5 workers, but no more
60 60 ## than 8-10 unless for really big deployments .e.g 700-1000 users.
61 61 ## `instance_id = *` must be set in the [app:main] section below (which is the default)
62 62 ## when using more than 1 worker.
63 63 #workers = 2
64 64 ## process name visible in process list
65 65 #proc_name = rhodecode
66 66 ## type of worker class, one of sync, gevent
67 67 ## recommended for bigger setup is using of of other than sync one
68 68 #worker_class = gevent
69 69 ## The maximum number of simultaneous clients. Valid only for Gevent
70 70 #worker_connections = 10
71 71 ## max number of requests that worker will handle before being gracefully
72 72 ## restarted, could prevent memory leaks
73 73 #max_requests = 1000
74 74 #max_requests_jitter = 30
75 75 ## amount of time a worker can spend with handling a request before it
76 76 ## gets killed and restarted. Set to 6hrs
77 77 #timeout = 21600
78 78
79 79
80 80 ## prefix middleware for RhodeCode.
81 81 ## recommended when using proxy setup.
82 82 ## allows to set RhodeCode under a prefix in server.
83 83 ## eg https://server.com/custom_prefix. Enable `filter-with =` option below as well.
84 84 ## And set your prefix like: `prefix = /custom_prefix`
85 85 ## be sure to also set beaker.session.cookie_path = /custom_prefix if you need
86 86 ## to make your cookies only work on prefix url
87 87 [filter:proxy-prefix]
88 88 use = egg:PasteDeploy#prefix
89 89 prefix = /
90 90
91 91 [app:main]
92 92 ## The %(here)s variable will be replaced with the absolute path of parent directory
93 93 ## of this file
94 94 ## In addition ENVIRONMENT variables usage is possible, e.g
95 95 ## sqlalchemy.db1.url = {ENV_RC_DB_URL}
96 96
97 97 use = egg:rhodecode-enterprise-ce
98 98
99 99 ## enable proxy prefix middleware, defined above
100 100 #filter-with = proxy-prefix
101 101
102 102 # During development the we want to have the debug toolbar enabled
103 103 pyramid.includes =
104 104 pyramid_debugtoolbar
105 105 rhodecode.lib.middleware.request_wrapper
106 106
107 107 pyramid.reload_templates = true
108 108
109 109 debugtoolbar.hosts = 0.0.0.0/0
110 110 debugtoolbar.exclude_prefixes =
111 111 /css
112 112 /fonts
113 113 /images
114 114 /js
115 115
116 116 ## RHODECODE PLUGINS ##
117 117 rhodecode.includes =
118 118 rhodecode.api
119 119
120 120
121 121 # api prefix url
122 122 rhodecode.api.url = /_admin/api
123 123
124 124
125 125 ## END RHODECODE PLUGINS ##
126 126
127 127 ## encryption key used to encrypt social plugin tokens,
128 128 ## remote_urls with credentials etc, if not set it defaults to
129 129 ## `beaker.session.secret`
130 130 #rhodecode.encrypted_values.secret =
131 131
132 132 ## decryption strict mode (enabled by default). It controls if decryption raises
133 133 ## `SignatureVerificationError` in case of wrong key, or damaged encryption data.
134 134 #rhodecode.encrypted_values.strict = false
135 135
136 ## Pick algorithm for encryption. Either fernet (more secure) or aes (default)
137 ## fernet is safer, and we strongly recommend switching to it.
138 ## Due to backward compatibility aes is used as default.
139 #rhodecode.encrypted_values.algorithm = fernet
140
136 141 ## return gzipped responses from RhodeCode (static files/application)
137 142 gzip_responses = false
138 143
139 144 ## auto-generate javascript routes file on startup
140 145 generate_js_files = false
141 146
142 147 ## System global default language.
143 148 ## All available languages: en(default), be, de, es, fr, it, ja, pl, pt, ru, zh
144 149 lang = en
145 150
146 151 ## Perform a full repository scan and import on each server start.
147 152 ## Settings this to true could lead to very long startup time.
148 153 startup.import_repos = false
149 154
150 155 ## Uncomment and set this path to use archive download cache.
151 156 ## Once enabled, generated archives will be cached at this location
152 157 ## and served from the cache during subsequent requests for the same archive of
153 158 ## the repository.
154 159 #archive_cache_dir = /tmp/tarballcache
155 160
156 161 ## URL at which the application is running. This is used for Bootstrapping
157 162 ## requests in context when no web request is available. Used in ishell, or
158 163 ## SSH calls. Set this for events to receive proper url for SSH calls.
159 164 app.base_url = http://rhodecode.local
160 165
161 166 ## Unique application ID. Should be a random unique string for security.
162 167 app_instance_uuid = rc-production
163 168
164 169 ## Cut off limit for large diffs (size in bytes). If overall diff size on
165 170 ## commit, or pull request exceeds this limit this diff will be displayed
166 171 ## partially. E.g 512000 == 512Kb
167 172 cut_off_limit_diff = 512000
168 173
169 174 ## Cut off limit for large files inside diffs (size in bytes). Each individual
170 175 ## file inside diff which exceeds this limit will be displayed partially.
171 176 ## E.g 128000 == 128Kb
172 177 cut_off_limit_file = 128000
173 178
174 179 ## use cached version of vcs repositories everywhere. Recommended to be `true`
175 180 vcs_full_cache = true
176 181
177 182 ## Force https in RhodeCode, fixes https redirects, assumes it's always https.
178 183 ## Normally this is controlled by proper http flags sent from http server
179 184 force_https = false
180 185
181 186 ## use Strict-Transport-Security headers
182 187 use_htsts = false
183 188
184 189 ## git rev filter option, --all is the default filter, if you need to
185 190 ## hide all refs in changelog switch this to --branches --tags
186 191 git_rev_filter = --branches --tags
187 192
188 193 # Set to true if your repos are exposed using the dumb protocol
189 194 git_update_server_info = false
190 195
191 196 ## RSS/ATOM feed options
192 197 rss_cut_off_limit = 256000
193 198 rss_items_per_page = 10
194 199 rss_include_diff = false
195 200
196 201 ## gist URL alias, used to create nicer urls for gist. This should be an
197 202 ## url that does rewrites to _admin/gists/{gistid}.
198 203 ## example: http://gist.rhodecode.org/{gistid}. Empty means use the internal
199 204 ## RhodeCode url, ie. http[s]://rhodecode.server/_admin/gists/{gistid}
200 205 gist_alias_url =
201 206
202 207 ## List of views (using glob pattern syntax) that AUTH TOKENS could be
203 208 ## used for access.
204 209 ## Adding ?auth_token=TOKEN_HASH to the url authenticates this request as if it
205 210 ## came from the the logged in user who own this authentication token.
206 211 ## Additionally @TOKEN syntax can be used to bound the view to specific
207 212 ## authentication token. Such view would be only accessible when used together
208 213 ## with this authentication token
209 214 ##
210 215 ## list of all views can be found under `/_admin/permissions/auth_token_access`
211 216 ## The list should be "," separated and on a single line.
212 217 ##
213 218 ## Most common views to enable:
214 219 # RepoCommitsView:repo_commit_download
215 220 # RepoCommitsView:repo_commit_patch
216 221 # RepoCommitsView:repo_commit_raw
217 222 # RepoCommitsView:repo_commit_raw@TOKEN
218 223 # RepoFilesView:repo_files_diff
219 224 # RepoFilesView:repo_archivefile
220 225 # RepoFilesView:repo_file_raw
221 226 # GistView:*
222 227 api_access_controllers_whitelist =
223 228
224 229 ## Default encoding used to convert from and to unicode
225 230 ## can be also a comma separated list of encoding in case of mixed encodings
226 231 default_encoding = UTF-8
227 232
228 233 ## instance-id prefix
229 234 ## a prefix key for this instance used for cache invalidation when running
230 235 ## multiple instances of RhodeCode, make sure it's globally unique for
231 236 ## all running RhodeCode instances. Leave empty if you don't use it
232 237 instance_id =
233 238
234 239 ## Fallback authentication plugin. Set this to a plugin ID to force the usage
235 240 ## of an authentication plugin also if it is disabled by it's settings.
236 241 ## This could be useful if you are unable to log in to the system due to broken
237 242 ## authentication settings. Then you can enable e.g. the internal RhodeCode auth
238 243 ## module to log in again and fix the settings.
239 244 ##
240 245 ## Available builtin plugin IDs (hash is part of the ID):
241 246 ## egg:rhodecode-enterprise-ce#rhodecode
242 247 ## egg:rhodecode-enterprise-ce#pam
243 248 ## egg:rhodecode-enterprise-ce#ldap
244 249 ## egg:rhodecode-enterprise-ce#jasig_cas
245 250 ## egg:rhodecode-enterprise-ce#headers
246 251 ## egg:rhodecode-enterprise-ce#crowd
247 252 #rhodecode.auth_plugin_fallback = egg:rhodecode-enterprise-ce#rhodecode
248 253
249 254 ## alternative return HTTP header for failed authentication. Default HTTP
250 255 ## response is 401 HTTPUnauthorized. Currently HG clients have troubles with
251 256 ## handling that causing a series of failed authentication calls.
252 257 ## Set this variable to 403 to return HTTPForbidden, or any other HTTP code
253 258 ## This will be served instead of default 401 on bad authentication
254 259 auth_ret_code =
255 260
256 261 ## use special detection method when serving auth_ret_code, instead of serving
257 262 ## ret_code directly, use 401 initially (Which triggers credentials prompt)
258 263 ## and then serve auth_ret_code to clients
259 264 auth_ret_code_detection = false
260 265
261 266 ## locking return code. When repository is locked return this HTTP code. 2XX
262 267 ## codes don't break the transactions while 4XX codes do
263 268 lock_ret_code = 423
264 269
265 270 ## allows to change the repository location in settings page
266 271 allow_repo_location_change = true
267 272
268 273 ## allows to setup custom hooks in settings page
269 274 allow_custom_hooks_settings = true
270 275
271 276 ## Generated license token required for EE edition license.
272 277 ## New generated token value can be found in Admin > settings > license page.
273 278 license_token =
274 279
275 280 ## supervisor connection uri, for managing supervisor and logs.
276 281 supervisor.uri =
277 282 ## supervisord group name/id we only want this RC instance to handle
278 283 supervisor.group_id = dev
279 284
280 285 ## Display extended labs settings
281 286 labs_settings_active = true
282 287
283 288 ## Custom exception store path, defaults to TMPDIR
284 289 ## This is used to store exception from RhodeCode in shared directory
285 290 #exception_tracker.store_path =
286 291
287 292 ## File store configuration. This is used to store and serve uploaded files
288 293 file_store.enabled = true
289 294 ## Storage backend, available options are: local
290 295 file_store.backend = local
291 296 ## path to store the uploaded binaries
292 297 file_store.storage_path = %(here)s/data/file_store
293 298
294 299
295 300 ####################################
296 301 ### CELERY CONFIG ####
297 302 ####################################
298 303 ## run: /path/to/celery worker \
299 304 ## -E --beat --app rhodecode.lib.celerylib.loader \
300 305 ## --scheduler rhodecode.lib.celerylib.scheduler.RcScheduler \
301 306 ## --loglevel DEBUG --ini /path/to/rhodecode.ini
302 307
303 308 use_celery = false
304 309
305 310 ## connection url to the message broker (default rabbitmq)
306 311 celery.broker_url = amqp://rabbitmq:qweqwe@localhost:5672/rabbitmqhost
307 312
308 313 ## maximum tasks to execute before worker restart
309 314 celery.max_tasks_per_child = 100
310 315
311 316 ## tasks will never be sent to the queue, but executed locally instead.
312 317 celery.task_always_eager = false
313 318
314 319 #####################################
315 320 ### DOGPILE CACHE ####
316 321 #####################################
317 322 ## Default cache dir for caches. Putting this into a ramdisk
318 323 ## can boost performance, eg. /tmpfs/data_ramdisk, however this directory might require
319 324 ## large amount of space
320 325 cache_dir = %(here)s/data
321 326
322 327 ## `cache_perms` cache settings for permission tree, auth TTL.
323 328 rc_cache.cache_perms.backend = dogpile.cache.rc.file_namespace
324 329 rc_cache.cache_perms.expiration_time = 300
325 330
326 331 ## alternative `cache_perms` redis backend with distributed lock
327 332 #rc_cache.cache_perms.backend = dogpile.cache.rc.redis
328 333 #rc_cache.cache_perms.expiration_time = 300
329 334 ## redis_expiration_time needs to be greater then expiration_time
330 335 #rc_cache.cache_perms.arguments.redis_expiration_time = 7200
331 336 #rc_cache.cache_perms.arguments.socket_timeout = 30
332 337 #rc_cache.cache_perms.arguments.host = localhost
333 338 #rc_cache.cache_perms.arguments.port = 6379
334 339 #rc_cache.cache_perms.arguments.db = 0
335 340 ## more Redis options: https://dogpilecache.sqlalchemy.org/en/latest/api.html#redis-backends
336 341 #rc_cache.cache_perms.arguments.distributed_lock = true
337 342
338 343 ## `cache_repo` cache settings for FileTree, Readme, RSS FEEDS
339 344 rc_cache.cache_repo.backend = dogpile.cache.rc.file_namespace
340 345 rc_cache.cache_repo.expiration_time = 2592000
341 346
342 347 ## alternative `cache_repo` redis backend with distributed lock
343 348 #rc_cache.cache_repo.backend = dogpile.cache.rc.redis
344 349 #rc_cache.cache_repo.expiration_time = 2592000
345 350 ## redis_expiration_time needs to be greater then expiration_time
346 351 #rc_cache.cache_repo.arguments.redis_expiration_time = 2678400
347 352 #rc_cache.cache_repo.arguments.socket_timeout = 30
348 353 #rc_cache.cache_repo.arguments.host = localhost
349 354 #rc_cache.cache_repo.arguments.port = 6379
350 355 #rc_cache.cache_repo.arguments.db = 1
351 356 ## more Redis options: https://dogpilecache.sqlalchemy.org/en/latest/api.html#redis-backends
352 357 #rc_cache.cache_repo.arguments.distributed_lock = true
353 358
354 359 ## cache settings for SQL queries, this needs to use memory type backend
355 360 rc_cache.sql_cache_short.backend = dogpile.cache.rc.memory_lru
356 361 rc_cache.sql_cache_short.expiration_time = 30
357 362
358 363 ## `cache_repo_longterm` cache for repo object instances, this needs to use memory
359 364 ## type backend as the objects kept are not pickle serializable
360 365 rc_cache.cache_repo_longterm.backend = dogpile.cache.rc.memory_lru
361 366 ## by default we use 96H, this is using invalidation on push anyway
362 367 rc_cache.cache_repo_longterm.expiration_time = 345600
363 368 ## max items in LRU cache, reduce this number to save memory, and expire last used
364 369 ## cached objects
365 370 rc_cache.cache_repo_longterm.max_size = 10000
366 371
367 372
368 373 ####################################
369 374 ### BEAKER SESSION ####
370 375 ####################################
371 376
372 377 ## .session.type is type of storage options for the session, current allowed
373 378 ## types are file, ext:memcached, ext:redis, ext:database, and memory (default).
374 379 beaker.session.type = file
375 380 beaker.session.data_dir = %(here)s/data/sessions
376 381
377 382 ## db based session, fast, and allows easy management over logged in users
378 383 #beaker.session.type = ext:database
379 384 #beaker.session.table_name = db_session
380 385 #beaker.session.sa.url = postgresql://postgres:secret@localhost/rhodecode
381 386 #beaker.session.sa.url = mysql://root:secret@127.0.0.1/rhodecode
382 387 #beaker.session.sa.pool_recycle = 3600
383 388 #beaker.session.sa.echo = false
384 389
385 390 beaker.session.key = rhodecode
386 391 beaker.session.secret = develop-rc-uytcxaz
387 392 beaker.session.lock_dir = %(here)s/data/sessions/lock
388 393
389 394 ## Secure encrypted cookie. Requires AES and AES python libraries
390 395 ## you must disable beaker.session.secret to use this
391 396 #beaker.session.encrypt_key = key_for_encryption
392 397 #beaker.session.validate_key = validation_key
393 398
394 399 ## sets session as invalid(also logging out user) if it haven not been
395 400 ## accessed for given amount of time in seconds
396 401 beaker.session.timeout = 2592000
397 402 beaker.session.httponly = true
398 403 ## Path to use for the cookie. Set to prefix if you use prefix middleware
399 404 #beaker.session.cookie_path = /custom_prefix
400 405
401 406 ## uncomment for https secure cookie
402 407 beaker.session.secure = false
403 408
404 409 ## auto save the session to not to use .save()
405 410 beaker.session.auto = false
406 411
407 412 ## default cookie expiration time in seconds, set to `true` to set expire
408 413 ## at browser close
409 414 #beaker.session.cookie_expires = 3600
410 415
411 416 ###################################
412 417 ## SEARCH INDEXING CONFIGURATION ##
413 418 ###################################
414 419 ## Full text search indexer is available in rhodecode-tools under
415 420 ## `rhodecode-tools index` command
416 421
417 422 ## WHOOSH Backend, doesn't require additional services to run
418 423 ## it works good with few dozen repos
419 424 search.module = rhodecode.lib.index.whoosh
420 425 search.location = %(here)s/data/index
421 426
422 427 ########################################
423 428 ### CHANNELSTREAM CONFIG ####
424 429 ########################################
425 430 ## channelstream enables persistent connections and live notification
426 431 ## in the system. It's also used by the chat system
427 432
428 433 channelstream.enabled = false
429 434
430 435 ## server address for channelstream server on the backend
431 436 channelstream.server = 127.0.0.1:9800
432 437
433 438 ## location of the channelstream server from outside world
434 439 ## use ws:// for http or wss:// for https. This address needs to be handled
435 440 ## by external HTTP server such as Nginx or Apache
436 441 ## see Nginx/Apache configuration examples in our docs
437 442 channelstream.ws_url = ws://rhodecode.yourserver.com/_channelstream
438 443 channelstream.secret = secret
439 444 channelstream.history.location = %(here)s/channelstream_history
440 445
441 446 ## Internal application path that Javascript uses to connect into.
442 447 ## If you use proxy-prefix the prefix should be added before /_channelstream
443 448 channelstream.proxy_path = /_channelstream
444 449
445 450
446 451 ###################################
447 452 ## APPENLIGHT CONFIG ##
448 453 ###################################
449 454
450 455 ## Appenlight is tailored to work with RhodeCode, see
451 456 ## http://appenlight.com for details how to obtain an account
452 457
453 458 ## Appenlight integration enabled
454 459 appenlight = false
455 460
456 461 appenlight.server_url = https://api.appenlight.com
457 462 appenlight.api_key = YOUR_API_KEY
458 463 #appenlight.transport_config = https://api.appenlight.com?threaded=1&timeout=5
459 464
460 465 ## used for JS client
461 466 appenlight.api_public_key = YOUR_API_PUBLIC_KEY
462 467
463 468 ## TWEAK AMOUNT OF INFO SENT HERE
464 469
465 470 ## enables 404 error logging (default False)
466 471 appenlight.report_404 = false
467 472
468 473 ## time in seconds after request is considered being slow (default 1)
469 474 appenlight.slow_request_time = 1
470 475
471 476 ## record slow requests in application
472 477 ## (needs to be enabled for slow datastore recording and time tracking)
473 478 appenlight.slow_requests = true
474 479
475 480 ## enable hooking to application loggers
476 481 appenlight.logging = true
477 482
478 483 ## minimum log level for log capture
479 484 appenlight.logging.level = WARNING
480 485
481 486 ## send logs only from erroneous/slow requests
482 487 ## (saves API quota for intensive logging)
483 488 appenlight.logging_on_error = false
484 489
485 490 ## list of additional keywords that should be grabbed from environ object
486 491 ## can be string with comma separated list of words in lowercase
487 492 ## (by default client will always send following info:
488 493 ## 'REMOTE_USER', 'REMOTE_ADDR', 'SERVER_NAME', 'CONTENT_TYPE' + all keys that
489 494 ## start with HTTP* this list be extended with additional keywords here
490 495 appenlight.environ_keys_whitelist =
491 496
492 497 ## list of keywords that should be blanked from request object
493 498 ## can be string with comma separated list of words in lowercase
494 499 ## (by default client will always blank keys that contain following words
495 500 ## 'password', 'passwd', 'pwd', 'auth_tkt', 'secret', 'csrf'
496 501 ## this list be extended with additional keywords set here
497 502 appenlight.request_keys_blacklist =
498 503
499 504 ## list of namespaces that should be ignores when gathering log entries
500 505 ## can be string with comma separated list of namespaces
501 506 ## (by default the client ignores own entries: appenlight_client.client)
502 507 appenlight.log_namespace_blacklist =
503 508
504 509 # enable debug style page
505 510 debug_style = true
506 511
507 512 ###########################################
508 513 ### MAIN RHODECODE DATABASE CONFIG ###
509 514 ###########################################
510 515 #sqlalchemy.db1.url = sqlite:///%(here)s/rhodecode.db?timeout=30
511 516 #sqlalchemy.db1.url = postgresql://postgres:qweqwe@localhost/rhodecode
512 517 #sqlalchemy.db1.url = mysql://root:qweqwe@localhost/rhodecode?charset=utf8
513 518 # pymysql is an alternative driver for MySQL, use in case of problems with default one
514 519 #sqlalchemy.db1.url = mysql+pymysql://root:qweqwe@localhost/rhodecode
515 520
516 521 sqlalchemy.db1.url = sqlite:///%(here)s/rhodecode.db?timeout=30
517 522
518 523 # see sqlalchemy docs for other advanced settings
519 524
520 525 ## print the sql statements to output
521 526 sqlalchemy.db1.echo = false
522 527 ## recycle the connections after this amount of seconds
523 528 sqlalchemy.db1.pool_recycle = 3600
524 529 sqlalchemy.db1.convert_unicode = true
525 530
526 531 ## the number of connections to keep open inside the connection pool.
527 532 ## 0 indicates no limit
528 533 #sqlalchemy.db1.pool_size = 5
529 534
530 535 ## the number of connections to allow in connection pool "overflow", that is
531 536 ## connections that can be opened above and beyond the pool_size setting,
532 537 ## which defaults to five.
533 538 #sqlalchemy.db1.max_overflow = 10
534 539
535 540 ## Connection check ping, used to detect broken database connections
536 541 ## could be enabled to better handle cases if MySQL has gone away errors
537 542 #sqlalchemy.db1.ping_connection = true
538 543
539 544 ##################
540 545 ### VCS CONFIG ###
541 546 ##################
542 547 vcs.server.enable = true
543 548 vcs.server = localhost:9900
544 549
545 550 ## Web server connectivity protocol, responsible for web based VCS operations
546 551 ## Available protocols are:
547 552 ## `http` - use http-rpc backend (default)
548 553 vcs.server.protocol = http
549 554
550 555 ## Push/Pull operations protocol, available options are:
551 556 ## `http` - use http-rpc backend (default)
552 557 vcs.scm_app_implementation = http
553 558
554 559 ## Push/Pull operations hooks protocol, available options are:
555 560 ## `http` - use http-rpc backend (default)
556 561 vcs.hooks.protocol = http
557 562
558 563 ## Host on which this instance is listening for hooks. If vcsserver is in other location
559 564 ## this should be adjusted.
560 565 vcs.hooks.host = 127.0.0.1
561 566
562 567 vcs.server.log_level = debug
563 568 ## Start VCSServer with this instance as a subprocess, useful for development
564 569 vcs.start_server = false
565 570
566 571 ## List of enabled VCS backends, available options are:
567 572 ## `hg` - mercurial
568 573 ## `git` - git
569 574 ## `svn` - subversion
570 575 vcs.backends = hg, git, svn
571 576
572 577 vcs.connection_timeout = 3600
573 578 ## Compatibility version when creating SVN repositories. Defaults to newest version when commented out.
574 579 ## Available options are: pre-1.4-compatible, pre-1.5-compatible, pre-1.6-compatible, pre-1.8-compatible, pre-1.9-compatible
575 580 #vcs.svn.compatible_version = pre-1.8-compatible
576 581
577 582
578 583 ############################################################
579 584 ### Subversion proxy support (mod_dav_svn) ###
580 585 ### Maps RhodeCode repo groups into SVN paths for Apache ###
581 586 ############################################################
582 587 ## Enable or disable the config file generation.
583 588 svn.proxy.generate_config = false
584 589 ## Generate config file with `SVNListParentPath` set to `On`.
585 590 svn.proxy.list_parent_path = true
586 591 ## Set location and file name of generated config file.
587 592 svn.proxy.config_file_path = %(here)s/mod_dav_svn.conf
588 593 ## alternative mod_dav config template. This needs to be a mako template
589 594 #svn.proxy.config_template = ~/.rccontrol/enterprise-1/custom_svn_conf.mako
590 595 ## Used as a prefix to the `Location` block in the generated config file.
591 596 ## In most cases it should be set to `/`.
592 597 svn.proxy.location_root = /
593 598 ## Command to reload the mod dav svn configuration on change.
594 599 ## Example: `/etc/init.d/apache2 reload` or /home/USER/apache_reload.sh
595 600 ## Make sure user who runs RhodeCode process is allowed to reload Apache
596 601 #svn.proxy.reload_cmd = /etc/init.d/apache2 reload
597 602 ## If the timeout expires before the reload command finishes, the command will
598 603 ## be killed. Setting it to zero means no timeout. Defaults to 10 seconds.
599 604 #svn.proxy.reload_timeout = 10
600 605
601 606 ############################################################
602 607 ### SSH Support Settings ###
603 608 ############################################################
604 609
605 610 ## Defines if a custom authorized_keys file should be created and written on
606 611 ## any change user ssh keys. Setting this to false also disables possibility
607 612 ## of adding SSH keys by users from web interface. Super admins can still
608 613 ## manage SSH Keys.
609 614 ssh.generate_authorized_keyfile = false
610 615
611 616 ## Options for ssh, default is `no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding`
612 617 # ssh.authorized_keys_ssh_opts =
613 618
614 619 ## Path to the authorized_keys file where the generate entries are placed.
615 620 ## It is possible to have multiple key files specified in `sshd_config` e.g.
616 621 ## AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_rhodecode
617 622 ssh.authorized_keys_file_path = ~/.ssh/authorized_keys_rhodecode
618 623
619 624 ## Command to execute the SSH wrapper. The binary is available in the
620 625 ## RhodeCode installation directory.
621 626 ## e.g ~/.rccontrol/community-1/profile/bin/rc-ssh-wrapper
622 627 ssh.wrapper_cmd = ~/.rccontrol/community-1/rc-ssh-wrapper
623 628
624 629 ## Allow shell when executing the ssh-wrapper command
625 630 ssh.wrapper_cmd_allow_shell = false
626 631
627 632 ## Enables logging, and detailed output send back to the client during SSH
628 633 ## operations. Useful for debugging, shouldn't be used in production.
629 634 ssh.enable_debug_logging = true
630 635
631 636 ## Paths to binary executable, by default they are the names, but we can
632 637 ## override them if we want to use a custom one
633 638 ssh.executable.hg = ~/.rccontrol/vcsserver-1/profile/bin/hg
634 639 ssh.executable.git = ~/.rccontrol/vcsserver-1/profile/bin/git
635 640 ssh.executable.svn = ~/.rccontrol/vcsserver-1/profile/bin/svnserve
636 641
637 642 ## Enables SSH key generator web interface. Disabling this still allows users
638 643 ## to add their own keys.
639 644 ssh.enable_ui_key_generator = true
640 645
641 646
642 647 ## Dummy marker to add new entries after.
643 648 ## Add any custom entries below. Please don't remove.
644 649 custom.conf = 1
645 650
646 651
647 652 ################################
648 653 ### LOGGING CONFIGURATION ####
649 654 ################################
650 655 [loggers]
651 656 keys = root, sqlalchemy, beaker, celery, rhodecode, ssh_wrapper
652 657
653 658 [handlers]
654 659 keys = console, console_sql
655 660
656 661 [formatters]
657 662 keys = generic, color_formatter, color_formatter_sql
658 663
659 664 #############
660 665 ## LOGGERS ##
661 666 #############
662 667 [logger_root]
663 668 level = NOTSET
664 669 handlers = console
665 670
666 671 [logger_sqlalchemy]
667 672 level = INFO
668 673 handlers = console_sql
669 674 qualname = sqlalchemy.engine
670 675 propagate = 0
671 676
672 677 [logger_beaker]
673 678 level = DEBUG
674 679 handlers =
675 680 qualname = beaker.container
676 681 propagate = 1
677 682
678 683 [logger_rhodecode]
679 684 level = DEBUG
680 685 handlers =
681 686 qualname = rhodecode
682 687 propagate = 1
683 688
684 689 [logger_ssh_wrapper]
685 690 level = DEBUG
686 691 handlers =
687 692 qualname = ssh_wrapper
688 693 propagate = 1
689 694
690 695 [logger_celery]
691 696 level = DEBUG
692 697 handlers =
693 698 qualname = celery
694 699
695 700
696 701 ##############
697 702 ## HANDLERS ##
698 703 ##############
699 704
700 705 [handler_console]
701 706 class = StreamHandler
702 707 args = (sys.stderr, )
703 708 level = DEBUG
704 709 formatter = color_formatter
705 710
706 711 [handler_console_sql]
707 712 # "level = DEBUG" logs SQL queries and results.
708 713 # "level = INFO" logs SQL queries.
709 714 # "level = WARN" logs neither. (Recommended for production systems.)
710 715 class = StreamHandler
711 716 args = (sys.stderr, )
712 717 level = WARN
713 718 formatter = color_formatter_sql
714 719
715 720 ################
716 721 ## FORMATTERS ##
717 722 ################
718 723
719 724 [formatter_generic]
720 725 class = rhodecode.lib.logging_formatter.ExceptionAwareFormatter
721 726 format = %(asctime)s.%(msecs)03d [%(process)d] %(levelname)-5.5s [%(name)s] %(message)s
722 727 datefmt = %Y-%m-%d %H:%M:%S
723 728
724 729 [formatter_color_formatter]
725 730 class = rhodecode.lib.logging_formatter.ColorFormatter
726 731 format = %(asctime)s.%(msecs)03d [%(process)d] %(levelname)-5.5s [%(name)s] %(message)s
727 732 datefmt = %Y-%m-%d %H:%M:%S
728 733
729 734 [formatter_color_formatter_sql]
730 735 class = rhodecode.lib.logging_formatter.ColorFormatterSql
731 736 format = %(asctime)s.%(msecs)03d [%(process)d] %(levelname)-5.5s [%(name)s] %(message)s
732 737 datefmt = %Y-%m-%d %H:%M:%S
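Review bot: The new comment block for `rhodecode.encrypted_values.algorithm` recommends switching to fernet but says nothing about values already stored with the aes backend, so an operator cannot tell whether existing encrypted tokens and remote URLs stay readable after the switch or must be re-saved — which is the question that decides whether flipping this on a live instance is safe. The fernet backend tags its output with an `enc2$` prefix, so mixed-format reads may well be handled, but the comment should state it explicitly, e.g. `## Values already stored with aes stay readable after switching; only new values use fernet.` (if that is in fact the behaviour). The strict-mode comment just above still names `SignatureVerificationError`, whereas the fernet backend raises `InvalidToken`; unless the caller translates that exception, the comment should mention both.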
@@ -1,705 +1,710 b''
1 1
2 2
3 3 ################################################################################
4 4 ## RHODECODE COMMUNITY EDITION CONFIGURATION ##
5 5 ################################################################################
6 6
7 7 [DEFAULT]
8 8 ## Debug flag sets all loggers to debug, and enables request tracking
9 9 debug = false
10 10
11 11 ################################################################################
12 12 ## EMAIL CONFIGURATION ##
13 13 ## Uncomment and replace with the email address which should receive ##
14 14 ## any error reports after an application crash ##
15 15 ## Additionally these settings will be used by the RhodeCode mailing system ##
16 16 ################################################################################
17 17
18 18 ## prefix all emails subjects with given prefix, helps filtering out emails
19 19 #email_prefix = [RhodeCode]
20 20
21 21 ## email FROM address all mails will be sent
22 22 #app_email_from = rhodecode-noreply@localhost
23 23
24 24 #smtp_server = mail.server.com
25 25 #smtp_username =
26 26 #smtp_password =
27 27 #smtp_port =
28 28 #smtp_use_tls = false
29 29 #smtp_use_ssl = true
30 30
31 31 [server:main]
32 32 ## COMMON ##
33 33 host = 127.0.0.1
34 34 port = 5000
35 35
36 36 ###########################################################
37 37 ## WAITRESS WSGI SERVER - Recommended for Development ####
38 38 ###########################################################
39 39
40 40 #use = egg:waitress#main
41 41 ## number of worker threads
42 42 #threads = 5
43 43 ## MAX BODY SIZE 100GB
44 44 #max_request_body_size = 107374182400
45 45 ## Use poll instead of select, fixes file descriptors limits problems.
46 46 ## May not work on old windows systems.
47 47 #asyncore_use_poll = true
48 48
49 49
50 50 ##########################
51 51 ## GUNICORN WSGI SERVER ##
52 52 ##########################
53 53 ## run with gunicorn --log-config rhodecode.ini --paste rhodecode.ini
54 54
55 55 use = egg:gunicorn#main
56 56 ## Sets the number of process workers. More workers means more concurrent connections
57 57 ## RhodeCode can handle at the same time. Each additional worker also it increases
58 58 ## memory usage as each has it's own set of caches.
59 59 ## Recommended value is (2 * NUMBER_OF_CPUS + 1), eg 2CPU = 5 workers, but no more
60 60 ## than 8-10 unless for really big deployments .e.g 700-1000 users.
61 61 ## `instance_id = *` must be set in the [app:main] section below (which is the default)
62 62 ## when using more than 1 worker.
63 63 workers = 2
64 64 ## process name visible in process list
65 65 proc_name = rhodecode
66 66 ## type of worker class, one of sync, gevent
67 67 ## recommended for bigger setup is using of of other than sync one
68 68 worker_class = gevent
69 69 ## The maximum number of simultaneous clients. Valid only for Gevent
70 70 worker_connections = 10
71 71 ## max number of requests that worker will handle before being gracefully
72 72 ## restarted, could prevent memory leaks
73 73 max_requests = 1000
74 74 max_requests_jitter = 30
75 75 ## amount of time a worker can spend with handling a request before it
76 76 ## gets killed and restarted. Set to 6hrs
77 77 timeout = 21600
78 78
79 79
80 80 ## prefix middleware for RhodeCode.
81 81 ## recommended when using proxy setup.
82 82 ## allows to set RhodeCode under a prefix in server.
83 83 ## eg https://server.com/custom_prefix. Enable `filter-with =` option below as well.
84 84 ## And set your prefix like: `prefix = /custom_prefix`
85 85 ## be sure to also set beaker.session.cookie_path = /custom_prefix if you need
86 86 ## to make your cookies only work on prefix url
87 87 [filter:proxy-prefix]
88 88 use = egg:PasteDeploy#prefix
89 89 prefix = /
90 90
91 91 [app:main]
92 92 ## The %(here)s variable will be replaced with the absolute path of parent directory
93 93 ## of this file
94 94 ## In addition ENVIRONMENT variables usage is possible, e.g
95 95 ## sqlalchemy.db1.url = {ENV_RC_DB_URL}
96 96
97 97 use = egg:rhodecode-enterprise-ce
98 98
99 99 ## enable proxy prefix middleware, defined above
100 100 #filter-with = proxy-prefix
101 101
102 102 ## encryption key used to encrypt social plugin tokens,
103 103 ## remote_urls with credentials etc, if not set it defaults to
104 104 ## `beaker.session.secret`
105 105 #rhodecode.encrypted_values.secret =
106 106
107 107 ## decryption strict mode (enabled by default). It controls if decryption raises
108 108 ## `SignatureVerificationError` in case of wrong key, or damaged encryption data.
109 109 #rhodecode.encrypted_values.strict = false
110 110
111 ## Pick algorithm for encryption. Either fernet (more secure) or aes (default)
112 ## fernet is safer, and we strongly recommend switching to it.
113 ## Due to backward compatibility aes is used as default.
114 #rhodecode.encrypted_values.algorithm = fernet
115
111 116 ## return gzipped responses from RhodeCode (static files/application)
112 117 gzip_responses = false
113 118
114 119 ## auto-generate javascript routes file on startup
115 120 generate_js_files = false
116 121
117 122 ## System global default language.
118 123 ## All available languages: en(default), be, de, es, fr, it, ja, pl, pt, ru, zh
119 124 lang = en
120 125
121 126 ## Perform a full repository scan and import on each server start.
122 127 ## Settings this to true could lead to very long startup time.
123 128 startup.import_repos = false
124 129
125 130 ## Uncomment and set this path to use archive download cache.
126 131 ## Once enabled, generated archives will be cached at this location
127 132 ## and served from the cache during subsequent requests for the same archive of
128 133 ## the repository.
129 134 #archive_cache_dir = /tmp/tarballcache
130 135
131 136 ## URL at which the application is running. This is used for Bootstrapping
132 137 ## requests in context when no web request is available. Used in ishell, or
133 138 ## SSH calls. Set this for events to receive proper url for SSH calls.
134 139 app.base_url = http://rhodecode.local
135 140
136 141 ## Unique application ID. Should be a random unique string for security.
137 142 app_instance_uuid = rc-production
138 143
139 144 ## Cut off limit for large diffs (size in bytes). If overall diff size on
140 145 ## commit, or pull request exceeds this limit this diff will be displayed
141 146 ## partially. E.g 512000 == 512Kb
142 147 cut_off_limit_diff = 512000
143 148
144 149 ## Cut off limit for large files inside diffs (size in bytes). Each individual
145 150 ## file inside diff which exceeds this limit will be displayed partially.
146 151 ## E.g 128000 == 128Kb
147 152 cut_off_limit_file = 128000
148 153
149 154 ## use cached version of vcs repositories everywhere. Recommended to be `true`
150 155 vcs_full_cache = true
151 156
152 157 ## Force https in RhodeCode, fixes https redirects, assumes it's always https.
153 158 ## Normally this is controlled by proper http flags sent from http server
154 159 force_https = false
155 160
156 161 ## use Strict-Transport-Security headers
157 162 use_htsts = false
158 163
159 164 ## git rev filter option, --all is the default filter, if you need to
160 165 ## hide all refs in changelog switch this to --branches --tags
161 166 git_rev_filter = --branches --tags
162 167
163 168 # Set to true if your repos are exposed using the dumb protocol
164 169 git_update_server_info = false
165 170
166 171 ## RSS/ATOM feed options
167 172 rss_cut_off_limit = 256000
168 173 rss_items_per_page = 10
169 174 rss_include_diff = false
170 175
171 176 ## gist URL alias, used to create nicer urls for gist. This should be an
172 177 ## url that does rewrites to _admin/gists/{gistid}.
173 178 ## example: http://gist.rhodecode.org/{gistid}. Empty means use the internal
174 179 ## RhodeCode url, ie. http[s]://rhodecode.server/_admin/gists/{gistid}
175 180 gist_alias_url =
176 181
177 182 ## List of views (using glob pattern syntax) that AUTH TOKENS could be
178 183 ## used for access.
179 184 ## Adding ?auth_token=TOKEN_HASH to the url authenticates this request as if it
180 185 ## came from the the logged in user who own this authentication token.
181 186 ## Additionally @TOKEN syntax can be used to bound the view to specific
182 187 ## authentication token. Such view would be only accessible when used together
183 188 ## with this authentication token
184 189 ##
185 190 ## list of all views can be found under `/_admin/permissions/auth_token_access`
186 191 ## The list should be "," separated and on a single line.
187 192 ##
188 193 ## Most common views to enable:
189 194 # RepoCommitsView:repo_commit_download
190 195 # RepoCommitsView:repo_commit_patch
191 196 # RepoCommitsView:repo_commit_raw
192 197 # RepoCommitsView:repo_commit_raw@TOKEN
193 198 # RepoFilesView:repo_files_diff
194 199 # RepoFilesView:repo_archivefile
195 200 # RepoFilesView:repo_file_raw
196 201 # GistView:*
197 202 api_access_controllers_whitelist =
198 203
199 204 ## Default encoding used to convert from and to unicode
200 205 ## can be also a comma separated list of encoding in case of mixed encodings
201 206 default_encoding = UTF-8
202 207
203 208 ## instance-id prefix
204 209 ## a prefix key for this instance used for cache invalidation when running
205 210 ## multiple instances of RhodeCode, make sure it's globally unique for
206 211 ## all running RhodeCode instances. Leave empty if you don't use it
207 212 instance_id =
208 213
209 214 ## Fallback authentication plugin. Set this to a plugin ID to force the usage
210 215 ## of an authentication plugin also if it is disabled by it's settings.
211 216 ## This could be useful if you are unable to log in to the system due to broken
212 217 ## authentication settings. Then you can enable e.g. the internal RhodeCode auth
213 218 ## module to log in again and fix the settings.
214 219 ##
215 220 ## Available builtin plugin IDs (hash is part of the ID):
216 221 ## egg:rhodecode-enterprise-ce#rhodecode
217 222 ## egg:rhodecode-enterprise-ce#pam
218 223 ## egg:rhodecode-enterprise-ce#ldap
219 224 ## egg:rhodecode-enterprise-ce#jasig_cas
220 225 ## egg:rhodecode-enterprise-ce#headers
221 226 ## egg:rhodecode-enterprise-ce#crowd
222 227 #rhodecode.auth_plugin_fallback = egg:rhodecode-enterprise-ce#rhodecode
223 228
224 229 ## alternative return HTTP header for failed authentication. Default HTTP
225 230 ## response is 401 HTTPUnauthorized. Currently HG clients have troubles with
226 231 ## handling that causing a series of failed authentication calls.
227 232 ## Set this variable to 403 to return HTTPForbidden, or any other HTTP code
228 233 ## This will be served instead of default 401 on bad authentication
229 234 auth_ret_code =
230 235
231 236 ## use special detection method when serving auth_ret_code, instead of serving
232 237 ## ret_code directly, use 401 initially (Which triggers credentials prompt)
233 238 ## and then serve auth_ret_code to clients
234 239 auth_ret_code_detection = false
235 240
236 241 ## locking return code. When repository is locked return this HTTP code. 2XX
237 242 ## codes don't break the transactions while 4XX codes do
238 243 lock_ret_code = 423
239 244
240 245 ## allows to change the repository location in settings page
241 246 allow_repo_location_change = true
242 247
243 248 ## allows to setup custom hooks in settings page
244 249 allow_custom_hooks_settings = true
245 250
246 251 ## Generated license token required for EE edition license.
247 252 ## New generated token value can be found in Admin > settings > license page.
248 253 license_token =
249 254
250 255 ## supervisor connection uri, for managing supervisor and logs.
251 256 supervisor.uri =
252 257 ## supervisord group name/id we only want this RC instance to handle
253 258 supervisor.group_id = prod
254 259
255 260 ## Display extended labs settings
256 261 labs_settings_active = true
257 262
258 263 ## Custom exception store path, defaults to TMPDIR
259 264 ## This is used to store exception from RhodeCode in shared directory
260 265 #exception_tracker.store_path =
261 266
262 267 ## File store configuration. This is used to store and serve uploaded files
263 268 file_store.enabled = true
264 269 ## Storage backend, available options are: local
265 270 file_store.backend = local
266 271 ## path to store the uploaded binaries
267 272 file_store.storage_path = %(here)s/data/file_store
268 273
269 274
270 275 ####################################
271 276 ### CELERY CONFIG ####
272 277 ####################################
273 278 ## run: /path/to/celery worker \
274 279 ## -E --beat --app rhodecode.lib.celerylib.loader \
275 280 ## --scheduler rhodecode.lib.celerylib.scheduler.RcScheduler \
276 281 ## --loglevel DEBUG --ini /path/to/rhodecode.ini
277 282
278 283 use_celery = false
279 284
280 285 ## connection url to the message broker (default rabbitmq)
281 286 celery.broker_url = amqp://rabbitmq:qweqwe@localhost:5672/rabbitmqhost
282 287
283 288 ## maximum tasks to execute before worker restart
284 289 celery.max_tasks_per_child = 100
285 290
286 291 ## tasks will never be sent to the queue, but executed locally instead.
287 292 celery.task_always_eager = false
288 293
289 294 #####################################
290 295 ### DOGPILE CACHE ####
291 296 #####################################
292 297 ## Default cache dir for caches. Putting this into a ramdisk
293 298 ## can boost performance, eg. /tmpfs/data_ramdisk, however this directory might require
294 299 ## large amount of space
295 300 cache_dir = %(here)s/data
296 301
297 302 ## `cache_perms` cache settings for permission tree, auth TTL.
298 303 rc_cache.cache_perms.backend = dogpile.cache.rc.file_namespace
299 304 rc_cache.cache_perms.expiration_time = 300
300 305
301 306 ## alternative `cache_perms` redis backend with distributed lock
302 307 #rc_cache.cache_perms.backend = dogpile.cache.rc.redis
303 308 #rc_cache.cache_perms.expiration_time = 300
304 309 ## redis_expiration_time needs to be greater then expiration_time
305 310 #rc_cache.cache_perms.arguments.redis_expiration_time = 7200
306 311 #rc_cache.cache_perms.arguments.socket_timeout = 30
307 312 #rc_cache.cache_perms.arguments.host = localhost
308 313 #rc_cache.cache_perms.arguments.port = 6379
309 314 #rc_cache.cache_perms.arguments.db = 0
310 315 ## more Redis options: https://dogpilecache.sqlalchemy.org/en/latest/api.html#redis-backends
311 316 #rc_cache.cache_perms.arguments.distributed_lock = true
312 317
313 318 ## `cache_repo` cache settings for FileTree, Readme, RSS FEEDS
314 319 rc_cache.cache_repo.backend = dogpile.cache.rc.file_namespace
315 320 rc_cache.cache_repo.expiration_time = 2592000
316 321
317 322 ## alternative `cache_repo` redis backend with distributed lock
318 323 #rc_cache.cache_repo.backend = dogpile.cache.rc.redis
319 324 #rc_cache.cache_repo.expiration_time = 2592000
320 325 ## redis_expiration_time needs to be greater then expiration_time
321 326 #rc_cache.cache_repo.arguments.redis_expiration_time = 2678400
322 327 #rc_cache.cache_repo.arguments.socket_timeout = 30
323 328 #rc_cache.cache_repo.arguments.host = localhost
324 329 #rc_cache.cache_repo.arguments.port = 6379
325 330 #rc_cache.cache_repo.arguments.db = 1
326 331 ## more Redis options: https://dogpilecache.sqlalchemy.org/en/latest/api.html#redis-backends
327 332 #rc_cache.cache_repo.arguments.distributed_lock = true
328 333
329 334 ## cache settings for SQL queries, this needs to use memory type backend
330 335 rc_cache.sql_cache_short.backend = dogpile.cache.rc.memory_lru
331 336 rc_cache.sql_cache_short.expiration_time = 30
332 337
333 338 ## `cache_repo_longterm` cache for repo object instances, this needs to use memory
334 339 ## type backend as the objects kept are not pickle serializable
335 340 rc_cache.cache_repo_longterm.backend = dogpile.cache.rc.memory_lru
336 341 ## by default we use 96H, this is using invalidation on push anyway
337 342 rc_cache.cache_repo_longterm.expiration_time = 345600
338 343 ## max items in LRU cache, reduce this number to save memory, and expire last used
339 344 ## cached objects
340 345 rc_cache.cache_repo_longterm.max_size = 10000
341 346
342 347
343 348 ####################################
344 349 ### BEAKER SESSION ####
345 350 ####################################
346 351
347 352 ## .session.type is type of storage options for the session, current allowed
348 353 ## types are file, ext:memcached, ext:redis, ext:database, and memory (default).
349 354 beaker.session.type = file
350 355 beaker.session.data_dir = %(here)s/data/sessions
351 356
352 357 ## db based session, fast, and allows easy management over logged in users
353 358 #beaker.session.type = ext:database
354 359 #beaker.session.table_name = db_session
355 360 #beaker.session.sa.url = postgresql://postgres:secret@localhost/rhodecode
356 361 #beaker.session.sa.url = mysql://root:secret@127.0.0.1/rhodecode
357 362 #beaker.session.sa.pool_recycle = 3600
358 363 #beaker.session.sa.echo = false
359 364
360 365 beaker.session.key = rhodecode
361 366 beaker.session.secret = production-rc-uytcxaz
362 367 beaker.session.lock_dir = %(here)s/data/sessions/lock
363 368
364 369 ## Secure encrypted cookie. Requires AES and AES python libraries
365 370 ## you must disable beaker.session.secret to use this
366 371 #beaker.session.encrypt_key = key_for_encryption
367 372 #beaker.session.validate_key = validation_key
368 373
369 374 ## sets session as invalid(also logging out user) if it haven not been
370 375 ## accessed for given amount of time in seconds
371 376 beaker.session.timeout = 2592000
372 377 beaker.session.httponly = true
373 378 ## Path to use for the cookie. Set to prefix if you use prefix middleware
374 379 #beaker.session.cookie_path = /custom_prefix
375 380
376 381 ## uncomment for https secure cookie
377 382 beaker.session.secure = false
378 383
379 384 ## auto save the session to not to use .save()
380 385 beaker.session.auto = false
381 386
382 387 ## default cookie expiration time in seconds, set to `true` to set expire
383 388 ## at browser close
384 389 #beaker.session.cookie_expires = 3600
385 390
386 391 ###################################
387 392 ## SEARCH INDEXING CONFIGURATION ##
388 393 ###################################
389 394 ## Full text search indexer is available in rhodecode-tools under
390 395 ## `rhodecode-tools index` command
391 396
392 397 ## WHOOSH Backend, doesn't require additional services to run
393 398 ## it works good with few dozen repos
394 399 search.module = rhodecode.lib.index.whoosh
395 400 search.location = %(here)s/data/index
396 401
397 402 ########################################
398 403 ### CHANNELSTREAM CONFIG ####
399 404 ########################################
400 405 ## channelstream enables persistent connections and live notification
401 406 ## in the system. It's also used by the chat system
402 407
403 408 channelstream.enabled = false
404 409
405 410 ## server address for channelstream server on the backend
406 411 channelstream.server = 127.0.0.1:9800
407 412
408 413 ## location of the channelstream server from outside world
409 414 ## use ws:// for http or wss:// for https. This address needs to be handled
410 415 ## by external HTTP server such as Nginx or Apache
411 416 ## see Nginx/Apache configuration examples in our docs
412 417 channelstream.ws_url = ws://rhodecode.yourserver.com/_channelstream
413 418 channelstream.secret = secret
414 419 channelstream.history.location = %(here)s/channelstream_history
415 420
416 421 ## Internal application path that Javascript uses to connect into.
417 422 ## If you use proxy-prefix the prefix should be added before /_channelstream
418 423 channelstream.proxy_path = /_channelstream
419 424
420 425
421 426 ###################################
422 427 ## APPENLIGHT CONFIG ##
423 428 ###################################
424 429
425 430 ## Appenlight is tailored to work with RhodeCode, see
426 431 ## http://appenlight.com for details how to obtain an account
427 432
428 433 ## Appenlight integration enabled
429 434 appenlight = false
430 435
431 436 appenlight.server_url = https://api.appenlight.com
432 437 appenlight.api_key = YOUR_API_KEY
433 438 #appenlight.transport_config = https://api.appenlight.com?threaded=1&timeout=5
434 439
435 440 ## used for JS client
436 441 appenlight.api_public_key = YOUR_API_PUBLIC_KEY
437 442
438 443 ## TWEAK AMOUNT OF INFO SENT HERE
439 444
440 445 ## enables 404 error logging (default False)
441 446 appenlight.report_404 = false
442 447
443 448 ## time in seconds after request is considered being slow (default 1)
444 449 appenlight.slow_request_time = 1
445 450
446 451 ## record slow requests in application
447 452 ## (needs to be enabled for slow datastore recording and time tracking)
448 453 appenlight.slow_requests = true
449 454
450 455 ## enable hooking to application loggers
451 456 appenlight.logging = true
452 457
453 458 ## minimum log level for log capture
454 459 appenlight.logging.level = WARNING
455 460
456 461 ## send logs only from erroneous/slow requests
457 462 ## (saves API quota for intensive logging)
458 463 appenlight.logging_on_error = false
459 464
460 465 ## list of additional keywords that should be grabbed from environ object
461 466 ## can be string with comma separated list of words in lowercase
462 467 ## (by default client will always send following info:
463 468 ## 'REMOTE_USER', 'REMOTE_ADDR', 'SERVER_NAME', 'CONTENT_TYPE' + all keys that
464 469 ## start with HTTP* this list be extended with additional keywords here
465 470 appenlight.environ_keys_whitelist =
466 471
467 472 ## list of keywords that should be blanked from request object
468 473 ## can be string with comma separated list of words in lowercase
469 474 ## (by default client will always blank keys that contain following words
470 475 ## 'password', 'passwd', 'pwd', 'auth_tkt', 'secret', 'csrf'
471 476 ## this list be extended with additional keywords set here
472 477 appenlight.request_keys_blacklist =
473 478
474 479 ## list of namespaces that should be ignores when gathering log entries
475 480 ## can be string with comma separated list of namespaces
476 481 ## (by default the client ignores own entries: appenlight_client.client)
477 482 appenlight.log_namespace_blacklist =
478 483
479 484
480 485 ###########################################
481 486 ### MAIN RHODECODE DATABASE CONFIG ###
482 487 ###########################################
483 488 #sqlalchemy.db1.url = sqlite:///%(here)s/rhodecode.db?timeout=30
484 489 #sqlalchemy.db1.url = postgresql://postgres:qweqwe@localhost/rhodecode
485 490 #sqlalchemy.db1.url = mysql://root:qweqwe@localhost/rhodecode?charset=utf8
486 491 # pymysql is an alternative driver for MySQL, use in case of problems with default one
487 492 #sqlalchemy.db1.url = mysql+pymysql://root:qweqwe@localhost/rhodecode
488 493
489 494 sqlalchemy.db1.url = postgresql://postgres:qweqwe@localhost/rhodecode
490 495
491 496 # see sqlalchemy docs for other advanced settings
492 497
493 498 ## print the sql statements to output
494 499 sqlalchemy.db1.echo = false
495 500 ## recycle the connections after this amount of seconds
496 501 sqlalchemy.db1.pool_recycle = 3600
497 502 sqlalchemy.db1.convert_unicode = true
498 503
499 504 ## the number of connections to keep open inside the connection pool.
500 505 ## 0 indicates no limit
501 506 #sqlalchemy.db1.pool_size = 5
502 507
503 508 ## the number of connections to allow in connection pool "overflow", that is
504 509 ## connections that can be opened above and beyond the pool_size setting,
505 510 ## which defaults to five.
506 511 #sqlalchemy.db1.max_overflow = 10
507 512
508 513 ## Connection check ping, used to detect broken database connections
509 514 ## could be enabled to better handle cases if MySQL has gone away errors
510 515 #sqlalchemy.db1.ping_connection = true
511 516
512 517 ##################
513 518 ### VCS CONFIG ###
514 519 ##################
515 520 vcs.server.enable = true
516 521 vcs.server = localhost:9900
517 522
518 523 ## Web server connectivity protocol, responsible for web based VCS operations
519 524 ## Available protocols are:
520 525 ## `http` - use http-rpc backend (default)
521 526 vcs.server.protocol = http
522 527
523 528 ## Push/Pull operations protocol, available options are:
524 529 ## `http` - use http-rpc backend (default)
525 530 vcs.scm_app_implementation = http
526 531
527 532 ## Push/Pull operations hooks protocol, available options are:
528 533 ## `http` - use http-rpc backend (default)
529 534 vcs.hooks.protocol = http
530 535
531 536 ## Host on which this instance is listening for hooks. If vcsserver is in other location
532 537 ## this should be adjusted.
533 538 vcs.hooks.host = 127.0.0.1
534 539
535 540 vcs.server.log_level = info
536 541 ## Start VCSServer with this instance as a subprocess, useful for development
537 542 vcs.start_server = false
538 543
539 544 ## List of enabled VCS backends, available options are:
540 545 ## `hg` - mercurial
541 546 ## `git` - git
542 547 ## `svn` - subversion
543 548 vcs.backends = hg, git, svn
544 549
545 550 vcs.connection_timeout = 3600
546 551 ## Compatibility version when creating SVN repositories. Defaults to newest version when commented out.
547 552 ## Available options are: pre-1.4-compatible, pre-1.5-compatible, pre-1.6-compatible, pre-1.8-compatible, pre-1.9-compatible
548 553 #vcs.svn.compatible_version = pre-1.8-compatible
549 554
550 555
551 556 ############################################################
552 557 ### Subversion proxy support (mod_dav_svn) ###
553 558 ### Maps RhodeCode repo groups into SVN paths for Apache ###
554 559 ############################################################
555 560 ## Enable or disable the config file generation.
556 561 svn.proxy.generate_config = false
557 562 ## Generate config file with `SVNListParentPath` set to `On`.
558 563 svn.proxy.list_parent_path = true
559 564 ## Set location and file name of generated config file.
560 565 svn.proxy.config_file_path = %(here)s/mod_dav_svn.conf
561 566 ## alternative mod_dav config template. This needs to be a mako template
562 567 #svn.proxy.config_template = ~/.rccontrol/enterprise-1/custom_svn_conf.mako
563 568 ## Used as a prefix to the `Location` block in the generated config file.
564 569 ## In most cases it should be set to `/`.
565 570 svn.proxy.location_root = /
566 571 ## Command to reload the mod dav svn configuration on change.
567 572 ## Example: `/etc/init.d/apache2 reload` or /home/USER/apache_reload.sh
568 573 ## Make sure user who runs RhodeCode process is allowed to reload Apache
569 574 #svn.proxy.reload_cmd = /etc/init.d/apache2 reload
570 575 ## If the timeout expires before the reload command finishes, the command will
571 576 ## be killed. Setting it to zero means no timeout. Defaults to 10 seconds.
572 577 #svn.proxy.reload_timeout = 10
573 578
574 579 ############################################################
575 580 ### SSH Support Settings ###
576 581 ############################################################
577 582
578 583 ## Defines if a custom authorized_keys file should be created and written on
579 584 ## any change user ssh keys. Setting this to false also disables possibility
580 585 ## of adding SSH keys by users from web interface. Super admins can still
581 586 ## manage SSH Keys.
582 587 ssh.generate_authorized_keyfile = false
583 588
584 589 ## Options for ssh, default is `no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding`
585 590 # ssh.authorized_keys_ssh_opts =
586 591
587 592 ## Path to the authorized_keys file where the generate entries are placed.
588 593 ## It is possible to have multiple key files specified in `sshd_config` e.g.
589 594 ## AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_rhodecode
590 595 ssh.authorized_keys_file_path = ~/.ssh/authorized_keys_rhodecode
591 596
592 597 ## Command to execute the SSH wrapper. The binary is available in the
593 598 ## RhodeCode installation directory.
594 599 ## e.g ~/.rccontrol/community-1/profile/bin/rc-ssh-wrapper
595 600 ssh.wrapper_cmd = ~/.rccontrol/community-1/rc-ssh-wrapper
596 601
597 602 ## Allow shell when executing the ssh-wrapper command
598 603 ssh.wrapper_cmd_allow_shell = false
599 604
600 605 ## Enables logging, and detailed output send back to the client during SSH
601 606 ## operations. Useful for debugging, shouldn't be used in production.
602 607 ssh.enable_debug_logging = false
603 608
604 609 ## Paths to binary executable, by default they are the names, but we can
605 610 ## override them if we want to use a custom one
606 611 ssh.executable.hg = ~/.rccontrol/vcsserver-1/profile/bin/hg
607 612 ssh.executable.git = ~/.rccontrol/vcsserver-1/profile/bin/git
608 613 ssh.executable.svn = ~/.rccontrol/vcsserver-1/profile/bin/svnserve
609 614
610 615 ## Enables SSH key generator web interface. Disabling this still allows users
611 616 ## to add their own keys.
612 617 ssh.enable_ui_key_generator = true
613 618
614 619
615 620 ## Dummy marker to add new entries after.
616 621 ## Add any custom entries below. Please don't remove.
617 622 custom.conf = 1
618 623
619 624
620 625 ################################
621 626 ### LOGGING CONFIGURATION ####
622 627 ################################
623 628 [loggers]
624 629 keys = root, sqlalchemy, beaker, celery, rhodecode, ssh_wrapper
625 630
626 631 [handlers]
627 632 keys = console, console_sql
628 633
629 634 [formatters]
630 635 keys = generic, color_formatter, color_formatter_sql
631 636
632 637 #############
633 638 ## LOGGERS ##
634 639 #############
635 640 [logger_root]
636 641 level = NOTSET
637 642 handlers = console
638 643
639 644 [logger_sqlalchemy]
640 645 level = INFO
641 646 handlers = console_sql
642 647 qualname = sqlalchemy.engine
643 648 propagate = 0
644 649
645 650 [logger_beaker]
646 651 level = DEBUG
647 652 handlers =
648 653 qualname = beaker.container
649 654 propagate = 1
650 655
651 656 [logger_rhodecode]
652 657 level = DEBUG
653 658 handlers =
654 659 qualname = rhodecode
655 660 propagate = 1
656 661
657 662 [logger_ssh_wrapper]
658 663 level = DEBUG
659 664 handlers =
660 665 qualname = ssh_wrapper
661 666 propagate = 1
662 667
663 668 [logger_celery]
664 669 level = DEBUG
665 670 handlers =
666 671 qualname = celery
667 672
668 673
669 674 ##############
670 675 ## HANDLERS ##
671 676 ##############
672 677
673 678 [handler_console]
674 679 class = StreamHandler
675 680 args = (sys.stderr, )
676 681 level = INFO
677 682 formatter = generic
678 683
679 684 [handler_console_sql]
680 685 # "level = DEBUG" logs SQL queries and results.
681 686 # "level = INFO" logs SQL queries.
682 687 # "level = WARN" logs neither. (Recommended for production systems.)
683 688 class = StreamHandler
684 689 args = (sys.stderr, )
685 690 level = WARN
686 691 formatter = generic
687 692
688 693 ################
689 694 ## FORMATTERS ##
690 695 ################
691 696
692 697 [formatter_generic]
693 698 class = rhodecode.lib.logging_formatter.ExceptionAwareFormatter
694 699 format = %(asctime)s.%(msecs)03d [%(process)d] %(levelname)-5.5s [%(name)s] %(message)s
695 700 datefmt = %Y-%m-%d %H:%M:%S
696 701
697 702 [formatter_color_formatter]
698 703 class = rhodecode.lib.logging_formatter.ColorFormatter
699 704 format = %(asctime)s.%(msecs)03d [%(process)d] %(levelname)-5.5s [%(name)s] %(message)s
700 705 datefmt = %Y-%m-%d %H:%M:%S
701 706
702 707 [formatter_color_formatter_sql]
703 708 class = rhodecode.lib.logging_formatter.ColorFormatterSql
704 709 format = %(asctime)s.%(msecs)03d [%(process)d] %(levelname)-5.5s [%(name)s] %(message)s
705 710 datefmt = %Y-%m-%d %H:%M:%S
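Review bot: The new `rhodecode.encrypted_values.algorithm` commentary (new lines 111-114) tells the operator that fernet is safer but not what switching does to values already stored under aes, which is the question anyone flipping this on a live install has to answer first. Unless the decrypt path selects the backend from a per-value format marker, changing the option makes existing social tokens and remote URLs unreadable; I cannot confirm that from this section, so the comment should state the contract either way, e.g. `## Changing the algorithm only affects values encrypted from now on; confirm that` / `## previously stored values still decrypt before switching on an existing installation.` It is also worth saying here that both backends derive their key from `rhodecode.encrypted_values.secret`, which falls back to `beaker.session.secret` (lines 102-105), and that this file still ships the placeholder `beaker.session.secret = production-rc-uytcxaz` — a stronger cipher does not help while the key is the documented default, so a one-line reminder to set a unique secret belongs next to the algorithm option.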
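--- a/rhodecode/lib/encrypt.py
+++ b/rhodecode/lib/encrypt.py
@@ -1,114 +1,138 @@
 # -*- coding: utf-8 -*-
 
 # Copyright (C) 2014-2019 RhodeCode GmbH
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License, version 3
 # (only), as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU Affero General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
 # This program is dual-licensed. If you wish to learn more about the
 # RhodeCode Enterprise Edition, including its added features, Support services,
 # and proprietary license terms, please see https://rhodecode.com/licenses/
 
 
 """
 Generic encryption library for RhodeCode
 """
 
 import base64
 
 from Crypto.Cipher import AES
 from Crypto import Random
 from Crypto.Hash import HMAC, SHA256
 
 from rhodecode.lib.utils2 import safe_str
 
 
 class SignatureVerificationError(Exception):
     pass
 
 
 class InvalidDecryptedValue(str):
 
     def __new__(cls, content):
         """
         This will generate something like this::
             <InvalidDecryptedValue(QkWusFgLJXR6m42v...)>
         And represent a safe indicator that encryption key is broken
         """
         content = '<{}({}...)>'.format(cls.__name__, content[:16])
         return str.__new__(cls, content)
 
 
 class AESCipher(object):
     def __init__(self, key, hmac=False, strict_verification=True):
         if not key:
             raise ValueError('passed key variable is empty')
         self.strict_verification = strict_verification
         self.block_size = 32
         self.hmac_size = 32
         self.hmac = hmac
 
         self.key = SHA256.new(safe_str(key)).digest()
         self.hmac_key = SHA256.new(self.key).digest()
 
     def verify_hmac_signature(self, raw_data):
         org_hmac_signature = raw_data[-self.hmac_size:]
         data_without_sig = raw_data[:-self.hmac_size]
         recomputed_hmac = HMAC.new(
             self.hmac_key, data_without_sig, digestmod=SHA256).digest()
         return org_hmac_signature == recomputed_hmac
 
     def encrypt(self, raw):
         raw = self._pad(raw)
         iv = Random.new().read(AES.block_size)
         cipher = AES.new(self.key, AES.MODE_CBC, iv)
         enc_value = cipher.encrypt(raw)
 
         hmac_signature = ''
         if self.hmac:
             # compute hmac+sha256 on iv + enc text, we use
             # encrypt then mac method to create the signature
             hmac_signature = HMAC.new(
                 self.hmac_key, iv + enc_value, digestmod=SHA256).digest()
 
         return base64.b64encode(iv + enc_value + hmac_signature)
 
     def decrypt(self, enc):
         enc_org = enc
         enc = base64.b64decode(enc)
 
         if self.hmac and len(enc) > self.hmac_size:
             if self.verify_hmac_signature(enc):
                 # cut off the HMAC verification digest
                 enc = enc[:-self.hmac_size]
             else:
                 if self.strict_verification:
                     raise SignatureVerificationError(
                         "Encryption signature verification failed. "
                         "Please check your secret key, and/or encrypted value. "
                         "Secret key is stored as "
                         "`rhodecode.encrypted_values.secret` or "
                         "`beaker.session.secret` inside .ini file")
 
                 return InvalidDecryptedValue(enc_org)
 
         iv = enc[:AES.block_size]
         cipher = AES.new(self.key, AES.MODE_CBC, iv)
         return self._unpad(cipher.decrypt(enc[AES.block_size:]))
 
     def _pad(self, s):
         return (s + (self.block_size - len(s) % self.block_size)
                 * chr(self.block_size - len(s) % self.block_size))
 
     @staticmethod
     def _unpad(s):
-        return s[:-ord(s[len(s)-1:])]
\ No newline at end of file
+        return s[:-ord(s[len(s)-1:])]
+
+
+def validate_and_get_enc_data(enc_data, enc_key, enc_strict_mode):
+    parts = enc_data.split('$', 3)
+    if not len(parts) == 3:
+        # probably not encrypted values
+        return enc_data
+    else:
+        if parts[0] != 'enc':
+            # parts ok but without our header ?
+            return enc_data
+
+        # at that stage we know it's our encryption
+        if parts[1] == 'aes':
+            decrypted_data = AESCipher(enc_key).decrypt(parts[2])
+        elif parts[1] == 'aes_hmac':
+            decrypted_data = AESCipher(
+                enc_key, hmac=True,
+                strict_verification=enc_strict_mode).decrypt(parts[2])
+        else:
+            raise ValueError(
+                'Encryption type part is wrong, must be `aes` '
+                'or `aes_hmac`, got `%s` instead' % (parts[1]))
+        return decrypted_data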
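Review bot: validate_and_get_enc_data selects the cipher mode from the `parts[1]` tag carried inside the stored value itself, so if a stored `aes_hmac` value can be rewritten with an `aes` tag it is decrypted on the unauthenticated CBC path (new lines 128-129), where `enc_strict_mode` never applies; the caller rather than the payload should decide whether plain `aes` is acceptable, e.g. `if parts[1] == 'aes' and enc_strict_mode: raise ValueError('unauthenticated aes values are not accepted in strict mode')`. On line 118 `split('$', 3)` allows a fourth part, which the `len(parts) != 3` check on line 119 then returns to the caller as if it were plaintext instead of rejecting it; `split('$', 2)` states the three-part `enc$<type>$<data>` format exactly. The function also has no docstring; I would add one saying that values without the `enc$` header are returned unchanged and that in non-strict mode the `aes_hmac` branch can return an `InvalidDecryptedValue` (a `str` subclass) rather than raising, so callers must check for it.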
1 NO CONTENT: modified file
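--- a/PLACEHOLDER_TEST_FILE_PATH
+++ b/PLACEHOLDER_TEST_FILE_PATH
@@ -1,76 +1,133 @@
 # -*- coding: utf-8 -*-
 
 # Copyright (C) 2010-2019 RhodeCode GmbH
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License, version 3
 # (only), as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU Affero General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
 # This program is dual-licensed. If you wish to learn more about the
 # RhodeCode Enterprise Edition, including its added features, Support services,
 # and proprietary license terms, please see https://rhodecode.com/licenses/
 
 import pytest
 
 from rhodecode.lib.encrypt import (
     AESCipher, SignatureVerificationError, InvalidDecryptedValue)
+from rhodecode.lib.encrypt2 import (Encryptor, InvalidToken)
 
 
 class TestEncryptModule(object):
 
     @pytest.mark.parametrize(
         "key, text",
         [
             ('a', 'short'),
             ('a'*64, 'too long(trimmed to 32)'),
             ('a'*32, 'just enough'),
             ('Δ…Δ‡Δ™Δ‡Δ™', 'non asci'),
             ('$asa$asa', 'special $ used'),
         ]
     )
     def test_encryption(self, key, text):
         enc = AESCipher(key).encrypt(text)
         assert AESCipher(key).decrypt(enc) == text
 
     def test_encryption_with_hmac(self):
         key = 'secret'
         text = 'ihatemysql'
         enc = AESCipher(key, hmac=True).encrypt(text)
         assert AESCipher(key, hmac=True).decrypt(enc) == text
 
     def test_encryption_with_hmac_with_bad_key(self):
         key = 'secretstring'
         text = 'ihatemysql'
         enc = AESCipher(key, hmac=True).encrypt(text)
 
         with pytest.raises(SignatureVerificationError) as e:
             assert AESCipher('differentsecret', hmac=True).decrypt(enc) == ''
 
         assert 'Encryption signature verification failed' in str(e)
 
     def test_encryption_with_hmac_with_bad_data(self):
         key = 'secret'
         text = 'ihatemysql'
         enc = AESCipher(key, hmac=True).encrypt(text)
         enc = 'xyz' + enc[3:]
         with pytest.raises(SignatureVerificationError) as e:
             assert AESCipher(key, hmac=True).decrypt(enc) == text
 
         assert 'Encryption signature verification failed' in str(e)
 
     def test_encryption_with_hmac_with_bad_key_not_strict(self):
         key = 'secretstring'
         text = 'ihatemysql'
         enc = AESCipher(key, hmac=True).encrypt(text)
 
         assert isinstance(AESCipher(
             'differentsecret', hmac=True, strict_verification=False
         ).decrypt(enc), InvalidDecryptedValue)
+
+
+class TestEncryptModule2(object):
+
+    @pytest.mark.parametrize(
+        "key, text",
+        [
+            ('a', 'short'),
+            ('a'*64, 'too long(trimmed to 32)'),
+            ('a'*32, 'just enough'),
+            ('Δ…Δ‡Δ™Δ‡Δ™', 'non asci'),
+            ('$asa$asa', 'special $ used'),
+        ]
+    )
+    def test_encryption(self, key, text):
+        enc = Encryptor(key).encrypt(text)
+        assert Encryptor(key).decrypt(enc) == text
+
+    def test_encryption_with_bad_key(self):
+        key = 'secretstring'
+        text = 'ihatemysql'
+        enc = Encryptor(key).encrypt(text)
+
+        assert Encryptor('differentsecret').decrypt(enc) == ''
+
+    def test_encryption_with_bad_key_raises(self):
+        key = 'secretstring'
+        text = 'ihatemysql'
+        enc = Encryptor(key).encrypt(text)
+
+        with pytest.raises(InvalidToken) as e:
+            Encryptor('differentsecret').decrypt(enc, safe=False)
+
+        assert 'InvalidToken' in str(e)
+
+    def test_encryption_with_bad_format_data(self):
+        key = 'secret'
+        text = 'ihatemysql'
+        enc = Encryptor(key).encrypt(text)
+        enc = '$xyz' + enc[3:]
+
+        with pytest.raises(ValueError) as e:
+            Encryptor(key).decrypt(enc, safe=False)
+
+        assert 'Encrypted Data has invalid format' in str(e)
+
+    def test_encryption_with_bad_data(self):
+        key = 'secret'
+        text = 'ihatemysql'
+        enc = Encryptor(key).encrypt(text)
+        enc = enc[:-5]
+
+        with pytest.raises(InvalidToken) as e:
+            Encryptor(key).decrypt(enc, safe=False)
+
+        assert 'InvalidToken' in str(e)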
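Review bot: The parametrize case on new line 86 keeps the label `'too long(trimmed to 32)'` copied from the AESCipher tests, but nothing asserted in TestEncryptModule2 checks any key trimming, so the label describes behaviour this class does not test; `'long key'` would be accurate. None of the new tests shows that a fresh salt is used per call: `test_encryption` would still pass if `encrypt` returned the same token for the same key and text, so I would add `assert Encryptor(key).encrypt(text) != enc` next to line 94. `test_encryption_with_bad_key` on line 101 pins the safe-mode contract that a wrong key yields `''`, which a caller cannot distinguish from an empty plaintext; if that is intended, a one-line comment such as `# safe mode maps a key mismatch to '' rather than raising` would stop the next reader from treating the assertion as a bug.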