rhodecode-enterprise-ce Commit - r2930:a5198975

security: update lastactivity when on audit logs....

marcink -

r2930:a5198975 default

parent child

The requested changes are too big and content was truncated. Show full diff

rhodecode/api/__init__.py

0 +1 0

             # -*- coding: utf-8 -*-
             # Copyright (C) 2011-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import inspect
             import itertools
             import logging
             import types
             import fnmatch
             import decorator
             import venusian
             from collections import OrderedDict
             from pyramid.exceptions import ConfigurationError
             from pyramid.renderers import render
             from pyramid.response import Response
             from pyramid.httpexceptions import HTTPNotFound
             from rhodecode.api.exc import (
                 JSONRPCBaseError, JSONRPCError, JSONRPCForbidden, JSONRPCValidationError)
             from rhodecode.apps._base import TemplateArgs
             from rhodecode.lib.auth import AuthUser
             from rhodecode.lib.base import get_ip_addr, attach_context_attributes
             from rhodecode.lib.ext_json import json
             from rhodecode.lib.utils2 import safe_str
             from rhodecode.lib.plugins.utils import get_plugin_settings
             from rhodecode.model.db import User, UserApiKeys
             log = logging.getLogger(__name__)
             DEFAULT_RENDERER = 'jsonrpc_renderer'
             DEFAULT_URL = '/_admin/apiv2'
             def find_methods(jsonrpc_methods, pattern):
                 matches = OrderedDict()
                 if not isinstance(pattern, (list, tuple)):
                     pattern = [pattern]
                 for single_pattern in pattern:
                     for method_name, method in jsonrpc_methods.items():
                         if fnmatch.fnmatch(method_name, single_pattern):
                             matches[method_name] = method
                 return matches
             class ExtJsonRenderer(object):
                 """
                 Custom renderer that mkaes use of our ext_json lib
                 """
                 def __init__(self, serializer=json.dumps, **kw):
                     """ Any keyword arguments will be passed to the ``serializer``
                     function."""
                     self.serializer = serializer
                     self.kw = kw
                 def __call__(self, info):
                     """ Returns a plain JSON-encoded string with content-type
                     ``application/json``. The content-type may be overridden by
                     setting ``request.response.content_type``."""
                     def _render(value, system):
                         request = system.get('request')
                         if request is not None:
                             response = request.response
                             ct = response.content_type
                             if ct == response.default_content_type:
                                 response.content_type = 'application/json'
                         return self.serializer(value, **self.kw)
                     return _render
             def jsonrpc_response(request, result):
                 rpc_id = getattr(request, 'rpc_id', None)
                 response = request.response
                 # store content_type before render is called
                 ct = response.content_type
                 ret_value = ''
                 if rpc_id:
                     ret_value = {
                         'id': rpc_id,
                         'result': result,
                         'error': None,
                     }
                     # fetch deprecation warnings, and store it inside results
                     deprecation = getattr(request, 'rpc_deprecation', None)
                     if deprecation:
                         ret_value['DEPRECATION_WARNING'] = deprecation
                 raw_body = render(DEFAULT_RENDERER, ret_value, request=request)
                 response.body = safe_str(raw_body, response.charset)
                 if ct == response.default_content_type:
                     response.content_type = 'application/json'
                 return response
             def jsonrpc_error(request, message, retid=None, code=None):
                 """
                 Generate a Response object with a JSON-RPC error body
                 :param code:
                 :param retid:
                 :param message:
                 """
                 err_dict = {'id': retid, 'result': None, 'error': message}
                 body = render(DEFAULT_RENDERER, err_dict, request=request).encode('utf-8')
                 return Response(
                     body=body,
                     status=code,
                     content_type='application/json'
                 )
             def exception_view(exc, request):
                 rpc_id = getattr(request, 'rpc_id', None)
                 fault_message = 'undefined error'
                 if isinstance(exc, JSONRPCError):
                     fault_message = exc.message
                     log.debug('json-rpc error rpc_id:%s "%s"', rpc_id, fault_message)
                 elif isinstance(exc, JSONRPCValidationError):
                     colander_exc = exc.colander_exception
                     # TODO(marcink): think maybe of nicer way to serialize errors ?
                     fault_message = colander_exc.asdict()
                     log.debug('json-rpc error rpc_id:%s "%s"', rpc_id, fault_message)
                 elif isinstance(exc, JSONRPCForbidden):
                     fault_message = 'Access was denied to this resource.'
                     log.warning('json-rpc forbidden call rpc_id:%s "%s"', rpc_id, fault_message)
                 elif isinstance(exc, HTTPNotFound):
                     method = request.rpc_method
                     log.debug('json-rpc method `%s` not found in list of '
                               'api calls: %s, rpc_id:%s',
                               method, request.registry.jsonrpc_methods.keys(), rpc_id)
                     similar = 'none'
                     try:
                         similar_paterns = ['*{}*'.format(x) for x in method.split('_')]
                         similar_found = find_methods(
                             request.registry.jsonrpc_methods, similar_paterns)
                         similar = ', '.join(similar_found.keys()) or similar
                     except Exception:
                         # make the whole above block safe
                         pass
                     fault_message = "No such method: {}. Similar methods: {}".format(
                         method, similar)
                 return jsonrpc_error(request, fault_message, rpc_id)
             def request_view(request):
                 """
                 Main request handling method. It handles all logic to call a specific
                 exposed method
                 """
                 # check if we can find this session using api_key, get_by_auth_token
                 # search not expired tokens only
                 try:
                     api_user = User.get_by_auth_token(request.rpc_api_key)
                     if api_user is None:
                         return jsonrpc_error(
                             request, retid=request.rpc_id, message='Invalid API KEY')
                     if not api_user.active:
                         return jsonrpc_error(
                             request, retid=request.rpc_id,
                             message='Request from this user not allowed')
                     # check if we are allowed to use this IP
                     auth_u = AuthUser(
                         api_user.user_id, request.rpc_api_key, ip_addr=request.rpc_ip_addr)
                     if not auth_u.ip_allowed:
                         return jsonrpc_error(
                             request, retid=request.rpc_id,
                             message='Request from IP:%s not allowed' % (
                                 request.rpc_ip_addr,))
                     else:
                         log.info('Access for IP:%s allowed' % (request.rpc_ip_addr,))
                     # register our auth-user
                     request.rpc_user = auth_u
+                    request.environ['rc_auth_user_id'] = auth_u.user_id
                     # now check if token is valid for API
                     auth_token = request.rpc_api_key
                     token_match = api_user.authenticate_by_token(
                         auth_token, roles=[UserApiKeys.ROLE_API])
                     invalid_token = not token_match
                     log.debug('Checking if API KEY is valid with proper role')
                     if invalid_token:
                         return jsonrpc_error(
                             request, retid=request.rpc_id,
                             message='API KEY invalid or, has bad role for an API call')
                 except Exception:
                     log.exception('Error on API AUTH')
                     return jsonrpc_error(
                         request, retid=request.rpc_id, message='Invalid API KEY')
                 method = request.rpc_method
                 func = request.registry.jsonrpc_methods[method]
                 # now that we have a method, add request._req_params to
                 # self.kargs and dispatch control to WGIController
                 argspec = inspect.getargspec(func)
                 arglist = argspec[0]
                 defaults = map(type, argspec[3] or [])
                 default_empty = types.NotImplementedType
                 # kw arguments required by this method
                 func_kwargs = dict(itertools.izip_longest(
                     reversed(arglist), reversed(defaults), fillvalue=default_empty))
                 # This attribute will need to be first param of a method that uses
                 # api_key, which is translated to instance of user at that name
                 user_var = 'apiuser'
                 request_var = 'request'
                 for arg in [user_var, request_var]:
                     if arg not in arglist:
                         return jsonrpc_error(
                             request,
                             retid=request.rpc_id,
                             message='This method [%s] does not support '
                                     'required parameter `%s`' % (func.__name__, arg))
                 # get our arglist and check if we provided them as args
                 for arg, default in func_kwargs.items():
                     if arg in [user_var, request_var]:
                         # user_var and request_var are pre-hardcoded parameters and we
                         # don't need to do any translation
                         continue
                     # skip the required param check if it's default value is
                     # NotImplementedType (default_empty)
                     if default == default_empty and arg not in request.rpc_params:
                         return jsonrpc_error(
                             request,
                             retid=request.rpc_id,
                             message=('Missing non optional `%s` arg in JSON DATA' % arg)
                         )
                 # sanitize extra passed arguments
                 for k in request.rpc_params.keys()[:]:
                     if k not in func_kwargs:
                         del request.rpc_params[k]
                 call_params = request.rpc_params
                 call_params.update({
                     'request': request,
                     'apiuser': auth_u
                 })
                 # register some common functions for usage
                 attach_context_attributes(
                     TemplateArgs(), request, request.rpc_user.user_id)
                 try:
                     ret_value = func(**call_params)
                     return jsonrpc_response(request, ret_value)
                 except JSONRPCBaseError:
                     raise
                 except Exception:
                     log.exception('Unhandled exception occurred on api call: %s', func)
                     return jsonrpc_error(request, retid=request.rpc_id,
                                          message='Internal server error')
             def setup_request(request):
                 """
                 Parse a JSON-RPC request body. It's used inside the predicates method
                 to validate and bootstrap requests for usage in rpc calls.
                 We need to raise JSONRPCError here if we want to return some errors back to
                 user.
                 """
                 log.debug('Executing setup request: %r', request)
                 request.rpc_ip_addr = get_ip_addr(request.environ)
                 # TODO(marcink): deprecate GET at some point
                 if request.method not in ['POST', 'GET']:
                     log.debug('unsupported request method "%s"', request.method)
                     raise JSONRPCError(
                         'unsupported request method "%s". Please use POST' % request.method)
                 if 'CONTENT_LENGTH' not in request.environ:
                     log.debug("No Content-Length")
                     raise JSONRPCError("Empty body, No Content-Length in request")
                 else:
                     length = request.environ['CONTENT_LENGTH']
                     log.debug('Content-Length: %s', length)
                     if length == 0:
                         log.debug("Content-Length is 0")
                         raise JSONRPCError("Content-Length is 0")
                 raw_body = request.body
                 try:
                     json_body = json.loads(raw_body)
                 except ValueError as e:
                     # catch JSON errors Here
                     raise JSONRPCError("JSON parse error ERR:%s RAW:%r" % (e, raw_body))
                 request.rpc_id = json_body.get('id')
                 request.rpc_method = json_body.get('method')
                 # check required base parameters
                 try:
                     api_key = json_body.get('api_key')
                     if not api_key:
                         api_key = json_body.get('auth_token')
                     if not api_key:
                         raise KeyError('api_key or auth_token')
                     # TODO(marcink): support passing in token in request header
                     request.rpc_api_key = api_key
                     request.rpc_id = json_body['id']
                     request.rpc_method = json_body['method']
                     request.rpc_params = json_body['args'] \
                         if isinstance(json_body['args'], dict) else {}
                     log.debug(
                         'method: %s, params: %s' % (request.rpc_method, request.rpc_params))
                 except KeyError as e:
                     raise JSONRPCError('Incorrect JSON data. Missing %s' % e)
                 log.debug('setup complete, now handling method:%s rpcid:%s',
                           request.rpc_method, request.rpc_id, )
             class RoutePredicate(object):
                 def __init__(self, val, config):
                     self.val = val
                 def text(self):
                     return 'jsonrpc route = %s' % self.val
                 phash = text
                 def __call__(self, info, request):
                     if self.val:
                         # potentially setup and bootstrap our call
                         setup_request(request)
                         # Always return True so that even if it isn't a valid RPC it
                         # will fall through to the underlaying handlers like notfound_view
                         return True
             class NotFoundPredicate(object):
                 def __init__(self, val, config):
                     self.val = val
                     self.methods = config.registry.jsonrpc_methods
                 def text(self):
                     return 'jsonrpc method not found = {}.'.format(self.val)
                 phash = text
                 def __call__(self, info, request):
                     return hasattr(request, 'rpc_method')
             class MethodPredicate(object):
                 def __init__(self, val, config):
                     self.method = val
                 def text(self):
                     return 'jsonrpc method = %s' % self.method
                 phash = text
                 def __call__(self, context, request):
                     # we need to explicitly return False here, so pyramid doesn't try to
                     # execute our view directly. We need our main handler to execute things
                     return getattr(request, 'rpc_method') == self.method
             def add_jsonrpc_method(config, view, **kwargs):
                 # pop the method name
                 method = kwargs.pop('method', None)
                 if method is None:
                     raise ConfigurationError(
                         'Cannot register a JSON-RPC method without specifying the '
                         '"method"')
                 # we define custom predicate, to enable to detect conflicting methods,
                 # those predicates are kind of "translation" from the decorator variables
                 # to internal predicates names
                 kwargs['jsonrpc_method'] = method
                 # register our view into global view store for validation
                 config.registry.jsonrpc_methods[method] = view
                 # we're using our main request_view handler, here, so each method
                 # has a unified handler for itself
                 config.add_view(request_view, route_name='apiv2', **kwargs)
             class jsonrpc_method(object):
                 """
                 decorator that works similar to @add_view_config decorator,
                 but tailored for our JSON RPC
                 """
                 venusian = venusian  # for testing injection
                 def __init__(self, method=None, **kwargs):
                     self.method = method
                     self.kwargs = kwargs
                 def __call__(self, wrapped):
                     kwargs = self.kwargs.copy()
                     kwargs['method'] = self.method or wrapped.__name__
                     depth = kwargs.pop('_depth', 0)
                     def callback(context, name, ob):
                         config = context.config.with_package(info.module)
                         config.add_jsonrpc_method(view=ob, **kwargs)
                     info = venusian.attach(wrapped, callback, category='pyramid',
                                            depth=depth + 1)
                     if info.scope == 'class':
                         # ensure that attr is set if decorating a class method
                         kwargs.setdefault('attr', wrapped.__name__)
                     kwargs['_info'] = info.codeinfo  # fbo action_method
                     return wrapped
             class jsonrpc_deprecated_method(object):
                 """
                 Marks method as deprecated, adds log.warning, and inject special key to
                 the request variable to mark method as deprecated.
                 Also injects special docstring that extract_docs will catch to mark
                 method as deprecated.
                 :param use_method: specify which method should be used instead of
                     the decorated one
                 Use like::
                     @jsonrpc_method()
                     @jsonrpc_deprecated_method(use_method='new_func', deprecated_at_version='3.0.0')
                     def old_func(request, apiuser, arg1, arg2):
                         ...
                 """
                 def __init__(self, use_method, deprecated_at_version):
                     self.use_method = use_method
                     self.deprecated_at_version = deprecated_at_version
                     self.deprecated_msg = ''
                 def __call__(self, func):
                     self.deprecated_msg = 'Please use method `{method}` instead.'.format(
                         method=self.use_method)
                     docstring = """\n
                     .. deprecated:: {version}
                        {deprecation_message}
                     {original_docstring}
                     """
                     func.__doc__ = docstring.format(
                         version=self.deprecated_at_version,
                         deprecation_message=self.deprecated_msg,
                         original_docstring=func.__doc__)
                     return decorator.decorator(self.__wrapper, func)
                 def __wrapper(self, func, *fargs, **fkwargs):
                     log.warning('DEPRECATED API CALL on function %s, please '
                                 'use `%s` instead', func, self.use_method)
                     # alter function docstring to mark as deprecated, this is picked up
                     # via fabric file that generates API DOC.
                     result = func(*fargs, **fkwargs)
                     request = fargs[0]
                     request.rpc_deprecation = 'DEPRECATED METHOD ' + self.deprecated_msg
                     return result
             def includeme(config):
                 plugin_module = 'rhodecode.api'
                 plugin_settings = get_plugin_settings(
                     plugin_module, config.registry.settings)
                 if not hasattr(config.registry, 'jsonrpc_methods'):
                     config.registry.jsonrpc_methods = OrderedDict()
                 # match filter by given method only
                 config.add_view_predicate('jsonrpc_method', MethodPredicate)
                 config.add_renderer(DEFAULT_RENDERER, ExtJsonRenderer(
                     serializer=json.dumps, indent=4))
                 config.add_directive('add_jsonrpc_method', add_jsonrpc_method)
                 config.add_route_predicate(
                     'jsonrpc_call', RoutePredicate)
                 config.add_route(
                     'apiv2', plugin_settings.get('url', DEFAULT_URL), jsonrpc_call=True)
                 config.scan(plugin_module, ignore='rhodecode.api.tests')
                 # register some exception handling view
                 config.add_view(exception_view, context=JSONRPCBaseError)
                 config.add_view_predicate('jsonrpc_method_not_found', NotFoundPredicate)
                 config.add_notfound_view(exception_view, jsonrpc_method_not_found=True)

rhodecode/api/tests/test_update_user.py

0 +4 0

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import mock
             import pytest
             from rhodecode.model.db import User
             from rhodecode.model.user import UserModel
             from rhodecode.tests import TEST_USER_ADMIN_LOGIN
             from rhodecode.api.tests.utils import (
                 build_data, api_call, assert_ok, assert_error, crash, jsonify)
             @pytest.mark.usefixtures("testuser_api", "app")
             class TestUpdateUser(object):
                 @pytest.mark.parametrize("name, expected", [
                     ('firstname', 'new_username'),
                     ('lastname', 'new_username'),
                     ('email', 'new_username'),
                     ('admin', True),
                     ('admin', False),
                     ('extern_type', 'ldap'),
                     ('extern_type', None),
                     ('extern_name', 'test'),
                     ('extern_name', None),
                     ('active', False),
                     ('active', True),
                     ('password', 'newpass')
                 ])
                 def test_api_update_user(self, name, expected, user_util):
                     usr = user_util.create_user()
                     kw = {name: expected, 'userid': usr.user_id}
                     id_, params = build_data(self.apikey, 'update_user', **kw)
                     response = api_call(self.app, params)
                     ret = {
                         'msg': 'updated user ID:%s %s' % (usr.user_id, usr.username),
                         'user': jsonify(
                             UserModel()
                             .get_by_username(usr.username)
                             .get_api_data(include_secrets=True)
                         )
                     }
                     expected = ret
                     assert_ok(id_, expected, given=response.body)
                 def test_api_update_user_no_changed_params(self):
                     usr = UserModel().get_by_username(TEST_USER_ADMIN_LOGIN)
                     ret = jsonify(usr.get_api_data(include_secrets=True))
                     id_, params = build_data(
                         self.apikey, 'update_user', userid=TEST_USER_ADMIN_LOGIN)
                     response = api_call(self.app, params)
                     ret = {
                         'msg': 'updated user ID:%s %s' % (
                             usr.user_id, TEST_USER_ADMIN_LOGIN),
                         'user': ret
                     }
                     expected = ret
+                    expected['user']['last_activity'] = response.json['result']['user'][
+                        'last_activity']
                     assert_ok(id_, expected, given=response.body)
                 def test_api_update_user_by_user_id(self):
                     usr = UserModel().get_by_username(TEST_USER_ADMIN_LOGIN)
                     ret = jsonify(usr.get_api_data(include_secrets=True))
                     id_, params = build_data(
                         self.apikey, 'update_user', userid=usr.user_id)
                     response = api_call(self.app, params)
                     ret = {
                         'msg': 'updated user ID:%s %s' % (
                             usr.user_id, TEST_USER_ADMIN_LOGIN),
                         'user': ret
                     }
                     expected = ret
+                    expected['user']['last_activity'] = response.json['result']['user'][
+                        'last_activity']
                     assert_ok(id_, expected, given=response.body)
                 def test_api_update_user_default_user(self):
                     usr = User.get_default_user()
                     id_, params = build_data(
                         self.apikey, 'update_user', userid=usr.user_id)
                     response = api_call(self.app, params)
                     expected = 'editing default user is forbidden'
                     assert_error(id_, expected, given=response.body)
                 @mock.patch.object(UserModel, 'update_user', crash)
                 def test_api_update_user_when_exception_happens(self):
                     usr = UserModel().get_by_username(TEST_USER_ADMIN_LOGIN)
                     ret = jsonify(usr.get_api_data(include_secrets=True))
                     id_, params = build_data(
                         self.apikey, 'update_user', userid=usr.user_id)
                     response = api_call(self.app, params)
                     ret = 'failed to update user `%s`' % (usr.user_id,)
                     expected = ret
                     assert_error(id_, expected, given=response.body)

rhodecode/config/middleware.py

0 +10 -6

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import os
             import sys
             import logging
             import collections
             import tempfile
             from paste.gzipper import make_gzip_middleware
+            import pyramid.events
             from pyramid.wsgi import wsgiapp
             from pyramid.authorization import ACLAuthorizationPolicy
             from pyramid.config import Configurator
             from pyramid.settings import asbool, aslist
             from pyramid.httpexceptions import (
                 HTTPException, HTTPError, HTTPInternalServerError, HTTPFound, HTTPNotFound)
-            from pyramid.events import ApplicationCreated
             from pyramid.renderers import render_to_response
             from rhodecode.model import meta
             from rhodecode.config import patches
             from rhodecode.config import utils as config_utils
             from rhodecode.config.environment import load_pyramid_environment
+            import rhodecode.events
             from rhodecode.lib.middleware.vcs import VCSMiddleware
             from rhodecode.lib.request import Request
             from rhodecode.lib.vcs import VCSCommunicationError
             from rhodecode.lib.exceptions import VCSServerUnavailable
             from rhodecode.lib.middleware.appenlight import wrap_in_appenlight_if_enabled
             from rhodecode.lib.middleware.https_fixup import HttpsFixup
             from rhodecode.lib.celerylib.loader import configure_celery
             from rhodecode.lib.plugins.utils import register_rhodecode_plugin
             from rhodecode.lib.utils2 import aslist as rhodecode_aslist, AttributeDict
             from rhodecode.lib.exc_tracking import store_exception
             from rhodecode.subscribers import (
                 scan_repositories_if_enabled, write_js_routes_if_enabled,
                 write_metadata_if_needed, inject_app_settings)
             log = logging.getLogger(__name__)
             def is_http_error(response):
                 # error which should have traceback
                 return response.status_code > 499
             def make_pyramid_app(global_config, **settings):
                 """
                 Constructs the WSGI application based on Pyramid.
                 Specials:
                 * The application can also be integrated like a plugin via the call to
                   `includeme`. This is accompanied with the other utility functions which
                   are called. Changing this should be done with great care to not break
                   cases when these fragments are assembled from another place.
                 """
                 # Allows to use format style "{ENV_NAME}" placeholders in the configuration. It
                 # will be replaced by the value of the environment variable "NAME" in this case.
                 environ = {
                     'ENV_{}'.format(key): value for key, value in os.environ.items()}
                 global_config = _substitute_values(global_config, environ)
                 settings = _substitute_values(settings, environ)
                 sanitize_settings_and_apply_defaults(settings)
                 config = Configurator(settings=settings)
                 # Apply compatibility patches
                 patches.inspect_getargspec()
                 load_pyramid_environment(global_config, settings)
                 # Static file view comes first
                 includeme_first(config)
                 includeme(config)
                 pyramid_app = config.make_wsgi_app()
                 pyramid_app = wrap_app_in_wsgi_middlewares(pyramid_app, config)
                 pyramid_app.config = config
                 config.configure_celery(global_config['__file__'])
                 # creating the app uses a connection - return it after we are done
                 meta.Session.remove()
                 log.info('Pyramid app %s created and configured.', pyramid_app)
                 return pyramid_app
             def not_found_view(request):
                 """
                 This creates the view which should be registered as not-found-view to
                 pyramid.
                 """
                 if not getattr(request, 'vcs_call', None):
                     # handle like regular case with our error_handler
                     return error_handler(HTTPNotFound(), request)
                 # handle not found view as a vcs call
                 settings = request.registry.settings
                 ae_client = getattr(request, 'ae_client', None)
                 vcs_app = VCSMiddleware(
                     HTTPNotFound(), request.registry, settings,
                     appenlight_client=ae_client)
                 return wsgiapp(vcs_app)(None, request)
             def error_handler(exception, request):
                 import rhodecode
                 from rhodecode.lib import helpers
                 rhodecode_title = rhodecode.CONFIG.get('rhodecode_title') or 'RhodeCode'
                 base_response = HTTPInternalServerError()
                 # prefer original exception for the response since it may have headers set
                 if isinstance(exception, HTTPException):
                     base_response = exception
                 elif isinstance(exception, VCSCommunicationError):
                     base_response = VCSServerUnavailable()
                 if is_http_error(base_response):
                     log.exception(
                         'error occurred handling this request for path: %s', request.path)
                 error_explanation = base_response.explanation or str(base_response)
                 if base_response.status_code == 404:
                     error_explanation += " Or you don't have permission to access it."
                 c = AttributeDict()
                 c.error_message = base_response.status
                 c.error_explanation = error_explanation
                 c.visual = AttributeDict()
                 c.visual.rhodecode_support_url = (
                     request.registry.settings.get('rhodecode_support_url') or
                     request.route_url('rhodecode_support')
                 )
                 c.redirect_time = 0
                 c.rhodecode_name = rhodecode_title
                 if not c.rhodecode_name:
                     c.rhodecode_name = 'Rhodecode'
                 c.causes = []
                 if is_http_error(base_response):
                     c.causes.append('Server is overloaded.')
                     c.causes.append('Server database connection is lost.')
                     c.causes.append('Server expected unhandled error.')
                 if hasattr(base_response, 'causes'):
                     c.causes = base_response.causes
                 c.messages = helpers.flash.pop_messages(request=request)
                 exc_info = sys.exc_info()
                 c.exception_id = id(exc_info)
                 c.show_exception_id = isinstance(base_response, VCSServerUnavailable) \
                                       or base_response.status_code > 499
                 c.exception_id_url = request.route_url(
                     'admin_settings_exception_tracker_show', exception_id=c.exception_id)
                 if c.show_exception_id:
                     store_exception(c.exception_id, exc_info)
                 response = render_to_response(
                     '/errors/error_document.mako', {'c': c, 'h': helpers}, request=request,
                     response=base_response)
                 return response
             def includeme_first(config):
                 # redirect automatic browser favicon.ico requests to correct place
                 def favicon_redirect(context, request):
                     return HTTPFound(
                         request.static_path('rhodecode:public/images/favicon.ico'))
                 config.add_view(favicon_redirect, route_name='favicon')
                 config.add_route('favicon', '/favicon.ico')
                 def robots_redirect(context, request):
                     return HTTPFound(
                         request.static_path('rhodecode:public/robots.txt'))
                 config.add_view(robots_redirect, route_name='robots')
                 config.add_route('robots', '/robots.txt')
                 config.add_static_view(
                     '_static/deform', 'deform:static')
                 config.add_static_view(
                     '_static/rhodecode', path='rhodecode:public', cache_max_age=3600 * 24)
             def includeme(config):
                 settings = config.registry.settings
                 config.set_request_factory(Request)
                 # plugin information
                 config.registry.rhodecode_plugins = collections.OrderedDict()
                 config.add_directive(
                     'register_rhodecode_plugin', register_rhodecode_plugin)
                 config.add_directive('configure_celery', configure_celery)
                 if asbool(settings.get('appenlight', 'false')):
                     config.include('appenlight_client.ext.pyramid_tween')
                 # Includes which are required. The application would fail without them.
                 config.include('pyramid_mako')
                 config.include('pyramid_beaker')
                 config.include('rhodecode.lib.caches')
                 config.include('rhodecode.lib.rc_cache')
                 config.include('rhodecode.authentication')
                 config.include('rhodecode.integrations')
                 # apps
                 config.include('rhodecode.apps._base')
                 config.include('rhodecode.apps.ops')
                 config.include('rhodecode.apps.admin')
                 config.include('rhodecode.apps.channelstream')
                 config.include('rhodecode.apps.login')
                 config.include('rhodecode.apps.home')
                 config.include('rhodecode.apps.journal')
                 config.include('rhodecode.apps.repository')
                 config.include('rhodecode.apps.repo_group')
                 config.include('rhodecode.apps.user_group')
                 config.include('rhodecode.apps.search')
                 config.include('rhodecode.apps.user_profile')
                 config.include('rhodecode.apps.user_group_profile')
                 config.include('rhodecode.apps.my_account')
                 config.include('rhodecode.apps.svn_support')
                 config.include('rhodecode.apps.ssh_support')
                 config.include('rhodecode.apps.gist')
                 config.include('rhodecode.apps.debug_style')
                 config.include('rhodecode.tweens')
                 config.include('rhodecode.api')
                 config.add_route(
                     'rhodecode_support', 'https://rhodecode.com/help/', static=True)
                 config.add_translation_dirs('rhodecode:i18n/')
                 settings['default_locale_name'] = settings.get('lang', 'en')
                 # Add subscribers.
-                config.add_subscriber(inject_app_settings, ApplicationCreated)
+                config.add_subscriber(inject_app_settings,
-                config.add_subscriber(scan_repositories_if_enabled, ApplicationCreated)
+                                      pyramid.events.ApplicationCreated)
-                config.add_subscriber(write_metadata_if_needed, ApplicationCreated)
+                config.add_subscriber(scan_repositories_if_enabled,
-                config.add_subscriber(write_js_routes_if_enabled, ApplicationCreated)
+                                      pyramid.events.ApplicationCreated)
+                config.add_subscriber(write_metadata_if_needed,
+                                      pyramid.events.ApplicationCreated)
+                config.add_subscriber(write_js_routes_if_enabled,
+                                      pyramid.events.ApplicationCreated)
                 # request custom methods
                 config.add_request_method(
                     'rhodecode.lib.partial_renderer.get_partial_renderer',
                     'get_partial_renderer')
                 # Set the authorization policy.
                 authz_policy = ACLAuthorizationPolicy()
                 config.set_authorization_policy(authz_policy)
                 # Set the default renderer for HTML templates to mako.
                 config.add_mako_renderer('.html')
                 config.add_renderer(
                     name='json_ext',
                     factory='rhodecode.lib.ext_json_renderer.pyramid_ext_json')
                 # include RhodeCode plugins
                 includes = aslist(settings.get('rhodecode.includes', []))
                 for inc in includes:
                     config.include(inc)
                 # custom not found view, if our pyramid app doesn't know how to handle
                 # the request pass it to potential VCS handling ap
                 config.add_notfound_view(not_found_view)
                 if not settings.get('debugtoolbar.enabled', False):
                     # disabled debugtoolbar handle all exceptions via the error_handlers
                     config.add_view(error_handler, context=Exception)
                 # all errors including 403/404/50X
                 config.add_view(error_handler, context=HTTPError)
             def wrap_app_in_wsgi_middlewares(pyramid_app, config):
                 """
                 Apply outer WSGI middlewares around the application.
                 """
                 registry = config.registry
                 settings = registry.settings
                 # enable https redirects based on HTTP_X_URL_SCHEME set by proxy
                 pyramid_app = HttpsFixup(pyramid_app, settings)
                 pyramid_app, _ae_client = wrap_in_appenlight_if_enabled(
                     pyramid_app, settings)
                 registry.ae_client = _ae_client
                 if settings['gzip_responses']:
                     pyramid_app = make_gzip_middleware(
                         pyramid_app, settings, compress_level=1)
                 # this should be the outer most middleware in the wsgi stack since
                 # middleware like Routes make database calls
                 def pyramid_app_with_cleanup(environ, start_response):
                     try:
                         return pyramid_app(environ, start_response)
                     finally:
                         # Dispose current database session and rollback uncommitted
                         # transactions.
                         meta.Session.remove()
                         # In a single threaded mode server, on non sqlite db we should have
                         # '0 Current Checked out connections' at the end of a request,
                         # if not, then something, somewhere is leaving a connection open
                         pool = meta.Base.metadata.bind.engine.pool
                         log.debug('sa pool status: %s', pool.status())
                         log.debug('Request processing finalized')
                 return pyramid_app_with_cleanup
             def sanitize_settings_and_apply_defaults(settings):
                 """
                 Applies settings defaults and does all type conversion.
                 We would move all settings parsing and preparation into this place, so that
                 we have only one place left which deals with this part. The remaining parts
                 of the application would start to rely fully on well prepared settings.
                 This piece would later be split up per topic to avoid a big fat monster
                 function.
                 """
                 settings.setdefault('rhodecode.edition', 'Community Edition')
                 if 'mako.default_filters' not in settings:
                     # set custom default filters if we don't have it defined
                     settings['mako.imports'] = 'from rhodecode.lib.base import h_filter'
                     settings['mako.default_filters'] = 'h_filter'
                 if 'mako.directories' not in settings:
                     mako_directories = settings.setdefault('mako.directories', [
                         # Base templates of the original application
                         'rhodecode:templates',
                     ])
                     log.debug(
                         "Using the following Mako template directories: %s",
                         mako_directories)
                 # Default includes, possible to change as a user
                 pyramid_includes = settings.setdefault('pyramid.includes', [
                     'rhodecode.lib.middleware.request_wrapper',
                 ])
                 log.debug(
                     "Using the following pyramid.includes: %s",
                     pyramid_includes)
                 # TODO: johbo: Re-think this, usually the call to config.include
                 # should allow to pass in a prefix.
                 settings.setdefault('rhodecode.api.url', '/_admin/api')
                 # Sanitize generic settings.
                 _list_setting(settings, 'default_encoding', 'UTF-8')
                 _bool_setting(settings, 'is_test', 'false')
                 _bool_setting(settings, 'gzip_responses', 'false')
                 # Call split out functions that sanitize settings for each topic.
                 _sanitize_appenlight_settings(settings)
                 _sanitize_vcs_settings(settings)
                 _sanitize_cache_settings(settings)
                 # configure instance id
                 config_utils.set_instance_id(settings)
                 return settings
             def _sanitize_appenlight_settings(settings):
                 _bool_setting(settings, 'appenlight', 'false')
             def _sanitize_vcs_settings(settings):
                 """
                 Applies settings defaults and does type conversion for all VCS related
                 settings.
                 """
                 _string_setting(settings, 'vcs.svn.compatible_version', '')
                 _string_setting(settings, 'git_rev_filter', '--all')
                 _string_setting(settings, 'vcs.hooks.protocol', 'http')
                 _string_setting(settings, 'vcs.hooks.host', '127.0.0.1')
                 _string_setting(settings, 'vcs.scm_app_implementation', 'http')
                 _string_setting(settings, 'vcs.server', '')
                 _string_setting(settings, 'vcs.server.log_level', 'debug')
                 _string_setting(settings, 'vcs.server.protocol', 'http')
                 _bool_setting(settings, 'startup.import_repos', 'false')
                 _bool_setting(settings, 'vcs.hooks.direct_calls', 'false')
                 _bool_setting(settings, 'vcs.server.enable', 'true')
                 _bool_setting(settings, 'vcs.start_server', 'false')
                 _list_setting(settings, 'vcs.backends', 'hg, git, svn')
                 _int_setting(settings, 'vcs.connection_timeout', 3600)
                 # Support legacy values of vcs.scm_app_implementation. Legacy
                 # configurations may use 'rhodecode.lib.middleware.utils.scm_app_http'
                 # which is now mapped to 'http'.
                 scm_app_impl = settings['vcs.scm_app_implementation']
                 if scm_app_impl == 'rhodecode.lib.middleware.utils.scm_app_http':
                     settings['vcs.scm_app_implementation'] = 'http'
             def _sanitize_cache_settings(settings):
                 _string_setting(settings, 'cache_dir',
                                 os.path.join(tempfile.gettempdir(), 'rc_cache'))
                 # cache_perms
                 _string_setting(
                     settings,
                     'rc_cache.cache_perms.backend',
                     'dogpile.cache.rc.file_namespace')
                 _int_setting(
                     settings,
                     'rc_cache.cache_perms.expiration_time',
 )
                 _string_setting(
                     settings,
                     'rc_cache.cache_perms.arguments.filename',
                     os.path.join(tempfile.gettempdir(), 'rc_cache_1'))
                 # cache_repo
                 _string_setting(
                     settings,
                     'rc_cache.cache_repo.backend',
                     'dogpile.cache.rc.file_namespace')
                 _int_setting(
                     settings,
                     'rc_cache.cache_repo.expiration_time',
 )
                 _string_setting(
                     settings,
                     'rc_cache.cache_repo.arguments.filename',
                     os.path.join(tempfile.gettempdir(), 'rc_cache_2'))
                 # sql_cache_short
                 _string_setting(
                     settings,
                     'rc_cache.sql_cache_short.backend',
                     'dogpile.cache.rc.memory_lru')
                 _int_setting(
                     settings,
                     'rc_cache.sql_cache_short.expiration_time',
 )
                 _int_setting(
                     settings,
                     'rc_cache.sql_cache_short.max_size',
 )
             def _int_setting(settings, name, default):
                 settings[name] = int(settings.get(name, default))
             def _bool_setting(settings, name, default):
                 input_val = settings.get(name, default)
                 if isinstance(input_val, unicode):
                     input_val = input_val.encode('utf8')
                 settings[name] = asbool(input_val)
             def _list_setting(settings, name, default):
                 raw_value = settings.get(name, default)
                 old_separator = ','
                 if old_separator in raw_value:
                     # If we get a comma separated list, pass it to our own function.
                     settings[name] = rhodecode_aslist(raw_value, sep=old_separator)
                 else:
                     # Otherwise we assume it uses pyramids space/newline separation.
                     settings[name] = aslist(raw_value)
             def _string_setting(settings, name, default, lower=True):
                 value = settings.get(name, default)
                 if lower:
                     value = value.lower()
                 settings[name] = value
             def _substitute_values(mapping, substitutions):
                 result = {
                     # Note: Cannot use regular replacements, since they would clash
                     # with the implementation of ConfigParser. Using "format" instead.
                     key: value.format(**substitutions)
                     for key, value in mapping.items()
                 }
                 return result

rhodecode/events/__init__.py

0 +3 -1

             # Copyright (C) 2016-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             from pyramid.threadlocal import get_current_registry
             from rhodecode.events.base import RhodeCodeIntegrationEvent
             log = logging.getLogger(__name__)
             def trigger(event, registry=None):
                 """
                 Helper method to send an event. This wraps the pyramid logic to send an
                 event.
                 """
                 # For the first step we are using pyramids thread locals here. If the
                 # event mechanism works out as a good solution we should think about
                 # passing the registry as an argument to get rid of it.
+                event_name = event.__class__
+                log.debug('event %s sent for execution', event_name)
                 registry = registry or get_current_registry()
                 registry.notify(event)
-                log.debug('event %s triggered using registry %s', event.__class__, registry)
+                log.debug('event %s triggered using registry %s', event_name, registry)
                 # Send the events to integrations directly
                 from rhodecode.integrations import integrations_event_handler
                 if isinstance(event, RhodeCodeIntegrationEvent):
                     integrations_event_handler(event)
             from rhodecode.events.user import (  # noqa
                 UserPreCreate,
                 UserPostCreate,
                 UserPreUpdate,
                 UserRegistered,
                 UserPermissionsChange,
             )
             from rhodecode.events.repo import (  # noqa
                 RepoEvent,
                 RepoPreCreateEvent, RepoCreateEvent,
                 RepoPreDeleteEvent, RepoDeleteEvent,
                 RepoPrePushEvent,   RepoPushEvent,
                 RepoPrePullEvent,   RepoPullEvent,
             )
             from rhodecode.events.repo_group import (  # noqa
                 RepoGroupEvent,
                 RepoGroupCreateEvent,
                 RepoGroupUpdateEvent,
                 RepoGroupDeleteEvent,
             )
             from rhodecode.events.pullrequest import (  # noqa
                 PullRequestEvent,
                 PullRequestCreateEvent,
                 PullRequestUpdateEvent,
                 PullRequestCommentEvent,
                 PullRequestReviewEvent,
                 PullRequestMergeEvent,
                 PullRequestCloseEvent,
             )

rhodecode/lib/audit_logger.py

0 +28 -13

             # -*- coding: utf-8 -*-
             # Copyright (C) 2017-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import logging
             import datetime
             from rhodecode.lib.jsonalchemy import JsonRaw
             from rhodecode.model import meta
             from rhodecode.model.db import User, UserLog, Repository
             log = logging.getLogger(__name__)
             # action as key, and expected action_data as value
             ACTIONS_V1 = {
                 'user.login.success': {'user_agent': ''},
                 'user.login.failure': {'user_agent': ''},
                 'user.logout': {'user_agent': ''},
                 'user.register': {},
                 'user.password.reset_request': {},
                 'user.push': {'user_agent': '', 'commit_ids': []},
                 'user.pull': {'user_agent': ''},
                 'user.create': {'data': {}},
                 'user.delete': {'old_data': {}},
                 'user.edit': {'old_data': {}},
                 'user.edit.permissions': {},
                 'user.edit.ip.add': {'ip': {}, 'user': {}},
                 'user.edit.ip.delete': {'ip': {}, 'user': {}},
                 'user.edit.token.add': {'token': {}, 'user': {}},
                 'user.edit.token.delete': {'token': {}, 'user': {}},
                 'user.edit.email.add': {'email': ''},
                 'user.edit.email.delete': {'email': ''},
                 'user.edit.ssh_key.add': {'token': {}, 'user': {}},
                 'user.edit.ssh_key.delete': {'token': {}, 'user': {}},
                 'user.edit.password_reset.enabled': {},
                 'user.edit.password_reset.disabled': {},
                 'user_group.create': {'data': {}},
                 'user_group.delete': {'old_data': {}},
                 'user_group.edit': {'old_data': {}},
                 'user_group.edit.permissions': {},
                 'user_group.edit.member.add': {'user': {}},
                 'user_group.edit.member.delete': {'user': {}},
                 'repo.create': {'data': {}},
                 'repo.fork': {'data': {}},
                 'repo.edit': {'old_data': {}},
                 'repo.edit.permissions': {},
                 'repo.delete': {'old_data': {}},
                 'repo.commit.strip': {'commit_id': ''},
                 'repo.archive.download': {'user_agent': '', 'archive_name': '',
                                           'archive_spec': '', 'archive_cached': ''},
                 'repo.pull_request.create': '',
                 'repo.pull_request.edit': '',
                 'repo.pull_request.delete': '',
                 'repo.pull_request.close': '',
                 'repo.pull_request.merge': '',
                 'repo.pull_request.vote': '',
                 'repo.pull_request.comment.create': '',
                 'repo.pull_request.comment.delete': '',
                 'repo.pull_request.reviewer.add': '',
                 'repo.pull_request.reviewer.delete': '',
                 'repo.commit.comment.create': {'data': {}},
                 'repo.commit.comment.delete': {'data': {}},
                 'repo.commit.vote': '',
                 'repo_group.create': {'data': {}},
                 'repo_group.edit': {'old_data': {}},
                 'repo_group.edit.permissions': {},
                 'repo_group.delete': {'old_data': {}},
             }
             ACTIONS = ACTIONS_V1
             SOURCE_WEB = 'source_web'
             SOURCE_API = 'source_api'
             class UserWrap(object):
                 """
                 Fake object used to imitate AuthUser
                 """
                 def __init__(self, user_id=None, username=None, ip_addr=None):
                     self.user_id = user_id
                     self.username = username
                     self.ip_addr = ip_addr
             class RepoWrap(object):
                 """
                 Fake object used to imitate RepoObject that audit logger requires
                 """
                 def __init__(self, repo_id=None, repo_name=None):
                     self.repo_id = repo_id
                     self.repo_name = repo_name
             def _store_log(action_name, action_data, user_id, username, user_data,
                            ip_address, repository_id, repository_name):
                 user_log = UserLog()
                 user_log.version = UserLog.VERSION_2
                 user_log.action = action_name
                 user_log.action_data = action_data or JsonRaw(u'{}')
                 user_log.user_ip = ip_address
                 user_log.user_id = user_id
                 user_log.username = username
                 user_log.user_data = user_data or JsonRaw(u'{}')
                 user_log.repository_id = repository_id
                 user_log.repository_name = repository_name
                 user_log.action_date = datetime.datetime.now()
                 return user_log
             def store_web(*args, **kwargs):
                 if 'action_data' not in kwargs:
                     kwargs['action_data'] = {}
                 kwargs['action_data'].update({
                     'source': SOURCE_WEB
                 })
                 return store(*args, **kwargs)
             def store_api(*args, **kwargs):
                 if 'action_data' not in kwargs:
                     kwargs['action_data'] = {}
                 kwargs['action_data'].update({
                     'source': SOURCE_API
                 })
                 return store(*args, **kwargs)
             def store(action, user, action_data=None, user_data=None, ip_addr=None,
                       repo=None, sa_session=None, commit=False):
                 """
                 Audit logger for various actions made by users, typically this
                 results in a call such::
                     from rhodecode.lib import audit_logger
                     audit_logger.store(
                         'repo.edit', user=self._rhodecode_user)
                     audit_logger.store(
                         'repo.delete', action_data={'data': repo_data},
                         user=audit_logger.UserWrap(username='itried-login', ip_addr='8.8.8.8'))
                     # repo action
                     audit_logger.store(
                         'repo.delete',
                         user=audit_logger.UserWrap(username='itried-login', ip_addr='8.8.8.8'),
                         repo=audit_logger.RepoWrap(repo_name='some-repo'))
                     # repo action, when we know and have the repository object already
                     audit_logger.store(
                         'repo.delete', action_data={'source': audit_logger.SOURCE_WEB, },
                         user=self._rhodecode_user,
                         repo=repo_object)
                     # alternative wrapper to the above
                     audit_logger.store_web(
                         'repo.delete', action_data={},
                         user=self._rhodecode_user,
                         repo=repo_object)
                     # without an user ?
                     audit_logger.store(
                         'user.login.failure',
                         user=audit_logger.UserWrap(
                                 username=self.request.params.get('username'),
                                 ip_addr=self.request.remote_addr))
                 """
                 from rhodecode.lib.utils2 import safe_unicode
                 from rhodecode.lib.auth import AuthUser
                 action_spec = ACTIONS.get(action, None)
                 if action_spec is None:
                     raise ValueError('Action `{}` is not supported'.format(action))
                 if not sa_session:
                     sa_session = meta.Session()
                 try:
                     username = getattr(user, 'username', None)
                     if not username:
                         pass
                     user_id = getattr(user, 'user_id', None)
                     if not user_id:
                         # maybe we have username ? Try to figure user_id from username
                         if username:
                             user_id = getattr(
                                 User.get_by_username(username), 'user_id', None)
                     ip_addr = ip_addr or getattr(user, 'ip_addr', None)
                     if not ip_addr:
                         pass
                     if not user_data:
                         # try to get this from the auth user
                         if isinstance(user, AuthUser):
                             user_data = {
                                 'username': user.username,
                                 'email': user.email,
                             }
                     repository_name = getattr(repo, 'repo_name', None)
                     repository_id = getattr(repo, 'repo_id', None)
                     if not repository_id:
                         # maybe we have repo_name ? Try to figure repo_id from repo_name
                         if repository_name:
                             repository_id = getattr(
                                 Repository.get_by_repo_name(repository_name), 'repo_id', None)
                     action_name = safe_unicode(action)
                     ip_address = safe_unicode(ip_addr)
-                    user_log = _store_log(
+                    with sa_session.no_autoflush:
-                        action_name=action_name,
+                        update_user_last_activity(sa_session, user_id)
-                        action_data=action_data or {},
-                        user_id=user_id,
-                        username=username,
-                        user_data=user_data or {},
-                        ip_address=ip_address,
-                        repository_id=repository_id,
-                        repository_name=repository_name
-                    sa_session.add(user_log)
+                        user_log = _store_log(
-                    if commit:
+                            action_name=action_name,
-                        sa_session.commit()
+                            action_data=action_data or {},
+                            user_id=user_id,
+                            username=username,
+                            user_data=user_data or {},
+                            ip_address=ip_address,
+                            repository_id=repository_id,
+                            repository_name=repository_name
+                        )
+                        sa_session.add(user_log)
+                        if commit:
+                            sa_session.commit()
                     entry_id = user_log.entry_id or ''
                     log.info('AUDIT[%s]: Logging action: `%s` by user:id:%s[%s] ip:%s',
                              entry_id, action_name, user_id, username, ip_address)
                 except Exception:
                     log.exception('AUDIT: failed to store audit log')
+            def update_user_last_activity(sa_session, user_id):
+                _last_activity = datetime.datetime.now()
+                try:
+                    sa_session.query(User).filter(User.user_id == user_id).update(
+                        {"last_activity": _last_activity})
+                    log.debug(
+                        'updated user `%s` last activity to:%s', user_id, _last_activity)
+                except Exception:
+                    log.exception("Failed last activity update")

rhodecode/lib/middleware/simplevcs.py

0 +2 0

             # -*- coding: utf-8 -*-
             # Copyright (C) 2014-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             SimpleVCS middleware for handling protocol request (push/clone etc.)
             It's implemented with basic auth function
             """
             import os
             import re
             import logging
             import importlib
             from functools import wraps
             from StringIO import StringIO
             from lxml import etree
             import time
             from paste.httpheaders import REMOTE_USER, AUTH_TYPE
             from pyramid.httpexceptions import (
                 HTTPNotFound, HTTPForbidden, HTTPNotAcceptable, HTTPInternalServerError)
             from zope.cachedescriptors.property import Lazy as LazyProperty
             import rhodecode
             from rhodecode.authentication.base import authenticate, VCS_TYPE, loadplugin
             from rhodecode.lib import caches, rc_cache
             from rhodecode.lib.auth import AuthUser, HasPermissionAnyMiddleware
             from rhodecode.lib.base import (
                 BasicAuth, get_ip_addr, get_user_agent, vcs_operation_context)
             from rhodecode.lib.exceptions import (UserCreationError, NotAllowedToCreateUserError)
             from rhodecode.lib.hooks_daemon import prepare_callback_daemon
             from rhodecode.lib.middleware import appenlight
             from rhodecode.lib.middleware.utils import scm_app_http
             from rhodecode.lib.utils import is_valid_repo, SLUG_RE
             from rhodecode.lib.utils2 import safe_str, fix_PATH, str2bool, safe_unicode
             from rhodecode.lib.vcs.conf import settings as vcs_settings
             from rhodecode.lib.vcs.backends import base
             from rhodecode.model import meta
             from rhodecode.model.db import User, Repository, PullRequest
             from rhodecode.model.scm import ScmModel
             from rhodecode.model.pull_request import PullRequestModel
             from rhodecode.model.settings import SettingsModel, VcsSettingsModel
             log = logging.getLogger(__name__)
             def extract_svn_txn_id(acl_repo_name, data):
                 """
                 Helper method for extraction of svn txn_id from submited XML data during
                 POST operations
                 """
                 try:
                     root = etree.fromstring(data)
                     pat = re.compile(r'/txn/(?P<txn_id>.*)')
                     for el in root:
                         if el.tag == '{DAV:}source':
                             for sub_el in el:
                                 if sub_el.tag == '{DAV:}href':
                                     match = pat.search(sub_el.text)
                                     if match:
                                         svn_tx_id = match.groupdict()['txn_id']
                                         txn_id = caches.compute_key_from_params(
                                             acl_repo_name, svn_tx_id)
                                         return txn_id
                 except Exception:
                     log.exception('Failed to extract txn_id')
             def initialize_generator(factory):
                 """
                 Initializes the returned generator by draining its first element.
                 This can be used to give a generator an initializer, which is the code
                 up to the first yield statement. This decorator enforces that the first
                 produced element has the value ``"__init__"`` to make its special
                 purpose very explicit in the using code.
                 """
                 @wraps(factory)
                 def wrapper(*args, **kwargs):
                     gen = factory(*args, **kwargs)
                     try:
                         init = gen.next()
                     except StopIteration:
                         raise ValueError('Generator must yield at least one element.')
                     if init != "__init__":
                         raise ValueError('First yielded element must be "__init__".')
                     return gen
                 return wrapper
             class SimpleVCS(object):
                 """Common functionality for SCM HTTP handlers."""
                 SCM = 'unknown'
                 acl_repo_name = None
                 url_repo_name = None
                 vcs_repo_name = None
                 rc_extras = {}
                 # We have to handle requests to shadow repositories different than requests
                 # to normal repositories. Therefore we have to distinguish them. To do this
                 # we use this regex which will match only on URLs pointing to shadow
                 # repositories.
                 shadow_repo_re = re.compile(
                     '(?P<groups>(?:{slug_pat}/)*)'  # repo groups
                     '(?P<target>{slug_pat})/'       # target repo
                     'pull-request/(?P<pr_id>\d+)/'  # pull request
                     'repository$'                   # shadow repo
                     .format(slug_pat=SLUG_RE.pattern))
                 def __init__(self, config, registry):
                     self.registry = registry
                     self.config = config
                     # re-populated by specialized middleware
                     self.repo_vcs_config = base.Config()
                     self.rhodecode_settings = SettingsModel().get_all_settings(cache=True)
                     registry.rhodecode_settings = self.rhodecode_settings
                     # authenticate this VCS request using authfunc
                     auth_ret_code_detection = \
                         str2bool(self.config.get('auth_ret_code_detection', False))
                     self.authenticate = BasicAuth(
                         '', authenticate, registry, config.get('auth_ret_code'),
                         auth_ret_code_detection)
                     self.ip_addr = '0.0.0.0'
                 @LazyProperty
                 def global_vcs_config(self):
                     try:
                         return VcsSettingsModel().get_ui_settings_as_config_obj()
                     except Exception:
                         return base.Config()
                 @property
                 def base_path(self):
                     settings_path = self.repo_vcs_config.get(
                         *VcsSettingsModel.PATH_SETTING)
                     if not settings_path:
                         settings_path = self.global_vcs_config.get(
                         *VcsSettingsModel.PATH_SETTING)
                     if not settings_path:
                         # try, maybe we passed in explicitly as config option
                         settings_path = self.config.get('base_path')
                     if not settings_path:
                         raise ValueError('FATAL: base_path is empty')
                     return settings_path
                 def set_repo_names(self, environ):
                     """
                     This will populate the attributes acl_repo_name, url_repo_name,
                     vcs_repo_name and is_shadow_repo. In case of requests to normal (non
                     shadow) repositories all names are equal. In case of requests to a
                     shadow repository the acl-name points to the target repo of the pull
                     request and the vcs-name points to the shadow repo file system path.
                     The url-name is always the URL used by the vcs client program.
                     Example in case of a shadow repo:
                         acl_repo_name = RepoGroup/MyRepo
                         url_repo_name = RepoGroup/MyRepo/pull-request/3/repository
                         vcs_repo_name = /repo/base/path/RepoGroup/.__shadow_MyRepo_pr-3'
                     """
                     # First we set the repo name from URL for all attributes. This is the
                     # default if handling normal (non shadow) repo requests.
                     self.url_repo_name = self._get_repository_name(environ)
                     self.acl_repo_name = self.vcs_repo_name = self.url_repo_name
                     self.is_shadow_repo = False
                     # Check if this is a request to a shadow repository.
                     match = self.shadow_repo_re.match(self.url_repo_name)
                     if match:
                         match_dict = match.groupdict()
                         # Build acl repo name from regex match.
                         acl_repo_name = safe_unicode('{groups}{target}'.format(
                             groups=match_dict['groups'] or '',
                             target=match_dict['target']))
                         # Retrieve pull request instance by ID from regex match.
                         pull_request = PullRequest.get(match_dict['pr_id'])
                         # Only proceed if we got a pull request and if acl repo name from
                         # URL equals the target repo name of the pull request.
                         if pull_request and \
                                 (acl_repo_name == pull_request.target_repo.repo_name):
                             repo_id = pull_request.target_repo.repo_id
                             # Get file system path to shadow repository.
                             workspace_id = PullRequestModel()._workspace_id(pull_request)
                             target_vcs = pull_request.target_repo.scm_instance()
                             vcs_repo_name = target_vcs._get_shadow_repository_path(
                                 repo_id, workspace_id)
                             # Store names for later usage.
                             self.vcs_repo_name = vcs_repo_name
                             self.acl_repo_name = acl_repo_name
                             self.is_shadow_repo = True
                     log.debug('Setting all VCS repository names: %s', {
                         'acl_repo_name': self.acl_repo_name,
                         'url_repo_name': self.url_repo_name,
                         'vcs_repo_name': self.vcs_repo_name,
                     })
                 @property
                 def scm_app(self):
                     custom_implementation = self.config['vcs.scm_app_implementation']
                     if custom_implementation == 'http':
                         log.info('Using HTTP implementation of scm app.')
                         scm_app_impl = scm_app_http
                     else:
                         log.info('Using custom implementation of scm_app: "{}"'.format(
                             custom_implementation))
                         scm_app_impl = importlib.import_module(custom_implementation)
                     return scm_app_impl
                 def _get_by_id(self, repo_name):
                     """
                     Gets a special pattern _<ID> from clone url and tries to replace it
                     with a repository_name for support of _<ID> non changeable urls
                     """
                     data = repo_name.split('/')
                     if len(data) >= 2:
                         from rhodecode.model.repo import RepoModel
                         by_id_match = RepoModel().get_repo_by_id(repo_name)
                         if by_id_match:
                             data[1] = by_id_match.repo_name
                     return safe_str('/'.join(data))
                 def _invalidate_cache(self, repo_name):
                     """
                     Set's cache for this repository for invalidation on next access
                     :param repo_name: full repo name, also a cache key
                     """
                     ScmModel().mark_for_invalidation(repo_name)
                 def is_valid_and_existing_repo(self, repo_name, base_path, scm_type):
                     db_repo = Repository.get_by_repo_name(repo_name)
                     if not db_repo:
                         log.debug('Repository `%s` not found inside the database.',
                                   repo_name)
                         return False
                     if db_repo.repo_type != scm_type:
                         log.warning(
                             'Repository `%s` have incorrect scm_type, expected %s got %s',
                             repo_name, db_repo.repo_type, scm_type)
                         return False
                     config = db_repo._config
                     config.set('extensions', 'largefiles', '')
                     return is_valid_repo(
                         repo_name, base_path,
                         explicit_scm=scm_type, expect_scm=scm_type, config=config)
                 def valid_and_active_user(self, user):
                     """
                     Checks if that user is not empty, and if it's actually object it checks
                     if he's active.
                     :param user: user object or None
                     :return: boolean
                     """
                     if user is None:
                         return False
                     elif user.active:
                         return True
                     return False
                 @property
                 def is_shadow_repo_dir(self):
                     return os.path.isdir(self.vcs_repo_name)
                 def _check_permission(self, action, user, repo_name, ip_addr=None,
                                       plugin_id='', plugin_cache_active=False, cache_ttl=0):
                     """
                     Checks permissions using action (push/pull) user and repository
                     name. If plugin_cache and ttl is set it will use the plugin which
                     authenticated the user to store the cached permissions result for N
                     amount of seconds as in cache_ttl
                     :param action: push or pull action
                     :param user: user instance
                     :param repo_name: repository name
                     """
                     log.debug('AUTH_CACHE_TTL for permissions `%s` active: %s (TTL: %s)',
                               plugin_id, plugin_cache_active, cache_ttl)
                     user_id = user.user_id
                     cache_namespace_uid = 'cache_user_auth.{}'.format(user_id)
                     region = rc_cache.get_or_create_region('cache_perms', cache_namespace_uid)
                     @region.conditional_cache_on_arguments(namespace=cache_namespace_uid,
                                                            expiration_time=cache_ttl,
                                                            condition=plugin_cache_active)
                     def compute_perm_vcs(
                             cache_name, plugin_id, action, user_id, repo_name, ip_addr):
                         log.debug('auth: calculating permission access now...')
                         # check IP
                         inherit = user.inherit_default_permissions
                         ip_allowed = AuthUser.check_ip_allowed(
                             user_id, ip_addr, inherit_from_default=inherit)
                         if ip_allowed:
                             log.info('Access for IP:%s allowed', ip_addr)
                         else:
                             return False
                         if action == 'push':
                             perms = ('repository.write', 'repository.admin')
                             if not HasPermissionAnyMiddleware(*perms)(user, repo_name):
                                 return False
                         else:
                             # any other action need at least read permission
                             perms = (
                                 'repository.read', 'repository.write', 'repository.admin')
                             if not HasPermissionAnyMiddleware(*perms)(user, repo_name):
                                 return False
                         return True
                     start = time.time()
                     log.debug('Running plugin `%s` permissions check', plugin_id)
                     # for environ based auth, password can be empty, but then the validation is
                     # on the server that fills in the env data needed for authentication
                     perm_result = compute_perm_vcs(
                         'vcs_permissions', plugin_id, action, user.user_id, repo_name, ip_addr)
                     auth_time = time.time() - start
                     log.debug('Permissions for plugin `%s` completed in %.3fs, '
                               'expiration time of fetched cache %.1fs.',
                               plugin_id, auth_time, cache_ttl)
                     return perm_result
                 def _check_ssl(self, environ, start_response):
                     """
                     Checks the SSL check flag and returns False if SSL is not present
                     and required True otherwise
                     """
                     org_proto = environ['wsgi._org_proto']
                     # check if we have SSL required  ! if not it's a bad request !
                     require_ssl = str2bool(self.repo_vcs_config.get('web', 'push_ssl'))
                     if require_ssl and org_proto == 'http':
                         log.debug(
                             'Bad request: detected protocol is `%s` and '
                             'SSL/HTTPS is required.', org_proto)
                         return False
                     return True
                 def _get_default_cache_ttl(self):
                     # take AUTH_CACHE_TTL from the `rhodecode` auth plugin
                     plugin = loadplugin('egg:rhodecode-enterprise-ce#rhodecode')
                     plugin_settings = plugin.get_settings()
                     plugin_cache_active, cache_ttl = plugin.get_ttl_cache(
                         plugin_settings) or (False, 0)
                     return plugin_cache_active, cache_ttl
                 def __call__(self, environ, start_response):
                     try:
                         return self._handle_request(environ, start_response)
                     except Exception:
                         log.exception("Exception while handling request")
                         appenlight.track_exception(environ)
                         return HTTPInternalServerError()(environ, start_response)
                     finally:
                         meta.Session.remove()
                 def _handle_request(self, environ, start_response):
                     if not self._check_ssl(environ, start_response):
                         reason = ('SSL required, while RhodeCode was unable '
                                   'to detect this as SSL request')
                         log.debug('User not allowed to proceed, %s', reason)
                         return HTTPNotAcceptable(reason)(environ, start_response)
                     if not self.url_repo_name:
                         log.warning('Repository name is empty: %s', self.url_repo_name)
                         # failed to get repo name, we fail now
                         return HTTPNotFound()(environ, start_response)
                     log.debug('Extracted repo name is %s', self.url_repo_name)
                     ip_addr = get_ip_addr(environ)
                     user_agent = get_user_agent(environ)
                     username = None
                     # skip passing error to error controller
                     environ['pylons.status_code_redirect'] = True
                     # ======================================================================
                     # GET ACTION PULL or PUSH
                     # ======================================================================
                     action = self._get_action(environ)
                     # ======================================================================
                     # Check if this is a request to a shadow repository of a pull request.
                     # In this case only pull action is allowed.
                     # ======================================================================
                     if self.is_shadow_repo and action != 'pull':
                         reason = 'Only pull action is allowed for shadow repositories.'
                         log.debug('User not allowed to proceed, %s', reason)
                         return HTTPNotAcceptable(reason)(environ, start_response)
                     # Check if the shadow repo actually exists, in case someone refers
                     # to it, and it has been deleted because of successful merge.
                     if self.is_shadow_repo and not self.is_shadow_repo_dir:
                         log.debug(
                             'Shadow repo detected, and shadow repo dir `%s` is missing',
                             self.is_shadow_repo_dir)
                         return HTTPNotFound()(environ, start_response)
                     # ======================================================================
                     # CHECK ANONYMOUS PERMISSION
                     # ======================================================================
                     if action in ['pull', 'push']:
                         anonymous_user = User.get_default_user()
                         username = anonymous_user.username
                         if anonymous_user.active:
                             plugin_cache_active, cache_ttl = self._get_default_cache_ttl()
                             # ONLY check permissions if the user is activated
                             anonymous_perm = self._check_permission(
                                 action, anonymous_user, self.acl_repo_name, ip_addr,
                                 plugin_id='anonymous_access',
                                 plugin_cache_active=plugin_cache_active,
                                 cache_ttl=cache_ttl,
                             )
                         else:
                             anonymous_perm = False
                         if not anonymous_user.active or not anonymous_perm:
                             if not anonymous_user.active:
                                 log.debug('Anonymous access is disabled, running '
                                           'authentication')
                             if not anonymous_perm:
                                 log.debug('Not enough credentials to access this '
                                           'repository as anonymous user')
                             username = None
                             # ==============================================================
                             # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE
                             # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS
                             # ==============================================================
                             # try to auth based on environ, container auth methods
                             log.debug('Running PRE-AUTH for container based authentication')
                             pre_auth = authenticate(
                                 '', '', environ, VCS_TYPE, registry=self.registry,
                                 acl_repo_name=self.acl_repo_name)
                             if pre_auth and pre_auth.get('username'):
                                 username = pre_auth['username']
                             log.debug('PRE-AUTH got %s as username', username)
                             if pre_auth:
                                 log.debug('PRE-AUTH successful from %s',
                                           pre_auth.get('auth_data', {}).get('_plugin'))
                             # If not authenticated by the container, running basic auth
                             # before inject the calling repo_name for special scope checks
                             self.authenticate.acl_repo_name = self.acl_repo_name
                             plugin_cache_active, cache_ttl = False, 0
                             plugin = None
                             if not username:
                                 self.authenticate.realm = self.authenticate.get_rc_realm()
                                 try:
                                     auth_result = self.authenticate(environ)
                                 except (UserCreationError, NotAllowedToCreateUserError) as e:
                                     log.error(e)
                                     reason = safe_str(e)
                                     return HTTPNotAcceptable(reason)(environ, start_response)
                                 if isinstance(auth_result, dict):
                                     AUTH_TYPE.update(environ, 'basic')
                                     REMOTE_USER.update(environ, auth_result['username'])
                                     username = auth_result['username']
                                     plugin = auth_result.get('auth_data', {}).get('_plugin')
                                     log.info(
                                         'MAIN-AUTH successful for user `%s` from %s plugin',
                                         username, plugin)
                                     plugin_cache_active, cache_ttl = auth_result.get(
                                         'auth_data', {}).get('_ttl_cache') or (False, 0)
                                 else:
                                     return auth_result.wsgi_application(
                                         environ, start_response)
                             # ==============================================================
                             # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME
                             # ==============================================================
                             user = User.get_by_username(username)
                             if not self.valid_and_active_user(user):
                                 return HTTPForbidden()(environ, start_response)
                             username = user.username
+                            user_id = user.user_id
                             # check user attributes for password change flag
                             user_obj = user
                             if user_obj and user_obj.username != User.DEFAULT_USER and \
                                     user_obj.user_data.get('force_password_change'):
                                 reason = 'password change required'
                                 log.debug('User not allowed to authenticate, %s', reason)
                                 return HTTPNotAcceptable(reason)(environ, start_response)
                             # check permissions for this repository
                             perm = self._check_permission(
                                 action, user, self.acl_repo_name, ip_addr,
                                 plugin, plugin_cache_active, cache_ttl)
                             if not perm:
                                 return HTTPForbidden()(environ, start_response)
+                            environ['rc_auth_user_id'] = user_id
                     # extras are injected into UI object and later available
                     # in hooks executed by RhodeCode
                     check_locking = _should_check_locking(environ.get('QUERY_STRING'))
                     extras = vcs_operation_context(
                         environ, repo_name=self.acl_repo_name, username=username,
                         action=action, scm=self.SCM, check_locking=check_locking,
                         is_shadow_repo=self.is_shadow_repo
                     )
                     # ======================================================================
                     # REQUEST HANDLING
                     # ======================================================================
                     repo_path = os.path.join(
                         safe_str(self.base_path), safe_str(self.vcs_repo_name))
                     log.debug('Repository path is %s', repo_path)
                     fix_PATH()
                     log.info(
                         '%s action on %s repo "%s" by "%s" from %s %s',
                         action, self.SCM, safe_str(self.url_repo_name),
                         safe_str(username), ip_addr, user_agent)
                     return self._generate_vcs_response(
                         environ, start_response, repo_path, extras, action)
                 @initialize_generator
                 def _generate_vcs_response(
                         self, environ, start_response, repo_path, extras, action):
                     """
                     Returns a generator for the response content.
                     This method is implemented as a generator, so that it can trigger
                     the cache validation after all content sent back to the client. It
                     also handles the locking exceptions which will be triggered when
                     the first chunk is produced by the underlying WSGI application.
                     """
                     txn_id = ''
                     if 'CONTENT_LENGTH' in environ and environ['REQUEST_METHOD'] == 'MERGE':
                         # case for SVN, we want to re-use the callback daemon port
                         # so we use the txn_id, for this we peek the body, and still save
                         # it as wsgi.input
                         data = environ['wsgi.input'].read()
                         environ['wsgi.input'] = StringIO(data)
                         txn_id = extract_svn_txn_id(self.acl_repo_name, data)
                     callback_daemon, extras = self._prepare_callback_daemon(
                         extras, environ, action, txn_id=txn_id)
                     log.debug('HOOKS extras is %s', extras)
                     config = self._create_config(extras, self.acl_repo_name)
                     app = self._create_wsgi_app(repo_path, self.url_repo_name, config)
                     with callback_daemon:
                         app.rc_extras = extras
                         try:
                             response = app(environ, start_response)
                         finally:
                             # This statement works together with the decorator
                             # "initialize_generator" above. The decorator ensures that
                             # we hit the first yield statement before the generator is
                             # returned back to the WSGI server. This is needed to
                             # ensure that the call to "app" above triggers the
                             # needed callback to "start_response" before the
                             # generator is actually used.
                             yield "__init__"
                         # iter content
                         for chunk in response:
                             yield chunk
                         try:
                             # invalidate cache on push
                             if action == 'push':
                                 self._invalidate_cache(self.url_repo_name)
                         finally:
                             meta.Session.remove()
                 def _get_repository_name(self, environ):
                     """Get repository name out of the environmnent
                     :param environ: WSGI environment
                     """
                     raise NotImplementedError()
                 def _get_action(self, environ):
                     """Map request commands into a pull or push command.
                     :param environ: WSGI environment
                     """
                     raise NotImplementedError()
                 def _create_wsgi_app(self, repo_path, repo_name, config):
                     """Return the WSGI app that will finally handle the request."""
                     raise NotImplementedError()
                 def _create_config(self, extras, repo_name):
                     """Create a safe config representation."""
                     raise NotImplementedError()
                 def _should_use_callback_daemon(self, extras, environ, action):
                     return True
                 def _prepare_callback_daemon(self, extras, environ, action, txn_id=None):
                     direct_calls = vcs_settings.HOOKS_DIRECT_CALLS
                     if not self._should_use_callback_daemon(extras, environ, action):
                         # disable callback daemon for actions that don't require it
                         direct_calls = True
                     return prepare_callback_daemon(
                         extras, protocol=vcs_settings.HOOKS_PROTOCOL,
                         host=vcs_settings.HOOKS_HOST, use_direct_calls=direct_calls, txn_id=txn_id)
             def _should_check_locking(query_string):
                 # this is kind of hacky, but due to how mercurial handles client-server
                 # server see all operation on commit; bookmarks, phases and
                 # obsolescence marker in different transaction, we don't want to check
                 # locking on those
                 return query_string not in ['cmd=listkeys']

