##// END OF EJS Templates
routing: optionally use explicit db object on route....
marcink -
r1989:f7b19fb3 default
parent child Browse files
Show More
@@ -1,454 +1,461 b''
1 1 # -*- coding: utf-8 -*-
2 2
3 3 # Copyright (C) 2016-2017 RhodeCode GmbH
4 4 #
5 5 # This program is free software: you can redistribute it and/or modify
6 6 # it under the terms of the GNU Affero General Public License, version 3
7 7 # (only), as published by the Free Software Foundation.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU Affero General Public License
15 15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 16 #
17 17 # This program is dual-licensed. If you wish to learn more about the
18 18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20 20
21 21 import time
22 22 import logging
23 23
24 24 from pyramid.httpexceptions import HTTPFound
25 25
26 26 from rhodecode.lib import helpers as h
27 27 from rhodecode.lib.utils2 import StrictAttributeDict, safe_int, datetime_to_time
28 28 from rhodecode.lib.vcs.exceptions import RepositoryRequirementError
29 29 from rhodecode.model import repo
30 30 from rhodecode.model import repo_group
31 31 from rhodecode.model.db import User
32 32 from rhodecode.model.scm import ScmModel
33 33
34 34 log = logging.getLogger(__name__)
35 35
36 36
37 37 ADMIN_PREFIX = '/_admin'
38 38 STATIC_FILE_PREFIX = '/_static'
39 39
40 40 URL_NAME_REQUIREMENTS = {
41 41 # group name can have a slash in them, but they must not end with a slash
42 42 'group_name': r'.*?[^/]',
43 43 'repo_group_name': r'.*?[^/]',
44 44 # repo names can have a slash in them, but they must not end with a slash
45 45 'repo_name': r'.*?[^/]',
46 46 # file path eats up everything at the end
47 47 'f_path': r'.*',
48 48 # reference types
49 49 'source_ref_type': '(branch|book|tag|rev|\%\(source_ref_type\)s)',
50 50 'target_ref_type': '(branch|book|tag|rev|\%\(target_ref_type\)s)',
51 51 }
52 52
53 53
54 54 def add_route_with_slash(config,name, pattern, **kw):
55 55 config.add_route(name, pattern, **kw)
56 56 if not pattern.endswith('/'):
57 57 config.add_route(name + '_slash', pattern + '/', **kw)
58 58
59 59
60 60 def add_route_requirements(route_path, requirements=URL_NAME_REQUIREMENTS):
61 61 """
62 62 Adds regex requirements to pyramid routes using a mapping dict
63 63 e.g::
64 64 add_route_requirements('{repo_name}/settings')
65 65 """
66 66 for key, regex in requirements.items():
67 67 route_path = route_path.replace('{%s}' % key, '{%s:%s}' % (key, regex))
68 68 return route_path
69 69
70 70
71 71 def get_format_ref_id(repo):
72 72 """Returns a `repo` specific reference formatter function"""
73 73 if h.is_svn(repo):
74 74 return _format_ref_id_svn
75 75 else:
76 76 return _format_ref_id
77 77
78 78
79 79 def _format_ref_id(name, raw_id):
80 80 """Default formatting of a given reference `name`"""
81 81 return name
82 82
83 83
84 84 def _format_ref_id_svn(name, raw_id):
85 85 """Special way of formatting a reference for Subversion including path"""
86 86 return '%s@%s' % (name, raw_id)
87 87
88 88
89 89 class TemplateArgs(StrictAttributeDict):
90 90 pass
91 91
92 92
93 93 class BaseAppView(object):
94 94
95 95 def __init__(self, context, request):
96 96 self.request = request
97 97 self.context = context
98 98 self.session = request.session
99 99 self._rhodecode_user = request.user # auth user
100 100 self._rhodecode_db_user = self._rhodecode_user.get_instance()
101 101 self._maybe_needs_password_change(
102 102 request.matched_route.name, self._rhodecode_db_user)
103 103
104 104 def _maybe_needs_password_change(self, view_name, user_obj):
105 105 log.debug('Checking if user %s needs password change on view %s',
106 106 user_obj, view_name)
107 107 skip_user_views = [
108 108 'logout', 'login',
109 109 'my_account_password', 'my_account_password_update'
110 110 ]
111 111
112 112 if not user_obj:
113 113 return
114 114
115 115 if user_obj.username == User.DEFAULT_USER:
116 116 return
117 117
118 118 now = time.time()
119 119 should_change = user_obj.user_data.get('force_password_change')
120 120 change_after = safe_int(should_change) or 0
121 121 if should_change and now > change_after:
122 122 log.debug('User %s requires password change', user_obj)
123 123 h.flash('You are required to change your password', 'warning',
124 124 ignore_duplicate=True)
125 125
126 126 if view_name not in skip_user_views:
127 127 raise HTTPFound(
128 128 self.request.route_path('my_account_password'))
129 129
130 130 def _log_creation_exception(self, e, repo_name):
131 131 _ = self.request.translate
132 132 reason = None
133 133 if len(e.args) == 2:
134 134 reason = e.args[1]
135 135
136 136 if reason == 'INVALID_CERTIFICATE':
137 137 log.exception(
138 138 'Exception creating a repository: invalid certificate')
139 139 msg = (_('Error creating repository %s: invalid certificate')
140 140 % repo_name)
141 141 else:
142 142 log.exception("Exception creating a repository")
143 143 msg = (_('Error creating repository %s')
144 144 % repo_name)
145 145 return msg
146 146
147 147 def _get_local_tmpl_context(self, include_app_defaults=False):
148 148 c = TemplateArgs()
149 149 c.auth_user = self.request.user
150 150 # TODO(marcink): migrate the usage of c.rhodecode_user to c.auth_user
151 151 c.rhodecode_user = self.request.user
152 152
153 153 if include_app_defaults:
154 154 # NOTE(marcink): after full pyramid migration include_app_defaults
155 155 # should be turned on by default
156 156 from rhodecode.lib.base import attach_context_attributes
157 157 attach_context_attributes(c, self.request, self.request.user.user_id)
158 158
159 159 return c
160 160
161 161 def _register_global_c(self, tmpl_args):
162 162 """
163 163 Registers attributes to pylons global `c`
164 164 """
165 165
166 166 # TODO(marcink): remove once pyramid migration is finished
167 167 from pylons import tmpl_context as c
168 168 try:
169 169 for k, v in tmpl_args.items():
170 170 setattr(c, k, v)
171 171 except TypeError:
172 172 log.exception('Failed to register pylons C')
173 173 pass
174 174
175 175 def _get_template_context(self, tmpl_args):
176 176 self._register_global_c(tmpl_args)
177 177
178 178 local_tmpl_args = {
179 179 'defaults': {},
180 180 'errors': {},
181 181 # register a fake 'c' to be used in templates instead of global
182 182 # pylons c, after migration to pyramid we should rename it to 'c'
183 183 # make sure we replace usage of _c in templates too
184 184 '_c': tmpl_args
185 185 }
186 186 local_tmpl_args.update(tmpl_args)
187 187 return local_tmpl_args
188 188
189 189 def load_default_context(self):
190 190 """
191 191 example:
192 192
193 193 def load_default_context(self):
194 194 c = self._get_local_tmpl_context()
195 195 c.custom_var = 'foobar'
196 196 self._register_global_c(c)
197 197 return c
198 198 """
199 199 raise NotImplementedError('Needs implementation in view class')
200 200
201 201
202 202 class RepoAppView(BaseAppView):
203 203
204 204 def __init__(self, context, request):
205 205 super(RepoAppView, self).__init__(context, request)
206 206 self.db_repo = request.db_repo
207 207 self.db_repo_name = self.db_repo.repo_name
208 208 self.db_repo_pull_requests = ScmModel().get_pull_requests(self.db_repo)
209 209
210 210 def _handle_missing_requirements(self, error):
211 211 log.error(
212 212 'Requirements are missing for repository %s: %s',
213 213 self.db_repo_name, error.message)
214 214
215 215 def _get_local_tmpl_context(self, include_app_defaults=False):
216 216 _ = self.request.translate
217 217 c = super(RepoAppView, self)._get_local_tmpl_context(
218 218 include_app_defaults=include_app_defaults)
219 219
220 220 # register common vars for this type of view
221 221 c.rhodecode_db_repo = self.db_repo
222 222 c.repo_name = self.db_repo_name
223 223 c.repository_pull_requests = self.db_repo_pull_requests
224 224
225 225 c.repository_requirements_missing = False
226 226 try:
227 227 self.rhodecode_vcs_repo = self.db_repo.scm_instance()
228 228 except RepositoryRequirementError as e:
229 229 c.repository_requirements_missing = True
230 230 self._handle_missing_requirements(e)
231 231 self.rhodecode_vcs_repo = None
232 232
233 233 if (not c.repository_requirements_missing
234 234 and self.rhodecode_vcs_repo is None):
235 235 # unable to fetch this repo as vcs instance, report back to user
236 236 h.flash(_(
237 237 "The repository `%(repo_name)s` cannot be loaded in filesystem. "
238 238 "Please check if it exist, or is not damaged.") %
239 239 {'repo_name': c.repo_name},
240 240 category='error', ignore_duplicate=True)
241 241 raise HTTPFound(h.route_path('home'))
242 242
243 243 return c
244 244
245 245 def _get_f_path(self, matchdict, default=None):
246 246 f_path = matchdict.get('f_path')
247 247 if f_path:
248 248 # fix for multiple initial slashes that causes errors for GIT
249 249 return f_path.lstrip('/')
250 250
251 251 return default
252 252
253 253
254 class RepoGroupAppView(BaseAppView):
255 def __init__(self, context, request):
256 super(RepoGroupAppView, self).__init__(context, request)
257 self.db_repo_group = request.db_repo_group
258 self.db_repo_group_name = self.db_repo_group.group_name
259
260
254 261 class DataGridAppView(object):
255 262 """
256 263 Common class to have re-usable grid rendering components
257 264 """
258 265
259 266 def _extract_ordering(self, request, column_map=None):
260 267 column_map = column_map or {}
261 268 column_index = safe_int(request.GET.get('order[0][column]'))
262 269 order_dir = request.GET.get(
263 270 'order[0][dir]', 'desc')
264 271 order_by = request.GET.get(
265 272 'columns[%s][data][sort]' % column_index, 'name_raw')
266 273
267 274 # translate datatable to DB columns
268 275 order_by = column_map.get(order_by) or order_by
269 276
270 277 search_q = request.GET.get('search[value]')
271 278 return search_q, order_by, order_dir
272 279
273 280 def _extract_chunk(self, request):
274 281 start = safe_int(request.GET.get('start'), 0)
275 282 length = safe_int(request.GET.get('length'), 25)
276 283 draw = safe_int(request.GET.get('draw'))
277 284 return draw, start, length
278 285
279 286
280 287 class BaseReferencesView(RepoAppView):
281 288 """
282 289 Base for reference view for branches, tags and bookmarks.
283 290 """
284 291 def load_default_context(self):
285 292 c = self._get_local_tmpl_context()
286 293
287 294 # TODO(marcink): remove repo_info and use c.rhodecode_db_repo instead
288 295 c.repo_info = self.db_repo
289 296
290 297 self._register_global_c(c)
291 298 return c
292 299
293 300 def load_refs_context(self, ref_items, partials_template):
294 301 _render = self.request.get_partial_renderer(partials_template)
295 302 pre_load = ["author", "date", "message"]
296 303
297 304 is_svn = h.is_svn(self.rhodecode_vcs_repo)
298 305 is_hg = h.is_hg(self.rhodecode_vcs_repo)
299 306
300 307 format_ref_id = get_format_ref_id(self.rhodecode_vcs_repo)
301 308
302 309 closed_refs = {}
303 310 if is_hg:
304 311 closed_refs = self.rhodecode_vcs_repo.branches_closed
305 312
306 313 data = []
307 314 for ref_name, commit_id in ref_items:
308 315 commit = self.rhodecode_vcs_repo.get_commit(
309 316 commit_id=commit_id, pre_load=pre_load)
310 317 closed = ref_name in closed_refs
311 318
312 319 # TODO: johbo: Unify generation of reference links
313 320 use_commit_id = '/' in ref_name or is_svn
314 321
315 322 if use_commit_id:
316 323 files_url = h.route_path(
317 324 'repo_files',
318 325 repo_name=self.db_repo_name,
319 326 f_path=ref_name if is_svn else '',
320 327 commit_id=commit_id)
321 328
322 329 else:
323 330 files_url = h.route_path(
324 331 'repo_files',
325 332 repo_name=self.db_repo_name,
326 333 f_path=ref_name if is_svn else '',
327 334 commit_id=ref_name,
328 335 _query=dict(at=ref_name))
329 336
330 337 data.append({
331 338 "name": _render('name', ref_name, files_url, closed),
332 339 "name_raw": ref_name,
333 340 "date": _render('date', commit.date),
334 341 "date_raw": datetime_to_time(commit.date),
335 342 "author": _render('author', commit.author),
336 343 "commit": _render(
337 344 'commit', commit.message, commit.raw_id, commit.idx),
338 345 "commit_raw": commit.idx,
339 346 "compare": _render(
340 347 'compare', format_ref_id(ref_name, commit.raw_id)),
341 348 })
342 349
343 350 return data
344 351
345 352
346 353 class RepoRoutePredicate(object):
347 354 def __init__(self, val, config):
348 355 self.val = val
349 356
350 357 def text(self):
351 358 return 'repo_route = %s' % self.val
352 359
353 360 phash = text
354 361
355 362 def __call__(self, info, request):
356 363
357 364 if hasattr(request, 'vcs_call'):
358 365 # skip vcs calls
359 366 return
360 367
361 368 repo_name = info['match']['repo_name']
362 369 repo_model = repo.RepoModel()
363 370 by_name_match = repo_model.get_by_repo_name(repo_name, cache=True)
364 371
365 372 def redirect_if_creating(db_repo):
366 373 if db_repo.repo_state in [repo.Repository.STATE_PENDING]:
367 374 raise HTTPFound(
368 375 request.route_path('repo_creating',
369 376 repo_name=db_repo.repo_name))
370 377
371 378 if by_name_match:
372 379 # register this as request object we can re-use later
373 380 request.db_repo = by_name_match
374 381 redirect_if_creating(by_name_match)
375 382 return True
376 383
377 384 by_id_match = repo_model.get_repo_by_id(repo_name)
378 385 if by_id_match:
379 386 request.db_repo = by_id_match
380 387 redirect_if_creating(by_id_match)
381 388 return True
382 389
383 390 return False
384 391
385 392
386 393 class RepoTypeRoutePredicate(object):
387 394 def __init__(self, val, config):
388 395 self.val = val or ['hg', 'git', 'svn']
389 396
390 397 def text(self):
391 398 return 'repo_accepted_type = %s' % self.val
392 399
393 400 phash = text
394 401
395 402 def __call__(self, info, request):
396 403 if hasattr(request, 'vcs_call'):
397 404 # skip vcs calls
398 405 return
399 406
400 407 rhodecode_db_repo = request.db_repo
401 408
402 409 log.debug(
403 410 '%s checking repo type for %s in %s',
404 411 self.__class__.__name__, rhodecode_db_repo.repo_type, self.val)
405 412
406 413 if rhodecode_db_repo.repo_type in self.val:
407 414 return True
408 415 else:
409 416 log.warning('Current view is not supported for repo type:%s',
410 417 rhodecode_db_repo.repo_type)
411 418 #
412 419 # h.flash(h.literal(
413 420 # _('Action not supported for %s.' % rhodecode_repo.alias)),
414 421 # category='warning')
415 422 # return redirect(
416 423 # route_path('repo_summary', repo_name=cls.rhodecode_db_repo.repo_name))
417 424
418 425 return False
419 426
420 427
421 428 class RepoGroupRoutePredicate(object):
422 429 def __init__(self, val, config):
423 430 self.val = val
424 431
425 432 def text(self):
426 433 return 'repo_group_route = %s' % self.val
427 434
428 435 phash = text
429 436
430 437 def __call__(self, info, request):
431 438 if hasattr(request, 'vcs_call'):
432 439 # skip vcs calls
433 440 return
434 441
435 442 repo_group_name = info['match']['repo_group_name']
436 443 repo_group_model = repo_group.RepoGroupModel()
437 444 by_name_match = repo_group_model.get_by_group_name(
438 445 repo_group_name, cache=True)
439 446
440 447 if by_name_match:
441 448 # register this as request object we can re-use later
442 449 request.db_repo_group = by_name_match
443 450 return True
444 451
445 452 return False
446 453
447 454
448 455 def includeme(config):
449 456 config.add_route_predicate(
450 457 'repo_route', RepoRoutePredicate)
451 458 config.add_route_predicate(
452 459 'repo_accepted_types', RepoTypeRoutePredicate)
453 460 config.add_route_predicate(
454 461 'repo_group_route', RepoGroupRoutePredicate)
@@ -1,534 +1,534 b''
1 1 # -*- coding: utf-8 -*-
2 2
3 3 # Copyright (C) 2010-2017 RhodeCode GmbH
4 4 #
5 5 # This program is free software: you can redistribute it and/or modify
6 6 # it under the terms of the GNU Affero General Public License, version 3
7 7 # (only), as published by the Free Software Foundation.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU Affero General Public License
15 15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 16 #
17 17 # This program is dual-licensed. If you wish to learn more about the
18 18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20 20
21 21 """
22 22 Pylons middleware initialization
23 23 """
24 24 import logging
25 25 import traceback
26 26 from collections import OrderedDict
27 27
28 28 from paste.registry import RegistryManager
29 29 from paste.gzipper import make_gzip_middleware
30 30 from pylons.wsgiapp import PylonsApp
31 31 from pyramid.authorization import ACLAuthorizationPolicy
32 32 from pyramid.config import Configurator
33 33 from pyramid.settings import asbool, aslist
34 34 from pyramid.wsgi import wsgiapp
35 35 from pyramid.httpexceptions import (
36 36 HTTPException, HTTPError, HTTPInternalServerError, HTTPFound)
37 37 from pyramid.events import ApplicationCreated
38 38 from pyramid.renderers import render_to_response
39 39 from routes.middleware import RoutesMiddleware
40 40 import rhodecode
41 41
42 42 from rhodecode.model import meta
43 43 from rhodecode.config import patches
44 44 from rhodecode.config.routing import STATIC_FILE_PREFIX
45 45 from rhodecode.config.environment import (
46 46 load_environment, load_pyramid_environment)
47 47
48 48 from rhodecode.lib.vcs import VCSCommunicationError
49 49 from rhodecode.lib.exceptions import VCSServerUnavailable
50 50 from rhodecode.lib.middleware.appenlight import wrap_in_appenlight_if_enabled
51 51 from rhodecode.lib.middleware.error_handling import (
52 52 PylonsErrorHandlingMiddleware)
53 53 from rhodecode.lib.middleware.https_fixup import HttpsFixup
54 54 from rhodecode.lib.middleware.vcs import VCSMiddleware
55 55 from rhodecode.lib.plugins.utils import register_rhodecode_plugin
56 56 from rhodecode.lib.utils2 import aslist as rhodecode_aslist, AttributeDict
57 57 from rhodecode.subscribers import (
58 58 scan_repositories_if_enabled, write_js_routes_if_enabled,
59 59 write_metadata_if_needed)
60 60
61 61
62 62 log = logging.getLogger(__name__)
63 63
64 64
65 65 # this is used to avoid avoid the route lookup overhead in routesmiddleware
66 66 # for certain routes which won't go to pylons to - eg. static files, debugger
67 67 # it is only needed for the pylons migration and can be removed once complete
68 68 class SkippableRoutesMiddleware(RoutesMiddleware):
69 69 """ Routes middleware that allows you to skip prefixes """
70 70
71 71 def __init__(self, *args, **kw):
72 72 self.skip_prefixes = kw.pop('skip_prefixes', [])
73 73 super(SkippableRoutesMiddleware, self).__init__(*args, **kw)
74 74
75 75 def __call__(self, environ, start_response):
76 76 for prefix in self.skip_prefixes:
77 77 if environ['PATH_INFO'].startswith(prefix):
78 78 # added to avoid the case when a missing /_static route falls
79 79 # through to pylons and causes an exception as pylons is
80 80 # expecting wsgiorg.routingargs to be set in the environ
81 81 # by RoutesMiddleware.
82 82 if 'wsgiorg.routing_args' not in environ:
83 83 environ['wsgiorg.routing_args'] = (None, {})
84 84 return self.app(environ, start_response)
85 85
86 86 return super(SkippableRoutesMiddleware, self).__call__(
87 87 environ, start_response)
88 88
89 89
90 90 def make_app(global_conf, static_files=True, **app_conf):
91 91 """Create a Pylons WSGI application and return it
92 92
93 93 ``global_conf``
94 94 The inherited configuration for this application. Normally from
95 95 the [DEFAULT] section of the Paste ini file.
96 96
97 97 ``app_conf``
98 98 The application's local configuration. Normally specified in
99 99 the [app:<name>] section of the Paste ini file (where <name>
100 100 defaults to main).
101 101
102 102 """
103 103 # Apply compatibility patches
104 104 patches.kombu_1_5_1_python_2_7_11()
105 105 patches.inspect_getargspec()
106 106
107 107 # Configure the Pylons environment
108 108 config = load_environment(global_conf, app_conf)
109 109
110 110 # The Pylons WSGI app
111 111 app = PylonsApp(config=config)
112 112
113 113 # Establish the Registry for this application
114 114 app = RegistryManager(app)
115 115
116 116 app.config = config
117 117
118 118 return app
119 119
120 120
121 121 def make_pyramid_app(global_config, **settings):
122 122 """
123 123 Constructs the WSGI application based on Pyramid and wraps the Pylons based
124 124 application.
125 125
126 126 Specials:
127 127
128 128 * We migrate from Pylons to Pyramid. While doing this, we keep both
129 129 frameworks functional. This involves moving some WSGI middlewares around
130 130 and providing access to some data internals, so that the old code is
131 131 still functional.
132 132
133 133 * The application can also be integrated like a plugin via the call to
134 134 `includeme`. This is accompanied with the other utility functions which
135 135 are called. Changing this should be done with great care to not break
136 136 cases when these fragments are assembled from another place.
137 137
138 138 """
139 139 # The edition string should be available in pylons too, so we add it here
140 140 # before copying the settings.
141 141 settings.setdefault('rhodecode.edition', 'Community Edition')
142 142
143 143 # As long as our Pylons application does expect "unprepared" settings, make
144 144 # sure that we keep an unmodified copy. This avoids unintentional change of
145 145 # behavior in the old application.
146 146 settings_pylons = settings.copy()
147 147
148 148 sanitize_settings_and_apply_defaults(settings)
149 149 config = Configurator(settings=settings)
150 150 add_pylons_compat_data(config.registry, global_config, settings_pylons)
151 151
152 152 load_pyramid_environment(global_config, settings)
153 153
154 154 includeme_first(config)
155 155 includeme(config)
156 156
157 157 pyramid_app = config.make_wsgi_app()
158 158 pyramid_app = wrap_app_in_wsgi_middlewares(pyramid_app, config)
159 159 pyramid_app.config = config
160 160
161 161 # creating the app uses a connection - return it after we are done
162 162 meta.Session.remove()
163 163
164 164 return pyramid_app
165 165
166 166
167 167 def make_not_found_view(config):
168 168 """
169 169 This creates the view which should be registered as not-found-view to
170 170 pyramid. Basically it contains of the old pylons app, converted to a view.
171 171 Additionally it is wrapped by some other middlewares.
172 172 """
173 173 settings = config.registry.settings
174 174 vcs_server_enabled = settings['vcs.server.enable']
175 175
176 176 # Make pylons app from unprepared settings.
177 177 pylons_app = make_app(
178 178 config.registry._pylons_compat_global_config,
179 179 **config.registry._pylons_compat_settings)
180 180 config.registry._pylons_compat_config = pylons_app.config
181 181
182 182 # Appenlight monitoring.
183 183 pylons_app, appenlight_client = wrap_in_appenlight_if_enabled(
184 184 pylons_app, settings)
185 185
186 186 # The pylons app is executed inside of the pyramid 404 exception handler.
187 187 # Exceptions which are raised inside of it are not handled by pyramid
188 188 # again. Therefore we add a middleware that invokes the error handler in
189 189 # case of an exception or error response. This way we return proper error
190 190 # HTML pages in case of an error.
191 191 reraise = (settings.get('debugtoolbar.enabled', False) or
192 192 rhodecode.disable_error_handler)
193 193 pylons_app = PylonsErrorHandlingMiddleware(
194 194 pylons_app, error_handler, reraise)
195 195
196 196 # The VCSMiddleware shall operate like a fallback if pyramid doesn't find a
197 197 # view to handle the request. Therefore it is wrapped around the pylons
198 198 # app. It has to be outside of the error handling otherwise error responses
199 199 # from the vcsserver are converted to HTML error pages. This confuses the
200 200 # command line tools and the user won't get a meaningful error message.
201 201 if vcs_server_enabled:
202 202 pylons_app = VCSMiddleware(
203 203 pylons_app, settings, appenlight_client, registry=config.registry)
204 204
205 205 # Convert WSGI app to pyramid view and return it.
206 206 return wsgiapp(pylons_app)
207 207
208 208
209 209 def add_pylons_compat_data(registry, global_config, settings):
210 210 """
211 211 Attach data to the registry to support the Pylons integration.
212 212 """
213 213 registry._pylons_compat_global_config = global_config
214 214 registry._pylons_compat_settings = settings
215 215
216 216
217 217 def error_handler(exception, request):
218 218 import rhodecode
219 219 from rhodecode.lib import helpers
220 220
221 221 rhodecode_title = rhodecode.CONFIG.get('rhodecode_title') or 'RhodeCode'
222 222
223 223 base_response = HTTPInternalServerError()
224 224 # prefer original exception for the response since it may have headers set
225 225 if isinstance(exception, HTTPException):
226 226 base_response = exception
227 227 elif isinstance(exception, VCSCommunicationError):
228 228 base_response = VCSServerUnavailable()
229 229
230 230 def is_http_error(response):
231 231 # error which should have traceback
232 232 return response.status_code > 499
233 233
234 234 if is_http_error(base_response):
235 235 log.exception(
236 236 'error occurred handling this request for path: %s', request.path)
237 237
238 238 c = AttributeDict()
239 239 c.error_message = base_response.status
240 240 c.error_explanation = base_response.explanation or str(base_response)
241 241 c.visual = AttributeDict()
242 242
243 243 c.visual.rhodecode_support_url = (
244 244 request.registry.settings.get('rhodecode_support_url') or
245 245 request.route_url('rhodecode_support')
246 246 )
247 247 c.redirect_time = 0
248 248 c.rhodecode_name = rhodecode_title
249 249 if not c.rhodecode_name:
250 250 c.rhodecode_name = 'Rhodecode'
251 251
252 252 c.causes = []
253 253 if hasattr(base_response, 'causes'):
254 254 c.causes = base_response.causes
255 255 c.messages = helpers.flash.pop_messages(request=request)
256 256 c.traceback = traceback.format_exc()
257 257 response = render_to_response(
258 258 '/errors/error_document.mako', {'c': c, 'h': helpers}, request=request,
259 259 response=base_response)
260 260
261 261 return response
262 262
263 263
264 264 def includeme(config):
265 265 settings = config.registry.settings
266 266
267 267 # plugin information
268 268 config.registry.rhodecode_plugins = OrderedDict()
269 269
270 270 config.add_directive(
271 271 'register_rhodecode_plugin', register_rhodecode_plugin)
272 272
273 273 if asbool(settings.get('appenlight', 'false')):
274 274 config.include('appenlight_client.ext.pyramid_tween')
275 275
276 if not 'mako.default_filters' in settings:
276 if 'mako.default_filters' not in settings:
277 277 # set custom default filters if we don't have it defined
278 278 settings['mako.imports'] = 'from rhodecode.lib.base import h_filter'
279 279 settings['mako.default_filters'] = 'h_filter'
280 280
281 281 # Includes which are required. The application would fail without them.
282 282 config.include('pyramid_mako')
283 283 config.include('pyramid_beaker')
284 284
285 285 config.include('rhodecode.authentication')
286 286 config.include('rhodecode.integrations')
287 287
288 288 # apps
289 289 config.include('rhodecode.apps._base')
290 290 config.include('rhodecode.apps.ops')
291 291
292 292 config.include('rhodecode.apps.admin')
293 293 config.include('rhodecode.apps.channelstream')
294 294 config.include('rhodecode.apps.login')
295 295 config.include('rhodecode.apps.home')
296 296 config.include('rhodecode.apps.journal')
297 297 config.include('rhodecode.apps.repository')
298 298 config.include('rhodecode.apps.repo_group')
299 299 config.include('rhodecode.apps.search')
300 300 config.include('rhodecode.apps.user_profile')
301 301 config.include('rhodecode.apps.my_account')
302 302 config.include('rhodecode.apps.svn_support')
303 303 config.include('rhodecode.apps.gist')
304 304
305 305 config.include('rhodecode.apps.debug_style')
306 306 config.include('rhodecode.tweens')
307 307 config.include('rhodecode.api')
308 308
309 309 config.add_route(
310 310 'rhodecode_support', 'https://rhodecode.com/help/', static=True)
311 311
312 312 config.add_translation_dirs('rhodecode:i18n/')
313 313 settings['default_locale_name'] = settings.get('lang', 'en')
314 314
315 315 # Add subscribers.
316 316 config.add_subscriber(scan_repositories_if_enabled, ApplicationCreated)
317 317 config.add_subscriber(write_metadata_if_needed, ApplicationCreated)
318 318 config.add_subscriber(write_js_routes_if_enabled, ApplicationCreated)
319 319
320 320 config.add_request_method(
321 321 'rhodecode.lib.partial_renderer.get_partial_renderer',
322 322 'get_partial_renderer')
323 323
324 324 # events
325 325 # TODO(marcink): this should be done when pyramid migration is finished
326 326 # config.add_subscriber(
327 327 # 'rhodecode.integrations.integrations_event_handler',
328 328 # 'rhodecode.events.RhodecodeEvent')
329 329
330 330 # Set the authorization policy.
331 331 authz_policy = ACLAuthorizationPolicy()
332 332 config.set_authorization_policy(authz_policy)
333 333
334 334 # Set the default renderer for HTML templates to mako.
335 335 config.add_mako_renderer('.html')
336 336
337 337 config.add_renderer(
338 338 name='json_ext',
339 339 factory='rhodecode.lib.ext_json_renderer.pyramid_ext_json')
340 340
341 341 # include RhodeCode plugins
342 342 includes = aslist(settings.get('rhodecode.includes', []))
343 343 for inc in includes:
344 344 config.include(inc)
345 345
346 346 # This is the glue which allows us to migrate in chunks. By registering the
347 347 # pylons based application as the "Not Found" view in Pyramid, we will
348 348 # fallback to the old application each time the new one does not yet know
349 349 # how to handle a request.
350 350 config.add_notfound_view(make_not_found_view(config))
351 351
352 352 if not settings.get('debugtoolbar.enabled', False):
353 353 # disabled debugtoolbar handle all exceptions via the error_handlers
354 354 config.add_view(error_handler, context=Exception)
355 355
356 356 config.add_view(error_handler, context=HTTPError)
357 357
358 358
359 359 def includeme_first(config):
360 360 # redirect automatic browser favicon.ico requests to correct place
361 361 def favicon_redirect(context, request):
362 362 return HTTPFound(
363 363 request.static_path('rhodecode:public/images/favicon.ico'))
364 364
365 365 config.add_view(favicon_redirect, route_name='favicon')
366 366 config.add_route('favicon', '/favicon.ico')
367 367
368 368 def robots_redirect(context, request):
369 369 return HTTPFound(
370 370 request.static_path('rhodecode:public/robots.txt'))
371 371
372 372 config.add_view(robots_redirect, route_name='robots')
373 373 config.add_route('robots', '/robots.txt')
374 374
375 375 config.add_static_view(
376 376 '_static/deform', 'deform:static')
377 377 config.add_static_view(
378 378 '_static/rhodecode', path='rhodecode:public', cache_max_age=3600 * 24)
379 379
380 380
381 381 def wrap_app_in_wsgi_middlewares(pyramid_app, config):
382 382 """
383 383 Apply outer WSGI middlewares around the application.
384 384
385 385 Part of this has been moved up from the Pylons layer, so that the
386 386 data is also available if old Pylons code is hit through an already ported
387 387 view.
388 388 """
389 389 settings = config.registry.settings
390 390
391 391 # enable https redirects based on HTTP_X_URL_SCHEME set by proxy
392 392 pyramid_app = HttpsFixup(pyramid_app, settings)
393 393
394 394 # Add RoutesMiddleware to support the pylons compatibility tween during
395 395 # migration to pyramid.
396 396
397 397 # TODO(marcink): remove after migration to pyramid
398 398 if hasattr(config.registry, '_pylons_compat_config'):
399 399 routes_map = config.registry._pylons_compat_config['routes.map']
400 400 pyramid_app = SkippableRoutesMiddleware(
401 401 pyramid_app, routes_map,
402 402 skip_prefixes=(STATIC_FILE_PREFIX, '/_debug_toolbar'))
403 403
404 404 pyramid_app, _ = wrap_in_appenlight_if_enabled(pyramid_app, settings)
405 405
406 406 if settings['gzip_responses']:
407 407 pyramid_app = make_gzip_middleware(
408 408 pyramid_app, settings, compress_level=1)
409 409
410 410 # this should be the outer most middleware in the wsgi stack since
411 411 # middleware like Routes make database calls
412 412 def pyramid_app_with_cleanup(environ, start_response):
413 413 try:
414 414 return pyramid_app(environ, start_response)
415 415 finally:
416 416 # Dispose current database session and rollback uncommitted
417 417 # transactions.
418 418 meta.Session.remove()
419 419
420 420 # In a single threaded mode server, on non sqlite db we should have
421 421 # '0 Current Checked out connections' at the end of a request,
422 422 # if not, then something, somewhere is leaving a connection open
423 423 pool = meta.Base.metadata.bind.engine.pool
424 424 log.debug('sa pool status: %s', pool.status())
425 425
426 426 return pyramid_app_with_cleanup
427 427
428 428
429 429 def sanitize_settings_and_apply_defaults(settings):
430 430 """
431 431 Applies settings defaults and does all type conversion.
432 432
433 433 We would move all settings parsing and preparation into this place, so that
434 434 we have only one place left which deals with this part. The remaining parts
435 435 of the application would start to rely fully on well prepared settings.
436 436
437 437 This piece would later be split up per topic to avoid a big fat monster
438 438 function.
439 439 """
440 440
441 441 # Pyramid's mako renderer has to search in the templates folder so that the
442 442 # old templates still work. Ported and new templates are expected to use
443 443 # real asset specifications for the includes.
444 444 mako_directories = settings.setdefault('mako.directories', [
445 445 # Base templates of the original Pylons application
446 446 'rhodecode:templates',
447 447 ])
448 448 log.debug(
449 449 "Using the following Mako template directories: %s",
450 450 mako_directories)
451 451
452 452 # Default includes, possible to change as a user
453 453 pyramid_includes = settings.setdefault('pyramid.includes', [
454 454 'rhodecode.lib.middleware.request_wrapper',
455 455 ])
456 456 log.debug(
457 457 "Using the following pyramid.includes: %s",
458 458 pyramid_includes)
459 459
460 460 # TODO: johbo: Re-think this, usually the call to config.include
461 461 # should allow to pass in a prefix.
462 462 settings.setdefault('rhodecode.api.url', '/_admin/api')
463 463
464 464 # Sanitize generic settings.
465 465 _list_setting(settings, 'default_encoding', 'UTF-8')
466 466 _bool_setting(settings, 'is_test', 'false')
467 467 _bool_setting(settings, 'gzip_responses', 'false')
468 468
469 469 # Call split out functions that sanitize settings for each topic.
470 470 _sanitize_appenlight_settings(settings)
471 471 _sanitize_vcs_settings(settings)
472 472
473 473 return settings
474 474
475 475
476 476 def _sanitize_appenlight_settings(settings):
477 477 _bool_setting(settings, 'appenlight', 'false')
478 478
479 479
480 480 def _sanitize_vcs_settings(settings):
481 481 """
482 482 Applies settings defaults and does type conversion for all VCS related
483 483 settings.
484 484 """
485 485 _string_setting(settings, 'vcs.svn.compatible_version', '')
486 486 _string_setting(settings, 'git_rev_filter', '--all')
487 487 _string_setting(settings, 'vcs.hooks.protocol', 'http')
488 488 _string_setting(settings, 'vcs.scm_app_implementation', 'http')
489 489 _string_setting(settings, 'vcs.server', '')
490 490 _string_setting(settings, 'vcs.server.log_level', 'debug')
491 491 _string_setting(settings, 'vcs.server.protocol', 'http')
492 492 _bool_setting(settings, 'startup.import_repos', 'false')
493 493 _bool_setting(settings, 'vcs.hooks.direct_calls', 'false')
494 494 _bool_setting(settings, 'vcs.server.enable', 'true')
495 495 _bool_setting(settings, 'vcs.start_server', 'false')
496 496 _list_setting(settings, 'vcs.backends', 'hg, git, svn')
497 497 _int_setting(settings, 'vcs.connection_timeout', 3600)
498 498
499 499 # Support legacy values of vcs.scm_app_implementation. Legacy
500 500 # configurations may use 'rhodecode.lib.middleware.utils.scm_app_http'
501 501 # which is now mapped to 'http'.
502 502 scm_app_impl = settings['vcs.scm_app_implementation']
503 503 if scm_app_impl == 'rhodecode.lib.middleware.utils.scm_app_http':
504 504 settings['vcs.scm_app_implementation'] = 'http'
505 505
506 506
507 507 def _int_setting(settings, name, default):
508 508 settings[name] = int(settings.get(name, default))
509 509
510 510
511 511 def _bool_setting(settings, name, default):
512 512 input = settings.get(name, default)
513 513 if isinstance(input, unicode):
514 514 input = input.encode('utf8')
515 515 settings[name] = asbool(input)
516 516
517 517
518 518 def _list_setting(settings, name, default):
519 519 raw_value = settings.get(name, default)
520 520
521 521 old_separator = ','
522 522 if old_separator in raw_value:
523 523 # If we get a comma separated list, pass it to our own function.
524 524 settings[name] = rhodecode_aslist(raw_value, sep=old_separator)
525 525 else:
526 526 # Otherwise we assume it uses pyramids space/newline separation.
527 527 settings[name] = aslist(raw_value)
528 528
529 529
530 530 def _string_setting(settings, name, default, lower=True):
531 531 value = settings.get(name, default)
532 532 if lower:
533 533 value = value.lower()
534 534 settings[name] = value
@@ -1,62 +1,62 b''
1 1 # -*- coding: utf-8 -*-
2 2
3 3 # Copyright (C) 2012-2017 RhodeCode GmbH
4 4 #
5 5 # This program is free software: you can redistribute it and/or modify
6 6 # it under the terms of the GNU Affero General Public License, version 3
7 7 # (only), as published by the Free Software Foundation.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU Affero General Public License
15 15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 16 #
17 17 # This program is dual-licensed. If you wish to learn more about the
18 18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20 20
21 21 import logging
22 22
23 23 from rhodecode.integrations.registry import IntegrationTypeRegistry
24 24 from rhodecode.integrations.types import webhook, slack, hipchat, email
25 25
26 26 log = logging.getLogger(__name__)
27 27
28 28
29 29 # TODO: dan: This is currently global until we figure out what to do about
30 30 # VCS's not having a pyramid context - move it to pyramid app configuration
31 31 # includeme level later to allow per instance integration setup
32 32 integration_type_registry = IntegrationTypeRegistry()
33 33
34 34 integration_type_registry.register_integration_type(
35 35 webhook.WebhookIntegrationType)
36 36 integration_type_registry.register_integration_type(
37 37 slack.SlackIntegrationType)
38 38 integration_type_registry.register_integration_type(
39 39 hipchat.HipchatIntegrationType)
40 40 integration_type_registry.register_integration_type(
41 41 email.EmailIntegrationType)
42 42
43 43
44 44 def integrations_event_handler(event):
45 45 """
46 46 Takes an event and passes it to all enabled integrations
47 47 """
48 48 from rhodecode.model.integration import IntegrationModel
49 49
50 50 integration_model = IntegrationModel()
51 51 integrations = integration_model.get_for_event(event)
52 52 for integration in integrations:
53 53 try:
54 54 integration_model.send_event(integration, event)
55 55 except Exception:
56 56 log.exception(
57 'failure occured when sending event %s to integration %s' % (
57 'failure occurred when sending event %s to integration %s' % (
58 58 event, integration))
59 59
60 60
61 61 def includeme(config):
62 62 config.include('rhodecode.integrations.routes')
@@ -1,1994 +1,1997 b''
1 1 # -*- coding: utf-8 -*-
2 2
3 3 # Copyright (C) 2010-2017 RhodeCode GmbH
4 4 #
5 5 # This program is free software: you can redistribute it and/or modify
6 6 # it under the terms of the GNU Affero General Public License, version 3
7 7 # (only), as published by the Free Software Foundation.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU Affero General Public License
15 15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 16 #
17 17 # This program is dual-licensed. If you wish to learn more about the
18 18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20 20
21 21 """
22 22 authentication and permission libraries
23 23 """
24 24
25 25 import os
26 26 import inspect
27 27 import collections
28 28 import fnmatch
29 29 import hashlib
30 30 import itertools
31 31 import logging
32 32 import random
33 33 import traceback
34 34 from functools import wraps
35 35
36 36 import ipaddress
37 37 from pyramid.httpexceptions import HTTPForbidden, HTTPFound, HTTPNotFound
38 38 from pylons.i18n.translation import _
39 39 # NOTE(marcink): this has to be removed only after pyramid migration,
40 40 # replace with _ = request.translate
41 41 from sqlalchemy.orm.exc import ObjectDeletedError
42 42 from sqlalchemy.orm import joinedload
43 43 from zope.cachedescriptors.property import Lazy as LazyProperty
44 44
45 45 import rhodecode
46 46 from rhodecode.model import meta
47 47 from rhodecode.model.meta import Session
48 48 from rhodecode.model.user import UserModel
49 49 from rhodecode.model.db import (
50 50 User, Repository, Permission, UserToPerm, UserGroupToPerm, UserGroupMember,
51 51 UserIpMap, UserApiKeys, RepoGroup)
52 52 from rhodecode.lib import caches
53 53 from rhodecode.lib.utils2 import safe_unicode, aslist, safe_str, md5
54 54 from rhodecode.lib.utils import (
55 55 get_repo_slug, get_repo_group_slug, get_user_group_slug)
56 56 from rhodecode.lib.caching_query import FromCache
57 57
58 58
59 59 if rhodecode.is_unix:
60 60 import bcrypt
61 61
62 62 log = logging.getLogger(__name__)
63 63
64 64 csrf_token_key = "csrf_token"
65 65
66 66
67 67 class PasswordGenerator(object):
68 68 """
69 69 This is a simple class for generating password from different sets of
70 70 characters
71 71 usage::
72 72
73 73 passwd_gen = PasswordGenerator()
74 74 #print 8-letter password containing only big and small letters
75 75 of alphabet
76 76 passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL)
77 77 """
78 78 ALPHABETS_NUM = r'''1234567890'''
79 79 ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm'''
80 80 ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM'''
81 81 ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?'''
82 82 ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \
83 83 + ALPHABETS_NUM + ALPHABETS_SPECIAL
84 84 ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM
85 85 ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL
86 86 ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM
87 87 ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM
88 88
89 89 def __init__(self, passwd=''):
90 90 self.passwd = passwd
91 91
92 92 def gen_password(self, length, type_=None):
93 93 if type_ is None:
94 94 type_ = self.ALPHABETS_FULL
95 95 self.passwd = ''.join([random.choice(type_) for _ in xrange(length)])
96 96 return self.passwd
97 97
98 98
99 99 class _RhodeCodeCryptoBase(object):
100 100 ENC_PREF = None
101 101
102 102 def hash_create(self, str_):
103 103 """
104 104 hash the string using
105 105
106 106 :param str_: password to hash
107 107 """
108 108 raise NotImplementedError
109 109
110 110 def hash_check_with_upgrade(self, password, hashed):
111 111 """
112 112 Returns tuple in which first element is boolean that states that
113 113 given password matches it's hashed version, and the second is new hash
114 114 of the password, in case this password should be migrated to new
115 115 cipher.
116 116 """
117 117 checked_hash = self.hash_check(password, hashed)
118 118 return checked_hash, None
119 119
120 120 def hash_check(self, password, hashed):
121 121 """
122 122 Checks matching password with it's hashed value.
123 123
124 124 :param password: password
125 125 :param hashed: password in hashed form
126 126 """
127 127 raise NotImplementedError
128 128
129 129 def _assert_bytes(self, value):
130 130 """
131 131 Passing in an `unicode` object can lead to hard to detect issues
132 132 if passwords contain non-ascii characters. Doing a type check
133 133 during runtime, so that such mistakes are detected early on.
134 134 """
135 135 if not isinstance(value, str):
136 136 raise TypeError(
137 137 "Bytestring required as input, got %r." % (value, ))
138 138
139 139
140 140 class _RhodeCodeCryptoBCrypt(_RhodeCodeCryptoBase):
141 141 ENC_PREF = ('$2a$10', '$2b$10')
142 142
143 143 def hash_create(self, str_):
144 144 self._assert_bytes(str_)
145 145 return bcrypt.hashpw(str_, bcrypt.gensalt(10))
146 146
147 147 def hash_check_with_upgrade(self, password, hashed):
148 148 """
149 149 Returns tuple in which first element is boolean that states that
150 150 given password matches it's hashed version, and the second is new hash
151 151 of the password, in case this password should be migrated to new
152 152 cipher.
153 153
154 154 This implements special upgrade logic which works like that:
155 155 - check if the given password == bcrypted hash, if yes then we
156 156 properly used password and it was already in bcrypt. Proceed
157 157 without any changes
158 158 - if bcrypt hash check is not working try with sha256. If hash compare
159 159 is ok, it means we using correct but old hashed password. indicate
160 160 hash change and proceed
161 161 """
162 162
163 163 new_hash = None
164 164
165 165 # regular pw check
166 166 password_match_bcrypt = self.hash_check(password, hashed)
167 167
168 168 # now we want to know if the password was maybe from sha256
169 169 # basically calling _RhodeCodeCryptoSha256().hash_check()
170 170 if not password_match_bcrypt:
171 171 if _RhodeCodeCryptoSha256().hash_check(password, hashed):
172 172 new_hash = self.hash_create(password) # make new bcrypt hash
173 173 password_match_bcrypt = True
174 174
175 175 return password_match_bcrypt, new_hash
176 176
177 177 def hash_check(self, password, hashed):
178 178 """
179 179 Checks matching password with it's hashed value.
180 180
181 181 :param password: password
182 182 :param hashed: password in hashed form
183 183 """
184 184 self._assert_bytes(password)
185 185 try:
186 186 return bcrypt.hashpw(password, hashed) == hashed
187 187 except ValueError as e:
188 188 # we're having a invalid salt here probably, we should not crash
189 189 # just return with False as it would be a wrong password.
190 190 log.debug('Failed to check password hash using bcrypt %s',
191 191 safe_str(e))
192 192
193 193 return False
194 194
195 195
196 196 class _RhodeCodeCryptoSha256(_RhodeCodeCryptoBase):
197 197 ENC_PREF = '_'
198 198
199 199 def hash_create(self, str_):
200 200 self._assert_bytes(str_)
201 201 return hashlib.sha256(str_).hexdigest()
202 202
203 203 def hash_check(self, password, hashed):
204 204 """
205 205 Checks matching password with it's hashed value.
206 206
207 207 :param password: password
208 208 :param hashed: password in hashed form
209 209 """
210 210 self._assert_bytes(password)
211 211 return hashlib.sha256(password).hexdigest() == hashed
212 212
213 213
214 214 class _RhodeCodeCryptoMd5(_RhodeCodeCryptoBase):
215 215 ENC_PREF = '_'
216 216
217 217 def hash_create(self, str_):
218 218 self._assert_bytes(str_)
219 219 return hashlib.md5(str_).hexdigest()
220 220
221 221 def hash_check(self, password, hashed):
222 222 """
223 223 Checks matching password with it's hashed value.
224 224
225 225 :param password: password
226 226 :param hashed: password in hashed form
227 227 """
228 228 self._assert_bytes(password)
229 229 return hashlib.md5(password).hexdigest() == hashed
230 230
231 231
232 232 def crypto_backend():
233 233 """
234 234 Return the matching crypto backend.
235 235
236 236 Selection is based on if we run tests or not, we pick md5 backend to run
237 237 tests faster since BCRYPT is expensive to calculate
238 238 """
239 239 if rhodecode.is_test:
240 240 RhodeCodeCrypto = _RhodeCodeCryptoMd5()
241 241 else:
242 242 RhodeCodeCrypto = _RhodeCodeCryptoBCrypt()
243 243
244 244 return RhodeCodeCrypto
245 245
246 246
247 247 def get_crypt_password(password):
248 248 """
249 249 Create the hash of `password` with the active crypto backend.
250 250
251 251 :param password: The cleartext password.
252 252 :type password: unicode
253 253 """
254 254 password = safe_str(password)
255 255 return crypto_backend().hash_create(password)
256 256
257 257
258 258 def check_password(password, hashed):
259 259 """
260 260 Check if the value in `password` matches the hash in `hashed`.
261 261
262 262 :param password: The cleartext password.
263 263 :type password: unicode
264 264
265 265 :param hashed: The expected hashed version of the password.
266 266 :type hashed: The hash has to be passed in in text representation.
267 267 """
268 268 password = safe_str(password)
269 269 return crypto_backend().hash_check(password, hashed)
270 270
271 271
272 272 def generate_auth_token(data, salt=None):
273 273 """
274 274 Generates API KEY from given string
275 275 """
276 276
277 277 if salt is None:
278 278 salt = os.urandom(16)
279 279 return hashlib.sha1(safe_str(data) + salt).hexdigest()
280 280
281 281
282 282 class CookieStoreWrapper(object):
283 283
284 284 def __init__(self, cookie_store):
285 285 self.cookie_store = cookie_store
286 286
287 287 def __repr__(self):
288 288 return 'CookieStore<%s>' % (self.cookie_store)
289 289
290 290 def get(self, key, other=None):
291 291 if isinstance(self.cookie_store, dict):
292 292 return self.cookie_store.get(key, other)
293 293 elif isinstance(self.cookie_store, AuthUser):
294 294 return self.cookie_store.__dict__.get(key, other)
295 295
296 296
297 297 def _cached_perms_data(user_id, scope, user_is_admin,
298 298 user_inherit_default_permissions, explicit, algo):
299 299
300 300 permissions = PermissionCalculator(
301 301 user_id, scope, user_is_admin, user_inherit_default_permissions,
302 302 explicit, algo)
303 303 return permissions.calculate()
304 304
305 305
306 306 class PermOrigin(object):
307 307 ADMIN = 'superadmin'
308 308
309 309 REPO_USER = 'user:%s'
310 310 REPO_USERGROUP = 'usergroup:%s'
311 311 REPO_OWNER = 'repo.owner'
312 312 REPO_DEFAULT = 'repo.default'
313 313 REPO_PRIVATE = 'repo.private'
314 314
315 315 REPOGROUP_USER = 'user:%s'
316 316 REPOGROUP_USERGROUP = 'usergroup:%s'
317 317 REPOGROUP_OWNER = 'group.owner'
318 318 REPOGROUP_DEFAULT = 'group.default'
319 319
320 320 USERGROUP_USER = 'user:%s'
321 321 USERGROUP_USERGROUP = 'usergroup:%s'
322 322 USERGROUP_OWNER = 'usergroup.owner'
323 323 USERGROUP_DEFAULT = 'usergroup.default'
324 324
325 325
326 326 class PermOriginDict(dict):
327 327 """
328 328 A special dict used for tracking permissions along with their origins.
329 329
330 330 `__setitem__` has been overridden to expect a tuple(perm, origin)
331 331 `__getitem__` will return only the perm
332 332 `.perm_origin_stack` will return the stack of (perm, origin) set per key
333 333
334 334 >>> perms = PermOriginDict()
335 335 >>> perms['resource'] = 'read', 'default'
336 336 >>> perms['resource']
337 337 'read'
338 338 >>> perms['resource'] = 'write', 'admin'
339 339 >>> perms['resource']
340 340 'write'
341 341 >>> perms.perm_origin_stack
342 342 {'resource': [('read', 'default'), ('write', 'admin')]}
343 343 """
344 344
345 345 def __init__(self, *args, **kw):
346 346 dict.__init__(self, *args, **kw)
347 347 self.perm_origin_stack = {}
348 348
349 349 def __setitem__(self, key, (perm, origin)):
350 350 self.perm_origin_stack.setdefault(key, []).append((perm, origin))
351 351 dict.__setitem__(self, key, perm)
352 352
353 353
354 354 class PermissionCalculator(object):
355 355
356 356 def __init__(
357 357 self, user_id, scope, user_is_admin,
358 358 user_inherit_default_permissions, explicit, algo):
359 359 self.user_id = user_id
360 360 self.user_is_admin = user_is_admin
361 361 self.inherit_default_permissions = user_inherit_default_permissions
362 362 self.explicit = explicit
363 363 self.algo = algo
364 364
365 365 scope = scope or {}
366 366 self.scope_repo_id = scope.get('repo_id')
367 367 self.scope_repo_group_id = scope.get('repo_group_id')
368 368 self.scope_user_group_id = scope.get('user_group_id')
369 369
370 370 self.default_user_id = User.get_default_user(cache=True).user_id
371 371
372 372 self.permissions_repositories = PermOriginDict()
373 373 self.permissions_repository_groups = PermOriginDict()
374 374 self.permissions_user_groups = PermOriginDict()
375 375 self.permissions_global = set()
376 376
377 377 self.default_repo_perms = Permission.get_default_repo_perms(
378 378 self.default_user_id, self.scope_repo_id)
379 379 self.default_repo_groups_perms = Permission.get_default_group_perms(
380 380 self.default_user_id, self.scope_repo_group_id)
381 381 self.default_user_group_perms = \
382 382 Permission.get_default_user_group_perms(
383 383 self.default_user_id, self.scope_user_group_id)
384 384
385 385 def calculate(self):
386 386 if self.user_is_admin:
387 387 return self._admin_permissions()
388 388
389 389 self._calculate_global_default_permissions()
390 390 self._calculate_global_permissions()
391 391 self._calculate_default_permissions()
392 392 self._calculate_repository_permissions()
393 393 self._calculate_repository_group_permissions()
394 394 self._calculate_user_group_permissions()
395 395 return self._permission_structure()
396 396
397 397 def _admin_permissions(self):
398 398 """
399 399 admin user have all default rights for repositories
400 400 and groups set to admin
401 401 """
402 402 self.permissions_global.add('hg.admin')
403 403 self.permissions_global.add('hg.create.write_on_repogroup.true')
404 404
405 405 # repositories
406 406 for perm in self.default_repo_perms:
407 407 r_k = perm.UserRepoToPerm.repository.repo_name
408 408 p = 'repository.admin'
409 409 self.permissions_repositories[r_k] = p, PermOrigin.ADMIN
410 410
411 411 # repository groups
412 412 for perm in self.default_repo_groups_perms:
413 413 rg_k = perm.UserRepoGroupToPerm.group.group_name
414 414 p = 'group.admin'
415 415 self.permissions_repository_groups[rg_k] = p, PermOrigin.ADMIN
416 416
417 417 # user groups
418 418 for perm in self.default_user_group_perms:
419 419 u_k = perm.UserUserGroupToPerm.user_group.users_group_name
420 420 p = 'usergroup.admin'
421 421 self.permissions_user_groups[u_k] = p, PermOrigin.ADMIN
422 422
423 423 return self._permission_structure()
424 424
425 425 def _calculate_global_default_permissions(self):
426 426 """
427 427 global permissions taken from the default user
428 428 """
429 429 default_global_perms = UserToPerm.query()\
430 430 .filter(UserToPerm.user_id == self.default_user_id)\
431 431 .options(joinedload(UserToPerm.permission))
432 432
433 433 for perm in default_global_perms:
434 434 self.permissions_global.add(perm.permission.permission_name)
435 435
436 436 def _calculate_global_permissions(self):
437 437 """
438 438 Set global system permissions with user permissions or permissions
439 439 taken from the user groups of the current user.
440 440
441 441 The permissions include repo creating, repo group creating, forking
442 442 etc.
443 443 """
444 444
445 445 # now we read the defined permissions and overwrite what we have set
446 446 # before those can be configured from groups or users explicitly.
447 447
448 448 # TODO: johbo: This seems to be out of sync, find out the reason
449 449 # for the comment below and update it.
450 450
451 451 # In case we want to extend this list we should be always in sync with
452 452 # User.DEFAULT_USER_PERMISSIONS definitions
453 453 _configurable = frozenset([
454 454 'hg.fork.none', 'hg.fork.repository',
455 455 'hg.create.none', 'hg.create.repository',
456 456 'hg.usergroup.create.false', 'hg.usergroup.create.true',
457 457 'hg.repogroup.create.false', 'hg.repogroup.create.true',
458 458 'hg.create.write_on_repogroup.false',
459 459 'hg.create.write_on_repogroup.true',
460 460 'hg.inherit_default_perms.false', 'hg.inherit_default_perms.true'
461 461 ])
462 462
463 463 # USER GROUPS comes first user group global permissions
464 464 user_perms_from_users_groups = Session().query(UserGroupToPerm)\
465 465 .options(joinedload(UserGroupToPerm.permission))\
466 466 .join((UserGroupMember, UserGroupToPerm.users_group_id ==
467 467 UserGroupMember.users_group_id))\
468 468 .filter(UserGroupMember.user_id == self.user_id)\
469 469 .order_by(UserGroupToPerm.users_group_id)\
470 470 .all()
471 471
472 472 # need to group here by groups since user can be in more than
473 473 # one group, so we get all groups
474 474 _explicit_grouped_perms = [
475 475 [x, list(y)] for x, y in
476 476 itertools.groupby(user_perms_from_users_groups,
477 477 lambda _x: _x.users_group)]
478 478
479 479 for gr, perms in _explicit_grouped_perms:
480 480 # since user can be in multiple groups iterate over them and
481 481 # select the lowest permissions first (more explicit)
482 482 # TODO: marcink: do this^^
483 483
484 484 # group doesn't inherit default permissions so we actually set them
485 485 if not gr.inherit_default_permissions:
486 486 # NEED TO IGNORE all previously set configurable permissions
487 487 # and replace them with explicitly set from this user
488 488 # group permissions
489 489 self.permissions_global = self.permissions_global.difference(
490 490 _configurable)
491 491 for perm in perms:
492 492 self.permissions_global.add(perm.permission.permission_name)
493 493
494 494 # user explicit global permissions
495 495 user_perms = Session().query(UserToPerm)\
496 496 .options(joinedload(UserToPerm.permission))\
497 497 .filter(UserToPerm.user_id == self.user_id).all()
498 498
499 499 if not self.inherit_default_permissions:
500 500 # NEED TO IGNORE all configurable permissions and
501 501 # replace them with explicitly set from this user permissions
502 502 self.permissions_global = self.permissions_global.difference(
503 503 _configurable)
504 504 for perm in user_perms:
505 505 self.permissions_global.add(perm.permission.permission_name)
506 506
507 507 def _calculate_default_permissions(self):
508 508 """
509 509 Set default user permissions for repositories, repository groups
510 510 taken from the default user.
511 511
512 512 Calculate inheritance of object permissions based on what we have now
513 513 in GLOBAL permissions. We check if .false is in GLOBAL since this is
514 514 explicitly set. Inherit is the opposite of .false being there.
515 515
516 516 .. note::
517 517
518 518 the syntax is little bit odd but what we need to check here is
519 519 the opposite of .false permission being in the list so even for
520 520 inconsistent state when both .true/.false is there
521 521 .false is more important
522 522
523 523 """
524 524 user_inherit_object_permissions = not ('hg.inherit_default_perms.false'
525 525 in self.permissions_global)
526 526
527 527 # defaults for repositories, taken from `default` user permissions
528 528 # on given repo
529 529 for perm in self.default_repo_perms:
530 530 r_k = perm.UserRepoToPerm.repository.repo_name
531 531 o = PermOrigin.REPO_DEFAULT
532 532 if perm.Repository.private and not (
533 533 perm.Repository.user_id == self.user_id):
534 534 # disable defaults for private repos,
535 535 p = 'repository.none'
536 536 o = PermOrigin.REPO_PRIVATE
537 537 elif perm.Repository.user_id == self.user_id:
538 538 # set admin if owner
539 539 p = 'repository.admin'
540 540 o = PermOrigin.REPO_OWNER
541 541 else:
542 542 p = perm.Permission.permission_name
543 543 # if we decide this user isn't inheriting permissions from
544 544 # default user we set him to .none so only explicit
545 545 # permissions work
546 546 if not user_inherit_object_permissions:
547 547 p = 'repository.none'
548 548 self.permissions_repositories[r_k] = p, o
549 549
550 550 # defaults for repository groups taken from `default` user permission
551 551 # on given group
552 552 for perm in self.default_repo_groups_perms:
553 553 rg_k = perm.UserRepoGroupToPerm.group.group_name
554 554 o = PermOrigin.REPOGROUP_DEFAULT
555 555 if perm.RepoGroup.user_id == self.user_id:
556 556 # set admin if owner
557 557 p = 'group.admin'
558 558 o = PermOrigin.REPOGROUP_OWNER
559 559 else:
560 560 p = perm.Permission.permission_name
561 561
562 562 # if we decide this user isn't inheriting permissions from default
563 563 # user we set him to .none so only explicit permissions work
564 564 if not user_inherit_object_permissions:
565 565 p = 'group.none'
566 566 self.permissions_repository_groups[rg_k] = p, o
567 567
568 568 # defaults for user groups taken from `default` user permission
569 569 # on given user group
570 570 for perm in self.default_user_group_perms:
571 571 u_k = perm.UserUserGroupToPerm.user_group.users_group_name
572 572 o = PermOrigin.USERGROUP_DEFAULT
573 573 if perm.UserGroup.user_id == self.user_id:
574 574 # set admin if owner
575 575 p = 'usergroup.admin'
576 576 o = PermOrigin.USERGROUP_OWNER
577 577 else:
578 578 p = perm.Permission.permission_name
579 579
580 580 # if we decide this user isn't inheriting permissions from default
581 581 # user we set him to .none so only explicit permissions work
582 582 if not user_inherit_object_permissions:
583 583 p = 'usergroup.none'
584 584 self.permissions_user_groups[u_k] = p, o
585 585
586 586 def _calculate_repository_permissions(self):
587 587 """
588 588 Repository permissions for the current user.
589 589
590 590 Check if the user is part of user groups for this repository and
591 591 fill in the permission from it. `_choose_permission` decides of which
592 592 permission should be selected based on selected method.
593 593 """
594 594
595 595 # user group for repositories permissions
596 596 user_repo_perms_from_user_group = Permission\
597 597 .get_default_repo_perms_from_user_group(
598 598 self.user_id, self.scope_repo_id)
599 599
600 600 multiple_counter = collections.defaultdict(int)
601 601 for perm in user_repo_perms_from_user_group:
602 602 r_k = perm.UserGroupRepoToPerm.repository.repo_name
603 603 ug_k = perm.UserGroupRepoToPerm.users_group.users_group_name
604 604 multiple_counter[r_k] += 1
605 605 p = perm.Permission.permission_name
606 606 o = PermOrigin.REPO_USERGROUP % ug_k
607 607
608 608 if perm.Repository.user_id == self.user_id:
609 609 # set admin if owner
610 610 p = 'repository.admin'
611 611 o = PermOrigin.REPO_OWNER
612 612 else:
613 613 if multiple_counter[r_k] > 1:
614 614 cur_perm = self.permissions_repositories[r_k]
615 615 p = self._choose_permission(p, cur_perm)
616 616 self.permissions_repositories[r_k] = p, o
617 617
618 618 # user explicit permissions for repositories, overrides any specified
619 619 # by the group permission
620 620 user_repo_perms = Permission.get_default_repo_perms(
621 621 self.user_id, self.scope_repo_id)
622 622 for perm in user_repo_perms:
623 623 r_k = perm.UserRepoToPerm.repository.repo_name
624 624 o = PermOrigin.REPO_USER % perm.UserRepoToPerm.user.username
625 625 # set admin if owner
626 626 if perm.Repository.user_id == self.user_id:
627 627 p = 'repository.admin'
628 628 o = PermOrigin.REPO_OWNER
629 629 else:
630 630 p = perm.Permission.permission_name
631 631 if not self.explicit:
632 632 cur_perm = self.permissions_repositories.get(
633 633 r_k, 'repository.none')
634 634 p = self._choose_permission(p, cur_perm)
635 635 self.permissions_repositories[r_k] = p, o
636 636
637 637 def _calculate_repository_group_permissions(self):
638 638 """
639 639 Repository group permissions for the current user.
640 640
641 641 Check if the user is part of user groups for repository groups and
642 642 fill in the permissions from it. `_choose_permmission` decides of which
643 643 permission should be selected based on selected method.
644 644 """
645 645 # user group for repo groups permissions
646 646 user_repo_group_perms_from_user_group = Permission\
647 647 .get_default_group_perms_from_user_group(
648 648 self.user_id, self.scope_repo_group_id)
649 649
650 650 multiple_counter = collections.defaultdict(int)
651 651 for perm in user_repo_group_perms_from_user_group:
652 652 g_k = perm.UserGroupRepoGroupToPerm.group.group_name
653 653 ug_k = perm.UserGroupRepoGroupToPerm.users_group.users_group_name
654 654 o = PermOrigin.REPOGROUP_USERGROUP % ug_k
655 655 multiple_counter[g_k] += 1
656 656 p = perm.Permission.permission_name
657 657 if perm.RepoGroup.user_id == self.user_id:
658 658 # set admin if owner, even for member of other user group
659 659 p = 'group.admin'
660 660 o = PermOrigin.REPOGROUP_OWNER
661 661 else:
662 662 if multiple_counter[g_k] > 1:
663 663 cur_perm = self.permissions_repository_groups[g_k]
664 664 p = self._choose_permission(p, cur_perm)
665 665 self.permissions_repository_groups[g_k] = p, o
666 666
667 667 # user explicit permissions for repository groups
668 668 user_repo_groups_perms = Permission.get_default_group_perms(
669 669 self.user_id, self.scope_repo_group_id)
670 670 for perm in user_repo_groups_perms:
671 671 rg_k = perm.UserRepoGroupToPerm.group.group_name
672 672 u_k = perm.UserRepoGroupToPerm.user.username
673 673 o = PermOrigin.REPOGROUP_USER % u_k
674 674
675 675 if perm.RepoGroup.user_id == self.user_id:
676 676 # set admin if owner
677 677 p = 'group.admin'
678 678 o = PermOrigin.REPOGROUP_OWNER
679 679 else:
680 680 p = perm.Permission.permission_name
681 681 if not self.explicit:
682 682 cur_perm = self.permissions_repository_groups.get(
683 683 rg_k, 'group.none')
684 684 p = self._choose_permission(p, cur_perm)
685 685 self.permissions_repository_groups[rg_k] = p, o
686 686
687 687 def _calculate_user_group_permissions(self):
688 688 """
689 689 User group permissions for the current user.
690 690 """
691 691 # user group for user group permissions
692 692 user_group_from_user_group = Permission\
693 693 .get_default_user_group_perms_from_user_group(
694 694 self.user_id, self.scope_user_group_id)
695 695
696 696 multiple_counter = collections.defaultdict(int)
697 697 for perm in user_group_from_user_group:
698 698 g_k = perm.UserGroupUserGroupToPerm\
699 699 .target_user_group.users_group_name
700 700 u_k = perm.UserGroupUserGroupToPerm\
701 701 .user_group.users_group_name
702 702 o = PermOrigin.USERGROUP_USERGROUP % u_k
703 703 multiple_counter[g_k] += 1
704 704 p = perm.Permission.permission_name
705 705
706 706 if perm.UserGroup.user_id == self.user_id:
707 707 # set admin if owner, even for member of other user group
708 708 p = 'usergroup.admin'
709 709 o = PermOrigin.USERGROUP_OWNER
710 710 else:
711 711 if multiple_counter[g_k] > 1:
712 712 cur_perm = self.permissions_user_groups[g_k]
713 713 p = self._choose_permission(p, cur_perm)
714 714 self.permissions_user_groups[g_k] = p, o
715 715
716 716 # user explicit permission for user groups
717 717 user_user_groups_perms = Permission.get_default_user_group_perms(
718 718 self.user_id, self.scope_user_group_id)
719 719 for perm in user_user_groups_perms:
720 720 ug_k = perm.UserUserGroupToPerm.user_group.users_group_name
721 721 u_k = perm.UserUserGroupToPerm.user.username
722 722 o = PermOrigin.USERGROUP_USER % u_k
723 723
724 724 if perm.UserGroup.user_id == self.user_id:
725 725 # set admin if owner
726 726 p = 'usergroup.admin'
727 727 o = PermOrigin.USERGROUP_OWNER
728 728 else:
729 729 p = perm.Permission.permission_name
730 730 if not self.explicit:
731 731 cur_perm = self.permissions_user_groups.get(
732 732 ug_k, 'usergroup.none')
733 733 p = self._choose_permission(p, cur_perm)
734 734 self.permissions_user_groups[ug_k] = p, o
735 735
736 736 def _choose_permission(self, new_perm, cur_perm):
737 737 new_perm_val = Permission.PERM_WEIGHTS[new_perm]
738 738 cur_perm_val = Permission.PERM_WEIGHTS[cur_perm]
739 739 if self.algo == 'higherwin':
740 740 if new_perm_val > cur_perm_val:
741 741 return new_perm
742 742 return cur_perm
743 743 elif self.algo == 'lowerwin':
744 744 if new_perm_val < cur_perm_val:
745 745 return new_perm
746 746 return cur_perm
747 747
748 748 def _permission_structure(self):
749 749 return {
750 750 'global': self.permissions_global,
751 751 'repositories': self.permissions_repositories,
752 752 'repositories_groups': self.permissions_repository_groups,
753 753 'user_groups': self.permissions_user_groups,
754 754 }
755 755
756 756
757 757 def allowed_auth_token_access(view_name, whitelist=None, auth_token=None):
758 758 """
759 759 Check if given controller_name is in whitelist of auth token access
760 760 """
761 761 if not whitelist:
762 762 from rhodecode import CONFIG
763 763 whitelist = aslist(
764 764 CONFIG.get('api_access_controllers_whitelist'), sep=',')
765 765 log.debug(
766 766 'Allowed controllers for AUTH TOKEN access: %s' % (whitelist,))
767 767
768 768 auth_token_access_valid = False
769 769 for entry in whitelist:
770 770 if fnmatch.fnmatch(view_name, entry):
771 771 auth_token_access_valid = True
772 772 break
773 773
774 774 if auth_token_access_valid:
775 775 log.debug('view: `%s` matches entry in whitelist: %s'
776 776 % (view_name, whitelist))
777 777 else:
778 778 msg = ('view: `%s` does *NOT* match any entry in whitelist: %s'
779 779 % (view_name, whitelist))
780 780 if auth_token:
781 781 # if we use auth token key and don't have access it's a warning
782 782 log.warning(msg)
783 783 else:
784 784 log.debug(msg)
785 785
786 786 return auth_token_access_valid
787 787
788 788
789 789 class AuthUser(object):
790 790 """
791 791 A simple object that handles all attributes of user in RhodeCode
792 792
793 793 It does lookup based on API key,given user, or user present in session
794 794 Then it fills all required information for such user. It also checks if
795 795 anonymous access is enabled and if so, it returns default user as logged in
796 796 """
797 797 GLOBAL_PERMS = [x[0] for x in Permission.PERMS]
798 798
799 799 def __init__(self, user_id=None, api_key=None, username=None, ip_addr=None):
800 800
801 801 self.user_id = user_id
802 802 self._api_key = api_key
803 803
804 804 self.api_key = None
805 805 self.feed_token = ''
806 806 self.username = username
807 807 self.ip_addr = ip_addr
808 808 self.name = ''
809 809 self.lastname = ''
810 810 self.first_name = ''
811 811 self.last_name = ''
812 812 self.email = ''
813 813 self.is_authenticated = False
814 814 self.admin = False
815 815 self.inherit_default_permissions = False
816 816 self.password = ''
817 817
818 818 self.anonymous_user = None # propagated on propagate_data
819 819 self.propagate_data()
820 820 self._instance = None
821 821 self._permissions_scoped_cache = {} # used to bind scoped calculation
822 822
823 823 @LazyProperty
824 824 def permissions(self):
825 825 return self.get_perms(user=self, cache=False)
826 826
827 827 def permissions_with_scope(self, scope):
828 828 """
829 829 Call the get_perms function with scoped data. The scope in that function
830 830 narrows the SQL calls to the given ID of objects resulting in fetching
831 831 Just particular permission we want to obtain. If scope is an empty dict
832 832 then it basically narrows the scope to GLOBAL permissions only.
833 833
834 834 :param scope: dict
835 835 """
836 836 if 'repo_name' in scope:
837 837 obj = Repository.get_by_repo_name(scope['repo_name'])
838 838 if obj:
839 839 scope['repo_id'] = obj.repo_id
840 840 _scope = {
841 841 'repo_id': -1,
842 842 'user_group_id': -1,
843 843 'repo_group_id': -1,
844 844 }
845 845 _scope.update(scope)
846 846 cache_key = "_".join(map(safe_str, reduce(lambda a, b: a+b,
847 847 _scope.items())))
848 848 if cache_key not in self._permissions_scoped_cache:
849 849 # store in cache to mimic how the @LazyProperty works,
850 850 # the difference here is that we use the unique key calculated
851 851 # from params and values
852 852 res = self.get_perms(user=self, cache=False, scope=_scope)
853 853 self._permissions_scoped_cache[cache_key] = res
854 854 return self._permissions_scoped_cache[cache_key]
855 855
856 856 def get_instance(self):
857 857 return User.get(self.user_id)
858 858
859 859 def update_lastactivity(self):
860 860 if self.user_id:
861 861 User.get(self.user_id).update_lastactivity()
862 862
863 863 def propagate_data(self):
864 864 """
865 865 Fills in user data and propagates values to this instance. Maps fetched
866 866 user attributes to this class instance attributes
867 867 """
868 868 log.debug('AuthUser: starting data propagation for new potential user')
869 869 user_model = UserModel()
870 870 anon_user = self.anonymous_user = User.get_default_user(cache=True)
871 871 is_user_loaded = False
872 872
873 873 # lookup by userid
874 874 if self.user_id is not None and self.user_id != anon_user.user_id:
875 875 log.debug('Trying Auth User lookup by USER ID: `%s`', self.user_id)
876 876 is_user_loaded = user_model.fill_data(self, user_id=self.user_id)
877 877
878 878 # try go get user by api key
879 879 elif self._api_key and self._api_key != anon_user.api_key:
880 880 log.debug('Trying Auth User lookup by API KEY: `%s`', self._api_key)
881 881 is_user_loaded = user_model.fill_data(self, api_key=self._api_key)
882 882
883 883 # lookup by username
884 884 elif self.username:
885 885 log.debug('Trying Auth User lookup by USER NAME: `%s`', self.username)
886 886 is_user_loaded = user_model.fill_data(self, username=self.username)
887 887 else:
888 888 log.debug('No data in %s that could been used to log in', self)
889 889
890 890 if not is_user_loaded:
891 891 log.debug('Failed to load user. Fallback to default user')
892 892 # if we cannot authenticate user try anonymous
893 893 if anon_user.active:
894 894 user_model.fill_data(self, user_id=anon_user.user_id)
895 895 # then we set this user is logged in
896 896 self.is_authenticated = True
897 897 else:
898 898 # in case of disabled anonymous user we reset some of the
899 899 # parameters so such user is "corrupted", skipping the fill_data
900 900 for attr in ['user_id', 'username', 'admin', 'active']:
901 901 setattr(self, attr, None)
902 902 self.is_authenticated = False
903 903
904 904 if not self.username:
905 905 self.username = 'None'
906 906
907 907 log.debug('AuthUser: propagated user is now %s', self)
908 908
909 909 def get_perms(self, user, scope=None, explicit=True, algo='higherwin',
910 910 cache=False):
911 911 """
912 912 Fills user permission attribute with permissions taken from database
913 913 works for permissions given for repositories, and for permissions that
914 914 are granted to groups
915 915
916 916 :param user: instance of User object from database
917 917 :param explicit: In case there are permissions both for user and a group
918 918 that user is part of, explicit flag will defiine if user will
919 919 explicitly override permissions from group, if it's False it will
920 920 make decision based on the algo
921 921 :param algo: algorithm to decide what permission should be choose if
922 922 it's multiple defined, eg user in two different groups. It also
923 923 decides if explicit flag is turned off how to specify the permission
924 924 for case when user is in a group + have defined separate permission
925 925 """
926 926 user_id = user.user_id
927 927 user_is_admin = user.is_admin
928 928
929 929 # inheritance of global permissions like create repo/fork repo etc
930 930 user_inherit_default_permissions = user.inherit_default_permissions
931 931
932 932 log.debug('Computing PERMISSION tree for scope %s' % (scope, ))
933 933 compute = caches.conditional_cache(
934 934 'short_term', 'cache_desc',
935 935 condition=cache, func=_cached_perms_data)
936 936 result = compute(user_id, scope, user_is_admin,
937 937 user_inherit_default_permissions, explicit, algo)
938 938
939 939 result_repr = []
940 940 for k in result:
941 941 result_repr.append((k, len(result[k])))
942 942
943 943 log.debug('PERMISSION tree computed %s' % (result_repr,))
944 944 return result
945 945
946 946 @property
947 947 def is_default(self):
948 948 return self.username == User.DEFAULT_USER
949 949
950 950 @property
951 951 def is_admin(self):
952 952 return self.admin
953 953
954 954 @property
955 955 def is_user_object(self):
956 956 return self.user_id is not None
957 957
958 958 @property
959 959 def repositories_admin(self):
960 960 """
961 961 Returns list of repositories you're an admin of
962 962 """
963 963 return [
964 964 x[0] for x in self.permissions['repositories'].iteritems()
965 965 if x[1] == 'repository.admin']
966 966
967 967 @property
968 968 def repository_groups_admin(self):
969 969 """
970 970 Returns list of repository groups you're an admin of
971 971 """
972 972 return [
973 973 x[0] for x in self.permissions['repositories_groups'].iteritems()
974 974 if x[1] == 'group.admin']
975 975
976 976 @property
977 977 def user_groups_admin(self):
978 978 """
979 979 Returns list of user groups you're an admin of
980 980 """
981 981 return [
982 982 x[0] for x in self.permissions['user_groups'].iteritems()
983 983 if x[1] == 'usergroup.admin']
984 984
985 985 @property
986 986 def ip_allowed(self):
987 987 """
988 988 Checks if ip_addr used in constructor is allowed from defined list of
989 989 allowed ip_addresses for user
990 990
991 991 :returns: boolean, True if ip is in allowed ip range
992 992 """
993 993 # check IP
994 994 inherit = self.inherit_default_permissions
995 995 return AuthUser.check_ip_allowed(self.user_id, self.ip_addr,
996 996 inherit_from_default=inherit)
997 997 @property
998 998 def personal_repo_group(self):
999 999 return RepoGroup.get_user_personal_repo_group(self.user_id)
1000 1000
1001 1001 @classmethod
1002 1002 def check_ip_allowed(cls, user_id, ip_addr, inherit_from_default):
1003 1003 allowed_ips = AuthUser.get_allowed_ips(
1004 1004 user_id, cache=True, inherit_from_default=inherit_from_default)
1005 1005 if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):
1006 1006 log.debug('IP:%s is in range of %s' % (ip_addr, allowed_ips))
1007 1007 return True
1008 1008 else:
1009 1009 log.info('Access for IP:%s forbidden, '
1010 1010 'not in %s' % (ip_addr, allowed_ips))
1011 1011 return False
1012 1012
1013 1013 def __repr__(self):
1014 1014 return "<AuthUser('id:%s[%s] ip:%s auth:%s')>"\
1015 1015 % (self.user_id, self.username, self.ip_addr, self.is_authenticated)
1016 1016
1017 1017 def set_authenticated(self, authenticated=True):
1018 1018 if self.user_id != self.anonymous_user.user_id:
1019 1019 self.is_authenticated = authenticated
1020 1020
1021 1021 def get_cookie_store(self):
1022 1022 return {
1023 1023 'username': self.username,
1024 1024 'password': md5(self.password),
1025 1025 'user_id': self.user_id,
1026 1026 'is_authenticated': self.is_authenticated
1027 1027 }
1028 1028
1029 1029 @classmethod
1030 1030 def from_cookie_store(cls, cookie_store):
1031 1031 """
1032 1032 Creates AuthUser from a cookie store
1033 1033
1034 1034 :param cls:
1035 1035 :param cookie_store:
1036 1036 """
1037 1037 user_id = cookie_store.get('user_id')
1038 1038 username = cookie_store.get('username')
1039 1039 api_key = cookie_store.get('api_key')
1040 1040 return AuthUser(user_id, api_key, username)
1041 1041
1042 1042 @classmethod
1043 1043 def get_allowed_ips(cls, user_id, cache=False, inherit_from_default=False):
1044 1044 _set = set()
1045 1045
1046 1046 if inherit_from_default:
1047 1047 default_ips = UserIpMap.query().filter(
1048 1048 UserIpMap.user == User.get_default_user(cache=True))
1049 1049 if cache:
1050 1050 default_ips = default_ips.options(
1051 1051 FromCache("sql_cache_short", "get_user_ips_default"))
1052 1052
1053 1053 # populate from default user
1054 1054 for ip in default_ips:
1055 1055 try:
1056 1056 _set.add(ip.ip_addr)
1057 1057 except ObjectDeletedError:
1058 1058 # since we use heavy caching sometimes it happens that
1059 1059 # we get deleted objects here, we just skip them
1060 1060 pass
1061 1061
1062 1062 user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)
1063 1063 if cache:
1064 1064 user_ips = user_ips.options(
1065 1065 FromCache("sql_cache_short", "get_user_ips_%s" % user_id))
1066 1066
1067 1067 for ip in user_ips:
1068 1068 try:
1069 1069 _set.add(ip.ip_addr)
1070 1070 except ObjectDeletedError:
1071 1071 # since we use heavy caching sometimes it happens that we get
1072 1072 # deleted objects here, we just skip them
1073 1073 pass
1074 1074 return _set or set(['0.0.0.0/0', '::/0'])
1075 1075
1076 1076
1077 1077 def set_available_permissions(config):
1078 1078 """
1079 1079 This function will propagate pylons globals with all available defined
1080 1080 permission given in db. We don't want to check each time from db for new
1081 1081 permissions since adding a new permission also requires application restart
1082 1082 ie. to decorate new views with the newly created permission
1083 1083
1084 1084 :param config: current pylons config instance
1085 1085
1086 1086 """
1087 1087 log.info('getting information about all available permissions')
1088 1088 try:
1089 1089 sa = meta.Session
1090 1090 all_perms = sa.query(Permission).all()
1091 1091 config['available_permissions'] = [x.permission_name for x in all_perms]
1092 1092 except Exception:
1093 1093 log.error(traceback.format_exc())
1094 1094 finally:
1095 1095 meta.Session.remove()
1096 1096
1097 1097
1098 1098 def get_csrf_token(session=None, force_new=False, save_if_missing=True):
1099 1099 """
1100 1100 Return the current authentication token, creating one if one doesn't
1101 1101 already exist and the save_if_missing flag is present.
1102 1102
1103 1103 :param session: pass in the pylons session, else we use the global ones
1104 1104 :param force_new: force to re-generate the token and store it in session
1105 1105 :param save_if_missing: save the newly generated token if it's missing in
1106 1106 session
1107 1107 """
1108 1108 # NOTE(marcink): probably should be replaced with below one from pyramid 1.9
1109 1109 # from pyramid.csrf import get_csrf_token
1110 1110
1111 1111 if not session:
1112 1112 from pylons import session
1113 1113
1114 1114 if (csrf_token_key not in session and save_if_missing) or force_new:
1115 1115 token = hashlib.sha1(str(random.getrandbits(128))).hexdigest()
1116 1116 session[csrf_token_key] = token
1117 1117 if hasattr(session, 'save'):
1118 1118 session.save()
1119 1119 return session.get(csrf_token_key)
1120 1120
1121 1121
1122 1122 def get_request(perm_class):
1123 1123 from pyramid.threadlocal import get_current_request
1124 1124 pyramid_request = get_current_request()
1125 1125 if not pyramid_request:
1126 1126 # return global request of pylons in case pyramid isn't available
1127 1127 # NOTE(marcink): this should be removed after migration to pyramid
1128 1128 from pylons import request
1129 1129 return request
1130 1130 return pyramid_request
1131 1131
1132 1132
1133 1133 # CHECK DECORATORS
1134 1134 class CSRFRequired(object):
1135 1135 """
1136 1136 Decorator for authenticating a form
1137 1137
1138 1138 This decorator uses an authorization token stored in the client's
1139 1139 session for prevention of certain Cross-site request forgery (CSRF)
1140 1140 attacks (See
1141 1141 http://en.wikipedia.org/wiki/Cross-site_request_forgery for more
1142 1142 information).
1143 1143
1144 1144 For use with the ``webhelpers.secure_form`` helper functions.
1145 1145
1146 1146 """
1147 1147 def __init__(self, token=csrf_token_key, header='X-CSRF-Token',
1148 1148 except_methods=None):
1149 1149 self.token = token
1150 1150 self.header = header
1151 1151 self.except_methods = except_methods or []
1152 1152
1153 1153 def __call__(self, func):
1154 1154 return get_cython_compat_decorator(self.__wrapper, func)
1155 1155
1156 1156 def _get_csrf(self, _request):
1157 1157 return _request.POST.get(self.token, _request.headers.get(self.header))
1158 1158
1159 1159 def check_csrf(self, _request, cur_token):
1160 1160 supplied_token = self._get_csrf(_request)
1161 1161 return supplied_token and supplied_token == cur_token
1162 1162
1163 1163 def _get_request(self):
1164 1164 return get_request(self)
1165 1165
1166 1166 def __wrapper(self, func, *fargs, **fkwargs):
1167 1167 request = self._get_request()
1168 1168
1169 1169 if request.method in self.except_methods:
1170 1170 return func(*fargs, **fkwargs)
1171 1171
1172 1172 cur_token = get_csrf_token(save_if_missing=False)
1173 1173 if self.check_csrf(request, cur_token):
1174 1174 if request.POST.get(self.token):
1175 1175 del request.POST[self.token]
1176 1176 return func(*fargs, **fkwargs)
1177 1177 else:
1178 1178 reason = 'token-missing'
1179 1179 supplied_token = self._get_csrf(request)
1180 1180 if supplied_token and cur_token != supplied_token:
1181 1181 reason = 'token-mismatch [%s:%s]' % (
1182 1182 cur_token or ''[:6], supplied_token or ''[:6])
1183 1183
1184 1184 csrf_message = \
1185 1185 ("Cross-site request forgery detected, request denied. See "
1186 1186 "http://en.wikipedia.org/wiki/Cross-site_request_forgery for "
1187 1187 "more information.")
1188 1188 log.warn('Cross-site request forgery detected, request %r DENIED: %s '
1189 1189 'REMOTE_ADDR:%s, HEADERS:%s' % (
1190 1190 request, reason, request.remote_addr, request.headers))
1191 1191
1192 1192 raise HTTPForbidden(explanation=csrf_message)
1193 1193
1194 1194
1195 1195 class LoginRequired(object):
1196 1196 """
1197 1197 Must be logged in to execute this function else
1198 1198 redirect to login page
1199 1199
1200 1200 :param api_access: if enabled this checks only for valid auth token
1201 1201 and grants access based on valid token
1202 1202 """
1203 1203 def __init__(self, auth_token_access=None):
1204 1204 self.auth_token_access = auth_token_access
1205 1205
1206 1206 def __call__(self, func):
1207 1207 return get_cython_compat_decorator(self.__wrapper, func)
1208 1208
1209 1209 def _get_request(self):
1210 1210 return get_request(self)
1211 1211
1212 1212 def __wrapper(self, func, *fargs, **fkwargs):
1213 1213 from rhodecode.lib import helpers as h
1214 1214 cls = fargs[0]
1215 1215 user = cls._rhodecode_user
1216 1216 request = self._get_request()
1217 1217
1218 1218 loc = "%s:%s" % (cls.__class__.__name__, func.__name__)
1219 1219 log.debug('Starting login restriction checks for user: %s' % (user,))
1220 1220 # check if our IP is allowed
1221 1221 ip_access_valid = True
1222 1222 if not user.ip_allowed:
1223 1223 h.flash(h.literal(_('IP %s not allowed' % (user.ip_addr,))),
1224 1224 category='warning')
1225 1225 ip_access_valid = False
1226 1226
1227 1227 # check if we used an APIKEY and it's a valid one
1228 1228 # defined white-list of controllers which API access will be enabled
1229 1229 _auth_token = request.GET.get(
1230 1230 'auth_token', '') or request.GET.get('api_key', '')
1231 1231 auth_token_access_valid = allowed_auth_token_access(
1232 1232 loc, auth_token=_auth_token)
1233 1233
1234 1234 # explicit controller is enabled or API is in our whitelist
1235 1235 if self.auth_token_access or auth_token_access_valid:
1236 1236 log.debug('Checking AUTH TOKEN access for %s' % (cls,))
1237 1237 db_user = user.get_instance()
1238 1238
1239 1239 if db_user:
1240 1240 if self.auth_token_access:
1241 1241 roles = self.auth_token_access
1242 1242 else:
1243 1243 roles = [UserApiKeys.ROLE_HTTP]
1244 1244 token_match = db_user.authenticate_by_token(
1245 1245 _auth_token, roles=roles)
1246 1246 else:
1247 1247 log.debug('Unable to fetch db instance for auth user: %s', user)
1248 1248 token_match = False
1249 1249
1250 1250 if _auth_token and token_match:
1251 1251 auth_token_access_valid = True
1252 1252 log.debug('AUTH TOKEN ****%s is VALID' % (_auth_token[-4:],))
1253 1253 else:
1254 1254 auth_token_access_valid = False
1255 1255 if not _auth_token:
1256 1256 log.debug("AUTH TOKEN *NOT* present in request")
1257 1257 else:
1258 1258 log.warning(
1259 1259 "AUTH TOKEN ****%s *NOT* valid" % _auth_token[-4:])
1260 1260
1261 1261 log.debug('Checking if %s is authenticated @ %s' % (user.username, loc))
1262 1262 reason = 'RHODECODE_AUTH' if user.is_authenticated \
1263 1263 else 'AUTH_TOKEN_AUTH'
1264 1264
1265 1265 if ip_access_valid and (
1266 1266 user.is_authenticated or auth_token_access_valid):
1267 1267 log.info(
1268 1268 'user %s authenticating with:%s IS authenticated on func %s'
1269 1269 % (user, reason, loc))
1270 1270
1271 1271 # update user data to check last activity
1272 1272 user.update_lastactivity()
1273 1273 Session().commit()
1274 1274 return func(*fargs, **fkwargs)
1275 1275 else:
1276 1276 log.warning(
1277 1277 'user %s authenticating with:%s NOT authenticated on '
1278 1278 'func: %s: IP_ACCESS:%s AUTH_TOKEN_ACCESS:%s'
1279 1279 % (user, reason, loc, ip_access_valid,
1280 1280 auth_token_access_valid))
1281 1281 # we preserve the get PARAM
1282 1282 came_from = request.path_qs
1283 1283 log.debug('redirecting to login page with %s' % (came_from,))
1284 1284 raise HTTPFound(
1285 1285 h.route_path('login', _query={'came_from': came_from}))
1286 1286
1287 1287
1288 1288 class NotAnonymous(object):
1289 1289 """
1290 1290 Must be logged in to execute this function else
1291 1291 redirect to login page
1292 1292 """
1293 1293
1294 1294 def __call__(self, func):
1295 1295 return get_cython_compat_decorator(self.__wrapper, func)
1296 1296
1297 1297 def _get_request(self):
1298 1298 return get_request(self)
1299 1299
1300 1300 def __wrapper(self, func, *fargs, **fkwargs):
1301 1301 import rhodecode.lib.helpers as h
1302 1302 cls = fargs[0]
1303 1303 self.user = cls._rhodecode_user
1304 1304 request = self._get_request()
1305 1305
1306 1306 log.debug('Checking if user is not anonymous @%s' % cls)
1307 1307
1308 1308 anonymous = self.user.username == User.DEFAULT_USER
1309 1309
1310 1310 if anonymous:
1311 1311 came_from = request.path_qs
1312 1312 h.flash(_('You need to be a registered user to '
1313 1313 'perform this action'),
1314 1314 category='warning')
1315 1315 raise HTTPFound(
1316 1316 h.route_path('login', _query={'came_from': came_from}))
1317 1317 else:
1318 1318 return func(*fargs, **fkwargs)
1319 1319
1320 1320
1321 1321 class XHRRequired(object):
1322 1322 # TODO(marcink): remove this in favor of the predicates in pyramid routes
1323 1323
1324 1324 def __call__(self, func):
1325 1325 return get_cython_compat_decorator(self.__wrapper, func)
1326 1326
1327 1327 def _get_request(self):
1328 1328 return get_request(self)
1329 1329
1330 1330 def __wrapper(self, func, *fargs, **fkwargs):
1331 1331 from pylons.controllers.util import abort
1332 1332 request = self._get_request()
1333 1333
1334 1334 log.debug('Checking if request is XMLHttpRequest (XHR)')
1335 1335 xhr_message = 'This is not a valid XMLHttpRequest (XHR) request'
1336 1336
1337 1337 if not request.is_xhr:
1338 1338 abort(400, detail=xhr_message)
1339 1339
1340 1340 return func(*fargs, **fkwargs)
1341 1341
1342 1342
1343 1343 class PermsDecorator(object):
1344 1344 """
1345 1345 Base class for controller decorators, we extract the current user from
1346 1346 the class itself, which has it stored in base controllers
1347 1347 """
1348 1348
1349 1349 def __init__(self, *required_perms):
1350 1350 self.required_perms = set(required_perms)
1351 1351
1352 1352 def __call__(self, func):
1353 1353 return get_cython_compat_decorator(self.__wrapper, func)
1354 1354
1355 1355 def _get_request(self):
1356 1356 return get_request(self)
1357 1357
1358 1358 def _get_came_from(self):
1359 1359 _request = self._get_request()
1360 1360
1361 1361 # both pylons/pyramid has this attribute
1362 1362 return _request.path_qs
1363 1363
1364 1364 def __wrapper(self, func, *fargs, **fkwargs):
1365 1365 import rhodecode.lib.helpers as h
1366 1366 cls = fargs[0]
1367 1367 _user = cls._rhodecode_user
1368 1368
1369 1369 log.debug('checking %s permissions %s for %s %s',
1370 1370 self.__class__.__name__, self.required_perms, cls, _user)
1371 1371
1372 1372 if self.check_permissions(_user):
1373 1373 log.debug('Permission granted for %s %s', cls, _user)
1374 1374 return func(*fargs, **fkwargs)
1375 1375
1376 1376 else:
1377 1377 log.debug('Permission denied for %s %s', cls, _user)
1378 1378 anonymous = _user.username == User.DEFAULT_USER
1379 1379
1380 1380 if anonymous:
1381 1381 came_from = self._get_came_from()
1382 1382 h.flash(_('You need to be signed in to view this page'),
1383 1383 category='warning')
1384 1384 raise HTTPFound(
1385 1385 h.route_path('login', _query={'came_from': came_from}))
1386 1386
1387 1387 else:
1388 1388 # redirect with 404 to prevent resource discovery
1389 1389 raise HTTPNotFound()
1390 1390
1391 1391 def check_permissions(self, user):
1392 1392 """Dummy function for overriding"""
1393 1393 raise NotImplementedError(
1394 1394 'You have to write this function in child class')
1395 1395
1396 1396
1397 1397 class HasPermissionAllDecorator(PermsDecorator):
1398 1398 """
1399 1399 Checks for access permission for all given predicates. All of them
1400 1400 have to be meet in order to fulfill the request
1401 1401 """
1402 1402
1403 1403 def check_permissions(self, user):
1404 1404 perms = user.permissions_with_scope({})
1405 1405 if self.required_perms.issubset(perms['global']):
1406 1406 return True
1407 1407 return False
1408 1408
1409 1409
1410 1410 class HasPermissionAnyDecorator(PermsDecorator):
1411 1411 """
1412 1412 Checks for access permission for any of given predicates. In order to
1413 1413 fulfill the request any of predicates must be meet
1414 1414 """
1415 1415
1416 1416 def check_permissions(self, user):
1417 1417 perms = user.permissions_with_scope({})
1418 1418 if self.required_perms.intersection(perms['global']):
1419 1419 return True
1420 1420 return False
1421 1421
1422 1422
1423 1423 class HasRepoPermissionAllDecorator(PermsDecorator):
1424 1424 """
1425 1425 Checks for access permission for all given predicates for specific
1426 1426 repository. All of them have to be meet in order to fulfill the request
1427 1427 """
1428 1428 def _get_repo_name(self):
1429 1429 _request = self._get_request()
1430 1430 return get_repo_slug(_request)
1431 1431
1432 1432 def check_permissions(self, user):
1433 1433 perms = user.permissions
1434 1434 repo_name = self._get_repo_name()
1435 1435
1436 1436 try:
1437 1437 user_perms = set([perms['repositories'][repo_name]])
1438 1438 except KeyError:
1439 1439 log.debug('cannot locate repo with name: `%s` in permissions defs',
1440 1440 repo_name)
1441 1441 return False
1442 1442
1443 1443 log.debug('checking `%s` permissions for repo `%s`',
1444 1444 user_perms, repo_name)
1445 1445 if self.required_perms.issubset(user_perms):
1446 1446 return True
1447 1447 return False
1448 1448
1449 1449
1450 1450 class HasRepoPermissionAnyDecorator(PermsDecorator):
1451 1451 """
1452 1452 Checks for access permission for any of given predicates for specific
1453 1453 repository. In order to fulfill the request any of predicates must be meet
1454 1454 """
1455 1455 def _get_repo_name(self):
1456 1456 _request = self._get_request()
1457 1457 return get_repo_slug(_request)
1458 1458
1459 1459 def check_permissions(self, user):
1460 1460 perms = user.permissions
1461 1461 repo_name = self._get_repo_name()
1462 1462
1463 1463 try:
1464 1464 user_perms = set([perms['repositories'][repo_name]])
1465 1465 except KeyError:
1466 log.debug('cannot locate repo with name: `%s` in permissions defs',
1466 log.debug(
1467 'cannot locate repo with name: `%s` in permissions defs',
1467 1468 repo_name)
1468 1469 return False
1469 1470
1470 1471 log.debug('checking `%s` permissions for repo `%s`',
1471 1472 user_perms, repo_name)
1472 1473 if self.required_perms.intersection(user_perms):
1473 1474 return True
1474 1475 return False
1475 1476
1476 1477
1477 1478 class HasRepoGroupPermissionAllDecorator(PermsDecorator):
1478 1479 """
1479 1480 Checks for access permission for all given predicates for specific
1480 1481 repository group. All of them have to be meet in order to
1481 1482 fulfill the request
1482 1483 """
1483 1484 def _get_repo_group_name(self):
1484 1485 _request = self._get_request()
1485 1486 return get_repo_group_slug(_request)
1486 1487
1487 1488 def check_permissions(self, user):
1488 1489 perms = user.permissions
1489 1490 group_name = self._get_repo_group_name()
1490 1491 try:
1491 1492 user_perms = set([perms['repositories_groups'][group_name]])
1492 1493 except KeyError:
1493 log.debug('cannot locate repo group with name: `%s` in permissions defs',
1494 log.debug(
1495 'cannot locate repo group with name: `%s` in permissions defs',
1494 1496 group_name)
1495 1497 return False
1496 1498
1497 1499 log.debug('checking `%s` permissions for repo group `%s`',
1498 1500 user_perms, group_name)
1499 1501 if self.required_perms.issubset(user_perms):
1500 1502 return True
1501 1503 return False
1502 1504
1503 1505
1504 1506 class HasRepoGroupPermissionAnyDecorator(PermsDecorator):
1505 1507 """
1506 1508 Checks for access permission for any of given predicates for specific
1507 1509 repository group. In order to fulfill the request any
1508 1510 of predicates must be met
1509 1511 """
1510 1512 def _get_repo_group_name(self):
1511 1513 _request = self._get_request()
1512 1514 return get_repo_group_slug(_request)
1513 1515
1514 1516 def check_permissions(self, user):
1515 1517 perms = user.permissions
1516 1518 group_name = self._get_repo_group_name()
1517 1519
1518 1520 try:
1519 1521 user_perms = set([perms['repositories_groups'][group_name]])
1520 1522 except KeyError:
1521 log.debug('cannot locate repo group with name: `%s` in permissions defs',
1523 log.debug(
1524 'cannot locate repo group with name: `%s` in permissions defs',
1522 1525 group_name)
1523 1526 return False
1524 1527
1525 1528 log.debug('checking `%s` permissions for repo group `%s`',
1526 1529 user_perms, group_name)
1527 1530 if self.required_perms.intersection(user_perms):
1528 1531 return True
1529 1532 return False
1530 1533
1531 1534
1532 1535 class HasUserGroupPermissionAllDecorator(PermsDecorator):
1533 1536 """
1534 1537 Checks for access permission for all given predicates for specific
1535 1538 user group. All of them have to be meet in order to fulfill the request
1536 1539 """
1537 1540 def _get_user_group_name(self):
1538 1541 _request = self._get_request()
1539 1542 return get_user_group_slug(_request)
1540 1543
1541 1544 def check_permissions(self, user):
1542 1545 perms = user.permissions
1543 1546 group_name = self._get_user_group_name()
1544 1547 try:
1545 1548 user_perms = set([perms['user_groups'][group_name]])
1546 1549 except KeyError:
1547 1550 return False
1548 1551
1549 1552 if self.required_perms.issubset(user_perms):
1550 1553 return True
1551 1554 return False
1552 1555
1553 1556
1554 1557 class HasUserGroupPermissionAnyDecorator(PermsDecorator):
1555 1558 """
1556 1559 Checks for access permission for any of given predicates for specific
1557 1560 user group. In order to fulfill the request any of predicates must be meet
1558 1561 """
1559 1562 def _get_user_group_name(self):
1560 1563 _request = self._get_request()
1561 1564 return get_user_group_slug(_request)
1562 1565
1563 1566 def check_permissions(self, user):
1564 1567 perms = user.permissions
1565 1568 group_name = self._get_user_group_name()
1566 1569 try:
1567 1570 user_perms = set([perms['user_groups'][group_name]])
1568 1571 except KeyError:
1569 1572 return False
1570 1573
1571 1574 if self.required_perms.intersection(user_perms):
1572 1575 return True
1573 1576 return False
1574 1577
1575 1578
1576 1579 # CHECK FUNCTIONS
1577 1580 class PermsFunction(object):
1578 1581 """Base function for other check functions"""
1579 1582
1580 1583 def __init__(self, *perms):
1581 1584 self.required_perms = set(perms)
1582 1585 self.repo_name = None
1583 1586 self.repo_group_name = None
1584 1587 self.user_group_name = None
1585 1588
1586 1589 def __bool__(self):
1587 1590 frame = inspect.currentframe()
1588 1591 stack_trace = traceback.format_stack(frame)
1589 1592 log.error('Checking bool value on a class instance of perm '
1590 1593 'function is not allowed: %s' % ''.join(stack_trace))
1591 1594 # rather than throwing errors, here we always return False so if by
1592 1595 # accident someone checks truth for just an instance it will always end
1593 1596 # up in returning False
1594 1597 return False
1595 1598 __nonzero__ = __bool__
1596 1599
1597 1600 def __call__(self, check_location='', user=None):
1598 1601 if not user:
1599 1602 log.debug('Using user attribute from global request')
1600 1603 # TODO: remove this someday,put as user as attribute here
1601 1604 request = self._get_request()
1602 1605 user = request.user
1603 1606
1604 1607 # init auth user if not already given
1605 1608 if not isinstance(user, AuthUser):
1606 1609 log.debug('Wrapping user %s into AuthUser', user)
1607 1610 user = AuthUser(user.user_id)
1608 1611
1609 1612 cls_name = self.__class__.__name__
1610 1613 check_scope = self._get_check_scope(cls_name)
1611 1614 check_location = check_location or 'unspecified location'
1612 1615
1613 1616 log.debug('checking cls:%s %s usr:%s %s @ %s', cls_name,
1614 1617 self.required_perms, user, check_scope, check_location)
1615 1618 if not user:
1616 1619 log.warning('Empty user given for permission check')
1617 1620 return False
1618 1621
1619 1622 if self.check_permissions(user):
1620 1623 log.debug('Permission to repo:`%s` GRANTED for user:`%s` @ %s',
1621 1624 check_scope, user, check_location)
1622 1625 return True
1623 1626
1624 1627 else:
1625 1628 log.debug('Permission to repo:`%s` DENIED for user:`%s` @ %s',
1626 1629 check_scope, user, check_location)
1627 1630 return False
1628 1631
1629 1632 def _get_request(self):
1630 1633 return get_request(self)
1631 1634
1632 1635 def _get_check_scope(self, cls_name):
1633 1636 return {
1634 1637 'HasPermissionAll': 'GLOBAL',
1635 1638 'HasPermissionAny': 'GLOBAL',
1636 1639 'HasRepoPermissionAll': 'repo:%s' % self.repo_name,
1637 1640 'HasRepoPermissionAny': 'repo:%s' % self.repo_name,
1638 1641 'HasRepoGroupPermissionAll': 'repo_group:%s' % self.repo_group_name,
1639 1642 'HasRepoGroupPermissionAny': 'repo_group:%s' % self.repo_group_name,
1640 1643 'HasUserGroupPermissionAll': 'user_group:%s' % self.user_group_name,
1641 1644 'HasUserGroupPermissionAny': 'user_group:%s' % self.user_group_name,
1642 1645 }.get(cls_name, '?:%s' % cls_name)
1643 1646
1644 1647 def check_permissions(self, user):
1645 1648 """Dummy function for overriding"""
1646 1649 raise Exception('You have to write this function in child class')
1647 1650
1648 1651
1649 1652 class HasPermissionAll(PermsFunction):
1650 1653 def check_permissions(self, user):
1651 1654 perms = user.permissions_with_scope({})
1652 1655 if self.required_perms.issubset(perms.get('global')):
1653 1656 return True
1654 1657 return False
1655 1658
1656 1659
1657 1660 class HasPermissionAny(PermsFunction):
1658 1661 def check_permissions(self, user):
1659 1662 perms = user.permissions_with_scope({})
1660 1663 if self.required_perms.intersection(perms.get('global')):
1661 1664 return True
1662 1665 return False
1663 1666
1664 1667
1665 1668 class HasRepoPermissionAll(PermsFunction):
1666 1669 def __call__(self, repo_name=None, check_location='', user=None):
1667 1670 self.repo_name = repo_name
1668 1671 return super(HasRepoPermissionAll, self).__call__(check_location, user)
1669 1672
1670 1673 def _get_repo_name(self):
1671 1674 if not self.repo_name:
1672 1675 _request = self._get_request()
1673 1676 self.repo_name = get_repo_slug(_request)
1674 1677 return self.repo_name
1675 1678
1676 1679 def check_permissions(self, user):
1677 1680 self.repo_name = self._get_repo_name()
1678 1681 perms = user.permissions
1679 1682 try:
1680 1683 user_perms = set([perms['repositories'][self.repo_name]])
1681 1684 except KeyError:
1682 1685 return False
1683 1686 if self.required_perms.issubset(user_perms):
1684 1687 return True
1685 1688 return False
1686 1689
1687 1690
1688 1691 class HasRepoPermissionAny(PermsFunction):
1689 1692 def __call__(self, repo_name=None, check_location='', user=None):
1690 1693 self.repo_name = repo_name
1691 1694 return super(HasRepoPermissionAny, self).__call__(check_location, user)
1692 1695
1693 1696 def _get_repo_name(self):
1694 1697 if not self.repo_name:
1695 1698 _request = self._get_request()
1696 1699 self.repo_name = get_repo_slug(_request)
1697 1700 return self.repo_name
1698 1701
1699 1702 def check_permissions(self, user):
1700 1703 self.repo_name = self._get_repo_name()
1701 1704 perms = user.permissions
1702 1705 try:
1703 1706 user_perms = set([perms['repositories'][self.repo_name]])
1704 1707 except KeyError:
1705 1708 return False
1706 1709 if self.required_perms.intersection(user_perms):
1707 1710 return True
1708 1711 return False
1709 1712
1710 1713
1711 1714 class HasRepoGroupPermissionAny(PermsFunction):
1712 1715 def __call__(self, group_name=None, check_location='', user=None):
1713 1716 self.repo_group_name = group_name
1714 1717 return super(HasRepoGroupPermissionAny, self).__call__(
1715 1718 check_location, user)
1716 1719
1717 1720 def check_permissions(self, user):
1718 1721 perms = user.permissions
1719 1722 try:
1720 1723 user_perms = set(
1721 1724 [perms['repositories_groups'][self.repo_group_name]])
1722 1725 except KeyError:
1723 1726 return False
1724 1727 if self.required_perms.intersection(user_perms):
1725 1728 return True
1726 1729 return False
1727 1730
1728 1731
1729 1732 class HasRepoGroupPermissionAll(PermsFunction):
1730 1733 def __call__(self, group_name=None, check_location='', user=None):
1731 1734 self.repo_group_name = group_name
1732 1735 return super(HasRepoGroupPermissionAll, self).__call__(
1733 1736 check_location, user)
1734 1737
1735 1738 def check_permissions(self, user):
1736 1739 perms = user.permissions
1737 1740 try:
1738 1741 user_perms = set(
1739 1742 [perms['repositories_groups'][self.repo_group_name]])
1740 1743 except KeyError:
1741 1744 return False
1742 1745 if self.required_perms.issubset(user_perms):
1743 1746 return True
1744 1747 return False
1745 1748
1746 1749
1747 1750 class HasUserGroupPermissionAny(PermsFunction):
1748 1751 def __call__(self, user_group_name=None, check_location='', user=None):
1749 1752 self.user_group_name = user_group_name
1750 1753 return super(HasUserGroupPermissionAny, self).__call__(
1751 1754 check_location, user)
1752 1755
1753 1756 def check_permissions(self, user):
1754 1757 perms = user.permissions
1755 1758 try:
1756 1759 user_perms = set([perms['user_groups'][self.user_group_name]])
1757 1760 except KeyError:
1758 1761 return False
1759 1762 if self.required_perms.intersection(user_perms):
1760 1763 return True
1761 1764 return False
1762 1765
1763 1766
1764 1767 class HasUserGroupPermissionAll(PermsFunction):
1765 1768 def __call__(self, user_group_name=None, check_location='', user=None):
1766 1769 self.user_group_name = user_group_name
1767 1770 return super(HasUserGroupPermissionAll, self).__call__(
1768 1771 check_location, user)
1769 1772
1770 1773 def check_permissions(self, user):
1771 1774 perms = user.permissions
1772 1775 try:
1773 1776 user_perms = set([perms['user_groups'][self.user_group_name]])
1774 1777 except KeyError:
1775 1778 return False
1776 1779 if self.required_perms.issubset(user_perms):
1777 1780 return True
1778 1781 return False
1779 1782
1780 1783
1781 1784 # SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH
1782 1785 class HasPermissionAnyMiddleware(object):
1783 1786 def __init__(self, *perms):
1784 1787 self.required_perms = set(perms)
1785 1788
1786 1789 def __call__(self, user, repo_name):
1787 1790 # repo_name MUST be unicode, since we handle keys in permission
1788 1791 # dict by unicode
1789 1792 repo_name = safe_unicode(repo_name)
1790 1793 user = AuthUser(user.user_id)
1791 1794 log.debug(
1792 1795 'Checking VCS protocol permissions %s for user:%s repo:`%s`',
1793 1796 self.required_perms, user, repo_name)
1794 1797
1795 1798 if self.check_permissions(user, repo_name):
1796 1799 log.debug('Permission to repo:`%s` GRANTED for user:%s @ %s',
1797 1800 repo_name, user, 'PermissionMiddleware')
1798 1801 return True
1799 1802
1800 1803 else:
1801 1804 log.debug('Permission to repo:`%s` DENIED for user:%s @ %s',
1802 1805 repo_name, user, 'PermissionMiddleware')
1803 1806 return False
1804 1807
1805 1808 def check_permissions(self, user, repo_name):
1806 1809 perms = user.permissions_with_scope({'repo_name': repo_name})
1807 1810
1808 1811 try:
1809 1812 user_perms = set([perms['repositories'][repo_name]])
1810 1813 except Exception:
1811 1814 log.exception('Error while accessing user permissions')
1812 1815 return False
1813 1816
1814 1817 if self.required_perms.intersection(user_perms):
1815 1818 return True
1816 1819 return False
1817 1820
1818 1821
1819 1822 # SPECIAL VERSION TO HANDLE API AUTH
1820 1823 class _BaseApiPerm(object):
1821 1824 def __init__(self, *perms):
1822 1825 self.required_perms = set(perms)
1823 1826
1824 1827 def __call__(self, check_location=None, user=None, repo_name=None,
1825 1828 group_name=None, user_group_name=None):
1826 1829 cls_name = self.__class__.__name__
1827 1830 check_scope = 'global:%s' % (self.required_perms,)
1828 1831 if repo_name:
1829 1832 check_scope += ', repo_name:%s' % (repo_name,)
1830 1833
1831 1834 if group_name:
1832 1835 check_scope += ', repo_group_name:%s' % (group_name,)
1833 1836
1834 1837 if user_group_name:
1835 1838 check_scope += ', user_group_name:%s' % (user_group_name,)
1836 1839
1837 1840 log.debug(
1838 1841 'checking cls:%s %s %s @ %s'
1839 1842 % (cls_name, self.required_perms, check_scope, check_location))
1840 1843 if not user:
1841 1844 log.debug('Empty User passed into arguments')
1842 1845 return False
1843 1846
1844 1847 # process user
1845 1848 if not isinstance(user, AuthUser):
1846 1849 user = AuthUser(user.user_id)
1847 1850 if not check_location:
1848 1851 check_location = 'unspecified'
1849 1852 if self.check_permissions(user.permissions, repo_name, group_name,
1850 1853 user_group_name):
1851 1854 log.debug('Permission to repo:`%s` GRANTED for user:`%s` @ %s',
1852 1855 check_scope, user, check_location)
1853 1856 return True
1854 1857
1855 1858 else:
1856 1859 log.debug('Permission to repo:`%s` DENIED for user:`%s` @ %s',
1857 1860 check_scope, user, check_location)
1858 1861 return False
1859 1862
1860 1863 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
1861 1864 user_group_name=None):
1862 1865 """
1863 1866 implement in child class should return True if permissions are ok,
1864 1867 False otherwise
1865 1868
1866 1869 :param perm_defs: dict with permission definitions
1867 1870 :param repo_name: repo name
1868 1871 """
1869 1872 raise NotImplementedError()
1870 1873
1871 1874
1872 1875 class HasPermissionAllApi(_BaseApiPerm):
1873 1876 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
1874 1877 user_group_name=None):
1875 1878 if self.required_perms.issubset(perm_defs.get('global')):
1876 1879 return True
1877 1880 return False
1878 1881
1879 1882
1880 1883 class HasPermissionAnyApi(_BaseApiPerm):
1881 1884 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
1882 1885 user_group_name=None):
1883 1886 if self.required_perms.intersection(perm_defs.get('global')):
1884 1887 return True
1885 1888 return False
1886 1889
1887 1890
1888 1891 class HasRepoPermissionAllApi(_BaseApiPerm):
1889 1892 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
1890 1893 user_group_name=None):
1891 1894 try:
1892 1895 _user_perms = set([perm_defs['repositories'][repo_name]])
1893 1896 except KeyError:
1894 1897 log.warning(traceback.format_exc())
1895 1898 return False
1896 1899 if self.required_perms.issubset(_user_perms):
1897 1900 return True
1898 1901 return False
1899 1902
1900 1903
1901 1904 class HasRepoPermissionAnyApi(_BaseApiPerm):
1902 1905 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
1903 1906 user_group_name=None):
1904 1907 try:
1905 1908 _user_perms = set([perm_defs['repositories'][repo_name]])
1906 1909 except KeyError:
1907 1910 log.warning(traceback.format_exc())
1908 1911 return False
1909 1912 if self.required_perms.intersection(_user_perms):
1910 1913 return True
1911 1914 return False
1912 1915
1913 1916
1914 1917 class HasRepoGroupPermissionAnyApi(_BaseApiPerm):
1915 1918 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
1916 1919 user_group_name=None):
1917 1920 try:
1918 1921 _user_perms = set([perm_defs['repositories_groups'][group_name]])
1919 1922 except KeyError:
1920 1923 log.warning(traceback.format_exc())
1921 1924 return False
1922 1925 if self.required_perms.intersection(_user_perms):
1923 1926 return True
1924 1927 return False
1925 1928
1926 1929
1927 1930 class HasRepoGroupPermissionAllApi(_BaseApiPerm):
1928 1931 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
1929 1932 user_group_name=None):
1930 1933 try:
1931 1934 _user_perms = set([perm_defs['repositories_groups'][group_name]])
1932 1935 except KeyError:
1933 1936 log.warning(traceback.format_exc())
1934 1937 return False
1935 1938 if self.required_perms.issubset(_user_perms):
1936 1939 return True
1937 1940 return False
1938 1941
1939 1942
1940 1943 class HasUserGroupPermissionAnyApi(_BaseApiPerm):
1941 1944 def check_permissions(self, perm_defs, repo_name=None, group_name=None,
1942 1945 user_group_name=None):
1943 1946 try:
1944 1947 _user_perms = set([perm_defs['user_groups'][user_group_name]])
1945 1948 except KeyError:
1946 1949 log.warning(traceback.format_exc())
1947 1950 return False
1948 1951 if self.required_perms.intersection(_user_perms):
1949 1952 return True
1950 1953 return False
1951 1954
1952 1955
1953 1956 def check_ip_access(source_ip, allowed_ips=None):
1954 1957 """
1955 1958 Checks if source_ip is a subnet of any of allowed_ips.
1956 1959
1957 1960 :param source_ip:
1958 1961 :param allowed_ips: list of allowed ips together with mask
1959 1962 """
1960 1963 log.debug('checking if ip:%s is subnet of %s' % (source_ip, allowed_ips))
1961 1964 source_ip_address = ipaddress.ip_address(safe_unicode(source_ip))
1962 1965 if isinstance(allowed_ips, (tuple, list, set)):
1963 1966 for ip in allowed_ips:
1964 1967 ip = safe_unicode(ip)
1965 1968 try:
1966 1969 network_address = ipaddress.ip_network(ip, strict=False)
1967 1970 if source_ip_address in network_address:
1968 1971 log.debug('IP %s is network %s' %
1969 1972 (source_ip_address, network_address))
1970 1973 return True
1971 1974 # for any case we cannot determine the IP, don't crash just
1972 1975 # skip it and log as error, we want to say forbidden still when
1973 1976 # sending bad IP
1974 1977 except Exception:
1975 1978 log.error(traceback.format_exc())
1976 1979 continue
1977 1980 return False
1978 1981
1979 1982
1980 1983 def get_cython_compat_decorator(wrapper, func):
1981 1984 """
1982 1985 Creates a cython compatible decorator. The previously used
1983 1986 decorator.decorator() function seems to be incompatible with cython.
1984 1987
1985 1988 :param wrapper: __wrapper method of the decorator class
1986 1989 :param func: decorated function
1987 1990 """
1988 1991 @wraps(func)
1989 1992 def local_wrapper(*args, **kwds):
1990 1993 return wrapper(func, *args, **kwds)
1991 1994 local_wrapper.__wrapped__ = func
1992 1995 return local_wrapper
1993 1996
1994 1997
@@ -1,982 +1,997 b''
1 1 # -*- coding: utf-8 -*-
2 2
3 3 # Copyright (C) 2010-2017 RhodeCode GmbH
4 4 #
5 5 # This program is free software: you can redistribute it and/or modify
6 6 # it under the terms of the GNU Affero General Public License, version 3
7 7 # (only), as published by the Free Software Foundation.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU Affero General Public License
15 15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 16 #
17 17 # This program is dual-licensed. If you wish to learn more about the
18 18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20 20
21 21 """
22 22 Utilities library for RhodeCode
23 23 """
24 24
25 25 import datetime
26 26 import decorator
27 27 import json
28 28 import logging
29 29 import os
30 30 import re
31 31 import shutil
32 32 import tempfile
33 33 import traceback
34 34 import tarfile
35 35 import warnings
36 36 import hashlib
37 37 from os.path import join as jn
38 38
39 39 import paste
40 40 import pkg_resources
41 41 from paste.script.command import Command, BadCommand
42 42 from webhelpers.text import collapse, remove_formatting, strip_tags
43 43 from mako import exceptions
44 44 from pyramid.threadlocal import get_current_registry
45 45 from pyramid.request import Request
46 46
47 47 from rhodecode.lib.fakemod import create_module
48 48 from rhodecode.lib.vcs.backends.base import Config
49 49 from rhodecode.lib.vcs.exceptions import VCSError
50 50 from rhodecode.lib.vcs.utils.helpers import get_scm, get_scm_backend
51 51 from rhodecode.lib.utils2 import (
52 52 safe_str, safe_unicode, get_current_rhodecode_user, md5)
53 53 from rhodecode.model import meta
54 54 from rhodecode.model.db import (
55 55 Repository, User, RhodeCodeUi, UserLog, RepoGroup, UserGroup)
56 56 from rhodecode.model.meta import Session
57 57
58 58
59 59 log = logging.getLogger(__name__)
60 60
61 61 REMOVED_REPO_PAT = re.compile(r'rm__\d{8}_\d{6}_\d{6}__.*')
62 62
63 63 # String which contains characters that are not allowed in slug names for
64 64 # repositories or repository groups. It is properly escaped to use it in
65 65 # regular expressions.
66 66 SLUG_BAD_CHARS = re.escape('`?=[]\;\'"<>,/~!@#$%^&*()+{}|:')
67 67
68 68 # Regex that matches forbidden characters in repo/group slugs.
69 69 SLUG_BAD_CHAR_RE = re.compile('[{}]'.format(SLUG_BAD_CHARS))
70 70
71 71 # Regex that matches allowed characters in repo/group slugs.
72 72 SLUG_GOOD_CHAR_RE = re.compile('[^{}]'.format(SLUG_BAD_CHARS))
73 73
74 74 # Regex that matches whole repo/group slugs.
75 75 SLUG_RE = re.compile('[^{}]+'.format(SLUG_BAD_CHARS))
76 76
77 77 _license_cache = None
78 78
79 79
80 80 def repo_name_slug(value):
81 81 """
82 82 Return slug of name of repository
83 83 This function is called on each creation/modification
84 84 of repository to prevent bad names in repo
85 85 """
86 86 replacement_char = '-'
87 87
88 88 slug = remove_formatting(value)
89 89 slug = SLUG_BAD_CHAR_RE.sub('', slug)
90 90 slug = re.sub('[\s]+', '-', slug)
91 91 slug = collapse(slug, replacement_char)
92 92 return slug
93 93
94 94
95 95 #==============================================================================
96 96 # PERM DECORATOR HELPERS FOR EXTRACTING NAMES FOR PERM CHECKS
97 97 #==============================================================================
98 98 def get_repo_slug(request):
99 if isinstance(request, Request) and getattr(request, 'db_repo', None):
100 # pyramid
99 _repo = ''
100 if isinstance(request, Request):
101 if hasattr(request, 'db_repo'):
102 # if our requests has set db reference use it for name, this
103 # translates the example.com/_<id> into proper repo names
101 104 _repo = request.db_repo.repo_name
102 else:
105 elif getattr(request, 'matchdict', None):
106 # pyramid
107 _repo = request.matchdict.get('repo_name')
108
103 109 # TODO(marcink): remove after pylons migration...
110 if not _repo:
104 111 _repo = request.environ['pylons.routes_dict'].get('repo_name')
105 112
106 113 if _repo:
107 114 _repo = _repo.rstrip('/')
108 115 return _repo
109 116
110 117
111 118 def get_repo_group_slug(request):
112 if isinstance(request, Request) and getattr(request, 'matchdict', None):
119 _group = ''
120 if isinstance(request, Request):
121 if hasattr(request, 'db_repo_group'):
122 # if our requests has set db reference use it for name, this
123 # translates the example.com/_<id> into proper repo group names
124 _group = request.db_repo_group.group_name
125 elif getattr(request, 'matchdict', None):
113 126 # pyramid
114 127 _group = request.matchdict.get('repo_group_name')
115 else:
128
129 # TODO(marcink): remove after pylons migration...
130 if not _group:
116 131 _group = request.environ['pylons.routes_dict'].get('group_name')
117 132
118 133 if _group:
119 134 _group = _group.rstrip('/')
120 135 return _group
121 136
122 137
123 138 def get_user_group_slug(request):
124 139 if isinstance(request, Request) and getattr(request, 'matchdict', None):
125 140 # pyramid
126 141 _group = request.matchdict.get('user_group_id')
127 142 else:
128 143 _group = request.environ['pylons.routes_dict'].get('user_group_id')
129 144
130 145 try:
131 146 _group = UserGroup.get(_group)
132 147 if _group:
133 148 _group = _group.users_group_name
134 149 except Exception:
135 150 log.exception('Failed to get user group by id')
136 151 # catch all failures here
137 152 return None
138 153
139 154 return _group
140 155
141 156
142 157 def get_filesystem_repos(path, recursive=False, skip_removed_repos=True):
143 158 """
144 159 Scans given path for repos and return (name,(type,path)) tuple
145 160
146 161 :param path: path to scan for repositories
147 162 :param recursive: recursive search and return names with subdirs in front
148 163 """
149 164
150 165 # remove ending slash for better results
151 166 path = path.rstrip(os.sep)
152 167 log.debug('now scanning in %s location recursive:%s...', path, recursive)
153 168
154 169 def _get_repos(p):
155 170 dirpaths = _get_dirpaths(p)
156 171 if not _is_dir_writable(p):
157 172 log.warning('repo path without write access: %s', p)
158 173
159 174 for dirpath in dirpaths:
160 175 if os.path.isfile(os.path.join(p, dirpath)):
161 176 continue
162 177 cur_path = os.path.join(p, dirpath)
163 178
164 179 # skip removed repos
165 180 if skip_removed_repos and REMOVED_REPO_PAT.match(dirpath):
166 181 continue
167 182
168 183 #skip .<somethin> dirs
169 184 if dirpath.startswith('.'):
170 185 continue
171 186
172 187 try:
173 188 scm_info = get_scm(cur_path)
174 189 yield scm_info[1].split(path, 1)[-1].lstrip(os.sep), scm_info
175 190 except VCSError:
176 191 if not recursive:
177 192 continue
178 193 #check if this dir containts other repos for recursive scan
179 194 rec_path = os.path.join(p, dirpath)
180 195 if os.path.isdir(rec_path):
181 196 for inner_scm in _get_repos(rec_path):
182 197 yield inner_scm
183 198
184 199 return _get_repos(path)
185 200
186 201
187 202 def _get_dirpaths(p):
188 203 try:
189 204 # OS-independable way of checking if we have at least read-only
190 205 # access or not.
191 206 dirpaths = os.listdir(p)
192 207 except OSError:
193 208 log.warning('ignoring repo path without read access: %s', p)
194 209 return []
195 210
196 211 # os.listpath has a tweak: If a unicode is passed into it, then it tries to
197 212 # decode paths and suddenly returns unicode objects itself. The items it
198 213 # cannot decode are returned as strings and cause issues.
199 214 #
200 215 # Those paths are ignored here until a solid solution for path handling has
201 216 # been built.
202 217 expected_type = type(p)
203 218
204 219 def _has_correct_type(item):
205 220 if type(item) is not expected_type:
206 221 log.error(
207 222 u"Ignoring path %s since it cannot be decoded into unicode.",
208 223 # Using "repr" to make sure that we see the byte value in case
209 224 # of support.
210 225 repr(item))
211 226 return False
212 227 return True
213 228
214 229 dirpaths = [item for item in dirpaths if _has_correct_type(item)]
215 230
216 231 return dirpaths
217 232
218 233
219 234 def _is_dir_writable(path):
220 235 """
221 236 Probe if `path` is writable.
222 237
223 238 Due to trouble on Cygwin / Windows, this is actually probing if it is
224 239 possible to create a file inside of `path`, stat does not produce reliable
225 240 results in this case.
226 241 """
227 242 try:
228 243 with tempfile.TemporaryFile(dir=path):
229 244 pass
230 245 except OSError:
231 246 return False
232 247 return True
233 248
234 249
235 250 def is_valid_repo(repo_name, base_path, expect_scm=None, explicit_scm=None):
236 251 """
237 252 Returns True if given path is a valid repository False otherwise.
238 253 If expect_scm param is given also, compare if given scm is the same
239 254 as expected from scm parameter. If explicit_scm is given don't try to
240 255 detect the scm, just use the given one to check if repo is valid
241 256
242 257 :param repo_name:
243 258 :param base_path:
244 259 :param expect_scm:
245 260 :param explicit_scm:
246 261
247 262 :return True: if given path is a valid repository
248 263 """
249 264 full_path = os.path.join(safe_str(base_path), safe_str(repo_name))
250 265 log.debug('Checking if `%s` is a valid path for repository. '
251 266 'Explicit type: %s', repo_name, explicit_scm)
252 267
253 268 try:
254 269 if explicit_scm:
255 270 detected_scms = [get_scm_backend(explicit_scm)]
256 271 else:
257 272 detected_scms = get_scm(full_path)
258 273
259 274 if expect_scm:
260 275 return detected_scms[0] == expect_scm
261 276 log.debug('path: %s is an vcs object:%s', full_path, detected_scms)
262 277 return True
263 278 except VCSError:
264 279 log.debug('path: %s is not a valid repo !', full_path)
265 280 return False
266 281
267 282
268 283 def is_valid_repo_group(repo_group_name, base_path, skip_path_check=False):
269 284 """
270 285 Returns True if given path is a repository group, False otherwise
271 286
272 287 :param repo_name:
273 288 :param base_path:
274 289 """
275 290 full_path = os.path.join(safe_str(base_path), safe_str(repo_group_name))
276 291 log.debug('Checking if `%s` is a valid path for repository group',
277 292 repo_group_name)
278 293
279 294 # check if it's not a repo
280 295 if is_valid_repo(repo_group_name, base_path):
281 296 log.debug('Repo called %s exist, it is not a valid '
282 297 'repo group' % repo_group_name)
283 298 return False
284 299
285 300 try:
286 301 # we need to check bare git repos at higher level
287 302 # since we might match branches/hooks/info/objects or possible
288 303 # other things inside bare git repo
289 304 scm_ = get_scm(os.path.dirname(full_path))
290 305 log.debug('path: %s is a vcs object:%s, not valid '
291 306 'repo group' % (full_path, scm_))
292 307 return False
293 308 except VCSError:
294 309 pass
295 310
296 311 # check if it's a valid path
297 312 if skip_path_check or os.path.isdir(full_path):
298 313 log.debug('path: %s is a valid repo group !', full_path)
299 314 return True
300 315
301 316 log.debug('path: %s is not a valid repo group !', full_path)
302 317 return False
303 318
304 319
305 320 def ask_ok(prompt, retries=4, complaint='[y]es or [n]o please!'):
306 321 while True:
307 322 ok = raw_input(prompt)
308 323 if ok.lower() in ('y', 'ye', 'yes'):
309 324 return True
310 325 if ok.lower() in ('n', 'no', 'nop', 'nope'):
311 326 return False
312 327 retries = retries - 1
313 328 if retries < 0:
314 329 raise IOError
315 330 print(complaint)
316 331
317 332 # propagated from mercurial documentation
318 333 ui_sections = [
319 334 'alias', 'auth',
320 335 'decode/encode', 'defaults',
321 336 'diff', 'email',
322 337 'extensions', 'format',
323 338 'merge-patterns', 'merge-tools',
324 339 'hooks', 'http_proxy',
325 340 'smtp', 'patch',
326 341 'paths', 'profiling',
327 342 'server', 'trusted',
328 343 'ui', 'web', ]
329 344
330 345
331 346 def config_data_from_db(clear_session=True, repo=None):
332 347 """
333 348 Read the configuration data from the database and return configuration
334 349 tuples.
335 350 """
336 351 from rhodecode.model.settings import VcsSettingsModel
337 352
338 353 config = []
339 354
340 355 sa = meta.Session()
341 356 settings_model = VcsSettingsModel(repo=repo, sa=sa)
342 357
343 358 ui_settings = settings_model.get_ui_settings()
344 359
345 360 for setting in ui_settings:
346 361 if setting.active:
347 362 log.debug(
348 363 'settings ui from db: [%s] %s=%s',
349 364 setting.section, setting.key, setting.value)
350 365 config.append((
351 366 safe_str(setting.section), safe_str(setting.key),
352 367 safe_str(setting.value)))
353 368 if setting.key == 'push_ssl':
354 369 # force set push_ssl requirement to False, rhodecode
355 370 # handles that
356 371 config.append((
357 372 safe_str(setting.section), safe_str(setting.key), False))
358 373 if clear_session:
359 374 meta.Session.remove()
360 375
361 376 # TODO: mikhail: probably it makes no sense to re-read hooks information.
362 377 # It's already there and activated/deactivated
363 378 skip_entries = []
364 379 enabled_hook_classes = get_enabled_hook_classes(ui_settings)
365 380 if 'pull' not in enabled_hook_classes:
366 381 skip_entries.append(('hooks', RhodeCodeUi.HOOK_PRE_PULL))
367 382 if 'push' not in enabled_hook_classes:
368 383 skip_entries.append(('hooks', RhodeCodeUi.HOOK_PRE_PUSH))
369 384 skip_entries.append(('hooks', RhodeCodeUi.HOOK_PRETX_PUSH))
370 385 skip_entries.append(('hooks', RhodeCodeUi.HOOK_PUSH_KEY))
371 386
372 387 config = [entry for entry in config if entry[:2] not in skip_entries]
373 388
374 389 return config
375 390
376 391
377 392 def make_db_config(clear_session=True, repo=None):
378 393 """
379 394 Create a :class:`Config` instance based on the values in the database.
380 395 """
381 396 config = Config()
382 397 config_data = config_data_from_db(clear_session=clear_session, repo=repo)
383 398 for section, option, value in config_data:
384 399 config.set(section, option, value)
385 400 return config
386 401
387 402
388 403 def get_enabled_hook_classes(ui_settings):
389 404 """
390 405 Return the enabled hook classes.
391 406
392 407 :param ui_settings: List of ui_settings as returned
393 408 by :meth:`VcsSettingsModel.get_ui_settings`
394 409
395 410 :return: a list with the enabled hook classes. The order is not guaranteed.
396 411 :rtype: list
397 412 """
398 413 enabled_hooks = []
399 414 active_hook_keys = [
400 415 key for section, key, value, active in ui_settings
401 416 if section == 'hooks' and active]
402 417
403 418 hook_names = {
404 419 RhodeCodeUi.HOOK_PUSH: 'push',
405 420 RhodeCodeUi.HOOK_PULL: 'pull',
406 421 RhodeCodeUi.HOOK_REPO_SIZE: 'repo_size'
407 422 }
408 423
409 424 for key in active_hook_keys:
410 425 hook = hook_names.get(key)
411 426 if hook:
412 427 enabled_hooks.append(hook)
413 428
414 429 return enabled_hooks
415 430
416 431
417 432 def set_rhodecode_config(config):
418 433 """
419 434 Updates pylons config with new settings from database
420 435
421 436 :param config:
422 437 """
423 438 from rhodecode.model.settings import SettingsModel
424 439 app_settings = SettingsModel().get_all_settings()
425 440
426 441 for k, v in app_settings.items():
427 442 config[k] = v
428 443
429 444
430 445 def get_rhodecode_realm():
431 446 """
432 447 Return the rhodecode realm from database.
433 448 """
434 449 from rhodecode.model.settings import SettingsModel
435 450 realm = SettingsModel().get_setting_by_name('realm')
436 451 return safe_str(realm.app_settings_value)
437 452
438 453
439 454 def get_rhodecode_base_path():
440 455 """
441 456 Returns the base path. The base path is the filesystem path which points
442 457 to the repository store.
443 458 """
444 459 from rhodecode.model.settings import SettingsModel
445 460 paths_ui = SettingsModel().get_ui_by_section_and_key('paths', '/')
446 461 return safe_str(paths_ui.ui_value)
447 462
448 463
449 464 def map_groups(path):
450 465 """
451 466 Given a full path to a repository, create all nested groups that this
452 467 repo is inside. This function creates parent-child relationships between
453 468 groups and creates default perms for all new groups.
454 469
455 470 :param paths: full path to repository
456 471 """
457 472 from rhodecode.model.repo_group import RepoGroupModel
458 473 sa = meta.Session()
459 474 groups = path.split(Repository.NAME_SEP)
460 475 parent = None
461 476 group = None
462 477
463 478 # last element is repo in nested groups structure
464 479 groups = groups[:-1]
465 480 rgm = RepoGroupModel(sa)
466 481 owner = User.get_first_super_admin()
467 482 for lvl, group_name in enumerate(groups):
468 483 group_name = '/'.join(groups[:lvl] + [group_name])
469 484 group = RepoGroup.get_by_group_name(group_name)
470 485 desc = '%s group' % group_name
471 486
472 487 # skip folders that are now removed repos
473 488 if REMOVED_REPO_PAT.match(group_name):
474 489 break
475 490
476 491 if group is None:
477 492 log.debug('creating group level: %s group_name: %s',
478 493 lvl, group_name)
479 494 group = RepoGroup(group_name, parent)
480 495 group.group_description = desc
481 496 group.user = owner
482 497 sa.add(group)
483 498 perm_obj = rgm._create_default_perms(group)
484 499 sa.add(perm_obj)
485 500 sa.flush()
486 501
487 502 parent = group
488 503 return group
489 504
490 505
491 506 def repo2db_mapper(initial_repo_list, remove_obsolete=False):
492 507 """
493 508 maps all repos given in initial_repo_list, non existing repositories
494 509 are created, if remove_obsolete is True it also checks for db entries
495 510 that are not in initial_repo_list and removes them.
496 511
497 512 :param initial_repo_list: list of repositories found by scanning methods
498 513 :param remove_obsolete: check for obsolete entries in database
499 514 """
500 515 from rhodecode.model.repo import RepoModel
501 516 from rhodecode.model.scm import ScmModel
502 517 from rhodecode.model.repo_group import RepoGroupModel
503 518 from rhodecode.model.settings import SettingsModel
504 519
505 520 sa = meta.Session()
506 521 repo_model = RepoModel()
507 522 user = User.get_first_super_admin()
508 523 added = []
509 524
510 525 # creation defaults
511 526 defs = SettingsModel().get_default_repo_settings(strip_prefix=True)
512 527 enable_statistics = defs.get('repo_enable_statistics')
513 528 enable_locking = defs.get('repo_enable_locking')
514 529 enable_downloads = defs.get('repo_enable_downloads')
515 530 private = defs.get('repo_private')
516 531
517 532 for name, repo in initial_repo_list.items():
518 533 group = map_groups(name)
519 534 unicode_name = safe_unicode(name)
520 535 db_repo = repo_model.get_by_repo_name(unicode_name)
521 536 # found repo that is on filesystem not in RhodeCode database
522 537 if not db_repo:
523 538 log.info('repository %s not found, creating now', name)
524 539 added.append(name)
525 540 desc = (repo.description
526 541 if repo.description != 'unknown'
527 542 else '%s repository' % name)
528 543
529 544 db_repo = repo_model._create_repo(
530 545 repo_name=name,
531 546 repo_type=repo.alias,
532 547 description=desc,
533 548 repo_group=getattr(group, 'group_id', None),
534 549 owner=user,
535 550 enable_locking=enable_locking,
536 551 enable_downloads=enable_downloads,
537 552 enable_statistics=enable_statistics,
538 553 private=private,
539 554 state=Repository.STATE_CREATED
540 555 )
541 556 sa.commit()
542 557 # we added that repo just now, and make sure we updated server info
543 558 if db_repo.repo_type == 'git':
544 559 git_repo = db_repo.scm_instance()
545 560 # update repository server-info
546 561 log.debug('Running update server info')
547 562 git_repo._update_server_info()
548 563
549 564 db_repo.update_commit_cache()
550 565
551 566 config = db_repo._config
552 567 config.set('extensions', 'largefiles', '')
553 568 ScmModel().install_hooks(
554 569 db_repo.scm_instance(config=config),
555 570 repo_type=db_repo.repo_type)
556 571
557 572 removed = []
558 573 if remove_obsolete:
559 574 # remove from database those repositories that are not in the filesystem
560 575 for repo in sa.query(Repository).all():
561 576 if repo.repo_name not in initial_repo_list.keys():
562 577 log.debug("Removing non-existing repository found in db `%s`",
563 578 repo.repo_name)
564 579 try:
565 580 RepoModel(sa).delete(repo, forks='detach', fs_remove=False)
566 581 sa.commit()
567 582 removed.append(repo.repo_name)
568 583 except Exception:
569 584 # don't hold further removals on error
570 585 log.error(traceback.format_exc())
571 586 sa.rollback()
572 587
573 588 def splitter(full_repo_name):
574 589 _parts = full_repo_name.rsplit(RepoGroup.url_sep(), 1)
575 590 gr_name = None
576 591 if len(_parts) == 2:
577 592 gr_name = _parts[0]
578 593 return gr_name
579 594
580 595 initial_repo_group_list = [splitter(x) for x in
581 596 initial_repo_list.keys() if splitter(x)]
582 597
583 598 # remove from database those repository groups that are not in the
584 599 # filesystem due to parent child relationships we need to delete them
585 600 # in a specific order of most nested first
586 601 all_groups = [x.group_name for x in sa.query(RepoGroup).all()]
587 602 nested_sort = lambda gr: len(gr.split('/'))
588 603 for group_name in sorted(all_groups, key=nested_sort, reverse=True):
589 604 if group_name not in initial_repo_group_list:
590 605 repo_group = RepoGroup.get_by_group_name(group_name)
591 606 if (repo_group.children.all() or
592 607 not RepoGroupModel().check_exist_filesystem(
593 608 group_name=group_name, exc_on_failure=False)):
594 609 continue
595 610
596 611 log.info(
597 612 'Removing non-existing repository group found in db `%s`',
598 613 group_name)
599 614 try:
600 615 RepoGroupModel(sa).delete(group_name, fs_remove=False)
601 616 sa.commit()
602 617 removed.append(group_name)
603 618 except Exception:
604 619 # don't hold further removals on error
605 620 log.exception(
606 621 'Unable to remove repository group `%s`',
607 622 group_name)
608 623 sa.rollback()
609 624 raise
610 625
611 626 return added, removed
612 627
613 628
614 629 def get_default_cache_settings(settings):
615 630 cache_settings = {}
616 631 for key in settings.keys():
617 632 for prefix in ['beaker.cache.', 'cache.']:
618 633 if key.startswith(prefix):
619 634 name = key.split(prefix)[1].strip()
620 635 cache_settings[name] = settings[key].strip()
621 636 return cache_settings
622 637
623 638
624 639 # set cache regions for beaker so celery can utilise it
625 640 def add_cache(settings):
626 641 from rhodecode.lib import caches
627 642 cache_settings = {'regions': None}
628 643 # main cache settings used as default ...
629 644 cache_settings.update(get_default_cache_settings(settings))
630 645
631 646 if cache_settings['regions']:
632 647 for region in cache_settings['regions'].split(','):
633 648 region = region.strip()
634 649 region_settings = {}
635 650 for key, value in cache_settings.items():
636 651 if key.startswith(region):
637 652 region_settings[key.split('.')[1]] = value
638 653
639 654 caches.configure_cache_region(
640 655 region, region_settings, cache_settings)
641 656
642 657
643 658 def load_rcextensions(root_path):
644 659 import rhodecode
645 660 from rhodecode.config import conf
646 661
647 662 path = os.path.join(root_path, 'rcextensions', '__init__.py')
648 663 if os.path.isfile(path):
649 664 rcext = create_module('rc', path)
650 665 EXT = rhodecode.EXTENSIONS = rcext
651 666 log.debug('Found rcextensions now loading %s...', rcext)
652 667
653 668 # Additional mappings that are not present in the pygments lexers
654 669 conf.LANGUAGES_EXTENSIONS_MAP.update(getattr(EXT, 'EXTRA_MAPPINGS', {}))
655 670
656 671 # auto check if the module is not missing any data, set to default if is
657 672 # this will help autoupdate new feature of rcext module
658 673 #from rhodecode.config import rcextensions
659 674 #for k in dir(rcextensions):
660 675 # if not k.startswith('_') and not hasattr(EXT, k):
661 676 # setattr(EXT, k, getattr(rcextensions, k))
662 677
663 678
664 679 def get_custom_lexer(extension):
665 680 """
666 681 returns a custom lexer if it is defined in rcextensions module, or None
667 682 if there's no custom lexer defined
668 683 """
669 684 import rhodecode
670 685 from pygments import lexers
671 686
672 687 # custom override made by RhodeCode
673 688 if extension in ['mako']:
674 689 return lexers.get_lexer_by_name('html+mako')
675 690
676 691 # check if we didn't define this extension as other lexer
677 692 extensions = rhodecode.EXTENSIONS and getattr(rhodecode.EXTENSIONS, 'EXTRA_LEXERS', None)
678 693 if extensions and extension in rhodecode.EXTENSIONS.EXTRA_LEXERS:
679 694 _lexer_name = rhodecode.EXTENSIONS.EXTRA_LEXERS[extension]
680 695 return lexers.get_lexer_by_name(_lexer_name)
681 696
682 697
683 698 #==============================================================================
684 699 # TEST FUNCTIONS AND CREATORS
685 700 #==============================================================================
686 701 def create_test_index(repo_location, config):
687 702 """
688 703 Makes default test index.
689 704 """
690 705 import rc_testdata
691 706
692 707 rc_testdata.extract_search_index(
693 708 'vcs_search_index', os.path.dirname(config['search.location']))
694 709
695 710
696 711 def create_test_directory(test_path):
697 712 """
698 713 Create test directory if it doesn't exist.
699 714 """
700 715 if not os.path.isdir(test_path):
701 716 log.debug('Creating testdir %s', test_path)
702 717 os.makedirs(test_path)
703 718
704 719
705 720 def create_test_database(test_path, config):
706 721 """
707 722 Makes a fresh database.
708 723 """
709 724 from rhodecode.lib.db_manage import DbManage
710 725
711 726 # PART ONE create db
712 727 dbconf = config['sqlalchemy.db1.url']
713 728 log.debug('making test db %s', dbconf)
714 729
715 730 dbmanage = DbManage(log_sql=False, dbconf=dbconf, root=config['here'],
716 731 tests=True, cli_args={'force_ask': True})
717 732 dbmanage.create_tables(override=True)
718 733 dbmanage.set_db_version()
719 734 # for tests dynamically set new root paths based on generated content
720 735 dbmanage.create_settings(dbmanage.config_prompt(test_path))
721 736 dbmanage.create_default_user()
722 737 dbmanage.create_test_admin_and_users()
723 738 dbmanage.create_permissions()
724 739 dbmanage.populate_default_permissions()
725 740 Session().commit()
726 741
727 742
728 743 def create_test_repositories(test_path, config):
729 744 """
730 745 Creates test repositories in the temporary directory. Repositories are
731 746 extracted from archives within the rc_testdata package.
732 747 """
733 748 import rc_testdata
734 749 from rhodecode.tests import HG_REPO, GIT_REPO, SVN_REPO
735 750
736 751 log.debug('making test vcs repositories')
737 752
738 753 idx_path = config['search.location']
739 754 data_path = config['cache_dir']
740 755
741 756 # clean index and data
742 757 if idx_path and os.path.exists(idx_path):
743 758 log.debug('remove %s', idx_path)
744 759 shutil.rmtree(idx_path)
745 760
746 761 if data_path and os.path.exists(data_path):
747 762 log.debug('remove %s', data_path)
748 763 shutil.rmtree(data_path)
749 764
750 765 rc_testdata.extract_hg_dump('vcs_test_hg', jn(test_path, HG_REPO))
751 766 rc_testdata.extract_git_dump('vcs_test_git', jn(test_path, GIT_REPO))
752 767
753 768 # Note: Subversion is in the process of being integrated with the system,
754 769 # until we have a properly packed version of the test svn repository, this
755 770 # tries to copy over the repo from a package "rc_testdata"
756 771 svn_repo_path = rc_testdata.get_svn_repo_archive()
757 772 with tarfile.open(svn_repo_path) as tar:
758 773 tar.extractall(jn(test_path, SVN_REPO))
759 774
760 775
761 776 #==============================================================================
762 777 # PASTER COMMANDS
763 778 #==============================================================================
764 779 class BasePasterCommand(Command):
765 780 """
766 781 Abstract Base Class for paster commands.
767 782
768 783 The celery commands are somewhat aggressive about loading
769 784 celery.conf, and since our module sets the `CELERY_LOADER`
770 785 environment variable to our loader, we have to bootstrap a bit and
771 786 make sure we've had a chance to load the pylons config off of the
772 787 command line, otherwise everything fails.
773 788 """
774 789 min_args = 1
775 790 min_args_error = "Please provide a paster config file as an argument."
776 791 takes_config_file = 1
777 792 requires_config_file = True
778 793
779 794 def notify_msg(self, msg, log=False):
780 795 """Make a notification to user, additionally if logger is passed
781 796 it logs this action using given logger
782 797
783 798 :param msg: message that will be printed to user
784 799 :param log: logging instance, to use to additionally log this message
785 800
786 801 """
787 802 if log and isinstance(log, logging):
788 803 log(msg)
789 804
790 805 def run(self, args):
791 806 """
792 807 Overrides Command.run
793 808
794 809 Checks for a config file argument and loads it.
795 810 """
796 811 if len(args) < self.min_args:
797 812 raise BadCommand(
798 813 self.min_args_error % {'min_args': self.min_args,
799 814 'actual_args': len(args)})
800 815
801 816 # Decrement because we're going to lob off the first argument.
802 817 # @@ This is hacky
803 818 self.min_args -= 1
804 819 self.bootstrap_config(args[0])
805 820 self.update_parser()
806 821 return super(BasePasterCommand, self).run(args[1:])
807 822
808 823 def update_parser(self):
809 824 """
810 825 Abstract method. Allows for the class' parser to be updated
811 826 before the superclass' `run` method is called. Necessary to
812 827 allow options/arguments to be passed through to the underlying
813 828 celery command.
814 829 """
815 830 raise NotImplementedError("Abstract Method.")
816 831
817 832 def bootstrap_config(self, conf):
818 833 """
819 834 Loads the pylons configuration.
820 835 """
821 836 from pylons import config as pylonsconfig
822 837
823 838 self.path_to_ini_file = os.path.realpath(conf)
824 839 conf = paste.deploy.appconfig('config:' + self.path_to_ini_file)
825 840 pylonsconfig.init_app(conf.global_conf, conf.local_conf)
826 841
827 842 def _init_session(self):
828 843 """
829 844 Inits SqlAlchemy Session
830 845 """
831 846 logging.config.fileConfig(self.path_to_ini_file)
832 847 from pylons import config
833 848 from rhodecode.config.utils import initialize_database
834 849
835 850 # get to remove repos !!
836 851 add_cache(config)
837 852 initialize_database(config)
838 853
839 854
840 855 @decorator.decorator
841 856 def jsonify(func, *args, **kwargs):
842 857 """Action decorator that formats output for JSON
843 858
844 859 Given a function that will return content, this decorator will turn
845 860 the result into JSON, with a content-type of 'application/json' and
846 861 output it.
847 862
848 863 """
849 864 from pylons.decorators.util import get_pylons
850 865 from rhodecode.lib.ext_json import json
851 866 pylons = get_pylons(args)
852 867 pylons.response.headers['Content-Type'] = 'application/json; charset=utf-8'
853 868 data = func(*args, **kwargs)
854 869 if isinstance(data, (list, tuple)):
855 870 msg = "JSON responses with Array envelopes are susceptible to " \
856 871 "cross-site data leak attacks, see " \
857 872 "http://wiki.pylonshq.com/display/pylonsfaq/Warnings"
858 873 warnings.warn(msg, Warning, 2)
859 874 log.warning(msg)
860 875 log.debug("Returning JSON wrapped action output")
861 876 return json.dumps(data, encoding='utf-8')
862 877
863 878
864 879 class PartialRenderer(object):
865 880 """
866 881 Partial renderer used to render chunks of html used in datagrids
867 882 use like::
868 883
869 884 _render = PartialRenderer('data_table/_dt_elements.mako')
870 885 _render('quick_menu', args, kwargs)
871 886 PartialRenderer.h,
872 887 c,
873 888 _,
874 889 ungettext
875 890 are the template stuff initialized inside and can be re-used later
876 891
877 892 :param tmpl_name: template path relate to /templates/ dir
878 893 """
879 894
880 895 def __init__(self, tmpl_name):
881 896 import rhodecode
882 897 from pylons import request, tmpl_context as c
883 898 from pylons.i18n.translation import _, ungettext
884 899 from rhodecode.lib import helpers as h
885 900
886 901 self.tmpl_name = tmpl_name
887 902 self.rhodecode = rhodecode
888 903 self.c = c
889 904 self._ = _
890 905 self.ungettext = ungettext
891 906 self.h = h
892 907 self.request = request
893 908
894 909 def _mako_lookup(self):
895 910 _tmpl_lookup = self.rhodecode.CONFIG['pylons.app_globals'].mako_lookup
896 911 return _tmpl_lookup.get_template(self.tmpl_name)
897 912
898 913 def _update_kwargs_for_render(self, kwargs):
899 914 """
900 915 Inject params required for Mako rendering
901 916 """
902 917 _kwargs = {
903 918 '_': self._,
904 919 'h': self.h,
905 920 'c': self.c,
906 921 'request': self.request,
907 922 '_ungettext': self.ungettext,
908 923 }
909 924 _kwargs.update(kwargs)
910 925 return _kwargs
911 926
912 927 def _render_with_exc(self, render_func, args, kwargs):
913 928 try:
914 929 return render_func.render(*args, **kwargs)
915 930 except:
916 931 log.error(exceptions.text_error_template().render())
917 932 raise
918 933
919 934 def _get_template(self, template_obj, def_name):
920 935 if def_name:
921 936 tmpl = template_obj.get_def(def_name)
922 937 else:
923 938 tmpl = template_obj
924 939 return tmpl
925 940
926 941 def render(self, def_name, *args, **kwargs):
927 942 lookup_obj = self._mako_lookup()
928 943 tmpl = self._get_template(lookup_obj, def_name=def_name)
929 944 kwargs = self._update_kwargs_for_render(kwargs)
930 945 return self._render_with_exc(tmpl, args, kwargs)
931 946
932 947 def __call__(self, tmpl, *args, **kwargs):
933 948 return self.render(tmpl, *args, **kwargs)
934 949
935 950
936 951 def password_changed(auth_user, session):
937 952 # Never report password change in case of default user or anonymous user.
938 953 if auth_user.username == User.DEFAULT_USER or auth_user.user_id is None:
939 954 return False
940 955
941 956 password_hash = md5(auth_user.password) if auth_user.password else None
942 957 rhodecode_user = session.get('rhodecode_user', {})
943 958 session_password_hash = rhodecode_user.get('password', '')
944 959 return password_hash != session_password_hash
945 960
946 961
947 962 def read_opensource_licenses():
948 963 global _license_cache
949 964
950 965 if not _license_cache:
951 966 licenses = pkg_resources.resource_string(
952 967 'rhodecode', 'config/licenses.json')
953 968 _license_cache = json.loads(licenses)
954 969
955 970 return _license_cache
956 971
957 972
958 973 def get_registry(request):
959 974 """
960 975 Utility to get the pyramid registry from a request. During migration to
961 976 pyramid we sometimes want to use the pyramid registry from pylons context.
962 977 Therefore this utility returns `request.registry` for pyramid requests and
963 978 uses `get_current_registry()` for pylons requests.
964 979 """
965 980 try:
966 981 return request.registry
967 982 except AttributeError:
968 983 return get_current_registry()
969 984
970 985
971 986 def generate_platform_uuid():
972 987 """
973 988 Generates platform UUID based on it's name
974 989 """
975 990 import platform
976 991
977 992 try:
978 993 uuid_list = [platform.platform()]
979 994 return hashlib.sha256(':'.join(uuid_list)).hexdigest()
980 995 except Exception as e:
981 996 log.error('Failed to generate host uuid: %s' % e)
982 997 return 'UNDEFINED'
General Comments 0
You need to be logged in to leave comments. Login now