rhodecode-enterprise-ce Commit - r3478:6cd9b768

Issue - ability to disable server-side SSH key generation...

csalgau -

r3478:6cd9b768 default

parent child

configs/development.ini

0 +4 0

             ################################################################################
             ##                RHODECODE COMMUNITY  EDITION CONFIGURATION                  ##
             ################################################################################
             [DEFAULT]
             ## Debug flag sets all loggers to debug, and enables request tracking
             debug = true
             ################################################################################
             ##                            EMAIL CONFIGURATION                             ##
             ## Uncomment and replace with the email address which should receive          ##
             ## any error reports after an application crash                               ##
             ## Additionally these settings will be used by the RhodeCode mailing system   ##
             ################################################################################
             ## prefix all emails subjects with given prefix, helps filtering out emails
             #email_prefix = [RhodeCode]
             ## email FROM address all mails will be sent
             #app_email_from = rhodecode-noreply@localhost
             #smtp_server = mail.server.com
             #smtp_username =
             #smtp_password =
             #smtp_port =
             #smtp_use_tls = false
             #smtp_use_ssl = true
             [server:main]
             ## COMMON ##
             host = 127.0.0.1
             port = 5000
             ###########################################################
             ## WAITRESS WSGI SERVER - Recommended for Development  ####
             ###########################################################
             use = egg:waitress#main
             ## number of worker threads
             threads = 5
             ## MAX BODY SIZE 100GB
             max_request_body_size = 107374182400
             ## Use poll instead of select, fixes file descriptors limits problems.
             ## May not work on old windows systems.
             asyncore_use_poll = true
             ##########################
             ## GUNICORN WSGI SERVER ##
             ##########################
             ## run with gunicorn --log-config rhodecode.ini --paste rhodecode.ini
             #use = egg:gunicorn#main
             ## Sets the number of process workers. More workers means more concurent connections
             ## RhodeCode can handle at the same time. Each additional worker also it increases
             ## memory usage as each has it's own set of caches.
             ## Recommended value is (2 * NUMBER_OF_CPUS + 1), eg 2CPU = 5 workers, but no more
             ## than 8-10 unless for really big deployments .e.g 700-1000 users.
             ## `instance_id = *` must be set in the [app:main] section below (which is the default)
             ## when using more than 1 worker.
             #workers = 2
             ## process name visible in process list
             #proc_name = rhodecode
             ## type of worker class, one of sync, gevent
             ## recommended for bigger setup is using of of other than sync one
             #worker_class = gevent
             ## The maximum number of simultaneous clients. Valid only for Gevent
             #worker_connections = 10
             ## max number of requests that worker will handle before being gracefully
             ## restarted, could prevent memory leaks
             #max_requests = 1000
             #max_requests_jitter = 30
             ## amount of time a worker can spend with handling a request before it
             ## gets killed and restarted. Set to 6hrs
             #timeout = 21600
             ## prefix middleware for RhodeCode.
             ## recommended when using proxy setup.
             ## allows to set RhodeCode under a prefix in server.
             ## eg https://server.com/custom_prefix. Enable `filter-with =` option below as well.
             ## And set your prefix like: `prefix = /custom_prefix`
             ## be sure to also set beaker.session.cookie_path = /custom_prefix if you need
             ## to make your cookies only work on prefix url
             [filter:proxy-prefix]
             use = egg:PasteDeploy#prefix
             prefix = /
             [app:main]
             ## The %(here)s variable will be replaced with the absolute path of parent directory
             ## of this file
             ## In addition ENVIRONMENT variables usage is possible, e.g
             ## sqlalchemy.db1.url = {ENV_RC_DB_URL}
             use = egg:rhodecode-enterprise-ce
             ## enable proxy prefix middleware, defined above
             #filter-with = proxy-prefix
             # During development the we want to have the debug toolbar enabled
             pyramid.includes =
                 pyramid_debugtoolbar
                 rhodecode.lib.middleware.request_wrapper
             pyramid.reload_templates = true
             debugtoolbar.hosts = 0.0.0.0/0
             debugtoolbar.exclude_prefixes =
                 /css
                 /fonts
                 /images
                 /js
             ## RHODECODE PLUGINS ##
             rhodecode.includes =
                 rhodecode.api
             # api prefix url
             rhodecode.api.url = /_admin/api
             ## END RHODECODE PLUGINS ##
             ## encryption key used to encrypt social plugin tokens,
             ## remote_urls with credentials etc, if not set it defaults to
             ## `beaker.session.secret`
             #rhodecode.encrypted_values.secret =
             ## decryption strict mode (enabled by default). It controls if decryption raises
             ## `SignatureVerificationError` in case of wrong key, or damaged encryption data.
             #rhodecode.encrypted_values.strict = false
             ## return gzipped responses from Rhodecode (static files/application)
             gzip_responses = false
             ## autogenerate javascript routes file on startup
             generate_js_files = false
             ## System global default language.
             ## All available languages: en(default), be, de, es, fr, it, ja, pl, pt, ru, zh
             lang = en
             ## Perform a full repository scan and import on each server start.
             ## Settings this to true could lead to very long startup time.
             startup.import_repos = false
             ## Uncomment and set this path to use archive download cache.
             ## Once enabled, generated archives will be cached at this location
             ## and served from the cache during subsequent requests for the same archive of
             ## the repository.
             #archive_cache_dir = /tmp/tarballcache
             ## URL at which the application is running. This is used for bootstraping
             ## requests in context when no web request is available. Used in ishell, or
             ## SSH calls. Set this for events to receive proper url for SSH calls.
             app.base_url = http://rhodecode.local
             ## Unique application ID. Should be a random unique string for security.
             app_instance_uuid = rc-production
             ## Cut off limit for large diffs (size in bytes). If overall diff size on
             ## commit, or pull request exceeds this limit this diff will be displayed
             ## partially. E.g 512000 == 512Kb
             cut_off_limit_diff = 512000
             ## Cut off limit for large files inside diffs (size in bytes). Each individual
             ## file inside diff which exceeds this limit will be displayed partially.
             ##  E.g 128000 == 128Kb
             cut_off_limit_file = 128000
             ## use cached version of vcs repositories everywhere. Recommended to be `true`
             vcs_full_cache = true
             ## Force https in RhodeCode, fixes https redirects, assumes it's always https.
             ## Normally this is controlled by proper http flags sent from http server
             force_https = false
             ## use Strict-Transport-Security headers
             use_htsts = false
             ## git rev filter option, --all is the default filter, if you need to
             ## hide all refs in changelog switch this to --branches --tags
             git_rev_filter = --branches --tags
             # Set to true if your repos are exposed using the dumb protocol
             git_update_server_info = false
             ## RSS/ATOM feed options
             rss_cut_off_limit = 256000
             rss_items_per_page = 10
             rss_include_diff = false
             ## gist URL alias, used to create nicer urls for gist. This should be an
             ## url that does rewrites to _admin/gists/{gistid}.
             ## example: http://gist.rhodecode.org/{gistid}. Empty means use the internal
             ## RhodeCode url, ie. http[s]://rhodecode.server/_admin/gists/{gistid}
             gist_alias_url =
             ## List of views (using glob pattern syntax) that AUTH TOKENS could be
             ## used for access.
             ## Adding ?auth_token=TOKEN_HASH to the url authenticates this request as if it
             ## came from the the logged in user who own this authentication token.
             ## Additionally @TOKEN syntaxt can be used to bound the view to specific
             ## authentication token. Such view would be only accessible when used together
             ## with this authentication token
             ##
             ## list of all views can be found under `/_admin/permissions/auth_token_access`
             ## The list should be "," separated and on a single line.
             ##
             ## Most common views to enable:
             #    RepoCommitsView:repo_commit_download
             #    RepoCommitsView:repo_commit_patch
             #    RepoCommitsView:repo_commit_raw
             #    RepoCommitsView:repo_commit_raw@TOKEN
             #    RepoFilesView:repo_files_diff
             #    RepoFilesView:repo_archivefile
             #    RepoFilesView:repo_file_raw
             #    GistView:*
             api_access_controllers_whitelist =
             ## Default encoding used to convert from and to unicode
             ## can be also a comma separated list of encoding in case of mixed encodings
             default_encoding = UTF-8
             ## instance-id prefix
             ## a prefix key for this instance used for cache invalidation when running
             ## multiple instances of rhodecode, make sure it's globally unique for
             ## all running rhodecode instances. Leave empty if you don't use it
             instance_id =
             ## Fallback authentication plugin. Set this to a plugin ID to force the usage
             ## of an authentication plugin also if it is disabled by it's settings.
             ## This could be useful if you are unable to log in to the system due to broken
             ## authentication settings. Then you can enable e.g. the internal rhodecode auth
             ## module to log in again and fix the settings.
             ##
             ## Available builtin plugin IDs (hash is part of the ID):
             ## egg:rhodecode-enterprise-ce#rhodecode
             ## egg:rhodecode-enterprise-ce#pam
             ## egg:rhodecode-enterprise-ce#ldap
             ## egg:rhodecode-enterprise-ce#jasig_cas
             ## egg:rhodecode-enterprise-ce#headers
             ## egg:rhodecode-enterprise-ce#crowd
             #rhodecode.auth_plugin_fallback = egg:rhodecode-enterprise-ce#rhodecode
             ## alternative return HTTP header for failed authentication. Default HTTP
             ## response is 401 HTTPUnauthorized. Currently HG clients have troubles with
             ## handling that causing a series of failed authentication calls.
             ## Set this variable to 403 to return HTTPForbidden, or any other HTTP code
             ## This will be served instead of default 401 on bad authnetication
             auth_ret_code =
             ## use special detection method when serving auth_ret_code, instead of serving
             ## ret_code directly, use 401 initially (Which triggers credentials prompt)
             ## and then serve auth_ret_code to clients
             auth_ret_code_detection = false
             ## locking return code. When repository is locked return this HTTP code. 2XX
             ## codes don't break the transactions while 4XX codes do
             lock_ret_code = 423
             ## allows to change the repository location in settings page
             allow_repo_location_change = true
             ## allows to setup custom hooks in settings page
             allow_custom_hooks_settings = true
             ## Generated license token required for EE edition license.
             ## New generated token value can be found in Admin > settings > license page.
             license_token =
             ## supervisor connection uri, for managing supervisor and logs.
             supervisor.uri =
             ## supervisord group name/id we only want this RC instance to handle
             supervisor.group_id = dev
             ## Display extended labs settings
             labs_settings_active = true
             ## Custom exception store path, defaults to TMPDIR
             ## This is used to store exception from RhodeCode in shared directory
             #exception_tracker.store_path =
             ## File store configuration. This is used to store and serve uploaded files
             file_store.enabled = true
             ## backend, only available one is local
             file_store.backend = local
             ## path to store the uploaded binaries
             file_store.storage_path = %(here)s/data/file_store
             ####################################
             ###        CELERY CONFIG        ####
             ####################################
             ## run: /path/to/celery worker \
             ##     -E --beat --app rhodecode.lib.celerylib.loader \
             ##     --scheduler rhodecode.lib.celerylib.scheduler.RcScheduler \
             ##     --loglevel DEBUG --ini /path/to/rhodecode.ini
             use_celery = false
             ## connection url to the message broker (default rabbitmq)
             celery.broker_url = amqp://rabbitmq:qweqwe@localhost:5672/rabbitmqhost
             ## maximum tasks to execute before worker restart
             celery.max_tasks_per_child = 100
             ## tasks will never be sent to the queue, but executed locally instead.
             celery.task_always_eager = false
             #####################################
             ###         DOGPILE CACHE        ####
             #####################################
             ## Default cache dir for caches.  Putting this into a ramdisk
             ## can boost performance, eg. /tmpfs/data_ramdisk, however this directory might require
             ## large amount of space
             cache_dir = %(here)s/data
             ## `cache_perms` cache settings for permission tree, auth TTL.
             rc_cache.cache_perms.backend = dogpile.cache.rc.file_namespace
             rc_cache.cache_perms.expiration_time = 300
             ## alternative `cache_perms` redis backend with distributed lock
             #rc_cache.cache_perms.backend = dogpile.cache.rc.redis
             #rc_cache.cache_perms.expiration_time = 300
             ## redis_expiration_time needs to be greater then expiration_time
             #rc_cache.cache_perms.arguments.redis_expiration_time = 7200
             #rc_cache.cache_perms.arguments.socket_timeout = 30
             #rc_cache.cache_perms.arguments.host = localhost
             #rc_cache.cache_perms.arguments.port = 6379
             #rc_cache.cache_perms.arguments.db = 0
             #rc_cache.cache_perms.arguments.distributed_lock = true
             ## `cache_repo` cache settings for FileTree, Readme, RSS FEEDS
             rc_cache.cache_repo.backend = dogpile.cache.rc.file_namespace
             rc_cache.cache_repo.expiration_time = 2592000
             ## alternative `cache_repo` redis backend with distributed lock
             #rc_cache.cache_repo.backend = dogpile.cache.rc.redis
             #rc_cache.cache_repo.expiration_time = 2592000
             ## redis_expiration_time needs to be greater then expiration_time
             #rc_cache.cache_repo.arguments.redis_expiration_time = 2678400
             #rc_cache.cache_repo.arguments.socket_timeout = 30
             #rc_cache.cache_repo.arguments.host = localhost
             #rc_cache.cache_repo.arguments.port = 6379
             #rc_cache.cache_repo.arguments.db = 1
             #rc_cache.cache_repo.arguments.distributed_lock = true
             ## cache settings for SQL queries, this needs to use memory type backend