rhodecode/model/db.py

0 0 0

	1	NO CONTENT: modified file			NO CONTENT: modified file
The requested commit or file is too big and content was truncated. Show full diff

rhodecode/subscribers.py

0 +1 0

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import io
             import re
             import datetime
             import logging
             import Queue
             import subprocess32
             import os
             from dateutil.parser import parse
             from pyramid.i18n import get_localizer
             from pyramid.threadlocal import get_current_request
             from pyramid.interfaces import IRoutesMapper
             from pyramid.settings import asbool
             from pyramid.path import AssetResolver
             from threading import Thread
             from rhodecode.translation import _ as tsf
             from rhodecode.config.jsroutes import generate_jsroutes_content
             from rhodecode.lib import auth
             from rhodecode.lib.base import get_auth_user
             import rhodecode
             log = logging.getLogger(__name__)
             def add_renderer_globals(event):
                 from rhodecode.lib import helpers
                 # TODO: When executed in pyramid view context the request is not available
                 # in the event. Find a better solution to get the request.
                 request = event['request'] or get_current_request()
                 # Add Pyramid translation as '_' to context
                 event['_'] = request.translate
                 event['_ungettext'] = request.plularize
                 event['h'] = helpers
             def add_localizer(event):
                 request = event.request
                 localizer = request.localizer
                 def auto_translate(*args, **kwargs):
                     return localizer.translate(tsf(*args, **kwargs))
                 request.translate = auto_translate
                 request.plularize = localizer.pluralize
             def set_user_lang(event):
                 request = event.request
                 cur_user = getattr(request, 'user', None)
                 if cur_user:
                     user_lang = cur_user.get_instance().user_data.get('language')
                     if user_lang:
                         log.debug('lang: setting current user:%s language to: %s', cur_user, user_lang)
                         event.request._LOCALE_ = user_lang
             def add_request_user_context(event):
                 """
                 Adds auth user into request context
                 """
                 request = event.request
                 # access req_id as soon as possible
                 req_id = request.req_id
                 if hasattr(request, 'vcs_call'):
                     # skip vcs calls
                     return
                 if hasattr(request, 'rpc_method'):
                     # skip api calls
                     return
                 auth_user = get_auth_user(request)
                 request.user = auth_user
                 request.environ['rc_auth_user'] = auth_user
+                request.environ['rc_auth_user_id'] = auth_user.user_id
                 request.environ['rc_req_id'] = req_id
             def inject_app_settings(event):
                 settings = event.app.registry.settings
                 # inject info about available permissions
                 auth.set_available_permissions(settings)
             def scan_repositories_if_enabled(event):
                 """
                 This is subscribed to the `pyramid.events.ApplicationCreated` event. It
                 does a repository scan if enabled in the settings.
                 """
                 settings = event.app.registry.settings
                 vcs_server_enabled = settings['vcs.server.enable']
                 import_on_startup = settings['startup.import_repos']
                 if vcs_server_enabled and import_on_startup:
                     from rhodecode.model.scm import ScmModel
                     from rhodecode.lib.utils import repo2db_mapper, get_rhodecode_base_path
                     repositories = ScmModel().repo_scan(get_rhodecode_base_path())
                     repo2db_mapper(repositories, remove_obsolete=False)
             def write_metadata_if_needed(event):
                 """
                 Writes upgrade metadata
                 """
                 import rhodecode
                 from rhodecode.lib import system_info
                 from rhodecode.lib import ext_json
                 fname = '.rcmetadata.json'
                 ini_loc = os.path.dirname(rhodecode.CONFIG.get('__file__'))
                 metadata_destination = os.path.join(ini_loc, fname)
                 def get_update_age():
                     now = datetime.datetime.utcnow()
                     with open(metadata_destination, 'rb') as f:
                         data = ext_json.json.loads(f.read())
                         if 'created_on' in data:
                             update_date = parse(data['created_on'])
                             diff = now - update_date
                             return diff.total_seconds() / 60.0
                     return 0
                 def write():
                     configuration = system_info.SysInfo(
                         system_info.rhodecode_config)()['value']
                     license_token = configuration['config']['license_token']
                     setup = dict(
                         workers=configuration['config']['server:main'].get(
                             'workers', '?'),
                         worker_type=configuration['config']['server:main'].get(
                             'worker_class', 'sync'),
                     )
                     dbinfo = system_info.SysInfo(system_info.database_info)()['value']
                     del dbinfo['url']
                     metadata = dict(
                         desc='upgrade metadata info',
                         license_token=license_token,
                         created_on=datetime.datetime.utcnow().isoformat(),
                         usage=system_info.SysInfo(system_info.usage_info)()['value'],
                         platform=system_info.SysInfo(system_info.platform_type)()['value'],
                         database=dbinfo,
                         cpu=system_info.SysInfo(system_info.cpu)()['value'],
                         memory=system_info.SysInfo(system_info.memory)()['value'],
                         setup=setup
                     )
                     with open(metadata_destination, 'wb') as f:
                         f.write(ext_json.json.dumps(metadata))
                 settings = event.app.registry.settings
                 if settings.get('metadata.skip'):
                     return
                 # only write this every 24h, workers restart caused unwanted delays
                 try:
                     age_in_min = get_update_age()
                 except Exception:
                     age_in_min = 0
                 if age_in_min > 60 * 60 * 24:
                     return
                 try:
                     write()
                 except Exception:
                     pass
             def write_js_routes_if_enabled(event):
                 registry = event.app.registry
                 mapper = registry.queryUtility(IRoutesMapper)
                 _argument_prog = re.compile('\{(.*?)\}|:\((.*)\)')
                 def _extract_route_information(route):
                     """
                     Convert a route into tuple(name, path, args), eg:
                         ('show_user', '/profile/%(username)s', ['username'])
                     """
                     routepath = route.pattern
                     pattern = route.pattern
                     def replace(matchobj):
                         if matchobj.group(1):
                             return "%%(%s)s" % matchobj.group(1).split(':')[0]
                         else:
                             return "%%(%s)s" % matchobj.group(2)
                     routepath = _argument_prog.sub(replace, routepath)
                     if not routepath.startswith('/'):
                         routepath = '/'+routepath
                     return (
                         route.name,
                         routepath,
                         [(arg[0].split(':')[0] if arg[0] != '' else arg[1])
                           for arg in _argument_prog.findall(pattern)]
                     )
                 def get_routes():
                     # pyramid routes
                     for route in mapper.get_routes():
                         if not route.name.startswith('__'):
                             yield _extract_route_information(route)
                 if asbool(registry.settings.get('generate_js_files', 'false')):
                     static_path = AssetResolver().resolve('rhodecode:public').abspath()
                     jsroutes = get_routes()
                     jsroutes_file_content = generate_jsroutes_content(jsroutes)
                     jsroutes_file_path = os.path.join(
                         static_path, 'js', 'rhodecode', 'routes.js')
                     try:
                         with io.open(jsroutes_file_path, 'w', encoding='utf-8') as f:
                             f.write(jsroutes_file_content)
                     except Exception:
                         log.exception('Failed to write routes.js into %s', jsroutes_file_path)
             class Subscriber(object):
                 """
                 Base class for subscribers to the pyramid event system.
                 """
                 def __call__(self, event):
                     self.run(event)
                 def run(self, event):
                     raise NotImplementedError('Subclass has to implement this.')
             class AsyncSubscriber(Subscriber):
                 """
                 Subscriber that handles the execution of events in a separate task to not
                 block the execution of the code which triggers the event. It puts the
                 received events into a queue from which the worker process takes them in
                 order.
                 """
                 def __init__(self):
                     self._stop = False
                     self._eventq = Queue.Queue()
                     self._worker = self.create_worker()
                     self._worker.start()
                 def __call__(self, event):
                     self._eventq.put(event)
                 def create_worker(self):
                     worker = Thread(target=self.do_work)
                     worker.daemon = True
                     return worker
                 def stop_worker(self):
                     self._stop = False
                     self._eventq.put(None)
                     self._worker.join()
                 def do_work(self):
                     while not self._stop:
                         event = self._eventq.get()
                         if event is not None:
                             self.run(event)
             class AsyncSubprocessSubscriber(AsyncSubscriber):
                 """
                 Subscriber that uses the subprocess32 module to execute a command if an
                 event is received. Events are handled asynchronously.
                 """
                 def __init__(self, cmd, timeout=None):
                     super(AsyncSubprocessSubscriber, self).__init__()
                     self._cmd = cmd
                     self._timeout = timeout
                 def run(self, event):
                     cmd = self._cmd
                     timeout = self._timeout
                     log.debug('Executing command %s.', cmd)
                     try:
                         output = subprocess32.check_output(
                             cmd, timeout=timeout, stderr=subprocess32.STDOUT)
                         log.debug('Command finished %s', cmd)
                         if output:
                             log.debug('Command output: %s', output)
                     except subprocess32.TimeoutExpired as e:
                         log.exception('Timeout while executing command.')
                         if e.output:
                             log.error('Command output: %s', e.output)
                     except subprocess32.CalledProcessError as e:
                         log.exception('Error while executing command.')
                         if e.output:
                             log.error('Command output: %s', e.output)
                     except:
                         log.exception(
                             'Exception while executing command %s.', cmd)

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages