##// END OF EJS Templates
feat(2fa): added 2fa for more auth plugins and moved 2fa forced functionality to ee edition. Fixes: RCCE-68
ilin.s -
r5397:46138ab9 default
parent child Browse files
Show More
@@ -1,987 +1,984 b''
1 1 # Copyright (C) 2016-2023 RhodeCode GmbH
2 2 #
3 3 # This program is free software: you can redistribute it and/or modify
4 4 # it under the terms of the GNU Affero General Public License, version 3
5 5 # (only), as published by the Free Software Foundation.
6 6 #
7 7 # This program is distributed in the hope that it will be useful,
8 8 # but WITHOUT ANY WARRANTY; without even the implied warranty of
9 9 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 10 # GNU General Public License for more details.
11 11 #
12 12 # You should have received a copy of the GNU Affero General Public License
13 13 # along with this program. If not, see <http://www.gnu.org/licenses/>.
14 14 #
15 15 # This program is dual-licensed. If you wish to learn more about the
16 16 # RhodeCode Enterprise Edition, including its added features, Support services,
17 17 # and proprietary license terms, please see https://rhodecode.com/licenses/
18 18
19 19 import time
20 20 import logging
21 21 import operator
22 22
23 23 from pyramid.httpexceptions import HTTPFound, HTTPForbidden, HTTPBadRequest
24 24
25 25 from rhodecode.lib import helpers as h, diffs, rc_cache
26 26 from rhodecode.lib.str_utils import safe_str
27 27 from rhodecode.lib.utils import repo_name_slug
28 28 from rhodecode.lib.utils2 import (
29 29 StrictAttributeDict,
30 30 str2bool,
31 31 safe_int,
32 32 datetime_to_time,
33 33 )
34 34 from rhodecode.lib.markup_renderer import MarkupRenderer, relative_links
35 35 from rhodecode.lib.vcs.backends.base import EmptyCommit
36 36 from rhodecode.lib.vcs.exceptions import RepositoryRequirementError
37 37 from rhodecode.model import repo
38 38 from rhodecode.model import repo_group
39 39 from rhodecode.model import user_group
40 40 from rhodecode.model import user
41 41 from rhodecode.model.db import User
42 42 from rhodecode.model.scm import ScmModel
43 43 from rhodecode.model.settings import VcsSettingsModel, IssueTrackerSettingsModel
44 44 from rhodecode.model.repo import ReadmeFinder
45 45
46 46 log = logging.getLogger(__name__)
47 47
48 48
49 49 ADMIN_PREFIX: str = "/_admin"
50 50 STATIC_FILE_PREFIX: str = "/_static"
51 51
52 52 URL_NAME_REQUIREMENTS = {
53 53 # group name can have a slash in them, but they must not end with a slash
54 54 "group_name": r".*?[^/]",
55 55 "repo_group_name": r".*?[^/]",
56 56 # repo names can have a slash in them, but they must not end with a slash
57 57 "repo_name": r".*?[^/]",
58 58 # file path eats up everything at the end
59 59 "f_path": r".*",
60 60 # reference types
61 61 "source_ref_type": r"(branch|book|tag|rev|\%\(source_ref_type\)s)",
62 62 "target_ref_type": r"(branch|book|tag|rev|\%\(target_ref_type\)s)",
63 63 }
64 64
65 65
66 66 def add_route_with_slash(config, name, pattern, **kw):
67 67 config.add_route(name, pattern, **kw)
68 68 if not pattern.endswith("/"):
69 69 config.add_route(name + "_slash", pattern + "/", **kw)
70 70
71 71
72 72 def add_route_requirements(route_path, requirements=None):
73 73 """
74 74 Adds regex requirements to pyramid routes using a mapping dict
75 75 e.g::
76 76 add_route_requirements('{repo_name}/settings')
77 77 """
78 78 requirements = requirements or URL_NAME_REQUIREMENTS
79 79 for key, regex in list(requirements.items()):
80 80 route_path = route_path.replace("{%s}" % key, "{%s:%s}" % (key, regex))
81 81 return route_path
82 82
83 83
84 84 def get_format_ref_id(repo):
85 85 """Returns a `repo` specific reference formatter function"""
86 86 if h.is_svn(repo):
87 87 return _format_ref_id_svn
88 88 else:
89 89 return _format_ref_id
90 90
91 91
92 92 def _format_ref_id(name, raw_id):
93 93 """Default formatting of a given reference `name`"""
94 94 return name
95 95
96 96
97 97 def _format_ref_id_svn(name, raw_id):
98 98 """Special way of formatting a reference for Subversion including path"""
99 99 return f"{name}@{raw_id}"
100 100
101 101
102 102 class TemplateArgs(StrictAttributeDict):
103 103 pass
104 104
105 105
106 106 class BaseAppView(object):
107 107 DONT_CHECKOUT_VIEWS = ["channelstream_connect", "ops_ping"]
108 108 EXTRA_VIEWS_TO_IGNORE = ['login', 'register', 'logout']
109 109 SETUP_2FA_VIEW = 'setup_2fa'
110 110 VERIFY_2FA_VIEW = 'check_2fa'
111 111
112 112 def __init__(self, context, request):
113 113 self.request = request
114 114 self.context = context
115 115 self.session = request.session
116 116 if not hasattr(request, "user"):
117 117 # NOTE(marcink): edge case, we ended up in matched route
118 118 # but probably of web-app context, e.g API CALL/VCS CALL
119 119 if hasattr(request, "vcs_call") or hasattr(request, "rpc_method"):
120 120 log.warning("Unable to process request `%s` in this scope", request)
121 121 raise HTTPBadRequest()
122 122
123 123 self._rhodecode_user = request.user # auth user
124 124 self._rhodecode_db_user = self._rhodecode_user.get_instance()
125 125 self.user_data = self._rhodecode_db_user.user_data if self._rhodecode_db_user else {}
126 126 self._maybe_needs_password_change(
127 127 request.matched_route.name, self._rhodecode_db_user
128 128 )
129 129 self._maybe_needs_2fa_configuration(
130 130 request.matched_route.name, self._rhodecode_db_user
131 131 )
132 132 self._maybe_needs_2fa_check(
133 133 request.matched_route.name, self._rhodecode_db_user
134 134 )
135 135
136 136 def _maybe_needs_password_change(self, view_name, user_obj):
137 137 if view_name in self.DONT_CHECKOUT_VIEWS:
138 138 return
139 139
140 140 log.debug(
141 141 "Checking if user %s needs password change on view %s", user_obj, view_name
142 142 )
143 143
144 144 skip_user_views = [
145 145 "logout",
146 146 "login",
147 147 "check_2fa",
148 148 "my_account_password",
149 149 "my_account_password_update",
150 150 ]
151 151
152 152 if not user_obj:
153 153 return
154 154
155 155 if user_obj.username == User.DEFAULT_USER:
156 156 return
157 157
158 158 now = time.time()
159 159 should_change = self.user_data.get("force_password_change")
160 160 change_after = safe_int(should_change) or 0
161 161 if should_change and now > change_after:
162 162 log.debug("User %s requires password change", user_obj)
163 163 h.flash(
164 164 "You are required to change your password",
165 165 "warning",
166 166 ignore_duplicate=True,
167 167 )
168 168
169 169 if view_name not in skip_user_views:
170 170 raise HTTPFound(self.request.route_path("my_account_password"))
171 171
172 172 def _maybe_needs_2fa_configuration(self, view_name, user_obj):
173 173 if view_name in self.DONT_CHECKOUT_VIEWS + self.EXTRA_VIEWS_TO_IGNORE:
174 174 return
175 175
176 176 if not user_obj:
177 177 return
178 178
179 if user_obj.has_forced_2fa and user_obj.extern_type != 'rhodecode':
180 return
181
182 179 if user_obj.needs_2fa_configure and view_name != self.SETUP_2FA_VIEW:
183 180 h.flash(
184 181 "You are required to configure 2FA",
185 182 "warning",
186 183 ignore_duplicate=False,
187 184 )
188 185 raise HTTPFound(self.request.route_path(self.SETUP_2FA_VIEW))
189 186
190 187 def _maybe_needs_2fa_check(self, view_name, user_obj):
191 188 if view_name in self.DONT_CHECKOUT_VIEWS + self.EXTRA_VIEWS_TO_IGNORE:
192 189 return
193 190
194 191 if not user_obj:
195 192 return
196 193
197 194 if user_obj.check_2fa_required and view_name != self.VERIFY_2FA_VIEW:
198 195 raise HTTPFound(self.request.route_path(self.VERIFY_2FA_VIEW))
199 196
200 197 def _log_creation_exception(self, e, repo_name):
201 198 _ = self.request.translate
202 199 reason = None
203 200 if len(e.args) == 2:
204 201 reason = e.args[1]
205 202
206 203 if reason == "INVALID_CERTIFICATE":
207 204 log.exception("Exception creating a repository: invalid certificate")
208 205 msg = _("Error creating repository %s: invalid certificate") % repo_name
209 206 else:
210 207 log.exception("Exception creating a repository")
211 208 msg = _("Error creating repository %s") % repo_name
212 209 return msg
213 210
214 211 def _get_local_tmpl_context(self, include_app_defaults=True):
215 212 c = TemplateArgs()
216 213 c.auth_user = self.request.user
217 214 # TODO(marcink): migrate the usage of c.rhodecode_user to c.auth_user
218 215 c.rhodecode_user = self.request.user
219 216
220 217 if include_app_defaults:
221 218 from rhodecode.lib.base import attach_context_attributes
222 219
223 220 attach_context_attributes(c, self.request, self.request.user.user_id)
224 221
225 222 c.is_super_admin = c.auth_user.is_admin
226 223
227 224 c.can_create_repo = c.is_super_admin
228 225 c.can_create_repo_group = c.is_super_admin
229 226 c.can_create_user_group = c.is_super_admin
230 227
231 228 c.is_delegated_admin = False
232 229
233 230 if not c.auth_user.is_default and not c.is_super_admin:
234 231 c.can_create_repo = h.HasPermissionAny("hg.create.repository")(
235 232 user=self.request.user
236 233 )
237 234 repositories = c.auth_user.repositories_admin or c.can_create_repo
238 235
239 236 c.can_create_repo_group = h.HasPermissionAny("hg.repogroup.create.true")(
240 237 user=self.request.user
241 238 )
242 239 repository_groups = (
243 240 c.auth_user.repository_groups_admin or c.can_create_repo_group
244 241 )
245 242
246 243 c.can_create_user_group = h.HasPermissionAny("hg.usergroup.create.true")(
247 244 user=self.request.user
248 245 )
249 246 user_groups = c.auth_user.user_groups_admin or c.can_create_user_group
250 247 # delegated admin can create, or manage some objects
251 248 c.is_delegated_admin = repositories or repository_groups or user_groups
252 249 return c
253 250
254 251 def _get_template_context(self, tmpl_args, **kwargs):
255 252 local_tmpl_args = {"defaults": {}, "errors": {}, "c": tmpl_args}
256 253 local_tmpl_args.update(kwargs)
257 254 return local_tmpl_args
258 255
259 256 def load_default_context(self):
260 257 """
261 258 example:
262 259
263 260 def load_default_context(self):
264 261 c = self._get_local_tmpl_context()
265 262 c.custom_var = 'foobar'
266 263
267 264 return c
268 265 """
269 266 raise NotImplementedError("Needs implementation in view class")
270 267
271 268
272 269 class RepoAppView(BaseAppView):
273 270 def __init__(self, context, request):
274 271 super().__init__(context, request)
275 272 self.db_repo = request.db_repo
276 273 self.db_repo_name = self.db_repo.repo_name
277 274 self.db_repo_pull_requests = ScmModel().get_pull_requests(self.db_repo)
278 275 self.db_repo_artifacts = ScmModel().get_artifacts(self.db_repo)
279 276 self.db_repo_patterns = IssueTrackerSettingsModel(repo=self.db_repo)
280 277
281 278 def _handle_missing_requirements(self, error):
282 279 log.error(
283 280 "Requirements are missing for repository %s: %s",
284 281 self.db_repo_name,
285 282 safe_str(error),
286 283 )
287 284
288 285 def _prepare_and_set_clone_url(self, c):
289 286 username = ""
290 287 if self._rhodecode_user.username != User.DEFAULT_USER:
291 288 username = self._rhodecode_user.username
292 289
293 290 _def_clone_uri = c.clone_uri_tmpl
294 291 _def_clone_uri_id = c.clone_uri_id_tmpl
295 292 _def_clone_uri_ssh = c.clone_uri_ssh_tmpl
296 293
297 294 c.clone_repo_url = self.db_repo.clone_url(
298 295 user=username, uri_tmpl=_def_clone_uri
299 296 )
300 297 c.clone_repo_url_id = self.db_repo.clone_url(
301 298 user=username, uri_tmpl=_def_clone_uri_id
302 299 )
303 300 c.clone_repo_url_ssh = self.db_repo.clone_url(
304 301 uri_tmpl=_def_clone_uri_ssh, ssh=True
305 302 )
306 303
307 304 def _get_local_tmpl_context(self, include_app_defaults=True):
308 305 _ = self.request.translate
309 306 c = super()._get_local_tmpl_context(include_app_defaults=include_app_defaults)
310 307
311 308 # register common vars for this type of view
312 309 c.rhodecode_db_repo = self.db_repo
313 310 c.repo_name = self.db_repo_name
314 311 c.repository_pull_requests = self.db_repo_pull_requests
315 312 c.repository_artifacts = self.db_repo_artifacts
316 313 c.repository_is_user_following = ScmModel().is_following_repo(
317 314 self.db_repo_name, self._rhodecode_user.user_id
318 315 )
319 316 self.path_filter = PathFilter(None)
320 317
321 318 c.repository_requirements_missing = {}
322 319 try:
323 320 self.rhodecode_vcs_repo = self.db_repo.scm_instance()
324 321 # NOTE(marcink):
325 322 # comparison to None since if it's an object __bool__ is expensive to
326 323 # calculate
327 324 if self.rhodecode_vcs_repo is not None:
328 325 path_perms = self.rhodecode_vcs_repo.get_path_permissions(
329 326 c.auth_user.username
330 327 )
331 328 self.path_filter = PathFilter(path_perms)
332 329 except RepositoryRequirementError as e:
333 330 c.repository_requirements_missing = {"error": str(e)}
334 331 self._handle_missing_requirements(e)
335 332 self.rhodecode_vcs_repo = None
336 333
337 334 c.path_filter = self.path_filter # used by atom_feed_entry.mako
338 335
339 336 if self.rhodecode_vcs_repo is None:
340 337 # unable to fetch this repo as vcs instance, report back to user
341 338 log.debug(
342 339 "Repository was not found on filesystem, check if it exists or is not damaged"
343 340 )
344 341 h.flash(
345 342 _(
346 343 "The repository `%(repo_name)s` cannot be loaded in filesystem. "
347 344 "Please check if it exist, or is not damaged."
348 345 )
349 346 % {"repo_name": c.repo_name},
350 347 category="error",
351 348 ignore_duplicate=True,
352 349 )
353 350 if c.repository_requirements_missing:
354 351 route = self.request.matched_route.name
355 352 if route.startswith(("edit_repo", "repo_summary")):
356 353 # allow summary and edit repo on missing requirements
357 354 return c
358 355
359 356 raise HTTPFound(
360 357 h.route_path("repo_summary", repo_name=self.db_repo_name)
361 358 )
362 359
363 360 else: # redirect if we don't show missing requirements
364 361 raise HTTPFound(h.route_path("home"))
365 362
366 363 c.has_origin_repo_read_perm = False
367 364 if self.db_repo.fork:
368 365 c.has_origin_repo_read_perm = h.HasRepoPermissionAny(
369 366 "repository.write", "repository.read", "repository.admin"
370 367 )(self.db_repo.fork.repo_name, "summary fork link")
371 368
372 369 return c
373 370
374 371 def _get_f_path_unchecked(self, matchdict, default=None):
375 372 """
376 373 Should only be used by redirects, everything else should call _get_f_path
377 374 """
378 375 f_path = matchdict.get("f_path")
379 376 if f_path:
380 377 # fix for multiple initial slashes that causes errors for GIT
381 378 return f_path.lstrip("/")
382 379
383 380 return default
384 381
385 382 def _get_f_path(self, matchdict, default=None):
386 383 f_path_match = self._get_f_path_unchecked(matchdict, default)
387 384 return self.path_filter.assert_path_permissions(f_path_match)
388 385
389 386 def _get_general_setting(self, target_repo, settings_key, default=False):
390 387 settings_model = VcsSettingsModel(repo=target_repo)
391 388 settings = settings_model.get_general_settings()
392 389 return settings.get(settings_key, default)
393 390
394 391 def _get_repo_setting(self, target_repo, settings_key, default=False):
395 392 settings_model = VcsSettingsModel(repo=target_repo)
396 393 settings = settings_model.get_repo_settings_inherited()
397 394 return settings.get(settings_key, default)
398 395
399 396 def _get_readme_data(self, db_repo, renderer_type, commit_id=None, path="/"):
400 397 log.debug("Looking for README file at path %s", path)
401 398 if commit_id:
402 399 landing_commit_id = commit_id
403 400 else:
404 401 landing_commit = db_repo.get_landing_commit()
405 402 if isinstance(landing_commit, EmptyCommit):
406 403 return None, None
407 404 landing_commit_id = landing_commit.raw_id
408 405
409 406 cache_namespace_uid = f"repo.{db_repo.repo_id}"
410 407 region = rc_cache.get_or_create_region(
411 408 "cache_repo", cache_namespace_uid, use_async_runner=False
412 409 )
413 410 start = time.time()
414 411
415 412 @region.conditional_cache_on_arguments(namespace=cache_namespace_uid)
416 413 def generate_repo_readme(
417 414 repo_id, _commit_id, _repo_name, _readme_search_path, _renderer_type
418 415 ):
419 416 readme_data = None
420 417 readme_filename = None
421 418
422 419 commit = db_repo.get_commit(_commit_id)
423 420 log.debug("Searching for a README file at commit %s.", _commit_id)
424 421 readme_node = ReadmeFinder(_renderer_type).search(
425 422 commit, path=_readme_search_path
426 423 )
427 424
428 425 if readme_node:
429 426 log.debug("Found README node: %s", readme_node)
430 427
431 428 relative_urls = {
432 429 "raw": h.route_path(
433 430 "repo_file_raw",
434 431 repo_name=_repo_name,
435 432 commit_id=commit.raw_id,
436 433 f_path=readme_node.path,
437 434 ),
438 435 "standard": h.route_path(
439 436 "repo_files",
440 437 repo_name=_repo_name,
441 438 commit_id=commit.raw_id,
442 439 f_path=readme_node.path,
443 440 ),
444 441 }
445 442
446 443 readme_data = self._render_readme_or_none(
447 444 commit, readme_node, relative_urls
448 445 )
449 446 readme_filename = readme_node.str_path
450 447
451 448 return readme_data, readme_filename
452 449
453 450 readme_data, readme_filename = generate_repo_readme(
454 451 db_repo.repo_id,
455 452 landing_commit_id,
456 453 db_repo.repo_name,
457 454 path,
458 455 renderer_type,
459 456 )
460 457
461 458 compute_time = time.time() - start
462 459 log.debug(
463 460 "Repo README for path %s generated and computed in %.4fs",
464 461 path,
465 462 compute_time,
466 463 )
467 464 return readme_data, readme_filename
468 465
469 466 def _render_readme_or_none(self, commit, readme_node, relative_urls):
470 467 log.debug("Found README file `%s` rendering...", readme_node.path)
471 468 renderer = MarkupRenderer()
472 469 try:
473 470 html_source = renderer.render(
474 471 readme_node.str_content, filename=readme_node.path
475 472 )
476 473 if relative_urls:
477 474 return relative_links(html_source, relative_urls)
478 475 return html_source
479 476 except Exception:
480 477 log.exception("Exception while trying to render the README")
481 478
482 479 def get_recache_flag(self):
483 480 for flag_name in ["force_recache", "force-recache", "no-cache"]:
484 481 flag_val = self.request.GET.get(flag_name)
485 482 if str2bool(flag_val):
486 483 return True
487 484 return False
488 485
489 486 def get_commit_preload_attrs(cls):
490 487 pre_load = [
491 488 "author",
492 489 "branch",
493 490 "date",
494 491 "message",
495 492 "parents",
496 493 "obsolete",
497 494 "phase",
498 495 "hidden",
499 496 ]
500 497 return pre_load
501 498
502 499
503 500 class PathFilter(object):
504 501 # Expects and instance of BasePathPermissionChecker or None
505 502 def __init__(self, permission_checker):
506 503 self.permission_checker = permission_checker
507 504
508 505 def assert_path_permissions(self, path):
509 506 if self.path_access_allowed(path):
510 507 return path
511 508 raise HTTPForbidden()
512 509
513 510 def path_access_allowed(self, path):
514 511 log.debug("Checking ACL permissions for PathFilter for `%s`", path)
515 512 if self.permission_checker:
516 513 has_access = path and self.permission_checker.has_access(path)
517 514 log.debug(
518 515 "ACL Permissions checker enabled, ACL Check has_access: %s", has_access
519 516 )
520 517 return has_access
521 518
522 519 log.debug("ACL permissions checker not enabled, skipping...")
523 520 return True
524 521
525 522 def filter_patchset(self, patchset):
526 523 if not self.permission_checker or not patchset:
527 524 return patchset, False
528 525 had_filtered = False
529 526 filtered_patchset = []
530 527 for patch in patchset:
531 528 filename = patch.get("filename", None)
532 529 if not filename or self.permission_checker.has_access(filename):
533 530 filtered_patchset.append(patch)
534 531 else:
535 532 had_filtered = True
536 533 if had_filtered:
537 534 if isinstance(patchset, diffs.LimitedDiffContainer):
538 535 filtered_patchset = diffs.LimitedDiffContainer(
539 536 patchset.diff_limit, patchset.cur_diff_size, filtered_patchset
540 537 )
541 538 return filtered_patchset, True
542 539 else:
543 540 return patchset, False
544 541
545 542 def render_patchset_filtered(
546 543 self, diffset, patchset, source_ref=None, target_ref=None
547 544 ):
548 545 filtered_patchset, has_hidden_changes = self.filter_patchset(patchset)
549 546 result = diffset.render_patchset(
550 547 filtered_patchset, source_ref=source_ref, target_ref=target_ref
551 548 )
552 549 result.has_hidden_changes = has_hidden_changes
553 550 return result
554 551
555 552 def get_raw_patch(self, diff_processor):
556 553 if self.permission_checker is None:
557 554 return diff_processor.as_raw()
558 555 elif self.permission_checker.has_full_access:
559 556 return diff_processor.as_raw()
560 557 else:
561 558 return "# Repository has user-specific filters, raw patch generation is disabled."
562 559
563 560 @property
564 561 def is_enabled(self):
565 562 return self.permission_checker is not None
566 563
567 564
568 565 class RepoGroupAppView(BaseAppView):
569 566 def __init__(self, context, request):
570 567 super().__init__(context, request)
571 568 self.db_repo_group = request.db_repo_group
572 569 self.db_repo_group_name = self.db_repo_group.group_name
573 570
574 571 def _get_local_tmpl_context(self, include_app_defaults=True):
575 572 _ = self.request.translate
576 573 c = super()._get_local_tmpl_context(include_app_defaults=include_app_defaults)
577 574 c.repo_group = self.db_repo_group
578 575 return c
579 576
580 577 def _revoke_perms_on_yourself(self, form_result):
581 578 _updates = [
582 579 u
583 580 for u in form_result["perm_updates"]
584 581 if self._rhodecode_user.user_id == int(u[0])
585 582 ]
586 583 _additions = [
587 584 u
588 585 for u in form_result["perm_additions"]
589 586 if self._rhodecode_user.user_id == int(u[0])
590 587 ]
591 588 _deletions = [
592 589 u
593 590 for u in form_result["perm_deletions"]
594 591 if self._rhodecode_user.user_id == int(u[0])
595 592 ]
596 593 admin_perm = "group.admin"
597 594 if (
598 595 _updates
599 596 and _updates[0][1] != admin_perm
600 597 or _additions
601 598 and _additions[0][1] != admin_perm
602 599 or _deletions
603 600 and _deletions[0][1] != admin_perm
604 601 ):
605 602 return True
606 603 return False
607 604
608 605
609 606 class UserGroupAppView(BaseAppView):
610 607 def __init__(self, context, request):
611 608 super().__init__(context, request)
612 609 self.db_user_group = request.db_user_group
613 610 self.db_user_group_name = self.db_user_group.users_group_name
614 611
615 612
616 613 class UserAppView(BaseAppView):
617 614 def __init__(self, context, request):
618 615 super().__init__(context, request)
619 616 self.db_user = request.db_user
620 617 self.db_user_id = self.db_user.user_id
621 618
622 619 _ = self.request.translate
623 620 if not request.db_user_supports_default:
624 621 if self.db_user.username == User.DEFAULT_USER:
625 622 h.flash(
626 623 _("Editing user `{}` is disabled.".format(User.DEFAULT_USER)),
627 624 category="warning",
628 625 )
629 626 raise HTTPFound(h.route_path("users"))
630 627
631 628
632 629 class DataGridAppView(object):
633 630 """
634 631 Common class to have re-usable grid rendering components
635 632 """
636 633
637 634 def _extract_ordering(self, request, column_map=None):
638 635 column_map = column_map or {}
639 636 column_index = safe_int(request.GET.get("order[0][column]"))
640 637 order_dir = request.GET.get("order[0][dir]", "desc")
641 638 order_by = request.GET.get("columns[%s][data][sort]" % column_index, "name_raw")
642 639
643 640 # translate datatable to DB columns
644 641 order_by = column_map.get(order_by) or order_by
645 642
646 643 search_q = request.GET.get("search[value]")
647 644 return search_q, order_by, order_dir
648 645
649 646 def _extract_chunk(self, request):
650 647 start = safe_int(request.GET.get("start"), 0)
651 648 length = safe_int(request.GET.get("length"), 25)
652 649 draw = safe_int(request.GET.get("draw"))
653 650 return draw, start, length
654 651
655 652 def _get_order_col(self, order_by, model):
656 653 if isinstance(order_by, str):
657 654 try:
658 655 return operator.attrgetter(order_by)(model)
659 656 except AttributeError:
660 657 return None
661 658 else:
662 659 return order_by
663 660
664 661
665 662 class BaseReferencesView(RepoAppView):
666 663 """
667 664 Base for reference view for branches, tags and bookmarks.
668 665 """
669 666
670 667 def load_default_context(self):
671 668 c = self._get_local_tmpl_context()
672 669 return c
673 670
674 671 def load_refs_context(self, ref_items, partials_template):
675 672 _render = self.request.get_partial_renderer(partials_template)
676 673 pre_load = ["author", "date", "message", "parents"]
677 674
678 675 is_svn = h.is_svn(self.rhodecode_vcs_repo)
679 676 is_hg = h.is_hg(self.rhodecode_vcs_repo)
680 677
681 678 format_ref_id = get_format_ref_id(self.rhodecode_vcs_repo)
682 679
683 680 closed_refs = {}
684 681 if is_hg:
685 682 closed_refs = self.rhodecode_vcs_repo.branches_closed
686 683
687 684 data = []
688 685 for ref_name, commit_id in ref_items:
689 686 commit = self.rhodecode_vcs_repo.get_commit(
690 687 commit_id=commit_id, pre_load=pre_load
691 688 )
692 689 closed = ref_name in closed_refs
693 690
694 691 # TODO: johbo: Unify generation of reference links
695 692 use_commit_id = "/" in ref_name or is_svn
696 693
697 694 if use_commit_id:
698 695 files_url = h.route_path(
699 696 "repo_files",
700 697 repo_name=self.db_repo_name,
701 698 f_path=ref_name if is_svn else "",
702 699 commit_id=commit_id,
703 700 _query=dict(at=ref_name),
704 701 )
705 702
706 703 else:
707 704 files_url = h.route_path(
708 705 "repo_files",
709 706 repo_name=self.db_repo_name,
710 707 f_path=ref_name if is_svn else "",
711 708 commit_id=ref_name,
712 709 _query=dict(at=ref_name),
713 710 )
714 711
715 712 data.append(
716 713 {
717 714 "name": _render("name", ref_name, files_url, closed),
718 715 "name_raw": ref_name,
719 716 "date": _render("date", commit.date),
720 717 "date_raw": datetime_to_time(commit.date),
721 718 "author": _render("author", commit.author),
722 719 "commit": _render(
723 720 "commit", commit.message, commit.raw_id, commit.idx
724 721 ),
725 722 "commit_raw": commit.idx,
726 723 "compare": _render(
727 724 "compare", format_ref_id(ref_name, commit.raw_id)
728 725 ),
729 726 }
730 727 )
731 728
732 729 return data
733 730
734 731
735 732 class RepoRoutePredicate(object):
736 733 def __init__(self, val, config):
737 734 self.val = val
738 735
739 736 def text(self):
740 737 return f"repo_route = {self.val}"
741 738
742 739 phash = text
743 740
744 741 def __call__(self, info, request):
745 742 if hasattr(request, "vcs_call"):
746 743 # skip vcs calls
747 744 return
748 745
749 746 repo_name = info["match"]["repo_name"]
750 747
751 748 repo_name_parts = repo_name.split("/")
752 749 repo_slugs = [x for x in (repo_name_slug(x) for x in repo_name_parts)]
753 750
754 751 if repo_name_parts != repo_slugs:
755 752 # short-skip if the repo-name doesn't follow slug rule
756 753 log.warning(
757 754 "repo_name: %s is different than slug %s", repo_name_parts, repo_slugs
758 755 )
759 756 return False
760 757
761 758 repo_model = repo.RepoModel()
762 759
763 760 by_name_match = repo_model.get_by_repo_name(repo_name, cache=False)
764 761
765 762 def redirect_if_creating(route_info, db_repo):
766 763 skip_views = ["edit_repo_advanced_delete"]
767 764 route = route_info["route"]
768 765 # we should skip delete view so we can actually "remove" repositories
769 766 # if they get stuck in creating state.
770 767 if route.name in skip_views:
771 768 return
772 769
773 770 if db_repo.repo_state in [repo.Repository.STATE_PENDING]:
774 771 repo_creating_url = request.route_path(
775 772 "repo_creating", repo_name=db_repo.repo_name
776 773 )
777 774 raise HTTPFound(repo_creating_url)
778 775
779 776 if by_name_match:
780 777 # register this as request object we can re-use later
781 778 request.db_repo = by_name_match
782 779 request.db_repo_name = request.db_repo.repo_name
783 780
784 781 redirect_if_creating(info, by_name_match)
785 782 return True
786 783
787 784 by_id_match = repo_model.get_repo_by_id(repo_name)
788 785 if by_id_match:
789 786 request.db_repo = by_id_match
790 787 request.db_repo_name = request.db_repo.repo_name
791 788 redirect_if_creating(info, by_id_match)
792 789 return True
793 790
794 791 return False
795 792
796 793
797 794 class RepoForbidArchivedRoutePredicate(object):
798 795 def __init__(self, val, config):
799 796 self.val = val
800 797
801 798 def text(self):
802 799 return f"repo_forbid_archived = {self.val}"
803 800
804 801 phash = text
805 802
806 803 def __call__(self, info, request):
807 804 _ = request.translate
808 805 rhodecode_db_repo = request.db_repo
809 806
810 807 log.debug(
811 808 "%s checking if archived flag for repo for %s",
812 809 self.__class__.__name__,
813 810 rhodecode_db_repo.repo_name,
814 811 )
815 812
816 813 if rhodecode_db_repo.archived:
817 814 log.warning(
818 815 "Current view is not supported for archived repo:%s",
819 816 rhodecode_db_repo.repo_name,
820 817 )
821 818
822 819 h.flash(
823 820 h.literal(_("Action not supported for archived repository.")),
824 821 category="warning",
825 822 )
826 823 summary_url = request.route_path(
827 824 "repo_summary", repo_name=rhodecode_db_repo.repo_name
828 825 )
829 826 raise HTTPFound(summary_url)
830 827 return True
831 828
832 829
833 830 class RepoTypeRoutePredicate(object):
834 831 def __init__(self, val, config):
835 832 self.val = val or ["hg", "git", "svn"]
836 833
837 834 def text(self):
838 835 return f"repo_accepted_type = {self.val}"
839 836
840 837 phash = text
841 838
842 839 def __call__(self, info, request):
843 840 if hasattr(request, "vcs_call"):
844 841 # skip vcs calls
845 842 return
846 843
847 844 rhodecode_db_repo = request.db_repo
848 845
849 846 log.debug(
850 847 "%s checking repo type for %s in %s",
851 848 self.__class__.__name__,
852 849 rhodecode_db_repo.repo_type,
853 850 self.val,
854 851 )
855 852
856 853 if rhodecode_db_repo.repo_type in self.val:
857 854 return True
858 855 else:
859 856 log.warning(
860 857 "Current view is not supported for repo type:%s",
861 858 rhodecode_db_repo.repo_type,
862 859 )
863 860 return False
864 861
865 862
866 863 class RepoGroupRoutePredicate(object):
867 864 def __init__(self, val, config):
868 865 self.val = val
869 866
870 867 def text(self):
871 868 return f"repo_group_route = {self.val}"
872 869
873 870 phash = text
874 871
875 872 def __call__(self, info, request):
876 873 if hasattr(request, "vcs_call"):
877 874 # skip vcs calls
878 875 return
879 876
880 877 repo_group_name = info["match"]["repo_group_name"]
881 878
882 879 repo_group_name_parts = repo_group_name.split("/")
883 880 repo_group_slugs = [
884 881 x for x in [repo_name_slug(x) for x in repo_group_name_parts]
885 882 ]
886 883 if repo_group_name_parts != repo_group_slugs:
887 884 # short-skip if the repo-name doesn't follow slug rule
888 885 log.warning(
889 886 "repo_group_name: %s is different than slug %s",
890 887 repo_group_name_parts,
891 888 repo_group_slugs,
892 889 )
893 890 return False
894 891
895 892 repo_group_model = repo_group.RepoGroupModel()
896 893 by_name_match = repo_group_model.get_by_group_name(repo_group_name, cache=False)
897 894
898 895 if by_name_match:
899 896 # register this as request object we can re-use later
900 897 request.db_repo_group = by_name_match
901 898 request.db_repo_group_name = request.db_repo_group.group_name
902 899 return True
903 900
904 901 return False
905 902
906 903
907 904 class UserGroupRoutePredicate(object):
908 905 def __init__(self, val, config):
909 906 self.val = val
910 907
911 908 def text(self):
912 909 return f"user_group_route = {self.val}"
913 910
914 911 phash = text
915 912
916 913 def __call__(self, info, request):
917 914 if hasattr(request, "vcs_call"):
918 915 # skip vcs calls
919 916 return
920 917
921 918 user_group_id = info["match"]["user_group_id"]
922 919 user_group_model = user_group.UserGroup()
923 920 by_id_match = user_group_model.get(user_group_id, cache=False)
924 921
925 922 if by_id_match:
926 923 # register this as request object we can re-use later
927 924 request.db_user_group = by_id_match
928 925 return True
929 926
930 927 return False
931 928
932 929
933 930 class UserRoutePredicateBase(object):
934 931 supports_default = None
935 932
936 933 def __init__(self, val, config):
937 934 self.val = val
938 935
939 936 def text(self):
940 937 raise NotImplementedError()
941 938
942 939 def __call__(self, info, request):
943 940 if hasattr(request, "vcs_call"):
944 941 # skip vcs calls
945 942 return
946 943
947 944 user_id = info["match"]["user_id"]
948 945 user_model = user.User()
949 946 by_id_match = user_model.get(user_id, cache=False)
950 947
951 948 if by_id_match:
952 949 # register this as request object we can re-use later
953 950 request.db_user = by_id_match
954 951 request.db_user_supports_default = self.supports_default
955 952 return True
956 953
957 954 return False
958 955
959 956
960 957 class UserRoutePredicate(UserRoutePredicateBase):
961 958 supports_default = False
962 959
963 960 def text(self):
964 961 return f"user_route = {self.val}"
965 962
966 963 phash = text
967 964
968 965
969 966 class UserRouteWithDefaultPredicate(UserRoutePredicateBase):
970 967 supports_default = True
971 968
972 969 def text(self):
973 970 return f"user_with_default_route = {self.val}"
974 971
975 972 phash = text
976 973
977 974
978 975 def includeme(config):
979 976 config.add_route_predicate("repo_route", RepoRoutePredicate)
980 977 config.add_route_predicate("repo_accepted_types", RepoTypeRoutePredicate)
981 978 config.add_route_predicate(
982 979 "repo_forbid_when_archived", RepoForbidArchivedRoutePredicate
983 980 )
984 981 config.add_route_predicate("repo_group_route", RepoGroupRoutePredicate)
985 982 config.add_route_predicate("user_group_route", UserGroupRoutePredicate)
986 983 config.add_route_predicate("user_route_with_default", UserRouteWithDefaultPredicate)
987 984 config.add_route_predicate("user_route", UserRoutePredicate)
@@ -1,295 +1,295 b''
1 1 # Copyright (C) 2012-2023 RhodeCode GmbH
2 2 #
3 3 # This program is free software: you can redistribute it and/or modify
4 4 # it under the terms of the GNU Affero General Public License, version 3
5 5 # (only), as published by the Free Software Foundation.
6 6 #
7 7 # This program is distributed in the hope that it will be useful,
8 8 # but WITHOUT ANY WARRANTY; without even the implied warranty of
9 9 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 10 # GNU General Public License for more details.
11 11 #
12 12 # You should have received a copy of the GNU Affero General Public License
13 13 # along with this program. If not, see <http://www.gnu.org/licenses/>.
14 14 #
15 15 # This program is dual-licensed. If you wish to learn more about the
16 16 # RhodeCode Enterprise Edition, including its added features, Support services,
17 17 # and proprietary license terms, please see https://rhodecode.com/licenses/
18 18
19 19 """
20 20 RhodeCode authentication plugin for Atlassian CROWD
21 21 """
22 22
23 23
24 24 import colander
25 25 import base64
26 26 import logging
27 27 import urllib.request
28 28 import urllib.error
29 29 import urllib.parse
30 30
31 31 from rhodecode.translation import _
32 32 from rhodecode.authentication.base import (
33 33 RhodeCodeExternalAuthPlugin, hybrid_property)
34 from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase
34 from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase, TwoFactorAuthnPluginSettingsSchemaMixin
35 35 from rhodecode.authentication.routes import AuthnPluginResourceBase
36 36 from rhodecode.lib.colander_utils import strip_whitespace
37 37 from rhodecode.lib.ext_json import json, formatted_json
38 38 from rhodecode.model.db import User
39 39
40 40 log = logging.getLogger(__name__)
41 41
42 42
43 43 def plugin_factory(plugin_id, *args, **kwargs):
44 44 """
45 45 Factory function that is called during plugin discovery.
46 46 It returns the plugin instance.
47 47 """
48 48 plugin = RhodeCodeAuthPlugin(plugin_id)
49 49 return plugin
50 50
51 51
52 52 class CrowdAuthnResource(AuthnPluginResourceBase):
53 53 pass
54 54
55 55
56 class CrowdSettingsSchema(AuthnPluginSettingsSchemaBase):
56 class CrowdSettingsSchema(TwoFactorAuthnPluginSettingsSchemaMixin, AuthnPluginSettingsSchemaBase):
57 57 host = colander.SchemaNode(
58 58 colander.String(),
59 59 default='127.0.0.1',
60 60 description=_('The FQDN or IP of the Atlassian CROWD Server'),
61 61 preparer=strip_whitespace,
62 62 title=_('Host'),
63 63 widget='string')
64 64 port = colander.SchemaNode(
65 65 colander.Int(),
66 66 default=8095,
67 67 description=_('The Port in use by the Atlassian CROWD Server'),
68 68 preparer=strip_whitespace,
69 69 title=_('Port'),
70 70 validator=colander.Range(min=0, max=65536),
71 71 widget='int')
72 72 app_name = colander.SchemaNode(
73 73 colander.String(),
74 74 default='',
75 75 description=_('The Application Name to authenticate to CROWD'),
76 76 preparer=strip_whitespace,
77 77 title=_('Application Name'),
78 78 widget='string')
79 79 app_password = colander.SchemaNode(
80 80 colander.String(),
81 81 default='',
82 82 description=_('The password to authenticate to CROWD'),
83 83 preparer=strip_whitespace,
84 84 title=_('Application Password'),
85 85 widget='password')
86 86 admin_groups = colander.SchemaNode(
87 87 colander.String(),
88 88 default='',
89 89 description=_('A comma separated list of group names that identify '
90 90 'users as RhodeCode Administrators'),
91 91 missing='',
92 92 preparer=strip_whitespace,
93 93 title=_('Admin Groups'),
94 94 widget='string')
95 95
96 96
97 97 class CrowdServer(object):
98 98 def __init__(self, *args, **kwargs):
99 99 """
100 100 Create a new CrowdServer object that points to IP/Address 'host',
101 101 on the given port, and using the given method (https/http). user and
102 102 passwd can be set here or with set_credentials. If unspecified,
103 103 "version" defaults to "latest".
104 104
105 105 example::
106 106
107 107 cserver = CrowdServer(host="127.0.0.1",
108 108 port="8095",
109 109 user="some_app",
110 110 passwd="some_passwd",
111 111 version="1")
112 112 """
113 113 if 'port' not in kwargs:
114 114 kwargs["port"] = "8095"
115 115 self._logger = kwargs.get("logger", logging.getLogger(__name__))
116 116 self._uri = "%s://%s:%s/crowd" % (kwargs.get("method", "http"),
117 117 kwargs.get("host", "127.0.0.1"),
118 118 kwargs.get("port", "8095"))
119 119 self.set_credentials(kwargs.get("user", ""),
120 120 kwargs.get("passwd", ""))
121 121 self._version = kwargs.get("version", "latest")
122 122 self._url_list = None
123 123 self._appname = "crowd"
124 124
125 125 def set_credentials(self, user, passwd):
126 126 self.user = user
127 127 self.passwd = passwd
128 128 self._make_opener()
129 129
130 130 def _make_opener(self):
131 131 mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
132 132 mgr.add_password(None, self._uri, self.user, self.passwd)
133 133 handler = urllib.request.HTTPBasicAuthHandler(mgr)
134 134 self.opener = urllib.request.build_opener(handler)
135 135
136 136 def _request(self, url, body=None, headers=None,
137 137 method=None, noformat=False,
138 138 empty_response_ok=False):
139 139 _headers = {"Content-type": "application/json",
140 140 "Accept": "application/json"}
141 141 if self.user and self.passwd:
142 142 authstring = base64.b64encode("{}:{}".format(self.user, self.passwd))
143 143 _headers["Authorization"] = "Basic %s" % authstring
144 144 if headers:
145 145 _headers.update(headers)
146 146 log.debug("Sent crowd: \n%s"
147 147 % (formatted_json({"url": url, "body": body,
148 148 "headers": _headers})))
149 149 request = urllib.request.Request(url, body, _headers)
150 150 if method:
151 151 request.get_method = lambda: method
152 152
153 153 global msg
154 154 msg = ""
155 155 try:
156 156 ret_doc = self.opener.open(request)
157 157 msg = ret_doc.read()
158 158 if not msg and empty_response_ok:
159 159 ret_val = {}
160 160 ret_val["status"] = True
161 161 ret_val["error"] = "Response body was empty"
162 162 elif not noformat:
163 163 ret_val = json.loads(msg)
164 164 ret_val["status"] = True
165 165 else:
166 166 ret_val = msg
167 167 except Exception as e:
168 168 if not noformat:
169 169 ret_val = {"status": False,
170 170 "body": body,
171 171 "error": f"{e}\n{msg}"}
172 172 else:
173 173 ret_val = None
174 174 return ret_val
175 175
176 176 def user_auth(self, username, password):
177 177 """Authenticate a user against crowd. Returns brief information about
178 178 the user."""
179 179 url = ("%s/rest/usermanagement/%s/authentication?username=%s"
180 180 % (self._uri, self._version, username))
181 181 body = json.dumps({"value": password})
182 182 return self._request(url, body)
183 183
184 184 def user_groups(self, username):
185 185 """Retrieve a list of groups to which this user belongs."""
186 186 url = ("%s/rest/usermanagement/%s/user/group/nested?username=%s"
187 187 % (self._uri, self._version, username))
188 188 return self._request(url)
189 189
190 190
191 191 class RhodeCodeAuthPlugin(RhodeCodeExternalAuthPlugin):
192 192 uid = 'crowd'
193 193 _settings_unsafe_keys = ['app_password']
194 194
195 195 def includeme(self, config):
196 196 config.add_authn_plugin(self)
197 197 config.add_authn_resource(self.get_id(), CrowdAuthnResource(self))
198 198 config.add_view(
199 199 'rhodecode.authentication.views.AuthnPluginViewBase',
200 200 attr='settings_get',
201 201 renderer='rhodecode:templates/admin/auth/plugin_settings.mako',
202 202 request_method='GET',
203 203 route_name='auth_home',
204 204 context=CrowdAuthnResource)
205 205 config.add_view(
206 206 'rhodecode.authentication.views.AuthnPluginViewBase',
207 207 attr='settings_post',
208 208 renderer='rhodecode:templates/admin/auth/plugin_settings.mako',
209 209 request_method='POST',
210 210 route_name='auth_home',
211 211 context=CrowdAuthnResource)
212 212
213 213 def get_settings_schema(self):
214 214 return CrowdSettingsSchema()
215 215
216 216 def get_display_name(self, load_from_settings=False):
217 217 return _('CROWD')
218 218
219 219 @classmethod
220 220 def docs(cls):
221 221 return "https://docs.rhodecode.com/RhodeCode-Enterprise/auth/auth-crowd.html"
222 222
223 223 @hybrid_property
224 224 def name(self):
225 225 return "crowd"
226 226
227 227 def use_fake_password(self):
228 228 return True
229 229
230 230 def user_activation_state(self):
231 231 def_user_perms = User.get_default_user().AuthUser().permissions['global']
232 232 return 'hg.extern_activate.auto' in def_user_perms
233 233
234 234 def auth(self, userobj, username, password, settings, **kwargs):
235 235 """
236 236 Given a user object (which may be null), username, a plaintext password,
237 237 and a settings object (containing all the keys needed as listed in settings()),
238 238 authenticate this user's login attempt.
239 239
240 240 Return None on failure. On success, return a dictionary of the form:
241 241
242 242 see: RhodeCodeAuthPluginBase.auth_func_attrs
243 243 This is later validated for correctness
244 244 """
245 245 if not username or not password:
246 246 log.debug('Empty username or password skipping...')
247 247 return None
248 248
249 249 log.debug("Crowd settings: \n%s", formatted_json(settings))
250 250 server = CrowdServer(**settings)
251 251 server.set_credentials(settings["app_name"], settings["app_password"])
252 252 crowd_user = server.user_auth(username, password)
253 253 log.debug("Crowd returned: \n%s", formatted_json(crowd_user))
254 254 if not crowd_user["status"]:
255 255 return None
256 256
257 257 res = server.user_groups(crowd_user["name"])
258 258 log.debug("Crowd groups: \n%s", formatted_json(res))
259 259 crowd_user["groups"] = [x["name"] for x in res["groups"]]
260 260
261 261 # old attrs fetched from RhodeCode database
262 262 admin = getattr(userobj, 'admin', False)
263 263 active = getattr(userobj, 'active', True)
264 264 email = getattr(userobj, 'email', '')
265 265 username = getattr(userobj, 'username', username)
266 266 firstname = getattr(userobj, 'firstname', '')
267 267 lastname = getattr(userobj, 'lastname', '')
268 268 extern_type = getattr(userobj, 'extern_type', '')
269 269
270 270 user_attrs = {
271 271 'username': username,
272 272 'firstname': crowd_user["first-name"] or firstname,
273 273 'lastname': crowd_user["last-name"] or lastname,
274 274 'groups': crowd_user["groups"],
275 275 'user_group_sync': True,
276 276 'email': crowd_user["email"] or email,
277 277 'admin': admin,
278 278 'active': active,
279 279 'active_from_extern': crowd_user.get('active'),
280 280 'extern_name': crowd_user["name"],
281 281 'extern_type': extern_type,
282 282 }
283 283
284 284 # set an admin if we're in admin_groups of crowd
285 285 for group in settings["admin_groups"]:
286 286 if group in user_attrs["groups"]:
287 287 user_attrs["admin"] = True
288 288 log.debug("Final crowd user object: \n%s", formatted_json(user_attrs))
289 289 log.info('user `%s` authenticated correctly', user_attrs['username'])
290 290 return user_attrs
291 291
292 292
293 293 def includeme(config):
294 294 plugin_id = f'egg:rhodecode-enterprise-ce#{RhodeCodeAuthPlugin.uid}'
295 295 plugin_factory(plugin_id).includeme(config)
@@ -1,173 +1,173 b''
1 1 # Copyright (C) 2012-2023 RhodeCode GmbH
2 2 #
3 3 # This program is free software: you can redistribute it and/or modify
4 4 # it under the terms of the GNU Affero General Public License, version 3
5 5 # (only), as published by the Free Software Foundation.
6 6 #
7 7 # This program is distributed in the hope that it will be useful,
8 8 # but WITHOUT ANY WARRANTY; without even the implied warranty of
9 9 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 10 # GNU General Public License for more details.
11 11 #
12 12 # You should have received a copy of the GNU Affero General Public License
13 13 # along with this program. If not, see <http://www.gnu.org/licenses/>.
14 14 #
15 15 # This program is dual-licensed. If you wish to learn more about the
16 16 # RhodeCode Enterprise Edition, including its added features, Support services,
17 17 # and proprietary license terms, please see https://rhodecode.com/licenses/
18 18
19 19 """
20 20 RhodeCode authentication plugin for Jasig CAS
21 21 http://www.jasig.org/cas
22 22 """
23 23
24 24
25 25 import colander
26 26 import logging
27 27 import rhodecode
28 28 import urllib.request
29 29 import urllib.parse
30 30 import urllib.error
31 31
32 32
33 33 from rhodecode.translation import _
34 34 from rhodecode.authentication.base import (
35 35 RhodeCodeExternalAuthPlugin, hybrid_property)
36 from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase
36 from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase, TwoFactorAuthnPluginSettingsSchemaMixin
37 37 from rhodecode.authentication.routes import AuthnPluginResourceBase
38 38 from rhodecode.lib.colander_utils import strip_whitespace
39 39 from rhodecode.model.db import User
40 40 from rhodecode.lib.str_utils import safe_str
41 41
42 42 log = logging.getLogger(__name__)
43 43
44 44
45 45 def plugin_factory(plugin_id, *args, **kwargs):
46 46 """
47 47 Factory function that is called during plugin discovery.
48 48 It returns the plugin instance.
49 49 """
50 50 plugin = RhodeCodeAuthPlugin(plugin_id)
51 51 return plugin
52 52
53 53
54 54 class JasigCasAuthnResource(AuthnPluginResourceBase):
55 55 pass
56 56
57 57
58 class JasigCasSettingsSchema(AuthnPluginSettingsSchemaBase):
58 class JasigCasSettingsSchema(TwoFactorAuthnPluginSettingsSchemaMixin, AuthnPluginSettingsSchemaBase):
59 59 service_url = colander.SchemaNode(
60 60 colander.String(),
61 61 default='https://domain.com/cas/v1/tickets',
62 62 description=_('The url of the Jasig CAS REST service'),
63 63 preparer=strip_whitespace,
64 64 title=_('URL'),
65 65 widget='string')
66 66
67 67
68 68 class RhodeCodeAuthPlugin(RhodeCodeExternalAuthPlugin):
69 69 uid = 'jasig_cas'
70 70
71 71 def includeme(self, config):
72 72 config.add_authn_plugin(self)
73 73 config.add_authn_resource(self.get_id(), JasigCasAuthnResource(self))
74 74 config.add_view(
75 75 'rhodecode.authentication.views.AuthnPluginViewBase',
76 76 attr='settings_get',
77 77 renderer='rhodecode:templates/admin/auth/plugin_settings.mako',
78 78 request_method='GET',
79 79 route_name='auth_home',
80 80 context=JasigCasAuthnResource)
81 81 config.add_view(
82 82 'rhodecode.authentication.views.AuthnPluginViewBase',
83 83 attr='settings_post',
84 84 renderer='rhodecode:templates/admin/auth/plugin_settings.mako',
85 85 request_method='POST',
86 86 route_name='auth_home',
87 87 context=JasigCasAuthnResource)
88 88
89 89 def get_settings_schema(self):
90 90 return JasigCasSettingsSchema()
91 91
92 92 def get_display_name(self, load_from_settings=False):
93 93 return _('Jasig-CAS')
94 94
95 95 @hybrid_property
96 96 def name(self):
97 97 return "jasig-cas"
98 98
99 99 @property
100 100 def is_headers_auth(self):
101 101 return True
102 102
103 103 def use_fake_password(self):
104 104 return True
105 105
106 106 def user_activation_state(self):
107 107 def_user_perms = User.get_default_user().AuthUser().permissions['global']
108 108 return 'hg.extern_activate.auto' in def_user_perms
109 109
110 110 def auth(self, userobj, username, password, settings, **kwargs):
111 111 """
112 112 Given a user object (which may be null), username, a plaintext password,
113 113 and a settings object (containing all the keys needed as listed in settings()),
114 114 authenticate this user's login attempt.
115 115
116 116 Return None on failure. On success, return a dictionary of the form:
117 117
118 118 see: RhodeCodeAuthPluginBase.auth_func_attrs
119 119 This is later validated for correctness
120 120 """
121 121 if not username or not password:
122 122 log.debug('Empty username or password skipping...')
123 123 return None
124 124
125 125 log.debug("Jasig CAS settings: %s", settings)
126 126 params = urllib.parse.urlencode({'username': username, 'password': password})
127 127 headers = {"Content-type": "application/x-www-form-urlencoded",
128 128 "Accept": "text/plain",
129 129 "User-Agent": "RhodeCode-auth-%s" % rhodecode.__version__}
130 130 url = settings["service_url"]
131 131
132 132 log.debug("Sent Jasig CAS: \n%s",
133 133 {"url": url, "body": params, "headers": headers})
134 134 request = urllib.request.Request(url, params, headers)
135 135 try:
136 136 urllib.request.urlopen(request)
137 137 except urllib.error.HTTPError as e:
138 138 log.debug("HTTPError when requesting Jasig CAS (status code: %d)", e.code)
139 139 return None
140 140 except urllib.error.URLError as e:
141 141 log.debug("URLError when requesting Jasig CAS url: %s %s", url, e)
142 142 return None
143 143
144 144 # old attrs fetched from RhodeCode database
145 145 admin = getattr(userobj, 'admin', False)
146 146 active = getattr(userobj, 'active', True)
147 147 email = getattr(userobj, 'email', '')
148 148 username = getattr(userobj, 'username', username)
149 149 firstname = getattr(userobj, 'firstname', '')
150 150 lastname = getattr(userobj, 'lastname', '')
151 151 extern_type = getattr(userobj, 'extern_type', '')
152 152
153 153 user_attrs = {
154 154 'username': username,
155 155 'firstname': safe_str(firstname or username),
156 156 'lastname': safe_str(lastname or ''),
157 157 'groups': [],
158 158 'user_group_sync': False,
159 159 'email': email or '',
160 160 'admin': admin or False,
161 161 'active': active,
162 162 'active_from_extern': True,
163 163 'extern_name': username,
164 164 'extern_type': extern_type,
165 165 }
166 166
167 167 log.info('user `%s` authenticated correctly', user_attrs['username'])
168 168 return user_attrs
169 169
170 170
171 171 def includeme(config):
172 172 plugin_id = f'egg:rhodecode-enterprise-ce#{RhodeCodeAuthPlugin.uid}'
173 173 plugin_factory(plugin_id).includeme(config)
@@ -1,550 +1,550 b''
1 1 # Copyright (C) 2010-2023 RhodeCode GmbH
2 2 #
3 3 # This program is free software: you can redistribute it and/or modify
4 4 # it under the terms of the GNU Affero General Public License, version 3
5 5 # (only), as published by the Free Software Foundation.
6 6 #
7 7 # This program is distributed in the hope that it will be useful,
8 8 # but WITHOUT ANY WARRANTY; without even the implied warranty of
9 9 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 10 # GNU General Public License for more details.
11 11 #
12 12 # You should have received a copy of the GNU Affero General Public License
13 13 # along with this program. If not, see <http://www.gnu.org/licenses/>.
14 14 #
15 15 # This program is dual-licensed. If you wish to learn more about the
16 16 # RhodeCode Enterprise Edition, including its added features, Support services,
17 17 # and proprietary license terms, please see https://rhodecode.com/licenses/
18 18
19 19 """
20 20 RhodeCode authentication plugin for LDAP
21 21 """
22 22
23 23 import logging
24 24 import traceback
25 25
26 26 import colander
27 27 from rhodecode.translation import _
28 28 from rhodecode.authentication.base import (
29 29 RhodeCodeExternalAuthPlugin, AuthLdapBase, hybrid_property)
30 from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase
30 from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase, TwoFactorAuthnPluginSettingsSchemaMixin
31 31 from rhodecode.authentication.routes import AuthnPluginResourceBase
32 32 from rhodecode.lib.colander_utils import strip_whitespace
33 33 from rhodecode.lib.exceptions import (
34 34 LdapConnectionError, LdapUsernameError, LdapPasswordError, LdapImportError
35 35 )
36 36 from rhodecode.lib.str_utils import safe_str
37 37 from rhodecode.model.db import User
38 38 from rhodecode.model.validators import Missing
39 39
40 40 log = logging.getLogger(__name__)
41 41
42 42 try:
43 43 import ldap
44 44 except ImportError:
45 45 # means that python-ldap is not installed, we use Missing object to mark
46 46 # ldap lib is Missing
47 47 ldap = Missing
48 48
49 49
50 50 class LdapError(Exception):
51 51 pass
52 52
53 53
54 54 def plugin_factory(plugin_id, *args, **kwargs):
55 55 """
56 56 Factory function that is called during plugin discovery.
57 57 It returns the plugin instance.
58 58 """
59 59 plugin = RhodeCodeAuthPlugin(plugin_id)
60 60 return plugin
61 61
62 62
63 63 class LdapAuthnResource(AuthnPluginResourceBase):
64 64 pass
65 65
66 66
67 67 class AuthLdap(AuthLdapBase):
68 68 default_tls_cert_dir = '/etc/openldap/cacerts'
69 69
70 70 scope_labels = {
71 71 ldap.SCOPE_BASE: 'SCOPE_BASE',
72 72 ldap.SCOPE_ONELEVEL: 'SCOPE_ONELEVEL',
73 73 ldap.SCOPE_SUBTREE: 'SCOPE_SUBTREE',
74 74 }
75 75
76 76 def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='',
77 77 tls_kind='PLAIN', tls_reqcert='DEMAND', tls_cert_file=None,
78 78 tls_cert_dir=None, ldap_version=3,
79 79 search_scope='SUBTREE', attr_login='uid',
80 80 ldap_filter='', timeout=None):
81 81 if ldap == Missing:
82 82 raise LdapImportError("Missing or incompatible ldap library")
83 83
84 84 self.debug = False
85 85 self.timeout = timeout or 60 * 5
86 86 self.ldap_version = ldap_version
87 87 self.ldap_server_type = 'ldap'
88 88
89 89 self.TLS_KIND = tls_kind
90 90
91 91 if self.TLS_KIND == 'LDAPS':
92 92 port = port or 636
93 93 self.ldap_server_type += 's'
94 94
95 95 OPT_X_TLS_DEMAND = 2
96 96 self.TLS_REQCERT = getattr(ldap, 'OPT_X_TLS_%s' % tls_reqcert, OPT_X_TLS_DEMAND)
97 97 self.TLS_CERT_FILE = tls_cert_file or ''
98 98 self.TLS_CERT_DIR = tls_cert_dir or self.default_tls_cert_dir
99 99
100 100 # split server into list
101 101 self.SERVER_ADDRESSES = self._get_server_list(server)
102 102 self.LDAP_SERVER_PORT = port
103 103
104 104 # USE FOR READ ONLY BIND TO LDAP SERVER
105 105 self.attr_login = attr_login
106 106
107 107 self.LDAP_BIND_DN = safe_str(bind_dn)
108 108 self.LDAP_BIND_PASS = safe_str(bind_pass)
109 109
110 110 self.SEARCH_SCOPE = getattr(ldap, 'SCOPE_%s' % search_scope)
111 111 self.BASE_DN = safe_str(base_dn)
112 112 self.LDAP_FILTER = safe_str(ldap_filter)
113 113
114 114 def _get_ldap_conn(self):
115 115
116 116 if self.debug:
117 117 ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)
118 118
119 119 if self.TLS_CERT_FILE and hasattr(ldap, 'OPT_X_TLS_CACERTFILE'):
120 120 ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.TLS_CERT_FILE)
121 121
122 122 elif hasattr(ldap, 'OPT_X_TLS_CACERTDIR'):
123 123 ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, self.TLS_CERT_DIR)
124 124
125 125 if self.TLS_KIND != 'PLAIN':
126 126 ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT)
127 127
128 128 ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
129 129 ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON)
130 130
131 131 # init connection now
132 132 ldap_servers = self._build_servers(
133 133 self.ldap_server_type, self.SERVER_ADDRESSES, self.LDAP_SERVER_PORT)
134 134 log.debug('initializing LDAP connection to:%s', ldap_servers)
135 135 ldap_conn = ldap.initialize(ldap_servers)
136 136 ldap_conn.set_option(ldap.OPT_NETWORK_TIMEOUT, self.timeout)
137 137 ldap_conn.set_option(ldap.OPT_TIMEOUT, self.timeout)
138 138 ldap_conn.timeout = self.timeout
139 139
140 140 if self.ldap_version == 2:
141 141 ldap_conn.protocol = ldap.VERSION2
142 142 else:
143 143 ldap_conn.protocol = ldap.VERSION3
144 144
145 145 if self.TLS_KIND == 'START_TLS':
146 146 ldap_conn.start_tls_s()
147 147
148 148 if self.LDAP_BIND_DN and self.LDAP_BIND_PASS:
149 149 log.debug('Trying simple_bind with password and given login DN: %r',
150 150 self.LDAP_BIND_DN)
151 151 ldap_conn.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)
152 152 log.debug('simple_bind successful')
153 153 return ldap_conn
154 154
155 155 def fetch_attrs_from_simple_bind(self, ldap_conn, dn, username, password):
156 156 scope = ldap.SCOPE_BASE
157 157 scope_label = self.scope_labels.get(scope)
158 158 ldap_filter = '(objectClass=*)'
159 159
160 160 try:
161 161 log.debug('Trying authenticated search bind with dn: %r SCOPE: %s (and filter: %s)',
162 162 dn, scope_label, ldap_filter)
163 163 ldap_conn.simple_bind_s(dn, safe_str(password))
164 164 response = ldap_conn.search_ext_s(dn, scope, ldap_filter, attrlist=['*', '+'])
165 165
166 166 if not response:
167 167 log.error('search bind returned empty results: %r', response)
168 168 return {}
169 169 else:
170 170 _dn, attrs = response[0]
171 171 return attrs
172 172
173 173 except ldap.INVALID_CREDENTIALS:
174 174 log.debug("LDAP rejected password for user '%s': %s, org_exc:",
175 175 username, dn, exc_info=True)
176 176
177 177 def authenticate_ldap(self, username, password):
178 178 """
179 179 Authenticate a user via LDAP and return his/her LDAP properties.
180 180
181 181 Raises AuthenticationError if the credentials are rejected, or
182 182 EnvironmentError if the LDAP server can't be reached.
183 183
184 184 :param username: username
185 185 :param password: password
186 186 """
187 187
188 188 uid = self.get_uid(username, self.SERVER_ADDRESSES)
189 189 user_attrs = {}
190 190 dn = ''
191 191
192 192 self.validate_password(username, password)
193 193 self.validate_username(username)
194 194 scope_label = self.scope_labels.get(self.SEARCH_SCOPE)
195 195
196 196 ldap_conn = None
197 197 try:
198 198 ldap_conn = self._get_ldap_conn()
199 199 filter_ = '(&{}({}={}))'.format(
200 200 self.LDAP_FILTER, self.attr_login, username)
201 201 log.debug("Authenticating %r filter %s and scope: %s",
202 202 self.BASE_DN, filter_, scope_label)
203 203
204 204 ldap_objects = ldap_conn.search_ext_s(
205 205 self.BASE_DN, self.SEARCH_SCOPE, filter_, attrlist=['*', '+'])
206 206
207 207 if not ldap_objects:
208 208 log.debug("No matching LDAP objects for authentication "
209 209 "of UID:'%s' username:(%s)", uid, username)
210 210 raise ldap.NO_SUCH_OBJECT()
211 211
212 212 log.debug('Found %s matching ldap object[s], trying to authenticate on each one now...', len(ldap_objects))
213 213 for (dn, _attrs) in ldap_objects:
214 214 if dn is None:
215 215 continue
216 216
217 217 user_attrs = self.fetch_attrs_from_simple_bind(
218 218 ldap_conn, dn, username, password)
219 219
220 220 if user_attrs:
221 221 log.debug('Got authenticated user attributes from DN:%s', dn)
222 222 break
223 223 else:
224 224 raise LdapPasswordError(
225 225 f'Failed to authenticate user `{username}` with given password')
226 226
227 227 except ldap.NO_SUCH_OBJECT:
228 228 log.debug("LDAP says no such user '%s' (%s), org_exc:",
229 229 uid, username, exc_info=True)
230 230 raise LdapUsernameError('Unable to find user')
231 231 except ldap.SERVER_DOWN:
232 232 org_exc = traceback.format_exc()
233 233 raise LdapConnectionError(
234 234 "LDAP can't access authentication server, org_exc:%s" % org_exc)
235 235 finally:
236 236 if ldap_conn:
237 237 log.debug('ldap: connection release')
238 238 try:
239 239 ldap_conn.unbind_s()
240 240 except Exception:
241 241 # for any reason this can raise exception we must catch it
242 242 # to not crush the server
243 243 pass
244 244
245 245 return dn, user_attrs
246 246
247 247
248 class LdapSettingsSchema(AuthnPluginSettingsSchemaBase):
248 class LdapSettingsSchema(TwoFactorAuthnPluginSettingsSchemaMixin, AuthnPluginSettingsSchemaBase):
249 249 tls_kind_choices = ['PLAIN', 'LDAPS', 'START_TLS']
250 250 tls_reqcert_choices = ['NEVER', 'ALLOW', 'TRY', 'DEMAND', 'HARD']
251 251 search_scope_choices = ['BASE', 'ONELEVEL', 'SUBTREE']
252 252
253 253 host = colander.SchemaNode(
254 254 colander.String(),
255 255 default='',
256 256 description=_('Host[s] of the LDAP Server \n'
257 257 '(e.g., 192.168.2.154, or ldap-server.domain.com.\n '
258 258 'Multiple servers can be specified using commas'),
259 259 preparer=strip_whitespace,
260 260 title=_('LDAP Host'),
261 261 widget='string')
262 262 port = colander.SchemaNode(
263 263 colander.Int(),
264 264 default=389,
265 265 description=_('Custom port that the LDAP server is listening on. '
266 266 'Default value is: 389, use 636 for LDAPS (SSL)'),
267 267 preparer=strip_whitespace,
268 268 title=_('Port'),
269 269 validator=colander.Range(min=0, max=65536),
270 270 widget='int')
271 271
272 272 timeout = colander.SchemaNode(
273 273 colander.Int(),
274 274 default=60 * 5,
275 275 description=_('Timeout for LDAP connection'),
276 276 preparer=strip_whitespace,
277 277 title=_('Connection timeout'),
278 278 validator=colander.Range(min=1),
279 279 widget='int')
280 280
281 281 dn_user = colander.SchemaNode(
282 282 colander.String(),
283 283 default='',
284 284 description=_('Optional user DN/account to connect to LDAP if authentication is required. \n'
285 285 'e.g., cn=admin,dc=mydomain,dc=com, or '
286 286 'uid=root,cn=users,dc=mydomain,dc=com, or admin@mydomain.com'),
287 287 missing='',
288 288 preparer=strip_whitespace,
289 289 title=_('Bind account'),
290 290 widget='string')
291 291 dn_pass = colander.SchemaNode(
292 292 colander.String(),
293 293 default='',
294 294 description=_('Password to authenticate for given user DN.'),
295 295 missing='',
296 296 preparer=strip_whitespace,
297 297 title=_('Bind account password'),
298 298 widget='password')
299 299 tls_kind = colander.SchemaNode(
300 300 colander.String(),
301 301 default=tls_kind_choices[0],
302 302 description=_('TLS Type'),
303 303 title=_('Connection Security'),
304 304 validator=colander.OneOf(tls_kind_choices),
305 305 widget='select')
306 306 tls_reqcert = colander.SchemaNode(
307 307 colander.String(),
308 308 default=tls_reqcert_choices[0],
309 309 description=_('Require Cert over TLS?. Self-signed and custom '
310 310 'certificates can be used when\n `RhodeCode Certificate` '
311 311 'found in admin > settings > system info page is extended.'),
312 312 title=_('Certificate Checks'),
313 313 validator=colander.OneOf(tls_reqcert_choices),
314 314 widget='select')
315 315 tls_cert_file = colander.SchemaNode(
316 316 colander.String(),
317 317 default='',
318 318 description=_('This specifies the PEM-format file path containing '
319 319 'certificates for use in TLS connection.\n'
320 320 'If not specified `TLS Cert dir` will be used'),
321 321 title=_('TLS Cert file'),
322 322 missing='',
323 323 widget='string')
324 324 tls_cert_dir = colander.SchemaNode(
325 325 colander.String(),
326 326 default=AuthLdap.default_tls_cert_dir,
327 327 description=_('This specifies the path of a directory that contains individual '
328 328 'CA certificates in separate files.'),
329 329 title=_('TLS Cert dir'),
330 330 widget='string')
331 331 base_dn = colander.SchemaNode(
332 332 colander.String(),
333 333 default='',
334 334 description=_('Base DN to search. Dynamic bind is supported. Add `$login` marker '
335 335 'in it to be replaced with current user username \n'
336 336 '(e.g., dc=mydomain,dc=com, or ou=Users,dc=mydomain,dc=com)'),
337 337 missing='',
338 338 preparer=strip_whitespace,
339 339 title=_('Base DN'),
340 340 widget='string')
341 341 filter = colander.SchemaNode(
342 342 colander.String(),
343 343 default='',
344 344 description=_('Filter to narrow results \n'
345 345 '(e.g., (&(objectCategory=Person)(objectClass=user)), or \n'
346 346 '(memberof=cn=rc-login,ou=groups,ou=company,dc=mydomain,dc=com)))'),
347 347 missing='',
348 348 preparer=strip_whitespace,
349 349 title=_('LDAP Search Filter'),
350 350 widget='string')
351 351
352 352 search_scope = colander.SchemaNode(
353 353 colander.String(),
354 354 default=search_scope_choices[2],
355 355 description=_('How deep to search LDAP. If unsure set to SUBTREE'),
356 356 title=_('LDAP Search Scope'),
357 357 validator=colander.OneOf(search_scope_choices),
358 358 widget='select')
359 359 attr_login = colander.SchemaNode(
360 360 colander.String(),
361 361 default='uid',
362 362 description=_('LDAP Attribute to map to user name (e.g., uid, or sAMAccountName)'),
363 363 preparer=strip_whitespace,
364 364 title=_('Login Attribute'),
365 365 missing_msg=_('The LDAP Login attribute of the CN must be specified'),
366 366 widget='string')
367 367 attr_email = colander.SchemaNode(
368 368 colander.String(),
369 369 default='',
370 370 description=_('LDAP Attribute to map to email address (e.g., mail).\n'
371 371 'Emails are a crucial part of RhodeCode. \n'
372 372 'If possible add a valid email attribute to ldap users.'),
373 373 missing='',
374 374 preparer=strip_whitespace,
375 375 title=_('Email Attribute'),
376 376 widget='string')
377 377 attr_firstname = colander.SchemaNode(
378 378 colander.String(),
379 379 default='',
380 380 description=_('LDAP Attribute to map to first name (e.g., givenName)'),
381 381 missing='',
382 382 preparer=strip_whitespace,
383 383 title=_('First Name Attribute'),
384 384 widget='string')
385 385 attr_lastname = colander.SchemaNode(
386 386 colander.String(),
387 387 default='',
388 388 description=_('LDAP Attribute to map to last name (e.g., sn)'),
389 389 missing='',
390 390 preparer=strip_whitespace,
391 391 title=_('Last Name Attribute'),
392 392 widget='string')
393 393
394 394
395 395 class RhodeCodeAuthPlugin(RhodeCodeExternalAuthPlugin):
396 396 uid = 'ldap'
397 397 # used to define dynamic binding in the
398 398 DYNAMIC_BIND_VAR = '$login'
399 399 _settings_unsafe_keys = ['dn_pass']
400 400
401 401 def includeme(self, config):
402 402 config.add_authn_plugin(self)
403 403 config.add_authn_resource(self.get_id(), LdapAuthnResource(self))
404 404 config.add_view(
405 405 'rhodecode.authentication.views.AuthnPluginViewBase',
406 406 attr='settings_get',
407 407 renderer='rhodecode:templates/admin/auth/plugin_settings.mako',
408 408 request_method='GET',
409 409 route_name='auth_home',
410 410 context=LdapAuthnResource)
411 411 config.add_view(
412 412 'rhodecode.authentication.views.AuthnPluginViewBase',
413 413 attr='settings_post',
414 414 renderer='rhodecode:templates/admin/auth/plugin_settings.mako',
415 415 request_method='POST',
416 416 route_name='auth_home',
417 417 context=LdapAuthnResource)
418 418
419 419 def get_settings_schema(self):
420 420 return LdapSettingsSchema()
421 421
422 422 def get_display_name(self, load_from_settings=False):
423 423 return _('LDAP')
424 424
425 425 @classmethod
426 426 def docs(cls):
427 427 return "https://docs.rhodecode.com/RhodeCode-Enterprise/auth/auth-ldap.html"
428 428
429 429 @hybrid_property
430 430 def name(self):
431 431 return "ldap"
432 432
433 433 def use_fake_password(self):
434 434 return True
435 435
436 436 def user_activation_state(self):
437 437 def_user_perms = User.get_default_user().AuthUser().permissions['global']
438 438 return 'hg.extern_activate.auto' in def_user_perms
439 439
440 440 def try_dynamic_binding(self, username, password, current_args):
441 441 """
442 442 Detects marker inside our original bind, and uses dynamic auth if
443 443 present
444 444 """
445 445
446 446 org_bind = current_args['bind_dn']
447 447 passwd = current_args['bind_pass']
448 448
449 449 def has_bind_marker(_username):
450 450 if self.DYNAMIC_BIND_VAR in _username:
451 451 return True
452 452
453 453 # we only passed in user with "special" variable
454 454 if org_bind and has_bind_marker(org_bind) and not passwd:
455 455 log.debug('Using dynamic user/password binding for ldap '
456 456 'authentication. Replacing `%s` with username',
457 457 self.DYNAMIC_BIND_VAR)
458 458 current_args['bind_dn'] = org_bind.replace(
459 459 self.DYNAMIC_BIND_VAR, username)
460 460 current_args['bind_pass'] = password
461 461
462 462 return current_args
463 463
464 464 def auth(self, userobj, username, password, settings, **kwargs):
465 465 """
466 466 Given a user object (which may be null), username, a plaintext password,
467 467 and a settings object (containing all the keys needed as listed in
468 468 settings()), authenticate this user's login attempt.
469 469
470 470 Return None on failure. On success, return a dictionary of the form:
471 471
472 472 see: RhodeCodeAuthPluginBase.auth_func_attrs
473 473 This is later validated for correctness
474 474 """
475 475
476 476 if not username or not password:
477 477 log.debug('Empty username or password skipping...')
478 478 return None
479 479
480 480 ldap_args = {
481 481 'server': settings.get('host', ''),
482 482 'base_dn': settings.get('base_dn', ''),
483 483 'port': settings.get('port'),
484 484 'bind_dn': settings.get('dn_user'),
485 485 'bind_pass': settings.get('dn_pass'),
486 486 'tls_kind': settings.get('tls_kind'),
487 487 'tls_reqcert': settings.get('tls_reqcert'),
488 488 'tls_cert_file': settings.get('tls_cert_file'),
489 489 'tls_cert_dir': settings.get('tls_cert_dir'),
490 490 'search_scope': settings.get('search_scope'),
491 491 'attr_login': settings.get('attr_login'),
492 492 'ldap_version': 3,
493 493 'ldap_filter': settings.get('filter'),
494 494 'timeout': settings.get('timeout')
495 495 }
496 496
497 497 ldap_attrs = self.try_dynamic_binding(username, password, ldap_args)
498 498
499 499 log.debug('Checking for ldap authentication.')
500 500
501 501 try:
502 502 auth_ldap = AuthLdap(**ldap_args)
503 503 (user_dn, ldap_attrs) = auth_ldap.authenticate_ldap(username, password)
504 504 log.debug('Got ldap DN response %s', user_dn)
505 505
506 506 def get_ldap_attr(k) -> str:
507 507 return safe_str(ldap_attrs.get(settings.get(k), [b''])[0])
508 508
509 509 # old attrs fetched from RhodeCode database
510 510 admin = getattr(userobj, 'admin', False)
511 511 active = getattr(userobj, 'active', True)
512 512 email = getattr(userobj, 'email', '')
513 513 username = getattr(userobj, 'username', username)
514 514 firstname = getattr(userobj, 'firstname', '')
515 515 lastname = getattr(userobj, 'lastname', '')
516 516 extern_type = getattr(userobj, 'extern_type', '')
517 517
518 518 groups = []
519 519
520 520 user_attrs = {
521 521 'username': username,
522 522 'firstname': get_ldap_attr('attr_firstname') or firstname,
523 523 'lastname': get_ldap_attr('attr_lastname') or lastname,
524 524 'groups': groups,
525 525 'user_group_sync': False,
526 526 'email': get_ldap_attr('attr_email') or email,
527 527 'admin': admin,
528 528 'active': active,
529 529 'active_from_extern': None,
530 530 'extern_name': user_dn,
531 531 'extern_type': extern_type,
532 532 }
533 533
534 534 log.debug('ldap user: %s', user_attrs)
535 535 log.info('user `%s` authenticated correctly', user_attrs['username'],
536 536 extra={"action": "user_auth_ok", "auth_module": "auth_ldap", "username": user_attrs["username"]})
537 537
538 538 return user_attrs
539 539
540 540 except (LdapUsernameError, LdapPasswordError, LdapImportError):
541 541 log.exception("LDAP related exception")
542 542 return None
543 543 except (Exception,):
544 544 log.exception("Other exception")
545 545 return None
546 546
547 547
548 548 def includeme(config):
549 549 plugin_id = f'egg:rhodecode-enterprise-ce#{RhodeCodeAuthPlugin.uid}'
550 550 plugin_factory(plugin_id).includeme(config)
@@ -1,170 +1,170 b''
1 1 # Copyright (C) 2012-2023 RhodeCode GmbH
2 2 #
3 3 # This program is free software: you can redistribute it and/or modify
4 4 # it under the terms of the GNU Affero General Public License, version 3
5 5 # (only), as published by the Free Software Foundation.
6 6 #
7 7 # This program is distributed in the hope that it will be useful,
8 8 # but WITHOUT ANY WARRANTY; without even the implied warranty of
9 9 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 10 # GNU General Public License for more details.
11 11 #
12 12 # You should have received a copy of the GNU Affero General Public License
13 13 # along with this program. If not, see <http://www.gnu.org/licenses/>.
14 14 #
15 15 # This program is dual-licensed. If you wish to learn more about the
16 16 # RhodeCode Enterprise Edition, including its added features, Support services,
17 17 # and proprietary license terms, please see https://rhodecode.com/licenses/
18 18
19 19 """
20 20 RhodeCode authentication library for PAM
21 21 """
22 22
23 23 import colander
24 24 import grp
25 25 import logging
26 26 import pam
27 27 import pwd
28 28 import re
29 29 import socket
30 30
31 31 from rhodecode.translation import _
32 32 from rhodecode.authentication.base import (
33 33 RhodeCodeExternalAuthPlugin, hybrid_property)
34 from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase
34 from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase, TwoFactorAuthnPluginSettingsSchemaMixin
35 35 from rhodecode.authentication.routes import AuthnPluginResourceBase
36 36 from rhodecode.lib.colander_utils import strip_whitespace
37 37
38 38 log = logging.getLogger(__name__)
39 39
40 40
41 41 def plugin_factory(plugin_id, *args, **kwargs):
42 42 """
43 43 Factory function that is called during plugin discovery.
44 44 It returns the plugin instance.
45 45 """
46 46 plugin = RhodeCodeAuthPlugin(plugin_id)
47 47 return plugin
48 48
49 49
50 50 class PamAuthnResource(AuthnPluginResourceBase):
51 51 pass
52 52
53 53
54 class PamSettingsSchema(AuthnPluginSettingsSchemaBase):
54 class PamSettingsSchema(TwoFactorAuthnPluginSettingsSchemaMixin, AuthnPluginSettingsSchemaBase):
55 55 service = colander.SchemaNode(
56 56 colander.String(),
57 57 default='login',
58 58 description=_('PAM service name to use for authentication.'),
59 59 preparer=strip_whitespace,
60 60 title=_('PAM service name'),
61 61 widget='string')
62 62 gecos = colander.SchemaNode(
63 63 colander.String(),
64 64 default=r'(?P<last_name>.+),\s*(?P<first_name>\w+)',
65 65 description=_('Regular expression for extracting user name/email etc. '
66 66 'from Unix userinfo.'),
67 67 preparer=strip_whitespace,
68 68 title=_('Gecos Regex'),
69 69 widget='string')
70 70
71 71
72 72 class RhodeCodeAuthPlugin(RhodeCodeExternalAuthPlugin):
73 73 uid = 'pam'
74 74 # PAM authentication can be slow. Repository operations involve a lot of
75 75 # auth calls. Little caching helps speedup push/pull operations significantly
76 76 AUTH_CACHE_TTL = 4
77 77
78 78 def includeme(self, config):
79 79 config.add_authn_plugin(self)
80 80 config.add_authn_resource(self.get_id(), PamAuthnResource(self))
81 81 config.add_view(
82 82 'rhodecode.authentication.views.AuthnPluginViewBase',
83 83 attr='settings_get',
84 84 renderer='rhodecode:templates/admin/auth/plugin_settings.mako',
85 85 request_method='GET',
86 86 route_name='auth_home',
87 87 context=PamAuthnResource)
88 88 config.add_view(
89 89 'rhodecode.authentication.views.AuthnPluginViewBase',
90 90 attr='settings_post',
91 91 renderer='rhodecode:templates/admin/auth/plugin_settings.mako',
92 92 request_method='POST',
93 93 route_name='auth_home',
94 94 context=PamAuthnResource)
95 95
96 96 def get_display_name(self, load_from_settings=False):
97 97 return _('PAM')
98 98
99 99 @classmethod
100 100 def docs(cls):
101 101 return "https://docs.rhodecode.com/RhodeCode-Enterprise/auth/auth-pam.html"
102 102
103 103 @hybrid_property
104 104 def name(self):
105 105 return "pam"
106 106
107 107 def get_settings_schema(self):
108 108 return PamSettingsSchema()
109 109
110 110 def use_fake_password(self):
111 111 return True
112 112
113 113 def auth(self, userobj, username, password, settings, **kwargs):
114 114 if not username or not password:
115 115 log.debug('Empty username or password skipping...')
116 116 return None
117 117 _pam = pam.pam()
118 118 auth_result = _pam.authenticate(username, password, settings["service"])
119 119
120 120 if not auth_result:
121 121 log.error("PAM was unable to authenticate user: %s", username)
122 122 return None
123 123
124 124 log.debug('Got PAM response %s', auth_result)
125 125
126 126 # old attrs fetched from RhodeCode database
127 127 default_email = "{}@{}".format(username, socket.gethostname())
128 128 admin = getattr(userobj, 'admin', False)
129 129 active = getattr(userobj, 'active', True)
130 130 email = getattr(userobj, 'email', '') or default_email
131 131 username = getattr(userobj, 'username', username)
132 132 firstname = getattr(userobj, 'firstname', '')
133 133 lastname = getattr(userobj, 'lastname', '')
134 134 extern_type = getattr(userobj, 'extern_type', '')
135 135
136 136 user_attrs = {
137 137 'username': username,
138 138 'firstname': firstname,
139 139 'lastname': lastname,
140 140 'groups': [g.gr_name for g in grp.getgrall()
141 141 if username in g.gr_mem],
142 142 'user_group_sync': True,
143 143 'email': email,
144 144 'admin': admin,
145 145 'active': active,
146 146 'active_from_extern': None,
147 147 'extern_name': username,
148 148 'extern_type': extern_type,
149 149 }
150 150
151 151 try:
152 152 user_data = pwd.getpwnam(username)
153 153 regex = settings["gecos"]
154 154 match = re.search(regex, user_data.pw_gecos)
155 155 if match:
156 156 user_attrs["firstname"] = match.group('first_name')
157 157 user_attrs["lastname"] = match.group('last_name')
158 158 except Exception:
159 159 log.warning("Cannot extract additional info for PAM user")
160 160 pass
161 161
162 162 log.debug("pamuser: %s", user_attrs)
163 163 log.info('user `%s` authenticated correctly', user_attrs['username'],
164 164 extra={"action": "user_auth_ok", "auth_module": "auth_pam", "username": user_attrs["username"]})
165 165 return user_attrs
166 166
167 167
168 168 def includeme(config):
169 169 plugin_id = f'egg:rhodecode-enterprise-ce#{RhodeCodeAuthPlugin.uid}'
170 170 plugin_factory(plugin_id).includeme(config)
@@ -1,228 +1,219 b''
1 1 # Copyright (C) 2012-2023 RhodeCode GmbH
2 2 #
3 3 # This program is free software: you can redistribute it and/or modify
4 4 # it under the terms of the GNU Affero General Public License, version 3
5 5 # (only), as published by the Free Software Foundation.
6 6 #
7 7 # This program is distributed in the hope that it will be useful,
8 8 # but WITHOUT ANY WARRANTY; without even the implied warranty of
9 9 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 10 # GNU General Public License for more details.
11 11 #
12 12 # You should have received a copy of the GNU Affero General Public License
13 13 # along with this program. If not, see <http://www.gnu.org/licenses/>.
14 14 #
15 15 # This program is dual-licensed. If you wish to learn more about the
16 16 # RhodeCode Enterprise Edition, including its added features, Support services,
17 17 # and proprietary license terms, please see https://rhodecode.com/licenses/
18 18
19 19 """
20 20 RhodeCode authentication plugin for built in internal auth
21 21 """
22 22
23 23 import logging
24 24
25 25 import colander
26 26
27 27 from rhodecode.translation import _
28 28 from rhodecode.lib.utils2 import safe_bytes
29 29 from rhodecode.model.db import User
30 from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase
30 from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase, TwoFactorAuthnPluginSettingsSchemaMixin
31 31 from rhodecode.authentication.base import (
32 32 RhodeCodeAuthPluginBase, hybrid_property, HTTP_TYPE, VCS_TYPE)
33 33 from rhodecode.authentication.routes import AuthnPluginResourceBase
34 34
35 35 log = logging.getLogger(__name__)
36 36
37 37
38 38 def plugin_factory(plugin_id, *args, **kwargs):
39 39 plugin = RhodeCodeAuthPlugin(plugin_id)
40 40 return plugin
41 41
42 42
43 43 class RhodecodeAuthnResource(AuthnPluginResourceBase):
44 44 pass
45 45
46 46
47 47 class RhodeCodeAuthPlugin(RhodeCodeAuthPluginBase):
48 48 uid = 'rhodecode'
49 49 AUTH_RESTRICTION_NONE = 'user_all'
50 50 AUTH_RESTRICTION_SUPER_ADMIN = 'user_super_admin'
51 51 AUTH_RESTRICTION_SCOPE_ALL = 'scope_all'
52 52 AUTH_RESTRICTION_SCOPE_HTTP = 'scope_http'
53 53 AUTH_RESTRICTION_SCOPE_VCS = 'scope_vcs'
54 54
55 55 def includeme(self, config):
56 56 config.add_authn_plugin(self)
57 57 config.add_authn_resource(self.get_id(), RhodecodeAuthnResource(self))
58 58 config.add_view(
59 59 'rhodecode.authentication.views.AuthnPluginViewBase',
60 60 attr='settings_get',
61 61 renderer='rhodecode:templates/admin/auth/plugin_settings.mako',
62 62 request_method='GET',
63 63 route_name='auth_home',
64 64 context=RhodecodeAuthnResource)
65 65 config.add_view(
66 66 'rhodecode.authentication.views.AuthnPluginViewBase',
67 67 attr='settings_post',
68 68 renderer='rhodecode:templates/admin/auth/plugin_settings.mako',
69 69 request_method='POST',
70 70 route_name='auth_home',
71 71 context=RhodecodeAuthnResource)
72 72
73 73 def get_settings_schema(self):
74 74 return RhodeCodeSettingsSchema()
75 75
76 76 def get_display_name(self, load_from_settings=False):
77 77 return _('RhodeCode Internal')
78 78
79 79 @classmethod
80 80 def docs(cls):
81 81 return "https://docs.rhodecode.com/RhodeCode-Enterprise/auth/auth.html"
82 82
83 83 @hybrid_property
84 84 def name(self):
85 85 return "rhodecode"
86 86
87 87 def user_activation_state(self):
88 88 def_user_perms = User.get_default_user().AuthUser().permissions['global']
89 89 return 'hg.register.auto_activate' in def_user_perms
90 90
91 91 def allows_authentication_from(
92 92 self, user, allows_non_existing_user=True,
93 93 allowed_auth_plugins=None, allowed_auth_sources=None):
94 94 """
95 95 Custom method for this auth that doesn't accept non existing users.
96 96 We know that user exists in our database.
97 97 """
98 98 allows_non_existing_user = False
99 99 return super().allows_authentication_from(
100 100 user, allows_non_existing_user=allows_non_existing_user)
101 101
102 102 def auth(self, userobj, username, password, settings, **kwargs):
103 103 if not userobj:
104 104 log.debug('userobj was:%s skipping', userobj)
105 105 return None
106 106
107 107 if userobj.extern_type != self.name:
108 108 log.warning("userobj:%s extern_type mismatch got:`%s` expected:`%s`",
109 109 userobj, userobj.extern_type, self.name)
110 110 return None
111 111
112 112 # check scope of auth
113 113 scope_restriction = settings.get('scope_restriction', '')
114 114
115 115 if scope_restriction == self.AUTH_RESTRICTION_SCOPE_HTTP \
116 116 and self.auth_type != HTTP_TYPE:
117 117 log.warning("userobj:%s tried scope type %s and scope restriction is set to %s",
118 118 userobj, self.auth_type, scope_restriction)
119 119 return None
120 120
121 121 if scope_restriction == self.AUTH_RESTRICTION_SCOPE_VCS \
122 122 and self.auth_type != VCS_TYPE:
123 123 log.warning("userobj:%s tried scope type %s and scope restriction is set to %s",
124 124 userobj, self.auth_type, scope_restriction)
125 125 return None
126 126
127 127 # check super-admin restriction
128 128 auth_restriction = settings.get('auth_restriction', '')
129 129
130 130 if auth_restriction == self.AUTH_RESTRICTION_SUPER_ADMIN \
131 131 and userobj.admin is False:
132 132 log.warning("userobj:%s is not super-admin and auth restriction is set to %s",
133 133 userobj, auth_restriction)
134 134 return None
135 135
136 136 user_attrs = {
137 137 "username": userobj.username,
138 138 "firstname": userobj.firstname,
139 139 "lastname": userobj.lastname,
140 140 "groups": [],
141 141 'user_group_sync': False,
142 142 "email": userobj.email,
143 143 "admin": userobj.admin,
144 144 "active": userobj.active,
145 145 "active_from_extern": userobj.active,
146 146 "extern_name": userobj.user_id,
147 147 "extern_type": userobj.extern_type,
148 148 }
149 149
150 150 log.debug("User attributes:%s", user_attrs)
151 151 if userobj.active:
152 152 from rhodecode.lib import auth
153 153 crypto_backend = auth.crypto_backend()
154 154 password_encoded = safe_bytes(password)
155 155 password_match, new_hash = crypto_backend.hash_check_with_upgrade(
156 156 password_encoded, userobj.password or '')
157 157
158 158 if password_match and new_hash:
159 159 log.debug('user %s properly authenticated, but '
160 160 'requires hash change to bcrypt', userobj)
161 161 # if password match, and we use OLD deprecated hash,
162 162 # we should migrate this user hash password to the new hash
163 163 # we store the new returned by hash_check_with_upgrade function
164 164 user_attrs['_hash_migrate'] = new_hash
165 165
166 166 if userobj.username == User.DEFAULT_USER and userobj.active:
167 167 log.info('user `%s` authenticated correctly as anonymous user',
168 168 userobj.username,
169 169 extra={"action": "user_auth_ok", "auth_module": "auth_rhodecode_anon", "username": userobj.username})
170 170 return user_attrs
171 171
172 172 elif (userobj.username == username or userobj.email == username) and password_match:
173 173 log.info('user `%s` authenticated correctly', userobj.username,
174 174 extra={"action": "user_auth_ok", "auth_module": "auth_rhodecode", "username": userobj.username})
175 175 return user_attrs
176 176 log.warning("user `%s` used a wrong password when "
177 177 "authenticating on this plugin", userobj.username)
178 178 return None
179 179 else:
180 180 log.warning('user `%s` failed to authenticate via %s, reason: account not '
181 181 'active.', username, self.name)
182 182 return None
183 183
184 184
185 class RhodeCodeSettingsSchema(AuthnPluginSettingsSchemaBase):
186 global_2fa = colander.SchemaNode(
187 colander.Bool(),
188 default=False,
189 description=_('Force all users to use two factor authentication by enabling this.'),
190 missing=False,
191 title=_('Global 2FA'),
192 widget='bool',
193 )
194
185 class RhodeCodeSettingsSchema(TwoFactorAuthnPluginSettingsSchemaMixin, AuthnPluginSettingsSchemaBase):
195 186 auth_restriction_choices = [
196 187 (RhodeCodeAuthPlugin.AUTH_RESTRICTION_NONE, 'All users'),
197 188 (RhodeCodeAuthPlugin.AUTH_RESTRICTION_SUPER_ADMIN, 'Super admins only'),
198 189 ]
199 190
200 191 auth_scope_choices = [
201 192 (RhodeCodeAuthPlugin.AUTH_RESTRICTION_SCOPE_ALL, 'HTTP and VCS'),
202 193 (RhodeCodeAuthPlugin.AUTH_RESTRICTION_SCOPE_HTTP, 'HTTP only'),
203 194 ]
204 195
205 196 auth_restriction = colander.SchemaNode(
206 197 colander.String(),
207 198 default=auth_restriction_choices[0],
208 199 description=_('Allowed user types for authentication using this plugin.'),
209 200 title=_('User restriction'),
210 201 validator=colander.OneOf([x[0] for x in auth_restriction_choices]),
211 202 widget='select_with_labels',
212 203 choices=auth_restriction_choices
213 204 )
214 205 scope_restriction = colander.SchemaNode(
215 206 colander.String(),
216 207 default=auth_scope_choices[0],
217 208 description=_('Allowed protocols for authentication using this plugin. '
218 209 'VCS means GIT/HG/SVN. HTTP is web based login.'),
219 210 title=_('Scope restriction'),
220 211 validator=colander.OneOf([x[0] for x in auth_scope_choices]),
221 212 widget='select_with_labels',
222 213 choices=auth_scope_choices
223 214 )
224 215
225 216
226 217 def includeme(config):
227 218 plugin_id = f'egg:rhodecode-enterprise-ce#{RhodeCodeAuthPlugin.uid}'
228 219 plugin_factory(plugin_id).includeme(config)
@@ -1,50 +1,64 b''
1 1 # Copyright (C) 2012-2023 RhodeCode GmbH
2 2 #
3 3 # This program is free software: you can redistribute it and/or modify
4 4 # it under the terms of the GNU Affero General Public License, version 3
5 5 # (only), as published by the Free Software Foundation.
6 6 #
7 7 # This program is distributed in the hope that it will be useful,
8 8 # but WITHOUT ANY WARRANTY; without even the implied warranty of
9 9 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 10 # GNU General Public License for more details.
11 11 #
12 12 # You should have received a copy of the GNU Affero General Public License
13 13 # along with this program. If not, see <http://www.gnu.org/licenses/>.
14 14 #
15 15 # This program is dual-licensed. If you wish to learn more about the
16 16 # RhodeCode Enterprise Edition, including its added features, Support services,
17 17 # and proprietary license terms, please see https://rhodecode.com/licenses/
18 18
19 19 import colander
20 20
21 21 from rhodecode.authentication import plugin_default_auth_ttl
22 22 from rhodecode.translation import _
23 23
24 24
25 25 class AuthnPluginSettingsSchemaBase(colander.MappingSchema):
26 26 """
27 27 This base schema is intended for use in authentication plugins.
28 28 It adds a few default settings (e.g., "enabled"), so that plugin
29 29 authors don't have to maintain a bunch of boilerplate.
30 30 """
31 31 enabled = colander.SchemaNode(
32 32 colander.Bool(),
33 33 default=False,
34 34 description=_('Enable or disable this authentication plugin.'),
35 35 missing=False,
36 36 title=_('Enabled'),
37 37 widget='bool',
38 38 )
39 39 cache_ttl = colander.SchemaNode(
40 40 colander.Int(),
41 41 default=plugin_default_auth_ttl,
42 42 description=_('Amount of seconds to cache the authentication and '
43 43 'permissions check response call for this plugin. \n'
44 44 'Useful for expensive calls like LDAP to improve the '
45 45 'performance of the system (0 means disabled).'),
46 46 missing=0,
47 47 title=_('Auth Cache TTL'),
48 48 validator=colander.Range(min=0, max=None),
49 49 widget='int',
50 50 )
51
52
53 class TwoFactorAuthnPluginSettingsSchemaMixin(colander.MappingSchema):
54 """
55 Mixin for extending plugins with two-factor authentication option.
56 """
57 global_2fa = colander.SchemaNode(
58 colander.Bool(),
59 default=False,
60 description=_('Force all users to use two factor authentication with this plugin.'),
61 missing=False,
62 title=_('enforce 2FA for users'),
63 widget='bool',
64 )
@@ -1,6038 +1,6037 b''
1 1 # Copyright (C) 2010-2023 RhodeCode GmbH
2 2 #
3 3 # This program is free software: you can redistribute it and/or modify
4 4 # it under the terms of the GNU Affero General Public License, version 3
5 5 # (only), as published by the Free Software Foundation.
6 6 #
7 7 # This program is distributed in the hope that it will be useful,
8 8 # but WITHOUT ANY WARRANTY; without even the implied warranty of
9 9 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 10 # GNU General Public License for more details.
11 11 #
12 12 # You should have received a copy of the GNU Affero General Public License
13 13 # along with this program. If not, see <http://www.gnu.org/licenses/>.
14 14 #
15 15 # This program is dual-licensed. If you wish to learn more about the
16 16 # RhodeCode Enterprise Edition, including its added features, Support services,
17 17 # and proprietary license terms, please see https://rhodecode.com/licenses/
18 18
19 19 """
20 20 Database Models for RhodeCode Enterprise
21 21 """
22 22
23 23 import re
24 24 import os
25 25 import time
26 26 import string
27 27 import logging
28 28 import datetime
29 29 import uuid
30 30 import warnings
31 31 import ipaddress
32 32 import functools
33 33 import traceback
34 34 import collections
35 35
36 36 import pyotp
37 37 from sqlalchemy import (
38 38 or_, and_, not_, func, cast, TypeDecorator, event, select,
39 39 true, false, null, union_all,
40 40 Index, Sequence, UniqueConstraint, ForeignKey, CheckConstraint, Column,
41 41 Boolean, String, Unicode, UnicodeText, DateTime, Integer, LargeBinary,
42 42 Text, Float, PickleType, BigInteger)
43 43 from sqlalchemy.sql.expression import case
44 44 from sqlalchemy.sql.functions import coalesce, count # pragma: no cover
45 45 from sqlalchemy.orm import (
46 46 relationship, lazyload, joinedload, class_mapper, validates, aliased, load_only)
47 47 from sqlalchemy.ext.declarative import declared_attr
48 48 from sqlalchemy.ext.hybrid import hybrid_property
49 49 from sqlalchemy.exc import IntegrityError # pragma: no cover
50 50 from sqlalchemy.dialects.mysql import LONGTEXT
51 51 from zope.cachedescriptors.property import Lazy as LazyProperty
52 52 from pyramid.threadlocal import get_current_request
53 53 from webhelpers2.text import remove_formatting
54 54
55 55 from rhodecode import ConfigGet
56 56 from rhodecode.lib.str_utils import safe_bytes
57 57 from rhodecode.translation import _
58 58 from rhodecode.lib.vcs import get_vcs_instance, VCSError
59 59 from rhodecode.lib.vcs.backends.base import (
60 60 EmptyCommit, Reference, unicode_to_reference, reference_to_unicode)
61 61 from rhodecode.lib.utils2 import (
62 62 str2bool, safe_str, get_commit_safe, sha1_safe,
63 63 time_to_datetime, aslist, Optional, safe_int, get_clone_url, AttributeDict,
64 64 glob2re, StrictAttributeDict, cleaned_uri, datetime_to_time)
65 65 from rhodecode.lib.jsonalchemy import (
66 66 MutationObj, MutationList, JsonType, JsonRaw)
67 67 from rhodecode.lib.hash_utils import sha1
68 68 from rhodecode.lib import ext_json
69 69 from rhodecode.lib import enc_utils
70 70 from rhodecode.lib.ext_json import json, str_json
71 71 from rhodecode.lib.caching_query import FromCache
72 72 from rhodecode.lib.exceptions import (
73 73 ArtifactMetadataDuplicate, ArtifactMetadataBadValueType)
74 74 from rhodecode.model.meta import Base, Session
75 75
76 76 URL_SEP = '/'
77 77 log = logging.getLogger(__name__)
78 78
79 79 # =============================================================================
80 80 # BASE CLASSES
81 81 # =============================================================================
82 82
83 83 # this is propagated from .ini file rhodecode.encrypted_values.secret or
84 84 # beaker.session.secret if first is not set.
85 85 # and initialized at environment.py
86 86 ENCRYPTION_KEY: bytes = b''
87 87
88 88 # used to sort permissions by types, '#' used here is not allowed to be in
89 89 # usernames, and it's very early in sorted string.printable table.
90 90 PERMISSION_TYPE_SORT = {
91 91 'admin': '####',
92 92 'write': '###',
93 93 'read': '##',
94 94 'none': '#',
95 95 }
96 96
97 97
98 98 def display_user_sort(obj):
99 99 """
100 100 Sort function used to sort permissions in .permissions() function of
101 101 Repository, RepoGroup, UserGroup. Also it put the default user in front
102 102 of all other resources
103 103 """
104 104
105 105 if obj.username == User.DEFAULT_USER:
106 106 return '#####'
107 107 prefix = PERMISSION_TYPE_SORT.get(obj.permission.split('.')[-1], '')
108 108 extra_sort_num = '1' # default
109 109
110 110 # NOTE(dan): inactive duplicates goes last
111 111 if getattr(obj, 'duplicate_perm', None):
112 112 extra_sort_num = '9'
113 113 return prefix + extra_sort_num + obj.username
114 114
115 115
116 116 def display_user_group_sort(obj):
117 117 """
118 118 Sort function used to sort permissions in .permissions() function of
119 119 Repository, RepoGroup, UserGroup. Also it put the default user in front
120 120 of all other resources
121 121 """
122 122
123 123 prefix = PERMISSION_TYPE_SORT.get(obj.permission.split('.')[-1], '')
124 124 return prefix + obj.users_group_name
125 125
126 126
127 127 def _hash_key(k):
128 128 return sha1_safe(k)
129 129
130 130
131 131 def in_filter_generator(qry, items, limit=500):
132 132 """
133 133 Splits IN() into multiple with OR
134 134 e.g.::
135 135 cnt = Repository.query().filter(
136 136 or_(
137 137 *in_filter_generator(Repository.repo_id, range(100000))
138 138 )).count()
139 139 """
140 140 if not items:
141 141 # empty list will cause empty query which might cause security issues
142 142 # this can lead to hidden unpleasant results
143 143 items = [-1]
144 144
145 145 parts = []
146 146 for chunk in range(0, len(items), limit):
147 147 parts.append(
148 148 qry.in_(items[chunk: chunk + limit])
149 149 )
150 150
151 151 return parts
152 152
153 153
154 154 base_table_args = {
155 155 'extend_existing': True,
156 156 'mysql_engine': 'InnoDB',
157 157 'mysql_charset': 'utf8',
158 158 'sqlite_autoincrement': True
159 159 }
160 160
161 161
162 162 class EncryptedTextValue(TypeDecorator):
163 163 """
164 164 Special column for encrypted long text data, use like::
165 165
166 166 value = Column("encrypted_value", EncryptedValue(), nullable=False)
167 167
168 168 This column is intelligent so if value is in unencrypted form it return
169 169 unencrypted form, but on save it always encrypts
170 170 """
171 171 cache_ok = True
172 172 impl = Text
173 173
174 174 def process_bind_param(self, value, dialect):
175 175 """
176 176 Setter for storing value
177 177 """
178 178 import rhodecode
179 179 if not value:
180 180 return value
181 181
182 182 # protect against double encrypting if values is already encrypted
183 183 if value.startswith('enc$aes$') \
184 184 or value.startswith('enc$aes_hmac$') \
185 185 or value.startswith('enc2$'):
186 186 raise ValueError('value needs to be in unencrypted format, '
187 187 'ie. not starting with enc$ or enc2$')
188 188
189 189 algo = rhodecode.CONFIG.get('rhodecode.encrypted_values.algorithm') or 'aes'
190 190 bytes_val = enc_utils.encrypt_value(value, enc_key=ENCRYPTION_KEY, algo=algo)
191 191 return safe_str(bytes_val)
192 192
193 193 def process_result_value(self, value, dialect):
194 194 """
195 195 Getter for retrieving value
196 196 """
197 197
198 198 import rhodecode
199 199 if not value:
200 200 return value
201 201
202 202 bytes_val = enc_utils.decrypt_value(value, enc_key=ENCRYPTION_KEY)
203 203
204 204 return safe_str(bytes_val)
205 205
206 206
207 207 class BaseModel(object):
208 208 """
209 209 Base Model for all classes
210 210 """
211 211
212 212 @classmethod
213 213 def _get_keys(cls):
214 214 """return column names for this model """
215 215 return class_mapper(cls).c.keys()
216 216
217 217 def get_dict(self):
218 218 """
219 219 return dict with keys and values corresponding
220 220 to this model data """
221 221
222 222 d = {}
223 223 for k in self._get_keys():
224 224 d[k] = getattr(self, k)
225 225
226 226 # also use __json__() if present to get additional fields
227 227 _json_attr = getattr(self, '__json__', None)
228 228 if _json_attr:
229 229 # update with attributes from __json__
230 230 if callable(_json_attr):
231 231 _json_attr = _json_attr()
232 232 for k, val in _json_attr.items():
233 233 d[k] = val
234 234 return d
235 235
236 236 def get_appstruct(self):
237 237 """return list with keys and values tuples corresponding
238 238 to this model data """
239 239
240 240 lst = []
241 241 for k in self._get_keys():
242 242 lst.append((k, getattr(self, k),))
243 243 return lst
244 244
245 245 def populate_obj(self, populate_dict):
246 246 """populate model with data from given populate_dict"""
247 247
248 248 for k in self._get_keys():
249 249 if k in populate_dict:
250 250 setattr(self, k, populate_dict[k])
251 251
252 252 @classmethod
253 253 def query(cls):
254 254 return Session().query(cls)
255 255
256 256 @classmethod
257 257 def select(cls, custom_cls=None):
258 258 """
259 259 stmt = cls.select().where(cls.user_id==1)
260 260 # optionally
261 261 stmt = cls.select(User.user_id).where(cls.user_id==1)
262 262 result = cls.execute(stmt) | cls.scalars(stmt)
263 263 """
264 264
265 265 if custom_cls:
266 266 stmt = select(custom_cls)
267 267 else:
268 268 stmt = select(cls)
269 269 return stmt
270 270
271 271 @classmethod
272 272 def execute(cls, stmt):
273 273 return Session().execute(stmt)
274 274
275 275 @classmethod
276 276 def scalars(cls, stmt):
277 277 return Session().scalars(stmt)
278 278
279 279 @classmethod
280 280 def get(cls, id_):
281 281 if id_:
282 282 return cls.query().get(id_)
283 283
284 284 @classmethod
285 285 def get_or_404(cls, id_):
286 286 from pyramid.httpexceptions import HTTPNotFound
287 287
288 288 try:
289 289 id_ = int(id_)
290 290 except (TypeError, ValueError):
291 291 raise HTTPNotFound()
292 292
293 293 res = cls.query().get(id_)
294 294 if not res:
295 295 raise HTTPNotFound()
296 296 return res
297 297
298 298 @classmethod
299 299 def getAll(cls):
300 300 # deprecated and left for backward compatibility
301 301 return cls.get_all()
302 302
303 303 @classmethod
304 304 def get_all(cls):
305 305 return cls.query().all()
306 306
307 307 @classmethod
308 308 def delete(cls, id_):
309 309 obj = cls.query().get(id_)
310 310 Session().delete(obj)
311 311
312 312 @classmethod
313 313 def identity_cache(cls, session, attr_name, value):
314 314 exist_in_session = []
315 315 for (item_cls, pkey), instance in session.identity_map.items():
316 316 if cls == item_cls and getattr(instance, attr_name) == value:
317 317 exist_in_session.append(instance)
318 318 if exist_in_session:
319 319 if len(exist_in_session) == 1:
320 320 return exist_in_session[0]
321 321 log.exception(
322 322 'multiple objects with attr %s and '
323 323 'value %s found with same name: %r',
324 324 attr_name, value, exist_in_session)
325 325
326 326 @property
327 327 def cls_name(self):
328 328 return self.__class__.__name__
329 329
330 330 def __repr__(self):
331 331 return f'<DB:{self.cls_name}>'
332 332
333 333
334 334 class RhodeCodeSetting(Base, BaseModel):
335 335 __tablename__ = 'rhodecode_settings'
336 336 __table_args__ = (
337 337 UniqueConstraint('app_settings_name'),
338 338 base_table_args
339 339 )
340 340
341 341 SETTINGS_TYPES = {
342 342 'str': safe_str,
343 343 'int': safe_int,
344 344 'unicode': safe_str,
345 345 'bool': str2bool,
346 346 'list': functools.partial(aslist, sep=',')
347 347 }
348 348 DEFAULT_UPDATE_URL = 'https://rhodecode.com/api/v1/info/versions'
349 349 GLOBAL_CONF_KEY = 'app_settings'
350 350
351 351 app_settings_id = Column("app_settings_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
352 352 app_settings_name = Column("app_settings_name", String(255), nullable=True, unique=None, default=None)
353 353 _app_settings_value = Column("app_settings_value", String(4096), nullable=True, unique=None, default=None)
354 354 _app_settings_type = Column("app_settings_type", String(255), nullable=True, unique=None, default=None)
355 355
356 356 def __init__(self, key='', val='', type='unicode'):
357 357 self.app_settings_name = key
358 358 self.app_settings_type = type
359 359 self.app_settings_value = val
360 360
361 361 @validates('_app_settings_value')
362 362 def validate_settings_value(self, key, val):
363 363 assert type(val) == str
364 364 return val
365 365
366 366 @hybrid_property
367 367 def app_settings_value(self):
368 368 v = self._app_settings_value
369 369 _type = self.app_settings_type
370 370 if _type:
371 371 _type = self.app_settings_type.split('.')[0]
372 372 # decode the encrypted value
373 373 if 'encrypted' in self.app_settings_type:
374 374 cipher = EncryptedTextValue()
375 375 v = safe_str(cipher.process_result_value(v, None))
376 376
377 377 converter = self.SETTINGS_TYPES.get(_type) or \
378 378 self.SETTINGS_TYPES['unicode']
379 379 return converter(v)
380 380
381 381 @app_settings_value.setter
382 382 def app_settings_value(self, val):
383 383 """
384 384 Setter that will always make sure we use unicode in app_settings_value
385 385
386 386 :param val:
387 387 """
388 388 val = safe_str(val)
389 389 # encode the encrypted value
390 390 if 'encrypted' in self.app_settings_type:
391 391 cipher = EncryptedTextValue()
392 392 val = safe_str(cipher.process_bind_param(val, None))
393 393 self._app_settings_value = val
394 394
395 395 @hybrid_property
396 396 def app_settings_type(self):
397 397 return self._app_settings_type
398 398
399 399 @app_settings_type.setter
400 400 def app_settings_type(self, val):
401 401 if val.split('.')[0] not in self.SETTINGS_TYPES:
402 402 raise Exception('type must be one of %s got %s'
403 403 % (self.SETTINGS_TYPES.keys(), val))
404 404 self._app_settings_type = val
405 405
406 406 @classmethod
407 407 def get_by_prefix(cls, prefix):
408 408 return RhodeCodeSetting.query()\
409 409 .filter(RhodeCodeSetting.app_settings_name.startswith(prefix))\
410 410 .all()
411 411
412 412 def __repr__(self):
413 413 return "<%s('%s:%s[%s]')>" % (
414 414 self.cls_name,
415 415 self.app_settings_name, self.app_settings_value,
416 416 self.app_settings_type
417 417 )
418 418
419 419
420 420 class RhodeCodeUi(Base, BaseModel):
421 421 __tablename__ = 'rhodecode_ui'
422 422 __table_args__ = (
423 423 UniqueConstraint('ui_key'),
424 424 base_table_args
425 425 )
426 426 # Sync those values with vcsserver.config.hooks
427 427
428 428 HOOK_REPO_SIZE = 'changegroup.repo_size'
429 429 # HG
430 430 HOOK_PRE_PULL = 'preoutgoing.pre_pull'
431 431 HOOK_PULL = 'outgoing.pull_logger'
432 432 HOOK_PRE_PUSH = 'prechangegroup.pre_push'
433 433 HOOK_PRETX_PUSH = 'pretxnchangegroup.pre_push'
434 434 HOOK_PUSH = 'changegroup.push_logger'
435 435 HOOK_PUSH_KEY = 'pushkey.key_push'
436 436
437 437 HOOKS_BUILTIN = [
438 438 HOOK_PRE_PULL,
439 439 HOOK_PULL,
440 440 HOOK_PRE_PUSH,
441 441 HOOK_PRETX_PUSH,
442 442 HOOK_PUSH,
443 443 HOOK_PUSH_KEY,
444 444 ]
445 445
446 446 # TODO: johbo: Unify way how hooks are configured for git and hg,
447 447 # git part is currently hardcoded.
448 448
449 449 # SVN PATTERNS
450 450 SVN_BRANCH_ID = 'vcs_svn_branch'
451 451 SVN_TAG_ID = 'vcs_svn_tag'
452 452
453 453 ui_id = Column(
454 454 "ui_id", Integer(), nullable=False, unique=True, default=None,
455 455 primary_key=True)
456 456 ui_section = Column(
457 457 "ui_section", String(255), nullable=True, unique=None, default=None)
458 458 ui_key = Column(
459 459 "ui_key", String(255), nullable=True, unique=None, default=None)
460 460 ui_value = Column(
461 461 "ui_value", String(255), nullable=True, unique=None, default=None)
462 462 ui_active = Column(
463 463 "ui_active", Boolean(), nullable=True, unique=None, default=True)
464 464
465 465 def __repr__(self):
466 466 return '<%s[%s]%s=>%s]>' % (self.cls_name, self.ui_section,
467 467 self.ui_key, self.ui_value)
468 468
469 469
470 470 class RepoRhodeCodeSetting(Base, BaseModel):
471 471 __tablename__ = 'repo_rhodecode_settings'
472 472 __table_args__ = (
473 473 UniqueConstraint(
474 474 'app_settings_name', 'repository_id',
475 475 name='uq_repo_rhodecode_setting_name_repo_id'),
476 476 base_table_args
477 477 )
478 478
479 479 repository_id = Column(
480 480 "repository_id", Integer(), ForeignKey('repositories.repo_id'),
481 481 nullable=False)
482 482 app_settings_id = Column(
483 483 "app_settings_id", Integer(), nullable=False, unique=True,
484 484 default=None, primary_key=True)
485 485 app_settings_name = Column(
486 486 "app_settings_name", String(255), nullable=True, unique=None,
487 487 default=None)
488 488 _app_settings_value = Column(
489 489 "app_settings_value", String(4096), nullable=True, unique=None,
490 490 default=None)
491 491 _app_settings_type = Column(
492 492 "app_settings_type", String(255), nullable=True, unique=None,
493 493 default=None)
494 494
495 495 repository = relationship('Repository', viewonly=True)
496 496
497 497 def __init__(self, repository_id, key='', val='', type='unicode'):
498 498 self.repository_id = repository_id
499 499 self.app_settings_name = key
500 500 self.app_settings_type = type
501 501 self.app_settings_value = val
502 502
503 503 @validates('_app_settings_value')
504 504 def validate_settings_value(self, key, val):
505 505 assert type(val) == str
506 506 return val
507 507
508 508 @hybrid_property
509 509 def app_settings_value(self):
510 510 v = self._app_settings_value
511 511 type_ = self.app_settings_type
512 512 SETTINGS_TYPES = RhodeCodeSetting.SETTINGS_TYPES
513 513 converter = SETTINGS_TYPES.get(type_) or SETTINGS_TYPES['unicode']
514 514 return converter(v)
515 515
516 516 @app_settings_value.setter
517 517 def app_settings_value(self, val):
518 518 """
519 519 Setter that will always make sure we use unicode in app_settings_value
520 520
521 521 :param val:
522 522 """
523 523 self._app_settings_value = safe_str(val)
524 524
525 525 @hybrid_property
526 526 def app_settings_type(self):
527 527 return self._app_settings_type
528 528
529 529 @app_settings_type.setter
530 530 def app_settings_type(self, val):
531 531 SETTINGS_TYPES = RhodeCodeSetting.SETTINGS_TYPES
532 532 if val not in SETTINGS_TYPES:
533 533 raise Exception('type must be one of %s got %s'
534 534 % (SETTINGS_TYPES.keys(), val))
535 535 self._app_settings_type = val
536 536
537 537 def __repr__(self):
538 538 return "<%s('%s:%s:%s[%s]')>" % (
539 539 self.cls_name, self.repository.repo_name,
540 540 self.app_settings_name, self.app_settings_value,
541 541 self.app_settings_type
542 542 )
543 543
544 544
545 545 class RepoRhodeCodeUi(Base, BaseModel):
546 546 __tablename__ = 'repo_rhodecode_ui'
547 547 __table_args__ = (
548 548 UniqueConstraint(
549 549 'repository_id', 'ui_section', 'ui_key',
550 550 name='uq_repo_rhodecode_ui_repository_id_section_key'),
551 551 base_table_args
552 552 )
553 553
554 554 repository_id = Column(
555 555 "repository_id", Integer(), ForeignKey('repositories.repo_id'),
556 556 nullable=False)
557 557 ui_id = Column(
558 558 "ui_id", Integer(), nullable=False, unique=True, default=None,
559 559 primary_key=True)
560 560 ui_section = Column(
561 561 "ui_section", String(255), nullable=True, unique=None, default=None)
562 562 ui_key = Column(
563 563 "ui_key", String(255), nullable=True, unique=None, default=None)
564 564 ui_value = Column(
565 565 "ui_value", String(255), nullable=True, unique=None, default=None)
566 566 ui_active = Column(
567 567 "ui_active", Boolean(), nullable=True, unique=None, default=True)
568 568
569 569 repository = relationship('Repository', viewonly=True)
570 570
571 571 def __repr__(self):
572 572 return '<%s[%s:%s]%s=>%s]>' % (
573 573 self.cls_name, self.repository.repo_name,
574 574 self.ui_section, self.ui_key, self.ui_value)
575 575
576 576
577 577 class User(Base, BaseModel):
578 578 __tablename__ = 'users'
579 579 __table_args__ = (
580 580 UniqueConstraint('username'), UniqueConstraint('email'),
581 581 Index('u_username_idx', 'username'),
582 582 Index('u_email_idx', 'email'),
583 583 base_table_args
584 584 )
585 585
586 586 DEFAULT_USER = 'default'
587 587 DEFAULT_USER_EMAIL = 'anonymous@rhodecode.org'
588 588 DEFAULT_GRAVATAR_URL = 'https://secure.gravatar.com/avatar/{md5email}?d=identicon&s={size}'
589 589 RECOVERY_CODES_COUNT = 10
590 590
591 591 user_id = Column("user_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
592 592 username = Column("username", String(255), nullable=True, unique=None, default=None)
593 593 password = Column("password", String(255), nullable=True, unique=None, default=None)
594 594 active = Column("active", Boolean(), nullable=True, unique=None, default=True)
595 595 admin = Column("admin", Boolean(), nullable=True, unique=None, default=False)
596 596 name = Column("firstname", String(255), nullable=True, unique=None, default=None)
597 597 lastname = Column("lastname", String(255), nullable=True, unique=None, default=None)
598 598 _email = Column("email", String(255), nullable=True, unique=None, default=None)
599 599 last_login = Column("last_login", DateTime(timezone=False), nullable=True, unique=None, default=None)
600 600 last_activity = Column('last_activity', DateTime(timezone=False), nullable=True, unique=None, default=None)
601 601 description = Column('description', UnicodeText().with_variant(UnicodeText(1024), 'mysql'))
602 602
603 603 extern_type = Column("extern_type", String(255), nullable=True, unique=None, default=None)
604 604 extern_name = Column("extern_name", String(255), nullable=True, unique=None, default=None)
605 605 _api_key = Column("api_key", String(255), nullable=True, unique=None, default=None)
606 606 inherit_default_permissions = Column("inherit_default_permissions", Boolean(), nullable=False, unique=None, default=True)
607 607 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
608 608 _user_data = Column("user_data", LargeBinary(), nullable=True) # JSON data
609 609
610 610 user_log = relationship('UserLog', back_populates='user')
611 611 user_perms = relationship('UserToPerm', primaryjoin="User.user_id==UserToPerm.user_id", cascade='all, delete-orphan')
612 612
613 613 repositories = relationship('Repository', back_populates='user')
614 614 repository_groups = relationship('RepoGroup', back_populates='user')
615 615 user_groups = relationship('UserGroup', back_populates='user')
616 616
617 617 user_followers = relationship('UserFollowing', primaryjoin='UserFollowing.follows_user_id==User.user_id', cascade='all', back_populates='follows_user')
618 618 followings = relationship('UserFollowing', primaryjoin='UserFollowing.user_id==User.user_id', cascade='all', back_populates='user')
619 619
620 620 repo_to_perm = relationship('UserRepoToPerm', primaryjoin='UserRepoToPerm.user_id==User.user_id', cascade='all, delete-orphan')
621 621 repo_group_to_perm = relationship('UserRepoGroupToPerm', primaryjoin='UserRepoGroupToPerm.user_id==User.user_id', cascade='all, delete-orphan', back_populates='user')
622 622 user_group_to_perm = relationship('UserUserGroupToPerm', primaryjoin='UserUserGroupToPerm.user_id==User.user_id', cascade='all, delete-orphan', back_populates='user')
623 623
624 624 group_member = relationship('UserGroupMember', cascade='all', back_populates='user')
625 625
626 626 notifications = relationship('UserNotification', cascade='all', back_populates='user')
627 627 # notifications assigned to this user
628 628 user_created_notifications = relationship('Notification', cascade='all', back_populates='created_by_user')
629 629 # comments created by this user
630 630 user_comments = relationship('ChangesetComment', cascade='all', back_populates='author')
631 631 # user profile extra info
632 632 user_emails = relationship('UserEmailMap', cascade='all', back_populates='user')
633 633 user_ip_map = relationship('UserIpMap', cascade='all', back_populates='user')
634 634 user_auth_tokens = relationship('UserApiKeys', cascade='all', back_populates='user')
635 635 user_ssh_keys = relationship('UserSshKeys', cascade='all', back_populates='user')
636 636
637 637 # gists
638 638 user_gists = relationship('Gist', cascade='all', back_populates='owner')
639 639 # user pull requests
640 640 user_pull_requests = relationship('PullRequest', cascade='all', back_populates='author')
641 641
642 642 # external identities
643 643 external_identities = relationship('ExternalIdentity', primaryjoin="User.user_id==ExternalIdentity.local_user_id", cascade='all')
644 644 # review rules
645 645 user_review_rules = relationship('RepoReviewRuleUser', cascade='all', back_populates='user')
646 646
647 647 # artifacts owned
648 648 artifacts = relationship('FileStore', primaryjoin='FileStore.user_id==User.user_id', back_populates='upload_user')
649 649
650 650 # no cascade, set NULL
651 651 scope_artifacts = relationship('FileStore', primaryjoin='FileStore.scope_user_id==User.user_id', cascade='', back_populates='user')
652 652
653 653 def __repr__(self):
654 654 return f"<{self.cls_name}('id={self.user_id}, username={self.username}')>"
655 655
656 656 @hybrid_property
657 657 def email(self):
658 658 return self._email
659 659
660 660 @email.setter
661 661 def email(self, val):
662 662 self._email = val.lower() if val else None
663 663
664 664 @hybrid_property
665 665 def first_name(self):
666 666 from rhodecode.lib import helpers as h
667 667 if self.name:
668 668 return h.escape(self.name)
669 669 return self.name
670 670
671 671 @hybrid_property
672 672 def last_name(self):
673 673 from rhodecode.lib import helpers as h
674 674 if self.lastname:
675 675 return h.escape(self.lastname)
676 676 return self.lastname
677 677
678 678 @hybrid_property
679 679 def api_key(self):
680 680 """
681 681 Fetch if exist an auth-token with role ALL connected to this user
682 682 """
683 683 user_auth_token = UserApiKeys.query()\
684 684 .filter(UserApiKeys.user_id == self.user_id)\
685 685 .filter(or_(UserApiKeys.expires == -1,
686 686 UserApiKeys.expires >= time.time()))\
687 687 .filter(UserApiKeys.role == UserApiKeys.ROLE_ALL).first()
688 688 if user_auth_token:
689 689 user_auth_token = user_auth_token.api_key
690 690
691 691 return user_auth_token
692 692
693 693 @api_key.setter
694 694 def api_key(self, val):
695 695 # don't allow to set API key this is deprecated for now
696 696 self._api_key = None
697 697
698 698 @property
699 699 def reviewer_pull_requests(self):
700 700 return PullRequestReviewers.query() \
701 701 .options(joinedload(PullRequestReviewers.pull_request)) \
702 702 .filter(PullRequestReviewers.user_id == self.user_id) \
703 703 .all()
704 704
705 705 @property
706 706 def firstname(self):
707 707 # alias for future
708 708 return self.name
709 709
710 710 @property
711 711 def emails(self):
712 712 other = UserEmailMap.query()\
713 713 .filter(UserEmailMap.user == self) \
714 714 .order_by(UserEmailMap.email_id.asc()) \
715 715 .all()
716 716 return [self.email] + [x.email for x in other]
717 717
718 718 def emails_cached(self):
719 719 emails = []
720 720 if self.user_id != self.get_default_user_id():
721 721 emails = UserEmailMap.query()\
722 722 .filter(UserEmailMap.user == self) \
723 723 .order_by(UserEmailMap.email_id.asc())
724 724
725 725 emails = emails.options(
726 726 FromCache("sql_cache_short", f"get_user_{self.user_id}_emails")
727 727 )
728 728
729 729 return [self.email] + [x.email for x in emails]
730 730
731 731 @property
732 732 def auth_tokens(self):
733 733 auth_tokens = self.get_auth_tokens()
734 734 return [x.api_key for x in auth_tokens]
735 735
736 736 def get_auth_tokens(self):
737 737 return UserApiKeys.query()\
738 738 .filter(UserApiKeys.user == self)\
739 739 .order_by(UserApiKeys.user_api_key_id.asc())\
740 740 .all()
741 741
742 742 @LazyProperty
743 743 def feed_token(self):
744 744 return self.get_feed_token()
745 745
746 746 def get_feed_token(self, cache=True):
747 747 feed_tokens = UserApiKeys.query()\
748 748 .filter(UserApiKeys.user == self)\
749 749 .filter(UserApiKeys.role == UserApiKeys.ROLE_FEED)
750 750 if cache:
751 751 feed_tokens = feed_tokens.options(
752 752 FromCache("sql_cache_short", f"get_user_feed_token_{self.user_id}"))
753 753
754 754 feed_tokens = feed_tokens.all()
755 755 if feed_tokens:
756 756 return feed_tokens[0].api_key
757 757 return 'NO_FEED_TOKEN_AVAILABLE'
758 758
759 759 @LazyProperty
760 760 def artifact_token(self):
761 761 return self.get_artifact_token()
762 762
763 763 def get_artifact_token(self, cache=True):
764 764 artifacts_tokens = UserApiKeys.query()\
765 765 .filter(UserApiKeys.user == self) \
766 766 .filter(or_(UserApiKeys.expires == -1,
767 767 UserApiKeys.expires >= time.time())) \
768 768 .filter(UserApiKeys.role == UserApiKeys.ROLE_ARTIFACT_DOWNLOAD)
769 769
770 770 if cache:
771 771 artifacts_tokens = artifacts_tokens.options(
772 772 FromCache("sql_cache_short", f"get_user_artifact_token_{self.user_id}"))
773 773
774 774 artifacts_tokens = artifacts_tokens.all()
775 775 if artifacts_tokens:
776 776 return artifacts_tokens[0].api_key
777 777 return 'NO_ARTIFACT_TOKEN_AVAILABLE'
778 778
779 779 def get_or_create_artifact_token(self):
780 780 artifacts_tokens = UserApiKeys.query()\
781 781 .filter(UserApiKeys.user == self) \
782 782 .filter(or_(UserApiKeys.expires == -1,
783 783 UserApiKeys.expires >= time.time())) \
784 784 .filter(UserApiKeys.role == UserApiKeys.ROLE_ARTIFACT_DOWNLOAD)
785 785
786 786 artifacts_tokens = artifacts_tokens.all()
787 787 if artifacts_tokens:
788 788 return artifacts_tokens[0].api_key
789 789 else:
790 790 from rhodecode.model.auth_token import AuthTokenModel
791 791 artifact_token = AuthTokenModel().create(
792 792 self, 'auto-generated-artifact-token',
793 793 lifetime=-1, role=UserApiKeys.ROLE_ARTIFACT_DOWNLOAD)
794 794 Session.commit()
795 795 return artifact_token.api_key
796 796
797 797 def is_totp_valid(self, received_code, secret):
798 798 totp = pyotp.TOTP(secret)
799 799 return totp.verify(received_code)
800 800
801 801 def is_2fa_recovery_code_valid(self, received_code, secret):
802 802 encrypted_recovery_codes = self.user_data.get('recovery_codes_2fa', [])
803 803 recovery_codes = self.get_2fa_recovery_codes()
804 804 if received_code in recovery_codes:
805 805 encrypted_recovery_codes.pop(recovery_codes.index(received_code))
806 806 self.update_userdata(recovery_codes_2fa=encrypted_recovery_codes)
807 807 return True
808 808 return False
809 809
810 810 @hybrid_property
811 811 def has_forced_2fa(self):
812 812 """
813 Checks if 2fa was forced for ALL users (including current one)
813 Checks if 2fa was forced for current user
814 814 """
815 815 from rhodecode.model.settings import SettingsModel
816 # So now we're supporting only auth_rhodecode_global_2fa
817 if value := SettingsModel().get_setting_by_name('auth_rhodecode_global_2fa'):
816 if value := SettingsModel().get_setting_by_name(f'{self.extern_type}_global_2fa'):
818 817 return value.app_settings_value
819 818 return False
820 819
821 820 @hybrid_property
822 821 def has_enabled_2fa(self):
823 822 """
824 823 Checks if user enabled 2fa
825 824 """
826 825 if value := self.has_forced_2fa:
827 826 return value
828 827 return self.user_data.get('enabled_2fa', False)
829 828
830 829 @has_enabled_2fa.setter
831 830 def has_enabled_2fa(self, val):
832 831 val = str2bool(val)
833 832 self.update_userdata(enabled_2fa=val)
834 833 if not val:
835 834 # NOTE: setting to false we clear the user_data to not store any 2fa artifacts
836 835 self.update_userdata(secret_2fa=None, recovery_codes_2fa=[], check_2fa=False)
837 836 Session().commit()
838 837
839 838 @hybrid_property
840 839 def check_2fa_required(self):
841 840 """
842 841 Check if check 2fa flag is set for this user
843 842 """
844 843 value = self.user_data.get('check_2fa', False)
845 844 return value
846 845
847 846 @check_2fa_required.setter
848 847 def check_2fa_required(self, val):
849 848 val = str2bool(val)
850 849 self.update_userdata(check_2fa=val)
851 850 Session().commit()
852 851
853 852 @hybrid_property
854 853 def has_seen_2fa_codes(self):
855 854 """
856 855 get the flag about if user has seen 2fa recovery codes
857 856 """
858 857 value = self.user_data.get('recovery_codes_2fa_seen', False)
859 858 return value
860 859
861 860 @has_seen_2fa_codes.setter
862 861 def has_seen_2fa_codes(self, val):
863 862 val = str2bool(val)
864 863 self.update_userdata(recovery_codes_2fa_seen=val)
865 864 Session().commit()
866 865
867 866 @hybrid_property
868 867 def needs_2fa_configure(self):
869 868 """
870 869 Determines if setup2fa has completed for this user. Means he has all needed data for 2fa to work.
871 870
872 871 Currently this is 2fa enabled and secret exists
873 872 """
874 873 if self.has_enabled_2fa:
875 874 return not self.user_data.get('secret_2fa')
876 875 return False
877 876
878 877 def init_2fa_recovery_codes(self, persist=True, force=False):
879 878 """
880 879 Creates 2fa recovery codes
881 880 """
882 881 recovery_codes = self.user_data.get('recovery_codes_2fa', [])
883 882 encrypted_codes = []
884 883 if not recovery_codes or force:
885 884 for _ in range(self.RECOVERY_CODES_COUNT):
886 885 recovery_code = pyotp.random_base32()
887 886 recovery_codes.append(recovery_code)
888 887 encrypted_code = enc_utils.encrypt_value(safe_bytes(recovery_code), enc_key=ENCRYPTION_KEY)
889 888 encrypted_codes.append(safe_str(encrypted_code))
890 889 if persist:
891 890 self.update_userdata(recovery_codes_2fa=encrypted_codes, recovery_codes_2fa_seen=False)
892 891 return recovery_codes
893 892 # User should not check the same recovery codes more than once
894 893 return []
895 894
896 895 def get_2fa_recovery_codes(self):
897 896 encrypted_recovery_codes = self.user_data.get('recovery_codes_2fa', [])
898 897
899 898 recovery_codes = list(map(
900 899 lambda val: safe_str(
901 900 enc_utils.decrypt_value(
902 901 val,
903 902 enc_key=ENCRYPTION_KEY
904 903 )),
905 904 encrypted_recovery_codes))
906 905 return recovery_codes
907 906
908 907 def init_secret_2fa(self, persist=True, force=False):
909 908 secret_2fa = self.user_data.get('secret_2fa')
910 909 if not secret_2fa or force:
911 910 secret = pyotp.random_base32()
912 911 if persist:
913 912 self.update_userdata(secret_2fa=safe_str(enc_utils.encrypt_value(safe_bytes(secret), enc_key=ENCRYPTION_KEY)))
914 913 return secret
915 914 return ''
916 915
917 916 @hybrid_property
918 917 def secret_2fa(self) -> str:
919 918 """
920 919 get stored secret for 2fa
921 920 """
922 921 secret_2fa = self.user_data.get('secret_2fa')
923 922 if secret_2fa:
924 923 return safe_str(
925 924 enc_utils.decrypt_value(secret_2fa, enc_key=ENCRYPTION_KEY))
926 925 return ''
927 926
928 927 @secret_2fa.setter
929 928 def secret_2fa(self, value: str) -> None:
930 929 encrypted_value = enc_utils.encrypt_value(safe_bytes(value), enc_key=ENCRYPTION_KEY)
931 930 self.update_userdata(secret_2fa=safe_str(encrypted_value))
932 931
933 932 def regenerate_2fa_recovery_codes(self):
934 933 """
935 934 Regenerates 2fa recovery codes upon request
936 935 """
937 936 new_recovery_codes = self.init_2fa_recovery_codes(force=True)
938 937 Session().commit()
939 938 return new_recovery_codes
940 939
941 940 @classmethod
942 941 def extra_valid_auth_tokens(cls, user, role=None):
943 942 tokens = UserApiKeys.query().filter(UserApiKeys.user == user)\
944 943 .filter(or_(UserApiKeys.expires == -1,
945 944 UserApiKeys.expires >= time.time()))
946 945 if role:
947 946 tokens = tokens.filter(or_(UserApiKeys.role == role,
948 947 UserApiKeys.role == UserApiKeys.ROLE_ALL))
949 948 return tokens.all()
950 949
951 950 def authenticate_by_token(self, auth_token, roles=None, scope_repo_id=None):
952 951 from rhodecode.lib import auth
953 952
954 953 log.debug('Trying to authenticate user: %s via auth-token, '
955 954 'and roles: %s', self, roles)
956 955
957 956 if not auth_token:
958 957 return False
959 958
960 959 roles = (roles or []) + [UserApiKeys.ROLE_ALL]
961 960 tokens_q = UserApiKeys.query()\
962 961 .filter(UserApiKeys.user_id == self.user_id)\
963 962 .filter(or_(UserApiKeys.expires == -1,
964 963 UserApiKeys.expires >= time.time()))
965 964
966 965 tokens_q = tokens_q.filter(UserApiKeys.role.in_(roles))
967 966
968 967 crypto_backend = auth.crypto_backend()
969 968 enc_token_map = {}
970 969 plain_token_map = {}
971 970 for token in tokens_q:
972 971 if token.api_key.startswith(crypto_backend.ENC_PREF):
973 972 enc_token_map[token.api_key] = token
974 973 else:
975 974 plain_token_map[token.api_key] = token
976 975 log.debug(
977 976 'Found %s plain and %s encrypted tokens to check for authentication for this user',
978 977 len(plain_token_map), len(enc_token_map))
979 978
980 979 # plain token match comes first
981 980 match = plain_token_map.get(auth_token)
982 981
983 982 # check encrypted tokens now
984 983 if not match:
985 984 for token_hash, token in enc_token_map.items():
986 985 # NOTE(marcink): this is expensive to calculate, but most secure
987 986 if crypto_backend.hash_check(auth_token, token_hash):
988 987 match = token
989 988 break
990 989
991 990 if match:
992 991 log.debug('Found matching token %s', match)
993 992 if match.repo_id:
994 993 log.debug('Found scope, checking for scope match of token %s', match)
995 994 if match.repo_id == scope_repo_id:
996 995 return True
997 996 else:
998 997 log.debug(
999 998 'AUTH_TOKEN: scope mismatch, token has a set repo scope: %s, '
1000 999 'and calling scope is:%s, skipping further checks',
1001 1000 match.repo, scope_repo_id)
1002 1001 return False
1003 1002 else:
1004 1003 return True
1005 1004
1006 1005 return False
1007 1006
1008 1007 @property
1009 1008 def ip_addresses(self):
1010 1009 ret = UserIpMap.query().filter(UserIpMap.user == self).all()
1011 1010 return [x.ip_addr for x in ret]
1012 1011
1013 1012 @property
1014 1013 def username_and_name(self):
1015 1014 return f'{self.username} ({self.first_name} {self.last_name})'
1016 1015
1017 1016 @property
1018 1017 def username_or_name_or_email(self):
1019 1018 full_name = self.full_name if self.full_name != ' ' else None
1020 1019 return self.username or full_name or self.email
1021 1020
1022 1021 @property
1023 1022 def full_name(self):
1024 1023 return f'{self.first_name} {self.last_name}'
1025 1024
1026 1025 @property
1027 1026 def full_name_or_username(self):
1028 1027 return (f'{self.first_name} {self.last_name}'
1029 1028 if (self.first_name and self.last_name) else self.username)
1030 1029
1031 1030 @property
1032 1031 def full_contact(self):
1033 1032 return f'{self.first_name} {self.last_name} <{self.email}>'
1034 1033
1035 1034 @property
1036 1035 def short_contact(self):
1037 1036 return f'{self.first_name} {self.last_name}'
1038 1037
1039 1038 @property
1040 1039 def is_admin(self):
1041 1040 return self.admin
1042 1041
1043 1042 @property
1044 1043 def language(self):
1045 1044 return self.user_data.get('language')
1046 1045
1047 1046 def AuthUser(self, **kwargs):
1048 1047 """
1049 1048 Returns instance of AuthUser for this user
1050 1049 """
1051 1050 from rhodecode.lib.auth import AuthUser
1052 1051 return AuthUser(user_id=self.user_id, username=self.username, **kwargs)
1053 1052
1054 1053 @hybrid_property
1055 1054 def user_data(self):
1056 1055 if not self._user_data:
1057 1056 return {}
1058 1057
1059 1058 try:
1060 1059 return json.loads(self._user_data) or {}
1061 1060 except TypeError:
1062 1061 return {}
1063 1062
1064 1063 @user_data.setter
1065 1064 def user_data(self, val):
1066 1065 if not isinstance(val, dict):
1067 1066 raise Exception(f'user_data must be dict, got {type(val)}')
1068 1067 try:
1069 1068 self._user_data = safe_bytes(json.dumps(val))
1070 1069 except Exception:
1071 1070 log.error(traceback.format_exc())
1072 1071
1073 1072 @classmethod
1074 1073 def get(cls, user_id, cache=False):
1075 1074 if not user_id:
1076 1075 return
1077 1076
1078 1077 user = cls.query()
1079 1078 if cache:
1080 1079 user = user.options(
1081 1080 FromCache("sql_cache_short", f"get_users_{user_id}"))
1082 1081 return user.get(user_id)
1083 1082
1084 1083 @classmethod
1085 1084 def get_by_username(cls, username, case_insensitive=False,
1086 1085 cache=False):
1087 1086
1088 1087 if case_insensitive:
1089 1088 q = cls.select().where(
1090 1089 func.lower(cls.username) == func.lower(username))
1091 1090 else:
1092 1091 q = cls.select().where(cls.username == username)
1093 1092
1094 1093 if cache:
1095 1094 hash_key = _hash_key(username)
1096 1095 q = q.options(
1097 1096 FromCache("sql_cache_short", f"get_user_by_name_{hash_key}"))
1098 1097
1099 1098 return cls.execute(q).scalar_one_or_none()
1100 1099
1101 1100 @classmethod
1102 1101 def get_by_username_or_primary_email(cls, user_identifier):
1103 1102 qs = union_all(cls.select().where(func.lower(cls.username) == func.lower(user_identifier)),
1104 1103 cls.select().where(func.lower(cls.email) == func.lower(user_identifier)))
1105 1104 return cls.execute(cls.select(User).from_statement(qs)).scalar_one_or_none()
1106 1105
1107 1106 @classmethod
1108 1107 def get_by_auth_token(cls, auth_token, cache=False):
1109 1108
1110 1109 q = cls.select(User)\
1111 1110 .join(UserApiKeys)\
1112 1111 .where(UserApiKeys.api_key == auth_token)\
1113 1112 .where(or_(UserApiKeys.expires == -1,
1114 1113 UserApiKeys.expires >= time.time()))
1115 1114
1116 1115 if cache:
1117 1116 q = q.options(
1118 1117 FromCache("sql_cache_short", f"get_auth_token_{auth_token}"))
1119 1118
1120 1119 matched_user = cls.execute(q).scalar_one_or_none()
1121 1120
1122 1121 return matched_user
1123 1122
1124 1123 @classmethod
1125 1124 def get_by_email(cls, email, case_insensitive=False, cache=False):
1126 1125
1127 1126 if case_insensitive:
1128 1127 q = cls.select().where(func.lower(cls.email) == func.lower(email))
1129 1128 else:
1130 1129 q = cls.select().where(cls.email == email)
1131 1130
1132 1131 if cache:
1133 1132 email_key = _hash_key(email)
1134 1133 q = q.options(
1135 1134 FromCache("sql_cache_short", f"get_email_key_{email_key}"))
1136 1135
1137 1136 ret = cls.execute(q).scalar_one_or_none()
1138 1137
1139 1138 if ret is None:
1140 1139 q = cls.select(UserEmailMap)
1141 1140 # try fetching in alternate email map
1142 1141 if case_insensitive:
1143 1142 q = q.where(func.lower(UserEmailMap.email) == func.lower(email))
1144 1143 else:
1145 1144 q = q.where(UserEmailMap.email == email)
1146 1145 q = q.options(joinedload(UserEmailMap.user))
1147 1146 if cache:
1148 1147 q = q.options(
1149 1148 FromCache("sql_cache_short", f"get_email_map_key_{email_key}"))
1150 1149
1151 1150 result = cls.execute(q).scalar_one_or_none()
1152 1151 ret = getattr(result, 'user', None)
1153 1152
1154 1153 return ret
1155 1154
1156 1155 @classmethod
1157 1156 def get_from_cs_author(cls, author):
1158 1157 """
1159 1158 Tries to get User objects out of commit author string
1160 1159
1161 1160 :param author:
1162 1161 """
1163 1162 from rhodecode.lib.helpers import email, author_name
1164 1163 # Valid email in the attribute passed, see if they're in the system
1165 1164 _email = email(author)
1166 1165 if _email:
1167 1166 user = cls.get_by_email(_email, case_insensitive=True)
1168 1167 if user:
1169 1168 return user
1170 1169 # Maybe we can match by username?
1171 1170 _author = author_name(author)
1172 1171 user = cls.get_by_username(_author, case_insensitive=True)
1173 1172 if user:
1174 1173 return user
1175 1174
1176 1175 def update_userdata(self, **kwargs):
1177 1176 usr = self
1178 1177 old = usr.user_data
1179 1178 old.update(**kwargs)
1180 1179 usr.user_data = old
1181 1180 Session().add(usr)
1182 1181 log.debug('updated userdata with %s', kwargs)
1183 1182
1184 1183 def update_lastlogin(self):
1185 1184 """Update user lastlogin"""
1186 1185 self.last_login = datetime.datetime.now()
1187 1186 Session().add(self)
1188 1187 log.debug('updated user %s lastlogin', self.username)
1189 1188
1190 1189 def update_password(self, new_password):
1191 1190 from rhodecode.lib.auth import get_crypt_password
1192 1191
1193 1192 self.password = get_crypt_password(new_password)
1194 1193 Session().add(self)
1195 1194
1196 1195 @classmethod
1197 1196 def get_first_super_admin(cls):
1198 1197 stmt = cls.select().where(User.admin == true()).order_by(User.user_id.asc())
1199 1198 user = cls.scalars(stmt).first()
1200 1199
1201 1200 if user is None:
1202 1201 raise Exception('FATAL: Missing administrative account!')
1203 1202 return user
1204 1203
1205 1204 @classmethod
1206 1205 def get_all_super_admins(cls, only_active=False):
1207 1206 """
1208 1207 Returns all admin accounts sorted by username
1209 1208 """
1210 1209 qry = User.query().filter(User.admin == true()).order_by(User.username.asc())
1211 1210 if only_active:
1212 1211 qry = qry.filter(User.active == true())
1213 1212 return qry.all()
1214 1213
1215 1214 @classmethod
1216 1215 def get_all_user_ids(cls, only_active=True):
1217 1216 """
1218 1217 Returns all users IDs
1219 1218 """
1220 1219 qry = Session().query(User.user_id)
1221 1220
1222 1221 if only_active:
1223 1222 qry = qry.filter(User.active == true())
1224 1223 return [x.user_id for x in qry]
1225 1224
1226 1225 @classmethod
1227 1226 def get_default_user(cls, cache=False, refresh=False):
1228 1227 user = User.get_by_username(User.DEFAULT_USER, cache=cache)
1229 1228 if user is None:
1230 1229 raise Exception('FATAL: Missing default account!')
1231 1230 if refresh:
1232 1231 # The default user might be based on outdated state which
1233 1232 # has been loaded from the cache.
1234 1233 # A call to refresh() ensures that the
1235 1234 # latest state from the database is used.
1236 1235 Session().refresh(user)
1237 1236
1238 1237 return user
1239 1238
1240 1239 @classmethod
1241 1240 def get_default_user_id(cls):
1242 1241 import rhodecode
1243 1242 return rhodecode.CONFIG['default_user_id']
1244 1243
1245 1244 def _get_default_perms(self, user, suffix=''):
1246 1245 from rhodecode.model.permission import PermissionModel
1247 1246 return PermissionModel().get_default_perms(user.user_perms, suffix)
1248 1247
1249 1248 def get_default_perms(self, suffix=''):
1250 1249 return self._get_default_perms(self, suffix)
1251 1250
1252 1251 def get_api_data(self, include_secrets=False, details='full'):
1253 1252 """
1254 1253 Common function for generating user related data for API
1255 1254
1256 1255 :param include_secrets: By default secrets in the API data will be replaced
1257 1256 by a placeholder value to prevent exposing this data by accident. In case
1258 1257 this data shall be exposed, set this flag to ``True``.
1259 1258
1260 1259 :param details: details can be 'basic|full' basic gives only a subset of
1261 1260 the available user information that includes user_id, name and emails.
1262 1261 """
1263 1262 user = self
1264 1263 user_data = self.user_data
1265 1264 data = {
1266 1265 'user_id': user.user_id,
1267 1266 'username': user.username,
1268 1267 'firstname': user.name,
1269 1268 'lastname': user.lastname,
1270 1269 'description': user.description,
1271 1270 'email': user.email,
1272 1271 'emails': user.emails,
1273 1272 }
1274 1273 if details == 'basic':
1275 1274 return data
1276 1275
1277 1276 auth_token_length = 40
1278 1277 auth_token_replacement = '*' * auth_token_length
1279 1278
1280 1279 extras = {
1281 1280 'auth_tokens': [auth_token_replacement],
1282 1281 'active': user.active,
1283 1282 'admin': user.admin,
1284 1283 'extern_type': user.extern_type,
1285 1284 'extern_name': user.extern_name,
1286 1285 'last_login': user.last_login,
1287 1286 'last_activity': user.last_activity,
1288 1287 'ip_addresses': user.ip_addresses,
1289 1288 'language': user_data.get('language')
1290 1289 }
1291 1290 data.update(extras)
1292 1291
1293 1292 if include_secrets:
1294 1293 data['auth_tokens'] = user.auth_tokens
1295 1294 return data
1296 1295
1297 1296 def __json__(self):
1298 1297 data = {
1299 1298 'full_name': self.full_name,
1300 1299 'full_name_or_username': self.full_name_or_username,
1301 1300 'short_contact': self.short_contact,
1302 1301 'full_contact': self.full_contact,
1303 1302 }
1304 1303 data.update(self.get_api_data())
1305 1304 return data
1306 1305
1307 1306
1308 1307 class UserApiKeys(Base, BaseModel):
1309 1308 __tablename__ = 'user_api_keys'
1310 1309 __table_args__ = (
1311 1310 Index('uak_api_key_idx', 'api_key'),
1312 1311 Index('uak_api_key_expires_idx', 'api_key', 'expires'),
1313 1312 base_table_args
1314 1313 )
1315 1314
1316 1315 # ApiKey role
1317 1316 ROLE_ALL = 'token_role_all'
1318 1317 ROLE_VCS = 'token_role_vcs'
1319 1318 ROLE_API = 'token_role_api'
1320 1319 ROLE_HTTP = 'token_role_http'
1321 1320 ROLE_FEED = 'token_role_feed'
1322 1321 ROLE_ARTIFACT_DOWNLOAD = 'role_artifact_download'
1323 1322 # The last one is ignored in the list as we only
1324 1323 # use it for one action, and cannot be created by users
1325 1324 ROLE_PASSWORD_RESET = 'token_password_reset'
1326 1325
1327 1326 ROLES = [ROLE_ALL, ROLE_VCS, ROLE_API, ROLE_HTTP, ROLE_FEED, ROLE_ARTIFACT_DOWNLOAD]
1328 1327
1329 1328 user_api_key_id = Column("user_api_key_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
1330 1329 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
1331 1330 api_key = Column("api_key", String(255), nullable=False, unique=True)
1332 1331 description = Column('description', UnicodeText().with_variant(UnicodeText(1024), 'mysql'))
1333 1332 expires = Column('expires', Float(53), nullable=False)
1334 1333 role = Column('role', String(255), nullable=True)
1335 1334 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
1336 1335
1337 1336 # scope columns
1338 1337 repo_id = Column(
1339 1338 'repo_id', Integer(), ForeignKey('repositories.repo_id'),
1340 1339 nullable=True, unique=None, default=None)
1341 1340 repo = relationship('Repository', lazy='joined', back_populates='scoped_tokens')
1342 1341
1343 1342 repo_group_id = Column(
1344 1343 'repo_group_id', Integer(), ForeignKey('groups.group_id'),
1345 1344 nullable=True, unique=None, default=None)
1346 1345 repo_group = relationship('RepoGroup', lazy='joined')
1347 1346
1348 1347 user = relationship('User', lazy='joined', back_populates='user_auth_tokens')
1349 1348
1350 1349 def __repr__(self):
1351 1350 return f"<{self.cls_name}('{self.role}')>"
1352 1351
1353 1352 def __json__(self):
1354 1353 data = {
1355 1354 'auth_token': self.api_key,
1356 1355 'role': self.role,
1357 1356 'scope': self.scope_humanized,
1358 1357 'expired': self.expired
1359 1358 }
1360 1359 return data
1361 1360
1362 1361 def get_api_data(self, include_secrets=False):
1363 1362 data = self.__json__()
1364 1363 if include_secrets:
1365 1364 return data
1366 1365 else:
1367 1366 data['auth_token'] = self.token_obfuscated
1368 1367 return data
1369 1368
1370 1369 @hybrid_property
1371 1370 def description_safe(self):
1372 1371 from rhodecode.lib import helpers as h
1373 1372 return h.escape(self.description)
1374 1373
1375 1374 @property
1376 1375 def expired(self):
1377 1376 if self.expires == -1:
1378 1377 return False
1379 1378 return time.time() > self.expires
1380 1379
1381 1380 @classmethod
1382 1381 def _get_role_name(cls, role):
1383 1382 return {
1384 1383 cls.ROLE_ALL: _('all'),
1385 1384 cls.ROLE_HTTP: _('http/web interface'),
1386 1385 cls.ROLE_VCS: _('vcs (git/hg/svn protocol)'),
1387 1386 cls.ROLE_API: _('api calls'),
1388 1387 cls.ROLE_FEED: _('feed access'),
1389 1388 cls.ROLE_ARTIFACT_DOWNLOAD: _('artifacts downloads'),
1390 1389 }.get(role, role)
1391 1390
1392 1391 @classmethod
1393 1392 def _get_role_description(cls, role):
1394 1393 return {
1395 1394 cls.ROLE_ALL: _('Token for all actions.'),
1396 1395 cls.ROLE_HTTP: _('Token to access RhodeCode pages via web interface without '
1397 1396 'login using `api_access_controllers_whitelist` functionality.'),
1398 1397 cls.ROLE_VCS: _('Token to interact over git/hg/svn protocols. '
1399 1398 'Requires auth_token authentication plugin to be active. <br/>'
1400 1399 'Such Token should be used then instead of a password to '
1401 1400 'interact with a repository, and additionally can be '
1402 1401 'limited to single repository using repo scope.'),
1403 1402 cls.ROLE_API: _('Token limited to api calls.'),
1404 1403 cls.ROLE_FEED: _('Token to read RSS/ATOM feed.'),
1405 1404 cls.ROLE_ARTIFACT_DOWNLOAD: _('Token for artifacts downloads.'),
1406 1405 }.get(role, role)
1407 1406
1408 1407 @property
1409 1408 def role_humanized(self):
1410 1409 return self._get_role_name(self.role)
1411 1410
1412 1411 def _get_scope(self):
1413 1412 if self.repo:
1414 1413 return 'Repository: {}'.format(self.repo.repo_name)
1415 1414 if self.repo_group:
1416 1415 return 'RepositoryGroup: {} (recursive)'.format(self.repo_group.group_name)
1417 1416 return 'Global'
1418 1417
1419 1418 @property
1420 1419 def scope_humanized(self):
1421 1420 return self._get_scope()
1422 1421
1423 1422 @property
1424 1423 def token_obfuscated(self):
1425 1424 if self.api_key:
1426 1425 return self.api_key[:4] + "****"
1427 1426
1428 1427
1429 1428 class UserEmailMap(Base, BaseModel):
1430 1429 __tablename__ = 'user_email_map'
1431 1430 __table_args__ = (
1432 1431 Index('uem_email_idx', 'email'),
1433 1432 Index('uem_user_id_idx', 'user_id'),
1434 1433 UniqueConstraint('email'),
1435 1434 base_table_args
1436 1435 )
1437 1436
1438 1437 email_id = Column("email_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
1439 1438 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
1440 1439 _email = Column("email", String(255), nullable=True, unique=False, default=None)
1441 1440 user = relationship('User', lazy='joined', back_populates='user_emails')
1442 1441
1443 1442 @validates('_email')
1444 1443 def validate_email(self, key, email):
1445 1444 # check if this email is not main one
1446 1445 main_email = Session().query(User).filter(User.email == email).scalar()
1447 1446 if main_email is not None:
1448 1447 raise AttributeError('email %s is present is user table' % email)
1449 1448 return email
1450 1449
1451 1450 @hybrid_property
1452 1451 def email(self):
1453 1452 return self._email
1454 1453
1455 1454 @email.setter
1456 1455 def email(self, val):
1457 1456 self._email = val.lower() if val else None
1458 1457
1459 1458
1460 1459 class UserIpMap(Base, BaseModel):
1461 1460 __tablename__ = 'user_ip_map'
1462 1461 __table_args__ = (
1463 1462 UniqueConstraint('user_id', 'ip_addr'),
1464 1463 base_table_args
1465 1464 )
1466 1465
1467 1466 ip_id = Column("ip_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
1468 1467 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
1469 1468 ip_addr = Column("ip_addr", String(255), nullable=True, unique=False, default=None)
1470 1469 active = Column("active", Boolean(), nullable=True, unique=None, default=True)
1471 1470 description = Column("description", String(10000), nullable=True, unique=None, default=None)
1472 1471 user = relationship('User', lazy='joined', back_populates='user_ip_map')
1473 1472
1474 1473 @hybrid_property
1475 1474 def description_safe(self):
1476 1475 from rhodecode.lib import helpers as h
1477 1476 return h.escape(self.description)
1478 1477
1479 1478 @classmethod
1480 1479 def _get_ip_range(cls, ip_addr):
1481 1480 net = ipaddress.ip_network(safe_str(ip_addr), strict=False)
1482 1481 return [str(net.network_address), str(net.broadcast_address)]
1483 1482
1484 1483 def __json__(self):
1485 1484 return {
1486 1485 'ip_addr': self.ip_addr,
1487 1486 'ip_range': self._get_ip_range(self.ip_addr),
1488 1487 }
1489 1488
1490 1489 def __repr__(self):
1491 1490 return f"<{self.cls_name}('user_id={self.user_id} => ip={self.ip_addr}')>"
1492 1491
1493 1492
1494 1493 class UserSshKeys(Base, BaseModel):
1495 1494 __tablename__ = 'user_ssh_keys'
1496 1495 __table_args__ = (
1497 1496 Index('usk_ssh_key_fingerprint_idx', 'ssh_key_fingerprint'),
1498 1497
1499 1498 UniqueConstraint('ssh_key_fingerprint'),
1500 1499
1501 1500 base_table_args
1502 1501 )
1503 1502
1504 1503 ssh_key_id = Column('ssh_key_id', Integer(), nullable=False, unique=True, default=None, primary_key=True)
1505 1504 ssh_key_data = Column('ssh_key_data', String(10240), nullable=False, unique=None, default=None)
1506 1505 ssh_key_fingerprint = Column('ssh_key_fingerprint', String(255), nullable=False, unique=None, default=None)
1507 1506
1508 1507 description = Column('description', UnicodeText().with_variant(UnicodeText(1024), 'mysql'))
1509 1508
1510 1509 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
1511 1510 accessed_on = Column('accessed_on', DateTime(timezone=False), nullable=True, default=None)
1512 1511 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
1513 1512
1514 1513 user = relationship('User', lazy='joined', back_populates='user_ssh_keys')
1515 1514
1516 1515 def __json__(self):
1517 1516 data = {
1518 1517 'ssh_fingerprint': self.ssh_key_fingerprint,
1519 1518 'description': self.description,
1520 1519 'created_on': self.created_on
1521 1520 }
1522 1521 return data
1523 1522
1524 1523 def get_api_data(self):
1525 1524 data = self.__json__()
1526 1525 return data
1527 1526
1528 1527
1529 1528 class UserLog(Base, BaseModel):
1530 1529 __tablename__ = 'user_logs'
1531 1530 __table_args__ = (
1532 1531 base_table_args,
1533 1532 )
1534 1533
1535 1534 VERSION_1 = 'v1'
1536 1535 VERSION_2 = 'v2'
1537 1536 VERSIONS = [VERSION_1, VERSION_2]
1538 1537
1539 1538 user_log_id = Column("user_log_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
1540 1539 user_id = Column("user_id", Integer(), ForeignKey('users.user_id',ondelete='SET NULL'), nullable=True, unique=None, default=None)
1541 1540 username = Column("username", String(255), nullable=True, unique=None, default=None)
1542 1541 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id', ondelete='SET NULL'), nullable=True, unique=None, default=None)
1543 1542 repository_name = Column("repository_name", String(255), nullable=True, unique=None, default=None)
1544 1543 user_ip = Column("user_ip", String(255), nullable=True, unique=None, default=None)
1545 1544 action = Column("action", Text().with_variant(Text(1200000), 'mysql'), nullable=True, unique=None, default=None)
1546 1545 action_date = Column("action_date", DateTime(timezone=False), nullable=True, unique=None, default=None)
1547 1546
1548 1547 version = Column("version", String(255), nullable=True, default=VERSION_1)
1549 1548 user_data = Column('user_data_json', MutationObj.as_mutable(JsonType(dialect_map=dict(mysql=LONGTEXT()))))
1550 1549 action_data = Column('action_data_json', MutationObj.as_mutable(JsonType(dialect_map=dict(mysql=LONGTEXT()))))
1551 1550 user = relationship('User', cascade='', back_populates='user_log')
1552 1551 repository = relationship('Repository', cascade='', back_populates='logs')
1553 1552
1554 1553 def __repr__(self):
1555 1554 return f"<{self.cls_name}('id:{self.repository_name}:{self.action}')>"
1556 1555
1557 1556 def __json__(self):
1558 1557 return {
1559 1558 'user_id': self.user_id,
1560 1559 'username': self.username,
1561 1560 'repository_id': self.repository_id,
1562 1561 'repository_name': self.repository_name,
1563 1562 'user_ip': self.user_ip,
1564 1563 'action_date': self.action_date,
1565 1564 'action': self.action,
1566 1565 }
1567 1566
1568 1567 @hybrid_property
1569 1568 def entry_id(self):
1570 1569 return self.user_log_id
1571 1570
1572 1571 @property
1573 1572 def action_as_day(self):
1574 1573 return datetime.date(*self.action_date.timetuple()[:3])
1575 1574
1576 1575
1577 1576 class UserGroup(Base, BaseModel):
1578 1577 __tablename__ = 'users_groups'
1579 1578 __table_args__ = (
1580 1579 base_table_args,
1581 1580 )
1582 1581
1583 1582 users_group_id = Column("users_group_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
1584 1583 users_group_name = Column("users_group_name", String(255), nullable=False, unique=True, default=None)
1585 1584 user_group_description = Column("user_group_description", String(10000), nullable=True, unique=None, default=None)
1586 1585 users_group_active = Column("users_group_active", Boolean(), nullable=True, unique=None, default=None)
1587 1586 inherit_default_permissions = Column("users_group_inherit_default_permissions", Boolean(), nullable=False, unique=None, default=True)
1588 1587 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=False, default=None)
1589 1588 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
1590 1589 _group_data = Column("group_data", LargeBinary(), nullable=True) # JSON data
1591 1590
1592 1591 members = relationship('UserGroupMember', cascade="all, delete-orphan", lazy="joined", back_populates='users_group')
1593 1592 users_group_to_perm = relationship('UserGroupToPerm', cascade='all', back_populates='users_group')
1594 1593 users_group_repo_to_perm = relationship('UserGroupRepoToPerm', cascade='all', back_populates='users_group')
1595 1594 users_group_repo_group_to_perm = relationship('UserGroupRepoGroupToPerm', cascade='all', back_populates='users_group')
1596 1595 user_user_group_to_perm = relationship('UserUserGroupToPerm', cascade='all', back_populates='user_group')
1597 1596
1598 1597 user_group_user_group_to_perm = relationship('UserGroupUserGroupToPerm', primaryjoin="UserGroupUserGroupToPerm.target_user_group_id==UserGroup.users_group_id", cascade='all', back_populates='target_user_group')
1599 1598
1600 1599 user_group_review_rules = relationship('RepoReviewRuleUserGroup', cascade='all', back_populates='users_group')
1601 1600 user = relationship('User', primaryjoin="User.user_id==UserGroup.user_id", back_populates='user_groups')
1602 1601
1603 1602 @classmethod
1604 1603 def _load_group_data(cls, column):
1605 1604 if not column:
1606 1605 return {}
1607 1606
1608 1607 try:
1609 1608 return json.loads(column) or {}
1610 1609 except TypeError:
1611 1610 return {}
1612 1611
1613 1612 @hybrid_property
1614 1613 def description_safe(self):
1615 1614 from rhodecode.lib import helpers as h
1616 1615 return h.escape(self.user_group_description)
1617 1616
1618 1617 @hybrid_property
1619 1618 def group_data(self):
1620 1619 return self._load_group_data(self._group_data)
1621 1620
1622 1621 @group_data.expression
1623 1622 def group_data(self, **kwargs):
1624 1623 return self._group_data
1625 1624
1626 1625 @group_data.setter
1627 1626 def group_data(self, val):
1628 1627 try:
1629 1628 self._group_data = json.dumps(val)
1630 1629 except Exception:
1631 1630 log.error(traceback.format_exc())
1632 1631
1633 1632 @classmethod
1634 1633 def _load_sync(cls, group_data):
1635 1634 if group_data:
1636 1635 return group_data.get('extern_type')
1637 1636
1638 1637 @property
1639 1638 def sync(self):
1640 1639 return self._load_sync(self.group_data)
1641 1640
1642 1641 def __repr__(self):
1643 1642 return f"<{self.cls_name}('id:{self.users_group_id}:{self.users_group_name}')>"
1644 1643
1645 1644 @classmethod
1646 1645 def get_by_group_name(cls, group_name, cache=False,
1647 1646 case_insensitive=False):
1648 1647 if case_insensitive:
1649 1648 q = cls.query().filter(func.lower(cls.users_group_name) ==
1650 1649 func.lower(group_name))
1651 1650
1652 1651 else:
1653 1652 q = cls.query().filter(cls.users_group_name == group_name)
1654 1653 if cache:
1655 1654 name_key = _hash_key(group_name)
1656 1655 q = q.options(
1657 1656 FromCache("sql_cache_short", f"get_group_{name_key}"))
1658 1657 return q.scalar()
1659 1658
1660 1659 @classmethod
1661 1660 def get(cls, user_group_id, cache=False):
1662 1661 if not user_group_id:
1663 1662 return
1664 1663
1665 1664 user_group = cls.query()
1666 1665 if cache:
1667 1666 user_group = user_group.options(
1668 1667 FromCache("sql_cache_short", f"get_users_group_{user_group_id}"))
1669 1668 return user_group.get(user_group_id)
1670 1669
1671 1670 def permissions(self, with_admins=True, with_owner=True,
1672 1671 expand_from_user_groups=False):
1673 1672 """
1674 1673 Permissions for user groups
1675 1674 """
1676 1675 _admin_perm = 'usergroup.admin'
1677 1676
1678 1677 owner_row = []
1679 1678 if with_owner:
1680 1679 usr = AttributeDict(self.user.get_dict())
1681 1680 usr.owner_row = True
1682 1681 usr.permission = _admin_perm
1683 1682 owner_row.append(usr)
1684 1683
1685 1684 super_admin_ids = []
1686 1685 super_admin_rows = []
1687 1686 if with_admins:
1688 1687 for usr in User.get_all_super_admins():
1689 1688 super_admin_ids.append(usr.user_id)
1690 1689 # if this admin is also owner, don't double the record
1691 1690 if usr.user_id == owner_row[0].user_id:
1692 1691 owner_row[0].admin_row = True
1693 1692 else:
1694 1693 usr = AttributeDict(usr.get_dict())
1695 1694 usr.admin_row = True
1696 1695 usr.permission = _admin_perm
1697 1696 super_admin_rows.append(usr)
1698 1697
1699 1698 q = UserUserGroupToPerm.query().filter(UserUserGroupToPerm.user_group == self)
1700 1699 q = q.options(joinedload(UserUserGroupToPerm.user_group),
1701 1700 joinedload(UserUserGroupToPerm.user),
1702 1701 joinedload(UserUserGroupToPerm.permission),)
1703 1702
1704 1703 # get owners and admins and permissions. We do a trick of re-writing
1705 1704 # objects from sqlalchemy to named-tuples due to sqlalchemy session
1706 1705 # has a global reference and changing one object propagates to all
1707 1706 # others. This means if admin is also an owner admin_row that change
1708 1707 # would propagate to both objects
1709 1708 perm_rows = []
1710 1709 for _usr in q.all():
1711 1710 usr = AttributeDict(_usr.user.get_dict())
1712 1711 # if this user is also owner/admin, mark as duplicate record
1713 1712 if usr.user_id == owner_row[0].user_id or usr.user_id in super_admin_ids:
1714 1713 usr.duplicate_perm = True
1715 1714 usr.permission = _usr.permission.permission_name
1716 1715 perm_rows.append(usr)
1717 1716
1718 1717 # filter the perm rows by 'default' first and then sort them by
1719 1718 # admin,write,read,none permissions sorted again alphabetically in
1720 1719 # each group
1721 1720 perm_rows = sorted(perm_rows, key=display_user_sort)
1722 1721
1723 1722 user_groups_rows = []
1724 1723 if expand_from_user_groups:
1725 1724 for ug in self.permission_user_groups(with_members=True):
1726 1725 for user_data in ug.members:
1727 1726 user_groups_rows.append(user_data)
1728 1727
1729 1728 return super_admin_rows + owner_row + perm_rows + user_groups_rows
1730 1729
1731 1730 def permission_user_groups(self, with_members=False):
1732 1731 q = UserGroupUserGroupToPerm.query()\
1733 1732 .filter(UserGroupUserGroupToPerm.target_user_group == self)
1734 1733 q = q.options(joinedload(UserGroupUserGroupToPerm.user_group),
1735 1734 joinedload(UserGroupUserGroupToPerm.target_user_group),
1736 1735 joinedload(UserGroupUserGroupToPerm.permission),)
1737 1736
1738 1737 perm_rows = []
1739 1738 for _user_group in q.all():
1740 1739 entry = AttributeDict(_user_group.user_group.get_dict())
1741 1740 entry.permission = _user_group.permission.permission_name
1742 1741 if with_members:
1743 1742 entry.members = [x.user.get_dict()
1744 1743 for x in _user_group.user_group.members]
1745 1744 perm_rows.append(entry)
1746 1745
1747 1746 perm_rows = sorted(perm_rows, key=display_user_group_sort)
1748 1747 return perm_rows
1749 1748
1750 1749 def _get_default_perms(self, user_group, suffix=''):
1751 1750 from rhodecode.model.permission import PermissionModel
1752 1751 return PermissionModel().get_default_perms(user_group.users_group_to_perm, suffix)
1753 1752
1754 1753 def get_default_perms(self, suffix=''):
1755 1754 return self._get_default_perms(self, suffix)
1756 1755
1757 1756 def get_api_data(self, with_group_members=True, include_secrets=False):
1758 1757 """
1759 1758 :param include_secrets: See :meth:`User.get_api_data`, this parameter is
1760 1759 basically forwarded.
1761 1760
1762 1761 """
1763 1762 user_group = self
1764 1763 data = {
1765 1764 'users_group_id': user_group.users_group_id,
1766 1765 'group_name': user_group.users_group_name,
1767 1766 'group_description': user_group.user_group_description,
1768 1767 'active': user_group.users_group_active,
1769 1768 'owner': user_group.user.username,
1770 1769 'sync': user_group.sync,
1771 1770 'owner_email': user_group.user.email,
1772 1771 }
1773 1772
1774 1773 if with_group_members:
1775 1774 users = []
1776 1775 for user in user_group.members:
1777 1776 user = user.user
1778 1777 users.append(user.get_api_data(include_secrets=include_secrets))
1779 1778 data['users'] = users
1780 1779
1781 1780 return data
1782 1781
1783 1782
1784 1783 class UserGroupMember(Base, BaseModel):
1785 1784 __tablename__ = 'users_groups_members'
1786 1785 __table_args__ = (
1787 1786 base_table_args,
1788 1787 )
1789 1788
1790 1789 users_group_member_id = Column("users_group_member_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
1791 1790 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
1792 1791 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
1793 1792
1794 1793 user = relationship('User', lazy='joined', back_populates='group_member')
1795 1794 users_group = relationship('UserGroup', back_populates='members')
1796 1795
1797 1796 def __init__(self, gr_id='', u_id=''):
1798 1797 self.users_group_id = gr_id
1799 1798 self.user_id = u_id
1800 1799
1801 1800
1802 1801 class RepositoryField(Base, BaseModel):
1803 1802 __tablename__ = 'repositories_fields'
1804 1803 __table_args__ = (
1805 1804 UniqueConstraint('repository_id', 'field_key'), # no-multi field
1806 1805 base_table_args,
1807 1806 )
1808 1807
1809 1808 PREFIX = 'ex_' # prefix used in form to not conflict with already existing fields
1810 1809
1811 1810 repo_field_id = Column("repo_field_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
1812 1811 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
1813 1812 field_key = Column("field_key", String(250))
1814 1813 field_label = Column("field_label", String(1024), nullable=False)
1815 1814 field_value = Column("field_value", String(10000), nullable=False)
1816 1815 field_desc = Column("field_desc", String(1024), nullable=False)
1817 1816 field_type = Column("field_type", String(255), nullable=False, unique=None)
1818 1817 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
1819 1818
1820 1819 repository = relationship('Repository', back_populates='extra_fields')
1821 1820
1822 1821 @property
1823 1822 def field_key_prefixed(self):
1824 1823 return 'ex_%s' % self.field_key
1825 1824
1826 1825 @classmethod
1827 1826 def un_prefix_key(cls, key):
1828 1827 if key.startswith(cls.PREFIX):
1829 1828 return key[len(cls.PREFIX):]
1830 1829 return key
1831 1830
1832 1831 @classmethod
1833 1832 def get_by_key_name(cls, key, repo):
1834 1833 row = cls.query()\
1835 1834 .filter(cls.repository == repo)\
1836 1835 .filter(cls.field_key == key).scalar()
1837 1836 return row
1838 1837
1839 1838
1840 1839 class Repository(Base, BaseModel):
1841 1840 __tablename__ = 'repositories'
1842 1841 __table_args__ = (
1843 1842 Index('r_repo_name_idx', 'repo_name', mysql_length=255),
1844 1843 base_table_args,
1845 1844 )
1846 1845 DEFAULT_CLONE_URI = '{scheme}://{user}@{netloc}/{repo}'
1847 1846 DEFAULT_CLONE_URI_ID = '{scheme}://{user}@{netloc}/_{repoid}'
1848 1847 DEFAULT_CLONE_URI_SSH = 'ssh://{sys_user}@{hostname}/{repo}'
1849 1848
1850 1849 STATE_CREATED = 'repo_state_created'
1851 1850 STATE_PENDING = 'repo_state_pending'
1852 1851 STATE_ERROR = 'repo_state_error'
1853 1852
1854 1853 LOCK_AUTOMATIC = 'lock_auto'
1855 1854 LOCK_API = 'lock_api'
1856 1855 LOCK_WEB = 'lock_web'
1857 1856 LOCK_PULL = 'lock_pull'
1858 1857
1859 1858 NAME_SEP = URL_SEP
1860 1859
1861 1860 repo_id = Column(
1862 1861 "repo_id", Integer(), nullable=False, unique=True, default=None,
1863 1862 primary_key=True)
1864 1863 _repo_name = Column(
1865 1864 "repo_name", Text(), nullable=False, default=None)
1866 1865 repo_name_hash = Column(
1867 1866 "repo_name_hash", String(255), nullable=False, unique=True)
1868 1867 repo_state = Column("repo_state", String(255), nullable=True)
1869 1868
1870 1869 clone_uri = Column(
1871 1870 "clone_uri", EncryptedTextValue(), nullable=True, unique=False,
1872 1871 default=None)
1873 1872 push_uri = Column(
1874 1873 "push_uri", EncryptedTextValue(), nullable=True, unique=False,
1875 1874 default=None)
1876 1875 repo_type = Column(
1877 1876 "repo_type", String(255), nullable=False, unique=False, default=None)
1878 1877 user_id = Column(
1879 1878 "user_id", Integer(), ForeignKey('users.user_id'), nullable=False,
1880 1879 unique=False, default=None)
1881 1880 private = Column(
1882 1881 "private", Boolean(), nullable=True, unique=None, default=None)
1883 1882 archived = Column(
1884 1883 "archived", Boolean(), nullable=True, unique=None, default=None)
1885 1884 enable_statistics = Column(
1886 1885 "statistics", Boolean(), nullable=True, unique=None, default=True)
1887 1886 enable_downloads = Column(
1888 1887 "downloads", Boolean(), nullable=True, unique=None, default=True)
1889 1888 description = Column(
1890 1889 "description", String(10000), nullable=True, unique=None, default=None)
1891 1890 created_on = Column(
1892 1891 'created_on', DateTime(timezone=False), nullable=True, unique=None,
1893 1892 default=datetime.datetime.now)
1894 1893 updated_on = Column(
1895 1894 'updated_on', DateTime(timezone=False), nullable=True, unique=None,
1896 1895 default=datetime.datetime.now)
1897 1896 _landing_revision = Column(
1898 1897 "landing_revision", String(255), nullable=False, unique=False,
1899 1898 default=None)
1900 1899 enable_locking = Column(
1901 1900 "enable_locking", Boolean(), nullable=False, unique=None,
1902 1901 default=False)
1903 1902 _locked = Column(
1904 1903 "locked", String(255), nullable=True, unique=False, default=None)
1905 1904 _changeset_cache = Column(
1906 1905 "changeset_cache", LargeBinary(), nullable=True) # JSON data
1907 1906
1908 1907 fork_id = Column(
1909 1908 "fork_id", Integer(), ForeignKey('repositories.repo_id'),
1910 1909 nullable=True, unique=False, default=None)
1911 1910 group_id = Column(
1912 1911 "group_id", Integer(), ForeignKey('groups.group_id'), nullable=True,
1913 1912 unique=False, default=None)
1914 1913
1915 1914 user = relationship('User', lazy='joined', back_populates='repositories')
1916 1915 fork = relationship('Repository', remote_side=repo_id, lazy='joined')
1917 1916 group = relationship('RepoGroup', lazy='joined')
1918 1917 repo_to_perm = relationship('UserRepoToPerm', cascade='all', order_by='UserRepoToPerm.repo_to_perm_id')
1919 1918 users_group_to_perm = relationship('UserGroupRepoToPerm', cascade='all', back_populates='repository')
1920 1919 stats = relationship('Statistics', cascade='all', uselist=False)
1921 1920
1922 1921 followers = relationship('UserFollowing', primaryjoin='UserFollowing.follows_repo_id==Repository.repo_id', cascade='all', back_populates='follows_repository')
1923 1922 extra_fields = relationship('RepositoryField', cascade="all, delete-orphan", back_populates='repository')
1924 1923
1925 1924 logs = relationship('UserLog', back_populates='repository')
1926 1925
1927 1926 comments = relationship('ChangesetComment', cascade="all, delete-orphan", back_populates='repo')
1928 1927
1929 1928 pull_requests_source = relationship(
1930 1929 'PullRequest',
1931 1930 primaryjoin='PullRequest.source_repo_id==Repository.repo_id',
1932 1931 cascade="all, delete-orphan",
1933 1932 overlaps="source_repo"
1934 1933 )
1935 1934 pull_requests_target = relationship(
1936 1935 'PullRequest',
1937 1936 primaryjoin='PullRequest.target_repo_id==Repository.repo_id',
1938 1937 cascade="all, delete-orphan",
1939 1938 overlaps="target_repo"
1940 1939 )
1941 1940
1942 1941 ui = relationship('RepoRhodeCodeUi', cascade="all")
1943 1942 settings = relationship('RepoRhodeCodeSetting', cascade="all")
1944 1943 integrations = relationship('Integration', cascade="all, delete-orphan", back_populates='repo')
1945 1944
1946 1945 scoped_tokens = relationship('UserApiKeys', cascade="all", back_populates='repo')
1947 1946
1948 1947 # no cascade, set NULL
1949 1948 artifacts = relationship('FileStore', primaryjoin='FileStore.scope_repo_id==Repository.repo_id', viewonly=True)
1950 1949
1951 1950 review_rules = relationship('RepoReviewRule')
1952 1951 user_branch_perms = relationship('UserToRepoBranchPermission')
1953 1952 user_group_branch_perms = relationship('UserGroupToRepoBranchPermission')
1954 1953
1955 1954 def __repr__(self):
1956 1955 return "<%s('%s:%s')>" % (self.cls_name, self.repo_id, self.repo_name)
1957 1956
1958 1957 @hybrid_property
1959 1958 def description_safe(self):
1960 1959 from rhodecode.lib import helpers as h
1961 1960 return h.escape(self.description)
1962 1961
1963 1962 @hybrid_property
1964 1963 def landing_rev(self):
1965 1964 # always should return [rev_type, rev], e.g ['branch', 'master']
1966 1965 if self._landing_revision:
1967 1966 _rev_info = self._landing_revision.split(':')
1968 1967 if len(_rev_info) < 2:
1969 1968 _rev_info.insert(0, 'rev')
1970 1969 return [_rev_info[0], _rev_info[1]]
1971 1970 return [None, None]
1972 1971
1973 1972 @property
1974 1973 def landing_ref_type(self):
1975 1974 return self.landing_rev[0]
1976 1975
1977 1976 @property
1978 1977 def landing_ref_name(self):
1979 1978 return self.landing_rev[1]
1980 1979
1981 1980 @landing_rev.setter
1982 1981 def landing_rev(self, val):
1983 1982 if ':' not in val:
1984 1983 raise ValueError('value must be delimited with `:` and consist '
1985 1984 'of <rev_type>:<rev>, got %s instead' % val)
1986 1985 self._landing_revision = val
1987 1986
1988 1987 @hybrid_property
1989 1988 def locked(self):
1990 1989 if self._locked:
1991 1990 user_id, timelocked, reason = self._locked.split(':')
1992 1991 lock_values = int(user_id), timelocked, reason
1993 1992 else:
1994 1993 lock_values = [None, None, None]
1995 1994 return lock_values
1996 1995
1997 1996 @locked.setter
1998 1997 def locked(self, val):
1999 1998 if val and isinstance(val, (list, tuple)):
2000 1999 self._locked = ':'.join(map(str, val))
2001 2000 else:
2002 2001 self._locked = None
2003 2002
2004 2003 @classmethod
2005 2004 def _load_changeset_cache(cls, repo_id, changeset_cache_raw):
2006 2005 from rhodecode.lib.vcs.backends.base import EmptyCommit
2007 2006 dummy = EmptyCommit().__json__()
2008 2007 if not changeset_cache_raw:
2009 2008 dummy['source_repo_id'] = repo_id
2010 2009 return json.loads(json.dumps(dummy))
2011 2010
2012 2011 try:
2013 2012 return json.loads(changeset_cache_raw)
2014 2013 except TypeError:
2015 2014 return dummy
2016 2015 except Exception:
2017 2016 log.error(traceback.format_exc())
2018 2017 return dummy
2019 2018
2020 2019 @hybrid_property
2021 2020 def changeset_cache(self):
2022 2021 return self._load_changeset_cache(self.repo_id, self._changeset_cache)
2023 2022
2024 2023 @changeset_cache.setter
2025 2024 def changeset_cache(self, val):
2026 2025 try:
2027 2026 self._changeset_cache = json.dumps(val)
2028 2027 except Exception:
2029 2028 log.error(traceback.format_exc())
2030 2029
2031 2030 @hybrid_property
2032 2031 def repo_name(self):
2033 2032 return self._repo_name
2034 2033
2035 2034 @repo_name.setter
2036 2035 def repo_name(self, value):
2037 2036 self._repo_name = value
2038 2037 self.repo_name_hash = sha1(safe_bytes(value))
2039 2038
2040 2039 @classmethod
2041 2040 def normalize_repo_name(cls, repo_name):
2042 2041 """
2043 2042 Normalizes os specific repo_name to the format internally stored inside
2044 2043 database using URL_SEP
2045 2044
2046 2045 :param cls:
2047 2046 :param repo_name:
2048 2047 """
2049 2048 return cls.NAME_SEP.join(repo_name.split(os.sep))
2050 2049
2051 2050 @classmethod
2052 2051 def get_by_repo_name(cls, repo_name, cache=False, identity_cache=False):
2053 2052 session = Session()
2054 2053 q = session.query(cls).filter(cls.repo_name == repo_name)
2055 2054
2056 2055 if cache:
2057 2056 if identity_cache:
2058 2057 val = cls.identity_cache(session, 'repo_name', repo_name)
2059 2058 if val:
2060 2059 return val
2061 2060 else:
2062 2061 cache_key = f"get_repo_by_name_{_hash_key(repo_name)}"
2063 2062 q = q.options(
2064 2063 FromCache("sql_cache_short", cache_key))
2065 2064
2066 2065 return q.scalar()
2067 2066
2068 2067 @classmethod
2069 2068 def get_by_id_or_repo_name(cls, repoid):
2070 2069 if isinstance(repoid, int):
2071 2070 try:
2072 2071 repo = cls.get(repoid)
2073 2072 except ValueError:
2074 2073 repo = None
2075 2074 else:
2076 2075 repo = cls.get_by_repo_name(repoid)
2077 2076 return repo
2078 2077
2079 2078 @classmethod
2080 2079 def get_by_full_path(cls, repo_full_path):
2081 2080 repo_name = repo_full_path.split(cls.base_path(), 1)[-1]
2082 2081 repo_name = cls.normalize_repo_name(repo_name)
2083 2082 return cls.get_by_repo_name(repo_name.strip(URL_SEP))
2084 2083
2085 2084 @classmethod
2086 2085 def get_repo_forks(cls, repo_id):
2087 2086 return cls.query().filter(Repository.fork_id == repo_id)
2088 2087
2089 2088 @classmethod
2090 2089 def base_path(cls):
2091 2090 """
2092 2091 Returns base path when all repos are stored
2093 2092
2094 2093 :param cls:
2095 2094 """
2096 2095 from rhodecode.lib.utils import get_rhodecode_repo_store_path
2097 2096 return get_rhodecode_repo_store_path()
2098 2097
2099 2098 @classmethod
2100 2099 def get_all_repos(cls, user_id=Optional(None), group_id=Optional(None),
2101 2100 case_insensitive=True, archived=False):
2102 2101 q = Repository.query()
2103 2102
2104 2103 if not archived:
2105 2104 q = q.filter(Repository.archived.isnot(true()))
2106 2105
2107 2106 if not isinstance(user_id, Optional):
2108 2107 q = q.filter(Repository.user_id == user_id)
2109 2108
2110 2109 if not isinstance(group_id, Optional):
2111 2110 q = q.filter(Repository.group_id == group_id)
2112 2111
2113 2112 if case_insensitive:
2114 2113 q = q.order_by(func.lower(Repository.repo_name))
2115 2114 else:
2116 2115 q = q.order_by(Repository.repo_name)
2117 2116
2118 2117 return q.all()
2119 2118
2120 2119 @property
2121 2120 def repo_uid(self):
2122 2121 return '_{}'.format(self.repo_id)
2123 2122
2124 2123 @property
2125 2124 def forks(self):
2126 2125 """
2127 2126 Return forks of this repo
2128 2127 """
2129 2128 return Repository.get_repo_forks(self.repo_id)
2130 2129
2131 2130 @property
2132 2131 def parent(self):
2133 2132 """
2134 2133 Returns fork parent
2135 2134 """
2136 2135 return self.fork
2137 2136
2138 2137 @property
2139 2138 def just_name(self):
2140 2139 return self.repo_name.split(self.NAME_SEP)[-1]
2141 2140
2142 2141 @property
2143 2142 def groups_with_parents(self):
2144 2143 groups = []
2145 2144 if self.group is None:
2146 2145 return groups
2147 2146
2148 2147 cur_gr = self.group
2149 2148 groups.insert(0, cur_gr)
2150 2149 while 1:
2151 2150 gr = getattr(cur_gr, 'parent_group', None)
2152 2151 cur_gr = cur_gr.parent_group
2153 2152 if gr is None:
2154 2153 break
2155 2154 groups.insert(0, gr)
2156 2155
2157 2156 return groups
2158 2157
2159 2158 @property
2160 2159 def groups_and_repo(self):
2161 2160 return self.groups_with_parents, self
2162 2161
2163 2162 @property
2164 2163 def repo_path(self):
2165 2164 """
2166 2165 Returns base full path for that repository means where it actually
2167 2166 exists on a filesystem
2168 2167 """
2169 2168 return self.base_path()
2170 2169
2171 2170 @property
2172 2171 def repo_full_path(self):
2173 2172 p = [self.repo_path]
2174 2173 # we need to split the name by / since this is how we store the
2175 2174 # names in the database, but that eventually needs to be converted
2176 2175 # into a valid system path
2177 2176 p += self.repo_name.split(self.NAME_SEP)
2178 2177 return os.path.join(*map(safe_str, p))
2179 2178
2180 2179 @property
2181 2180 def cache_keys(self):
2182 2181 """
2183 2182 Returns associated cache keys for that repo
2184 2183 """
2185 2184 repo_namespace_key = CacheKey.REPO_INVALIDATION_NAMESPACE.format(repo_id=self.repo_id)
2186 2185 return CacheKey.query()\
2187 2186 .filter(CacheKey.cache_key == repo_namespace_key)\
2188 2187 .order_by(CacheKey.cache_key)\
2189 2188 .all()
2190 2189
2191 2190 @property
2192 2191 def cached_diffs_relative_dir(self):
2193 2192 """
2194 2193 Return a relative to the repository store path of cached diffs
2195 2194 used for safe display for users, who shouldn't know the absolute store
2196 2195 path
2197 2196 """
2198 2197 return os.path.join(
2199 2198 os.path.dirname(self.repo_name),
2200 2199 self.cached_diffs_dir.split(os.path.sep)[-1])
2201 2200
2202 2201 @property
2203 2202 def cached_diffs_dir(self):
2204 2203 path = self.repo_full_path
2205 2204 return os.path.join(
2206 2205 os.path.dirname(path),
2207 2206 f'.__shadow_diff_cache_repo_{self.repo_id}')
2208 2207
2209 2208 def cached_diffs(self):
2210 2209 diff_cache_dir = self.cached_diffs_dir
2211 2210 if os.path.isdir(diff_cache_dir):
2212 2211 return os.listdir(diff_cache_dir)
2213 2212 return []
2214 2213
2215 2214 def shadow_repos(self):
2216 2215 shadow_repos_pattern = f'.__shadow_repo_{self.repo_id}'
2217 2216 return [
2218 2217 x for x in os.listdir(os.path.dirname(self.repo_full_path))
2219 2218 if x.startswith(shadow_repos_pattern)
2220 2219 ]
2221 2220
2222 2221 def get_new_name(self, repo_name):
2223 2222 """
2224 2223 returns new full repository name based on assigned group and new new
2225 2224
2226 2225 :param repo_name:
2227 2226 """
2228 2227 path_prefix = self.group.full_path_splitted if self.group else []
2229 2228 return self.NAME_SEP.join(path_prefix + [repo_name])
2230 2229
2231 2230 @property
2232 2231 def _config(self):
2233 2232 """
2234 2233 Returns db based config object.
2235 2234 """
2236 2235 from rhodecode.lib.utils import make_db_config
2237 2236 return make_db_config(clear_session=False, repo=self)
2238 2237
2239 2238 def permissions(self, with_admins=True, with_owner=True,
2240 2239 expand_from_user_groups=False):
2241 2240 """
2242 2241 Permissions for repositories
2243 2242 """
2244 2243 _admin_perm = 'repository.admin'
2245 2244
2246 2245 owner_row = []
2247 2246 if with_owner:
2248 2247 usr = AttributeDict(self.user.get_dict())
2249 2248 usr.owner_row = True
2250 2249 usr.permission = _admin_perm
2251 2250 usr.permission_id = None
2252 2251 owner_row.append(usr)
2253 2252
2254 2253 super_admin_ids = []
2255 2254 super_admin_rows = []
2256 2255 if with_admins:
2257 2256 for usr in User.get_all_super_admins():
2258 2257 super_admin_ids.append(usr.user_id)
2259 2258 # if this admin is also owner, don't double the record
2260 2259 if usr.user_id == owner_row[0].user_id:
2261 2260 owner_row[0].admin_row = True
2262 2261 else:
2263 2262 usr = AttributeDict(usr.get_dict())
2264 2263 usr.admin_row = True
2265 2264 usr.permission = _admin_perm
2266 2265 usr.permission_id = None
2267 2266 super_admin_rows.append(usr)
2268 2267
2269 2268 q = UserRepoToPerm.query().filter(UserRepoToPerm.repository == self)
2270 2269 q = q.options(joinedload(UserRepoToPerm.repository),
2271 2270 joinedload(UserRepoToPerm.user),
2272 2271 joinedload(UserRepoToPerm.permission),)
2273 2272
2274 2273 # get owners and admins and permissions. We do a trick of re-writing
2275 2274 # objects from sqlalchemy to named-tuples due to sqlalchemy session
2276 2275 # has a global reference and changing one object propagates to all
2277 2276 # others. This means if admin is also an owner admin_row that change
2278 2277 # would propagate to both objects
2279 2278 perm_rows = []
2280 2279 for _usr in q.all():
2281 2280 usr = AttributeDict(_usr.user.get_dict())
2282 2281 # if this user is also owner/admin, mark as duplicate record
2283 2282 if usr.user_id == owner_row[0].user_id or usr.user_id in super_admin_ids:
2284 2283 usr.duplicate_perm = True
2285 2284 # also check if this permission is maybe used by branch_permissions
2286 2285 if _usr.branch_perm_entry:
2287 2286 usr.branch_rules = [x.branch_rule_id for x in _usr.branch_perm_entry]
2288 2287
2289 2288 usr.permission = _usr.permission.permission_name
2290 2289 usr.permission_id = _usr.repo_to_perm_id
2291 2290 perm_rows.append(usr)
2292 2291
2293 2292 # filter the perm rows by 'default' first and then sort them by
2294 2293 # admin,write,read,none permissions sorted again alphabetically in
2295 2294 # each group
2296 2295 perm_rows = sorted(perm_rows, key=display_user_sort)
2297 2296
2298 2297 user_groups_rows = []
2299 2298 if expand_from_user_groups:
2300 2299 for ug in self.permission_user_groups(with_members=True):
2301 2300 for user_data in ug.members:
2302 2301 user_groups_rows.append(user_data)
2303 2302
2304 2303 return super_admin_rows + owner_row + perm_rows + user_groups_rows
2305 2304
2306 2305 def permission_user_groups(self, with_members=True):
2307 2306 q = UserGroupRepoToPerm.query()\
2308 2307 .filter(UserGroupRepoToPerm.repository == self)
2309 2308 q = q.options(joinedload(UserGroupRepoToPerm.repository),
2310 2309 joinedload(UserGroupRepoToPerm.users_group),
2311 2310 joinedload(UserGroupRepoToPerm.permission),)
2312 2311
2313 2312 perm_rows = []
2314 2313 for _user_group in q.all():
2315 2314 entry = AttributeDict(_user_group.users_group.get_dict())
2316 2315 entry.permission = _user_group.permission.permission_name
2317 2316 if with_members:
2318 2317 entry.members = [x.user.get_dict()
2319 2318 for x in _user_group.users_group.members]
2320 2319 perm_rows.append(entry)
2321 2320
2322 2321 perm_rows = sorted(perm_rows, key=display_user_group_sort)
2323 2322 return perm_rows
2324 2323
2325 2324 def get_api_data(self, include_secrets=False):
2326 2325 """
2327 2326 Common function for generating repo api data
2328 2327
2329 2328 :param include_secrets: See :meth:`User.get_api_data`.
2330 2329
2331 2330 """
2332 2331 # TODO: mikhail: Here there is an anti-pattern, we probably need to
2333 2332 # move this methods on models level.
2334 2333 from rhodecode.model.settings import SettingsModel
2335 2334 from rhodecode.model.repo import RepoModel
2336 2335
2337 2336 repo = self
2338 2337 _user_id, _time, _reason = self.locked
2339 2338
2340 2339 data = {
2341 2340 'repo_id': repo.repo_id,
2342 2341 'repo_name': repo.repo_name,
2343 2342 'repo_type': repo.repo_type,
2344 2343 'clone_uri': repo.clone_uri or '',
2345 2344 'push_uri': repo.push_uri or '',
2346 2345 'url': RepoModel().get_url(self),
2347 2346 'private': repo.private,
2348 2347 'created_on': repo.created_on,
2349 2348 'description': repo.description_safe,
2350 2349 'landing_rev': repo.landing_rev,
2351 2350 'owner': repo.user.username,
2352 2351 'fork_of': repo.fork.repo_name if repo.fork else None,
2353 2352 'fork_of_id': repo.fork.repo_id if repo.fork else None,
2354 2353 'enable_statistics': repo.enable_statistics,
2355 2354 'enable_locking': repo.enable_locking,
2356 2355 'enable_downloads': repo.enable_downloads,
2357 2356 'last_changeset': repo.changeset_cache,
2358 2357 'locked_by': User.get(_user_id).get_api_data(
2359 2358 include_secrets=include_secrets) if _user_id else None,
2360 2359 'locked_date': time_to_datetime(_time) if _time else None,
2361 2360 'lock_reason': _reason if _reason else None,
2362 2361 }
2363 2362
2364 2363 # TODO: mikhail: should be per-repo settings here
2365 2364 rc_config = SettingsModel().get_all_settings()
2366 2365 repository_fields = str2bool(
2367 2366 rc_config.get('rhodecode_repository_fields'))
2368 2367 if repository_fields:
2369 2368 for f in self.extra_fields:
2370 2369 data[f.field_key_prefixed] = f.field_value
2371 2370
2372 2371 return data
2373 2372
2374 2373 @classmethod
2375 2374 def lock(cls, repo, user_id, lock_time=None, lock_reason=None):
2376 2375 if not lock_time:
2377 2376 lock_time = time.time()
2378 2377 if not lock_reason:
2379 2378 lock_reason = cls.LOCK_AUTOMATIC
2380 2379 repo.locked = [user_id, lock_time, lock_reason]
2381 2380 Session().add(repo)
2382 2381 Session().commit()
2383 2382
2384 2383 @classmethod
2385 2384 def unlock(cls, repo):
2386 2385 repo.locked = None
2387 2386 Session().add(repo)
2388 2387 Session().commit()
2389 2388
2390 2389 @classmethod
2391 2390 def getlock(cls, repo):
2392 2391 return repo.locked
2393 2392
2394 2393 def get_locking_state(self, action, user_id, only_when_enabled=True):
2395 2394 """
2396 2395 Checks locking on this repository, if locking is enabled and lock is
2397 2396 present returns a tuple of make_lock, locked, locked_by.
2398 2397 make_lock can have 3 states None (do nothing) True, make lock
2399 2398 False release lock, This value is later propagated to hooks, which
2400 2399 do the locking. Think about this as signals passed to hooks what to do.
2401 2400
2402 2401 """
2403 2402 # TODO: johbo: This is part of the business logic and should be moved
2404 2403 # into the RepositoryModel.
2405 2404
2406 2405 if action not in ('push', 'pull'):
2407 2406 raise ValueError("Invalid action value: %s" % repr(action))
2408 2407
2409 2408 # defines if locked error should be thrown to user
2410 2409 currently_locked = False
2411 2410 # defines if new lock should be made, tri-state
2412 2411 make_lock = None
2413 2412 repo = self
2414 2413 user = User.get(user_id)
2415 2414
2416 2415 lock_info = repo.locked
2417 2416
2418 2417 if repo and (repo.enable_locking or not only_when_enabled):
2419 2418 if action == 'push':
2420 2419 # check if it's already locked !, if it is compare users
2421 2420 locked_by_user_id = lock_info[0]
2422 2421 if user.user_id == locked_by_user_id:
2423 2422 log.debug(
2424 2423 'Got `push` action from user %s, now unlocking', user)
2425 2424 # unlock if we have push from user who locked
2426 2425 make_lock = False
2427 2426 else:
2428 2427 # we're not the same user who locked, ban with
2429 2428 # code defined in settings (default is 423 HTTP Locked) !
2430 2429 log.debug('Repo %s is currently locked by %s', repo, user)
2431 2430 currently_locked = True
2432 2431 elif action == 'pull':
2433 2432 # [0] user [1] date
2434 2433 if lock_info[0] and lock_info[1]:
2435 2434 log.debug('Repo %s is currently locked by %s', repo, user)
2436 2435 currently_locked = True
2437 2436 else:
2438 2437 log.debug('Setting lock on repo %s by %s', repo, user)
2439 2438 make_lock = True
2440 2439
2441 2440 else:
2442 2441 log.debug('Repository %s do not have locking enabled', repo)
2443 2442
2444 2443 log.debug('FINAL locking values make_lock:%s,locked:%s,locked_by:%s',
2445 2444 make_lock, currently_locked, lock_info)
2446 2445
2447 2446 from rhodecode.lib.auth import HasRepoPermissionAny
2448 2447 perm_check = HasRepoPermissionAny('repository.write', 'repository.admin')
2449 2448 if make_lock and not perm_check(repo_name=repo.repo_name, user=user):
2450 2449 # if we don't have at least write permission we cannot make a lock
2451 2450 log.debug('lock state reset back to FALSE due to lack '
2452 2451 'of at least read permission')
2453 2452 make_lock = False
2454 2453
2455 2454 return make_lock, currently_locked, lock_info
2456 2455
2457 2456 @property
2458 2457 def last_commit_cache_update_diff(self):
2459 2458 return time.time() - (safe_int(self.changeset_cache.get('updated_on')) or 0)
2460 2459
2461 2460 @classmethod
2462 2461 def _load_commit_change(cls, last_commit_cache):
2463 2462 from rhodecode.lib.vcs.utils.helpers import parse_datetime
2464 2463 empty_date = datetime.datetime.fromtimestamp(0)
2465 2464 date_latest = last_commit_cache.get('date', empty_date)
2466 2465 try:
2467 2466 return parse_datetime(date_latest)
2468 2467 except Exception:
2469 2468 return empty_date
2470 2469
2471 2470 @property
2472 2471 def last_commit_change(self):
2473 2472 return self._load_commit_change(self.changeset_cache)
2474 2473
2475 2474 @property
2476 2475 def last_db_change(self):
2477 2476 return self.updated_on
2478 2477
2479 2478 @property
2480 2479 def clone_uri_hidden(self):
2481 2480 clone_uri = self.clone_uri
2482 2481 if clone_uri:
2483 2482 import urlobject
2484 2483 url_obj = urlobject.URLObject(cleaned_uri(clone_uri))
2485 2484 if url_obj.password:
2486 2485 clone_uri = url_obj.with_password('*****')
2487 2486 return clone_uri
2488 2487
2489 2488 @property
2490 2489 def push_uri_hidden(self):
2491 2490 push_uri = self.push_uri
2492 2491 if push_uri:
2493 2492 import urlobject
2494 2493 url_obj = urlobject.URLObject(cleaned_uri(push_uri))
2495 2494 if url_obj.password:
2496 2495 push_uri = url_obj.with_password('*****')
2497 2496 return push_uri
2498 2497
2499 2498 def clone_url(self, **override):
2500 2499 from rhodecode.model.settings import SettingsModel
2501 2500
2502 2501 uri_tmpl = None
2503 2502 if 'with_id' in override:
2504 2503 uri_tmpl = self.DEFAULT_CLONE_URI_ID
2505 2504 del override['with_id']
2506 2505
2507 2506 if 'uri_tmpl' in override:
2508 2507 uri_tmpl = override['uri_tmpl']
2509 2508 del override['uri_tmpl']
2510 2509
2511 2510 ssh = False
2512 2511 if 'ssh' in override:
2513 2512 ssh = True
2514 2513 del override['ssh']
2515 2514
2516 2515 # we didn't override our tmpl from **overrides
2517 2516 request = get_current_request()
2518 2517 if not uri_tmpl:
2519 2518 if hasattr(request, 'call_context') and hasattr(request.call_context, 'rc_config'):
2520 2519 rc_config = request.call_context.rc_config
2521 2520 else:
2522 2521 rc_config = SettingsModel().get_all_settings(cache=True)
2523 2522
2524 2523 if ssh:
2525 2524 uri_tmpl = rc_config.get(
2526 2525 'rhodecode_clone_uri_ssh_tmpl') or self.DEFAULT_CLONE_URI_SSH
2527 2526
2528 2527 else:
2529 2528 uri_tmpl = rc_config.get(
2530 2529 'rhodecode_clone_uri_tmpl') or self.DEFAULT_CLONE_URI
2531 2530
2532 2531 return get_clone_url(request=request,
2533 2532 uri_tmpl=uri_tmpl,
2534 2533 repo_name=self.repo_name,
2535 2534 repo_id=self.repo_id,
2536 2535 repo_type=self.repo_type,
2537 2536 **override)
2538 2537
2539 2538 def set_state(self, state):
2540 2539 self.repo_state = state
2541 2540 Session().add(self)
2542 2541 #==========================================================================
2543 2542 # SCM PROPERTIES
2544 2543 #==========================================================================
2545 2544
2546 2545 def get_commit(self, commit_id=None, commit_idx=None, pre_load=None, maybe_unreachable=False, reference_obj=None):
2547 2546 return get_commit_safe(
2548 2547 self.scm_instance(), commit_id, commit_idx, pre_load=pre_load,
2549 2548 maybe_unreachable=maybe_unreachable, reference_obj=reference_obj)
2550 2549
2551 2550 def get_changeset(self, rev=None, pre_load=None):
2552 2551 warnings.warn("Use get_commit", DeprecationWarning)
2553 2552 commit_id = None
2554 2553 commit_idx = None
2555 2554 if isinstance(rev, str):
2556 2555 commit_id = rev
2557 2556 else:
2558 2557 commit_idx = rev
2559 2558 return self.get_commit(commit_id=commit_id, commit_idx=commit_idx,
2560 2559 pre_load=pre_load)
2561 2560
2562 2561 def get_landing_commit(self):
2563 2562 """
2564 2563 Returns landing commit, or if that doesn't exist returns the tip
2565 2564 """
2566 2565 _rev_type, _rev = self.landing_rev
2567 2566 commit = self.get_commit(_rev)
2568 2567 if isinstance(commit, EmptyCommit):
2569 2568 return self.get_commit()
2570 2569 return commit
2571 2570
2572 2571 def flush_commit_cache(self):
2573 2572 self.update_commit_cache(cs_cache={'raw_id':'0'})
2574 2573 self.update_commit_cache()
2575 2574
2576 2575 def update_commit_cache(self, cs_cache=None, config=None):
2577 2576 """
2578 2577 Update cache of last commit for repository
2579 2578 cache_keys should be::
2580 2579
2581 2580 source_repo_id
2582 2581 short_id
2583 2582 raw_id
2584 2583 revision
2585 2584 parents
2586 2585 message
2587 2586 date
2588 2587 author
2589 2588 updated_on
2590 2589
2591 2590 """
2592 2591 from rhodecode.lib.vcs.backends.base import BaseCommit
2593 2592 from rhodecode.lib.vcs.utils.helpers import parse_datetime
2594 2593 empty_date = datetime.datetime.fromtimestamp(0)
2595 2594 repo_commit_count = 0
2596 2595
2597 2596 if cs_cache is None:
2598 2597 # use no-cache version here
2599 2598 try:
2600 2599 scm_repo = self.scm_instance(cache=False, config=config)
2601 2600 except VCSError:
2602 2601 scm_repo = None
2603 2602 empty = scm_repo is None or scm_repo.is_empty()
2604 2603
2605 2604 if not empty:
2606 2605 cs_cache = scm_repo.get_commit(
2607 2606 pre_load=["author", "date", "message", "parents", "branch"])
2608 2607 repo_commit_count = scm_repo.count()
2609 2608 else:
2610 2609 cs_cache = EmptyCommit()
2611 2610
2612 2611 if isinstance(cs_cache, BaseCommit):
2613 2612 cs_cache = cs_cache.__json__()
2614 2613
2615 2614 def is_outdated(new_cs_cache):
2616 2615 if (new_cs_cache['raw_id'] != self.changeset_cache['raw_id'] or
2617 2616 new_cs_cache['revision'] != self.changeset_cache['revision']):
2618 2617 return True
2619 2618 return False
2620 2619
2621 2620 # check if we have maybe already latest cached revision
2622 2621 if is_outdated(cs_cache) or not self.changeset_cache:
2623 2622 _current_datetime = datetime.datetime.utcnow()
2624 2623 last_change = cs_cache.get('date') or _current_datetime
2625 2624 # we check if last update is newer than the new value
2626 2625 # if yes, we use the current timestamp instead. Imagine you get
2627 2626 # old commit pushed 1y ago, we'd set last update 1y to ago.
2628 2627 last_change_timestamp = datetime_to_time(last_change)
2629 2628 current_timestamp = datetime_to_time(last_change)
2630 2629 if last_change_timestamp > current_timestamp and not empty:
2631 2630 cs_cache['date'] = _current_datetime
2632 2631
2633 2632 # also store size of repo
2634 2633 cs_cache['repo_commit_count'] = repo_commit_count
2635 2634
2636 2635 _date_latest = parse_datetime(cs_cache.get('date') or empty_date)
2637 2636 cs_cache['updated_on'] = time.time()
2638 2637 self.changeset_cache = cs_cache
2639 2638 self.updated_on = last_change
2640 2639 Session().add(self)
2641 2640 Session().commit()
2642 2641
2643 2642 else:
2644 2643 if empty:
2645 2644 cs_cache = EmptyCommit().__json__()
2646 2645 else:
2647 2646 cs_cache = self.changeset_cache
2648 2647
2649 2648 _date_latest = parse_datetime(cs_cache.get('date') or empty_date)
2650 2649
2651 2650 cs_cache['updated_on'] = time.time()
2652 2651 self.changeset_cache = cs_cache
2653 2652 self.updated_on = _date_latest
2654 2653 Session().add(self)
2655 2654 Session().commit()
2656 2655
2657 2656 log.debug('updated repo `%s` with new commit cache %s, and last update_date: %s',
2658 2657 self.repo_name, cs_cache, _date_latest)
2659 2658
2660 2659 @property
2661 2660 def tip(self):
2662 2661 return self.get_commit('tip')
2663 2662
2664 2663 @property
2665 2664 def author(self):
2666 2665 return self.tip.author
2667 2666
2668 2667 @property
2669 2668 def last_change(self):
2670 2669 return self.scm_instance().last_change
2671 2670
2672 2671 def get_comments(self, revisions=None):
2673 2672 """
2674 2673 Returns comments for this repository grouped by revisions
2675 2674
2676 2675 :param revisions: filter query by revisions only
2677 2676 """
2678 2677 cmts = ChangesetComment.query()\
2679 2678 .filter(ChangesetComment.repo == self)
2680 2679 if revisions:
2681 2680 cmts = cmts.filter(ChangesetComment.revision.in_(revisions))
2682 2681 grouped = collections.defaultdict(list)
2683 2682 for cmt in cmts.all():
2684 2683 grouped[cmt.revision].append(cmt)
2685 2684 return grouped
2686 2685
2687 2686 def statuses(self, revisions=None):
2688 2687 """
2689 2688 Returns statuses for this repository
2690 2689
2691 2690 :param revisions: list of revisions to get statuses for
2692 2691 """
2693 2692 statuses = ChangesetStatus.query()\
2694 2693 .filter(ChangesetStatus.repo == self)\
2695 2694 .filter(ChangesetStatus.version == 0)
2696 2695
2697 2696 if revisions:
2698 2697 # Try doing the filtering in chunks to avoid hitting limits
2699 2698 size = 500
2700 2699 status_results = []
2701 2700 for chunk in range(0, len(revisions), size):
2702 2701 status_results += statuses.filter(
2703 2702 ChangesetStatus.revision.in_(
2704 2703 revisions[chunk: chunk+size])
2705 2704 ).all()
2706 2705 else:
2707 2706 status_results = statuses.all()
2708 2707
2709 2708 grouped = {}
2710 2709
2711 2710 # maybe we have open new pullrequest without a status?
2712 2711 stat = ChangesetStatus.STATUS_UNDER_REVIEW
2713 2712 status_lbl = ChangesetStatus.get_status_lbl(stat)
2714 2713 for pr in PullRequest.query().filter(PullRequest.source_repo == self).all():
2715 2714 for rev in pr.revisions:
2716 2715 pr_id = pr.pull_request_id
2717 2716 pr_repo = pr.target_repo.repo_name
2718 2717 grouped[rev] = [stat, status_lbl, pr_id, pr_repo]
2719 2718
2720 2719 for stat in status_results:
2721 2720 pr_id = pr_repo = None
2722 2721 if stat.pull_request:
2723 2722 pr_id = stat.pull_request.pull_request_id
2724 2723 pr_repo = stat.pull_request.target_repo.repo_name
2725 2724 grouped[stat.revision] = [str(stat.status), stat.status_lbl,
2726 2725 pr_id, pr_repo]
2727 2726 return grouped
2728 2727
2729 2728 # ==========================================================================
2730 2729 # SCM CACHE INSTANCE
2731 2730 # ==========================================================================
2732 2731
2733 2732 def scm_instance(self, **kwargs):
2734 2733 import rhodecode
2735 2734
2736 2735 # Passing a config will not hit the cache currently only used
2737 2736 # for repo2dbmapper
2738 2737 config = kwargs.pop('config', None)
2739 2738 cache = kwargs.pop('cache', None)
2740 2739 vcs_full_cache = kwargs.pop('vcs_full_cache', None)
2741 2740 if vcs_full_cache is not None:
2742 2741 # allows override global config
2743 2742 full_cache = vcs_full_cache
2744 2743 else:
2745 2744 full_cache = rhodecode.ConfigGet().get_bool('vcs_full_cache')
2746 2745 # if cache is NOT defined use default global, else we have a full
2747 2746 # control over cache behaviour
2748 2747 if cache is None and full_cache and not config:
2749 2748 log.debug('Initializing pure cached instance for %s', self.repo_path)
2750 2749 return self._get_instance_cached()
2751 2750
2752 2751 # cache here is sent to the "vcs server"
2753 2752 return self._get_instance(cache=bool(cache), config=config)
2754 2753
2755 2754 def _get_instance_cached(self):
2756 2755 from rhodecode.lib import rc_cache
2757 2756
2758 2757 cache_namespace_uid = f'repo_instance.{self.repo_id}'
2759 2758 region = rc_cache.get_or_create_region('cache_repo_longterm', cache_namespace_uid)
2760 2759
2761 2760 # we must use thread scoped cache here,
2762 2761 # because each thread of gevent needs it's own not shared connection and cache
2763 2762 # we also alter `args` so the cache key is individual for every green thread.
2764 2763 repo_namespace_key = CacheKey.REPO_INVALIDATION_NAMESPACE.format(repo_id=self.repo_id)
2765 2764 inv_context_manager = rc_cache.InvalidationContext(key=repo_namespace_key, thread_scoped=True)
2766 2765
2767 2766 # our wrapped caching function that takes state_uid to save the previous state in
2768 2767 def cache_generator(_state_uid):
2769 2768
2770 2769 @region.conditional_cache_on_arguments(namespace=cache_namespace_uid)
2771 2770 def get_instance_cached(_repo_id, _process_context_id):
2772 2771 # we save in cached func the generation state so we can detect a change and invalidate caches
2773 2772 return _state_uid, self._get_instance(repo_state_uid=_state_uid)
2774 2773
2775 2774 return get_instance_cached
2776 2775
2777 2776 with inv_context_manager as invalidation_context:
2778 2777 cache_state_uid = invalidation_context.state_uid
2779 2778 cache_func = cache_generator(cache_state_uid)
2780 2779
2781 2780 args = self.repo_id, inv_context_manager.proc_key
2782 2781
2783 2782 previous_state_uid, instance = cache_func(*args)
2784 2783
2785 2784 # now compare keys, the "cache" state vs expected state.
2786 2785 if previous_state_uid != cache_state_uid:
2787 2786 log.warning('Cached state uid %s is different than current state uid %s',
2788 2787 previous_state_uid, cache_state_uid)
2789 2788 _, instance = cache_func.refresh(*args)
2790 2789
2791 2790 log.debug('Repo instance fetched in %.4fs', inv_context_manager.compute_time)
2792 2791 return instance
2793 2792
2794 2793 def _get_instance(self, cache=True, config=None, repo_state_uid=None):
2795 2794 log.debug('Initializing %s instance `%s` with cache flag set to: %s',
2796 2795 self.repo_type, self.repo_path, cache)
2797 2796 config = config or self._config
2798 2797 custom_wire = {
2799 2798 'cache': cache, # controls the vcs.remote cache
2800 2799 'repo_state_uid': repo_state_uid
2801 2800 }
2802 2801
2803 2802 repo = get_vcs_instance(
2804 2803 repo_path=safe_str(self.repo_full_path),
2805 2804 config=config,
2806 2805 with_wire=custom_wire,
2807 2806 create=False,
2808 2807 _vcs_alias=self.repo_type)
2809 2808 if repo is not None:
2810 2809 repo.count() # cache rebuild
2811 2810
2812 2811 return repo
2813 2812
2814 2813 def get_shadow_repository_path(self, workspace_id):
2815 2814 from rhodecode.lib.vcs.backends.base import BaseRepository
2816 2815 shadow_repo_path = BaseRepository._get_shadow_repository_path(
2817 2816 self.repo_full_path, self.repo_id, workspace_id)
2818 2817 return shadow_repo_path
2819 2818
2820 2819 def __json__(self):
2821 2820 return {'landing_rev': self.landing_rev}
2822 2821
2823 2822 def get_dict(self):
2824 2823
2825 2824 # Since we transformed `repo_name` to a hybrid property, we need to
2826 2825 # keep compatibility with the code which uses `repo_name` field.
2827 2826
2828 2827 result = super(Repository, self).get_dict()
2829 2828 result['repo_name'] = result.pop('_repo_name', None)
2830 2829 result.pop('_changeset_cache', '')
2831 2830 return result
2832 2831
2833 2832
2834 2833 class RepoGroup(Base, BaseModel):
2835 2834 __tablename__ = 'groups'
2836 2835 __table_args__ = (
2837 2836 UniqueConstraint('group_name', 'group_parent_id'),
2838 2837 base_table_args,
2839 2838 )
2840 2839
2841 2840 CHOICES_SEPARATOR = '/' # used to generate select2 choices for nested groups
2842 2841
2843 2842 group_id = Column("group_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
2844 2843 _group_name = Column("group_name", String(255), nullable=False, unique=True, default=None)
2845 2844 group_name_hash = Column("repo_group_name_hash", String(1024), nullable=False, unique=False)
2846 2845 group_parent_id = Column("group_parent_id", Integer(), ForeignKey('groups.group_id'), nullable=True, unique=None, default=None)
2847 2846 group_description = Column("group_description", String(10000), nullable=True, unique=None, default=None)
2848 2847 enable_locking = Column("enable_locking", Boolean(), nullable=False, unique=None, default=False)
2849 2848 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=False, default=None)
2850 2849 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
2851 2850 updated_on = Column('updated_on', DateTime(timezone=False), nullable=True, unique=None, default=datetime.datetime.now)
2852 2851 personal = Column('personal', Boolean(), nullable=True, unique=None, default=None)
2853 2852 _changeset_cache = Column("changeset_cache", LargeBinary(), nullable=True) # JSON data
2854 2853
2855 2854 repo_group_to_perm = relationship('UserRepoGroupToPerm', cascade='all', order_by='UserRepoGroupToPerm.group_to_perm_id', back_populates='group')
2856 2855 users_group_to_perm = relationship('UserGroupRepoGroupToPerm', cascade='all', back_populates='group')
2857 2856 parent_group = relationship('RepoGroup', remote_side=group_id)
2858 2857 user = relationship('User', back_populates='repository_groups')
2859 2858 integrations = relationship('Integration', cascade="all, delete-orphan", back_populates='repo_group')
2860 2859
2861 2860 # no cascade, set NULL
2862 2861 scope_artifacts = relationship('FileStore', primaryjoin='FileStore.scope_repo_group_id==RepoGroup.group_id', viewonly=True)
2863 2862
2864 2863 def __init__(self, group_name='', parent_group=None):
2865 2864 self.group_name = group_name
2866 2865 self.parent_group = parent_group
2867 2866
2868 2867 def __repr__(self):
2869 2868 return f"<{self.cls_name}('id:{self.group_id}:{self.group_name}')>"
2870 2869
2871 2870 @hybrid_property
2872 2871 def group_name(self):
2873 2872 return self._group_name
2874 2873
2875 2874 @group_name.setter
2876 2875 def group_name(self, value):
2877 2876 self._group_name = value
2878 2877 self.group_name_hash = self.hash_repo_group_name(value)
2879 2878
2880 2879 @classmethod
2881 2880 def _load_changeset_cache(cls, repo_id, changeset_cache_raw):
2882 2881 from rhodecode.lib.vcs.backends.base import EmptyCommit
2883 2882 dummy = EmptyCommit().__json__()
2884 2883 if not changeset_cache_raw:
2885 2884 dummy['source_repo_id'] = repo_id
2886 2885 return json.loads(json.dumps(dummy))
2887 2886
2888 2887 try:
2889 2888 return json.loads(changeset_cache_raw)
2890 2889 except TypeError:
2891 2890 return dummy
2892 2891 except Exception:
2893 2892 log.error(traceback.format_exc())
2894 2893 return dummy
2895 2894
2896 2895 @hybrid_property
2897 2896 def changeset_cache(self):
2898 2897 return self._load_changeset_cache('', self._changeset_cache)
2899 2898
2900 2899 @changeset_cache.setter
2901 2900 def changeset_cache(self, val):
2902 2901 try:
2903 2902 self._changeset_cache = json.dumps(val)
2904 2903 except Exception:
2905 2904 log.error(traceback.format_exc())
2906 2905
2907 2906 @validates('group_parent_id')
2908 2907 def validate_group_parent_id(self, key, val):
2909 2908 """
2910 2909 Check cycle references for a parent group to self
2911 2910 """
2912 2911 if self.group_id and val:
2913 2912 assert val != self.group_id
2914 2913
2915 2914 return val
2916 2915
2917 2916 @hybrid_property
2918 2917 def description_safe(self):
2919 2918 from rhodecode.lib import helpers as h
2920 2919 return h.escape(self.group_description)
2921 2920
2922 2921 @classmethod
2923 2922 def hash_repo_group_name(cls, repo_group_name):
2924 2923 val = remove_formatting(repo_group_name)
2925 2924 val = safe_str(val).lower()
2926 2925 chars = []
2927 2926 for c in val:
2928 2927 if c not in string.ascii_letters:
2929 2928 c = str(ord(c))
2930 2929 chars.append(c)
2931 2930
2932 2931 return ''.join(chars)
2933 2932
2934 2933 @classmethod
2935 2934 def _generate_choice(cls, repo_group):
2936 2935 from webhelpers2.html import literal as _literal
2937 2936
2938 2937 def _name(k):
2939 2938 return _literal(cls.CHOICES_SEPARATOR.join(k))
2940 2939
2941 2940 return repo_group.group_id, _name(repo_group.full_path_splitted)
2942 2941
2943 2942 @classmethod
2944 2943 def groups_choices(cls, groups=None, show_empty_group=True):
2945 2944 if not groups:
2946 2945 groups = cls.query().all()
2947 2946
2948 2947 repo_groups = []
2949 2948 if show_empty_group:
2950 2949 repo_groups = [(-1, '-- %s --' % _('No parent'))]
2951 2950
2952 2951 repo_groups.extend([cls._generate_choice(x) for x in groups])
2953 2952
2954 2953 repo_groups = sorted(
2955 2954 repo_groups, key=lambda t: t[1].split(cls.CHOICES_SEPARATOR)[0])
2956 2955 return repo_groups
2957 2956
2958 2957 @classmethod
2959 2958 def url_sep(cls):
2960 2959 return URL_SEP
2961 2960
2962 2961 @classmethod
2963 2962 def get_by_group_name(cls, group_name, cache=False, case_insensitive=False):
2964 2963 if case_insensitive:
2965 2964 gr = cls.query().filter(func.lower(cls.group_name)
2966 2965 == func.lower(group_name))
2967 2966 else:
2968 2967 gr = cls.query().filter(cls.group_name == group_name)
2969 2968 if cache:
2970 2969 name_key = _hash_key(group_name)
2971 2970 gr = gr.options(
2972 2971 FromCache("sql_cache_short", f"get_group_{name_key}"))
2973 2972 return gr.scalar()
2974 2973
2975 2974 @classmethod
2976 2975 def get_user_personal_repo_group(cls, user_id):
2977 2976 user = User.get(user_id)
2978 2977 if user.username == User.DEFAULT_USER:
2979 2978 return None
2980 2979
2981 2980 return cls.query()\
2982 2981 .filter(cls.personal == true()) \
2983 2982 .filter(cls.user == user) \
2984 2983 .order_by(cls.group_id.asc()) \
2985 2984 .first()
2986 2985
2987 2986 @classmethod
2988 2987 def get_all_repo_groups(cls, user_id=Optional(None), group_id=Optional(None),
2989 2988 case_insensitive=True):
2990 2989 q = RepoGroup.query()
2991 2990
2992 2991 if not isinstance(user_id, Optional):
2993 2992 q = q.filter(RepoGroup.user_id == user_id)
2994 2993
2995 2994 if not isinstance(group_id, Optional):
2996 2995 q = q.filter(RepoGroup.group_parent_id == group_id)
2997 2996
2998 2997 if case_insensitive:
2999 2998 q = q.order_by(func.lower(RepoGroup.group_name))
3000 2999 else:
3001 3000 q = q.order_by(RepoGroup.group_name)
3002 3001 return q.all()
3003 3002
3004 3003 @property
3005 3004 def parents(self, parents_recursion_limit=10):
3006 3005 groups = []
3007 3006 if self.parent_group is None:
3008 3007 return groups
3009 3008 cur_gr = self.parent_group
3010 3009 groups.insert(0, cur_gr)
3011 3010 cnt = 0
3012 3011 while 1:
3013 3012 cnt += 1
3014 3013 gr = getattr(cur_gr, 'parent_group', None)
3015 3014 cur_gr = cur_gr.parent_group
3016 3015 if gr is None:
3017 3016 break
3018 3017 if cnt == parents_recursion_limit:
3019 3018 # this will prevent accidental infinit loops
3020 3019 log.error('more than %s parents found for group %s, stopping '
3021 3020 'recursive parent fetching', parents_recursion_limit, self)
3022 3021 break
3023 3022
3024 3023 groups.insert(0, gr)
3025 3024 return groups
3026 3025
3027 3026 @property
3028 3027 def last_commit_cache_update_diff(self):
3029 3028 return time.time() - (safe_int(self.changeset_cache.get('updated_on')) or 0)
3030 3029
3031 3030 @classmethod
3032 3031 def _load_commit_change(cls, last_commit_cache):
3033 3032 from rhodecode.lib.vcs.utils.helpers import parse_datetime
3034 3033 empty_date = datetime.datetime.fromtimestamp(0)
3035 3034 date_latest = last_commit_cache.get('date', empty_date)
3036 3035 try:
3037 3036 return parse_datetime(date_latest)
3038 3037 except Exception:
3039 3038 return empty_date
3040 3039
3041 3040 @property
3042 3041 def last_commit_change(self):
3043 3042 return self._load_commit_change(self.changeset_cache)
3044 3043
3045 3044 @property
3046 3045 def last_db_change(self):
3047 3046 return self.updated_on
3048 3047
3049 3048 @property
3050 3049 def children(self):
3051 3050 return RepoGroup.query().filter(RepoGroup.parent_group == self)
3052 3051
3053 3052 @property
3054 3053 def name(self):
3055 3054 return self.group_name.split(RepoGroup.url_sep())[-1]
3056 3055
3057 3056 @property
3058 3057 def full_path(self):
3059 3058 return self.group_name
3060 3059
3061 3060 @property
3062 3061 def full_path_splitted(self):
3063 3062 return self.group_name.split(RepoGroup.url_sep())
3064 3063
3065 3064 @property
3066 3065 def repositories(self):
3067 3066 return Repository.query()\
3068 3067 .filter(Repository.group == self)\
3069 3068 .order_by(Repository.repo_name)
3070 3069
3071 3070 @property
3072 3071 def repositories_recursive_count(self):
3073 3072 cnt = self.repositories.count()
3074 3073
3075 3074 def children_count(group):
3076 3075 cnt = 0
3077 3076 for child in group.children:
3078 3077 cnt += child.repositories.count()
3079 3078 cnt += children_count(child)
3080 3079 return cnt
3081 3080
3082 3081 return cnt + children_count(self)
3083 3082
3084 3083 def _recursive_objects(self, include_repos=True, include_groups=True):
3085 3084 all_ = []
3086 3085
3087 3086 def _get_members(root_gr):
3088 3087 if include_repos:
3089 3088 for r in root_gr.repositories:
3090 3089 all_.append(r)
3091 3090 childs = root_gr.children.all()
3092 3091 if childs:
3093 3092 for gr in childs:
3094 3093 if include_groups:
3095 3094 all_.append(gr)
3096 3095 _get_members(gr)
3097 3096
3098 3097 root_group = []
3099 3098 if include_groups:
3100 3099 root_group = [self]
3101 3100
3102 3101 _get_members(self)
3103 3102 return root_group + all_
3104 3103
3105 3104 def recursive_groups_and_repos(self):
3106 3105 """
3107 3106 Recursive return all groups, with repositories in those groups
3108 3107 """
3109 3108 return self._recursive_objects()
3110 3109
3111 3110 def recursive_groups(self):
3112 3111 """
3113 3112 Returns all children groups for this group including children of children
3114 3113 """
3115 3114 return self._recursive_objects(include_repos=False)
3116 3115
3117 3116 def recursive_repos(self):
3118 3117 """
3119 3118 Returns all children repositories for this group
3120 3119 """
3121 3120 return self._recursive_objects(include_groups=False)
3122 3121
3123 3122 def get_new_name(self, group_name):
3124 3123 """
3125 3124 returns new full group name based on parent and new name
3126 3125
3127 3126 :param group_name:
3128 3127 """
3129 3128 path_prefix = (self.parent_group.full_path_splitted if
3130 3129 self.parent_group else [])
3131 3130 return RepoGroup.url_sep().join(path_prefix + [group_name])
3132 3131
3133 3132 def update_commit_cache(self, config=None):
3134 3133 """
3135 3134 Update cache of last commit for newest repository inside this repository group.
3136 3135 cache_keys should be::
3137 3136
3138 3137 source_repo_id
3139 3138 short_id
3140 3139 raw_id
3141 3140 revision
3142 3141 parents
3143 3142 message
3144 3143 date
3145 3144 author
3146 3145
3147 3146 """
3148 3147 from rhodecode.lib.vcs.utils.helpers import parse_datetime
3149 3148 empty_date = datetime.datetime.fromtimestamp(0)
3150 3149
3151 3150 def repo_groups_and_repos(root_gr):
3152 3151 for _repo in root_gr.repositories:
3153 3152 yield _repo
3154 3153 for child_group in root_gr.children.all():
3155 3154 yield child_group
3156 3155
3157 3156 latest_repo_cs_cache = {}
3158 3157 for obj in repo_groups_and_repos(self):
3159 3158 repo_cs_cache = obj.changeset_cache
3160 3159 date_latest = latest_repo_cs_cache.get('date', empty_date)
3161 3160 date_current = repo_cs_cache.get('date', empty_date)
3162 3161 current_timestamp = datetime_to_time(parse_datetime(date_latest))
3163 3162 if current_timestamp < datetime_to_time(parse_datetime(date_current)):
3164 3163 latest_repo_cs_cache = repo_cs_cache
3165 3164 if hasattr(obj, 'repo_id'):
3166 3165 latest_repo_cs_cache['source_repo_id'] = obj.repo_id
3167 3166 else:
3168 3167 latest_repo_cs_cache['source_repo_id'] = repo_cs_cache.get('source_repo_id')
3169 3168
3170 3169 _date_latest = parse_datetime(latest_repo_cs_cache.get('date') or empty_date)
3171 3170
3172 3171 latest_repo_cs_cache['updated_on'] = time.time()
3173 3172 self.changeset_cache = latest_repo_cs_cache
3174 3173 self.updated_on = _date_latest
3175 3174 Session().add(self)
3176 3175 Session().commit()
3177 3176
3178 3177 log.debug('updated repo group `%s` with new commit cache %s, and last update_date: %s',
3179 3178 self.group_name, latest_repo_cs_cache, _date_latest)
3180 3179
3181 3180 def permissions(self, with_admins=True, with_owner=True,
3182 3181 expand_from_user_groups=False):
3183 3182 """
3184 3183 Permissions for repository groups
3185 3184 """
3186 3185 _admin_perm = 'group.admin'
3187 3186
3188 3187 owner_row = []
3189 3188 if with_owner:
3190 3189 usr = AttributeDict(self.user.get_dict())
3191 3190 usr.owner_row = True
3192 3191 usr.permission = _admin_perm
3193 3192 owner_row.append(usr)
3194 3193
3195 3194 super_admin_ids = []
3196 3195 super_admin_rows = []
3197 3196 if with_admins:
3198 3197 for usr in User.get_all_super_admins():
3199 3198 super_admin_ids.append(usr.user_id)
3200 3199 # if this admin is also owner, don't double the record
3201 3200 if usr.user_id == owner_row[0].user_id:
3202 3201 owner_row[0].admin_row = True
3203 3202 else:
3204 3203 usr = AttributeDict(usr.get_dict())
3205 3204 usr.admin_row = True
3206 3205 usr.permission = _admin_perm
3207 3206 super_admin_rows.append(usr)
3208 3207
3209 3208 q = UserRepoGroupToPerm.query().filter(UserRepoGroupToPerm.group == self)
3210 3209 q = q.options(joinedload(UserRepoGroupToPerm.group),
3211 3210 joinedload(UserRepoGroupToPerm.user),
3212 3211 joinedload(UserRepoGroupToPerm.permission),)
3213 3212
3214 3213 # get owners and admins and permissions. We do a trick of re-writing
3215 3214 # objects from sqlalchemy to named-tuples due to sqlalchemy session
3216 3215 # has a global reference and changing one object propagates to all
3217 3216 # others. This means if admin is also an owner admin_row that change
3218 3217 # would propagate to both objects
3219 3218 perm_rows = []
3220 3219 for _usr in q.all():
3221 3220 usr = AttributeDict(_usr.user.get_dict())
3222 3221 # if this user is also owner/admin, mark as duplicate record
3223 3222 if usr.user_id == owner_row[0].user_id or usr.user_id in super_admin_ids:
3224 3223 usr.duplicate_perm = True
3225 3224 usr.permission = _usr.permission.permission_name
3226 3225 perm_rows.append(usr)
3227 3226
3228 3227 # filter the perm rows by 'default' first and then sort them by
3229 3228 # admin,write,read,none permissions sorted again alphabetically in
3230 3229 # each group
3231 3230 perm_rows = sorted(perm_rows, key=display_user_sort)
3232 3231
3233 3232 user_groups_rows = []
3234 3233 if expand_from_user_groups:
3235 3234 for ug in self.permission_user_groups(with_members=True):
3236 3235 for user_data in ug.members:
3237 3236 user_groups_rows.append(user_data)
3238 3237
3239 3238 return super_admin_rows + owner_row + perm_rows + user_groups_rows
3240 3239
3241 3240 def permission_user_groups(self, with_members=False):
3242 3241 q = UserGroupRepoGroupToPerm.query()\
3243 3242 .filter(UserGroupRepoGroupToPerm.group == self)
3244 3243 q = q.options(joinedload(UserGroupRepoGroupToPerm.group),
3245 3244 joinedload(UserGroupRepoGroupToPerm.users_group),
3246 3245 joinedload(UserGroupRepoGroupToPerm.permission),)
3247 3246
3248 3247 perm_rows = []
3249 3248 for _user_group in q.all():
3250 3249 entry = AttributeDict(_user_group.users_group.get_dict())
3251 3250 entry.permission = _user_group.permission.permission_name
3252 3251 if with_members:
3253 3252 entry.members = [x.user.get_dict()
3254 3253 for x in _user_group.users_group.members]
3255 3254 perm_rows.append(entry)
3256 3255
3257 3256 perm_rows = sorted(perm_rows, key=display_user_group_sort)
3258 3257 return perm_rows
3259 3258
3260 3259 def get_api_data(self):
3261 3260 """
3262 3261 Common function for generating api data
3263 3262
3264 3263 """
3265 3264 group = self
3266 3265 data = {
3267 3266 'group_id': group.group_id,
3268 3267 'group_name': group.group_name,
3269 3268 'group_description': group.description_safe,
3270 3269 'parent_group': group.parent_group.group_name if group.parent_group else None,
3271 3270 'repositories': [x.repo_name for x in group.repositories],
3272 3271 'owner': group.user.username,
3273 3272 }
3274 3273 return data
3275 3274
3276 3275 def get_dict(self):
3277 3276 # Since we transformed `group_name` to a hybrid property, we need to
3278 3277 # keep compatibility with the code which uses `group_name` field.
3279 3278 result = super(RepoGroup, self).get_dict()
3280 3279 result['group_name'] = result.pop('_group_name', None)
3281 3280 result.pop('_changeset_cache', '')
3282 3281 return result
3283 3282
3284 3283
3285 3284 class Permission(Base, BaseModel):
3286 3285 __tablename__ = 'permissions'
3287 3286 __table_args__ = (
3288 3287 Index('p_perm_name_idx', 'permission_name'),
3289 3288 base_table_args,
3290 3289 )
3291 3290
3292 3291 PERMS = [
3293 3292 ('hg.admin', _('RhodeCode Super Administrator')),
3294 3293
3295 3294 ('repository.none', _('Repository no access')),
3296 3295 ('repository.read', _('Repository read access')),
3297 3296 ('repository.write', _('Repository write access')),
3298 3297 ('repository.admin', _('Repository admin access')),
3299 3298
3300 3299 ('group.none', _('Repository group no access')),
3301 3300 ('group.read', _('Repository group read access')),
3302 3301 ('group.write', _('Repository group write access')),
3303 3302 ('group.admin', _('Repository group admin access')),
3304 3303
3305 3304 ('usergroup.none', _('User group no access')),
3306 3305 ('usergroup.read', _('User group read access')),
3307 3306 ('usergroup.write', _('User group write access')),
3308 3307 ('usergroup.admin', _('User group admin access')),
3309 3308
3310 3309 ('branch.none', _('Branch no permissions')),
3311 3310 ('branch.merge', _('Branch access by web merge')),
3312 3311 ('branch.push', _('Branch access by push')),
3313 3312 ('branch.push_force', _('Branch access by push with force')),
3314 3313
3315 3314 ('hg.repogroup.create.false', _('Repository Group creation disabled')),
3316 3315 ('hg.repogroup.create.true', _('Repository Group creation enabled')),
3317 3316
3318 3317 ('hg.usergroup.create.false', _('User Group creation disabled')),
3319 3318 ('hg.usergroup.create.true', _('User Group creation enabled')),
3320 3319
3321 3320 ('hg.create.none', _('Repository creation disabled')),
3322 3321 ('hg.create.repository', _('Repository creation enabled')),
3323 3322 ('hg.create.write_on_repogroup.true', _('Repository creation enabled with write permission to a repository group')),
3324 3323 ('hg.create.write_on_repogroup.false', _('Repository creation disabled with write permission to a repository group')),
3325 3324
3326 3325 ('hg.fork.none', _('Repository forking disabled')),
3327 3326 ('hg.fork.repository', _('Repository forking enabled')),
3328 3327
3329 3328 ('hg.register.none', _('Registration disabled')),
3330 3329 ('hg.register.manual_activate', _('User Registration with manual account activation')),
3331 3330 ('hg.register.auto_activate', _('User Registration with automatic account activation')),
3332 3331
3333 3332 ('hg.password_reset.enabled', _('Password reset enabled')),
3334 3333 ('hg.password_reset.hidden', _('Password reset hidden')),
3335 3334 ('hg.password_reset.disabled', _('Password reset disabled')),
3336 3335
3337 3336 ('hg.extern_activate.manual', _('Manual activation of external account')),
3338 3337 ('hg.extern_activate.auto', _('Automatic activation of external account')),
3339 3338
3340 3339 ('hg.inherit_default_perms.false', _('Inherit object permissions from default user disabled')),
3341 3340 ('hg.inherit_default_perms.true', _('Inherit object permissions from default user enabled')),
3342 3341 ]
3343 3342
3344 3343 # definition of system default permissions for DEFAULT user, created on
3345 3344 # system setup
3346 3345 DEFAULT_USER_PERMISSIONS = [
3347 3346 # object perms
3348 3347 'repository.read',
3349 3348 'group.read',
3350 3349 'usergroup.read',
3351 3350 # branch, for backward compat we need same value as before so forced pushed
3352 3351 'branch.push_force',
3353 3352 # global
3354 3353 'hg.create.repository',
3355 3354 'hg.repogroup.create.false',
3356 3355 'hg.usergroup.create.false',
3357 3356 'hg.create.write_on_repogroup.true',
3358 3357 'hg.fork.repository',
3359 3358 'hg.register.manual_activate',
3360 3359 'hg.password_reset.enabled',
3361 3360 'hg.extern_activate.auto',
3362 3361 'hg.inherit_default_perms.true',
3363 3362 ]
3364 3363
3365 3364 # defines which permissions are more important higher the more important
3366 3365 # Weight defines which permissions are more important.
3367 3366 # The higher number the more important.
3368 3367 PERM_WEIGHTS = {
3369 3368 'repository.none': 0,
3370 3369 'repository.read': 1,
3371 3370 'repository.write': 3,
3372 3371 'repository.admin': 4,
3373 3372
3374 3373 'group.none': 0,
3375 3374 'group.read': 1,
3376 3375 'group.write': 3,
3377 3376 'group.admin': 4,
3378 3377
3379 3378 'usergroup.none': 0,
3380 3379 'usergroup.read': 1,
3381 3380 'usergroup.write': 3,
3382 3381 'usergroup.admin': 4,
3383 3382
3384 3383 'branch.none': 0,
3385 3384 'branch.merge': 1,
3386 3385 'branch.push': 3,
3387 3386 'branch.push_force': 4,
3388 3387
3389 3388 'hg.repogroup.create.false': 0,
3390 3389 'hg.repogroup.create.true': 1,
3391 3390
3392 3391 'hg.usergroup.create.false': 0,
3393 3392 'hg.usergroup.create.true': 1,
3394 3393
3395 3394 'hg.fork.none': 0,
3396 3395 'hg.fork.repository': 1,
3397 3396 'hg.create.none': 0,
3398 3397 'hg.create.repository': 1
3399 3398 }
3400 3399
3401 3400 permission_id = Column("permission_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
3402 3401 permission_name = Column("permission_name", String(255), nullable=True, unique=None, default=None)
3403 3402 permission_longname = Column("permission_longname", String(255), nullable=True, unique=None, default=None)
3404 3403
3405 3404 def __repr__(self):
3406 3405 return "<%s('%s:%s')>" % (
3407 3406 self.cls_name, self.permission_id, self.permission_name
3408 3407 )
3409 3408
3410 3409 @classmethod
3411 3410 def get_by_key(cls, key):
3412 3411 return cls.query().filter(cls.permission_name == key).scalar()
3413 3412
3414 3413 @classmethod
3415 3414 def get_default_repo_perms(cls, user_id, repo_id=None):
3416 3415 q = Session().query(UserRepoToPerm, Repository, Permission)\
3417 3416 .join((Permission, UserRepoToPerm.permission_id == Permission.permission_id))\
3418 3417 .join((Repository, UserRepoToPerm.repository_id == Repository.repo_id))\
3419 3418 .filter(UserRepoToPerm.user_id == user_id)
3420 3419 if repo_id:
3421 3420 q = q.filter(UserRepoToPerm.repository_id == repo_id)
3422 3421 return q.all()
3423 3422
3424 3423 @classmethod
3425 3424 def get_default_repo_branch_perms(cls, user_id, repo_id=None):
3426 3425 q = Session().query(UserToRepoBranchPermission, UserRepoToPerm, Permission) \
3427 3426 .join(
3428 3427 Permission,
3429 3428 UserToRepoBranchPermission.permission_id == Permission.permission_id) \
3430 3429 .join(
3431 3430 UserRepoToPerm,
3432 3431 UserToRepoBranchPermission.rule_to_perm_id == UserRepoToPerm.repo_to_perm_id) \
3433 3432 .filter(UserRepoToPerm.user_id == user_id)
3434 3433
3435 3434 if repo_id:
3436 3435 q = q.filter(UserToRepoBranchPermission.repository_id == repo_id)
3437 3436 return q.order_by(UserToRepoBranchPermission.rule_order).all()
3438 3437
3439 3438 @classmethod
3440 3439 def get_default_repo_perms_from_user_group(cls, user_id, repo_id=None):
3441 3440 q = Session().query(UserGroupRepoToPerm, Repository, Permission)\
3442 3441 .join(
3443 3442 Permission,
3444 3443 UserGroupRepoToPerm.permission_id == Permission.permission_id)\
3445 3444 .join(
3446 3445 Repository,
3447 3446 UserGroupRepoToPerm.repository_id == Repository.repo_id)\
3448 3447 .join(
3449 3448 UserGroup,
3450 3449 UserGroupRepoToPerm.users_group_id ==
3451 3450 UserGroup.users_group_id)\
3452 3451 .join(
3453 3452 UserGroupMember,
3454 3453 UserGroupRepoToPerm.users_group_id ==
3455 3454 UserGroupMember.users_group_id)\
3456 3455 .filter(
3457 3456 UserGroupMember.user_id == user_id,
3458 3457 UserGroup.users_group_active == true())
3459 3458 if repo_id:
3460 3459 q = q.filter(UserGroupRepoToPerm.repository_id == repo_id)
3461 3460 return q.all()
3462 3461
3463 3462 @classmethod
3464 3463 def get_default_repo_branch_perms_from_user_group(cls, user_id, repo_id=None):
3465 3464 q = Session().query(UserGroupToRepoBranchPermission, UserGroupRepoToPerm, Permission) \
3466 3465 .join(
3467 3466 Permission,
3468 3467 UserGroupToRepoBranchPermission.permission_id == Permission.permission_id) \
3469 3468 .join(
3470 3469 UserGroupRepoToPerm,
3471 3470 UserGroupToRepoBranchPermission.rule_to_perm_id == UserGroupRepoToPerm.users_group_to_perm_id) \
3472 3471 .join(
3473 3472 UserGroup,
3474 3473 UserGroupRepoToPerm.users_group_id == UserGroup.users_group_id) \
3475 3474 .join(
3476 3475 UserGroupMember,
3477 3476 UserGroupRepoToPerm.users_group_id == UserGroupMember.users_group_id) \
3478 3477 .filter(
3479 3478 UserGroupMember.user_id == user_id,
3480 3479 UserGroup.users_group_active == true())
3481 3480
3482 3481 if repo_id:
3483 3482 q = q.filter(UserGroupToRepoBranchPermission.repository_id == repo_id)
3484 3483 return q.order_by(UserGroupToRepoBranchPermission.rule_order).all()
3485 3484
3486 3485 @classmethod
3487 3486 def get_default_group_perms(cls, user_id, repo_group_id=None):
3488 3487 q = Session().query(UserRepoGroupToPerm, RepoGroup, Permission)\
3489 3488 .join(
3490 3489 Permission,
3491 3490 UserRepoGroupToPerm.permission_id == Permission.permission_id)\
3492 3491 .join(
3493 3492 RepoGroup,
3494 3493 UserRepoGroupToPerm.group_id == RepoGroup.group_id)\
3495 3494 .filter(UserRepoGroupToPerm.user_id == user_id)
3496 3495 if repo_group_id:
3497 3496 q = q.filter(UserRepoGroupToPerm.group_id == repo_group_id)
3498 3497 return q.all()
3499 3498
3500 3499 @classmethod
3501 3500 def get_default_group_perms_from_user_group(
3502 3501 cls, user_id, repo_group_id=None):
3503 3502 q = Session().query(UserGroupRepoGroupToPerm, RepoGroup, Permission)\
3504 3503 .join(
3505 3504 Permission,
3506 3505 UserGroupRepoGroupToPerm.permission_id ==
3507 3506 Permission.permission_id)\
3508 3507 .join(
3509 3508 RepoGroup,
3510 3509 UserGroupRepoGroupToPerm.group_id == RepoGroup.group_id)\
3511 3510 .join(
3512 3511 UserGroup,
3513 3512 UserGroupRepoGroupToPerm.users_group_id ==
3514 3513 UserGroup.users_group_id)\
3515 3514 .join(
3516 3515 UserGroupMember,
3517 3516 UserGroupRepoGroupToPerm.users_group_id ==
3518 3517 UserGroupMember.users_group_id)\
3519 3518 .filter(
3520 3519 UserGroupMember.user_id == user_id,
3521 3520 UserGroup.users_group_active == true())
3522 3521 if repo_group_id:
3523 3522 q = q.filter(UserGroupRepoGroupToPerm.group_id == repo_group_id)
3524 3523 return q.all()
3525 3524
3526 3525 @classmethod
3527 3526 def get_default_user_group_perms(cls, user_id, user_group_id=None):
3528 3527 q = Session().query(UserUserGroupToPerm, UserGroup, Permission)\
3529 3528 .join((Permission, UserUserGroupToPerm.permission_id == Permission.permission_id))\
3530 3529 .join((UserGroup, UserUserGroupToPerm.user_group_id == UserGroup.users_group_id))\
3531 3530 .filter(UserUserGroupToPerm.user_id == user_id)
3532 3531 if user_group_id:
3533 3532 q = q.filter(UserUserGroupToPerm.user_group_id == user_group_id)
3534 3533 return q.all()
3535 3534
3536 3535 @classmethod
3537 3536 def get_default_user_group_perms_from_user_group(
3538 3537 cls, user_id, user_group_id=None):
3539 3538 TargetUserGroup = aliased(UserGroup, name='target_user_group')
3540 3539 q = Session().query(UserGroupUserGroupToPerm, UserGroup, Permission)\
3541 3540 .join(
3542 3541 Permission,
3543 3542 UserGroupUserGroupToPerm.permission_id ==
3544 3543 Permission.permission_id)\
3545 3544 .join(
3546 3545 TargetUserGroup,
3547 3546 UserGroupUserGroupToPerm.target_user_group_id ==
3548 3547 TargetUserGroup.users_group_id)\
3549 3548 .join(
3550 3549 UserGroup,
3551 3550 UserGroupUserGroupToPerm.user_group_id ==
3552 3551 UserGroup.users_group_id)\
3553 3552 .join(
3554 3553 UserGroupMember,
3555 3554 UserGroupUserGroupToPerm.user_group_id ==
3556 3555 UserGroupMember.users_group_id)\
3557 3556 .filter(
3558 3557 UserGroupMember.user_id == user_id,
3559 3558 UserGroup.users_group_active == true())
3560 3559 if user_group_id:
3561 3560 q = q.filter(
3562 3561 UserGroupUserGroupToPerm.user_group_id == user_group_id)
3563 3562
3564 3563 return q.all()
3565 3564
3566 3565
3567 3566 class UserRepoToPerm(Base, BaseModel):
3568 3567 __tablename__ = 'repo_to_perm'
3569 3568 __table_args__ = (
3570 3569 UniqueConstraint('user_id', 'repository_id', 'permission_id'),
3571 3570 base_table_args
3572 3571 )
3573 3572
3574 3573 repo_to_perm_id = Column("repo_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
3575 3574 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
3576 3575 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
3577 3576 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
3578 3577
3579 3578 user = relationship('User', back_populates="repo_to_perm")
3580 3579 repository = relationship('Repository', back_populates="repo_to_perm")
3581 3580 permission = relationship('Permission')
3582 3581
3583 3582 branch_perm_entry = relationship('UserToRepoBranchPermission', cascade="all, delete-orphan", lazy='joined', back_populates='user_repo_to_perm')
3584 3583
3585 3584 @classmethod
3586 3585 def create(cls, user, repository, permission):
3587 3586 n = cls()
3588 3587 n.user = user
3589 3588 n.repository = repository
3590 3589 n.permission = permission
3591 3590 Session().add(n)
3592 3591 return n
3593 3592
3594 3593 def __repr__(self):
3595 3594 return f'<{self.user} => {self.repository} >'
3596 3595
3597 3596
3598 3597 class UserUserGroupToPerm(Base, BaseModel):
3599 3598 __tablename__ = 'user_user_group_to_perm'
3600 3599 __table_args__ = (
3601 3600 UniqueConstraint('user_id', 'user_group_id', 'permission_id'),
3602 3601 base_table_args
3603 3602 )
3604 3603
3605 3604 user_user_group_to_perm_id = Column("user_user_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
3606 3605 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
3607 3606 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
3608 3607 user_group_id = Column("user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
3609 3608
3610 3609 user = relationship('User', back_populates='user_group_to_perm')
3611 3610 user_group = relationship('UserGroup', back_populates='user_user_group_to_perm')
3612 3611 permission = relationship('Permission')
3613 3612
3614 3613 @classmethod
3615 3614 def create(cls, user, user_group, permission):
3616 3615 n = cls()
3617 3616 n.user = user
3618 3617 n.user_group = user_group
3619 3618 n.permission = permission
3620 3619 Session().add(n)
3621 3620 return n
3622 3621
3623 3622 def __repr__(self):
3624 3623 return f'<{self.user} => {self.user_group} >'
3625 3624
3626 3625
3627 3626 class UserToPerm(Base, BaseModel):
3628 3627 __tablename__ = 'user_to_perm'
3629 3628 __table_args__ = (
3630 3629 UniqueConstraint('user_id', 'permission_id'),
3631 3630 base_table_args
3632 3631 )
3633 3632
3634 3633 user_to_perm_id = Column("user_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
3635 3634 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
3636 3635 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
3637 3636
3638 3637 user = relationship('User', back_populates='user_perms')
3639 3638 permission = relationship('Permission', lazy='joined')
3640 3639
3641 3640 def __repr__(self):
3642 3641 return f'<{self.user} => {self.permission} >'
3643 3642
3644 3643
3645 3644 class UserGroupRepoToPerm(Base, BaseModel):
3646 3645 __tablename__ = 'users_group_repo_to_perm'
3647 3646 __table_args__ = (
3648 3647 UniqueConstraint('repository_id', 'users_group_id', 'permission_id'),
3649 3648 base_table_args
3650 3649 )
3651 3650
3652 3651 users_group_to_perm_id = Column("users_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
3653 3652 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
3654 3653 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
3655 3654 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
3656 3655
3657 3656 users_group = relationship('UserGroup', back_populates='users_group_repo_to_perm')
3658 3657 permission = relationship('Permission')
3659 3658 repository = relationship('Repository', back_populates='users_group_to_perm')
3660 3659 user_group_branch_perms = relationship('UserGroupToRepoBranchPermission', cascade='all', back_populates='user_group_repo_to_perm')
3661 3660
3662 3661 @classmethod
3663 3662 def create(cls, users_group, repository, permission):
3664 3663 n = cls()
3665 3664 n.users_group = users_group
3666 3665 n.repository = repository
3667 3666 n.permission = permission
3668 3667 Session().add(n)
3669 3668 return n
3670 3669
3671 3670 def __repr__(self):
3672 3671 return f'<UserGroupRepoToPerm:{self.users_group} => {self.repository} >'
3673 3672
3674 3673
3675 3674 class UserGroupUserGroupToPerm(Base, BaseModel):
3676 3675 __tablename__ = 'user_group_user_group_to_perm'
3677 3676 __table_args__ = (
3678 3677 UniqueConstraint('target_user_group_id', 'user_group_id', 'permission_id'),
3679 3678 CheckConstraint('target_user_group_id != user_group_id'),
3680 3679 base_table_args
3681 3680 )
3682 3681
3683 3682 user_group_user_group_to_perm_id = Column("user_group_user_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
3684 3683 target_user_group_id = Column("target_user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
3685 3684 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
3686 3685 user_group_id = Column("user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
3687 3686
3688 3687 target_user_group = relationship('UserGroup', primaryjoin='UserGroupUserGroupToPerm.target_user_group_id==UserGroup.users_group_id', back_populates='user_group_user_group_to_perm')
3689 3688 user_group = relationship('UserGroup', primaryjoin='UserGroupUserGroupToPerm.user_group_id==UserGroup.users_group_id')
3690 3689 permission = relationship('Permission')
3691 3690
3692 3691 @classmethod
3693 3692 def create(cls, target_user_group, user_group, permission):
3694 3693 n = cls()
3695 3694 n.target_user_group = target_user_group
3696 3695 n.user_group = user_group
3697 3696 n.permission = permission
3698 3697 Session().add(n)
3699 3698 return n
3700 3699
3701 3700 def __repr__(self):
3702 3701 return f'<UserGroupUserGroup:{self.target_user_group} => {self.user_group} >'
3703 3702
3704 3703
3705 3704 class UserGroupToPerm(Base, BaseModel):
3706 3705 __tablename__ = 'users_group_to_perm'
3707 3706 __table_args__ = (
3708 3707 UniqueConstraint('users_group_id', 'permission_id',),
3709 3708 base_table_args
3710 3709 )
3711 3710
3712 3711 users_group_to_perm_id = Column("users_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
3713 3712 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
3714 3713 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
3715 3714
3716 3715 users_group = relationship('UserGroup', back_populates='users_group_to_perm')
3717 3716 permission = relationship('Permission')
3718 3717
3719 3718
3720 3719 class UserRepoGroupToPerm(Base, BaseModel):
3721 3720 __tablename__ = 'user_repo_group_to_perm'
3722 3721 __table_args__ = (
3723 3722 UniqueConstraint('user_id', 'group_id', 'permission_id'),
3724 3723 base_table_args
3725 3724 )
3726 3725
3727 3726 group_to_perm_id = Column("group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
3728 3727 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
3729 3728 group_id = Column("group_id", Integer(), ForeignKey('groups.group_id'), nullable=False, unique=None, default=None)
3730 3729 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
3731 3730
3732 3731 user = relationship('User', back_populates='repo_group_to_perm')
3733 3732 group = relationship('RepoGroup', back_populates='repo_group_to_perm')
3734 3733 permission = relationship('Permission')
3735 3734
3736 3735 @classmethod
3737 3736 def create(cls, user, repository_group, permission):
3738 3737 n = cls()
3739 3738 n.user = user
3740 3739 n.group = repository_group
3741 3740 n.permission = permission
3742 3741 Session().add(n)
3743 3742 return n
3744 3743
3745 3744
3746 3745 class UserGroupRepoGroupToPerm(Base, BaseModel):
3747 3746 __tablename__ = 'users_group_repo_group_to_perm'
3748 3747 __table_args__ = (
3749 3748 UniqueConstraint('users_group_id', 'group_id'),
3750 3749 base_table_args
3751 3750 )
3752 3751
3753 3752 users_group_repo_group_to_perm_id = Column("users_group_repo_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
3754 3753 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)
3755 3754 group_id = Column("group_id", Integer(), ForeignKey('groups.group_id'), nullable=False, unique=None, default=None)
3756 3755 permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
3757 3756
3758 3757 users_group = relationship('UserGroup', back_populates='users_group_repo_group_to_perm')
3759 3758 permission = relationship('Permission')
3760 3759 group = relationship('RepoGroup', back_populates='users_group_to_perm')
3761 3760
3762 3761 @classmethod
3763 3762 def create(cls, user_group, repository_group, permission):
3764 3763 n = cls()
3765 3764 n.users_group = user_group
3766 3765 n.group = repository_group
3767 3766 n.permission = permission
3768 3767 Session().add(n)
3769 3768 return n
3770 3769
3771 3770 def __repr__(self):
3772 3771 return '<UserGroupRepoGroupToPerm:%s => %s >' % (self.users_group, self.group)
3773 3772
3774 3773
3775 3774 class Statistics(Base, BaseModel):
3776 3775 __tablename__ = 'statistics'
3777 3776 __table_args__ = (
3778 3777 base_table_args
3779 3778 )
3780 3779
3781 3780 stat_id = Column("stat_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
3782 3781 repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=True, default=None)
3783 3782 stat_on_revision = Column("stat_on_revision", Integer(), nullable=False)
3784 3783 commit_activity = Column("commit_activity", LargeBinary(1000000), nullable=False) #JSON data
3785 3784 commit_activity_combined = Column("commit_activity_combined", LargeBinary(), nullable=False) #JSON data
3786 3785 languages = Column("languages", LargeBinary(1000000), nullable=False) #JSON data
3787 3786
3788 3787 repository = relationship('Repository', single_parent=True, viewonly=True)
3789 3788
3790 3789
3791 3790 class UserFollowing(Base, BaseModel):
3792 3791 __tablename__ = 'user_followings'
3793 3792 __table_args__ = (
3794 3793 UniqueConstraint('user_id', 'follows_repository_id'),
3795 3794 UniqueConstraint('user_id', 'follows_user_id'),
3796 3795 base_table_args
3797 3796 )
3798 3797
3799 3798 user_following_id = Column("user_following_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
3800 3799 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
3801 3800 follows_repo_id = Column("follows_repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=True, unique=None, default=None)
3802 3801 follows_user_id = Column("follows_user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)
3803 3802 follows_from = Column('follows_from', DateTime(timezone=False), nullable=True, unique=None, default=datetime.datetime.now)
3804 3803
3805 3804 user = relationship('User', primaryjoin='User.user_id==UserFollowing.user_id', back_populates='followings')
3806 3805
3807 3806 follows_user = relationship('User', primaryjoin='User.user_id==UserFollowing.follows_user_id')
3808 3807 follows_repository = relationship('Repository', order_by='Repository.repo_name', back_populates='followers')
3809 3808
3810 3809 @classmethod
3811 3810 def get_repo_followers(cls, repo_id):
3812 3811 return cls.query().filter(cls.follows_repo_id == repo_id)
3813 3812
3814 3813
3815 3814 class CacheKey(Base, BaseModel):
3816 3815 __tablename__ = 'cache_invalidation'
3817 3816 __table_args__ = (
3818 3817 UniqueConstraint('cache_key'),
3819 3818 Index('key_idx', 'cache_key'),
3820 3819 Index('cache_args_idx', 'cache_args'),
3821 3820 base_table_args,
3822 3821 )
3823 3822
3824 3823 CACHE_TYPE_FEED = 'FEED'
3825 3824
3826 3825 # namespaces used to register process/thread aware caches
3827 3826 REPO_INVALIDATION_NAMESPACE = 'repo_cache.v1:{repo_id}'
3828 3827
3829 3828 cache_id = Column("cache_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
3830 3829 cache_key = Column("cache_key", String(255), nullable=True, unique=None, default=None)
3831 3830 cache_args = Column("cache_args", String(255), nullable=True, unique=None, default=None)
3832 3831 cache_state_uid = Column("cache_state_uid", String(255), nullable=True, unique=None, default=None)
3833 3832 cache_active = Column("cache_active", Boolean(), nullable=True, unique=None, default=False)
3834 3833
3835 3834 def __init__(self, cache_key, cache_args='', cache_state_uid=None, cache_active=False):
3836 3835 self.cache_key = cache_key
3837 3836 self.cache_args = cache_args
3838 3837 self.cache_active = cache_active
3839 3838 # first key should be same for all entries, since all workers should share it
3840 3839 self.cache_state_uid = cache_state_uid or self.generate_new_state_uid()
3841 3840
3842 3841 def __repr__(self):
3843 3842 return "<%s('%s:%s[%s]')>" % (
3844 3843 self.cls_name,
3845 3844 self.cache_id, self.cache_key, self.cache_active)
3846 3845
3847 3846 def _cache_key_partition(self):
3848 3847 prefix, repo_name, suffix = self.cache_key.partition(self.cache_args)
3849 3848 return prefix, repo_name, suffix
3850 3849
3851 3850 def get_prefix(self):
3852 3851 """
3853 3852 Try to extract prefix from existing cache key. The key could consist
3854 3853 of prefix, repo_name, suffix
3855 3854 """
3856 3855 # this returns prefix, repo_name, suffix
3857 3856 return self._cache_key_partition()[0]
3858 3857
3859 3858 def get_suffix(self):
3860 3859 """
3861 3860 get suffix that might have been used in _get_cache_key to
3862 3861 generate self.cache_key. Only used for informational purposes
3863 3862 in repo_edit.mako.
3864 3863 """
3865 3864 # prefix, repo_name, suffix
3866 3865 return self._cache_key_partition()[2]
3867 3866
3868 3867 @classmethod
3869 3868 def generate_new_state_uid(cls, based_on=None):
3870 3869 if based_on:
3871 3870 return str(uuid.uuid5(uuid.NAMESPACE_URL, safe_str(based_on)))
3872 3871 else:
3873 3872 return str(uuid.uuid4())
3874 3873
3875 3874 @classmethod
3876 3875 def delete_all_cache(cls):
3877 3876 """
3878 3877 Delete all cache keys from database.
3879 3878 Should only be run when all instances are down and all entries
3880 3879 thus stale.
3881 3880 """
3882 3881 cls.query().delete()
3883 3882 Session().commit()
3884 3883
3885 3884 @classmethod
3886 3885 def set_invalidate(cls, cache_uid, delete=False):
3887 3886 """
3888 3887 Mark all caches of a repo as invalid in the database.
3889 3888 """
3890 3889 try:
3891 3890 qry = Session().query(cls).filter(cls.cache_key == cache_uid)
3892 3891 if delete:
3893 3892 qry.delete()
3894 3893 log.debug('cache objects deleted for cache args %s',
3895 3894 safe_str(cache_uid))
3896 3895 else:
3897 3896 new_uid = cls.generate_new_state_uid()
3898 3897 qry.update({"cache_state_uid": new_uid,
3899 3898 "cache_args": f"repo_state:{time.time()}"})
3900 3899 log.debug('cache object %s set new UID %s',
3901 3900 safe_str(cache_uid), new_uid)
3902 3901
3903 3902 Session().commit()
3904 3903 except Exception:
3905 3904 log.exception(
3906 3905 'Cache key invalidation failed for cache args %s',
3907 3906 safe_str(cache_uid))
3908 3907 Session().rollback()
3909 3908
3910 3909 @classmethod
3911 3910 def get_active_cache(cls, cache_key):
3912 3911 inv_obj = cls.query().filter(cls.cache_key == cache_key).scalar()
3913 3912 if inv_obj:
3914 3913 return inv_obj
3915 3914 return None
3916 3915
3917 3916 @classmethod
3918 3917 def get_namespace_map(cls, namespace):
3919 3918 return {
3920 3919 x.cache_key: x
3921 3920 for x in cls.query().filter(cls.cache_args == namespace)}
3922 3921
3923 3922
3924 3923 class ChangesetComment(Base, BaseModel):
3925 3924 __tablename__ = 'changeset_comments'
3926 3925 __table_args__ = (
3927 3926 Index('cc_revision_idx', 'revision'),
3928 3927 base_table_args,
3929 3928 )
3930 3929
3931 3930 COMMENT_OUTDATED = 'comment_outdated'
3932 3931 COMMENT_TYPE_NOTE = 'note'
3933 3932 COMMENT_TYPE_TODO = 'todo'
3934 3933 COMMENT_TYPES = [COMMENT_TYPE_NOTE, COMMENT_TYPE_TODO]
3935 3934
3936 3935 OP_IMMUTABLE = 'immutable'
3937 3936 OP_CHANGEABLE = 'changeable'
3938 3937
3939 3938 comment_id = Column('comment_id', Integer(), nullable=False, primary_key=True)
3940 3939 repo_id = Column('repo_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False)
3941 3940 revision = Column('revision', String(40), nullable=True)
3942 3941 pull_request_id = Column("pull_request_id", Integer(), ForeignKey('pull_requests.pull_request_id'), nullable=True)
3943 3942 pull_request_version_id = Column("pull_request_version_id", Integer(), ForeignKey('pull_request_versions.pull_request_version_id'), nullable=True)
3944 3943 line_no = Column('line_no', Unicode(10), nullable=True)
3945 3944 hl_lines = Column('hl_lines', Unicode(512), nullable=True)
3946 3945 f_path = Column('f_path', Unicode(1000), nullable=True)
3947 3946 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=False)
3948 3947 text = Column('text', UnicodeText().with_variant(UnicodeText(25000), 'mysql'), nullable=False)
3949 3948 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
3950 3949 modified_at = Column('modified_at', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
3951 3950 renderer = Column('renderer', Unicode(64), nullable=True)
3952 3951 display_state = Column('display_state', Unicode(128), nullable=True)
3953 3952 immutable_state = Column('immutable_state', Unicode(128), nullable=True, default=OP_CHANGEABLE)
3954 3953 draft = Column('draft', Boolean(), nullable=True, default=False)
3955 3954
3956 3955 comment_type = Column('comment_type', Unicode(128), nullable=True, default=COMMENT_TYPE_NOTE)
3957 3956 resolved_comment_id = Column('resolved_comment_id', Integer(), ForeignKey('changeset_comments.comment_id'), nullable=True)
3958 3957
3959 3958 resolved_comment = relationship('ChangesetComment', remote_side=comment_id, back_populates='resolved_by')
3960 3959 resolved_by = relationship('ChangesetComment', back_populates='resolved_comment')
3961 3960
3962 3961 author = relationship('User', lazy='select', back_populates='user_comments')
3963 3962 repo = relationship('Repository', back_populates='comments')
3964 3963 status_change = relationship('ChangesetStatus', cascade="all, delete-orphan", lazy='select', back_populates='comment')
3965 3964 pull_request = relationship('PullRequest', lazy='select', back_populates='comments')
3966 3965 pull_request_version = relationship('PullRequestVersion', lazy='select')
3967 3966 history = relationship('ChangesetCommentHistory', cascade='all, delete-orphan', lazy='select', order_by='ChangesetCommentHistory.version', back_populates="comment")
3968 3967
3969 3968 @classmethod
3970 3969 def get_users(cls, revision=None, pull_request_id=None):
3971 3970 """
3972 3971 Returns user associated with this ChangesetComment. ie those
3973 3972 who actually commented
3974 3973
3975 3974 :param cls:
3976 3975 :param revision:
3977 3976 """
3978 3977 q = Session().query(User).join(ChangesetComment.author)
3979 3978 if revision:
3980 3979 q = q.filter(cls.revision == revision)
3981 3980 elif pull_request_id:
3982 3981 q = q.filter(cls.pull_request_id == pull_request_id)
3983 3982 return q.all()
3984 3983
3985 3984 @classmethod
3986 3985 def get_index_from_version(cls, pr_version, versions=None, num_versions=None) -> int:
3987 3986 if pr_version is None:
3988 3987 return 0
3989 3988
3990 3989 if versions is not None:
3991 3990 num_versions = [x.pull_request_version_id for x in versions]
3992 3991
3993 3992 num_versions = num_versions or []
3994 3993 try:
3995 3994 return num_versions.index(pr_version) + 1
3996 3995 except (IndexError, ValueError):
3997 3996 return 0
3998 3997
3999 3998 @property
4000 3999 def outdated(self):
4001 4000 return self.display_state == self.COMMENT_OUTDATED
4002 4001
4003 4002 @property
4004 4003 def outdated_js(self):
4005 4004 return str_json(self.display_state == self.COMMENT_OUTDATED)
4006 4005
4007 4006 @property
4008 4007 def immutable(self):
4009 4008 return self.immutable_state == self.OP_IMMUTABLE
4010 4009
4011 4010 def outdated_at_version(self, version: int) -> bool:
4012 4011 """
4013 4012 Checks if comment is outdated for given pull request version
4014 4013 """
4015 4014
4016 4015 def version_check():
4017 4016 return self.pull_request_version_id and self.pull_request_version_id != version
4018 4017
4019 4018 if self.is_inline:
4020 4019 return self.outdated and version_check()
4021 4020 else:
4022 4021 # general comments don't have .outdated set, also latest don't have a version
4023 4022 return version_check()
4024 4023
4025 4024 def outdated_at_version_js(self, version):
4026 4025 """
4027 4026 Checks if comment is outdated for given pull request version
4028 4027 """
4029 4028 return str_json(self.outdated_at_version(version))
4030 4029
4031 4030 def older_than_version(self, version: int) -> bool:
4032 4031 """
4033 4032 Checks if comment is made from a previous version than given.
4034 4033 Assumes self.pull_request_version.pull_request_version_id is an integer if not None.
4035 4034 """
4036 4035
4037 4036 # If version is None, return False as the current version cannot be less than None
4038 4037 if version is None:
4039 4038 return False
4040 4039
4041 4040 # Ensure that the version is an integer to prevent TypeError on comparison
4042 4041 if not isinstance(version, int):
4043 4042 raise ValueError("The provided version must be an integer.")
4044 4043
4045 4044 # Initialize current version to 0 or pull_request_version_id if it's available
4046 4045 cur_ver = 0
4047 4046 if self.pull_request_version and self.pull_request_version.pull_request_version_id is not None:
4048 4047 cur_ver = self.pull_request_version.pull_request_version_id
4049 4048
4050 4049 # Return True if the current version is less than the given version
4051 4050 return cur_ver < version
4052 4051
4053 4052 def older_than_version_js(self, version):
4054 4053 """
4055 4054 Checks if comment is made from previous version than given
4056 4055 """
4057 4056 return str_json(self.older_than_version(version))
4058 4057
4059 4058 @property
4060 4059 def commit_id(self):
4061 4060 """New style naming to stop using .revision"""
4062 4061 return self.revision
4063 4062
4064 4063 @property
4065 4064 def resolved(self):
4066 4065 return self.resolved_by[0] if self.resolved_by else None
4067 4066
4068 4067 @property
4069 4068 def is_todo(self):
4070 4069 return self.comment_type == self.COMMENT_TYPE_TODO
4071 4070
4072 4071 @property
4073 4072 def is_inline(self):
4074 4073 if self.line_no and self.f_path:
4075 4074 return True
4076 4075 return False
4077 4076
4078 4077 @property
4079 4078 def last_version(self):
4080 4079 version = 0
4081 4080 if self.history:
4082 4081 version = self.history[-1].version
4083 4082 return version
4084 4083
4085 4084 def get_index_version(self, versions):
4086 4085 return self.get_index_from_version(
4087 4086 self.pull_request_version_id, versions)
4088 4087
4089 4088 @property
4090 4089 def review_status(self):
4091 4090 if self.status_change:
4092 4091 return self.status_change[0].status
4093 4092
4094 4093 @property
4095 4094 def review_status_lbl(self):
4096 4095 if self.status_change:
4097 4096 return self.status_change[0].status_lbl
4098 4097
4099 4098 def __repr__(self):
4100 4099 if self.comment_id:
4101 4100 return f'<DB:Comment #{self.comment_id}>'
4102 4101 else:
4103 4102 return f'<DB:Comment at {id(self)!r}>'
4104 4103
4105 4104 def get_api_data(self):
4106 4105 comment = self
4107 4106
4108 4107 data = {
4109 4108 'comment_id': comment.comment_id,
4110 4109 'comment_type': comment.comment_type,
4111 4110 'comment_text': comment.text,
4112 4111 'comment_status': comment.status_change,
4113 4112 'comment_f_path': comment.f_path,
4114 4113 'comment_lineno': comment.line_no,
4115 4114 'comment_author': comment.author,
4116 4115 'comment_created_on': comment.created_on,
4117 4116 'comment_resolved_by': self.resolved,
4118 4117 'comment_commit_id': comment.revision,
4119 4118 'comment_pull_request_id': comment.pull_request_id,
4120 4119 'comment_last_version': self.last_version
4121 4120 }
4122 4121 return data
4123 4122
4124 4123 def __json__(self):
4125 4124 data = dict()
4126 4125 data.update(self.get_api_data())
4127 4126 return data
4128 4127
4129 4128
4130 4129 class ChangesetCommentHistory(Base, BaseModel):
4131 4130 __tablename__ = 'changeset_comments_history'
4132 4131 __table_args__ = (
4133 4132 Index('cch_comment_id_idx', 'comment_id'),
4134 4133 base_table_args,
4135 4134 )
4136 4135
4137 4136 comment_history_id = Column('comment_history_id', Integer(), nullable=False, primary_key=True)
4138 4137 comment_id = Column('comment_id', Integer(), ForeignKey('changeset_comments.comment_id'), nullable=False)
4139 4138 version = Column("version", Integer(), nullable=False, default=0)
4140 4139 created_by_user_id = Column('created_by_user_id', Integer(), ForeignKey('users.user_id'), nullable=False)
4141 4140 text = Column('text', UnicodeText().with_variant(UnicodeText(25000), 'mysql'), nullable=False)
4142 4141 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
4143 4142 deleted = Column('deleted', Boolean(), default=False)
4144 4143
4145 4144 author = relationship('User', lazy='joined')
4146 4145 comment = relationship('ChangesetComment', cascade="all, delete", back_populates="history")
4147 4146
4148 4147 @classmethod
4149 4148 def get_version(cls, comment_id):
4150 4149 q = Session().query(ChangesetCommentHistory).filter(
4151 4150 ChangesetCommentHistory.comment_id == comment_id).order_by(ChangesetCommentHistory.version.desc())
4152 4151 if q.count() == 0:
4153 4152 return 1
4154 4153 elif q.count() >= q[0].version:
4155 4154 return q.count() + 1
4156 4155 else:
4157 4156 return q[0].version + 1
4158 4157
4159 4158
4160 4159 class ChangesetStatus(Base, BaseModel):
4161 4160 __tablename__ = 'changeset_statuses'
4162 4161 __table_args__ = (
4163 4162 Index('cs_revision_idx', 'revision'),
4164 4163 Index('cs_version_idx', 'version'),
4165 4164 UniqueConstraint('repo_id', 'revision', 'version'),
4166 4165 base_table_args
4167 4166 )
4168 4167
4169 4168 STATUS_NOT_REVIEWED = DEFAULT = 'not_reviewed'
4170 4169 STATUS_APPROVED = 'approved'
4171 4170 STATUS_REJECTED = 'rejected'
4172 4171 STATUS_UNDER_REVIEW = 'under_review'
4173 4172
4174 4173 STATUSES = [
4175 4174 (STATUS_NOT_REVIEWED, _("Not Reviewed")), # (no icon) and default
4176 4175 (STATUS_APPROVED, _("Approved")),
4177 4176 (STATUS_REJECTED, _("Rejected")),
4178 4177 (STATUS_UNDER_REVIEW, _("Under Review")),
4179 4178 ]
4180 4179
4181 4180 changeset_status_id = Column('changeset_status_id', Integer(), nullable=False, primary_key=True)
4182 4181 repo_id = Column('repo_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False)
4183 4182 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None)
4184 4183 revision = Column('revision', String(40), nullable=False)
4185 4184 status = Column('status', String(128), nullable=False, default=DEFAULT)
4186 4185 changeset_comment_id = Column('changeset_comment_id', Integer(), ForeignKey('changeset_comments.comment_id'))
4187 4186 modified_at = Column('modified_at', DateTime(), nullable=False, default=datetime.datetime.now)
4188 4187 version = Column('version', Integer(), nullable=False, default=0)
4189 4188 pull_request_id = Column("pull_request_id", Integer(), ForeignKey('pull_requests.pull_request_id'), nullable=True)
4190 4189
4191 4190 author = relationship('User', lazy='select')
4192 4191 repo = relationship('Repository', lazy='select')
4193 4192 comment = relationship('ChangesetComment', lazy='select', back_populates='status_change')
4194 4193 pull_request = relationship('PullRequest', lazy='select', back_populates='statuses')
4195 4194
4196 4195 def __repr__(self):
4197 4196 return f"<{self.cls_name}('{self.status}[v{self.version}]:{self.author}')>"
4198 4197
4199 4198 @classmethod
4200 4199 def get_status_lbl(cls, value):
4201 4200 return dict(cls.STATUSES).get(value)
4202 4201
4203 4202 @property
4204 4203 def status_lbl(self):
4205 4204 return ChangesetStatus.get_status_lbl(self.status)
4206 4205
4207 4206 def get_api_data(self):
4208 4207 status = self
4209 4208 data = {
4210 4209 'status_id': status.changeset_status_id,
4211 4210 'status': status.status,
4212 4211 }
4213 4212 return data
4214 4213
4215 4214 def __json__(self):
4216 4215 data = dict()
4217 4216 data.update(self.get_api_data())
4218 4217 return data
4219 4218
4220 4219
4221 4220 class _SetState(object):
4222 4221 """
4223 4222 Context processor allowing changing state for sensitive operation such as
4224 4223 pull request update or merge
4225 4224 """
4226 4225
4227 4226 def __init__(self, pull_request, pr_state, back_state=None):
4228 4227 self._pr = pull_request
4229 4228 self._org_state = back_state or pull_request.pull_request_state
4230 4229 self._pr_state = pr_state
4231 4230 self._current_state = None
4232 4231
4233 4232 def __enter__(self):
4234 4233 log.debug('StateLock: entering set state context of pr %s, setting state to: `%s`',
4235 4234 self._pr, self._pr_state)
4236 4235 self.set_pr_state(self._pr_state)
4237 4236 return self
4238 4237
4239 4238 def __exit__(self, exc_type, exc_val, exc_tb):
4240 4239 if exc_val is not None or exc_type is not None:
4241 4240 log.error(traceback.format_tb(exc_tb))
4242 4241 return None
4243 4242
4244 4243 self.set_pr_state(self._org_state)
4245 4244 log.debug('StateLock: exiting set state context of pr %s, setting state to: `%s`',
4246 4245 self._pr, self._org_state)
4247 4246
4248 4247 @property
4249 4248 def state(self):
4250 4249 return self._current_state
4251 4250
4252 4251 def set_pr_state(self, pr_state):
4253 4252 try:
4254 4253 self._pr.pull_request_state = pr_state
4255 4254 Session().add(self._pr)
4256 4255 Session().commit()
4257 4256 self._current_state = pr_state
4258 4257 except Exception:
4259 4258 log.exception('Failed to set PullRequest %s state to %s', self._pr, pr_state)
4260 4259 raise
4261 4260
4262 4261
4263 4262 class _PullRequestBase(BaseModel):
4264 4263 """
4265 4264 Common attributes of pull request and version entries.
4266 4265 """
4267 4266
4268 4267 # .status values
4269 4268 STATUS_NEW = 'new'
4270 4269 STATUS_OPEN = 'open'
4271 4270 STATUS_CLOSED = 'closed'
4272 4271
4273 4272 # available states
4274 4273 STATE_CREATING = 'creating'
4275 4274 STATE_UPDATING = 'updating'
4276 4275 STATE_MERGING = 'merging'
4277 4276 STATE_CREATED = 'created'
4278 4277
4279 4278 title = Column('title', Unicode(255), nullable=True)
4280 4279 description = Column(
4281 4280 'description', UnicodeText().with_variant(UnicodeText(10240), 'mysql'),
4282 4281 nullable=True)
4283 4282 description_renderer = Column('description_renderer', Unicode(64), nullable=True)
4284 4283
4285 4284 # new/open/closed status of pull request (not approve/reject/etc)
4286 4285 status = Column('status', Unicode(255), nullable=False, default=STATUS_NEW)
4287 4286 created_on = Column(
4288 4287 'created_on', DateTime(timezone=False), nullable=False,
4289 4288 default=datetime.datetime.now)
4290 4289 updated_on = Column(
4291 4290 'updated_on', DateTime(timezone=False), nullable=False,
4292 4291 default=datetime.datetime.now)
4293 4292
4294 4293 pull_request_state = Column("pull_request_state", String(255), nullable=True)
4295 4294
4296 4295 @declared_attr
4297 4296 def user_id(cls):
4298 4297 return Column(
4299 4298 "user_id", Integer(), ForeignKey('users.user_id'), nullable=False,
4300 4299 unique=None)
4301 4300
4302 4301 # 500 revisions max
4303 4302 _revisions = Column(
4304 4303 'revisions', UnicodeText().with_variant(UnicodeText(20500), 'mysql'))
4305 4304
4306 4305 common_ancestor_id = Column('common_ancestor_id', Unicode(255), nullable=True)
4307 4306
4308 4307 @declared_attr
4309 4308 def source_repo_id(cls):
4310 4309 # TODO: dan: rename column to source_repo_id
4311 4310 return Column(
4312 4311 'org_repo_id', Integer(), ForeignKey('repositories.repo_id'),
4313 4312 nullable=False)
4314 4313
4315 4314 @declared_attr
4316 4315 def pr_source(cls):
4317 4316 return relationship(
4318 4317 'Repository',
4319 4318 primaryjoin=f'{cls.__name__}.source_repo_id==Repository.repo_id',
4320 4319 overlaps="pull_requests_source"
4321 4320 )
4322 4321
4323 4322 _source_ref = Column('org_ref', Unicode(255), nullable=False)
4324 4323
4325 4324 @hybrid_property
4326 4325 def source_ref(self):
4327 4326 return self._source_ref
4328 4327
4329 4328 @source_ref.setter
4330 4329 def source_ref(self, val):
4331 4330 parts = (val or '').split(':')
4332 4331 if len(parts) != 3:
4333 4332 raise ValueError(
4334 4333 'Invalid reference format given: {}, expected X:Y:Z'.format(val))
4335 4334 self._source_ref = safe_str(val)
4336 4335
4337 4336 _target_ref = Column('other_ref', Unicode(255), nullable=False)
4338 4337
4339 4338 @hybrid_property
4340 4339 def target_ref(self):
4341 4340 return self._target_ref
4342 4341
4343 4342 @target_ref.setter
4344 4343 def target_ref(self, val):
4345 4344 parts = (val or '').split(':')
4346 4345 if len(parts) != 3:
4347 4346 raise ValueError(
4348 4347 'Invalid reference format given: {}, expected X:Y:Z'.format(val))
4349 4348 self._target_ref = safe_str(val)
4350 4349
4351 4350 @declared_attr
4352 4351 def target_repo_id(cls):
4353 4352 # TODO: dan: rename column to target_repo_id
4354 4353 return Column(
4355 4354 'other_repo_id', Integer(), ForeignKey('repositories.repo_id'),
4356 4355 nullable=False)
4357 4356
4358 4357 @declared_attr
4359 4358 def pr_target(cls):
4360 4359 return relationship(
4361 4360 'Repository',
4362 4361 primaryjoin=f'{cls.__name__}.target_repo_id==Repository.repo_id',
4363 4362 overlaps="pull_requests_target"
4364 4363 )
4365 4364
4366 4365 _shadow_merge_ref = Column('shadow_merge_ref', Unicode(255), nullable=True)
4367 4366
4368 4367 # TODO: dan: rename column to last_merge_source_rev
4369 4368 _last_merge_source_rev = Column(
4370 4369 'last_merge_org_rev', String(40), nullable=True)
4371 4370 # TODO: dan: rename column to last_merge_target_rev
4372 4371 _last_merge_target_rev = Column(
4373 4372 'last_merge_other_rev', String(40), nullable=True)
4374 4373 _last_merge_status = Column('merge_status', Integer(), nullable=True)
4375 4374 last_merge_metadata = Column(
4376 4375 'last_merge_metadata', MutationObj.as_mutable(
4377 4376 JsonType(dialect_map=dict(mysql=UnicodeText(16384)))))
4378 4377
4379 4378 merge_rev = Column('merge_rev', String(40), nullable=True)
4380 4379
4381 4380 reviewer_data = Column(
4382 4381 'reviewer_data_json', MutationObj.as_mutable(
4383 4382 JsonType(dialect_map=dict(mysql=UnicodeText(16384)))))
4384 4383
4385 4384 @property
4386 4385 def reviewer_data_json(self):
4387 4386 return str_json(self.reviewer_data)
4388 4387
4389 4388 @property
4390 4389 def last_merge_metadata_parsed(self):
4391 4390 metadata = {}
4392 4391 if not self.last_merge_metadata:
4393 4392 return metadata
4394 4393
4395 4394 if hasattr(self.last_merge_metadata, 'de_coerce'):
4396 4395 for k, v in self.last_merge_metadata.de_coerce().items():
4397 4396 if k in ['target_ref', 'source_ref']:
4398 4397 metadata[k] = Reference(v['type'], v['name'], v['commit_id'])
4399 4398 else:
4400 4399 if hasattr(v, 'de_coerce'):
4401 4400 metadata[k] = v.de_coerce()
4402 4401 else:
4403 4402 metadata[k] = v
4404 4403 return metadata
4405 4404
4406 4405 @property
4407 4406 def work_in_progress(self):
4408 4407 """checks if pull request is work in progress by checking the title"""
4409 4408 title = self.title.upper()
4410 4409 if re.match(r'^(\[WIP\]\s*|WIP:\s*|WIP\s+)', title):
4411 4410 return True
4412 4411 return False
4413 4412
4414 4413 @property
4415 4414 def title_safe(self):
4416 4415 return self.title\
4417 4416 .replace('{', '{{')\
4418 4417 .replace('}', '}}')
4419 4418
4420 4419 @hybrid_property
4421 4420 def description_safe(self):
4422 4421 from rhodecode.lib import helpers as h
4423 4422 return h.escape(self.description)
4424 4423
4425 4424 @hybrid_property
4426 4425 def revisions(self):
4427 4426 return self._revisions.split(':') if self._revisions else []
4428 4427
4429 4428 @revisions.setter
4430 4429 def revisions(self, val):
4431 4430 self._revisions = ':'.join(val)
4432 4431
4433 4432 @hybrid_property
4434 4433 def last_merge_status(self):
4435 4434 return safe_int(self._last_merge_status)
4436 4435
4437 4436 @last_merge_status.setter
4438 4437 def last_merge_status(self, val):
4439 4438 self._last_merge_status = val
4440 4439
4441 4440 @declared_attr
4442 4441 def author(cls):
4443 4442 return relationship(
4444 4443 'User', lazy='joined',
4445 4444 #TODO, problem that is somehow :?
4446 4445 #back_populates='user_pull_requests'
4447 4446 )
4448 4447
4449 4448 @declared_attr
4450 4449 def source_repo(cls):
4451 4450 return relationship(
4452 4451 'Repository',
4453 4452 primaryjoin=f'{cls.__name__}.source_repo_id==Repository.repo_id',
4454 4453 overlaps="pr_source"
4455 4454 )
4456 4455
4457 4456 @property
4458 4457 def source_ref_parts(self):
4459 4458 return self.unicode_to_reference(self.source_ref)
4460 4459
4461 4460 @declared_attr
4462 4461 def target_repo(cls):
4463 4462 return relationship(
4464 4463 'Repository',
4465 4464 primaryjoin=f'{cls.__name__}.target_repo_id==Repository.repo_id',
4466 4465 overlaps="pr_target"
4467 4466 )
4468 4467
4469 4468 @property
4470 4469 def target_ref_parts(self):
4471 4470 return self.unicode_to_reference(self.target_ref)
4472 4471
4473 4472 @property
4474 4473 def shadow_merge_ref(self):
4475 4474 return self.unicode_to_reference(self._shadow_merge_ref)
4476 4475
4477 4476 @shadow_merge_ref.setter
4478 4477 def shadow_merge_ref(self, ref):
4479 4478 self._shadow_merge_ref = self.reference_to_unicode(ref)
4480 4479
4481 4480 @staticmethod
4482 4481 def unicode_to_reference(raw):
4483 4482 return unicode_to_reference(raw)
4484 4483
4485 4484 @staticmethod
4486 4485 def reference_to_unicode(ref):
4487 4486 return reference_to_unicode(ref)
4488 4487
4489 4488 def get_api_data(self, with_merge_state=True):
4490 4489 from rhodecode.model.pull_request import PullRequestModel
4491 4490
4492 4491 pull_request = self
4493 4492 if with_merge_state:
4494 4493 merge_response, merge_status, msg = \
4495 4494 PullRequestModel().merge_status(pull_request)
4496 4495 merge_state = {
4497 4496 'status': merge_status,
4498 4497 'message': safe_str(msg),
4499 4498 }
4500 4499 else:
4501 4500 merge_state = {'status': 'not_available',
4502 4501 'message': 'not_available'}
4503 4502
4504 4503 merge_data = {
4505 4504 'clone_url': PullRequestModel().get_shadow_clone_url(pull_request),
4506 4505 'reference': (
4507 4506 pull_request.shadow_merge_ref.asdict()
4508 4507 if pull_request.shadow_merge_ref else None),
4509 4508 }
4510 4509
4511 4510 data = {
4512 4511 'pull_request_id': pull_request.pull_request_id,
4513 4512 'url': PullRequestModel().get_url(pull_request),
4514 4513 'title': pull_request.title,
4515 4514 'description': pull_request.description,
4516 4515 'status': pull_request.status,
4517 4516 'state': pull_request.pull_request_state,
4518 4517 'created_on': pull_request.created_on,
4519 4518 'updated_on': pull_request.updated_on,
4520 4519 'commit_ids': pull_request.revisions,
4521 4520 'review_status': pull_request.calculated_review_status(),
4522 4521 'mergeable': merge_state,
4523 4522 'source': {
4524 4523 'clone_url': pull_request.source_repo.clone_url(),
4525 4524 'repository': pull_request.source_repo.repo_name,
4526 4525 'reference': {
4527 4526 'name': pull_request.source_ref_parts.name,
4528 4527 'type': pull_request.source_ref_parts.type,
4529 4528 'commit_id': pull_request.source_ref_parts.commit_id,
4530 4529 },
4531 4530 },
4532 4531 'target': {
4533 4532 'clone_url': pull_request.target_repo.clone_url(),
4534 4533 'repository': pull_request.target_repo.repo_name,
4535 4534 'reference': {
4536 4535 'name': pull_request.target_ref_parts.name,
4537 4536 'type': pull_request.target_ref_parts.type,
4538 4537 'commit_id': pull_request.target_ref_parts.commit_id,
4539 4538 },
4540 4539 },
4541 4540 'merge': merge_data,
4542 4541 'author': pull_request.author.get_api_data(include_secrets=False,
4543 4542 details='basic'),
4544 4543 'reviewers': [
4545 4544 {
4546 4545 'user': reviewer.get_api_data(include_secrets=False,
4547 4546 details='basic'),
4548 4547 'reasons': reasons,
4549 4548 'review_status': st[0][1].status if st else 'not_reviewed',
4550 4549 }
4551 4550 for obj, reviewer, reasons, mandatory, st in
4552 4551 pull_request.reviewers_statuses()
4553 4552 ]
4554 4553 }
4555 4554
4556 4555 return data
4557 4556
4558 4557 def set_state(self, pull_request_state, final_state=None):
4559 4558 """
4560 4559 # goes from initial state to updating to initial state.
4561 4560 # initial state can be changed by specifying back_state=
4562 4561 with pull_request_obj.set_state(PullRequest.STATE_UPDATING):
4563 4562 pull_request.merge()
4564 4563
4565 4564 :param pull_request_state:
4566 4565 :param final_state:
4567 4566
4568 4567 """
4569 4568
4570 4569 return _SetState(self, pull_request_state, back_state=final_state)
4571 4570
4572 4571
4573 4572 class PullRequest(Base, _PullRequestBase):
4574 4573 __tablename__ = 'pull_requests'
4575 4574 __table_args__ = (
4576 4575 base_table_args,
4577 4576 )
4578 4577 LATEST_VER = 'latest'
4579 4578
4580 4579 pull_request_id = Column(
4581 4580 'pull_request_id', Integer(), nullable=False, primary_key=True)
4582 4581
4583 4582 def __repr__(self):
4584 4583 if self.pull_request_id:
4585 4584 return f'<DB:PullRequest #{self.pull_request_id}>'
4586 4585 else:
4587 4586 return f'<DB:PullRequest at {id(self)!r}>'
4588 4587
4589 4588 reviewers = relationship('PullRequestReviewers', cascade="all, delete-orphan", back_populates='pull_request')
4590 4589 statuses = relationship('ChangesetStatus', cascade="all, delete-orphan", back_populates='pull_request')
4591 4590 comments = relationship('ChangesetComment', cascade="all, delete-orphan", back_populates='pull_request')
4592 4591 versions = relationship('PullRequestVersion', cascade="all, delete-orphan", lazy='dynamic', back_populates='pull_request')
4593 4592
4594 4593 @classmethod
4595 4594 def get_pr_display_object(cls, pull_request_obj, org_pull_request_obj,
4596 4595 internal_methods=None):
4597 4596
4598 4597 class PullRequestDisplay(object):
4599 4598 """
4600 4599 Special object wrapper for showing PullRequest data via Versions
4601 4600 It mimics PR object as close as possible. This is read only object
4602 4601 just for display
4603 4602 """
4604 4603
4605 4604 def __init__(self, attrs, internal=None):
4606 4605 self.attrs = attrs
4607 4606 # internal have priority over the given ones via attrs
4608 4607 self.internal = internal or ['versions']
4609 4608
4610 4609 def __getattr__(self, item):
4611 4610 if item in self.internal:
4612 4611 return getattr(self, item)
4613 4612 try:
4614 4613 return self.attrs[item]
4615 4614 except KeyError:
4616 4615 raise AttributeError(
4617 4616 '%s object has no attribute %s' % (self, item))
4618 4617
4619 4618 def __repr__(self):
4620 4619 pr_id = self.attrs.get('pull_request_id')
4621 4620 return f'<DB:PullRequestDisplay #{pr_id}>'
4622 4621
4623 4622 def versions(self):
4624 4623 return pull_request_obj.versions.order_by(
4625 4624 PullRequestVersion.pull_request_version_id).all()
4626 4625
4627 4626 def is_closed(self):
4628 4627 return pull_request_obj.is_closed()
4629 4628
4630 4629 def is_state_changing(self):
4631 4630 return pull_request_obj.is_state_changing()
4632 4631
4633 4632 @property
4634 4633 def pull_request_version_id(self):
4635 4634 return getattr(pull_request_obj, 'pull_request_version_id', None)
4636 4635
4637 4636 @property
4638 4637 def pull_request_last_version(self):
4639 4638 return pull_request_obj.pull_request_last_version
4640 4639
4641 4640 attrs = StrictAttributeDict(pull_request_obj.get_api_data(with_merge_state=False))
4642 4641
4643 4642 attrs.author = StrictAttributeDict(
4644 4643 pull_request_obj.author.get_api_data())
4645 4644 if pull_request_obj.target_repo:
4646 4645 attrs.target_repo = StrictAttributeDict(
4647 4646 pull_request_obj.target_repo.get_api_data())
4648 4647 attrs.target_repo.clone_url = pull_request_obj.target_repo.clone_url
4649 4648
4650 4649 if pull_request_obj.source_repo:
4651 4650 attrs.source_repo = StrictAttributeDict(
4652 4651 pull_request_obj.source_repo.get_api_data())
4653 4652 attrs.source_repo.clone_url = pull_request_obj.source_repo.clone_url
4654 4653
4655 4654 attrs.source_ref_parts = pull_request_obj.source_ref_parts
4656 4655 attrs.target_ref_parts = pull_request_obj.target_ref_parts
4657 4656 attrs.revisions = pull_request_obj.revisions
4658 4657 attrs.common_ancestor_id = pull_request_obj.common_ancestor_id
4659 4658 attrs.shadow_merge_ref = org_pull_request_obj.shadow_merge_ref
4660 4659 attrs.reviewer_data = org_pull_request_obj.reviewer_data
4661 4660 attrs.reviewer_data_json = org_pull_request_obj.reviewer_data_json
4662 4661
4663 4662 return PullRequestDisplay(attrs, internal=internal_methods)
4664 4663
4665 4664 def is_closed(self):
4666 4665 return self.status == self.STATUS_CLOSED
4667 4666
4668 4667 def is_state_changing(self):
4669 4668 return self.pull_request_state != PullRequest.STATE_CREATED
4670 4669
4671 4670 def __json__(self):
4672 4671 return {
4673 4672 'revisions': self.revisions,
4674 4673 'versions': self.versions_count
4675 4674 }
4676 4675
4677 4676 def calculated_review_status(self):
4678 4677 from rhodecode.model.changeset_status import ChangesetStatusModel
4679 4678 return ChangesetStatusModel().calculated_review_status(self)
4680 4679
4681 4680 def reviewers_statuses(self, user=None):
4682 4681 from rhodecode.model.changeset_status import ChangesetStatusModel
4683 4682 return ChangesetStatusModel().reviewers_statuses(self, user=user)
4684 4683
4685 4684 def get_pull_request_reviewers(self, role=None):
4686 4685 qry = PullRequestReviewers.query()\
4687 4686 .filter(PullRequestReviewers.pull_request_id == self.pull_request_id)
4688 4687 if role:
4689 4688 qry = qry.filter(PullRequestReviewers.role == role)
4690 4689
4691 4690 return qry.all()
4692 4691
4693 4692 @property
4694 4693 def reviewers_count(self):
4695 4694 qry = PullRequestReviewers.query()\
4696 4695 .filter(PullRequestReviewers.pull_request_id == self.pull_request_id)\
4697 4696 .filter(PullRequestReviewers.role == PullRequestReviewers.ROLE_REVIEWER)
4698 4697 return qry.count()
4699 4698
4700 4699 @property
4701 4700 def observers_count(self):
4702 4701 qry = PullRequestReviewers.query()\
4703 4702 .filter(PullRequestReviewers.pull_request_id == self.pull_request_id)\
4704 4703 .filter(PullRequestReviewers.role == PullRequestReviewers.ROLE_OBSERVER)
4705 4704 return qry.count()
4706 4705
4707 4706 def observers(self):
4708 4707 qry = PullRequestReviewers.query()\
4709 4708 .filter(PullRequestReviewers.pull_request_id == self.pull_request_id)\
4710 4709 .filter(PullRequestReviewers.role == PullRequestReviewers.ROLE_OBSERVER)\
4711 4710 .all()
4712 4711
4713 4712 for entry in qry:
4714 4713 yield entry, entry.user
4715 4714
4716 4715 @property
4717 4716 def workspace_id(self):
4718 4717 from rhodecode.model.pull_request import PullRequestModel
4719 4718 return PullRequestModel()._workspace_id(self)
4720 4719
4721 4720 def get_shadow_repo(self):
4722 4721 workspace_id = self.workspace_id
4723 4722 shadow_repository_path = self.target_repo.get_shadow_repository_path(workspace_id)
4724 4723 if os.path.isdir(shadow_repository_path):
4725 4724 vcs_obj = self.target_repo.scm_instance()
4726 4725 return vcs_obj.get_shadow_instance(shadow_repository_path)
4727 4726
4728 4727 @property
4729 4728 def versions_count(self):
4730 4729 """
4731 4730 return number of versions this PR have, e.g a PR that once been
4732 4731 updated will have 2 versions
4733 4732 """
4734 4733 return self.versions.count() + 1
4735 4734
4736 4735 @property
4737 4736 def pull_request_last_version(self):
4738 4737 return self.versions_count
4739 4738
4740 4739
4741 4740 class PullRequestVersion(Base, _PullRequestBase):
4742 4741 __tablename__ = 'pull_request_versions'
4743 4742 __table_args__ = (
4744 4743 base_table_args,
4745 4744 )
4746 4745
4747 4746 pull_request_version_id = Column('pull_request_version_id', Integer(), nullable=False, primary_key=True)
4748 4747 pull_request_id = Column('pull_request_id', Integer(), ForeignKey('pull_requests.pull_request_id'), nullable=False)
4749 4748 pull_request = relationship('PullRequest', back_populates='versions')
4750 4749
4751 4750 def __repr__(self):
4752 4751 if self.pull_request_version_id:
4753 4752 return f'<DB:PullRequestVersion #{self.pull_request_version_id}>'
4754 4753 else:
4755 4754 return f'<DB:PullRequestVersion at {id(self)!r}>'
4756 4755
4757 4756 @property
4758 4757 def reviewers(self):
4759 4758 return self.pull_request.reviewers
4760 4759
4761 4760 @property
4762 4761 def versions(self):
4763 4762 return self.pull_request.versions
4764 4763
4765 4764 def is_closed(self):
4766 4765 # calculate from original
4767 4766 return self.pull_request.status == self.STATUS_CLOSED
4768 4767
4769 4768 def is_state_changing(self):
4770 4769 return self.pull_request.pull_request_state != PullRequest.STATE_CREATED
4771 4770
4772 4771 def calculated_review_status(self):
4773 4772 return self.pull_request.calculated_review_status()
4774 4773
4775 4774 def reviewers_statuses(self):
4776 4775 return self.pull_request.reviewers_statuses()
4777 4776
4778 4777 def observers(self):
4779 4778 return self.pull_request.observers()
4780 4779
4781 4780
4782 4781 class PullRequestReviewers(Base, BaseModel):
4783 4782 __tablename__ = 'pull_request_reviewers'
4784 4783 __table_args__ = (
4785 4784 base_table_args,
4786 4785 )
4787 4786 ROLE_REVIEWER = 'reviewer'
4788 4787 ROLE_OBSERVER = 'observer'
4789 4788 ROLES = [ROLE_REVIEWER, ROLE_OBSERVER]
4790 4789
4791 4790 @hybrid_property
4792 4791 def reasons(self):
4793 4792 if not self._reasons:
4794 4793 return []
4795 4794 return self._reasons
4796 4795
4797 4796 @reasons.setter
4798 4797 def reasons(self, val):
4799 4798 val = val or []
4800 4799 if any(not isinstance(x, str) for x in val):
4801 4800 raise Exception('invalid reasons type, must be list of strings')
4802 4801 self._reasons = val
4803 4802
4804 4803 pull_requests_reviewers_id = Column(
4805 4804 'pull_requests_reviewers_id', Integer(), nullable=False,
4806 4805 primary_key=True)
4807 4806 pull_request_id = Column(
4808 4807 "pull_request_id", Integer(),
4809 4808 ForeignKey('pull_requests.pull_request_id'), nullable=False)
4810 4809 user_id = Column(
4811 4810 "user_id", Integer(), ForeignKey('users.user_id'), nullable=True)
4812 4811 _reasons = Column(
4813 4812 'reason', MutationList.as_mutable(
4814 4813 JsonType('list', dialect_map=dict(mysql=UnicodeText(16384)))))
4815 4814
4816 4815 mandatory = Column("mandatory", Boolean(), nullable=False, default=False)
4817 4816 role = Column('role', Unicode(255), nullable=True, default=ROLE_REVIEWER)
4818 4817
4819 4818 user = relationship('User')
4820 4819 pull_request = relationship('PullRequest', back_populates='reviewers')
4821 4820
4822 4821 rule_data = Column(
4823 4822 'rule_data_json',
4824 4823 JsonType(dialect_map=dict(mysql=UnicodeText(16384))))
4825 4824
4826 4825 def rule_user_group_data(self):
4827 4826 """
4828 4827 Returns the voting user group rule data for this reviewer
4829 4828 """
4830 4829
4831 4830 if self.rule_data and 'vote_rule' in self.rule_data:
4832 4831 user_group_data = {}
4833 4832 if 'rule_user_group_entry_id' in self.rule_data:
4834 4833 # means a group with voting rules !
4835 4834 user_group_data['id'] = self.rule_data['rule_user_group_entry_id']
4836 4835 user_group_data['name'] = self.rule_data['rule_name']
4837 4836 user_group_data['vote_rule'] = self.rule_data['vote_rule']
4838 4837
4839 4838 return user_group_data
4840 4839
4841 4840 @classmethod
4842 4841 def get_pull_request_reviewers(cls, pull_request_id, role=None):
4843 4842 qry = PullRequestReviewers.query()\
4844 4843 .filter(PullRequestReviewers.pull_request_id == pull_request_id)
4845 4844 if role:
4846 4845 qry = qry.filter(PullRequestReviewers.role == role)
4847 4846
4848 4847 return qry.all()
4849 4848
4850 4849 def __repr__(self):
4851 4850 return f"<{self.cls_name}('id:{self.pull_requests_reviewers_id}')>"
4852 4851
4853 4852
4854 4853 class Notification(Base, BaseModel):
4855 4854 __tablename__ = 'notifications'
4856 4855 __table_args__ = (
4857 4856 Index('notification_type_idx', 'type'),
4858 4857 base_table_args,
4859 4858 )
4860 4859
4861 4860 TYPE_CHANGESET_COMMENT = 'cs_comment'
4862 4861 TYPE_MESSAGE = 'message'
4863 4862 TYPE_MENTION = 'mention'
4864 4863 TYPE_REGISTRATION = 'registration'
4865 4864 TYPE_PULL_REQUEST = 'pull_request'
4866 4865 TYPE_PULL_REQUEST_COMMENT = 'pull_request_comment'
4867 4866 TYPE_PULL_REQUEST_UPDATE = 'pull_request_update'
4868 4867
4869 4868 notification_id = Column('notification_id', Integer(), nullable=False, primary_key=True)
4870 4869 subject = Column('subject', Unicode(512), nullable=True)
4871 4870 body = Column('body', UnicodeText().with_variant(UnicodeText(50000), 'mysql'), nullable=True)
4872 4871 created_by = Column("created_by", Integer(), ForeignKey('users.user_id'), nullable=True)
4873 4872 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
4874 4873 type_ = Column('type', Unicode(255))
4875 4874
4876 4875 created_by_user = relationship('User', back_populates='user_created_notifications')
4877 4876 notifications_to_users = relationship('UserNotification', lazy='joined', cascade="all, delete-orphan", back_populates='notification')
4878 4877
4879 4878 @property
4880 4879 def recipients(self):
4881 4880 return [x.user for x in UserNotification.query()\
4882 4881 .filter(UserNotification.notification == self)\
4883 4882 .order_by(UserNotification.user_id.asc()).all()]
4884 4883
4885 4884 @classmethod
4886 4885 def create(cls, created_by, subject, body, recipients, type_=None):
4887 4886 if type_ is None:
4888 4887 type_ = Notification.TYPE_MESSAGE
4889 4888
4890 4889 notification = cls()
4891 4890 notification.created_by_user = created_by
4892 4891 notification.subject = subject
4893 4892 notification.body = body
4894 4893 notification.type_ = type_
4895 4894 notification.created_on = datetime.datetime.now()
4896 4895
4897 4896 # For each recipient link the created notification to his account
4898 4897 for u in recipients:
4899 4898 assoc = UserNotification()
4900 4899 assoc.user_id = u.user_id
4901 4900 assoc.notification = notification
4902 4901
4903 4902 # if created_by is inside recipients mark his notification
4904 4903 # as read
4905 4904 if u.user_id == created_by.user_id:
4906 4905 assoc.read = True
4907 4906 Session().add(assoc)
4908 4907
4909 4908 Session().add(notification)
4910 4909
4911 4910 return notification
4912 4911
4913 4912
4914 4913 class UserNotification(Base, BaseModel):
4915 4914 __tablename__ = 'user_to_notification'
4916 4915 __table_args__ = (
4917 4916 UniqueConstraint('user_id', 'notification_id'),
4918 4917 base_table_args
4919 4918 )
4920 4919
4921 4920 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), primary_key=True)
4922 4921 notification_id = Column("notification_id", Integer(), ForeignKey('notifications.notification_id'), primary_key=True)
4923 4922 read = Column('read', Boolean, default=False)
4924 4923 sent_on = Column('sent_on', DateTime(timezone=False), nullable=True, unique=None)
4925 4924
4926 4925 user = relationship('User', lazy="joined", back_populates='notifications')
4927 4926 notification = relationship('Notification', lazy="joined", order_by=lambda: Notification.created_on.desc(), back_populates='notifications_to_users')
4928 4927
4929 4928 def mark_as_read(self):
4930 4929 self.read = True
4931 4930 Session().add(self)
4932 4931
4933 4932
4934 4933 class UserNotice(Base, BaseModel):
4935 4934 __tablename__ = 'user_notices'
4936 4935 __table_args__ = (
4937 4936 base_table_args
4938 4937 )
4939 4938
4940 4939 NOTIFICATION_TYPE_MESSAGE = 'message'
4941 4940 NOTIFICATION_TYPE_NOTICE = 'notice'
4942 4941
4943 4942 NOTIFICATION_LEVEL_INFO = 'info'
4944 4943 NOTIFICATION_LEVEL_WARNING = 'warning'
4945 4944 NOTIFICATION_LEVEL_ERROR = 'error'
4946 4945
4947 4946 user_notice_id = Column('gist_id', Integer(), primary_key=True)
4948 4947
4949 4948 notice_subject = Column('notice_subject', Unicode(512), nullable=True)
4950 4949 notice_body = Column('notice_body', UnicodeText().with_variant(UnicodeText(50000), 'mysql'), nullable=True)
4951 4950
4952 4951 notice_read = Column('notice_read', Boolean, default=False)
4953 4952
4954 4953 notification_level = Column('notification_level', String(1024), default=NOTIFICATION_LEVEL_INFO)
4955 4954 notification_type = Column('notification_type', String(1024), default=NOTIFICATION_TYPE_NOTICE)
4956 4955
4957 4956 notice_created_by = Column('notice_created_by', Integer(), ForeignKey('users.user_id'), nullable=True)
4958 4957 notice_created_on = Column('notice_created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
4959 4958
4960 4959 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'))
4961 4960 user = relationship('User', lazy="joined", primaryjoin='User.user_id==UserNotice.user_id')
4962 4961
4963 4962 @classmethod
4964 4963 def create_for_user(cls, user, subject, body, notice_level=NOTIFICATION_LEVEL_INFO, allow_duplicate=False):
4965 4964
4966 4965 if notice_level not in [cls.NOTIFICATION_LEVEL_ERROR,
4967 4966 cls.NOTIFICATION_LEVEL_WARNING,
4968 4967 cls.NOTIFICATION_LEVEL_INFO]:
4969 4968 return
4970 4969
4971 4970 from rhodecode.model.user import UserModel
4972 4971 user = UserModel().get_user(user)
4973 4972
4974 4973 new_notice = UserNotice()
4975 4974 if not allow_duplicate:
4976 4975 existing_msg = UserNotice().query() \
4977 4976 .filter(UserNotice.user == user) \
4978 4977 .filter(UserNotice.notice_body == body) \
4979 4978 .filter(UserNotice.notice_read == false()) \
4980 4979 .scalar()
4981 4980 if existing_msg:
4982 4981 log.warning('Ignoring duplicate notice for user %s', user)
4983 4982 return
4984 4983
4985 4984 new_notice.user = user
4986 4985 new_notice.notice_subject = subject
4987 4986 new_notice.notice_body = body
4988 4987 new_notice.notification_level = notice_level
4989 4988 Session().add(new_notice)
4990 4989 Session().commit()
4991 4990
4992 4991
4993 4992 class Gist(Base, BaseModel):
4994 4993 __tablename__ = 'gists'
4995 4994 __table_args__ = (
4996 4995 Index('g_gist_access_id_idx', 'gist_access_id'),
4997 4996 Index('g_created_on_idx', 'created_on'),
4998 4997 base_table_args
4999 4998 )
5000 4999
5001 5000 GIST_PUBLIC = 'public'
5002 5001 GIST_PRIVATE = 'private'
5003 5002 DEFAULT_FILENAME = 'gistfile1.txt'
5004 5003
5005 5004 ACL_LEVEL_PUBLIC = 'acl_public'
5006 5005 ACL_LEVEL_PRIVATE = 'acl_private'
5007 5006
5008 5007 gist_id = Column('gist_id', Integer(), primary_key=True)
5009 5008 gist_access_id = Column('gist_access_id', Unicode(250))
5010 5009 gist_description = Column('gist_description', UnicodeText().with_variant(UnicodeText(1024), 'mysql'))
5011 5010 gist_owner = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=True)
5012 5011 gist_expires = Column('gist_expires', Float(53), nullable=False)
5013 5012 gist_type = Column('gist_type', Unicode(128), nullable=False)
5014 5013 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
5015 5014 modified_at = Column('modified_at', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
5016 5015 acl_level = Column('acl_level', Unicode(128), nullable=True)
5017 5016
5018 5017 owner = relationship('User', back_populates='user_gists')
5019 5018
5020 5019 def __repr__(self):
5021 5020 return f'<Gist:[{self.gist_type}]{self.gist_access_id}>'
5022 5021
5023 5022 @hybrid_property
5024 5023 def description_safe(self):
5025 5024 from rhodecode.lib import helpers as h
5026 5025 return h.escape(self.gist_description)
5027 5026
5028 5027 @classmethod
5029 5028 def get_or_404(cls, id_):
5030 5029 from pyramid.httpexceptions import HTTPNotFound
5031 5030
5032 5031 res = cls.query().filter(cls.gist_access_id == id_).scalar()
5033 5032 if not res:
5034 5033 log.debug('WARN: No DB entry with id %s', id_)
5035 5034 raise HTTPNotFound()
5036 5035 return res
5037 5036
5038 5037 @classmethod
5039 5038 def get_by_access_id(cls, gist_access_id):
5040 5039 return cls.query().filter(cls.gist_access_id == gist_access_id).scalar()
5041 5040
5042 5041 def gist_url(self):
5043 5042 from rhodecode.model.gist import GistModel
5044 5043 return GistModel().get_url(self)
5045 5044
5046 5045 @classmethod
5047 5046 def base_path(cls):
5048 5047 """
5049 5048 Returns base path when all gists are stored
5050 5049
5051 5050 :param cls:
5052 5051 """
5053 5052 from rhodecode.model.gist import GIST_STORE_LOC
5054 5053 from rhodecode.lib.utils import get_rhodecode_repo_store_path
5055 5054 repo_store_path = get_rhodecode_repo_store_path()
5056 5055 return os.path.join(repo_store_path, GIST_STORE_LOC)
5057 5056
5058 5057 def get_api_data(self):
5059 5058 """
5060 5059 Common function for generating gist related data for API
5061 5060 """
5062 5061 gist = self
5063 5062 data = {
5064 5063 'gist_id': gist.gist_id,
5065 5064 'type': gist.gist_type,
5066 5065 'access_id': gist.gist_access_id,
5067 5066 'description': gist.gist_description,
5068 5067 'url': gist.gist_url(),
5069 5068 'expires': gist.gist_expires,
5070 5069 'created_on': gist.created_on,
5071 5070 'modified_at': gist.modified_at,
5072 5071 'content': None,
5073 5072 'acl_level': gist.acl_level,
5074 5073 }
5075 5074 return data
5076 5075
5077 5076 def __json__(self):
5078 5077 data = dict()
5079 5078 data.update(self.get_api_data())
5080 5079 return data
5081 5080 # SCM functions
5082 5081
5083 5082 def scm_instance(self, **kwargs):
5084 5083 """
5085 5084 Get an instance of VCS Repository
5086 5085
5087 5086 :param kwargs:
5088 5087 """
5089 5088 from rhodecode.model.gist import GistModel
5090 5089 full_repo_path = os.path.join(self.base_path(), self.gist_access_id)
5091 5090 return get_vcs_instance(
5092 5091 repo_path=safe_str(full_repo_path), create=False,
5093 5092 _vcs_alias=GistModel.vcs_backend)
5094 5093
5095 5094
5096 5095 class ExternalIdentity(Base, BaseModel):
5097 5096 __tablename__ = 'external_identities'
5098 5097 __table_args__ = (
5099 5098 Index('local_user_id_idx', 'local_user_id'),
5100 5099 Index('external_id_idx', 'external_id'),
5101 5100 base_table_args
5102 5101 )
5103 5102
5104 5103 external_id = Column('external_id', Unicode(255), default='', primary_key=True)
5105 5104 external_username = Column('external_username', Unicode(1024), default='')
5106 5105 local_user_id = Column('local_user_id', Integer(), ForeignKey('users.user_id'), primary_key=True)
5107 5106 provider_name = Column('provider_name', Unicode(255), default='', primary_key=True)
5108 5107 access_token = Column('access_token', String(1024), default='')
5109 5108 alt_token = Column('alt_token', String(1024), default='')
5110 5109 token_secret = Column('token_secret', String(1024), default='')
5111 5110
5112 5111 @classmethod
5113 5112 def by_external_id_and_provider(cls, external_id, provider_name, local_user_id=None):
5114 5113 """
5115 5114 Returns ExternalIdentity instance based on search params
5116 5115
5117 5116 :param external_id:
5118 5117 :param provider_name:
5119 5118 :return: ExternalIdentity
5120 5119 """
5121 5120 query = cls.query()
5122 5121 query = query.filter(cls.external_id == external_id)
5123 5122 query = query.filter(cls.provider_name == provider_name)
5124 5123 if local_user_id:
5125 5124 query = query.filter(cls.local_user_id == local_user_id)
5126 5125 return query.first()
5127 5126
5128 5127 @classmethod
5129 5128 def user_by_external_id_and_provider(cls, external_id, provider_name):
5130 5129 """
5131 5130 Returns User instance based on search params
5132 5131
5133 5132 :param external_id:
5134 5133 :param provider_name:
5135 5134 :return: User
5136 5135 """
5137 5136 query = User.query()
5138 5137 query = query.filter(cls.external_id == external_id)
5139 5138 query = query.filter(cls.provider_name == provider_name)
5140 5139 query = query.filter(User.user_id == cls.local_user_id)
5141 5140 return query.first()
5142 5141
5143 5142 @classmethod
5144 5143 def by_local_user_id(cls, local_user_id):
5145 5144 """
5146 5145 Returns all tokens for user
5147 5146
5148 5147 :param local_user_id:
5149 5148 :return: ExternalIdentity
5150 5149 """
5151 5150 query = cls.query()
5152 5151 query = query.filter(cls.local_user_id == local_user_id)
5153 5152 return query
5154 5153
5155 5154 @classmethod
5156 5155 def load_provider_plugin(cls, plugin_id):
5157 5156 from rhodecode.authentication.base import loadplugin
5158 5157 _plugin_id = 'egg:rhodecode-enterprise-ee#{}'.format(plugin_id)
5159 5158 auth_plugin = loadplugin(_plugin_id)
5160 5159 return auth_plugin
5161 5160
5162 5161
5163 5162 class Integration(Base, BaseModel):
5164 5163 __tablename__ = 'integrations'
5165 5164 __table_args__ = (
5166 5165 base_table_args
5167 5166 )
5168 5167
5169 5168 integration_id = Column('integration_id', Integer(), primary_key=True)
5170 5169 integration_type = Column('integration_type', String(255))
5171 5170 enabled = Column('enabled', Boolean(), nullable=False)
5172 5171 name = Column('name', String(255), nullable=False)
5173 5172 child_repos_only = Column('child_repos_only', Boolean(), nullable=False, default=False)
5174 5173
5175 5174 settings = Column(
5176 5175 'settings_json', MutationObj.as_mutable(
5177 5176 JsonType(dialect_map=dict(mysql=UnicodeText(16384)))))
5178 5177 repo_id = Column('repo_id', Integer(), ForeignKey('repositories.repo_id'), nullable=True, unique=None, default=None)
5179 5178 repo = relationship('Repository', lazy='joined', back_populates='integrations')
5180 5179
5181 5180 repo_group_id = Column('repo_group_id', Integer(), ForeignKey('groups.group_id'), nullable=True, unique=None, default=None)
5182 5181 repo_group = relationship('RepoGroup', lazy='joined', back_populates='integrations')
5183 5182
5184 5183 @property
5185 5184 def scope(self):
5186 5185 if self.repo:
5187 5186 return repr(self.repo)
5188 5187 if self.repo_group:
5189 5188 if self.child_repos_only:
5190 5189 return repr(self.repo_group) + ' (child repos only)'
5191 5190 else:
5192 5191 return repr(self.repo_group) + ' (recursive)'
5193 5192 if self.child_repos_only:
5194 5193 return 'root_repos'
5195 5194 return 'global'
5196 5195
5197 5196 def __repr__(self):
5198 5197 return '<Integration(%r, %r)>' % (self.integration_type, self.scope)
5199 5198
5200 5199
5201 5200 class RepoReviewRuleUser(Base, BaseModel):
5202 5201 __tablename__ = 'repo_review_rules_users'
5203 5202 __table_args__ = (
5204 5203 base_table_args
5205 5204 )
5206 5205 ROLE_REVIEWER = 'reviewer'
5207 5206 ROLE_OBSERVER = 'observer'
5208 5207 ROLES = [ROLE_REVIEWER, ROLE_OBSERVER]
5209 5208
5210 5209 repo_review_rule_user_id = Column('repo_review_rule_user_id', Integer(), primary_key=True)
5211 5210 repo_review_rule_id = Column("repo_review_rule_id", Integer(), ForeignKey('repo_review_rules.repo_review_rule_id'))
5212 5211 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False)
5213 5212 mandatory = Column("mandatory", Boolean(), nullable=False, default=False)
5214 5213 role = Column('role', Unicode(255), nullable=True, default=ROLE_REVIEWER)
5215 5214 user = relationship('User', back_populates='user_review_rules')
5216 5215
5217 5216 def rule_data(self):
5218 5217 return {
5219 5218 'mandatory': self.mandatory,
5220 5219 'role': self.role,
5221 5220 }
5222 5221
5223 5222
5224 5223 class RepoReviewRuleUserGroup(Base, BaseModel):
5225 5224 __tablename__ = 'repo_review_rules_users_groups'
5226 5225 __table_args__ = (
5227 5226 base_table_args
5228 5227 )
5229 5228
5230 5229 VOTE_RULE_ALL = -1
5231 5230 ROLE_REVIEWER = 'reviewer'
5232 5231 ROLE_OBSERVER = 'observer'
5233 5232 ROLES = [ROLE_REVIEWER, ROLE_OBSERVER]
5234 5233
5235 5234 repo_review_rule_users_group_id = Column('repo_review_rule_users_group_id', Integer(), primary_key=True)
5236 5235 repo_review_rule_id = Column("repo_review_rule_id", Integer(), ForeignKey('repo_review_rules.repo_review_rule_id'))
5237 5236 users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False)
5238 5237 mandatory = Column("mandatory", Boolean(), nullable=False, default=False)
5239 5238 role = Column('role', Unicode(255), nullable=True, default=ROLE_REVIEWER)
5240 5239 vote_rule = Column("vote_rule", Integer(), nullable=True, default=VOTE_RULE_ALL)
5241 5240 users_group = relationship('UserGroup')
5242 5241
5243 5242 def rule_data(self):
5244 5243 return {
5245 5244 'mandatory': self.mandatory,
5246 5245 'role': self.role,
5247 5246 'vote_rule': self.vote_rule
5248 5247 }
5249 5248
5250 5249 @property
5251 5250 def vote_rule_label(self):
5252 5251 if not self.vote_rule or self.vote_rule == self.VOTE_RULE_ALL:
5253 5252 return 'all must vote'
5254 5253 else:
5255 5254 return 'min. vote {}'.format(self.vote_rule)
5256 5255
5257 5256
5258 5257 class RepoReviewRule(Base, BaseModel):
5259 5258 __tablename__ = 'repo_review_rules'
5260 5259 __table_args__ = (
5261 5260 base_table_args
5262 5261 )
5263 5262
5264 5263 repo_review_rule_id = Column(
5265 5264 'repo_review_rule_id', Integer(), primary_key=True)
5266 5265 repo_id = Column(
5267 5266 "repo_id", Integer(), ForeignKey('repositories.repo_id'))
5268 5267 repo = relationship('Repository', back_populates='review_rules')
5269 5268
5270 5269 review_rule_name = Column('review_rule_name', String(255))
5271 5270 _branch_pattern = Column("branch_pattern", UnicodeText().with_variant(UnicodeText(255), 'mysql'), default='*') # glob
5272 5271 _target_branch_pattern = Column("target_branch_pattern", UnicodeText().with_variant(UnicodeText(255), 'mysql'), default='*') # glob
5273 5272 _file_pattern = Column("file_pattern", UnicodeText().with_variant(UnicodeText(255), 'mysql'), default='*') # glob
5274 5273
5275 5274 use_authors_for_review = Column("use_authors_for_review", Boolean(), nullable=False, default=False)
5276 5275
5277 5276 # Legacy fields, just for backward compat
5278 5277 _forbid_author_to_review = Column("forbid_author_to_review", Boolean(), nullable=False, default=False)
5279 5278 _forbid_commit_author_to_review = Column("forbid_commit_author_to_review", Boolean(), nullable=False, default=False)
5280 5279
5281 5280 pr_author = Column("pr_author", UnicodeText().with_variant(UnicodeText(255), 'mysql'), nullable=True)
5282 5281 commit_author = Column("commit_author", UnicodeText().with_variant(UnicodeText(255), 'mysql'), nullable=True)
5283 5282
5284 5283 forbid_adding_reviewers = Column("forbid_adding_reviewers", Boolean(), nullable=False, default=False)
5285 5284
5286 5285 rule_users = relationship('RepoReviewRuleUser')
5287 5286 rule_user_groups = relationship('RepoReviewRuleUserGroup')
5288 5287
5289 5288 def _validate_pattern(self, value):
5290 5289 re.compile('^' + glob2re(value) + '$')
5291 5290
5292 5291 @hybrid_property
5293 5292 def source_branch_pattern(self):
5294 5293 return self._branch_pattern or '*'
5295 5294
5296 5295 @source_branch_pattern.setter
5297 5296 def source_branch_pattern(self, value):
5298 5297 self._validate_pattern(value)
5299 5298 self._branch_pattern = value or '*'
5300 5299
5301 5300 @hybrid_property
5302 5301 def target_branch_pattern(self):
5303 5302 return self._target_branch_pattern or '*'
5304 5303
5305 5304 @target_branch_pattern.setter
5306 5305 def target_branch_pattern(self, value):
5307 5306 self._validate_pattern(value)
5308 5307 self._target_branch_pattern = value or '*'
5309 5308
5310 5309 @hybrid_property
5311 5310 def file_pattern(self):
5312 5311 return self._file_pattern or '*'
5313 5312
5314 5313 @file_pattern.setter
5315 5314 def file_pattern(self, value):
5316 5315 self._validate_pattern(value)
5317 5316 self._file_pattern = value or '*'
5318 5317
5319 5318 @hybrid_property
5320 5319 def forbid_pr_author_to_review(self):
5321 5320 return self.pr_author == 'forbid_pr_author'
5322 5321
5323 5322 @hybrid_property
5324 5323 def include_pr_author_to_review(self):
5325 5324 return self.pr_author == 'include_pr_author'
5326 5325
5327 5326 @hybrid_property
5328 5327 def forbid_commit_author_to_review(self):
5329 5328 return self.commit_author == 'forbid_commit_author'
5330 5329
5331 5330 @hybrid_property
5332 5331 def include_commit_author_to_review(self):
5333 5332 return self.commit_author == 'include_commit_author'
5334 5333
5335 5334 def matches(self, source_branch, target_branch, files_changed):
5336 5335 """
5337 5336 Check if this review rule matches a branch/files in a pull request
5338 5337
5339 5338 :param source_branch: source branch name for the commit
5340 5339 :param target_branch: target branch name for the commit
5341 5340 :param files_changed: list of file paths changed in the pull request
5342 5341 """
5343 5342
5344 5343 source_branch = source_branch or ''
5345 5344 target_branch = target_branch or ''
5346 5345 files_changed = files_changed or []
5347 5346
5348 5347 branch_matches = True
5349 5348 if source_branch or target_branch:
5350 5349 if self.source_branch_pattern == '*':
5351 5350 source_branch_match = True
5352 5351 else:
5353 5352 if self.source_branch_pattern.startswith('re:'):
5354 5353 source_pattern = self.source_branch_pattern[3:]
5355 5354 else:
5356 5355 source_pattern = '^' + glob2re(self.source_branch_pattern) + '$'
5357 5356 source_branch_regex = re.compile(source_pattern)
5358 5357 source_branch_match = bool(source_branch_regex.search(source_branch))
5359 5358 if self.target_branch_pattern == '*':
5360 5359 target_branch_match = True
5361 5360 else:
5362 5361 if self.target_branch_pattern.startswith('re:'):
5363 5362 target_pattern = self.target_branch_pattern[3:]
5364 5363 else:
5365 5364 target_pattern = '^' + glob2re(self.target_branch_pattern) + '$'
5366 5365 target_branch_regex = re.compile(target_pattern)
5367 5366 target_branch_match = bool(target_branch_regex.search(target_branch))
5368 5367
5369 5368 branch_matches = source_branch_match and target_branch_match
5370 5369
5371 5370 files_matches = True
5372 5371 if self.file_pattern != '*':
5373 5372 files_matches = False
5374 5373 if self.file_pattern.startswith('re:'):
5375 5374 file_pattern = self.file_pattern[3:]
5376 5375 else:
5377 5376 file_pattern = glob2re(self.file_pattern)
5378 5377 file_regex = re.compile(file_pattern)
5379 5378 for file_data in files_changed:
5380 5379 filename = file_data.get('filename')
5381 5380
5382 5381 if file_regex.search(filename):
5383 5382 files_matches = True
5384 5383 break
5385 5384
5386 5385 return branch_matches and files_matches
5387 5386
5388 5387 @property
5389 5388 def review_users(self):
5390 5389 """ Returns the users which this rule applies to """
5391 5390
5392 5391 users = collections.OrderedDict()
5393 5392
5394 5393 for rule_user in self.rule_users:
5395 5394 if rule_user.user.active:
5396 5395 if rule_user.user not in users:
5397 5396 users[rule_user.user.username] = {
5398 5397 'user': rule_user.user,
5399 5398 'source': 'user',
5400 5399 'source_data': {},
5401 5400 'data': rule_user.rule_data()
5402 5401 }
5403 5402
5404 5403 for rule_user_group in self.rule_user_groups:
5405 5404 source_data = {
5406 5405 'user_group_id': rule_user_group.users_group.users_group_id,
5407 5406 'name': rule_user_group.users_group.users_group_name,
5408 5407 'members': len(rule_user_group.users_group.members)
5409 5408 }
5410 5409 for member in rule_user_group.users_group.members:
5411 5410 if member.user.active:
5412 5411 key = member.user.username
5413 5412 if key in users:
5414 5413 # skip this member as we have him already
5415 5414 # this prevents from override the "first" matched
5416 5415 # users with duplicates in multiple groups
5417 5416 continue
5418 5417
5419 5418 users[key] = {
5420 5419 'user': member.user,
5421 5420 'source': 'user_group',
5422 5421 'source_data': source_data,
5423 5422 'data': rule_user_group.rule_data()
5424 5423 }
5425 5424
5426 5425 return users
5427 5426
5428 5427 def user_group_vote_rule(self, user_id):
5429 5428
5430 5429 rules = []
5431 5430 if not self.rule_user_groups:
5432 5431 return rules
5433 5432
5434 5433 for user_group in self.rule_user_groups:
5435 5434 user_group_members = [x.user_id for x in user_group.users_group.members]
5436 5435 if user_id in user_group_members:
5437 5436 rules.append(user_group)
5438 5437 return rules
5439 5438
5440 5439 def __repr__(self):
5441 5440 return f'<RepoReviewerRule(id={self.repo_review_rule_id}, repo={self.repo!r})>'
5442 5441
5443 5442
5444 5443 class ScheduleEntry(Base, BaseModel):
5445 5444 __tablename__ = 'schedule_entries'
5446 5445 __table_args__ = (
5447 5446 UniqueConstraint('schedule_name', name='s_schedule_name_idx'),
5448 5447 UniqueConstraint('task_uid', name='s_task_uid_idx'),
5449 5448 base_table_args,
5450 5449 )
5451 5450 SCHEDULE_TYPE_INTEGER = "integer"
5452 5451 SCHEDULE_TYPE_CRONTAB = "crontab"
5453 5452
5454 5453 schedule_types = [SCHEDULE_TYPE_CRONTAB, SCHEDULE_TYPE_INTEGER]
5455 5454 schedule_entry_id = Column('schedule_entry_id', Integer(), primary_key=True)
5456 5455
5457 5456 schedule_name = Column("schedule_name", String(255), nullable=False, unique=None, default=None)
5458 5457 schedule_description = Column("schedule_description", String(10000), nullable=True, unique=None, default=None)
5459 5458 schedule_enabled = Column("schedule_enabled", Boolean(), nullable=False, unique=None, default=True)
5460 5459
5461 5460 _schedule_type = Column("schedule_type", String(255), nullable=False, unique=None, default=None)
5462 5461 schedule_definition = Column('schedule_definition_json', MutationObj.as_mutable(JsonType(default=lambda: "", dialect_map=dict(mysql=LONGTEXT()))))
5463 5462
5464 5463 schedule_last_run = Column('schedule_last_run', DateTime(timezone=False), nullable=True, unique=None, default=None)
5465 5464 schedule_total_run_count = Column('schedule_total_run_count', Integer(), nullable=True, unique=None, default=0)
5466 5465
5467 5466 # task
5468 5467 task_uid = Column("task_uid", String(255), nullable=False, unique=None, default=None)
5469 5468 task_dot_notation = Column("task_dot_notation", String(4096), nullable=False, unique=None, default=None)
5470 5469 task_args = Column('task_args_json', MutationObj.as_mutable(JsonType(default=list, dialect_map=dict(mysql=LONGTEXT()))))
5471 5470 task_kwargs = Column('task_kwargs_json', MutationObj.as_mutable(JsonType(default=dict, dialect_map=dict(mysql=LONGTEXT()))))
5472 5471
5473 5472 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
5474 5473 updated_on = Column('updated_on', DateTime(timezone=False), nullable=True, unique=None, default=None)
5475 5474
5476 5475 @hybrid_property
5477 5476 def schedule_type(self):
5478 5477 return self._schedule_type
5479 5478
5480 5479 @schedule_type.setter
5481 5480 def schedule_type(self, val):
5482 5481 if val not in self.schedule_types:
5483 5482 raise ValueError('Value must be on of `{}` and got `{}`'.format(
5484 5483 val, self.schedule_type))
5485 5484
5486 5485 self._schedule_type = val
5487 5486
5488 5487 @classmethod
5489 5488 def get_uid(cls, obj):
5490 5489 args = obj.task_args
5491 5490 kwargs = obj.task_kwargs
5492 5491 if isinstance(args, JsonRaw):
5493 5492 try:
5494 5493 args = json.loads(args)
5495 5494 except ValueError:
5496 5495 args = tuple()
5497 5496
5498 5497 if isinstance(kwargs, JsonRaw):
5499 5498 try:
5500 5499 kwargs = json.loads(kwargs)
5501 5500 except ValueError:
5502 5501 kwargs = dict()
5503 5502
5504 5503 dot_notation = obj.task_dot_notation
5505 5504 val = '.'.join(map(safe_str, [
5506 5505 sorted(dot_notation), args, sorted(kwargs.items())]))
5507 5506 return sha1(safe_bytes(val))
5508 5507
5509 5508 @classmethod
5510 5509 def get_by_schedule_name(cls, schedule_name):
5511 5510 return cls.query().filter(cls.schedule_name == schedule_name).scalar()
5512 5511
5513 5512 @classmethod
5514 5513 def get_by_schedule_id(cls, schedule_id):
5515 5514 return cls.query().filter(cls.schedule_entry_id == schedule_id).scalar()
5516 5515
5517 5516 @property
5518 5517 def task(self):
5519 5518 return self.task_dot_notation
5520 5519
5521 5520 @property
5522 5521 def schedule(self):
5523 5522 from rhodecode.lib.celerylib.utils import raw_2_schedule
5524 5523 schedule = raw_2_schedule(self.schedule_definition, self.schedule_type)
5525 5524 return schedule
5526 5525
5527 5526 @property
5528 5527 def args(self):
5529 5528 try:
5530 5529 return list(self.task_args or [])
5531 5530 except ValueError:
5532 5531 return list()
5533 5532
5534 5533 @property
5535 5534 def kwargs(self):
5536 5535 try:
5537 5536 return dict(self.task_kwargs or {})
5538 5537 except ValueError:
5539 5538 return dict()
5540 5539
5541 5540 def _as_raw(self, val, indent=False):
5542 5541 if hasattr(val, 'de_coerce'):
5543 5542 val = val.de_coerce()
5544 5543 if val:
5545 5544 if indent:
5546 5545 val = ext_json.formatted_str_json(val)
5547 5546 else:
5548 5547 val = ext_json.str_json(val)
5549 5548
5550 5549 return val
5551 5550
5552 5551 @property
5553 5552 def schedule_definition_raw(self):
5554 5553 return self._as_raw(self.schedule_definition)
5555 5554
5556 5555 def args_raw(self, indent=False):
5557 5556 return self._as_raw(self.task_args, indent)
5558 5557
5559 5558 def kwargs_raw(self, indent=False):
5560 5559 return self._as_raw(self.task_kwargs, indent)
5561 5560
5562 5561 def __repr__(self):
5563 5562 return f'<DB:ScheduleEntry({self.schedule_entry_id}:{self.schedule_name})>'
5564 5563
5565 5564
5566 5565 @event.listens_for(ScheduleEntry, 'before_update')
5567 5566 def update_task_uid(mapper, connection, target):
5568 5567 target.task_uid = ScheduleEntry.get_uid(target)
5569 5568
5570 5569
5571 5570 @event.listens_for(ScheduleEntry, 'before_insert')
5572 5571 def set_task_uid(mapper, connection, target):
5573 5572 target.task_uid = ScheduleEntry.get_uid(target)
5574 5573
5575 5574
5576 5575 class _BaseBranchPerms(BaseModel):
5577 5576 @classmethod
5578 5577 def compute_hash(cls, value):
5579 5578 return sha1_safe(value)
5580 5579
5581 5580 @hybrid_property
5582 5581 def branch_pattern(self):
5583 5582 return self._branch_pattern or '*'
5584 5583
5585 5584 @hybrid_property
5586 5585 def branch_hash(self):
5587 5586 return self._branch_hash
5588 5587
5589 5588 def _validate_glob(self, value):
5590 5589 re.compile('^' + glob2re(value) + '$')
5591 5590
5592 5591 @branch_pattern.setter
5593 5592 def branch_pattern(self, value):
5594 5593 self._validate_glob(value)
5595 5594 self._branch_pattern = value or '*'
5596 5595 # set the Hash when setting the branch pattern
5597 5596 self._branch_hash = self.compute_hash(self._branch_pattern)
5598 5597
5599 5598 def matches(self, branch):
5600 5599 """
5601 5600 Check if this the branch matches entry
5602 5601
5603 5602 :param branch: branch name for the commit
5604 5603 """
5605 5604
5606 5605 branch = branch or ''
5607 5606
5608 5607 branch_matches = True
5609 5608 if branch:
5610 5609 branch_regex = re.compile('^' + glob2re(self.branch_pattern) + '$')
5611 5610 branch_matches = bool(branch_regex.search(branch))
5612 5611
5613 5612 return branch_matches
5614 5613
5615 5614
5616 5615 class UserToRepoBranchPermission(Base, _BaseBranchPerms):
5617 5616 __tablename__ = 'user_to_repo_branch_permissions'
5618 5617 __table_args__ = (
5619 5618 base_table_args
5620 5619 )
5621 5620
5622 5621 branch_rule_id = Column('branch_rule_id', Integer(), primary_key=True)
5623 5622
5624 5623 repository_id = Column('repository_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
5625 5624 repo = relationship('Repository', back_populates='user_branch_perms')
5626 5625
5627 5626 permission_id = Column('permission_id', Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
5628 5627 permission = relationship('Permission')
5629 5628
5630 5629 rule_to_perm_id = Column('rule_to_perm_id', Integer(), ForeignKey('repo_to_perm.repo_to_perm_id'), nullable=False, unique=None, default=None)
5631 5630 user_repo_to_perm = relationship('UserRepoToPerm', back_populates='branch_perm_entry')
5632 5631
5633 5632 rule_order = Column('rule_order', Integer(), nullable=False)
5634 5633 _branch_pattern = Column('branch_pattern', UnicodeText().with_variant(UnicodeText(2048), 'mysql'), default='*') # glob
5635 5634 _branch_hash = Column('branch_hash', UnicodeText().with_variant(UnicodeText(2048), 'mysql'))
5636 5635
5637 5636 def __repr__(self):
5638 5637 return f'<UserBranchPermission({self.user_repo_to_perm} => {self.branch_pattern!r})>'
5639 5638
5640 5639
5641 5640 class UserGroupToRepoBranchPermission(Base, _BaseBranchPerms):
5642 5641 __tablename__ = 'user_group_to_repo_branch_permissions'
5643 5642 __table_args__ = (
5644 5643 base_table_args
5645 5644 )
5646 5645
5647 5646 branch_rule_id = Column('branch_rule_id', Integer(), primary_key=True)
5648 5647
5649 5648 repository_id = Column('repository_id', Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)
5650 5649 repo = relationship('Repository', back_populates='user_group_branch_perms')
5651 5650
5652 5651 permission_id = Column('permission_id', Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)
5653 5652 permission = relationship('Permission')
5654 5653
5655 5654 rule_to_perm_id = Column('rule_to_perm_id', Integer(), ForeignKey('users_group_repo_to_perm.users_group_to_perm_id'), nullable=False, unique=None, default=None)
5656 5655 user_group_repo_to_perm = relationship('UserGroupRepoToPerm', back_populates='user_group_branch_perms')
5657 5656
5658 5657 rule_order = Column('rule_order', Integer(), nullable=False)
5659 5658 _branch_pattern = Column('branch_pattern', UnicodeText().with_variant(UnicodeText(2048), 'mysql'), default='*') # glob
5660 5659 _branch_hash = Column('branch_hash', UnicodeText().with_variant(UnicodeText(2048), 'mysql'))
5661 5660
5662 5661 def __repr__(self):
5663 5662 return f'<UserBranchPermission({self.user_group_repo_to_perm} => {self.branch_pattern!r})>'
5664 5663
5665 5664
5666 5665 class UserBookmark(Base, BaseModel):
5667 5666 __tablename__ = 'user_bookmarks'
5668 5667 __table_args__ = (
5669 5668 UniqueConstraint('user_id', 'bookmark_repo_id'),
5670 5669 UniqueConstraint('user_id', 'bookmark_repo_group_id'),
5671 5670 UniqueConstraint('user_id', 'bookmark_position'),
5672 5671 base_table_args
5673 5672 )
5674 5673
5675 5674 user_bookmark_id = Column("user_bookmark_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)
5676 5675 user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=None, default=None)
5677 5676 position = Column("bookmark_position", Integer(), nullable=False)
5678 5677 title = Column("bookmark_title", String(255), nullable=True, unique=None, default=None)
5679 5678 redirect_url = Column("bookmark_redirect_url", String(10240), nullable=True, unique=None, default=None)
5680 5679 created_on = Column("created_on", DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
5681 5680
5682 5681 bookmark_repo_id = Column("bookmark_repo_id", Integer(), ForeignKey("repositories.repo_id"), nullable=True, unique=None, default=None)
5683 5682 bookmark_repo_group_id = Column("bookmark_repo_group_id", Integer(), ForeignKey("groups.group_id"), nullable=True, unique=None, default=None)
5684 5683
5685 5684 user = relationship("User")
5686 5685
5687 5686 repository = relationship("Repository")
5688 5687 repository_group = relationship("RepoGroup")
5689 5688
5690 5689 @classmethod
5691 5690 def get_by_position_for_user(cls, position, user_id):
5692 5691 return cls.query() \
5693 5692 .filter(UserBookmark.user_id == user_id) \
5694 5693 .filter(UserBookmark.position == position).scalar()
5695 5694
5696 5695 @classmethod
5697 5696 def get_bookmarks_for_user(cls, user_id, cache=True):
5698 5697 bookmarks = select(
5699 5698 UserBookmark.title,
5700 5699 UserBookmark.position,
5701 5700 ) \
5702 5701 .add_columns(Repository.repo_id, Repository.repo_type, Repository.repo_name) \
5703 5702 .add_columns(RepoGroup.group_id, RepoGroup.group_name) \
5704 5703 .where(UserBookmark.user_id == user_id) \
5705 5704 .outerjoin(Repository, Repository.repo_id == UserBookmark.bookmark_repo_id) \
5706 5705 .outerjoin(RepoGroup, RepoGroup.group_id == UserBookmark.bookmark_repo_group_id) \
5707 5706 .order_by(UserBookmark.position.asc())
5708 5707
5709 5708 if cache:
5710 5709 bookmarks = bookmarks.options(
5711 5710 FromCache("sql_cache_short", f"get_user_{user_id}_bookmarks")
5712 5711 )
5713 5712
5714 5713 return Session().execute(bookmarks).all()
5715 5714
5716 5715 def __repr__(self):
5717 5716 return f'<UserBookmark({self.position} @ {self.redirect_url!r})>'
5718 5717
5719 5718
5720 5719 class FileStore(Base, BaseModel):
5721 5720 __tablename__ = 'file_store'
5722 5721 __table_args__ = (
5723 5722 base_table_args
5724 5723 )
5725 5724
5726 5725 file_store_id = Column('file_store_id', Integer(), primary_key=True)
5727 5726 file_uid = Column('file_uid', String(1024), nullable=False)
5728 5727 file_display_name = Column('file_display_name', UnicodeText().with_variant(UnicodeText(2048), 'mysql'), nullable=True)
5729 5728 file_description = Column('file_description', UnicodeText().with_variant(UnicodeText(10240), 'mysql'), nullable=True)
5730 5729 file_org_name = Column('file_org_name', UnicodeText().with_variant(UnicodeText(10240), 'mysql'), nullable=False)
5731 5730
5732 5731 # sha256 hash
5733 5732 file_hash = Column('file_hash', String(512), nullable=False)
5734 5733 file_size = Column('file_size', BigInteger(), nullable=False)
5735 5734
5736 5735 created_on = Column('created_on', DateTime(timezone=False), nullable=False, default=datetime.datetime.now)
5737 5736 accessed_on = Column('accessed_on', DateTime(timezone=False), nullable=True)
5738 5737 accessed_count = Column('accessed_count', Integer(), default=0)
5739 5738
5740 5739 enabled = Column('enabled', Boolean(), nullable=False, default=True)
5741 5740
5742 5741 # if repo/repo_group reference is set, check for permissions
5743 5742 check_acl = Column('check_acl', Boolean(), nullable=False, default=True)
5744 5743
5745 5744 # hidden defines an attachment that should be hidden from showing in artifact listing
5746 5745 hidden = Column('hidden', Boolean(), nullable=False, default=False)
5747 5746
5748 5747 user_id = Column('user_id', Integer(), ForeignKey('users.user_id'), nullable=False)
5749 5748 upload_user = relationship('User', lazy='joined', primaryjoin='User.user_id==FileStore.user_id', back_populates='artifacts')
5750 5749
5751 5750 file_metadata = relationship('FileStoreMetadata', lazy='joined')
5752 5751
5753 5752 # scope limited to user, which requester have access to
5754 5753 scope_user_id = Column(
5755 5754 'scope_user_id', Integer(), ForeignKey('users.user_id'),
5756 5755 nullable=True, unique=None, default=None)
5757 5756 user = relationship('User', lazy='joined', primaryjoin='User.user_id==FileStore.scope_user_id', back_populates='scope_artifacts')
5758 5757
5759 5758 # scope limited to user group, which requester have access to
5760 5759 scope_user_group_id = Column(
5761 5760 'scope_user_group_id', Integer(), ForeignKey('users_groups.users_group_id'),
5762 5761 nullable=True, unique=None, default=None)
5763 5762 user_group = relationship('UserGroup', lazy='joined')
5764 5763
5765 5764 # scope limited to repo, which requester have access to
5766 5765 scope_repo_id = Column(
5767 5766 'scope_repo_id', Integer(), ForeignKey('repositories.repo_id'),
5768 5767 nullable=True, unique=None, default=None)
5769 5768 repo = relationship('Repository', lazy='joined')
5770 5769
5771 5770 # scope limited to repo group, which requester have access to
5772 5771 scope_repo_group_id = Column(
5773 5772 'scope_repo_group_id', Integer(), ForeignKey('groups.group_id'),
5774 5773 nullable=True, unique=None, default=None)
5775 5774 repo_group = relationship('RepoGroup', lazy='joined')
5776 5775
5777 5776 @classmethod
5778 5777 def get_scope(cls, scope_type, scope_id):
5779 5778 if scope_type == 'repo':
5780 5779 return f'repo:{scope_id}'
5781 5780 elif scope_type == 'repo-group':
5782 5781 return f'repo-group:{scope_id}'
5783 5782 elif scope_type == 'user':
5784 5783 return f'user:{scope_id}'
5785 5784 elif scope_type == 'user-group':
5786 5785 return f'user-group:{scope_id}'
5787 5786 else:
5788 5787 return scope_type
5789 5788
5790 5789 @classmethod
5791 5790 def get_by_store_uid(cls, file_store_uid, safe=False):
5792 5791 if safe:
5793 5792 return FileStore.query().filter(FileStore.file_uid == file_store_uid).first()
5794 5793 else:
5795 5794 return FileStore.query().filter(FileStore.file_uid == file_store_uid).scalar()
5796 5795
5797 5796 @classmethod
5798 5797 def create(cls, file_uid, filename, file_hash, file_size, file_display_name='',
5799 5798 file_description='', enabled=True, hidden=False, check_acl=True,
5800 5799 user_id=None, scope_user_id=None, scope_repo_id=None, scope_repo_group_id=None):
5801 5800
5802 5801 store_entry = FileStore()
5803 5802 store_entry.file_uid = file_uid
5804 5803 store_entry.file_display_name = file_display_name
5805 5804 store_entry.file_org_name = filename
5806 5805 store_entry.file_size = file_size
5807 5806 store_entry.file_hash = file_hash
5808 5807 store_entry.file_description = file_description
5809 5808
5810 5809 store_entry.check_acl = check_acl
5811 5810 store_entry.enabled = enabled
5812 5811 store_entry.hidden = hidden
5813 5812
5814 5813 store_entry.user_id = user_id
5815 5814 store_entry.scope_user_id = scope_user_id
5816 5815 store_entry.scope_repo_id = scope_repo_id
5817 5816 store_entry.scope_repo_group_id = scope_repo_group_id
5818 5817
5819 5818 return store_entry
5820 5819
5821 5820 @classmethod
5822 5821 def store_metadata(cls, file_store_id, args, commit=True):
5823 5822 file_store = FileStore.get(file_store_id)
5824 5823 if file_store is None:
5825 5824 return
5826 5825
5827 5826 for section, key, value, value_type in args:
5828 5827 has_key = FileStoreMetadata().query() \
5829 5828 .filter(FileStoreMetadata.file_store_id == file_store.file_store_id) \
5830 5829 .filter(FileStoreMetadata.file_store_meta_section == section) \
5831 5830 .filter(FileStoreMetadata.file_store_meta_key == key) \
5832 5831 .scalar()
5833 5832 if has_key:
5834 5833 msg = 'key `{}` already defined under section `{}` for this file.'\
5835 5834 .format(key, section)
5836 5835 raise ArtifactMetadataDuplicate(msg, err_section=section, err_key=key)
5837 5836
5838 5837 # NOTE(marcink): raises ArtifactMetadataBadValueType
5839 5838 FileStoreMetadata.valid_value_type(value_type)
5840 5839
5841 5840 meta_entry = FileStoreMetadata()
5842 5841 meta_entry.file_store = file_store
5843 5842 meta_entry.file_store_meta_section = section
5844 5843 meta_entry.file_store_meta_key = key
5845 5844 meta_entry.file_store_meta_value_type = value_type
5846 5845 meta_entry.file_store_meta_value = value
5847 5846
5848 5847 Session().add(meta_entry)
5849 5848
5850 5849 try:
5851 5850 if commit:
5852 5851 Session().commit()
5853 5852 except IntegrityError:
5854 5853 Session().rollback()
5855 5854 raise ArtifactMetadataDuplicate('Duplicate section/key found for this file.')
5856 5855
5857 5856 @classmethod
5858 5857 def bump_access_counter(cls, file_uid, commit=True):
5859 5858 FileStore().query()\
5860 5859 .filter(FileStore.file_uid == file_uid)\
5861 5860 .update({FileStore.accessed_count: (FileStore.accessed_count + 1),
5862 5861 FileStore.accessed_on: datetime.datetime.now()})
5863 5862 if commit:
5864 5863 Session().commit()
5865 5864
5866 5865 def __json__(self):
5867 5866 data = {
5868 5867 'filename': self.file_display_name,
5869 5868 'filename_org': self.file_org_name,
5870 5869 'file_uid': self.file_uid,
5871 5870 'description': self.file_description,
5872 5871 'hidden': self.hidden,
5873 5872 'size': self.file_size,
5874 5873 'created_on': self.created_on,
5875 5874 'uploaded_by': self.upload_user.get_api_data(details='basic'),
5876 5875 'downloaded_times': self.accessed_count,
5877 5876 'sha256': self.file_hash,
5878 5877 'metadata': self.file_metadata,
5879 5878 }
5880 5879
5881 5880 return data
5882 5881
5883 5882 def __repr__(self):
5884 5883 return f'<FileStore({self.file_store_id})>'
5885 5884
5886 5885
5887 5886 class FileStoreMetadata(Base, BaseModel):
5888 5887 __tablename__ = 'file_store_metadata'
5889 5888 __table_args__ = (
5890 5889 UniqueConstraint('file_store_id', 'file_store_meta_section_hash', 'file_store_meta_key_hash'),
5891 5890 Index('file_store_meta_section_idx', 'file_store_meta_section', mysql_length=255),
5892 5891 Index('file_store_meta_key_idx', 'file_store_meta_key', mysql_length=255),
5893 5892 base_table_args
5894 5893 )
5895 5894 SETTINGS_TYPES = {
5896 5895 'str': safe_str,
5897 5896 'int': safe_int,
5898 5897 'unicode': safe_str,
5899 5898 'bool': str2bool,
5900 5899 'list': functools.partial(aslist, sep=',')
5901 5900 }
5902 5901
5903 5902 file_store_meta_id = Column(
5904 5903 "file_store_meta_id", Integer(), nullable=False, unique=True, default=None,
5905 5904 primary_key=True)
5906 5905 _file_store_meta_section = Column(
5907 5906 "file_store_meta_section", UnicodeText().with_variant(UnicodeText(1024), 'mysql'),
5908 5907 nullable=True, unique=None, default=None)
5909 5908 _file_store_meta_section_hash = Column(
5910 5909 "file_store_meta_section_hash", String(255),
5911 5910 nullable=True, unique=None, default=None)
5912 5911 _file_store_meta_key = Column(
5913 5912 "file_store_meta_key", UnicodeText().with_variant(UnicodeText(1024), 'mysql'),
5914 5913 nullable=True, unique=None, default=None)
5915 5914 _file_store_meta_key_hash = Column(
5916 5915 "file_store_meta_key_hash", String(255), nullable=True, unique=None, default=None)
5917 5916 _file_store_meta_value = Column(
5918 5917 "file_store_meta_value", UnicodeText().with_variant(UnicodeText(20480), 'mysql'),
5919 5918 nullable=True, unique=None, default=None)
5920 5919 _file_store_meta_value_type = Column(
5921 5920 "file_store_meta_value_type", String(255), nullable=True, unique=None,
5922 5921 default='unicode')
5923 5922
5924 5923 file_store_id = Column(
5925 5924 'file_store_id', Integer(), ForeignKey('file_store.file_store_id'),
5926 5925 nullable=True, unique=None, default=None)
5927 5926
5928 5927 file_store = relationship('FileStore', lazy='joined', viewonly=True)
5929 5928
5930 5929 @classmethod
5931 5930 def valid_value_type(cls, value):
5932 5931 if value.split('.')[0] not in cls.SETTINGS_TYPES:
5933 5932 raise ArtifactMetadataBadValueType(
5934 5933 'value_type must be one of %s got %s' % (cls.SETTINGS_TYPES.keys(), value))
5935 5934
5936 5935 @hybrid_property
5937 5936 def file_store_meta_section(self):
5938 5937 return self._file_store_meta_section
5939 5938
5940 5939 @file_store_meta_section.setter
5941 5940 def file_store_meta_section(self, value):
5942 5941 self._file_store_meta_section = value
5943 5942 self._file_store_meta_section_hash = _hash_key(value)
5944 5943
5945 5944 @hybrid_property
5946 5945 def file_store_meta_key(self):
5947 5946 return self._file_store_meta_key
5948 5947
5949 5948 @file_store_meta_key.setter
5950 5949 def file_store_meta_key(self, value):
5951 5950 self._file_store_meta_key = value
5952 5951 self._file_store_meta_key_hash = _hash_key(value)
5953 5952
5954 5953 @hybrid_property
5955 5954 def file_store_meta_value(self):
5956 5955 val = self._file_store_meta_value
5957 5956
5958 5957 if self._file_store_meta_value_type:
5959 5958 # e.g unicode.encrypted == unicode
5960 5959 _type = self._file_store_meta_value_type.split('.')[0]
5961 5960 # decode the encrypted value if it's encrypted field type
5962 5961 if '.encrypted' in self._file_store_meta_value_type:
5963 5962 cipher = EncryptedTextValue()
5964 5963 val = safe_str(cipher.process_result_value(val, None))
5965 5964 # do final type conversion
5966 5965 converter = self.SETTINGS_TYPES.get(_type) or self.SETTINGS_TYPES['unicode']
5967 5966 val = converter(val)
5968 5967
5969 5968 return val
5970 5969
5971 5970 @file_store_meta_value.setter
5972 5971 def file_store_meta_value(self, val):
5973 5972 val = safe_str(val)
5974 5973 # encode the encrypted value
5975 5974 if '.encrypted' in self.file_store_meta_value_type:
5976 5975 cipher = EncryptedTextValue()
5977 5976 val = safe_str(cipher.process_bind_param(val, None))
5978 5977 self._file_store_meta_value = val
5979 5978
5980 5979 @hybrid_property
5981 5980 def file_store_meta_value_type(self):
5982 5981 return self._file_store_meta_value_type
5983 5982
5984 5983 @file_store_meta_value_type.setter
5985 5984 def file_store_meta_value_type(self, val):
5986 5985 # e.g unicode.encrypted
5987 5986 self.valid_value_type(val)
5988 5987 self._file_store_meta_value_type = val
5989 5988
5990 5989 def __json__(self):
5991 5990 data = {
5992 5991 'artifact': self.file_store.file_uid,
5993 5992 'section': self.file_store_meta_section,
5994 5993 'key': self.file_store_meta_key,
5995 5994 'value': self.file_store_meta_value,
5996 5995 }
5997 5996
5998 5997 return data
5999 5998
6000 5999 def __repr__(self):
6001 6000 return '<%s[%s]%s=>%s]>' % (self.cls_name, self.file_store_meta_section,
6002 6001 self.file_store_meta_key, self.file_store_meta_value)
6003 6002
6004 6003
6005 6004 class DbMigrateVersion(Base, BaseModel):
6006 6005 __tablename__ = 'db_migrate_version'
6007 6006 __table_args__ = (
6008 6007 base_table_args,
6009 6008 )
6010 6009
6011 6010 repository_id = Column('repository_id', String(250), primary_key=True)
6012 6011 repository_path = Column('repository_path', Text)
6013 6012 version = Column('version', Integer)
6014 6013
6015 6014 @classmethod
6016 6015 def set_version(cls, version):
6017 6016 """
6018 6017 Helper for forcing a different version, usually for debugging purposes via ishell.
6019 6018 """
6020 6019 ver = DbMigrateVersion.query().first()
6021 6020 ver.version = version
6022 6021 Session().commit()
6023 6022
6024 6023
6025 6024 class DbSession(Base, BaseModel):
6026 6025 __tablename__ = 'db_session'
6027 6026 __table_args__ = (
6028 6027 base_table_args,
6029 6028 )
6030 6029
6031 6030 def __repr__(self):
6032 6031 return f'<DB:DbSession({self.id})>'
6033 6032
6034 6033 id = Column('id', Integer())
6035 6034 namespace = Column('namespace', String(255), primary_key=True)
6036 6035 accessed = Column('accessed', DateTime, nullable=False)
6037 6036 created = Column('created', DateTime, nullable=False)
6038 6037 data = Column('data', PickleType, nullable=False)
@@ -1,134 +1,139 b''
1 1 <%inherit file="/base/base.mako"/>
2 2
3 3 <%def name="title()">
4 4 ${_('Authentication Settings')}
5 5 %if c.rhodecode_name:
6 6 &middot; ${h.branding(c.rhodecode_name)}}
7 7 %endif
8 8 </%def>
9 9
10 10 <%def name="breadcrumbs_links()">
11 11 ${h.link_to(_('Admin'),h.route_path('admin_home'))}
12 12 &raquo;
13 13 ${h.link_to(_('Authentication Plugins'),request.resource_path(resource.__parent__, route_name='auth_home'))}
14 14 &raquo;
15 15 ${resource.display_name}
16 16 </%def>
17 17
18 18 <%def name="menu_bar_nav()">
19 19 ${self.menu_items(active='admin')}
20 20 </%def>
21 21
22 22 <%def name="menu_bar_subnav()">
23 23 ${self.admin_menu(active='authentication')}
24 24 </%def>
25 25
26 26 <%def name="main()">
27 27
28 28 <div class="box">
29 29
30 30 <div class='sidebar-col-wrapper'>
31 31
32 32 <div class="sidebar">
33 33 <ul class="nav nav-pills nav-stacked">
34 34 % for item in resource.get_root().get_nav_list():
35 35 <li ${('class=active' if item == resource else '')}>
36 36 <a href="${request.resource_path(item, route_name='auth_home')}">${item.display_name}</a>
37 37 </li>
38 38 % endfor
39 39 </ul>
40 40 </div>
41 41
42 42 <div class="main-content-full-width">
43 43 <div class="panel panel-default">
44 44 <div class="panel-heading">
45 45 <h3 class="panel-title">${_('Plugin')}: ${resource.display_name}</h3>
46 46 </div>
47 47 <div class="panel-body">
48 48 <div class="plugin_form">
49 49 <div class="fields">
50 50 ${h.secure_form(request.resource_path(resource, route_name='auth_home'), request=request)}
51 51 <div class="form">
52 52
53 53 %for node in plugin.get_settings_schema():
54 54 <%
55 55 label_to_type = {'label-checkbox': 'bool', 'label-textarea': 'textarea'}
56 56 %>
57 57
58 58 <div class="field">
59 59 <div class="label ${label_to_type.get(node.widget)}"><label for="${node.name}">${node.title}</label></div>
60 60 <div class="input">
61 61 %if node.widget in ["string", "int", "unicode"]:
62 62 ${h.text(node.name, defaults.get(node.name), class_="large")}
63 63 %elif node.widget == "password":
64 64 ${h.password(node.name, defaults.get(node.name), class_="large")}
65 65 %elif node.widget == "bool":
66 <div class="checkbox">${h.checkbox(node.name, True, checked=defaults.get(node.name))}</div>
66 %if node.name == "global_2fa" and c.rhodecode_edition_id != "EE":
67 <input type="checkbox" disabled/>
68 <%node.description = _('This feature is available in RhodeCode EE edition only. Contact {sales_email} to obtain a trial license.').format(sales_email='<a href="mailto:sales@rhodecode.com">sales@rhodecode.com</a>')%>
69 %else:
70 <div class="checkbox" >${h.checkbox(node.name, True, checked=defaults.get(node.name))}</div>
71 %endif
67 72 %elif node.widget == "select":
68 73 ${h.select(node.name, defaults.get(node.name), node.validator.choices, class_="select2AuthSetting")}
69 74 %elif node.widget == "select_with_labels":
70 75 ${h.select(node.name, defaults.get(node.name), node.choices, class_="select2AuthSetting")}
71 76 %elif node.widget == "textarea":
72 77 <div class="textarea" style="margin-left: 0px">${h.textarea(node.name, defaults.get(node.name), rows=10)}</div>
73 78 %elif node.widget == "readonly":
74 79 ${node.default}
75 80 %else:
76 81 This field is of type ${node.typ}, which cannot be displayed. Must be one of [string|int|bool|select].
77 82 %endif
78 83
79 84 %if node.name in errors:
80 85 <span class="error-message">${errors.get(node.name)}</span>
81 86 <br />
82 87 %endif
83 <p class="help-block pre-formatting">${node.description}</p>
88 <p class="help-block pre-formatting">${node.description | n}</p>
84 89 </div>
85 90 </div>
86 91 %endfor
87 92
88 93 ## Allow derived templates to add something below the form
89 94 ## input fields
90 95 %if hasattr(next, 'below_form_fields'):
91 96 ${next.below_form_fields()}
92 97 %endif
93 98
94 99 <div class="buttons">
95 100 ${h.submit('save',_('Save'),class_="btn")}
96 101 </div>
97 102
98 103 </div>
99 104 ${h.end_form()}
100 105 </div>
101 106 </div>
102 107
103 108 % if request.GET.get('schema'):
104 109 ## this is for development and creation of example configurations for documentation
105 110 <pre>
106 111 % for node in plugin.get_settings_schema():
107 112 *option*: `${node.name}` => `${defaults.get(node.name)}`${'\n # '.join(['']+node.description.splitlines())}
108 113
109 114 % endfor
110 115 </pre>
111 116
112 117 % endif
113 118
114 119 </div>
115 120 </div>
116 121 </div>
117 122
118 123 </div>
119 124 </div>
120 125
121 126
122 127 <script>
123 128 $(document).ready(function() {
124 129 var select2Options = {
125 130 containerCssClass: 'drop-menu',
126 131 dropdownCssClass: 'drop-menu-dropdown',
127 132 dropdownAutoWidth: true,
128 133 minimumResultsForSearch: -1
129 134 };
130 135 $('.select2AuthSetting').select2(select2Options);
131 136
132 137 });
133 138 </script>
134 139 </%def>
General Comments 0
You need to be logged in to leave comments. Login now