             rc_cache.sql_cache_short.backend = dogpile.cache.rc.memory_lru
             rc_cache.sql_cache_short.expiration_time = 30
             ## `cache_repo_longterm` cache for repo object instances, this needs to use memory
             ## type backend as the objects kept are not pickle serializable
             rc_cache.cache_repo_longterm.backend = dogpile.cache.rc.memory_lru
             ## by default we use 96H, this is using invalidation on push anyway
             rc_cache.cache_repo_longterm.expiration_time = 345600
             ## max items in LRU cache, reduce this number to save memory, and expire last used
             ## cached objects
             rc_cache.cache_repo_longterm.max_size = 10000
             ####################################
             ###       BEAKER SESSION        ####
             ####################################
             ## .session.type is type of storage options for the session, current allowed
             ## types are file, ext:memcached, ext:redis, ext:database, and memory (default).
             beaker.session.type = file
             beaker.session.data_dir = %(here)s/data/sessions
             ## db based session, fast, and allows easy management over logged in users
             #beaker.session.type = ext:database
             #beaker.session.table_name = db_session
             #beaker.session.sa.url = postgresql://postgres:secret@localhost/rhodecode
             #beaker.session.sa.url = mysql://root:secret@127.0.0.1/rhodecode
             #beaker.session.sa.pool_recycle = 3600
             #beaker.session.sa.echo = false
             beaker.session.key = rhodecode
             beaker.session.secret = develop-rc-uytcxaz
             beaker.session.lock_dir = %(here)s/data/sessions/lock
             ## Secure encrypted cookie. Requires AES and AES python libraries
             ## you must disable beaker.session.secret to use this
             #beaker.session.encrypt_key = key_for_encryption
             #beaker.session.validate_key = validation_key
             ## sets session as invalid(also logging out user) if it haven not been
             ## accessed for given amount of time in seconds
             beaker.session.timeout = 2592000
             beaker.session.httponly = true
             ## Path to use for the cookie. Set to prefix if you use prefix middleware
             #beaker.session.cookie_path = /custom_prefix
             ## uncomment for https secure cookie
             beaker.session.secure = false
             ## auto save the session to not to use .save()
             beaker.session.auto = false
             ## default cookie expiration time in seconds, set to `true` to set expire
             ## at browser close
             #beaker.session.cookie_expires = 3600
             ###################################
             ## SEARCH INDEXING CONFIGURATION ##
             ###################################
             ## Full text search indexer is available in rhodecode-tools under
             ## `rhodecode-tools index` command
             ## WHOOSH Backend, doesn't require additional services to run
             ## it works good with few dozen repos
             search.module = rhodecode.lib.index.whoosh
             search.location = %(here)s/data/index
             ########################################
             ###    CHANNELSTREAM CONFIG         ####
             ########################################
             ## channelstream enables persistent connections and live notification
             ## in the system. It's also used by the chat system
             channelstream.enabled = false
             ## server address for channelstream server on the backend
             channelstream.server = 127.0.0.1:9800
             ## location of the channelstream server from outside world
             ## use ws:// for http or wss:// for https. This address needs to be handled
             ## by external HTTP server such as Nginx or Apache
             ## see nginx/apache configuration examples in our docs
             channelstream.ws_url = ws://rhodecode.yourserver.com/_channelstream
             channelstream.secret = secret
             channelstream.history.location = %(here)s/channelstream_history
             ## Internal application path that Javascript uses to connect into.
             ## If you use proxy-prefix the prefix should be added before /_channelstream
             channelstream.proxy_path = /_channelstream
             ###################################
             ##       APPENLIGHT CONFIG       ##
             ###################################
             ## Appenlight is tailored to work with RhodeCode, see
             ## http://appenlight.com for details how to obtain an account
             ## appenlight integration enabled
             appenlight = false
             appenlight.server_url = https://api.appenlight.com
             appenlight.api_key = YOUR_API_KEY
             #appenlight.transport_config = https://api.appenlight.com?threaded=1&timeout=5
             # used for JS client
             appenlight.api_public_key = YOUR_API_PUBLIC_KEY
             ## TWEAK AMOUNT OF INFO SENT HERE
             ## enables 404 error logging (default False)
             appenlight.report_404 = false
             ## time in seconds after request is considered being slow (default 1)
             appenlight.slow_request_time = 1
             ## record slow requests in application
             ## (needs to be enabled for slow datastore recording and time tracking)
             appenlight.slow_requests = true
             ## enable hooking to application loggers
             appenlight.logging = true
             ## minimum log level for log capture
             appenlight.logging.level = WARNING
             ## send logs only from erroneous/slow requests
             ## (saves API quota for intensive logging)
             appenlight.logging_on_error = false
             ## list of additonal keywords that should be grabbed from environ object
             ## can be string with comma separated list of words in lowercase
             ## (by default client will always send following info:
             ## 'REMOTE_USER', 'REMOTE_ADDR', 'SERVER_NAME', 'CONTENT_TYPE' + all keys that
             ## start with HTTP* this list be extended with additional keywords here
             appenlight.environ_keys_whitelist =
             ## list of keywords that should be blanked from request object
             ## can be string with comma separated list of words in lowercase
             ## (by default client will always blank keys that contain following words
             ## 'password', 'passwd', 'pwd', 'auth_tkt', 'secret', 'csrf'
             ## this list be extended with additional keywords set here
             appenlight.request_keys_blacklist =
             ## list of namespaces that should be ignores when gathering log entries
             ## can be string with comma separated list of namespaces
             ## (by default the client ignores own entries: appenlight_client.client)
             appenlight.log_namespace_blacklist =
             # enable debug style page
             debug_style = true
             ###########################################
             ###   MAIN RHODECODE DATABASE CONFIG    ###
             ###########################################
             #sqlalchemy.db1.url = sqlite:///%(here)s/rhodecode.db?timeout=30
             #sqlalchemy.db1.url = postgresql://postgres:qweqwe@localhost/rhodecode
             #sqlalchemy.db1.url = mysql://root:qweqwe@localhost/rhodecode?charset=utf8
             # pymysql is an alternative driver for MySQL, use in case of problems with default one
             #sqlalchemy.db1.url = mysql+pymysql://root:qweqwe@localhost/rhodecode
             sqlalchemy.db1.url = sqlite:///%(here)s/rhodecode.db?timeout=30
             # see sqlalchemy docs for other advanced settings
             ## print the sql statements to output
             sqlalchemy.db1.echo = false
             ## recycle the connections after this amount of seconds
             sqlalchemy.db1.pool_recycle = 3600
             sqlalchemy.db1.convert_unicode = true
             ## the number of connections to keep open inside the connection pool.
             ## 0 indicates no limit
             #sqlalchemy.db1.pool_size = 5
             ## the number of connections to allow in connection pool "overflow", that is
             ## connections that can be opened above and beyond the pool_size setting,
             ## which defaults to five.
             #sqlalchemy.db1.max_overflow = 10
             ## Connection check ping, used to detect broken database connections
             ## could be enabled to better handle cases if MySQL has gone away errors
             #sqlalchemy.db1.ping_connection = true
             ##################
             ### VCS CONFIG ###
             ##################
             vcs.server.enable = true
             vcs.server = localhost:9900
             ## Web server connectivity protocol, responsible for web based VCS operatations
             ## Available protocols are:
             ## `http` - use http-rpc backend (default)
             vcs.server.protocol = http
             ## Push/Pull operations protocol, available options are:
             ## `http` - use http-rpc backend (default)
             vcs.scm_app_implementation = http
             ## Push/Pull operations hooks protocol, available options are:
             ## `http` - use http-rpc backend (default)
             vcs.hooks.protocol = http
             ## Host on which this instance is listening for hooks. If vcsserver is in other location
             ## this should be adjusted.
             vcs.hooks.host = 127.0.0.1
             vcs.server.log_level = debug
             ## Start VCSServer with this instance as a subprocess, useful for development
             vcs.start_server = false
             ## List of enabled VCS backends, available options are:
             ## `hg`  - mercurial
             ## `git` - git
             ## `svn` - subversion
             vcs.backends = hg, git, svn
             vcs.connection_timeout = 3600
             ## Compatibility version when creating SVN repositories. Defaults to newest version when commented out.
             ## Available options are: pre-1.4-compatible, pre-1.5-compatible, pre-1.6-compatible, pre-1.8-compatible, pre-1.9-compatible
             #vcs.svn.compatible_version = pre-1.8-compatible
             ############################################################
             ### Subversion proxy support (mod_dav_svn)               ###
             ### Maps RhodeCode repo groups into SVN paths for Apache ###
             ############################################################
             ## Enable or disable the config file generation.
             svn.proxy.generate_config = false
             ## Generate config file with `SVNListParentPath` set to `On`.
             svn.proxy.list_parent_path = true
             ## Set location and file name of generated config file.
             svn.proxy.config_file_path = %(here)s/mod_dav_svn.conf
             ## alternative mod_dav config template. This needs to be a mako template
             #svn.proxy.config_template = ~/.rccontrol/enterprise-1/custom_svn_conf.mako
             ## Used as a prefix to the `Location` block in the generated config file.
             ## In most cases it should be set to `/`.
             svn.proxy.location_root = /
             ## Command to reload the mod dav svn configuration on change.
             ## Example: `/etc/init.d/apache2 reload`
             #svn.proxy.reload_cmd = /etc/init.d/apache2 reload
             ## If the timeout expires before the reload command finishes, the command will
             ## be killed. Setting it to zero means no timeout. Defaults to 10 seconds.
             #svn.proxy.reload_timeout = 10
             ############################################################
             ### SSH Support Settings                                 ###
             ############################################################
             ## Defines if a custom authorized_keys file should be created and written on
             ## any change user ssh keys. Setting this to false also disables posibility
             ## of adding SSH keys by users from web interface. Super admins can still
             ## manage SSH Keys.
             ssh.generate_authorized_keyfile = false
             ## Options for ssh, default is `no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding`
             # ssh.authorized_keys_ssh_opts =
             ## Path to the authrozied_keys file where the generate entries are placed.
             ## It is possible to have multiple key files specified in `sshd_config` e.g.
             ## AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_rhodecode
             ssh.authorized_keys_file_path = ~/.ssh/authorized_keys_rhodecode
             ## Command to execute the SSH wrapper. The binary is available in the
             ## rhodecode installation directory.
             ## e.g ~/.rccontrol/community-1/profile/bin/rc-ssh-wrapper
             ssh.wrapper_cmd = ~/.rccontrol/community-1/rc-ssh-wrapper
             ## Allow shell when executing the ssh-wrapper command
             ssh.wrapper_cmd_allow_shell = false
             ## Enables logging, and detailed output send back to the client during SSH
             ## operations. Usefull for debugging, shouldn't be used in production.
             ssh.enable_debug_logging = true
             ## Paths to binary executable, by default they are the names, but we can
             ## override them if we want to use a custom one
             ssh.executable.hg = ~/.rccontrol/vcsserver-1/profile/bin/hg
             ssh.executable.git = ~/.rccontrol/vcsserver-1/profile/bin/git
             ssh.executable.svn = ~/.rccontrol/vcsserver-1/profile/bin/svnserve
+            ## Enables SSH key generator web interface. Disabling this still allows users
+            ## to add their own keys.
+            ssh.enable_ui_key_generator = true
             ## Dummy marker to add new entries after.
             ## Add any custom entries below. Please don't remove.
             custom.conf = 1
             ################################
             ### LOGGING CONFIGURATION   ####
             ################################
             [loggers]
             keys = root, sqlalchemy, beaker, celery, rhodecode, ssh_wrapper
             [handlers]
             keys = console, console_sql
             [formatters]
             keys = generic, color_formatter, color_formatter_sql
             #############
             ## LOGGERS ##
             #############
             [logger_root]
             level = NOTSET
             handlers = console
             [logger_sqlalchemy]
             level = INFO
             handlers = console_sql
             qualname = sqlalchemy.engine
             propagate = 0
             [logger_beaker]
             level = DEBUG
             handlers =
             qualname = beaker.container
             propagate = 1
             [logger_rhodecode]
             level = DEBUG
             handlers =
             qualname = rhodecode
             propagate = 1
             [logger_ssh_wrapper]
             level = DEBUG
             handlers =
             qualname = ssh_wrapper
             propagate = 1
             [logger_celery]
             level = DEBUG
             handlers =
             qualname = celery
             ##############
             ## HANDLERS ##
             ##############
             [handler_console]
             class = StreamHandler
             args = (sys.stderr, )
             level = DEBUG
             formatter = color_formatter
             [handler_console_sql]
             # "level = DEBUG" logs SQL queries and results.
             # "level = INFO" logs SQL queries.
             # "level = WARN" logs neither.  (Recommended for production systems.)
             class = StreamHandler
             args = (sys.stderr, )
             level = WARN
             formatter = color_formatter_sql
             ################
             ## FORMATTERS ##
             ################
             [formatter_generic]
             class = rhodecode.lib.logging_formatter.ExceptionAwareFormatter
             format = %(asctime)s.%(msecs)03d [%(process)d] %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S
             [formatter_color_formatter]
             class = rhodecode.lib.logging_formatter.ColorFormatter
             format = %(asctime)s.%(msecs)03d [%(process)d] %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S
             [formatter_color_formatter_sql]
             class = rhodecode.lib.logging_formatter.ColorFormatterSql
             format = %(asctime)s.%(msecs)03d [%(process)d] %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S

configs/production.ini

0 +4 0

             ################################################################################
             ##                RHODECODE COMMUNITY  EDITION CONFIGURATION                  ##
             ################################################################################
             [DEFAULT]
             ## Debug flag sets all loggers to debug, and enables request tracking
             debug = false
             ################################################################################
             ##                            EMAIL CONFIGURATION                             ##
             ## Uncomment and replace with the email address which should receive          ##
             ## any error reports after an application crash                               ##
             ## Additionally these settings will be used by the RhodeCode mailing system   ##
             ################################################################################
             ## prefix all emails subjects with given prefix, helps filtering out emails
             #email_prefix = [RhodeCode]
             ## email FROM address all mails will be sent
             #app_email_from = rhodecode-noreply@localhost
             #smtp_server = mail.server.com
             #smtp_username =
             #smtp_password =
             #smtp_port =
             #smtp_use_tls = false
             #smtp_use_ssl = true
             [server:main]
             ## COMMON ##
             host = 127.0.0.1
             port = 5000
             ###########################################################
             ## WAITRESS WSGI SERVER - Recommended for Development  ####
             ###########################################################
             #use = egg:waitress#main
             ## number of worker threads
             #threads = 5
             ## MAX BODY SIZE 100GB
             #max_request_body_size = 107374182400
             ## Use poll instead of select, fixes file descriptors limits problems.
             ## May not work on old windows systems.
             #asyncore_use_poll = true
             ##########################
             ## GUNICORN WSGI SERVER ##
             ##########################
             ## run with gunicorn --log-config rhodecode.ini --paste rhodecode.ini
             use = egg:gunicorn#main
             ## Sets the number of process workers. More workers means more concurent connections
             ## RhodeCode can handle at the same time. Each additional worker also it increases
             ## memory usage as each has it's own set of caches.
             ## Recommended value is (2 * NUMBER_OF_CPUS + 1), eg 2CPU = 5 workers, but no more
             ## than 8-10 unless for really big deployments .e.g 700-1000 users.
             ## `instance_id = *` must be set in the [app:main] section below (which is the default)
             ## when using more than 1 worker.
             workers = 2
             ## process name visible in process list
             proc_name = rhodecode
             ## type of worker class, one of sync, gevent
             ## recommended for bigger setup is using of of other than sync one
             worker_class = gevent
             ## The maximum number of simultaneous clients. Valid only for Gevent
             worker_connections = 10
             ## max number of requests that worker will handle before being gracefully
             ## restarted, could prevent memory leaks
             max_requests = 1000
             max_requests_jitter = 30
             ## amount of time a worker can spend with handling a request before it
             ## gets killed and restarted. Set to 6hrs
             timeout = 21600
             ## prefix middleware for RhodeCode.
             ## recommended when using proxy setup.
             ## allows to set RhodeCode under a prefix in server.
             ## eg https://server.com/custom_prefix. Enable `filter-with =` option below as well.
             ## And set your prefix like: `prefix = /custom_prefix`
             ## be sure to also set beaker.session.cookie_path = /custom_prefix if you need
             ## to make your cookies only work on prefix url
             [filter:proxy-prefix]
             use = egg:PasteDeploy#prefix
             prefix = /
             [app:main]
             ## The %(here)s variable will be replaced with the absolute path of parent directory
             ## of this file
             ## In addition ENVIRONMENT variables usage is possible, e.g
             ## sqlalchemy.db1.url = {ENV_RC_DB_URL}
             use = egg:rhodecode-enterprise-ce
             ## enable proxy prefix middleware, defined above
             #filter-with = proxy-prefix
             ## encryption key used to encrypt social plugin tokens,
             ## remote_urls with credentials etc, if not set it defaults to
             ## `beaker.session.secret`
             #rhodecode.encrypted_values.secret =
             ## decryption strict mode (enabled by default). It controls if decryption raises
             ## `SignatureVerificationError` in case of wrong key, or damaged encryption data.
             #rhodecode.encrypted_values.strict = false
             ## return gzipped responses from Rhodecode (static files/application)
             gzip_responses = false
             ## autogenerate javascript routes file on startup
             generate_js_files = false
             ## System global default language.
             ## All available languages: en(default), be, de, es, fr, it, ja, pl, pt, ru, zh
             lang = en
             ## Perform a full repository scan and import on each server start.
             ## Settings this to true could lead to very long startup time.
             startup.import_repos = false
             ## Uncomment and set this path to use archive download cache.
             ## Once enabled, generated archives will be cached at this location
             ## and served from the cache during subsequent requests for the same archive of
             ## the repository.
             #archive_cache_dir = /tmp/tarballcache
             ## URL at which the application is running. This is used for bootstraping
             ## requests in context when no web request is available. Used in ishell, or
             ## SSH calls. Set this for events to receive proper url for SSH calls.
             app.base_url = http://rhodecode.local
             ## Unique application ID. Should be a random unique string for security.
             app_instance_uuid = rc-production
             ## Cut off limit for large diffs (size in bytes). If overall diff size on
             ## commit, or pull request exceeds this limit this diff will be displayed
             ## partially. E.g 512000 == 512Kb
             cut_off_limit_diff = 512000
             ## Cut off limit for large files inside diffs (size in bytes). Each individual
             ## file inside diff which exceeds this limit will be displayed partially.
             ##  E.g 128000 == 128Kb
             cut_off_limit_file = 128000
             ## use cached version of vcs repositories everywhere. Recommended to be `true`
             vcs_full_cache = true
             ## Force https in RhodeCode, fixes https redirects, assumes it's always https.
             ## Normally this is controlled by proper http flags sent from http server
             force_https = false
             ## use Strict-Transport-Security headers
             use_htsts = false
             ## git rev filter option, --all is the default filter, if you need to
             ## hide all refs in changelog switch this to --branches --tags
             git_rev_filter = --branches --tags
             # Set to true if your repos are exposed using the dumb protocol
             git_update_server_info = false
             ## RSS/ATOM feed options
             rss_cut_off_limit = 256000
             rss_items_per_page = 10
             rss_include_diff = false
             ## gist URL alias, used to create nicer urls for gist. This should be an
             ## url that does rewrites to _admin/gists/{gistid}.
             ## example: http://gist.rhodecode.org/{gistid}. Empty means use the internal
             ## RhodeCode url, ie. http[s]://rhodecode.server/_admin/gists/{gistid}
             gist_alias_url =
             ## List of views (using glob pattern syntax) that AUTH TOKENS could be
             ## used for access.
             ## Adding ?auth_token=TOKEN_HASH to the url authenticates this request as if it
             ## came from the the logged in user who own this authentication token.
             ## Additionally @TOKEN syntaxt can be used to bound the view to specific
             ## authentication token. Such view would be only accessible when used together
             ## with this authentication token
             ##
             ## list of all views can be found under `/_admin/permissions/auth_token_access`
             ## The list should be "," separated and on a single line.
             ##
             ## Most common views to enable:
             #    RepoCommitsView:repo_commit_download
             #    RepoCommitsView:repo_commit_patch
             #    RepoCommitsView:repo_commit_raw
             #    RepoCommitsView:repo_commit_raw@TOKEN
             #    RepoFilesView:repo_files_diff
             #    RepoFilesView:repo_archivefile
             #    RepoFilesView:repo_file_raw
             #    GistView:*
             api_access_controllers_whitelist =
             ## Default encoding used to convert from and to unicode
             ## can be also a comma separated list of encoding in case of mixed encodings
             default_encoding = UTF-8
             ## instance-id prefix
             ## a prefix key for this instance used for cache invalidation when running
             ## multiple instances of rhodecode, make sure it's globally unique for
             ## all running rhodecode instances. Leave empty if you don't use it
             instance_id =
             ## Fallback authentication plugin. Set this to a plugin ID to force the usage
             ## of an authentication plugin also if it is disabled by it's settings.
             ## This could be useful if you are unable to log in to the system due to broken
             ## authentication settings. Then you can enable e.g. the internal rhodecode auth
             ## module to log in again and fix the settings.
             ##
             ## Available builtin plugin IDs (hash is part of the ID):
             ## egg:rhodecode-enterprise-ce#rhodecode
             ## egg:rhodecode-enterprise-ce#pam
             ## egg:rhodecode-enterprise-ce#ldap
             ## egg:rhodecode-enterprise-ce#jasig_cas
             ## egg:rhodecode-enterprise-ce#headers
             ## egg:rhodecode-enterprise-ce#crowd
             #rhodecode.auth_plugin_fallback = egg:rhodecode-enterprise-ce#rhodecode
             ## alternative return HTTP header for failed authentication. Default HTTP
             ## response is 401 HTTPUnauthorized. Currently HG clients have troubles with
             ## handling that causing a series of failed authentication calls.
             ## Set this variable to 403 to return HTTPForbidden, or any other HTTP code
             ## This will be served instead of default 401 on bad authnetication
             auth_ret_code =
             ## use special detection method when serving auth_ret_code, instead of serving
             ## ret_code directly, use 401 initially (Which triggers credentials prompt)
             ## and then serve auth_ret_code to clients
             auth_ret_code_detection = false
             ## locking return code. When repository is locked return this HTTP code. 2XX
             ## codes don't break the transactions while 4XX codes do
             lock_ret_code = 423
             ## allows to change the repository location in settings page
             allow_repo_location_change = true
             ## allows to setup custom hooks in settings page
             allow_custom_hooks_settings = true
             ## Generated license token required for EE edition license.
             ## New generated token value can be found in Admin > settings > license page.
             license_token =
             ## supervisor connection uri, for managing supervisor and logs.
             supervisor.uri =
             ## supervisord group name/id we only want this RC instance to handle
             supervisor.group_id = prod
             ## Display extended labs settings
             labs_settings_active = true
             ## Custom exception store path, defaults to TMPDIR
             ## This is used to store exception from RhodeCode in shared directory
             #exception_tracker.store_path =
             ## File store configuration. This is used to store and serve uploaded files
             file_store.enabled = true
             ## backend, only available one is local
             file_store.backend = local
             ## path to store the uploaded binaries
             file_store.storage_path = %(here)s/data/file_store
             ####################################
             ###        CELERY CONFIG        ####
             ####################################
             ## run: /path/to/celery worker \
             ##     -E --beat --app rhodecode.lib.celerylib.loader \
             ##     --scheduler rhodecode.lib.celerylib.scheduler.RcScheduler \
             ##     --loglevel DEBUG --ini /path/to/rhodecode.ini
             use_celery = false
             ## connection url to the message broker (default rabbitmq)
             celery.broker_url = amqp://rabbitmq:qweqwe@localhost:5672/rabbitmqhost
             ## maximum tasks to execute before worker restart
             celery.max_tasks_per_child = 100
             ## tasks will never be sent to the queue, but executed locally instead.
             celery.task_always_eager = false
             #####################################
             ###         DOGPILE CACHE        ####
             #####################################
             ## Default cache dir for caches.  Putting this into a ramdisk
             ## can boost performance, eg. /tmpfs/data_ramdisk, however this directory might require
             ## large amount of space
             cache_dir = %(here)s/data
             ## `cache_perms` cache settings for permission tree, auth TTL.
             rc_cache.cache_perms.backend = dogpile.cache.rc.file_namespace
             rc_cache.cache_perms.expiration_time = 300
             ## alternative `cache_perms` redis backend with distributed lock
             #rc_cache.cache_perms.backend = dogpile.cache.rc.redis
             #rc_cache.cache_perms.expiration_time = 300
             ## redis_expiration_time needs to be greater then expiration_time
             #rc_cache.cache_perms.arguments.redis_expiration_time = 7200
             #rc_cache.cache_perms.arguments.socket_timeout = 30
             #rc_cache.cache_perms.arguments.host = localhost
             #rc_cache.cache_perms.arguments.port = 6379
             #rc_cache.cache_perms.arguments.db = 0
             #rc_cache.cache_perms.arguments.distributed_lock = true
             ## `cache_repo` cache settings for FileTree, Readme, RSS FEEDS
             rc_cache.cache_repo.backend = dogpile.cache.rc.file_namespace
             rc_cache.cache_repo.expiration_time = 2592000
             ## alternative `cache_repo` redis backend with distributed lock
             #rc_cache.cache_repo.backend = dogpile.cache.rc.redis
             #rc_cache.cache_repo.expiration_time = 2592000
             ## redis_expiration_time needs to be greater then expiration_time
             #rc_cache.cache_repo.arguments.redis_expiration_time = 2678400
             #rc_cache.cache_repo.arguments.socket_timeout = 30
             #rc_cache.cache_repo.arguments.host = localhost
             #rc_cache.cache_repo.arguments.port = 6379
             #rc_cache.cache_repo.arguments.db = 1
             #rc_cache.cache_repo.arguments.distributed_lock = true
             ## cache settings for SQL queries, this needs to use memory type backend
             rc_cache.sql_cache_short.backend = dogpile.cache.rc.memory_lru
             rc_cache.sql_cache_short.expiration_time = 30
             ## `cache_repo_longterm` cache for repo object instances, this needs to use memory
             ## type backend as the objects kept are not pickle serializable
             rc_cache.cache_repo_longterm.backend = dogpile.cache.rc.memory_lru
             ## by default we use 96H, this is using invalidation on push anyway
             rc_cache.cache_repo_longterm.expiration_time = 345600
             ## max items in LRU cache, reduce this number to save memory, and expire last used
             ## cached objects
             rc_cache.cache_repo_longterm.max_size = 10000
             ####################################
             ###       BEAKER SESSION        ####
             ####################################
             ## .session.type is type of storage options for the session, current allowed
             ## types are file, ext:memcached, ext:redis, ext:database, and memory (default).
             beaker.session.type = file
             beaker.session.data_dir = %(here)s/data/sessions
             ## db based session, fast, and allows easy management over logged in users
             #beaker.session.type = ext:database
             #beaker.session.table_name = db_session
             #beaker.session.sa.url = postgresql://postgres:secret@localhost/rhodecode
             #beaker.session.sa.url = mysql://root:secret@127.0.0.1/rhodecode
             #beaker.session.sa.pool_recycle = 3600
             #beaker.session.sa.echo = false
             beaker.session.key = rhodecode
             beaker.session.secret = production-rc-uytcxaz
             beaker.session.lock_dir = %(here)s/data/sessions/lock
             ## Secure encrypted cookie. Requires AES and AES python libraries
             ## you must disable beaker.session.secret to use this
             #beaker.session.encrypt_key = key_for_encryption
             #beaker.session.validate_key = validation_key
             ## sets session as invalid(also logging out user) if it haven not been
             ## accessed for given amount of time in seconds
             beaker.session.timeout = 2592000
             beaker.session.httponly = true
             ## Path to use for the cookie. Set to prefix if you use prefix middleware
             #beaker.session.cookie_path = /custom_prefix
             ## uncomment for https secure cookie
             beaker.session.secure = false
             ## auto save the session to not to use .save()
             beaker.session.auto = false
             ## default cookie expiration time in seconds, set to `true` to set expire
             ## at browser close
             #beaker.session.cookie_expires = 3600
             ###################################
             ## SEARCH INDEXING CONFIGURATION ##
             ###################################
             ## Full text search indexer is available in rhodecode-tools under
             ## `rhodecode-tools index` command
             ## WHOOSH Backend, doesn't require additional services to run
             ## it works good with few dozen repos
             search.module = rhodecode.lib.index.whoosh
             search.location = %(here)s/data/index
             ########################################
             ###    CHANNELSTREAM CONFIG         ####
             ########################################
             ## channelstream enables persistent connections and live notification
             ## in the system. It's also used by the chat system
             channelstream.enabled = false
             ## server address for channelstream server on the backend
             channelstream.server = 127.0.0.1:9800
             ## location of the channelstream server from outside world
             ## use ws:// for http or wss:// for https. This address needs to be handled
             ## by external HTTP server such as Nginx or Apache
             ## see nginx/apache configuration examples in our docs
             channelstream.ws_url = ws://rhodecode.yourserver.com/_channelstream
             channelstream.secret = secret
             channelstream.history.location = %(here)s/channelstream_history
             ## Internal application path that Javascript uses to connect into.
             ## If you use proxy-prefix the prefix should be added before /_channelstream
             channelstream.proxy_path = /_channelstream
             ###################################
             ##       APPENLIGHT CONFIG       ##
             ###################################
             ## Appenlight is tailored to work with RhodeCode, see
             ## http://appenlight.com for details how to obtain an account
             ## appenlight integration enabled
             appenlight = false
             appenlight.server_url = https://api.appenlight.com
             appenlight.api_key = YOUR_API_KEY
             #appenlight.transport_config = https://api.appenlight.com?threaded=1&timeout=5
             # used for JS client
             appenlight.api_public_key = YOUR_API_PUBLIC_KEY
             ## TWEAK AMOUNT OF INFO SENT HERE
             ## enables 404 error logging (default False)
             appenlight.report_404 = false
             ## time in seconds after request is considered being slow (default 1)
             appenlight.slow_request_time = 1
             ## record slow requests in application
             ## (needs to be enabled for slow datastore recording and time tracking)
             appenlight.slow_requests = true
             ## enable hooking to application loggers
             appenlight.logging = true
             ## minimum log level for log capture
             appenlight.logging.level = WARNING
             ## send logs only from erroneous/slow requests
             ## (saves API quota for intensive logging)
             appenlight.logging_on_error = false
             ## list of additonal keywords that should be grabbed from environ object
             ## can be string with comma separated list of words in lowercase
             ## (by default client will always send following info:
             ## 'REMOTE_USER', 'REMOTE_ADDR', 'SERVER_NAME', 'CONTENT_TYPE' + all keys that
             ## start with HTTP* this list be extended with additional keywords here
             appenlight.environ_keys_whitelist =
             ## list of keywords that should be blanked from request object
             ## can be string with comma separated list of words in lowercase
             ## (by default client will always blank keys that contain following words
             ## 'password', 'passwd', 'pwd', 'auth_tkt', 'secret', 'csrf'
             ## this list be extended with additional keywords set here
             appenlight.request_keys_blacklist =
             ## list of namespaces that should be ignores when gathering log entries
             ## can be string with comma separated list of namespaces
             ## (by default the client ignores own entries: appenlight_client.client)
             appenlight.log_namespace_blacklist =
             ###########################################
             ###   MAIN RHODECODE DATABASE CONFIG    ###
             ###########################################
             #sqlalchemy.db1.url = sqlite:///%(here)s/rhodecode.db?timeout=30
             #sqlalchemy.db1.url = postgresql://postgres:qweqwe@localhost/rhodecode
             #sqlalchemy.db1.url = mysql://root:qweqwe@localhost/rhodecode?charset=utf8
             # pymysql is an alternative driver for MySQL, use in case of problems with default one
             #sqlalchemy.db1.url = mysql+pymysql://root:qweqwe@localhost/rhodecode
             sqlalchemy.db1.url = postgresql://postgres:qweqwe@localhost/rhodecode
             # see sqlalchemy docs for other advanced settings
             ## print the sql statements to output
             sqlalchemy.db1.echo = false
             ## recycle the connections after this amount of seconds
             sqlalchemy.db1.pool_recycle = 3600
             sqlalchemy.db1.convert_unicode = true
             ## the number of connections to keep open inside the connection pool.
             ## 0 indicates no limit
             #sqlalchemy.db1.pool_size = 5
             ## the number of connections to allow in connection pool "overflow", that is
             ## connections that can be opened above and beyond the pool_size setting,
             ## which defaults to five.
             #sqlalchemy.db1.max_overflow = 10
             ## Connection check ping, used to detect broken database connections
             ## could be enabled to better handle cases if MySQL has gone away errors
             #sqlalchemy.db1.ping_connection = true
             ##################
             ### VCS CONFIG ###
             ##################
             vcs.server.enable = true
             vcs.server = localhost:9900
             ## Web server connectivity protocol, responsible for web based VCS operatations
             ## Available protocols are:
             ## `http` - use http-rpc backend (default)
             vcs.server.protocol = http
             ## Push/Pull operations protocol, available options are:
             ## `http` - use http-rpc backend (default)
             vcs.scm_app_implementation = http
             ## Push/Pull operations hooks protocol, available options are:
             ## `http` - use http-rpc backend (default)
             vcs.hooks.protocol = http
             ## Host on which this instance is listening for hooks. If vcsserver is in other location
             ## this should be adjusted.
             vcs.hooks.host = 127.0.0.1
             vcs.server.log_level = info
             ## Start VCSServer with this instance as a subprocess, useful for development
             vcs.start_server = false
             ## List of enabled VCS backends, available options are:
             ## `hg`  - mercurial
             ## `git` - git
             ## `svn` - subversion
             vcs.backends = hg, git, svn
             vcs.connection_timeout = 3600
             ## Compatibility version when creating SVN repositories. Defaults to newest version when commented out.
             ## Available options are: pre-1.4-compatible, pre-1.5-compatible, pre-1.6-compatible, pre-1.8-compatible, pre-1.9-compatible
             #vcs.svn.compatible_version = pre-1.8-compatible
             ############################################################
             ### Subversion proxy support (mod_dav_svn)               ###
             ### Maps RhodeCode repo groups into SVN paths for Apache ###
             ############################################################
             ## Enable or disable the config file generation.
             svn.proxy.generate_config = false
             ## Generate config file with `SVNListParentPath` set to `On`.
             svn.proxy.list_parent_path = true
             ## Set location and file name of generated config file.
             svn.proxy.config_file_path = %(here)s/mod_dav_svn.conf
             ## alternative mod_dav config template. This needs to be a mako template
             #svn.proxy.config_template = ~/.rccontrol/enterprise-1/custom_svn_conf.mako
             ## Used as a prefix to the `Location` block in the generated config file.
             ## In most cases it should be set to `/`.
             svn.proxy.location_root = /
             ## Command to reload the mod dav svn configuration on change.
             ## Example: `/etc/init.d/apache2 reload`
             #svn.proxy.reload_cmd = /etc/init.d/apache2 reload
             ## If the timeout expires before the reload command finishes, the command will
             ## be killed. Setting it to zero means no timeout. Defaults to 10 seconds.
             #svn.proxy.reload_timeout = 10
             ############################################################
             ### SSH Support Settings                                 ###
             ############################################################
             ## Defines if a custom authorized_keys file should be created and written on
             ## any change user ssh keys. Setting this to false also disables posibility
             ## of adding SSH keys by users from web interface. Super admins can still
             ## manage SSH Keys.
             ssh.generate_authorized_keyfile = false
             ## Options for ssh, default is `no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding`
             # ssh.authorized_keys_ssh_opts =
             ## Path to the authrozied_keys file where the generate entries are placed.
             ## It is possible to have multiple key files specified in `sshd_config` e.g.
             ## AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_rhodecode
             ssh.authorized_keys_file_path = ~/.ssh/authorized_keys_rhodecode
             ## Command to execute the SSH wrapper. The binary is available in the
             ## rhodecode installation directory.
             ## e.g ~/.rccontrol/community-1/profile/bin/rc-ssh-wrapper
             ssh.wrapper_cmd = ~/.rccontrol/community-1/rc-ssh-wrapper
             ## Allow shell when executing the ssh-wrapper command
             ssh.wrapper_cmd_allow_shell = false
             ## Enables logging, and detailed output send back to the client during SSH
             ## operations. Usefull for debugging, shouldn't be used in production.
             ssh.enable_debug_logging = false
             ## Paths to binary executable, by default they are the names, but we can
             ## override them if we want to use a custom one
             ssh.executable.hg = ~/.rccontrol/vcsserver-1/profile/bin/hg
             ssh.executable.git = ~/.rccontrol/vcsserver-1/profile/bin/git
             ssh.executable.svn = ~/.rccontrol/vcsserver-1/profile/bin/svnserve
+            ## Enables SSH key generator web interface. Disabling this still allows users
+            ## to add their own keys.
+            ssh.enable_ui_key_generator = true
             ## Dummy marker to add new entries after.
             ## Add any custom entries below. Please don't remove.
             custom.conf = 1
             ################################
             ### LOGGING CONFIGURATION   ####
             ################################
             [loggers]
             keys = root, sqlalchemy, beaker, celery, rhodecode, ssh_wrapper
             [handlers]
             keys = console, console_sql
             [formatters]
             keys = generic, color_formatter, color_formatter_sql
             #############
             ## LOGGERS ##
             #############
             [logger_root]
             level = NOTSET
             handlers = console
             [logger_sqlalchemy]
             level = INFO
             handlers = console_sql
             qualname = sqlalchemy.engine
             propagate = 0
             [logger_beaker]
             level = DEBUG
             handlers =
             qualname = beaker.container
             propagate = 1
             [logger_rhodecode]
             level = DEBUG
             handlers =
             qualname = rhodecode
             propagate = 1
             [logger_ssh_wrapper]
             level = DEBUG
             handlers =
             qualname = ssh_wrapper
             propagate = 1
             [logger_celery]
             level = DEBUG
             handlers =
             qualname = celery
             ##############
             ## HANDLERS ##
             ##############
             [handler_console]
             class = StreamHandler
             args = (sys.stderr, )
             level = INFO
             formatter = generic
             [handler_console_sql]
             # "level = DEBUG" logs SQL queries and results.
             # "level = INFO" logs SQL queries.
             # "level = WARN" logs neither.  (Recommended for production systems.)
             class = StreamHandler
             args = (sys.stderr, )
             level = WARN
             formatter = generic
             ################
             ## FORMATTERS ##
             ################
             [formatter_generic]
             class = rhodecode.lib.logging_formatter.ExceptionAwareFormatter
             format = %(asctime)s.%(msecs)03d [%(process)d] %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S
             [formatter_color_formatter]
             class = rhodecode.lib.logging_formatter.ColorFormatter
             format = %(asctime)s.%(msecs)03d [%(process)d] %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S
             [formatter_color_formatter_sql]
             class = rhodecode.lib.logging_formatter.ColorFormatterSql
             format = %(asctime)s.%(msecs)03d [%(process)d] %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S

docs/auth/ssh-connection.rst

0 +4 0

             .. _ssh-connection:
             SSH Connection
             --------------
             If you wish to connect to your |repos| using SSH protocol, use the
             following instructions.
 . Include |RCE| generated `authorized_keys` file into your sshd_config.
                By default a file `authorized_keys_rhodecode` is created containing
                configuration and all allowed user connection keys are stored inside.
                On each change of stored keys inside |RCE| this file is updated with
                proper data.
                .. code-block:: bash
                    # Edit sshd_config file most likely at /etc/ssh/sshd_config
                    # add or edit the AuthorizedKeysFile, and set to use custom files
                    AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_rhodecode
                This way we use a separate file for SSH access and separate one for
                SSH access to |RCE| repositories.
 . Enable the SSH module on instance.
                On the server where |RCE| is running executing:
                .. code-block:: bash
                    rccontrol enable-module ssh {instance-id}
                This will add the following configuration into :file:`rhodecode.ini`.
                This also can be done manually:
                .. code-block:: ini
                     ############################################################
                     ### SSH Support Settings                                 ###
                     ############################################################
                     ## Defines if a custom authorized_keys file should be created and written on
                     ## any change user ssh keys. Setting this to false also disables posibility
                     ## of adding SSH keys by users from web interface. Super admins can still
                     ## manage SSH Keys.
                     ssh.generate_authorized_keyfile = true
                     ## Options for ssh, default is `no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding`
                     # ssh.authorized_keys_ssh_opts =
                     ## Path to the authrozied_keys file where the generate entries are placed.
                     ## It is possible to have multiple key files specified in `sshd_config` e.g.
                     ## AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_rhodecode
                     ssh.authorized_keys_file_path = ~/.ssh/authorized_keys_rhodecode
                     ## Command to execute the SSH wrapper. The binary is available in the
                     ## rhodecode installation directory.
                     ## e.g ~/.rccontrol/community-1/profile/bin/rc-ssh-wrapper
                     ssh.wrapper_cmd = ~/.rccontrol/community-1/rc-ssh-wrapper
                     ## Allow shell when executing the ssh-wrapper command
                     ssh.wrapper_cmd_allow_shell = false
                     ## Enables logging, and detailed output send back to the client during SSH
                     ## operations. Useful for debugging, shouldn't be used in production.
                     ssh.enable_debug_logging = false
                     ## Paths to binary executable, by default they are the names, but we can
                     ## override them if we want to use a custom one
                     ssh.executable.hg = ~/.rccontrol/vcsserver-1/profile/bin/hg
                     ssh.executable.git = ~/.rccontrol/vcsserver-1/profile/bin/git
                     ssh.executable.svn = ~/.rccontrol/vcsserver-1/profile/bin/svnserve
+                    ## Enables SSH key generator web interface. Disabling this still allows users
+                    ## to add their own keys.
+                    ssh.enable_ui_key_generator = true
 . Set base_url for instance to enable proper event handling (Optional):
                If you wish to have integrations working correctly via SSH please configure
                The Application base_url.
                Use the ``rccontrol status`` command to view instance details.
                Hostname is required for the integration to properly set the instance URL.
                When your hostname is known (e.g https://code.rhodecode.com) please set it
                inside :file:`/home/{user}/.rccontrol/{instance-id}/rhodecode.ini`
                add into `[app:main]` section the following configuration:
                .. code-block:: ini
                    app.base_url = https://code.rhodecode.com
 . Add the public key to your user account for testing.
                First generate a new key, or use your existing one and have your public key
                at hand.
                Go to
                :menuselection:`My Account --> SSH Keys` and add the public key with proper description.
                This will generate a new entry inside our configured `authorized_keys_rhodecode` file.
                Test the connection from your local machine using the following example:
                .. note::
                    In case of connection problems please set
                    `ssh.enable_debug_logging = true` inside the SSH configuration of
                    :file:`/home/{user}/.rccontrol/{instance-id}/rhodecode.ini`
                    Then add, remove your SSH key and try connecting again.
                    Debug logging will be printed to help find the problems on the server side.
                Test connection using the ssh command from the local machine. Make sure
                to use the use who is running the |RCE| server, and not your username from
                the web interface.
                For SVN:
                .. code-block:: bash
                    SVN_SSH="ssh -i ~/.ssh/id_rsa_test_ssh_private.key" svn checkout svn+ssh://rhodecode@rc-server/repo_name
                For GIT:
                .. code-block:: bash
                    GIT_SSH_COMMAND='ssh -i ~/.ssh/id_rsa_test_ssh_private.key' git clone ssh://rhodecode@rc-server/repo_name
                For Mercurial:
                .. code-block:: bash
                    Add to hgrc:
                    [ui]
                    ssh = ssh -C -i ~/.ssh/id_rsa_test_ssh_private.key
                    hg clone ssh://rhodecode@rc-server/repo_name

rhodecode/apps/my_account/views/my_account_ssh_keys.py

0 +5 -4

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             from pyramid.httpexceptions import HTTPFound
             from pyramid.view import view_config
             from rhodecode.apps._base import BaseAppView, DataGridAppView
             from rhodecode.apps.ssh_support import SshKeyFileChangeEvent
             from rhodecode.events import trigger
             from rhodecode.lib import helpers as h
             from rhodecode.lib import audit_logger
             from rhodecode.lib.auth import LoginRequired, NotAnonymous, CSRFRequired
             from rhodecode.model.db import IntegrityError, UserSshKeys
             from rhodecode.model.meta import Session
             from rhodecode.model.ssh_key import SshKeyModel
             log = logging.getLogger(__name__)
             class MyAccountSshKeysView(BaseAppView, DataGridAppView):
                 def load_default_context(self):
                     c = self._get_local_tmpl_context()
                     c.user = c.auth_user.get_instance()
                     c.ssh_enabled = self.request.registry.settings.get(
                         'ssh.generate_authorized_keyfile')
                     return c
                 @LoginRequired()
                 @NotAnonymous()
                 @view_config(
                     route_name='my_account_ssh_keys', request_method='GET',
                     renderer='rhodecode:templates/admin/my_account/my_account.mako')
                 def my_account_ssh_keys(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.active = 'ssh_keys'
                     c.default_key = self.request.GET.get('default_key')
                     c.user_ssh_keys = SshKeyModel().get_ssh_keys(c.user.user_id)
                     return self._get_template_context(c)
                 @LoginRequired()
                 @NotAnonymous()
                 @view_config(
                     route_name='my_account_ssh_keys_generate', request_method='GET',
                     renderer='rhodecode:templates/admin/my_account/my_account.mako')
                 def ssh_keys_generate_keypair(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     c.active = 'ssh_keys_generate'
-                    comment = 'RhodeCode-SSH {}'.format(c.user.email or '')
+                    if c.ssh_key_generator_enabled:
-                    c.private, c.public = SshKeyModel().generate_keypair(comment=comment)
+                        comment = 'RhodeCode-SSH {}'.format(c.user.email or '')
-                    c.target_form_url = h.route_path(
+                        c.private, c.public = SshKeyModel().generate_keypair(comment=comment)
-                        'my_account_ssh_keys', _query=dict(default_key=c.public))
+                        c.target_form_url = h.route_path(
+                            'my_account_ssh_keys', _query=dict(default_key=c.public))
                     return self._get_template_context(c)
                 @LoginRequired()
                 @NotAnonymous()
                 @CSRFRequired()
                 @view_config(
                     route_name='my_account_ssh_keys_add', request_method='POST',)
                 def my_account_ssh_keys_add(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_data = c.user.get_api_data()
                     key_data = self.request.POST.get('key_data')
                     description = self.request.POST.get('description')
                     fingerprint = 'unknown'
                     try:
                         if not key_data:
                             raise ValueError('Please add a valid public key')
                         key = SshKeyModel().parse_key(key_data.strip())
                         fingerprint = key.hash_md5()
                         ssh_key = SshKeyModel().create(
                             c.user.user_id, fingerprint, key.keydata, description)
                         ssh_key_data = ssh_key.get_api_data()
                         audit_logger.store_web(
                             'user.edit.ssh_key.add', action_data={
                                 'data': {'ssh_key': ssh_key_data, 'user': user_data}},
                             user=self._rhodecode_user, )
                         Session().commit()
                         # Trigger an event on change of keys.
                         trigger(SshKeyFileChangeEvent(), self.request.registry)
                         h.flash(_("Ssh Key successfully created"), category='success')
                     except IntegrityError:
                         log.exception("Exception during ssh key saving")
                         err = 'Such key with fingerprint `{}` already exists, ' \
                               'please use a different one'.format(fingerprint)
                         h.flash(_('An error occurred during ssh key saving: {}').format(err),
                                 category='error')
                     except Exception as e:
                         log.exception("Exception during ssh key saving")
                         h.flash(_('An error occurred during ssh key saving: {}').format(e),
                                 category='error')
                     return HTTPFound(h.route_path('my_account_ssh_keys'))
                 @LoginRequired()
                 @NotAnonymous()
                 @CSRFRequired()
                 @view_config(
                     route_name='my_account_ssh_keys_delete', request_method='POST')
                 def my_account_ssh_keys_delete(self):
                     _ = self.request.translate
                     c = self.load_default_context()
                     user_data = c.user.get_api_data()
                     del_ssh_key = self.request.POST.get('del_ssh_key')
                     if del_ssh_key:
                         ssh_key = UserSshKeys.get_or_404(del_ssh_key)
                         ssh_key_data = ssh_key.get_api_data()
                         SshKeyModel().delete(del_ssh_key, c.user.user_id)
                         audit_logger.store_web(
                             'user.edit.ssh_key.delete', action_data={
                                 'data': {'ssh_key': ssh_key_data, 'user': user_data}},
                             user=self._rhodecode_user,)
                         Session().commit()
                         # Trigger an event on change of keys.
                         trigger(SshKeyFileChangeEvent(), self.request.registry)
                         h.flash(_("Ssh key successfully deleted"), category='success')
                     return HTTPFound(h.route_path('my_account_ssh_keys'))

rhodecode/apps/ssh_support/__init__.py

0 +1 0

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             from . import config_keys
             from .events import SshKeyFileChangeEvent
             from .subscribers import generate_ssh_authorized_keys_file_subscriber
             from rhodecode.config.middleware import _bool_setting, _string_setting
             log = logging.getLogger(__name__)
             def _sanitize_settings_and_apply_defaults(settings):
                 """
                 Set defaults, convert to python types and validate settings.
                 """
                 _bool_setting(settings, config_keys.generate_authorized_keyfile, 'false')
                 _bool_setting(settings, config_keys.wrapper_allow_shell, 'false')
                 _bool_setting(settings, config_keys.enable_debug_logging, 'false')
+                _bool_setting(settings, config_keys.ssh_key_generator_enabled, 'true')
                 _string_setting(settings, config_keys.authorized_keys_file_path,
                                 '~/.ssh/authorized_keys_rhodecode',
                                 lower=False)
                 _string_setting(settings, config_keys.wrapper_cmd, '',
                                 lower=False)
                 _string_setting(settings, config_keys.authorized_keys_line_ssh_opts, '',
                                 lower=False)
                 _string_setting(settings, config_keys.ssh_hg_bin,
                                 '~/.rccontrol/vcsserver-1/profile/bin/hg',
                                 lower=False)
                 _string_setting(settings, config_keys.ssh_git_bin,
                                 '~/.rccontrol/vcsserver-1/profile/bin/git',
                                 lower=False)
                 _string_setting(settings, config_keys.ssh_svn_bin,
                                 '~/.rccontrol/vcsserver-1/profile/bin/svnserve',
                                 lower=False)
             def includeme(config):
                 settings = config.registry.settings
                 _sanitize_settings_and_apply_defaults(settings)
                 # if we have enable generation of file, subscribe to event
                 if settings[config_keys.generate_authorized_keyfile]:
                     config.add_subscriber(
                         generate_ssh_authorized_keys_file_subscriber, SshKeyFileChangeEvent)

rhodecode/apps/ssh_support/config_keys.py

0 +1 0

             # -*- coding: utf-8 -*-
             # Copyright (C) 2016-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             # Definition of setting keys used to configure this module. Defined here to
             # avoid repetition of keys throughout the module.
             generate_authorized_keyfile = 'ssh.generate_authorized_keyfile'
             authorized_keys_file_path = 'ssh.authorized_keys_file_path'
             authorized_keys_line_ssh_opts = 'ssh.authorized_keys_ssh_opts'
+            ssh_key_generator_enabled = 'ssh.enable_ui_key_generator'
             wrapper_cmd = 'ssh.wrapper_cmd'
             wrapper_allow_shell = 'ssh.wrapper_cmd_allow_shell'
             enable_debug_logging = 'ssh.enable_debug_logging'
             ssh_hg_bin = 'ssh.executable.hg'
             ssh_git_bin = 'ssh.executable.git'
             ssh_svn_bin = 'ssh.executable.svn'

rhodecode/lib/base.py

0 +2 0

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             The base Controller API
             Provides the BaseController class for subclassing. And usage in different
             controllers
             """
             import logging
             import socket
             import markupsafe
             import ipaddress
             from paste.auth.basic import AuthBasicAuthenticator
             from paste.httpexceptions import HTTPUnauthorized, HTTPForbidden, get_exception
             from paste.httpheaders import WWW_AUTHENTICATE, AUTHORIZATION
             import rhodecode
             from rhodecode.apps._base import TemplateArgs
             from rhodecode.authentication.base import VCS_TYPE
             from rhodecode.lib import auth, utils2
             from rhodecode.lib import helpers as h
             from rhodecode.lib.auth import AuthUser, CookieStoreWrapper
             from rhodecode.lib.exceptions import UserCreationError
             from rhodecode.lib.utils import (password_changed, get_enabled_hook_classes)
             from rhodecode.lib.utils2 import (
                 str2bool, safe_unicode, AttributeDict, safe_int, sha1, aslist, safe_str)
             from rhodecode.model.db import Repository, User, ChangesetComment, UserBookmark
             from rhodecode.model.notification import NotificationModel
             from rhodecode.model.settings import VcsSettingsModel, SettingsModel
             log = logging.getLogger(__name__)
             def _filter_proxy(ip):
                 """
                 Passed in IP addresses in HEADERS can be in a special format of multiple
                 ips. Those comma separated IPs are passed from various proxies in the
                 chain of request processing. The left-most being the original client.
                 We only care about the first IP which came from the org. client.
                 :param ip: ip string from headers
                 """
                 if ',' in ip:
                     _ips = ip.split(',')
                     _first_ip = _ips[0].strip()
                     log.debug('Got multiple IPs %s, using %s', ','.join(_ips), _first_ip)
                     return _first_ip
                 return ip
             def _filter_port(ip):
                 """
                 Removes a port from ip, there are 4 main cases to handle here.
                 - ipv4 eg. 127.0.0.1
                 - ipv6 eg. ::1
                 - ipv4+port eg. 127.0.0.1:8080
                 - ipv6+port eg. [::1]:8080
                 :param ip:
                 """
                 def is_ipv6(ip_addr):
                     if hasattr(socket, 'inet_pton'):
                         try:
                             socket.inet_pton(socket.AF_INET6, ip_addr)
                         except socket.error:
                             return False
                     else:
                         # fallback to ipaddress
                         try:
                             ipaddress.IPv6Address(safe_unicode(ip_addr))
                         except Exception:
                             return False
                     return True
                 if ':' not in ip:  # must be ipv4 pure ip
                     return ip
                 if '[' in ip and ']' in ip:  # ipv6 with port
                     return ip.split(']')[0][1:].lower()
                 # must be ipv6 or ipv4 with port
                 if is_ipv6(ip):
                     return ip
                 else:
                     ip, _port = ip.split(':')[:2]  # means ipv4+port
                     return ip
             def get_ip_addr(environ):
                 proxy_key = 'HTTP_X_REAL_IP'
                 proxy_key2 = 'HTTP_X_FORWARDED_FOR'
                 def_key = 'REMOTE_ADDR'
                 _filters = lambda x: _filter_port(_filter_proxy(x))
                 ip = environ.get(proxy_key)
                 if ip:
                     return _filters(ip)
                 ip = environ.get(proxy_key2)
                 if ip:
                     return _filters(ip)
                 ip = environ.get(def_key, '0.0.0.0')
                 return _filters(ip)
             def get_server_ip_addr(environ, log_errors=True):
                 hostname = environ.get('SERVER_NAME')
                 try:
                     return socket.gethostbyname(hostname)
                 except Exception as e:
                     if log_errors:
                         # in some cases this lookup is not possible, and we don't want to
                         # make it an exception in logs
                         log.exception('Could not retrieve server ip address: %s', e)
                     return hostname
             def get_server_port(environ):
                 return environ.get('SERVER_PORT')
             def get_access_path(environ):
                 path = environ.get('PATH_INFO')
                 org_req = environ.get('pylons.original_request')
                 if org_req:
                     path = org_req.environ.get('PATH_INFO')
                 return path
             def get_user_agent(environ):
                 return environ.get('HTTP_USER_AGENT')
             def vcs_operation_context(
                     environ, repo_name, username, action, scm, check_locking=True,
                     is_shadow_repo=False, check_branch_perms=False, detect_force_push=False):
                 """
                 Generate the context for a vcs operation, e.g. push or pull.
                 This context is passed over the layers so that hooks triggered by the
                 vcs operation know details like the user, the user's IP address etc.
                 :param check_locking: Allows to switch of the computation of the locking
                     data. This serves mainly the need of the simplevcs middleware to be
                     able to disable this for certain operations.
                 """
                 # Tri-state value: False: unlock, None: nothing, True: lock
                 make_lock = None
                 locked_by = [None, None, None]
                 is_anonymous = username == User.DEFAULT_USER
                 user = User.get_by_username(username)
                 if not is_anonymous and check_locking:
                     log.debug('Checking locking on repository "%s"', repo_name)
                     repo = Repository.get_by_repo_name(repo_name)
                     make_lock, __, locked_by = repo.get_locking_state(
                         action, user.user_id)
                 user_id = user.user_id
                 settings_model = VcsSettingsModel(repo=repo_name)
                 ui_settings = settings_model.get_ui_settings()
                 # NOTE(marcink): This should be also in sync with
                 # rhodecode/apps/ssh_support/lib/backends/base.py:update_environment scm_data
                 store = [x for x in ui_settings if x.key == '/']
                 repo_store = ''
                 if store:
                     repo_store = store[0].value
                 scm_data = {
                     'ip': get_ip_addr(environ),
                     'username': username,
                     'user_id': user_id,
                     'action': action,
                     'repository': repo_name,
                     'scm': scm,
                     'config': rhodecode.CONFIG['__file__'],
                     'repo_store': repo_store,
                     'make_lock': make_lock,
                     'locked_by': locked_by,
                     'server_url': utils2.get_server_url(environ),
                     'user_agent': get_user_agent(environ),
                     'hooks': get_enabled_hook_classes(ui_settings),
                     'is_shadow_repo': is_shadow_repo,
                     'detect_force_push': detect_force_push,
                     'check_branch_perms': check_branch_perms,
                 }
                 return scm_data
             class BasicAuth(AuthBasicAuthenticator):
                 def __init__(self, realm, authfunc, registry, auth_http_code=None,
                              initial_call_detection=False, acl_repo_name=None):
                     self.realm = realm
                     self.initial_call = initial_call_detection
                     self.authfunc = authfunc
                     self.registry = registry
                     self.acl_repo_name = acl_repo_name
                     self._rc_auth_http_code = auth_http_code
                 def _get_response_from_code(self, http_code):
                     try:
                         return get_exception(safe_int(http_code))
                     except Exception:
                         log.exception('Failed to fetch response for code %s', http_code)
                         return HTTPForbidden
                 def get_rc_realm(self):
                     return safe_str(self.registry.rhodecode_settings.get('rhodecode_realm'))
                 def build_authentication(self):
                     head = WWW_AUTHENTICATE.tuples('Basic realm="%s"' % self.realm)
                     if self._rc_auth_http_code and not self.initial_call:
                         # return alternative HTTP code if alternative http return code
                         # is specified in RhodeCode config, but ONLY if it's not the
                         # FIRST call
                         custom_response_klass = self._get_response_from_code(
                             self._rc_auth_http_code)
                         return custom_response_klass(headers=head)
                     return HTTPUnauthorized(headers=head)
                 def authenticate(self, environ):
                     authorization = AUTHORIZATION(environ)
                     if not authorization:
                         return self.build_authentication()
                     (authmeth, auth) = authorization.split(' ', 1)
                     if 'basic' != authmeth.lower():
                         return self.build_authentication()
                     auth = auth.strip().decode('base64')
                     _parts = auth.split(':', 1)
                     if len(_parts) == 2:
                         username, password = _parts
                         auth_data = self.authfunc(
                                 username, password, environ, VCS_TYPE,
                                 registry=self.registry, acl_repo_name=self.acl_repo_name)
                         if auth_data:
                             return {'username': username, 'auth_data': auth_data}
                         if username and password:
                             # we mark that we actually executed authentication once, at
                             # that point we can use the alternative auth code
                             self.initial_call = False
                     return self.build_authentication()
                 __call__ = authenticate
             def calculate_version_hash(config):
                 return sha1(
                     config.get('beaker.session.secret', '') +
                     rhodecode.__version__)[:8]
             def get_current_lang(request):
                 # NOTE(marcink): remove after pyramid move
                 try:
                     return translation.get_lang()[0]
                 except:
                     pass
                 return getattr(request, '_LOCALE_', request.locale_name)
             def attach_context_attributes(context, request, user_id=None):
                 """
                 Attach variables into template context called `c`.
                 """
                 config = request.registry.settings
                 rc_config = SettingsModel().get_all_settings(cache=True)
                 context.rhodecode_version = rhodecode.__version__
                 context.rhodecode_edition = config.get('rhodecode.edition')
                 # unique secret + version does not leak the version but keep consistency
                 context.rhodecode_version_hash = calculate_version_hash(config)
                 # Default language set for the incoming request
                 context.language = get_current_lang(request)
                 # Visual options
                 context.visual = AttributeDict({})
                 # DB stored Visual Items
                 context.visual.show_public_icon = str2bool(
                     rc_config.get('rhodecode_show_public_icon'))
                 context.visual.show_private_icon = str2bool(
                     rc_config.get('rhodecode_show_private_icon'))
                 context.visual.stylify_metatags = str2bool(
                     rc_config.get('rhodecode_stylify_metatags'))
                 context.visual.dashboard_items = safe_int(
                     rc_config.get('rhodecode_dashboard_items', 100))
                 context.visual.admin_grid_items = safe_int(
                     rc_config.get('rhodecode_admin_grid_items', 100))
                 context.visual.show_revision_number = str2bool(
                     rc_config.get('rhodecode_show_revision_number', True))
                 context.visual.show_sha_length = safe_int(
                     rc_config.get('rhodecode_show_sha_length', 100))
                 context.visual.repository_fields = str2bool(
                     rc_config.get('rhodecode_repository_fields'))
                 context.visual.show_version = str2bool(
                     rc_config.get('rhodecode_show_version'))
                 context.visual.use_gravatar = str2bool(
                     rc_config.get('rhodecode_use_gravatar'))
                 context.visual.gravatar_url = rc_config.get('rhodecode_gravatar_url')
                 context.visual.default_renderer = rc_config.get(
                     'rhodecode_markup_renderer', 'rst')
                 context.visual.comment_types = ChangesetComment.COMMENT_TYPES
                 context.visual.rhodecode_support_url = \
                     rc_config.get('rhodecode_support_url') or h.route_url('rhodecode_support')
                 context.visual.affected_files_cut_off = 60
                 context.pre_code = rc_config.get('rhodecode_pre_code')
                 context.post_code = rc_config.get('rhodecode_post_code')
                 context.rhodecode_name = rc_config.get('rhodecode_title')
                 context.default_encodings = aslist(config.get('default_encoding'), sep=',')
                 # if we have specified default_encoding in the request, it has more
                 # priority
                 if request.GET.get('default_encoding'):
                     context.default_encodings.insert(0, request.GET.get('default_encoding'))
                 context.clone_uri_tmpl = rc_config.get('rhodecode_clone_uri_tmpl')
                 context.clone_uri_ssh_tmpl = rc_config.get('rhodecode_clone_uri_ssh_tmpl')
                 # INI stored
                 context.labs_active = str2bool(
                     config.get('labs_settings_active', 'false'))
                 context.ssh_enabled = str2bool(
                     config.get('ssh.generate_authorized_keyfile', 'false'))
+                context.ssh_key_generator_enabled = str2bool(
+                    config.get('ssh.enable_ui_key_generator', 'true'))
                 context.visual.allow_repo_location_change = str2bool(
                     config.get('allow_repo_location_change', True))
                 context.visual.allow_custom_hooks_settings = str2bool(
                     config.get('allow_custom_hooks_settings', True))
                 context.debug_style = str2bool(config.get('debug_style', False))
                 context.rhodecode_instanceid = config.get('instance_id')
                 context.visual.cut_off_limit_diff = safe_int(
                     config.get('cut_off_limit_diff'))
                 context.visual.cut_off_limit_file = safe_int(
                     config.get('cut_off_limit_file'))
                 # AppEnlight
                 context.appenlight_enabled = str2bool(config.get('appenlight', 'false'))
                 context.appenlight_api_public_key = config.get(
                     'appenlight.api_public_key', '')
                 context.appenlight_server_url = config.get('appenlight.server_url', '')
                 diffmode = {
                     "unified": "unified",
                     "sideside": "sideside"
                 }.get(request.GET.get('diffmode'))
                 if diffmode and diffmode != request.session.get('rc_user_session_attr.diffmode'):
                     request.session['rc_user_session_attr.diffmode'] = diffmode
                 # session settings per user
                 session_attrs = {
                     # defaults
                     "clone_url_format": "http",
                     "diffmode": "sideside"
                 }
                 for k, v in request.session.items():
                     pref = 'rc_user_session_attr.'
                     if k and k.startswith(pref):
                         k = k[len(pref):]
                         session_attrs[k] = v
                 context.user_session_attrs = session_attrs
                 # JS template context
                 context.template_context = {
                     'repo_name': None,
                     'repo_type': None,
                     'repo_landing_commit': None,
                     'rhodecode_user': {
                         'username': None,
                         'email': None,
                         'notification_status': False
                     },
                     'session_attrs': session_attrs,
                     'visual': {
                         'default_renderer': None
                     },
                     'commit_data': {
                         'commit_id': None
                     },
                     'pull_request_data': {'pull_request_id': None},
                     'timeago': {
                         'refresh_time': 120 * 1000,
                         'cutoff_limit': 1000 * 60 * 60 * 24 * 7
                     },
                     'pyramid_dispatch': {
                     },
                     'extra': {'plugins': {}}
                 }
                 # END CONFIG VARS
                 context.csrf_token = auth.get_csrf_token(session=request.session)
                 context.backends = rhodecode.BACKENDS.keys()
                 context.backends.sort()
                 unread_count = 0
                 user_bookmark_list = []
                 if user_id:
                     unread_count = NotificationModel().get_unread_cnt_for_user(user_id)
                     user_bookmark_list = UserBookmark.get_bookmarks_for_user(user_id)
                 context.unread_notifications = unread_count
                 context.bookmark_items = user_bookmark_list
                 # web case
                 if hasattr(request, 'user'):
                     context.auth_user = request.user
                     context.rhodecode_user = request.user
                 # api case
                 if hasattr(request, 'rpc_user'):
                     context.auth_user = request.rpc_user
                     context.rhodecode_user = request.rpc_user
                 # attach the whole call context to the request
                 request.call_context = context
             def get_auth_user(request):
                 environ = request.environ
                 session = request.session
                 ip_addr = get_ip_addr(environ)
                 # make sure that we update permissions each time we call controller
                 _auth_token = (request.GET.get('auth_token', '') or
                                request.GET.get('api_key', ''))
                 if _auth_token:
                     # when using API_KEY we assume user exists, and
                     # doesn't need auth based on cookies.
                     auth_user = AuthUser(api_key=_auth_token, ip_addr=ip_addr)
                     authenticated = False
                 else:
                     cookie_store = CookieStoreWrapper(session.get('rhodecode_user'))
                     try:
                         auth_user = AuthUser(user_id=cookie_store.get('user_id', None),
                                              ip_addr=ip_addr)
                     except UserCreationError as e:
                         h.flash(e, 'error')
                         # container auth or other auth functions that create users
                         # on the fly can throw this exception signaling that there's
                         # issue with user creation, explanation should be provided
                         # in Exception itself. We then create a simple blank
                         # AuthUser
                         auth_user = AuthUser(ip_addr=ip_addr)
                     # in case someone changes a password for user it triggers session
                     # flush and forces a re-login
                     if password_changed(auth_user, session):
                         session.invalidate()
                         cookie_store = CookieStoreWrapper(session.get('rhodecode_user'))
                         auth_user = AuthUser(ip_addr=ip_addr)
                     authenticated = cookie_store.get('is_authenticated')
                 if not auth_user.is_authenticated and auth_user.is_user_object:
                     # user is not authenticated and not empty
                     auth_user.set_authenticated(authenticated)
                 return auth_user
             def h_filter(s):
                 """
                 Custom filter for Mako templates. Mako by standard uses `markupsafe.escape`
                 we wrap this with additional functionality that converts None to empty
                 strings
                 """
                 if s is None:
                     return markupsafe.Markup()
                 return markupsafe.escape(s)
             def add_events_routes(config):
                 """
                 Adds routing that can be used in events. Because some events are triggered
                 outside of pyramid context, we need to bootstrap request with some
                 routing registered
                 """
                 from rhodecode.apps._base import ADMIN_PREFIX
                 config.add_route(name='home', pattern='/')
                 config.add_route(name='login', pattern=ADMIN_PREFIX + '/login')
                 config.add_route(name='logout', pattern=ADMIN_PREFIX + '/logout')
                 config.add_route(name='repo_summary', pattern='/{repo_name}')
                 config.add_route(name='repo_summary_explicit', pattern='/{repo_name}/summary')
                 config.add_route(name='repo_group_home', pattern='/{repo_group_name}')
                 config.add_route(name='pullrequest_show',
                                  pattern='/{repo_name}/pull-request/{pull_request_id}')
                 config.add_route(name='pull_requests_global',
                                  pattern='/pull-request/{pull_request_id}')
                 config.add_route(name='repo_commit',
                                  pattern='/{repo_name}/changeset/{commit_id}')
                 config.add_route(name='repo_files',
                                  pattern='/{repo_name}/files/{commit_id}/{f_path}')
             def bootstrap_config(request):
                 import pyramid.testing
                 registry = pyramid.testing.Registry('RcTestRegistry')
                 config = pyramid.testing.setUp(registry=registry, request=request)
                 # allow pyramid lookup in testing
                 config.include('pyramid_mako')
                 config.include('pyramid_beaker')
                 config.include('rhodecode.lib.rc_cache')
                 add_events_routes(config)
                 return config
             def bootstrap_request(**kwargs):
                 import pyramid.testing
                 class TestRequest(pyramid.testing.DummyRequest):
                     application_url = kwargs.pop('application_url', 'http://example.com')
                     host = kwargs.pop('host', 'example.com:80')
                     domain = kwargs.pop('domain', 'example.com')
                     def translate(self, msg):
                         return msg
                     def plularize(self, singular, plural, n):
                         return singular
                     def get_partial_renderer(self, tmpl_name):
                         from rhodecode.lib.partial_renderer import get_partial_renderer
                         return get_partial_renderer(request=self, tmpl_name=tmpl_name)
                     _call_context = TemplateArgs()
                     _call_context.visual = TemplateArgs()
                     _call_context.visual.show_sha_length = 12
                     _call_context.visual.show_revision_number = True
                     @property
                     def call_context(self):
                         return self._call_context
                 class TestDummySession(pyramid.testing.DummySession):
                     def save(*arg, **kw):
                         pass
                 request = TestRequest(**kwargs)
                 request.session = TestDummySession()
                 return request

rhodecode/templates/admin/my_account/my_account_ssh_keys.mako

0 +4 -2

             <div class="panel panel-default">
                 <div class="panel-heading">
                   <h3 class="panel-title">${_('SSH Keys')}</h3>
                 </div>
                 <div class="panel-body">
                     <div class="sshkeys_wrap">
                       <table class="rctable ssh_keys">
                         <tr>
                             <th>${_('Fingerprint')}</th>
                             <th>${_('Description')}</th>
                             <th>${_('Created on')}</th>
                             <th>${_('Accessed on')}</th>
                             <th>${_('Action')}</th>
                         </tr>
                         % if not c.ssh_enabled:
                             <tr><td colspan="4"><div class="">${_('SSH Keys usage is currently disabled, please ask your administrator to enable them.')}</div></td></tr>
                         % else:
                             %if c.user_ssh_keys:
                                 %for ssh_key in c.user_ssh_keys:
                                   <tr class="">
                                     <td class="">
                                         <code>${ssh_key.ssh_key_fingerprint}</code>
                                     </td>
                                     <td class="td-wrap">${ssh_key.description}</td>
                                     <td class="td-tags">${h.format_date(ssh_key.created_on)}</td>
                                     <td class="td-tags">${h.format_date(ssh_key.accessed_on)}</td>
                                     <td class="td-action">
                                         ${h.secure_form(h.route_path('my_account_ssh_keys_delete'), request=request)}
                                             ${h.hidden('del_ssh_key', ssh_key.ssh_key_id)}
                                             <button class="btn btn-link btn-danger" type="submit"
                                                     onclick="return confirm('${_('Confirm to remove ssh key %s') % ssh_key.ssh_key_fingerprint}');">
                                                 ${_('Delete')}
                                             </button>
                                         ${h.end_form()}
                                     </td>
                                   </tr>
                                 %endfor
                             %else:
                             <tr><td colspan="4"><div class="">${_('No additional ssh keys specified')}</div></td></tr>
                             %endif
                         % endif
                       </table>
                     </div>
                     % if c.ssh_enabled:
                     <div class="user_ssh_keys">
                         ${h.secure_form(h.route_path('my_account_ssh_keys_add'), request=request)}
                         <div class="form form-vertical">
                             <!-- fields -->
                             <div class="fields">
                                 <div class="field">
                                     <div class="label">
                                         <label for="new_email">${_('New ssh key')}:</label>
                                     </div>
                                     <div class="input">
                                         ${h.text('description', class_='medium', placeholder=_('Description'))}
-                                        <a href="${h.route_path('my_account_ssh_keys_generate')}">${_('Generate random RSA key')}</a>
+                                        % if c.ssh_key_generator_enabled:
+                                            <a href="${h.route_path('my_account_ssh_keys_generate')}">${_('Generate random RSA key')}</a>
+                                        % endif
                                     </div>
                                  </div>
                                 <div class="field">
                                     <div class="textarea text-area editor">
                                         ${h.textarea('key_data',c.default_key, size=30, placeholder=_("Public key, begins with 'ssh-rsa', 'ssh-dss', 'ssh-ed25519', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', or 'ecdsa-sha2-nistp521'"))}
                                     </div>
                                 </div>
                                 <div class="buttons">
                                   ${h.submit('save',_('Add'),class_="btn")}
                                   ${h.reset('reset',_('Reset'),class_="btn")}
                                 </div>
                                 % if c.default_key:
-                                    ${_('Click add to use this generate SSH key')}
+                                    ${_('Click add to use this generated SSH key')}
                                 % endif
                             </div>
                         </div>
                         ${h.end_form()}
                     </div>
                     % endif
                 </div>
             </div>
             <script>
             $(document).ready(function(){
             });
             </script>

rhodecode/templates/admin/users/user_edit_ssh_keys.mako

0 +3 -1

             <div class="panel panel-default">
                 <div class="panel-heading">
                   <h3 class="panel-title">${_('SSH Keys')}</h3>
                 </div>
                 <div class="panel-body">
                     <div class="sshkeys_wrap">
                       <table class="rctable ssh_keys">
                         <tr>
                             <th>${_('Fingerprint')}</th>
                             <th>${_('Description')}</th>
                             <th>${_('Created on')}</th>
                             <th>${_('Accessed on')}</th>
                             <th>${_('Action')}</th>
                         </tr>
                         %if c.user_ssh_keys:
                             %for ssh_key in c.user_ssh_keys:
                               <tr class="">
                                 <td class="">
                                     <code>${ssh_key.ssh_key_fingerprint}</code>
                                 </td>
                                 <td class="td-wrap">${ssh_key.description}</td>
                                 <td class="td-tags">${h.format_date(ssh_key.created_on)}</td>
                                 <td class="td-tags">${h.format_date(ssh_key.accessed_on)}</td>
                                 <td class="td-action">
                                     ${h.secure_form(h.route_path('edit_user_ssh_keys_delete', user_id=c.user.user_id), request=request)}
                                         ${h.hidden('del_ssh_key', ssh_key.ssh_key_id)}
                                         <button class="btn btn-link btn-danger" type="submit"
                                                 onclick="return confirm('${_('Confirm to remove ssh key %s') % ssh_key.ssh_key_fingerprint}');">
                                             ${_('Delete')}
                                         </button>
                                     ${h.end_form()}
                                 </td>
                               </tr>
                             %endfor
                         %else:
                         <tr><td><div class="ip">${_('No additional ssh keys specified')}</div></td></tr>
                         %endif
                       </table>
                     </div>
                     <div class="user_ssh_keys">
                         ${h.secure_form(h.route_path('edit_user_ssh_keys_add', user_id=c.user.user_id), request=request)}
                         <div class="form form-vertical">
                             <!-- fields -->
                             <div class="fields">
                                 <div class="field">
                                     <div class="label">
                                         <label for="new_email">${_('New ssh key')}:</label>
                                     </div>
                                     <div class="input">
                                         ${h.text('description', class_='medium', placeholder=_('Description'))}
-                                        <a href="${h.route_path('edit_user_ssh_keys_generate_keypair', user_id=c.user.user_id)}">${_('Generate random RSA key')}</a>
+                                        % if c.ssh_key_generator_enabled:
+                                            <a href="${h.route_path('edit_user_ssh_keys_generate_keypair', user_id=c.user.user_id)}">${_('Generate random RSA key')}</a>
+                                        % endif
                                     </div>
                                  </div>
                                 <div class="field">
                                     <div class="textarea text-area editor">
                                         ${h.textarea('key_data',c.default_key, size=30, placeholder=_("Public key, begins with 'ssh-rsa', 'ssh-dss', 'ssh-ed25519', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', or 'ecdsa-sha2-nistp521'"))}
                                     </div>
                                 </div>
                                 <div class="buttons">
                                   ${h.submit('save',_('Add'),class_="btn")}
                                   ${h.reset('reset',_('Reset'),class_="btn")}
                                 </div>
                                 % if c.default_key:
                                     ${_('Click add to use this generate SSH key')}
                                 % endif
                             </div>
                         </div>
                         ${h.end_form()}
                     </div>
                 </div>
             </div>
             <script>
             $(document).ready(function(){
             });
             </script>

rhodecode/templates/admin/users/user_edit_ssh_keys_generate.mako

0 +30 -24

             <div class="panel panel-default">
                 <div class="panel-heading">
-                  <h3 class="panel-title">${_('New SSH Key generated')}</h3>
+                     <h3 class="panel-title">${_('New SSH Key generation')}</h3>
                 </div>
                 <div class="panel-body">
-                    <p>
+                    %if c.ssh_enabled and c.ssh_key_generator_enabled:
-                        ${_('Below is a 2048 bit generated SSH RSA key.')}<br/>
+                        <p>
-                        ${_('If You wish to use it to access RhodeCode via the SSH please save the private key and click `Use this generated key` at the bottom.')}
+                            ${_('Below is a 2048 bit generated SSH RSA key.')}<br/>
-                    </p>
+                            ${_('If You wish to use it to access RhodeCode via the SSH please save the private key and click `Use this generated key` at the bottom.')}
-                    <h4>${_('Private key')}</h4>
+                        </p>
-                    <pre>
+                        <h4>${_('Private key')}</h4>
+                        <pre>
             # Save the below content as
             # Windows: /Users/{username}/.ssh/id_rsa_rhodecode_access_priv.key
             # macOS: /Users/{yourname}/.ssh/id_rsa_rhodecode_access_priv.key
             # Linux: /home/{username}/.ssh/id_rsa_rhodecode_access_priv.key
             # Change permissions to 0600 to make it secure, and usable.
             e.g chmod 0600 /home/{username}/.ssh/id_rsa_rhodecode_access_priv.key
-                    </pre>
+                        </pre>
-                    <div>
+                        <div>
-                        <textarea style="height: 300px">${c.private}</textarea>
+                            <textarea style="height: 300px">${c.private}</textarea>
-                    </div>
+                        </div>
-                    <br/>
+                        <br/>
-                    <h4>${_('Public key')}</h4>
+                        <h4>${_('Public key')}</h4>
-                    <pre>
+                        <pre>
             # Save the below content as
             # Windows: /Users/{username}/.ssh/id_rsa_rhodecode_access_pub.key
             # macOS: /Users/{yourname}/.ssh/id_rsa_rhodecode_access_pub.key
             # Linux: /home/{username}/.ssh/id_rsa_rhodecode_access_pub.key
-                    </pre>
+                        </pre>
-                    <input type="text" value="${c.public}" class="large text" size="100"/>
+                        <input type="text" value="${c.public}" class="large text" size="100"/>
-                    <p>
+                        <p>
-                        % if hasattr(c, 'target_form_url'):
+                            % if hasattr(c, 'target_form_url'):
-                            <a href="${c.target_form_url}">${_('Use this generated key')}.</a>
+                                <a href="${c.target_form_url}">${_('Use this generated key')}.</a>
-                        % else:
+                            % else:
-                            <a href="${h.route_path('edit_user_ssh_keys', user_id=c.user.user_id, _query=dict(default_key=c.public))}">${_('Use this generated key')}.</a>
+                                <a href="${h.route_path('edit_user_ssh_keys', user_id=c.user.user_id, _query=dict(default_key=c.public))}">${_('Use this generated key')}.</a>
-                        % endif
+                            % endif
-                        ${_('Confirmation required on the next screen')}.
+                            ${_('Confirmation required on the next screen')}.
-                    </p>
+                        </p>
+                    % else:
+                        <h2>
+                            ${_('SSH key generator has been disabled.')}
+                        </h2>
+                    % endif
                 </div>
             </div>
             <script>
             $(document).ready(function(){
             });
             </script>

rhodecode/tests/rhodecode.ini

0 +4 0

             ################################################################################
             ##                 RHODECODE COMMUNITY EDITION CONFIGURATION                  ##
             # The %(here)s variable will be replaced with the parent directory of this file#
             ################################################################################
             [DEFAULT]
             debug = true
             ################################################################################
             ##                            EMAIL CONFIGURATION                             ##
             ## Uncomment and replace with the email address which should receive          ##
             ## any error reports after an application crash                               ##
             ## Additionally these settings will be used by the RhodeCode mailing system   ##
             ################################################################################
             ## prefix all emails subjects with given prefix, helps filtering out emails
             #email_prefix = [RhodeCode]
             ## email FROM address all mails will be sent
             #app_email_from = rhodecode-noreply@localhost
             ## Uncomment and replace with the address which should receive any error report
             ## note: using appenlight for error handling doesn't need this to be uncommented
             #email_to = admin@localhost
             #smtp_server = mail.server.com
             #smtp_username =
             #smtp_password =
             #smtp_port =
             #smtp_use_tls = false
             #smtp_use_ssl = true
             [server:main]
             ## COMMON ##
             host = 0.0.0.0
             port = 5000
             ##########################
             ## GUNICORN WSGI SERVER ##
             ##########################
             ## run with gunicorn --log-config rhodecode.ini --paste rhodecode.ini
             use = egg:gunicorn#main
             ## Sets the number of process workers. You must set `instance_id = *`
             ## when this option is set to more than one worker, recommended
             ## value is (2 * NUMBER_OF_CPUS + 1), eg 2CPU = 5 workers
             ## The `instance_id = *` must be set in the [app:main] section below
             #workers = 2
             ## number of threads for each of the worker, must be set to 1 for gevent
             ## generally recommened to be at 1
             #threads = 1
             ## process name
             #proc_name = rhodecode
             ## type of worker class, one of sync, gevent
             ## recommended for bigger setup is using of of other than sync one
             #worker_class = sync
             ## The maximum number of simultaneous clients. Valid only for Gevent
             #worker_connections = 10
             ## max number of requests that worker will handle before being gracefully
             ## restarted, could prevent memory leaks
             #max_requests = 1000
             #max_requests_jitter = 30
             ## amount of time a worker can spend with handling a request before it
             ## gets killed and restarted. Set to 6hrs
             #timeout = 21600
             ## prefix middleware for RhodeCode.
             ## recommended when using proxy setup.
             ## allows to set RhodeCode under a prefix in server.
             ## eg https://server.com/custom_prefix. Enable `filter-with =` option below as well.
             ## And set your prefix like: `prefix = /custom_prefix`
             ## be sure to also set beaker.session.cookie_path = /custom_prefix if you need
             ## to make your cookies only work on prefix url
             [filter:proxy-prefix]
             use = egg:PasteDeploy#prefix
             prefix = /
             [app:main]
             is_test = True
             use = egg:rhodecode-enterprise-ce
             ## enable proxy prefix middleware, defined above
             #filter-with = proxy-prefix
             ## RHODECODE PLUGINS ##
             rhodecode.includes = rhodecode.api
             # api prefix url
             rhodecode.api.url = /_admin/api
             ## END RHODECODE PLUGINS ##
             ## encryption key used to encrypt social plugin tokens,
             ## remote_urls with credentials etc, if not set it defaults to
             ## `beaker.session.secret`
             #rhodecode.encrypted_values.secret =
             ## decryption strict mode (enabled by default). It controls if decryption raises
             ## `SignatureVerificationError` in case of wrong key, or damaged encryption data.
             #rhodecode.encrypted_values.strict = false
             ## return gzipped responses from Rhodecode (static files/application)
             gzip_responses = false
             ## autogenerate javascript routes file on startup
             generate_js_files = false
             ## Optional Languages
             ## en(default), be, de, es, fr, it, ja, pl, pt, ru, zh
             lang = en
             ## perform a full repository scan on each server start, this should be
             ## set to false after first startup, to allow faster server restarts.
             startup.import_repos = true
             ## Uncomment and set this path to use archive download cache.
             ## Once enabled, generated archives will be cached at this location
             ## and served from the cache during subsequent requests for the same archive of
             ## the repository.
             #archive_cache_dir = /tmp/tarballcache
             ## URL at which the application is running. This is used for bootstraping
             ## requests in context when no web request is available. Used in ishell, or
             ## SSH calls. Set this for events to receive proper url for SSH calls.
             app.base_url = http://rhodecode.local
             ## change this to unique ID for security
             app_instance_uuid = rc-production
             ## cut off limit for large diffs (size in bytes)
             cut_off_limit_diff = 1024000
             cut_off_limit_file = 256000
             ## use cache version of scm repo everywhere
             vcs_full_cache = false
             ## force https in RhodeCode, fixes https redirects, assumes it's always https
             ## Normally this is controlled by proper http flags sent from http server
             force_https = false
             ## use Strict-Transport-Security headers
             use_htsts = false
             ## git rev filter option, --all is the default filter, if you need to
             ## hide all refs in changelog switch this to --branches --tags
             git_rev_filter = --all
             # Set to true if your repos are exposed using the dumb protocol
             git_update_server_info = false
             ## RSS/ATOM feed options
             rss_cut_off_limit = 256000
             rss_items_per_page = 10
             rss_include_diff = false
             ## gist URL alias, used to create nicer urls for gist. This should be an
             ## url that does rewrites to _admin/gists/{gistid}.
             ## example: http://gist.rhodecode.org/{gistid}. Empty means use the internal
             ## RhodeCode url, ie. http[s]://rhodecode.server/_admin/gists/{gistid}
             gist_alias_url =
             ## List of views (using glob pattern syntax) that AUTH TOKENS could be
             ## used for access.
             ## Adding ?auth_token=TOKEN_HASH to the url authenticates this request as if it
             ## came from the the logged in user who own this authentication token.
             ## Additionally @TOKEN syntaxt can be used to bound the view to specific
             ## authentication token. Such view would be only accessible when used together
             ## with this authentication token
             ##
             ## list of all views can be found under `/_admin/permissions/auth_token_access`
             ## The list should be "," separated and on a single line.
             ##
             ## Most common views to enable:
             #    RepoCommitsView:repo_commit_download
             #    RepoCommitsView:repo_commit_patch
             #    RepoCommitsView:repo_commit_raw
             #    RepoCommitsView:repo_commit_raw@TOKEN
             #    RepoFilesView:repo_files_diff
             #    RepoFilesView:repo_archivefile
             #    RepoFilesView:repo_file_raw
             #    GistView:*
             api_access_controllers_whitelist =
             ## default encoding used to convert from and to unicode
             ## can be also a comma separated list of encoding in case of mixed encodings
             default_encoding = UTF-8
             ## instance-id prefix
             ## a prefix key for this instance used for cache invalidation when running
             ## multiple instances of rhodecode, make sure it's globally unique for
             ## all running rhodecode instances. Leave empty if you don't use it
             instance_id =
             ## Fallback authentication plugin. Set this to a plugin ID to force the usage
             ## of an authentication plugin also if it is disabled by it's settings.
             ## This could be useful if you are unable to log in to the system due to broken
             ## authentication settings. Then you can enable e.g. the internal rhodecode auth
             ## module to log in again and fix the settings.
             ##
             ## Available builtin plugin IDs (hash is part of the ID):
             ## egg:rhodecode-enterprise-ce#rhodecode
             ## egg:rhodecode-enterprise-ce#pam
             ## egg:rhodecode-enterprise-ce#ldap
             ## egg:rhodecode-enterprise-ce#jasig_cas
             ## egg:rhodecode-enterprise-ce#headers
             ## egg:rhodecode-enterprise-ce#crowd
             #rhodecode.auth_plugin_fallback = egg:rhodecode-enterprise-ce#rhodecode
             ## alternative return HTTP header for failed authentication. Default HTTP
             ## response is 401 HTTPUnauthorized. Currently HG clients have troubles with
             ## handling that causing a series of failed authentication calls.
             ## Set this variable to 403 to return HTTPForbidden, or any other HTTP code
             ## This will be served instead of default 401 on bad authnetication
             auth_ret_code =
             ## use special detection method when serving auth_ret_code, instead of serving
             ## ret_code directly, use 401 initially (Which triggers credentials prompt)
             ## and then serve auth_ret_code to clients
             auth_ret_code_detection = false
             ## locking return code. When repository is locked return this HTTP code. 2XX
             ## codes don't break the transactions while 4XX codes do
             lock_ret_code = 423
             ## allows to change the repository location in settings page
             allow_repo_location_change = true
             ## allows to setup custom hooks in settings page
             allow_custom_hooks_settings = true
             ## generated license token, goto license page in RhodeCode settings to obtain
             ## new token
             license_token = abra-cada-bra1-rce3
             ## supervisor connection uri, for managing supervisor and logs.
             supervisor.uri =
             ## supervisord group name/id we only want this RC instance to handle
             supervisor.group_id = dev
             ## Display extended labs settings
             labs_settings_active = true
             ####################################
             ###        CELERY CONFIG        ####
             ####################################
             use_celery = false
             broker.host = localhost
             broker.vhost = rabbitmqhost
             broker.port = 5672
             broker.user = rabbitmq
             broker.password = qweqwe
             celery.imports = rhodecode.lib.celerylib.tasks
             celery.result.backend = amqp
             celery.result.dburi = amqp://
             celery.result.serialier = json
             #celery.send.task.error.emails = true
             #celery.amqp.task.result.expires = 18000
             celeryd.concurrency = 2
             #celeryd.log.file = celeryd.log
             celeryd.log.level = debug
             celeryd.max.tasks.per.child = 1
             ## tasks will never be sent to the queue, but executed locally instead.
             celery.always.eager = false
             ####################################
             ###         BEAKER CACHE        ####
             ####################################
             # default cache dir for templates.  Putting this into a ramdisk
             ## can boost performance, eg. %(here)s/data_ramdisk
             cache_dir = %(here)s/data
             ## locking and default file storage for Beaker. Putting this into a ramdisk
             ## can boost performance, eg. %(here)s/data_ramdisk/cache/beaker_data
             beaker.cache.data_dir = %(here)s/rc/data/cache/beaker_data
             beaker.cache.lock_dir = %(here)s/rc/data/cache/beaker_lock
             beaker.cache.regions = long_term
             beaker.cache.long_term.type = memory
             beaker.cache.long_term.expire = 36000
             beaker.cache.long_term.key_length = 256
             #####################################
             ###         DOGPILE CACHE        ####
             #####################################
             ## permission tree cache settings
             rc_cache.cache_perms.backend = dogpile.cache.rc.file_namespace
             rc_cache.cache_perms.expiration_time = 0
             rc_cache.cache_perms.arguments.filename = /tmp/rc_cache_1
             ## cache settings for SQL queries
             rc_cache.sql_cache_short.backend = dogpile.cache.rc.memory_lru
             rc_cache.sql_cache_short.expiration_time = 0
             ####################################
             ###       BEAKER SESSION        ####
             ####################################
             ## .session.type is type of storage options for the session, current allowed
             ## types are file, ext:memcached, ext:database, and memory (default).
             beaker.session.type = file
             beaker.session.data_dir = %(here)s/rc/data/sessions/data
             ## db based session, fast, and allows easy management over logged in users
             #beaker.session.type = ext:database
             #beaker.session.table_name = db_session
             #beaker.session.sa.url = postgresql://postgres:secret@localhost/rhodecode
             #beaker.session.sa.url = mysql://root:secret@127.0.0.1/rhodecode
             #beaker.session.sa.pool_recycle = 3600
             #beaker.session.sa.echo = false
             beaker.session.key = rhodecode
             beaker.session.secret = test-rc-uytcxaz
             beaker.session.lock_dir = %(here)s/rc/data/sessions/lock
             ## Secure encrypted cookie. Requires AES and AES python libraries
             ## you must disable beaker.session.secret to use this
             #beaker.session.encrypt_key = key_for_encryption
             #beaker.session.validate_key = validation_key
             ## sets session as invalid(also logging out user) if it haven not been
             ## accessed for given amount of time in seconds
             beaker.session.timeout = 2592000
             beaker.session.httponly = true
             ## Path to use for the cookie. Set to prefix if you use prefix middleware
             #beaker.session.cookie_path = /custom_prefix
             ## uncomment for https secure cookie
             beaker.session.secure = false
             ## auto save the session to not to use .save()
             beaker.session.auto = false
             ## default cookie expiration time in seconds, set to `true` to set expire
             ## at browser close
             #beaker.session.cookie_expires = 3600
             ###################################
             ## SEARCH INDEXING CONFIGURATION ##
             ###################################
             ## Full text search indexer is available in rhodecode-tools under
             ## `rhodecode-tools index` command
             ## WHOOSH Backend, doesn't require additional services to run
             ## it works good with few dozen repos
             search.module = rhodecode.lib.index.whoosh
             search.location = %(here)s/data/index
             ########################################
             ###    CHANNELSTREAM CONFIG         ####
             ########################################
             ## channelstream enables persistent connections and live notification
             ## in the system. It's also used by the chat system
             channelstream.enabled = false
             ## server address for channelstream server on the backend
             channelstream.server = 127.0.0.1:9800
             ## location of the channelstream server from outside world
             ## use ws:// for http or wss:// for https. This address needs to be handled
             ## by external HTTP server such as Nginx or Apache
             ## see nginx/apache configuration examples in our docs
             channelstream.ws_url = ws://rhodecode.yourserver.com/_channelstream
             channelstream.secret = secret
             channelstream.history.location = %(here)s/channelstream_history
             ## Internal application path that Javascript uses to connect into.
             ## If you use proxy-prefix the prefix should be added before /_channelstream
             channelstream.proxy_path = /_channelstream
             ###################################
             ##       APPENLIGHT CONFIG       ##
             ###################################
             ## Appenlight is tailored to work with RhodeCode, see
             ## http://appenlight.com for details how to obtain an account
             ## appenlight integration enabled
             appenlight = false
             appenlight.server_url = https://api.appenlight.com
             appenlight.api_key = YOUR_API_KEY
             #appenlight.transport_config = https://api.appenlight.com?threaded=1&timeout=5
             # used for JS client
             appenlight.api_public_key = YOUR_API_PUBLIC_KEY
             ## TWEAK AMOUNT OF INFO SENT HERE
             ## enables 404 error logging (default False)
             appenlight.report_404 = false
             ## time in seconds after request is considered being slow (default 1)
             appenlight.slow_request_time = 1
             ## record slow requests in application
             ## (needs to be enabled for slow datastore recording and time tracking)
             appenlight.slow_requests = true
             ## enable hooking to application loggers
             appenlight.logging = true
             ## minimum log level for log capture
             appenlight.logging.level = WARNING
             ## send logs only from erroneous/slow requests
             ## (saves API quota for intensive logging)
             appenlight.logging_on_error = false
             ## list of additonal keywords that should be grabbed from environ object
             ## can be string with comma separated list of words in lowercase
             ## (by default client will always send following info:
             ## 'REMOTE_USER', 'REMOTE_ADDR', 'SERVER_NAME', 'CONTENT_TYPE' + all keys that
             ## start with HTTP* this list be extended with additional keywords here
             appenlight.environ_keys_whitelist =
             ## list of keywords that should be blanked from request object
             ## can be string with comma separated list of words in lowercase
             ## (by default client will always blank keys that contain following words
             ## 'password', 'passwd', 'pwd', 'auth_tkt', 'secret', 'csrf'
             ## this list be extended with additional keywords set here
             appenlight.request_keys_blacklist =
             ## list of namespaces that should be ignores when gathering log entries
             ## can be string with comma separated list of namespaces
             ## (by default the client ignores own entries: appenlight_client.client)
             appenlight.log_namespace_blacklist =
             ################################################################################
             ## WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*  ##
             ## Debug mode will enable the interactive debugging tool, allowing ANYONE to  ##
             ## execute malicious code after an exception is raised.                       ##
             ################################################################################
             set debug = false
             ##############
             ## STYLING  ##
             ##############
             debug_style = false
             ###########################################
             ###   MAIN RHODECODE DATABASE CONFIG    ###
             ###########################################
             #sqlalchemy.db1.url = sqlite:///%(here)s/rhodecode_test.db?timeout=30
             #sqlalchemy.db1.url = postgresql://postgres:qweqwe@localhost/rhodecode_test
             #sqlalchemy.db1.url = mysql://root:qweqwe@localhost/rhodecode_test
             sqlalchemy.db1.url = sqlite:///%(here)s/rhodecode_test.db?timeout=30
             # see sqlalchemy docs for other advanced settings
             ## print the sql statements to output
             sqlalchemy.db1.echo = false
             ## recycle the connections after this amount of seconds
             sqlalchemy.db1.pool_recycle = 3600
             sqlalchemy.db1.convert_unicode = true
             ## the number of connections to keep open inside the connection pool.
             ## 0 indicates no limit
             #sqlalchemy.db1.pool_size = 5
             ## the number of connections to allow in connection pool "overflow", that is
             ## connections that can be opened above and beyond the pool_size setting,
             ## which defaults to five.
             #sqlalchemy.db1.max_overflow = 10
             ##################
             ### VCS CONFIG ###
             ##################
             vcs.server.enable = true
             vcs.server = localhost:9901
             ## Web server connectivity protocol, responsible for web based VCS operatations
             ## Available protocols are:
             ## `http` - use http-rpc backend (default)
             vcs.server.protocol = http
             ## Push/Pull operations protocol, available options are:
             ## `http` - use http-rpc backend (default)
             ## `vcsserver.scm_app` - internal app (EE only)
             vcs.scm_app_implementation = http
             ## Push/Pull operations hooks protocol, available options are:
             ## `http` - use http-rpc backend (default)
             vcs.hooks.protocol = http
             vcs.hooks.host = 127.0.0.1
             vcs.server.log_level = debug
             ## Start VCSServer with this instance as a subprocess, Useful for development
             vcs.start_server = false
             ## List of enabled VCS backends, available options are:
             ## `hg`  - mercurial
             ## `git` - git
             ## `svn` - subversion
             vcs.backends = hg, git, svn
             vcs.connection_timeout = 3600
             ## Compatibility version when creating SVN repositories. Defaults to newest version when commented out.
             ## Available options are: pre-1.4-compatible, pre-1.5-compatible, pre-1.6-compatible, pre-1.8-compatible, pre-1.9-compatible
             #vcs.svn.compatible_version = pre-1.8-compatible
             ############################################################
             ### Subversion proxy support (mod_dav_svn)               ###
             ### Maps RhodeCode repo groups into SVN paths for Apache ###
             ############################################################
             ## Enable or disable the config file generation.
             svn.proxy.generate_config = false
             ## Generate config file with `SVNListParentPath` set to `On`.
             svn.proxy.list_parent_path = true
             ## Set location and file name of generated config file.
             svn.proxy.config_file_path = %(here)s/mod_dav_svn.conf
             ## Used as a prefix to the `Location` block in the generated config file.
             ## In most cases it should be set to `/`.
             svn.proxy.location_root = /
             ## Command to reload the mod dav svn configuration on change.
             ## Example: `/etc/init.d/apache2 reload`
             #svn.proxy.reload_cmd = /etc/init.d/apache2 reload
             ## If the timeout expires before the reload command finishes, the command will
             ## be killed. Setting it to zero means no timeout. Defaults to 10 seconds.
             #svn.proxy.reload_timeout = 10
             ############################################################
             ### SSH Support Settings                                 ###
             ############################################################
             ## Defines if the authorized_keys file should be written on any change of
             ## user ssh keys, setting this to false also disables posibility of adding
             ## ssh keys for users from web interface.
             ssh.generate_authorized_keyfile = true
             ## Options for ssh, default is `no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding`
             # ssh.authorized_keys_ssh_opts =
             ## File to generate the authorized keys together with options
             ## It is possible to have multiple key files specified in `sshd_config` e.g.
             ## AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_rhodecode
             ssh.authorized_keys_file_path = %(here)s/rc/authorized_keys_rhodecode
             ## Command to execute the SSH wrapper. The binary is available in the
             ## rhodecode installation directory.
             ## e.g ~/.rccontrol/community-1/profile/bin/rc-ssh-wrapper
             ssh.wrapper_cmd = ~/.rccontrol/community-1/rc-ssh-wrapper
             ## Allow shell when executing the ssh-wrapper command
             ssh.wrapper_cmd_allow_shell = false
             ## Enables logging, and detailed output send back to the client. Useful for
             ## debugging, shouldn't be used in production.
             ssh.enable_debug_logging = false
             ## Paths to binary executrables, by default they are the names, but we can
             ## override them if we want to use a custom one
             ssh.executable.hg = ~/.rccontrol/vcsserver-1/profile/bin/hg
             ssh.executable.git = ~/.rccontrol/vcsserver-1/profile/bin/git
             ssh.executable.svn = ~/.rccontrol/vcsserver-1/profile/bin/svnserve
+            ## Enables SSH key generator web interface. Disabling this still allows users
+            ## to add their own keys.
+            ssh.enable_ui_key_generator = true
             ## Dummy marker to add new entries after.
             ## Add any custom entries below. Please don't remove.
             custom.conf = 1
             ################################
             ### LOGGING CONFIGURATION   ####
             ################################
             [loggers]
             keys = root, sqlalchemy, beaker, rhodecode, ssh_wrapper
             [handlers]
             keys = console, console_sql
             [formatters]
             keys = generic, color_formatter, color_formatter_sql
             #############
             ## LOGGERS ##
             #############
             [logger_root]
             level = NOTSET
             handlers = console
             [logger_routes]
             level = DEBUG
             handlers =
             qualname = routes.middleware
             ## "level = DEBUG" logs the route matched and routing variables.
             propagate = 1
             [logger_beaker]
             level = DEBUG
             handlers =
             qualname = beaker.container
             propagate = 1
             [logger_rhodecode]
             level = DEBUG
             handlers =
             qualname = rhodecode
             propagate = 1
             [logger_sqlalchemy]
             level = ERROR
             handlers = console_sql
             qualname = sqlalchemy.engine
             propagate = 0
             [logger_ssh_wrapper]
             level = DEBUG
             handlers =
             qualname = ssh_wrapper
             propagate = 1
             ##############
             ## HANDLERS ##
             ##############
             [handler_console]
             class = StreamHandler
             args = (sys.stderr,)
             level = DEBUG
             formatter = generic
             [handler_console_sql]
             class = StreamHandler
             args = (sys.stderr,)
             level = WARN
             formatter = generic
             ################
             ## FORMATTERS ##
             ################
             [formatter_generic]
             class = rhodecode.lib.logging_formatter.ExceptionAwareFormatter
             format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S
             [formatter_color_formatter]
             class = rhodecode.lib.logging_formatter.ColorFormatter
             format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S
             [formatter_color_formatter_sql]
             class = rhodecode.lib.logging_formatter.ColorFormatterSql
             format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages