##// END OF EJS Templates
Issue #5536 - ability to disable server-side SSH key generation...
csalgau -
r3478:6cd9b768 default
parent child Browse files
Show More
@@ -1,725 +1,729 b''
1 1
2 2
3 3 ################################################################################
4 4 ## RHODECODE COMMUNITY EDITION CONFIGURATION ##
5 5 ################################################################################
6 6
7 7 [DEFAULT]
8 8 ## Debug flag sets all loggers to debug, and enables request tracking
9 9 debug = true
10 10
11 11 ################################################################################
12 12 ## EMAIL CONFIGURATION ##
13 13 ## Uncomment and replace with the email address which should receive ##
14 14 ## any error reports after an application crash ##
15 15 ## Additionally these settings will be used by the RhodeCode mailing system ##
16 16 ################################################################################
17 17
18 18 ## prefix all emails subjects with given prefix, helps filtering out emails
19 19 #email_prefix = [RhodeCode]
20 20
21 21 ## email FROM address all mails will be sent
22 22 #app_email_from = rhodecode-noreply@localhost
23 23
24 24 #smtp_server = mail.server.com
25 25 #smtp_username =
26 26 #smtp_password =
27 27 #smtp_port =
28 28 #smtp_use_tls = false
29 29 #smtp_use_ssl = true
30 30
31 31 [server:main]
32 32 ## COMMON ##
33 33 host = 127.0.0.1
34 34 port = 5000
35 35
36 36 ###########################################################
37 37 ## WAITRESS WSGI SERVER - Recommended for Development ####
38 38 ###########################################################
39 39
40 40 use = egg:waitress#main
41 41 ## number of worker threads
42 42 threads = 5
43 43 ## MAX BODY SIZE 100GB
44 44 max_request_body_size = 107374182400
45 45 ## Use poll instead of select, fixes file descriptors limits problems.
46 46 ## May not work on old windows systems.
47 47 asyncore_use_poll = true
48 48
49 49
50 50 ##########################
51 51 ## GUNICORN WSGI SERVER ##
52 52 ##########################
53 53 ## run with gunicorn --log-config rhodecode.ini --paste rhodecode.ini
54 54
55 55 #use = egg:gunicorn#main
56 56 ## Sets the number of process workers. More workers means more concurent connections
57 57 ## RhodeCode can handle at the same time. Each additional worker also it increases
58 58 ## memory usage as each has it's own set of caches.
59 59 ## Recommended value is (2 * NUMBER_OF_CPUS + 1), eg 2CPU = 5 workers, but no more
60 60 ## than 8-10 unless for really big deployments .e.g 700-1000 users.
61 61 ## `instance_id = *` must be set in the [app:main] section below (which is the default)
62 62 ## when using more than 1 worker.
63 63 #workers = 2
64 64 ## process name visible in process list
65 65 #proc_name = rhodecode
66 66 ## type of worker class, one of sync, gevent
67 67 ## recommended for bigger setup is using of of other than sync one
68 68 #worker_class = gevent
69 69 ## The maximum number of simultaneous clients. Valid only for Gevent
70 70 #worker_connections = 10
71 71 ## max number of requests that worker will handle before being gracefully
72 72 ## restarted, could prevent memory leaks
73 73 #max_requests = 1000
74 74 #max_requests_jitter = 30
75 75 ## amount of time a worker can spend with handling a request before it
76 76 ## gets killed and restarted. Set to 6hrs
77 77 #timeout = 21600
78 78
79 79
80 80 ## prefix middleware for RhodeCode.
81 81 ## recommended when using proxy setup.
82 82 ## allows to set RhodeCode under a prefix in server.
83 83 ## eg https://server.com/custom_prefix. Enable `filter-with =` option below as well.
84 84 ## And set your prefix like: `prefix = /custom_prefix`
85 85 ## be sure to also set beaker.session.cookie_path = /custom_prefix if you need
86 86 ## to make your cookies only work on prefix url
87 87 [filter:proxy-prefix]
88 88 use = egg:PasteDeploy#prefix
89 89 prefix = /
90 90
91 91 [app:main]
92 92 ## The %(here)s variable will be replaced with the absolute path of parent directory
93 93 ## of this file
94 94 ## In addition ENVIRONMENT variables usage is possible, e.g
95 95 ## sqlalchemy.db1.url = {ENV_RC_DB_URL}
96 96
97 97 use = egg:rhodecode-enterprise-ce
98 98
99 99 ## enable proxy prefix middleware, defined above
100 100 #filter-with = proxy-prefix
101 101
102 102 # During development the we want to have the debug toolbar enabled
103 103 pyramid.includes =
104 104 pyramid_debugtoolbar
105 105 rhodecode.lib.middleware.request_wrapper
106 106
107 107 pyramid.reload_templates = true
108 108
109 109 debugtoolbar.hosts = 0.0.0.0/0
110 110 debugtoolbar.exclude_prefixes =
111 111 /css
112 112 /fonts
113 113 /images
114 114 /js
115 115
116 116 ## RHODECODE PLUGINS ##
117 117 rhodecode.includes =
118 118 rhodecode.api
119 119
120 120
121 121 # api prefix url
122 122 rhodecode.api.url = /_admin/api
123 123
124 124
125 125 ## END RHODECODE PLUGINS ##
126 126
127 127 ## encryption key used to encrypt social plugin tokens,
128 128 ## remote_urls with credentials etc, if not set it defaults to
129 129 ## `beaker.session.secret`
130 130 #rhodecode.encrypted_values.secret =
131 131
132 132 ## decryption strict mode (enabled by default). It controls if decryption raises
133 133 ## `SignatureVerificationError` in case of wrong key, or damaged encryption data.
134 134 #rhodecode.encrypted_values.strict = false
135 135
136 136 ## return gzipped responses from Rhodecode (static files/application)
137 137 gzip_responses = false
138 138
139 139 ## autogenerate javascript routes file on startup
140 140 generate_js_files = false
141 141
142 142 ## System global default language.
143 143 ## All available languages: en(default), be, de, es, fr, it, ja, pl, pt, ru, zh
144 144 lang = en
145 145
146 146 ## Perform a full repository scan and import on each server start.
147 147 ## Settings this to true could lead to very long startup time.
148 148 startup.import_repos = false
149 149
150 150 ## Uncomment and set this path to use archive download cache.
151 151 ## Once enabled, generated archives will be cached at this location
152 152 ## and served from the cache during subsequent requests for the same archive of
153 153 ## the repository.
154 154 #archive_cache_dir = /tmp/tarballcache
155 155
156 156 ## URL at which the application is running. This is used for bootstraping
157 157 ## requests in context when no web request is available. Used in ishell, or
158 158 ## SSH calls. Set this for events to receive proper url for SSH calls.
159 159 app.base_url = http://rhodecode.local
160 160
161 161 ## Unique application ID. Should be a random unique string for security.
162 162 app_instance_uuid = rc-production
163 163
164 164 ## Cut off limit for large diffs (size in bytes). If overall diff size on
165 165 ## commit, or pull request exceeds this limit this diff will be displayed
166 166 ## partially. E.g 512000 == 512Kb
167 167 cut_off_limit_diff = 512000
168 168
169 169 ## Cut off limit for large files inside diffs (size in bytes). Each individual
170 170 ## file inside diff which exceeds this limit will be displayed partially.
171 171 ## E.g 128000 == 128Kb
172 172 cut_off_limit_file = 128000
173 173
174 174 ## use cached version of vcs repositories everywhere. Recommended to be `true`
175 175 vcs_full_cache = true
176 176
177 177 ## Force https in RhodeCode, fixes https redirects, assumes it's always https.
178 178 ## Normally this is controlled by proper http flags sent from http server
179 179 force_https = false
180 180
181 181 ## use Strict-Transport-Security headers
182 182 use_htsts = false
183 183
184 184 ## git rev filter option, --all is the default filter, if you need to
185 185 ## hide all refs in changelog switch this to --branches --tags
186 186 git_rev_filter = --branches --tags
187 187
188 188 # Set to true if your repos are exposed using the dumb protocol
189 189 git_update_server_info = false
190 190
191 191 ## RSS/ATOM feed options
192 192 rss_cut_off_limit = 256000
193 193 rss_items_per_page = 10
194 194 rss_include_diff = false
195 195
196 196 ## gist URL alias, used to create nicer urls for gist. This should be an
197 197 ## url that does rewrites to _admin/gists/{gistid}.
198 198 ## example: http://gist.rhodecode.org/{gistid}. Empty means use the internal
199 199 ## RhodeCode url, ie. http[s]://rhodecode.server/_admin/gists/{gistid}
200 200 gist_alias_url =
201 201
202 202 ## List of views (using glob pattern syntax) that AUTH TOKENS could be
203 203 ## used for access.
204 204 ## Adding ?auth_token=TOKEN_HASH to the url authenticates this request as if it
205 205 ## came from the the logged in user who own this authentication token.
206 206 ## Additionally @TOKEN syntaxt can be used to bound the view to specific
207 207 ## authentication token. Such view would be only accessible when used together
208 208 ## with this authentication token
209 209 ##
210 210 ## list of all views can be found under `/_admin/permissions/auth_token_access`
211 211 ## The list should be "," separated and on a single line.
212 212 ##
213 213 ## Most common views to enable:
214 214 # RepoCommitsView:repo_commit_download
215 215 # RepoCommitsView:repo_commit_patch
216 216 # RepoCommitsView:repo_commit_raw
217 217 # RepoCommitsView:repo_commit_raw@TOKEN
218 218 # RepoFilesView:repo_files_diff
219 219 # RepoFilesView:repo_archivefile
220 220 # RepoFilesView:repo_file_raw
221 221 # GistView:*
222 222 api_access_controllers_whitelist =
223 223
224 224 ## Default encoding used to convert from and to unicode
225 225 ## can be also a comma separated list of encoding in case of mixed encodings
226 226 default_encoding = UTF-8
227 227
228 228 ## instance-id prefix
229 229 ## a prefix key for this instance used for cache invalidation when running
230 230 ## multiple instances of rhodecode, make sure it's globally unique for
231 231 ## all running rhodecode instances. Leave empty if you don't use it
232 232 instance_id =
233 233
234 234 ## Fallback authentication plugin. Set this to a plugin ID to force the usage
235 235 ## of an authentication plugin also if it is disabled by it's settings.
236 236 ## This could be useful if you are unable to log in to the system due to broken
237 237 ## authentication settings. Then you can enable e.g. the internal rhodecode auth
238 238 ## module to log in again and fix the settings.
239 239 ##
240 240 ## Available builtin plugin IDs (hash is part of the ID):
241 241 ## egg:rhodecode-enterprise-ce#rhodecode
242 242 ## egg:rhodecode-enterprise-ce#pam
243 243 ## egg:rhodecode-enterprise-ce#ldap
244 244 ## egg:rhodecode-enterprise-ce#jasig_cas
245 245 ## egg:rhodecode-enterprise-ce#headers
246 246 ## egg:rhodecode-enterprise-ce#crowd
247 247 #rhodecode.auth_plugin_fallback = egg:rhodecode-enterprise-ce#rhodecode
248 248
249 249 ## alternative return HTTP header for failed authentication. Default HTTP
250 250 ## response is 401 HTTPUnauthorized. Currently HG clients have troubles with
251 251 ## handling that causing a series of failed authentication calls.
252 252 ## Set this variable to 403 to return HTTPForbidden, or any other HTTP code
253 253 ## This will be served instead of default 401 on bad authnetication
254 254 auth_ret_code =
255 255
256 256 ## use special detection method when serving auth_ret_code, instead of serving
257 257 ## ret_code directly, use 401 initially (Which triggers credentials prompt)
258 258 ## and then serve auth_ret_code to clients
259 259 auth_ret_code_detection = false
260 260
261 261 ## locking return code. When repository is locked return this HTTP code. 2XX
262 262 ## codes don't break the transactions while 4XX codes do
263 263 lock_ret_code = 423
264 264
265 265 ## allows to change the repository location in settings page
266 266 allow_repo_location_change = true
267 267
268 268 ## allows to setup custom hooks in settings page
269 269 allow_custom_hooks_settings = true
270 270
271 271 ## Generated license token required for EE edition license.
272 272 ## New generated token value can be found in Admin > settings > license page.
273 273 license_token =
274 274
275 275 ## supervisor connection uri, for managing supervisor and logs.
276 276 supervisor.uri =
277 277 ## supervisord group name/id we only want this RC instance to handle
278 278 supervisor.group_id = dev
279 279
280 280 ## Display extended labs settings
281 281 labs_settings_active = true
282 282
283 283 ## Custom exception store path, defaults to TMPDIR
284 284 ## This is used to store exception from RhodeCode in shared directory
285 285 #exception_tracker.store_path =
286 286
287 287 ## File store configuration. This is used to store and serve uploaded files
288 288 file_store.enabled = true
289 289 ## backend, only available one is local
290 290 file_store.backend = local
291 291 ## path to store the uploaded binaries
292 292 file_store.storage_path = %(here)s/data/file_store
293 293
294 294
295 295 ####################################
296 296 ### CELERY CONFIG ####
297 297 ####################################
298 298 ## run: /path/to/celery worker \
299 299 ## -E --beat --app rhodecode.lib.celerylib.loader \
300 300 ## --scheduler rhodecode.lib.celerylib.scheduler.RcScheduler \
301 301 ## --loglevel DEBUG --ini /path/to/rhodecode.ini
302 302
303 303 use_celery = false
304 304
305 305 ## connection url to the message broker (default rabbitmq)
306 306 celery.broker_url = amqp://rabbitmq:qweqwe@localhost:5672/rabbitmqhost
307 307
308 308 ## maximum tasks to execute before worker restart
309 309 celery.max_tasks_per_child = 100
310 310
311 311 ## tasks will never be sent to the queue, but executed locally instead.
312 312 celery.task_always_eager = false
313 313
314 314 #####################################
315 315 ### DOGPILE CACHE ####
316 316 #####################################
317 317 ## Default cache dir for caches. Putting this into a ramdisk
318 318 ## can boost performance, eg. /tmpfs/data_ramdisk, however this directory might require
319 319 ## large amount of space
320 320 cache_dir = %(here)s/data
321 321
322 322 ## `cache_perms` cache settings for permission tree, auth TTL.
323 323 rc_cache.cache_perms.backend = dogpile.cache.rc.file_namespace
324 324 rc_cache.cache_perms.expiration_time = 300
325 325
326 326 ## alternative `cache_perms` redis backend with distributed lock
327 327 #rc_cache.cache_perms.backend = dogpile.cache.rc.redis
328 328 #rc_cache.cache_perms.expiration_time = 300
329 329 ## redis_expiration_time needs to be greater then expiration_time
330 330 #rc_cache.cache_perms.arguments.redis_expiration_time = 7200
331 331 #rc_cache.cache_perms.arguments.socket_timeout = 30
332 332 #rc_cache.cache_perms.arguments.host = localhost
333 333 #rc_cache.cache_perms.arguments.port = 6379
334 334 #rc_cache.cache_perms.arguments.db = 0
335 335 #rc_cache.cache_perms.arguments.distributed_lock = true
336 336
337 337 ## `cache_repo` cache settings for FileTree, Readme, RSS FEEDS
338 338 rc_cache.cache_repo.backend = dogpile.cache.rc.file_namespace
339 339 rc_cache.cache_repo.expiration_time = 2592000
340 340
341 341 ## alternative `cache_repo` redis backend with distributed lock
342 342 #rc_cache.cache_repo.backend = dogpile.cache.rc.redis
343 343 #rc_cache.cache_repo.expiration_time = 2592000
344 344 ## redis_expiration_time needs to be greater then expiration_time
345 345 #rc_cache.cache_repo.arguments.redis_expiration_time = 2678400
346 346 #rc_cache.cache_repo.arguments.socket_timeout = 30
347 347 #rc_cache.cache_repo.arguments.host = localhost
348 348 #rc_cache.cache_repo.arguments.port = 6379
349 349 #rc_cache.cache_repo.arguments.db = 1
350 350 #rc_cache.cache_repo.arguments.distributed_lock = true
351 351
352 352 ## cache settings for SQL queries, this needs to use memory type backend
353 353 rc_cache.sql_cache_short.backend = dogpile.cache.rc.memory_lru
354 354 rc_cache.sql_cache_short.expiration_time = 30
355 355
356 356 ## `cache_repo_longterm` cache for repo object instances, this needs to use memory
357 357 ## type backend as the objects kept are not pickle serializable
358 358 rc_cache.cache_repo_longterm.backend = dogpile.cache.rc.memory_lru
359 359 ## by default we use 96H, this is using invalidation on push anyway
360 360 rc_cache.cache_repo_longterm.expiration_time = 345600
361 361 ## max items in LRU cache, reduce this number to save memory, and expire last used
362 362 ## cached objects
363 363 rc_cache.cache_repo_longterm.max_size = 10000
364 364
365 365
366 366 ####################################
367 367 ### BEAKER SESSION ####
368 368 ####################################
369 369
370 370 ## .session.type is type of storage options for the session, current allowed
371 371 ## types are file, ext:memcached, ext:redis, ext:database, and memory (default).
372 372 beaker.session.type = file
373 373 beaker.session.data_dir = %(here)s/data/sessions
374 374
375 375 ## db based session, fast, and allows easy management over logged in users
376 376 #beaker.session.type = ext:database
377 377 #beaker.session.table_name = db_session
378 378 #beaker.session.sa.url = postgresql://postgres:secret@localhost/rhodecode
379 379 #beaker.session.sa.url = mysql://root:secret@127.0.0.1/rhodecode
380 380 #beaker.session.sa.pool_recycle = 3600
381 381 #beaker.session.sa.echo = false
382 382
383 383 beaker.session.key = rhodecode
384 384 beaker.session.secret = develop-rc-uytcxaz
385 385 beaker.session.lock_dir = %(here)s/data/sessions/lock
386 386
387 387 ## Secure encrypted cookie. Requires AES and AES python libraries
388 388 ## you must disable beaker.session.secret to use this
389 389 #beaker.session.encrypt_key = key_for_encryption
390 390 #beaker.session.validate_key = validation_key
391 391
392 392 ## sets session as invalid(also logging out user) if it haven not been
393 393 ## accessed for given amount of time in seconds
394 394 beaker.session.timeout = 2592000
395 395 beaker.session.httponly = true
396 396 ## Path to use for the cookie. Set to prefix if you use prefix middleware
397 397 #beaker.session.cookie_path = /custom_prefix
398 398
399 399 ## uncomment for https secure cookie
400 400 beaker.session.secure = false
401 401
402 402 ## auto save the session to not to use .save()
403 403 beaker.session.auto = false
404 404
405 405 ## default cookie expiration time in seconds, set to `true` to set expire
406 406 ## at browser close
407 407 #beaker.session.cookie_expires = 3600
408 408
409 409 ###################################
410 410 ## SEARCH INDEXING CONFIGURATION ##
411 411 ###################################
412 412 ## Full text search indexer is available in rhodecode-tools under
413 413 ## `rhodecode-tools index` command
414 414
415 415 ## WHOOSH Backend, doesn't require additional services to run
416 416 ## it works good with few dozen repos
417 417 search.module = rhodecode.lib.index.whoosh
418 418 search.location = %(here)s/data/index
419 419
420 420 ########################################
421 421 ### CHANNELSTREAM CONFIG ####
422 422 ########################################
423 423 ## channelstream enables persistent connections and live notification
424 424 ## in the system. It's also used by the chat system
425 425
426 426 channelstream.enabled = false
427 427
428 428 ## server address for channelstream server on the backend
429 429 channelstream.server = 127.0.0.1:9800
430 430
431 431 ## location of the channelstream server from outside world
432 432 ## use ws:// for http or wss:// for https. This address needs to be handled
433 433 ## by external HTTP server such as Nginx or Apache
434 434 ## see nginx/apache configuration examples in our docs
435 435 channelstream.ws_url = ws://rhodecode.yourserver.com/_channelstream
436 436 channelstream.secret = secret
437 437 channelstream.history.location = %(here)s/channelstream_history
438 438
439 439 ## Internal application path that Javascript uses to connect into.
440 440 ## If you use proxy-prefix the prefix should be added before /_channelstream
441 441 channelstream.proxy_path = /_channelstream
442 442
443 443
444 444 ###################################
445 445 ## APPENLIGHT CONFIG ##
446 446 ###################################
447 447
448 448 ## Appenlight is tailored to work with RhodeCode, see
449 449 ## http://appenlight.com for details how to obtain an account
450 450
451 451 ## appenlight integration enabled
452 452 appenlight = false
453 453
454 454 appenlight.server_url = https://api.appenlight.com
455 455 appenlight.api_key = YOUR_API_KEY
456 456 #appenlight.transport_config = https://api.appenlight.com?threaded=1&timeout=5
457 457
458 458 # used for JS client
459 459 appenlight.api_public_key = YOUR_API_PUBLIC_KEY
460 460
461 461 ## TWEAK AMOUNT OF INFO SENT HERE
462 462
463 463 ## enables 404 error logging (default False)
464 464 appenlight.report_404 = false
465 465
466 466 ## time in seconds after request is considered being slow (default 1)
467 467 appenlight.slow_request_time = 1
468 468
469 469 ## record slow requests in application
470 470 ## (needs to be enabled for slow datastore recording and time tracking)
471 471 appenlight.slow_requests = true
472 472
473 473 ## enable hooking to application loggers
474 474 appenlight.logging = true
475 475
476 476 ## minimum log level for log capture
477 477 appenlight.logging.level = WARNING
478 478
479 479 ## send logs only from erroneous/slow requests
480 480 ## (saves API quota for intensive logging)
481 481 appenlight.logging_on_error = false
482 482
483 483 ## list of additonal keywords that should be grabbed from environ object
484 484 ## can be string with comma separated list of words in lowercase
485 485 ## (by default client will always send following info:
486 486 ## 'REMOTE_USER', 'REMOTE_ADDR', 'SERVER_NAME', 'CONTENT_TYPE' + all keys that
487 487 ## start with HTTP* this list be extended with additional keywords here
488 488 appenlight.environ_keys_whitelist =
489 489
490 490 ## list of keywords that should be blanked from request object
491 491 ## can be string with comma separated list of words in lowercase
492 492 ## (by default client will always blank keys that contain following words
493 493 ## 'password', 'passwd', 'pwd', 'auth_tkt', 'secret', 'csrf'
494 494 ## this list be extended with additional keywords set here
495 495 appenlight.request_keys_blacklist =
496 496
497 497 ## list of namespaces that should be ignores when gathering log entries
498 498 ## can be string with comma separated list of namespaces
499 499 ## (by default the client ignores own entries: appenlight_client.client)
500 500 appenlight.log_namespace_blacklist =
501 501
502 502 # enable debug style page
503 503 debug_style = true
504 504
505 505 ###########################################
506 506 ### MAIN RHODECODE DATABASE CONFIG ###
507 507 ###########################################
508 508 #sqlalchemy.db1.url = sqlite:///%(here)s/rhodecode.db?timeout=30
509 509 #sqlalchemy.db1.url = postgresql://postgres:qweqwe@localhost/rhodecode
510 510 #sqlalchemy.db1.url = mysql://root:qweqwe@localhost/rhodecode?charset=utf8
511 511 # pymysql is an alternative driver for MySQL, use in case of problems with default one
512 512 #sqlalchemy.db1.url = mysql+pymysql://root:qweqwe@localhost/rhodecode
513 513
514 514 sqlalchemy.db1.url = sqlite:///%(here)s/rhodecode.db?timeout=30
515 515
516 516 # see sqlalchemy docs for other advanced settings
517 517
518 518 ## print the sql statements to output
519 519 sqlalchemy.db1.echo = false
520 520 ## recycle the connections after this amount of seconds
521 521 sqlalchemy.db1.pool_recycle = 3600
522 522 sqlalchemy.db1.convert_unicode = true
523 523
524 524 ## the number of connections to keep open inside the connection pool.
525 525 ## 0 indicates no limit
526 526 #sqlalchemy.db1.pool_size = 5
527 527
528 528 ## the number of connections to allow in connection pool "overflow", that is
529 529 ## connections that can be opened above and beyond the pool_size setting,
530 530 ## which defaults to five.
531 531 #sqlalchemy.db1.max_overflow = 10
532 532
533 533 ## Connection check ping, used to detect broken database connections
534 534 ## could be enabled to better handle cases if MySQL has gone away errors
535 535 #sqlalchemy.db1.ping_connection = true
536 536
537 537 ##################
538 538 ### VCS CONFIG ###
539 539 ##################
540 540 vcs.server.enable = true
541 541 vcs.server = localhost:9900
542 542
543 543 ## Web server connectivity protocol, responsible for web based VCS operatations
544 544 ## Available protocols are:
545 545 ## `http` - use http-rpc backend (default)
546 546 vcs.server.protocol = http
547 547
548 548 ## Push/Pull operations protocol, available options are:
549 549 ## `http` - use http-rpc backend (default)
550 550 vcs.scm_app_implementation = http
551 551
552 552 ## Push/Pull operations hooks protocol, available options are:
553 553 ## `http` - use http-rpc backend (default)
554 554 vcs.hooks.protocol = http
555 555
556 556 ## Host on which this instance is listening for hooks. If vcsserver is in other location
557 557 ## this should be adjusted.
558 558 vcs.hooks.host = 127.0.0.1
559 559
560 560 vcs.server.log_level = debug
561 561 ## Start VCSServer with this instance as a subprocess, useful for development
562 562 vcs.start_server = false
563 563
564 564 ## List of enabled VCS backends, available options are:
565 565 ## `hg` - mercurial
566 566 ## `git` - git
567 567 ## `svn` - subversion
568 568 vcs.backends = hg, git, svn
569 569
570 570 vcs.connection_timeout = 3600
571 571 ## Compatibility version when creating SVN repositories. Defaults to newest version when commented out.
572 572 ## Available options are: pre-1.4-compatible, pre-1.5-compatible, pre-1.6-compatible, pre-1.8-compatible, pre-1.9-compatible
573 573 #vcs.svn.compatible_version = pre-1.8-compatible
574 574
575 575
576 576 ############################################################
577 577 ### Subversion proxy support (mod_dav_svn) ###
578 578 ### Maps RhodeCode repo groups into SVN paths for Apache ###
579 579 ############################################################
580 580 ## Enable or disable the config file generation.
581 581 svn.proxy.generate_config = false
582 582 ## Generate config file with `SVNListParentPath` set to `On`.
583 583 svn.proxy.list_parent_path = true
584 584 ## Set location and file name of generated config file.
585 585 svn.proxy.config_file_path = %(here)s/mod_dav_svn.conf
586 586 ## alternative mod_dav config template. This needs to be a mako template
587 587 #svn.proxy.config_template = ~/.rccontrol/enterprise-1/custom_svn_conf.mako
588 588 ## Used as a prefix to the `Location` block in the generated config file.
589 589 ## In most cases it should be set to `/`.
590 590 svn.proxy.location_root = /
591 591 ## Command to reload the mod dav svn configuration on change.
592 592 ## Example: `/etc/init.d/apache2 reload`
593 593 #svn.proxy.reload_cmd = /etc/init.d/apache2 reload
594 594 ## If the timeout expires before the reload command finishes, the command will
595 595 ## be killed. Setting it to zero means no timeout. Defaults to 10 seconds.
596 596 #svn.proxy.reload_timeout = 10
597 597
598 598 ############################################################
599 599 ### SSH Support Settings ###
600 600 ############################################################
601 601
602 602 ## Defines if a custom authorized_keys file should be created and written on
603 603 ## any change user ssh keys. Setting this to false also disables posibility
604 604 ## of adding SSH keys by users from web interface. Super admins can still
605 605 ## manage SSH Keys.
606 606 ssh.generate_authorized_keyfile = false
607 607
608 608 ## Options for ssh, default is `no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding`
609 609 # ssh.authorized_keys_ssh_opts =
610 610
611 611 ## Path to the authrozied_keys file where the generate entries are placed.
612 612 ## It is possible to have multiple key files specified in `sshd_config` e.g.
613 613 ## AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_rhodecode
614 614 ssh.authorized_keys_file_path = ~/.ssh/authorized_keys_rhodecode
615 615
616 616 ## Command to execute the SSH wrapper. The binary is available in the
617 617 ## rhodecode installation directory.
618 618 ## e.g ~/.rccontrol/community-1/profile/bin/rc-ssh-wrapper
619 619 ssh.wrapper_cmd = ~/.rccontrol/community-1/rc-ssh-wrapper
620 620
621 621 ## Allow shell when executing the ssh-wrapper command
622 622 ssh.wrapper_cmd_allow_shell = false
623 623
624 624 ## Enables logging, and detailed output send back to the client during SSH
625 625 ## operations. Usefull for debugging, shouldn't be used in production.
626 626 ssh.enable_debug_logging = true
627 627
628 628 ## Paths to binary executable, by default they are the names, but we can
629 629 ## override them if we want to use a custom one
630 630 ssh.executable.hg = ~/.rccontrol/vcsserver-1/profile/bin/hg
631 631 ssh.executable.git = ~/.rccontrol/vcsserver-1/profile/bin/git
632 632 ssh.executable.svn = ~/.rccontrol/vcsserver-1/profile/bin/svnserve
633 633
634 ## Enables SSH key generator web interface. Disabling this still allows users
635 ## to add their own keys.
636 ssh.enable_ui_key_generator = true
637
634 638
635 639 ## Dummy marker to add new entries after.
636 640 ## Add any custom entries below. Please don't remove.
637 641 custom.conf = 1
638 642
639 643
640 644 ################################
641 645 ### LOGGING CONFIGURATION ####
642 646 ################################
643 647 [loggers]
644 648 keys = root, sqlalchemy, beaker, celery, rhodecode, ssh_wrapper
645 649
646 650 [handlers]
647 651 keys = console, console_sql
648 652
649 653 [formatters]
650 654 keys = generic, color_formatter, color_formatter_sql
651 655
652 656 #############
653 657 ## LOGGERS ##
654 658 #############
655 659 [logger_root]
656 660 level = NOTSET
657 661 handlers = console
658 662
659 663 [logger_sqlalchemy]
660 664 level = INFO
661 665 handlers = console_sql
662 666 qualname = sqlalchemy.engine
663 667 propagate = 0
664 668
665 669 [logger_beaker]
666 670 level = DEBUG
667 671 handlers =
668 672 qualname = beaker.container
669 673 propagate = 1
670 674
671 675 [logger_rhodecode]
672 676 level = DEBUG
673 677 handlers =
674 678 qualname = rhodecode
675 679 propagate = 1
676 680
677 681 [logger_ssh_wrapper]
678 682 level = DEBUG
679 683 handlers =
680 684 qualname = ssh_wrapper
681 685 propagate = 1
682 686
683 687 [logger_celery]
684 688 level = DEBUG
685 689 handlers =
686 690 qualname = celery
687 691
688 692
689 693 ##############
690 694 ## HANDLERS ##
691 695 ##############
692 696
693 697 [handler_console]
694 698 class = StreamHandler
695 699 args = (sys.stderr, )
696 700 level = DEBUG
697 701 formatter = color_formatter
698 702
699 703 [handler_console_sql]
700 704 # "level = DEBUG" logs SQL queries and results.
701 705 # "level = INFO" logs SQL queries.
702 706 # "level = WARN" logs neither. (Recommended for production systems.)
703 707 class = StreamHandler
704 708 args = (sys.stderr, )
705 709 level = WARN
706 710 formatter = color_formatter_sql
707 711
708 712 ################
709 713 ## FORMATTERS ##
710 714 ################
711 715
712 716 [formatter_generic]
713 717 class = rhodecode.lib.logging_formatter.ExceptionAwareFormatter
714 718 format = %(asctime)s.%(msecs)03d [%(process)d] %(levelname)-5.5s [%(name)s] %(message)s
715 719 datefmt = %Y-%m-%d %H:%M:%S
716 720
717 721 [formatter_color_formatter]
718 722 class = rhodecode.lib.logging_formatter.ColorFormatter
719 723 format = %(asctime)s.%(msecs)03d [%(process)d] %(levelname)-5.5s [%(name)s] %(message)s
720 724 datefmt = %Y-%m-%d %H:%M:%S
721 725
722 726 [formatter_color_formatter_sql]
723 727 class = rhodecode.lib.logging_formatter.ColorFormatterSql
724 728 format = %(asctime)s.%(msecs)03d [%(process)d] %(levelname)-5.5s [%(name)s] %(message)s
725 729 datefmt = %Y-%m-%d %H:%M:%S
@@ -1,698 +1,702 b''
1 1
2 2
3 3 ################################################################################
4 4 ## RHODECODE COMMUNITY EDITION CONFIGURATION ##
5 5 ################################################################################
6 6
7 7 [DEFAULT]
8 8 ## Debug flag sets all loggers to debug, and enables request tracking
9 9 debug = false
10 10
11 11 ################################################################################
12 12 ## EMAIL CONFIGURATION ##
13 13 ## Uncomment and replace with the email address which should receive ##
14 14 ## any error reports after an application crash ##
15 15 ## Additionally these settings will be used by the RhodeCode mailing system ##
16 16 ################################################################################
17 17
18 18 ## prefix all emails subjects with given prefix, helps filtering out emails
19 19 #email_prefix = [RhodeCode]
20 20
21 21 ## email FROM address all mails will be sent
22 22 #app_email_from = rhodecode-noreply@localhost
23 23
24 24 #smtp_server = mail.server.com
25 25 #smtp_username =
26 26 #smtp_password =
27 27 #smtp_port =
28 28 #smtp_use_tls = false
29 29 #smtp_use_ssl = true
30 30
31 31 [server:main]
32 32 ## COMMON ##
33 33 host = 127.0.0.1
34 34 port = 5000
35 35
36 36 ###########################################################
37 37 ## WAITRESS WSGI SERVER - Recommended for Development ####
38 38 ###########################################################
39 39
40 40 #use = egg:waitress#main
41 41 ## number of worker threads
42 42 #threads = 5
43 43 ## MAX BODY SIZE 100GB
44 44 #max_request_body_size = 107374182400
45 45 ## Use poll instead of select, fixes file descriptors limits problems.
46 46 ## May not work on old windows systems.
47 47 #asyncore_use_poll = true
48 48
49 49
50 50 ##########################
51 51 ## GUNICORN WSGI SERVER ##
52 52 ##########################
53 53 ## run with gunicorn --log-config rhodecode.ini --paste rhodecode.ini
54 54
55 55 use = egg:gunicorn#main
56 56 ## Sets the number of process workers. More workers means more concurent connections
57 57 ## RhodeCode can handle at the same time. Each additional worker also it increases
58 58 ## memory usage as each has it's own set of caches.
59 59 ## Recommended value is (2 * NUMBER_OF_CPUS + 1), eg 2CPU = 5 workers, but no more
60 60 ## than 8-10 unless for really big deployments .e.g 700-1000 users.
61 61 ## `instance_id = *` must be set in the [app:main] section below (which is the default)
62 62 ## when using more than 1 worker.
63 63 workers = 2
64 64 ## process name visible in process list
65 65 proc_name = rhodecode
66 66 ## type of worker class, one of sync, gevent
67 67 ## recommended for bigger setup is using of of other than sync one
68 68 worker_class = gevent
69 69 ## The maximum number of simultaneous clients. Valid only for Gevent
70 70 worker_connections = 10
71 71 ## max number of requests that worker will handle before being gracefully
72 72 ## restarted, could prevent memory leaks
73 73 max_requests = 1000
74 74 max_requests_jitter = 30
75 75 ## amount of time a worker can spend with handling a request before it
76 76 ## gets killed and restarted. Set to 6hrs
77 77 timeout = 21600
78 78
79 79
80 80 ## prefix middleware for RhodeCode.
81 81 ## recommended when using proxy setup.
82 82 ## allows to set RhodeCode under a prefix in server.
83 83 ## eg https://server.com/custom_prefix. Enable `filter-with =` option below as well.
84 84 ## And set your prefix like: `prefix = /custom_prefix`
85 85 ## be sure to also set beaker.session.cookie_path = /custom_prefix if you need
86 86 ## to make your cookies only work on prefix url
87 87 [filter:proxy-prefix]
88 88 use = egg:PasteDeploy#prefix
89 89 prefix = /
90 90
91 91 [app:main]
92 92 ## The %(here)s variable will be replaced with the absolute path of parent directory
93 93 ## of this file
94 94 ## In addition ENVIRONMENT variables usage is possible, e.g
95 95 ## sqlalchemy.db1.url = {ENV_RC_DB_URL}
96 96
97 97 use = egg:rhodecode-enterprise-ce
98 98
99 99 ## enable proxy prefix middleware, defined above
100 100 #filter-with = proxy-prefix
101 101
102 102 ## encryption key used to encrypt social plugin tokens,
103 103 ## remote_urls with credentials etc, if not set it defaults to
104 104 ## `beaker.session.secret`
105 105 #rhodecode.encrypted_values.secret =
106 106
107 107 ## decryption strict mode (enabled by default). It controls if decryption raises
108 108 ## `SignatureVerificationError` in case of wrong key, or damaged encryption data.
109 109 #rhodecode.encrypted_values.strict = false
110 110
111 111 ## return gzipped responses from Rhodecode (static files/application)
112 112 gzip_responses = false
113 113
114 114 ## autogenerate javascript routes file on startup
115 115 generate_js_files = false
116 116
117 117 ## System global default language.
118 118 ## All available languages: en(default), be, de, es, fr, it, ja, pl, pt, ru, zh
119 119 lang = en
120 120
121 121 ## Perform a full repository scan and import on each server start.
122 122 ## Settings this to true could lead to very long startup time.
123 123 startup.import_repos = false
124 124
125 125 ## Uncomment and set this path to use archive download cache.
126 126 ## Once enabled, generated archives will be cached at this location
127 127 ## and served from the cache during subsequent requests for the same archive of
128 128 ## the repository.
129 129 #archive_cache_dir = /tmp/tarballcache
130 130
131 131 ## URL at which the application is running. This is used for bootstraping
132 132 ## requests in context when no web request is available. Used in ishell, or
133 133 ## SSH calls. Set this for events to receive proper url for SSH calls.
134 134 app.base_url = http://rhodecode.local
135 135
136 136 ## Unique application ID. Should be a random unique string for security.
137 137 app_instance_uuid = rc-production
138 138
139 139 ## Cut off limit for large diffs (size in bytes). If overall diff size on
140 140 ## commit, or pull request exceeds this limit this diff will be displayed
141 141 ## partially. E.g 512000 == 512Kb
142 142 cut_off_limit_diff = 512000
143 143
144 144 ## Cut off limit for large files inside diffs (size in bytes). Each individual
145 145 ## file inside diff which exceeds this limit will be displayed partially.
146 146 ## E.g 128000 == 128Kb
147 147 cut_off_limit_file = 128000
148 148
149 149 ## use cached version of vcs repositories everywhere. Recommended to be `true`
150 150 vcs_full_cache = true
151 151
152 152 ## Force https in RhodeCode, fixes https redirects, assumes it's always https.
153 153 ## Normally this is controlled by proper http flags sent from http server
154 154 force_https = false
155 155
156 156 ## use Strict-Transport-Security headers
157 157 use_htsts = false
158 158
159 159 ## git rev filter option, --all is the default filter, if you need to
160 160 ## hide all refs in changelog switch this to --branches --tags
161 161 git_rev_filter = --branches --tags
162 162
163 163 # Set to true if your repos are exposed using the dumb protocol
164 164 git_update_server_info = false
165 165
166 166 ## RSS/ATOM feed options
167 167 rss_cut_off_limit = 256000
168 168 rss_items_per_page = 10
169 169 rss_include_diff = false
170 170
171 171 ## gist URL alias, used to create nicer urls for gist. This should be an
172 172 ## url that does rewrites to _admin/gists/{gistid}.
173 173 ## example: http://gist.rhodecode.org/{gistid}. Empty means use the internal
174 174 ## RhodeCode url, ie. http[s]://rhodecode.server/_admin/gists/{gistid}
175 175 gist_alias_url =
176 176
177 177 ## List of views (using glob pattern syntax) that AUTH TOKENS could be
178 178 ## used for access.
179 179 ## Adding ?auth_token=TOKEN_HASH to the url authenticates this request as if it
180 180 ## came from the the logged in user who own this authentication token.
181 181 ## Additionally @TOKEN syntaxt can be used to bound the view to specific
182 182 ## authentication token. Such view would be only accessible when used together
183 183 ## with this authentication token
184 184 ##
185 185 ## list of all views can be found under `/_admin/permissions/auth_token_access`
186 186 ## The list should be "," separated and on a single line.
187 187 ##
188 188 ## Most common views to enable:
189 189 # RepoCommitsView:repo_commit_download
190 190 # RepoCommitsView:repo_commit_patch
191 191 # RepoCommitsView:repo_commit_raw
192 192 # RepoCommitsView:repo_commit_raw@TOKEN
193 193 # RepoFilesView:repo_files_diff
194 194 # RepoFilesView:repo_archivefile
195 195 # RepoFilesView:repo_file_raw
196 196 # GistView:*
197 197 api_access_controllers_whitelist =
198 198
199 199 ## Default encoding used to convert from and to unicode
200 200 ## can be also a comma separated list of encoding in case of mixed encodings
201 201 default_encoding = UTF-8
202 202
203 203 ## instance-id prefix
204 204 ## a prefix key for this instance used for cache invalidation when running
205 205 ## multiple instances of rhodecode, make sure it's globally unique for
206 206 ## all running rhodecode instances. Leave empty if you don't use it
207 207 instance_id =
208 208
209 209 ## Fallback authentication plugin. Set this to a plugin ID to force the usage
210 210 ## of an authentication plugin also if it is disabled by it's settings.
211 211 ## This could be useful if you are unable to log in to the system due to broken
212 212 ## authentication settings. Then you can enable e.g. the internal rhodecode auth
213 213 ## module to log in again and fix the settings.
214 214 ##
215 215 ## Available builtin plugin IDs (hash is part of the ID):
216 216 ## egg:rhodecode-enterprise-ce#rhodecode
217 217 ## egg:rhodecode-enterprise-ce#pam
218 218 ## egg:rhodecode-enterprise-ce#ldap
219 219 ## egg:rhodecode-enterprise-ce#jasig_cas
220 220 ## egg:rhodecode-enterprise-ce#headers
221 221 ## egg:rhodecode-enterprise-ce#crowd
222 222 #rhodecode.auth_plugin_fallback = egg:rhodecode-enterprise-ce#rhodecode
223 223
224 224 ## alternative return HTTP header for failed authentication. Default HTTP
225 225 ## response is 401 HTTPUnauthorized. Currently HG clients have troubles with
226 226 ## handling that causing a series of failed authentication calls.
227 227 ## Set this variable to 403 to return HTTPForbidden, or any other HTTP code
228 228 ## This will be served instead of default 401 on bad authnetication
229 229 auth_ret_code =
230 230
231 231 ## use special detection method when serving auth_ret_code, instead of serving
232 232 ## ret_code directly, use 401 initially (Which triggers credentials prompt)
233 233 ## and then serve auth_ret_code to clients
234 234 auth_ret_code_detection = false
235 235
236 236 ## locking return code. When repository is locked return this HTTP code. 2XX
237 237 ## codes don't break the transactions while 4XX codes do
238 238 lock_ret_code = 423
239 239
240 240 ## allows to change the repository location in settings page
241 241 allow_repo_location_change = true
242 242
243 243 ## allows to setup custom hooks in settings page
244 244 allow_custom_hooks_settings = true
245 245
246 246 ## Generated license token required for EE edition license.
247 247 ## New generated token value can be found in Admin > settings > license page.
248 248 license_token =
249 249
250 250 ## supervisor connection uri, for managing supervisor and logs.
251 251 supervisor.uri =
252 252 ## supervisord group name/id we only want this RC instance to handle
253 253 supervisor.group_id = prod
254 254
255 255 ## Display extended labs settings
256 256 labs_settings_active = true
257 257
258 258 ## Custom exception store path, defaults to TMPDIR
259 259 ## This is used to store exception from RhodeCode in shared directory
260 260 #exception_tracker.store_path =
261 261
262 262 ## File store configuration. This is used to store and serve uploaded files
263 263 file_store.enabled = true
264 264 ## backend, only available one is local
265 265 file_store.backend = local
266 266 ## path to store the uploaded binaries
267 267 file_store.storage_path = %(here)s/data/file_store
268 268
269 269
270 270 ####################################
271 271 ### CELERY CONFIG ####
272 272 ####################################
273 273 ## run: /path/to/celery worker \
274 274 ## -E --beat --app rhodecode.lib.celerylib.loader \
275 275 ## --scheduler rhodecode.lib.celerylib.scheduler.RcScheduler \
276 276 ## --loglevel DEBUG --ini /path/to/rhodecode.ini
277 277
278 278 use_celery = false
279 279
280 280 ## connection url to the message broker (default rabbitmq)
281 281 celery.broker_url = amqp://rabbitmq:qweqwe@localhost:5672/rabbitmqhost
282 282
283 283 ## maximum tasks to execute before worker restart
284 284 celery.max_tasks_per_child = 100
285 285
286 286 ## tasks will never be sent to the queue, but executed locally instead.
287 287 celery.task_always_eager = false
288 288
289 289 #####################################
290 290 ### DOGPILE CACHE ####
291 291 #####################################
292 292 ## Default cache dir for caches. Putting this into a ramdisk
293 293 ## can boost performance, eg. /tmpfs/data_ramdisk, however this directory might require
294 294 ## large amount of space
295 295 cache_dir = %(here)s/data
296 296
297 297 ## `cache_perms` cache settings for permission tree, auth TTL.
298 298 rc_cache.cache_perms.backend = dogpile.cache.rc.file_namespace
299 299 rc_cache.cache_perms.expiration_time = 300
300 300
301 301 ## alternative `cache_perms` redis backend with distributed lock
302 302 #rc_cache.cache_perms.backend = dogpile.cache.rc.redis
303 303 #rc_cache.cache_perms.expiration_time = 300
304 304 ## redis_expiration_time needs to be greater then expiration_time
305 305 #rc_cache.cache_perms.arguments.redis_expiration_time = 7200
306 306 #rc_cache.cache_perms.arguments.socket_timeout = 30
307 307 #rc_cache.cache_perms.arguments.host = localhost
308 308 #rc_cache.cache_perms.arguments.port = 6379
309 309 #rc_cache.cache_perms.arguments.db = 0
310 310 #rc_cache.cache_perms.arguments.distributed_lock = true
311 311
312 312 ## `cache_repo` cache settings for FileTree, Readme, RSS FEEDS
313 313 rc_cache.cache_repo.backend = dogpile.cache.rc.file_namespace
314 314 rc_cache.cache_repo.expiration_time = 2592000
315 315
316 316 ## alternative `cache_repo` redis backend with distributed lock
317 317 #rc_cache.cache_repo.backend = dogpile.cache.rc.redis
318 318 #rc_cache.cache_repo.expiration_time = 2592000
319 319 ## redis_expiration_time needs to be greater then expiration_time
320 320 #rc_cache.cache_repo.arguments.redis_expiration_time = 2678400
321 321 #rc_cache.cache_repo.arguments.socket_timeout = 30
322 322 #rc_cache.cache_repo.arguments.host = localhost
323 323 #rc_cache.cache_repo.arguments.port = 6379
324 324 #rc_cache.cache_repo.arguments.db = 1
325 325 #rc_cache.cache_repo.arguments.distributed_lock = true
326 326
327 327 ## cache settings for SQL queries, this needs to use memory type backend
328 328 rc_cache.sql_cache_short.backend = dogpile.cache.rc.memory_lru
329 329 rc_cache.sql_cache_short.expiration_time = 30
330 330
331 331 ## `cache_repo_longterm` cache for repo object instances, this needs to use memory
332 332 ## type backend as the objects kept are not pickle serializable
333 333 rc_cache.cache_repo_longterm.backend = dogpile.cache.rc.memory_lru
334 334 ## by default we use 96H, this is using invalidation on push anyway
335 335 rc_cache.cache_repo_longterm.expiration_time = 345600
336 336 ## max items in LRU cache, reduce this number to save memory, and expire last used
337 337 ## cached objects
338 338 rc_cache.cache_repo_longterm.max_size = 10000
339 339
340 340
341 341 ####################################
342 342 ### BEAKER SESSION ####
343 343 ####################################
344 344
345 345 ## .session.type is type of storage options for the session, current allowed
346 346 ## types are file, ext:memcached, ext:redis, ext:database, and memory (default).
347 347 beaker.session.type = file
348 348 beaker.session.data_dir = %(here)s/data/sessions
349 349
350 350 ## db based session, fast, and allows easy management over logged in users
351 351 #beaker.session.type = ext:database
352 352 #beaker.session.table_name = db_session
353 353 #beaker.session.sa.url = postgresql://postgres:secret@localhost/rhodecode
354 354 #beaker.session.sa.url = mysql://root:secret@127.0.0.1/rhodecode
355 355 #beaker.session.sa.pool_recycle = 3600
356 356 #beaker.session.sa.echo = false
357 357
358 358 beaker.session.key = rhodecode
359 359 beaker.session.secret = production-rc-uytcxaz
360 360 beaker.session.lock_dir = %(here)s/data/sessions/lock
361 361
362 362 ## Secure encrypted cookie. Requires AES and AES python libraries
363 363 ## you must disable beaker.session.secret to use this
364 364 #beaker.session.encrypt_key = key_for_encryption
365 365 #beaker.session.validate_key = validation_key
366 366
367 367 ## sets session as invalid(also logging out user) if it haven not been
368 368 ## accessed for given amount of time in seconds
369 369 beaker.session.timeout = 2592000
370 370 beaker.session.httponly = true
371 371 ## Path to use for the cookie. Set to prefix if you use prefix middleware
372 372 #beaker.session.cookie_path = /custom_prefix
373 373
374 374 ## uncomment for https secure cookie
375 375 beaker.session.secure = false
376 376
377 377 ## auto save the session to not to use .save()
378 378 beaker.session.auto = false
379 379
380 380 ## default cookie expiration time in seconds, set to `true` to set expire
381 381 ## at browser close
382 382 #beaker.session.cookie_expires = 3600
383 383
384 384 ###################################
385 385 ## SEARCH INDEXING CONFIGURATION ##
386 386 ###################################
387 387 ## Full text search indexer is available in rhodecode-tools under
388 388 ## `rhodecode-tools index` command
389 389
390 390 ## WHOOSH Backend, doesn't require additional services to run
391 391 ## it works good with few dozen repos
392 392 search.module = rhodecode.lib.index.whoosh
393 393 search.location = %(here)s/data/index
394 394
395 395 ########################################
396 396 ### CHANNELSTREAM CONFIG ####
397 397 ########################################
398 398 ## channelstream enables persistent connections and live notification
399 399 ## in the system. It's also used by the chat system
400 400
401 401 channelstream.enabled = false
402 402
403 403 ## server address for channelstream server on the backend
404 404 channelstream.server = 127.0.0.1:9800
405 405
406 406 ## location of the channelstream server from outside world
407 407 ## use ws:// for http or wss:// for https. This address needs to be handled
408 408 ## by external HTTP server such as Nginx or Apache
409 409 ## see nginx/apache configuration examples in our docs
410 410 channelstream.ws_url = ws://rhodecode.yourserver.com/_channelstream
411 411 channelstream.secret = secret
412 412 channelstream.history.location = %(here)s/channelstream_history
413 413
414 414 ## Internal application path that Javascript uses to connect into.
415 415 ## If you use proxy-prefix the prefix should be added before /_channelstream
416 416 channelstream.proxy_path = /_channelstream
417 417
418 418
419 419 ###################################
420 420 ## APPENLIGHT CONFIG ##
421 421 ###################################
422 422
423 423 ## Appenlight is tailored to work with RhodeCode, see
424 424 ## http://appenlight.com for details how to obtain an account
425 425
426 426 ## appenlight integration enabled
427 427 appenlight = false
428 428
429 429 appenlight.server_url = https://api.appenlight.com
430 430 appenlight.api_key = YOUR_API_KEY
431 431 #appenlight.transport_config = https://api.appenlight.com?threaded=1&timeout=5
432 432
433 433 # used for JS client
434 434 appenlight.api_public_key = YOUR_API_PUBLIC_KEY
435 435
436 436 ## TWEAK AMOUNT OF INFO SENT HERE
437 437
438 438 ## enables 404 error logging (default False)
439 439 appenlight.report_404 = false
440 440
441 441 ## time in seconds after request is considered being slow (default 1)
442 442 appenlight.slow_request_time = 1
443 443
444 444 ## record slow requests in application
445 445 ## (needs to be enabled for slow datastore recording and time tracking)
446 446 appenlight.slow_requests = true
447 447
448 448 ## enable hooking to application loggers
449 449 appenlight.logging = true
450 450
451 451 ## minimum log level for log capture
452 452 appenlight.logging.level = WARNING
453 453
454 454 ## send logs only from erroneous/slow requests
455 455 ## (saves API quota for intensive logging)
456 456 appenlight.logging_on_error = false
457 457
458 458 ## list of additonal keywords that should be grabbed from environ object
459 459 ## can be string with comma separated list of words in lowercase
460 460 ## (by default client will always send following info:
461 461 ## 'REMOTE_USER', 'REMOTE_ADDR', 'SERVER_NAME', 'CONTENT_TYPE' + all keys that
462 462 ## start with HTTP* this list be extended with additional keywords here
463 463 appenlight.environ_keys_whitelist =
464 464
465 465 ## list of keywords that should be blanked from request object
466 466 ## can be string with comma separated list of words in lowercase
467 467 ## (by default client will always blank keys that contain following words
468 468 ## 'password', 'passwd', 'pwd', 'auth_tkt', 'secret', 'csrf'
469 469 ## this list be extended with additional keywords set here
470 470 appenlight.request_keys_blacklist =
471 471
472 472 ## list of namespaces that should be ignores when gathering log entries
473 473 ## can be string with comma separated list of namespaces
474 474 ## (by default the client ignores own entries: appenlight_client.client)
475 475 appenlight.log_namespace_blacklist =
476 476
477 477
478 478 ###########################################
479 479 ### MAIN RHODECODE DATABASE CONFIG ###
480 480 ###########################################
481 481 #sqlalchemy.db1.url = sqlite:///%(here)s/rhodecode.db?timeout=30
482 482 #sqlalchemy.db1.url = postgresql://postgres:qweqwe@localhost/rhodecode
483 483 #sqlalchemy.db1.url = mysql://root:qweqwe@localhost/rhodecode?charset=utf8
484 484 # pymysql is an alternative driver for MySQL, use in case of problems with default one
485 485 #sqlalchemy.db1.url = mysql+pymysql://root:qweqwe@localhost/rhodecode
486 486
487 487 sqlalchemy.db1.url = postgresql://postgres:qweqwe@localhost/rhodecode
488 488
489 489 # see sqlalchemy docs for other advanced settings
490 490
491 491 ## print the sql statements to output
492 492 sqlalchemy.db1.echo = false
493 493 ## recycle the connections after this amount of seconds
494 494 sqlalchemy.db1.pool_recycle = 3600
495 495 sqlalchemy.db1.convert_unicode = true
496 496
497 497 ## the number of connections to keep open inside the connection pool.
498 498 ## 0 indicates no limit
499 499 #sqlalchemy.db1.pool_size = 5
500 500
501 501 ## the number of connections to allow in connection pool "overflow", that is
502 502 ## connections that can be opened above and beyond the pool_size setting,
503 503 ## which defaults to five.
504 504 #sqlalchemy.db1.max_overflow = 10
505 505
506 506 ## Connection check ping, used to detect broken database connections
507 507 ## could be enabled to better handle cases if MySQL has gone away errors
508 508 #sqlalchemy.db1.ping_connection = true
509 509
510 510 ##################
511 511 ### VCS CONFIG ###
512 512 ##################
513 513 vcs.server.enable = true
514 514 vcs.server = localhost:9900
515 515
516 516 ## Web server connectivity protocol, responsible for web based VCS operatations
517 517 ## Available protocols are:
518 518 ## `http` - use http-rpc backend (default)
519 519 vcs.server.protocol = http
520 520
521 521 ## Push/Pull operations protocol, available options are:
522 522 ## `http` - use http-rpc backend (default)
523 523 vcs.scm_app_implementation = http
524 524
525 525 ## Push/Pull operations hooks protocol, available options are:
526 526 ## `http` - use http-rpc backend (default)
527 527 vcs.hooks.protocol = http
528 528
529 529 ## Host on which this instance is listening for hooks. If vcsserver is in other location
530 530 ## this should be adjusted.
531 531 vcs.hooks.host = 127.0.0.1
532 532
533 533 vcs.server.log_level = info
534 534 ## Start VCSServer with this instance as a subprocess, useful for development
535 535 vcs.start_server = false
536 536
537 537 ## List of enabled VCS backends, available options are:
538 538 ## `hg` - mercurial
539 539 ## `git` - git
540 540 ## `svn` - subversion
541 541 vcs.backends = hg, git, svn
542 542
543 543 vcs.connection_timeout = 3600
544 544 ## Compatibility version when creating SVN repositories. Defaults to newest version when commented out.
545 545 ## Available options are: pre-1.4-compatible, pre-1.5-compatible, pre-1.6-compatible, pre-1.8-compatible, pre-1.9-compatible
546 546 #vcs.svn.compatible_version = pre-1.8-compatible
547 547
548 548
549 549 ############################################################
550 550 ### Subversion proxy support (mod_dav_svn) ###
551 551 ### Maps RhodeCode repo groups into SVN paths for Apache ###
552 552 ############################################################
553 553 ## Enable or disable the config file generation.
554 554 svn.proxy.generate_config = false
555 555 ## Generate config file with `SVNListParentPath` set to `On`.
556 556 svn.proxy.list_parent_path = true
557 557 ## Set location and file name of generated config file.
558 558 svn.proxy.config_file_path = %(here)s/mod_dav_svn.conf
559 559 ## alternative mod_dav config template. This needs to be a mako template
560 560 #svn.proxy.config_template = ~/.rccontrol/enterprise-1/custom_svn_conf.mako
561 561 ## Used as a prefix to the `Location` block in the generated config file.
562 562 ## In most cases it should be set to `/`.
563 563 svn.proxy.location_root = /
564 564 ## Command to reload the mod dav svn configuration on change.
565 565 ## Example: `/etc/init.d/apache2 reload`
566 566 #svn.proxy.reload_cmd = /etc/init.d/apache2 reload
567 567 ## If the timeout expires before the reload command finishes, the command will
568 568 ## be killed. Setting it to zero means no timeout. Defaults to 10 seconds.
569 569 #svn.proxy.reload_timeout = 10
570 570
571 571 ############################################################
572 572 ### SSH Support Settings ###
573 573 ############################################################
574 574
575 575 ## Defines if a custom authorized_keys file should be created and written on
576 576 ## any change user ssh keys. Setting this to false also disables posibility
577 577 ## of adding SSH keys by users from web interface. Super admins can still
578 578 ## manage SSH Keys.
579 579 ssh.generate_authorized_keyfile = false
580 580
581 581 ## Options for ssh, default is `no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding`
582 582 # ssh.authorized_keys_ssh_opts =
583 583
584 584 ## Path to the authrozied_keys file where the generate entries are placed.
585 585 ## It is possible to have multiple key files specified in `sshd_config` e.g.
586 586 ## AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_rhodecode
587 587 ssh.authorized_keys_file_path = ~/.ssh/authorized_keys_rhodecode
588 588
589 589 ## Command to execute the SSH wrapper. The binary is available in the
590 590 ## rhodecode installation directory.
591 591 ## e.g ~/.rccontrol/community-1/profile/bin/rc-ssh-wrapper
592 592 ssh.wrapper_cmd = ~/.rccontrol/community-1/rc-ssh-wrapper
593 593
594 594 ## Allow shell when executing the ssh-wrapper command
595 595 ssh.wrapper_cmd_allow_shell = false
596 596
597 597 ## Enables logging, and detailed output send back to the client during SSH
598 598 ## operations. Usefull for debugging, shouldn't be used in production.
599 599 ssh.enable_debug_logging = false
600 600
601 601 ## Paths to binary executable, by default they are the names, but we can
602 602 ## override them if we want to use a custom one
603 603 ssh.executable.hg = ~/.rccontrol/vcsserver-1/profile/bin/hg
604 604 ssh.executable.git = ~/.rccontrol/vcsserver-1/profile/bin/git
605 605 ssh.executable.svn = ~/.rccontrol/vcsserver-1/profile/bin/svnserve
606 606
607 ## Enables SSH key generator web interface. Disabling this still allows users
608 ## to add their own keys.
609 ssh.enable_ui_key_generator = true
610
607 611
608 612 ## Dummy marker to add new entries after.
609 613 ## Add any custom entries below. Please don't remove.
610 614 custom.conf = 1
611 615
612 616
613 617 ################################
614 618 ### LOGGING CONFIGURATION ####
615 619 ################################
616 620 [loggers]
617 621 keys = root, sqlalchemy, beaker, celery, rhodecode, ssh_wrapper
618 622
619 623 [handlers]
620 624 keys = console, console_sql
621 625
622 626 [formatters]
623 627 keys = generic, color_formatter, color_formatter_sql
624 628
625 629 #############
626 630 ## LOGGERS ##
627 631 #############
628 632 [logger_root]
629 633 level = NOTSET
630 634 handlers = console
631 635
632 636 [logger_sqlalchemy]
633 637 level = INFO
634 638 handlers = console_sql
635 639 qualname = sqlalchemy.engine
636 640 propagate = 0
637 641
638 642 [logger_beaker]
639 643 level = DEBUG
640 644 handlers =
641 645 qualname = beaker.container
642 646 propagate = 1
643 647
644 648 [logger_rhodecode]
645 649 level = DEBUG
646 650 handlers =
647 651 qualname = rhodecode
648 652 propagate = 1
649 653
650 654 [logger_ssh_wrapper]
651 655 level = DEBUG
652 656 handlers =
653 657 qualname = ssh_wrapper
654 658 propagate = 1
655 659
656 660 [logger_celery]
657 661 level = DEBUG
658 662 handlers =
659 663 qualname = celery
660 664
661 665
662 666 ##############
663 667 ## HANDLERS ##
664 668 ##############
665 669
666 670 [handler_console]
667 671 class = StreamHandler
668 672 args = (sys.stderr, )
669 673 level = INFO
670 674 formatter = generic
671 675
672 676 [handler_console_sql]
673 677 # "level = DEBUG" logs SQL queries and results.
674 678 # "level = INFO" logs SQL queries.
675 679 # "level = WARN" logs neither. (Recommended for production systems.)
676 680 class = StreamHandler
677 681 args = (sys.stderr, )
678 682 level = WARN
679 683 formatter = generic
680 684
681 685 ################
682 686 ## FORMATTERS ##
683 687 ################
684 688
685 689 [formatter_generic]
686 690 class = rhodecode.lib.logging_formatter.ExceptionAwareFormatter
687 691 format = %(asctime)s.%(msecs)03d [%(process)d] %(levelname)-5.5s [%(name)s] %(message)s
688 692 datefmt = %Y-%m-%d %H:%M:%S
689 693
690 694 [formatter_color_formatter]
691 695 class = rhodecode.lib.logging_formatter.ColorFormatter
692 696 format = %(asctime)s.%(msecs)03d [%(process)d] %(levelname)-5.5s [%(name)s] %(message)s
693 697 datefmt = %Y-%m-%d %H:%M:%S
694 698
695 699 [formatter_color_formatter_sql]
696 700 class = rhodecode.lib.logging_formatter.ColorFormatterSql
697 701 format = %(asctime)s.%(msecs)03d [%(process)d] %(levelname)-5.5s [%(name)s] %(message)s
698 702 datefmt = %Y-%m-%d %H:%M:%S
@@ -1,140 +1,144 b''
1 1 .. _ssh-connection:
2 2
3 3 SSH Connection
4 4 --------------
5 5
6 6 If you wish to connect to your |repos| using SSH protocol, use the
7 7 following instructions.
8 8
9 9 1. Include |RCE| generated `authorized_keys` file into your sshd_config.
10 10
11 11 By default a file `authorized_keys_rhodecode` is created containing
12 12 configuration and all allowed user connection keys are stored inside.
13 13 On each change of stored keys inside |RCE| this file is updated with
14 14 proper data.
15 15
16 16 .. code-block:: bash
17 17
18 18 # Edit sshd_config file most likely at /etc/ssh/sshd_config
19 19 # add or edit the AuthorizedKeysFile, and set to use custom files
20 20
21 21 AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_rhodecode
22 22
23 23 This way we use a separate file for SSH access and separate one for
24 24 SSH access to |RCE| repositories.
25 25
26 26
27 27 2. Enable the SSH module on instance.
28 28
29 29 On the server where |RCE| is running executing:
30 30
31 31 .. code-block:: bash
32 32
33 33 rccontrol enable-module ssh {instance-id}
34 34
35 35 This will add the following configuration into :file:`rhodecode.ini`.
36 36 This also can be done manually:
37 37
38 38 .. code-block:: ini
39 39
40 40 ############################################################
41 41 ### SSH Support Settings ###
42 42 ############################################################
43 43
44 44 ## Defines if a custom authorized_keys file should be created and written on
45 45 ## any change user ssh keys. Setting this to false also disables posibility
46 46 ## of adding SSH keys by users from web interface. Super admins can still
47 47 ## manage SSH Keys.
48 48 ssh.generate_authorized_keyfile = true
49 49
50 50 ## Options for ssh, default is `no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding`
51 51 # ssh.authorized_keys_ssh_opts =
52 52
53 53 ## Path to the authrozied_keys file where the generate entries are placed.
54 54 ## It is possible to have multiple key files specified in `sshd_config` e.g.
55 55 ## AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_rhodecode
56 56 ssh.authorized_keys_file_path = ~/.ssh/authorized_keys_rhodecode
57 57
58 58 ## Command to execute the SSH wrapper. The binary is available in the
59 59 ## rhodecode installation directory.
60 60 ## e.g ~/.rccontrol/community-1/profile/bin/rc-ssh-wrapper
61 61 ssh.wrapper_cmd = ~/.rccontrol/community-1/rc-ssh-wrapper
62 62
63 63 ## Allow shell when executing the ssh-wrapper command
64 64 ssh.wrapper_cmd_allow_shell = false
65 65
66 66 ## Enables logging, and detailed output send back to the client during SSH
67 67 ## operations. Useful for debugging, shouldn't be used in production.
68 68 ssh.enable_debug_logging = false
69 69
70 70 ## Paths to binary executable, by default they are the names, but we can
71 71 ## override them if we want to use a custom one
72 72 ssh.executable.hg = ~/.rccontrol/vcsserver-1/profile/bin/hg
73 73 ssh.executable.git = ~/.rccontrol/vcsserver-1/profile/bin/git
74 74 ssh.executable.svn = ~/.rccontrol/vcsserver-1/profile/bin/svnserve
75 75
76 ## Enables SSH key generator web interface. Disabling this still allows users
77 ## to add their own keys.
78 ssh.enable_ui_key_generator = true
79
76 80
77 81 3. Set base_url for instance to enable proper event handling (Optional):
78 82
79 83 If you wish to have integrations working correctly via SSH please configure
80 84 The Application base_url.
81 85
82 86 Use the ``rccontrol status`` command to view instance details.
83 87 Hostname is required for the integration to properly set the instance URL.
84 88
85 89 When your hostname is known (e.g https://code.rhodecode.com) please set it
86 90 inside :file:`/home/{user}/.rccontrol/{instance-id}/rhodecode.ini`
87 91
88 92 add into `[app:main]` section the following configuration:
89 93
90 94 .. code-block:: ini
91 95
92 96 app.base_url = https://code.rhodecode.com
93 97
94 98
95 99 4. Add the public key to your user account for testing.
96 100 First generate a new key, or use your existing one and have your public key
97 101 at hand.
98 102
99 103 Go to
100 104 :menuselection:`My Account --> SSH Keys` and add the public key with proper description.
101 105
102 106 This will generate a new entry inside our configured `authorized_keys_rhodecode` file.
103 107
104 108 Test the connection from your local machine using the following example:
105 109
106 110 .. note::
107 111
108 112 In case of connection problems please set
109 113 `ssh.enable_debug_logging = true` inside the SSH configuration of
110 114 :file:`/home/{user}/.rccontrol/{instance-id}/rhodecode.ini`
111 115 Then add, remove your SSH key and try connecting again.
112 116 Debug logging will be printed to help find the problems on the server side.
113 117
114 118 Test connection using the ssh command from the local machine. Make sure
115 119 to use the use who is running the |RCE| server, and not your username from
116 120 the web interface.
117 121
118 122
119 123 For SVN:
120 124
121 125 .. code-block:: bash
122 126
123 127 SVN_SSH="ssh -i ~/.ssh/id_rsa_test_ssh_private.key" svn checkout svn+ssh://rhodecode@rc-server/repo_name
124 128
125 129 For GIT:
126 130
127 131 .. code-block:: bash
128 132
129 133 GIT_SSH_COMMAND='ssh -i ~/.ssh/id_rsa_test_ssh_private.key' git clone ssh://rhodecode@rc-server/repo_name
130 134
131 135 For Mercurial:
132 136
133 137 .. code-block:: bash
134 138
135 139 Add to hgrc:
136 140
137 141 [ui]
138 142 ssh = ssh -C -i ~/.ssh/id_rsa_test_ssh_private.key
139 143
140 144 hg clone ssh://rhodecode@rc-server/repo_name
@@ -1,155 +1,156 b''
1 1 # -*- coding: utf-8 -*-
2 2
3 3 # Copyright (C) 2016-2019 RhodeCode GmbH
4 4 #
5 5 # This program is free software: you can redistribute it and/or modify
6 6 # it under the terms of the GNU Affero General Public License, version 3
7 7 # (only), as published by the Free Software Foundation.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU Affero General Public License
15 15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 16 #
17 17 # This program is dual-licensed. If you wish to learn more about the
18 18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20 20
21 21 import logging
22 22
23 23 from pyramid.httpexceptions import HTTPFound
24 24 from pyramid.view import view_config
25 25
26 26 from rhodecode.apps._base import BaseAppView, DataGridAppView
27 27 from rhodecode.apps.ssh_support import SshKeyFileChangeEvent
28 28 from rhodecode.events import trigger
29 29 from rhodecode.lib import helpers as h
30 30 from rhodecode.lib import audit_logger
31 31 from rhodecode.lib.auth import LoginRequired, NotAnonymous, CSRFRequired
32 32 from rhodecode.model.db import IntegrityError, UserSshKeys
33 33 from rhodecode.model.meta import Session
34 34 from rhodecode.model.ssh_key import SshKeyModel
35 35
36 36 log = logging.getLogger(__name__)
37 37
38 38
39 39 class MyAccountSshKeysView(BaseAppView, DataGridAppView):
40 40
41 41 def load_default_context(self):
42 42 c = self._get_local_tmpl_context()
43 43 c.user = c.auth_user.get_instance()
44 44
45 45 c.ssh_enabled = self.request.registry.settings.get(
46 46 'ssh.generate_authorized_keyfile')
47 47
48 48 return c
49 49
50 50 @LoginRequired()
51 51 @NotAnonymous()
52 52 @view_config(
53 53 route_name='my_account_ssh_keys', request_method='GET',
54 54 renderer='rhodecode:templates/admin/my_account/my_account.mako')
55 55 def my_account_ssh_keys(self):
56 56 _ = self.request.translate
57 57
58 58 c = self.load_default_context()
59 59 c.active = 'ssh_keys'
60 60 c.default_key = self.request.GET.get('default_key')
61 61 c.user_ssh_keys = SshKeyModel().get_ssh_keys(c.user.user_id)
62 62 return self._get_template_context(c)
63 63
64 64 @LoginRequired()
65 65 @NotAnonymous()
66 66 @view_config(
67 67 route_name='my_account_ssh_keys_generate', request_method='GET',
68 68 renderer='rhodecode:templates/admin/my_account/my_account.mako')
69 69 def ssh_keys_generate_keypair(self):
70 70 _ = self.request.translate
71 71 c = self.load_default_context()
72 72
73 73 c.active = 'ssh_keys_generate'
74 comment = 'RhodeCode-SSH {}'.format(c.user.email or '')
75 c.private, c.public = SshKeyModel().generate_keypair(comment=comment)
76 c.target_form_url = h.route_path(
77 'my_account_ssh_keys', _query=dict(default_key=c.public))
74 if c.ssh_key_generator_enabled:
75 comment = 'RhodeCode-SSH {}'.format(c.user.email or '')
76 c.private, c.public = SshKeyModel().generate_keypair(comment=comment)
77 c.target_form_url = h.route_path(
78 'my_account_ssh_keys', _query=dict(default_key=c.public))
78 79 return self._get_template_context(c)
79 80
80 81 @LoginRequired()
81 82 @NotAnonymous()
82 83 @CSRFRequired()
83 84 @view_config(
84 85 route_name='my_account_ssh_keys_add', request_method='POST',)
85 86 def my_account_ssh_keys_add(self):
86 87 _ = self.request.translate
87 88 c = self.load_default_context()
88 89
89 90 user_data = c.user.get_api_data()
90 91 key_data = self.request.POST.get('key_data')
91 92 description = self.request.POST.get('description')
92 93 fingerprint = 'unknown'
93 94 try:
94 95 if not key_data:
95 96 raise ValueError('Please add a valid public key')
96 97
97 98 key = SshKeyModel().parse_key(key_data.strip())
98 99 fingerprint = key.hash_md5()
99 100
100 101 ssh_key = SshKeyModel().create(
101 102 c.user.user_id, fingerprint, key.keydata, description)
102 103 ssh_key_data = ssh_key.get_api_data()
103 104
104 105 audit_logger.store_web(
105 106 'user.edit.ssh_key.add', action_data={
106 107 'data': {'ssh_key': ssh_key_data, 'user': user_data}},
107 108 user=self._rhodecode_user, )
108 109 Session().commit()
109 110
110 111 # Trigger an event on change of keys.
111 112 trigger(SshKeyFileChangeEvent(), self.request.registry)
112 113
113 114 h.flash(_("Ssh Key successfully created"), category='success')
114 115
115 116 except IntegrityError:
116 117 log.exception("Exception during ssh key saving")
117 118 err = 'Such key with fingerprint `{}` already exists, ' \
118 119 'please use a different one'.format(fingerprint)
119 120 h.flash(_('An error occurred during ssh key saving: {}').format(err),
120 121 category='error')
121 122 except Exception as e:
122 123 log.exception("Exception during ssh key saving")
123 124 h.flash(_('An error occurred during ssh key saving: {}').format(e),
124 125 category='error')
125 126
126 127 return HTTPFound(h.route_path('my_account_ssh_keys'))
127 128
128 129 @LoginRequired()
129 130 @NotAnonymous()
130 131 @CSRFRequired()
131 132 @view_config(
132 133 route_name='my_account_ssh_keys_delete', request_method='POST')
133 134 def my_account_ssh_keys_delete(self):
134 135 _ = self.request.translate
135 136 c = self.load_default_context()
136 137
137 138 user_data = c.user.get_api_data()
138 139
139 140 del_ssh_key = self.request.POST.get('del_ssh_key')
140 141
141 142 if del_ssh_key:
142 143 ssh_key = UserSshKeys.get_or_404(del_ssh_key)
143 144 ssh_key_data = ssh_key.get_api_data()
144 145
145 146 SshKeyModel().delete(del_ssh_key, c.user.user_id)
146 147 audit_logger.store_web(
147 148 'user.edit.ssh_key.delete', action_data={
148 149 'data': {'ssh_key': ssh_key_data, 'user': user_data}},
149 150 user=self._rhodecode_user,)
150 151 Session().commit()
151 152 # Trigger an event on change of keys.
152 153 trigger(SshKeyFileChangeEvent(), self.request.registry)
153 154 h.flash(_("Ssh key successfully deleted"), category='success')
154 155
155 156 return HTTPFound(h.route_path('my_account_ssh_keys'))
@@ -1,66 +1,67 b''
1 1 # -*- coding: utf-8 -*-
2 2
3 3 # Copyright (C) 2016-2019 RhodeCode GmbH
4 4 #
5 5 # This program is free software: you can redistribute it and/or modify
6 6 # it under the terms of the GNU Affero General Public License, version 3
7 7 # (only), as published by the Free Software Foundation.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU Affero General Public License
15 15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 16 #
17 17 # This program is dual-licensed. If you wish to learn more about the
18 18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20 20
21 21 import logging
22 22
23 23 from . import config_keys
24 24 from .events import SshKeyFileChangeEvent
25 25 from .subscribers import generate_ssh_authorized_keys_file_subscriber
26 26
27 27 from rhodecode.config.middleware import _bool_setting, _string_setting
28 28
29 29 log = logging.getLogger(__name__)
30 30
31 31
32 32 def _sanitize_settings_and_apply_defaults(settings):
33 33 """
34 34 Set defaults, convert to python types and validate settings.
35 35 """
36 36 _bool_setting(settings, config_keys.generate_authorized_keyfile, 'false')
37 37 _bool_setting(settings, config_keys.wrapper_allow_shell, 'false')
38 38 _bool_setting(settings, config_keys.enable_debug_logging, 'false')
39 _bool_setting(settings, config_keys.ssh_key_generator_enabled, 'true')
39 40
40 41 _string_setting(settings, config_keys.authorized_keys_file_path,
41 42 '~/.ssh/authorized_keys_rhodecode',
42 43 lower=False)
43 44 _string_setting(settings, config_keys.wrapper_cmd, '',
44 45 lower=False)
45 46 _string_setting(settings, config_keys.authorized_keys_line_ssh_opts, '',
46 47 lower=False)
47 48
48 49 _string_setting(settings, config_keys.ssh_hg_bin,
49 50 '~/.rccontrol/vcsserver-1/profile/bin/hg',
50 51 lower=False)
51 52 _string_setting(settings, config_keys.ssh_git_bin,
52 53 '~/.rccontrol/vcsserver-1/profile/bin/git',
53 54 lower=False)
54 55 _string_setting(settings, config_keys.ssh_svn_bin,
55 56 '~/.rccontrol/vcsserver-1/profile/bin/svnserve',
56 57 lower=False)
57 58
58 59
59 60 def includeme(config):
60 61 settings = config.registry.settings
61 62 _sanitize_settings_and_apply_defaults(settings)
62 63
63 64 # if we have enable generation of file, subscribe to event
64 65 if settings[config_keys.generate_authorized_keyfile]:
65 66 config.add_subscriber(
66 67 generate_ssh_authorized_keys_file_subscriber, SshKeyFileChangeEvent)
@@ -1,33 +1,34 b''
1 1 # -*- coding: utf-8 -*-
2 2
3 3 # Copyright (C) 2016-2019 RhodeCode GmbH
4 4 #
5 5 # This program is free software: you can redistribute it and/or modify
6 6 # it under the terms of the GNU Affero General Public License, version 3
7 7 # (only), as published by the Free Software Foundation.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU Affero General Public License
15 15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 16 #
17 17 # This program is dual-licensed. If you wish to learn more about the
18 18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20 20
21 21
22 22 # Definition of setting keys used to configure this module. Defined here to
23 23 # avoid repetition of keys throughout the module.
24 24 generate_authorized_keyfile = 'ssh.generate_authorized_keyfile'
25 25 authorized_keys_file_path = 'ssh.authorized_keys_file_path'
26 26 authorized_keys_line_ssh_opts = 'ssh.authorized_keys_ssh_opts'
27 ssh_key_generator_enabled = 'ssh.enable_ui_key_generator'
27 28 wrapper_cmd = 'ssh.wrapper_cmd'
28 29 wrapper_allow_shell = 'ssh.wrapper_cmd_allow_shell'
29 30 enable_debug_logging = 'ssh.enable_debug_logging'
30 31
31 32 ssh_hg_bin = 'ssh.executable.hg'
32 33 ssh_git_bin = 'ssh.executable.git'
33 34 ssh_svn_bin = 'ssh.executable.svn'
@@ -1,582 +1,584 b''
1 1 # -*- coding: utf-8 -*-
2 2
3 3 # Copyright (C) 2010-2019 RhodeCode GmbH
4 4 #
5 5 # This program is free software: you can redistribute it and/or modify
6 6 # it under the terms of the GNU Affero General Public License, version 3
7 7 # (only), as published by the Free Software Foundation.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU Affero General Public License
15 15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 16 #
17 17 # This program is dual-licensed. If you wish to learn more about the
18 18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20 20
21 21 """
22 22 The base Controller API
23 23 Provides the BaseController class for subclassing. And usage in different
24 24 controllers
25 25 """
26 26
27 27 import logging
28 28 import socket
29 29
30 30 import markupsafe
31 31 import ipaddress
32 32
33 33 from paste.auth.basic import AuthBasicAuthenticator
34 34 from paste.httpexceptions import HTTPUnauthorized, HTTPForbidden, get_exception
35 35 from paste.httpheaders import WWW_AUTHENTICATE, AUTHORIZATION
36 36
37 37 import rhodecode
38 38 from rhodecode.apps._base import TemplateArgs
39 39 from rhodecode.authentication.base import VCS_TYPE
40 40 from rhodecode.lib import auth, utils2
41 41 from rhodecode.lib import helpers as h
42 42 from rhodecode.lib.auth import AuthUser, CookieStoreWrapper
43 43 from rhodecode.lib.exceptions import UserCreationError
44 44 from rhodecode.lib.utils import (password_changed, get_enabled_hook_classes)
45 45 from rhodecode.lib.utils2 import (
46 46 str2bool, safe_unicode, AttributeDict, safe_int, sha1, aslist, safe_str)
47 47 from rhodecode.model.db import Repository, User, ChangesetComment, UserBookmark
48 48 from rhodecode.model.notification import NotificationModel
49 49 from rhodecode.model.settings import VcsSettingsModel, SettingsModel
50 50
51 51 log = logging.getLogger(__name__)
52 52
53 53
54 54 def _filter_proxy(ip):
55 55 """
56 56 Passed in IP addresses in HEADERS can be in a special format of multiple
57 57 ips. Those comma separated IPs are passed from various proxies in the
58 58 chain of request processing. The left-most being the original client.
59 59 We only care about the first IP which came from the org. client.
60 60
61 61 :param ip: ip string from headers
62 62 """
63 63 if ',' in ip:
64 64 _ips = ip.split(',')
65 65 _first_ip = _ips[0].strip()
66 66 log.debug('Got multiple IPs %s, using %s', ','.join(_ips), _first_ip)
67 67 return _first_ip
68 68 return ip
69 69
70 70
71 71 def _filter_port(ip):
72 72 """
73 73 Removes a port from ip, there are 4 main cases to handle here.
74 74 - ipv4 eg. 127.0.0.1
75 75 - ipv6 eg. ::1
76 76 - ipv4+port eg. 127.0.0.1:8080
77 77 - ipv6+port eg. [::1]:8080
78 78
79 79 :param ip:
80 80 """
81 81 def is_ipv6(ip_addr):
82 82 if hasattr(socket, 'inet_pton'):
83 83 try:
84 84 socket.inet_pton(socket.AF_INET6, ip_addr)
85 85 except socket.error:
86 86 return False
87 87 else:
88 88 # fallback to ipaddress
89 89 try:
90 90 ipaddress.IPv6Address(safe_unicode(ip_addr))
91 91 except Exception:
92 92 return False
93 93 return True
94 94
95 95 if ':' not in ip: # must be ipv4 pure ip
96 96 return ip
97 97
98 98 if '[' in ip and ']' in ip: # ipv6 with port
99 99 return ip.split(']')[0][1:].lower()
100 100
101 101 # must be ipv6 or ipv4 with port
102 102 if is_ipv6(ip):
103 103 return ip
104 104 else:
105 105 ip, _port = ip.split(':')[:2] # means ipv4+port
106 106 return ip
107 107
108 108
109 109 def get_ip_addr(environ):
110 110 proxy_key = 'HTTP_X_REAL_IP'
111 111 proxy_key2 = 'HTTP_X_FORWARDED_FOR'
112 112 def_key = 'REMOTE_ADDR'
113 113 _filters = lambda x: _filter_port(_filter_proxy(x))
114 114
115 115 ip = environ.get(proxy_key)
116 116 if ip:
117 117 return _filters(ip)
118 118
119 119 ip = environ.get(proxy_key2)
120 120 if ip:
121 121 return _filters(ip)
122 122
123 123 ip = environ.get(def_key, '0.0.0.0')
124 124 return _filters(ip)
125 125
126 126
127 127 def get_server_ip_addr(environ, log_errors=True):
128 128 hostname = environ.get('SERVER_NAME')
129 129 try:
130 130 return socket.gethostbyname(hostname)
131 131 except Exception as e:
132 132 if log_errors:
133 133 # in some cases this lookup is not possible, and we don't want to
134 134 # make it an exception in logs
135 135 log.exception('Could not retrieve server ip address: %s', e)
136 136 return hostname
137 137
138 138
139 139 def get_server_port(environ):
140 140 return environ.get('SERVER_PORT')
141 141
142 142
143 143 def get_access_path(environ):
144 144 path = environ.get('PATH_INFO')
145 145 org_req = environ.get('pylons.original_request')
146 146 if org_req:
147 147 path = org_req.environ.get('PATH_INFO')
148 148 return path
149 149
150 150
151 151 def get_user_agent(environ):
152 152 return environ.get('HTTP_USER_AGENT')
153 153
154 154
155 155 def vcs_operation_context(
156 156 environ, repo_name, username, action, scm, check_locking=True,
157 157 is_shadow_repo=False, check_branch_perms=False, detect_force_push=False):
158 158 """
159 159 Generate the context for a vcs operation, e.g. push or pull.
160 160
161 161 This context is passed over the layers so that hooks triggered by the
162 162 vcs operation know details like the user, the user's IP address etc.
163 163
164 164 :param check_locking: Allows to switch of the computation of the locking
165 165 data. This serves mainly the need of the simplevcs middleware to be
166 166 able to disable this for certain operations.
167 167
168 168 """
169 169 # Tri-state value: False: unlock, None: nothing, True: lock
170 170 make_lock = None
171 171 locked_by = [None, None, None]
172 172 is_anonymous = username == User.DEFAULT_USER
173 173 user = User.get_by_username(username)
174 174 if not is_anonymous and check_locking:
175 175 log.debug('Checking locking on repository "%s"', repo_name)
176 176 repo = Repository.get_by_repo_name(repo_name)
177 177 make_lock, __, locked_by = repo.get_locking_state(
178 178 action, user.user_id)
179 179 user_id = user.user_id
180 180 settings_model = VcsSettingsModel(repo=repo_name)
181 181 ui_settings = settings_model.get_ui_settings()
182 182
183 183 # NOTE(marcink): This should be also in sync with
184 184 # rhodecode/apps/ssh_support/lib/backends/base.py:update_environment scm_data
185 185 store = [x for x in ui_settings if x.key == '/']
186 186 repo_store = ''
187 187 if store:
188 188 repo_store = store[0].value
189 189
190 190 scm_data = {
191 191 'ip': get_ip_addr(environ),
192 192 'username': username,
193 193 'user_id': user_id,
194 194 'action': action,
195 195 'repository': repo_name,
196 196 'scm': scm,
197 197 'config': rhodecode.CONFIG['__file__'],
198 198 'repo_store': repo_store,
199 199 'make_lock': make_lock,
200 200 'locked_by': locked_by,
201 201 'server_url': utils2.get_server_url(environ),
202 202 'user_agent': get_user_agent(environ),
203 203 'hooks': get_enabled_hook_classes(ui_settings),
204 204 'is_shadow_repo': is_shadow_repo,
205 205 'detect_force_push': detect_force_push,
206 206 'check_branch_perms': check_branch_perms,
207 207 }
208 208 return scm_data
209 209
210 210
211 211 class BasicAuth(AuthBasicAuthenticator):
212 212
213 213 def __init__(self, realm, authfunc, registry, auth_http_code=None,
214 214 initial_call_detection=False, acl_repo_name=None):
215 215 self.realm = realm
216 216 self.initial_call = initial_call_detection
217 217 self.authfunc = authfunc
218 218 self.registry = registry
219 219 self.acl_repo_name = acl_repo_name
220 220 self._rc_auth_http_code = auth_http_code
221 221
222 222 def _get_response_from_code(self, http_code):
223 223 try:
224 224 return get_exception(safe_int(http_code))
225 225 except Exception:
226 226 log.exception('Failed to fetch response for code %s', http_code)
227 227 return HTTPForbidden
228 228
229 229 def get_rc_realm(self):
230 230 return safe_str(self.registry.rhodecode_settings.get('rhodecode_realm'))
231 231
232 232 def build_authentication(self):
233 233 head = WWW_AUTHENTICATE.tuples('Basic realm="%s"' % self.realm)
234 234 if self._rc_auth_http_code and not self.initial_call:
235 235 # return alternative HTTP code if alternative http return code
236 236 # is specified in RhodeCode config, but ONLY if it's not the
237 237 # FIRST call
238 238 custom_response_klass = self._get_response_from_code(
239 239 self._rc_auth_http_code)
240 240 return custom_response_klass(headers=head)
241 241 return HTTPUnauthorized(headers=head)
242 242
243 243 def authenticate(self, environ):
244 244 authorization = AUTHORIZATION(environ)
245 245 if not authorization:
246 246 return self.build_authentication()
247 247 (authmeth, auth) = authorization.split(' ', 1)
248 248 if 'basic' != authmeth.lower():
249 249 return self.build_authentication()
250 250 auth = auth.strip().decode('base64')
251 251 _parts = auth.split(':', 1)
252 252 if len(_parts) == 2:
253 253 username, password = _parts
254 254 auth_data = self.authfunc(
255 255 username, password, environ, VCS_TYPE,
256 256 registry=self.registry, acl_repo_name=self.acl_repo_name)
257 257 if auth_data:
258 258 return {'username': username, 'auth_data': auth_data}
259 259 if username and password:
260 260 # we mark that we actually executed authentication once, at
261 261 # that point we can use the alternative auth code
262 262 self.initial_call = False
263 263
264 264 return self.build_authentication()
265 265
266 266 __call__ = authenticate
267 267
268 268
269 269 def calculate_version_hash(config):
270 270 return sha1(
271 271 config.get('beaker.session.secret', '') +
272 272 rhodecode.__version__)[:8]
273 273
274 274
275 275 def get_current_lang(request):
276 276 # NOTE(marcink): remove after pyramid move
277 277 try:
278 278 return translation.get_lang()[0]
279 279 except:
280 280 pass
281 281
282 282 return getattr(request, '_LOCALE_', request.locale_name)
283 283
284 284
285 285 def attach_context_attributes(context, request, user_id=None):
286 286 """
287 287 Attach variables into template context called `c`.
288 288 """
289 289 config = request.registry.settings
290 290
291 291
292 292 rc_config = SettingsModel().get_all_settings(cache=True)
293 293
294 294 context.rhodecode_version = rhodecode.__version__
295 295 context.rhodecode_edition = config.get('rhodecode.edition')
296 296 # unique secret + version does not leak the version but keep consistency
297 297 context.rhodecode_version_hash = calculate_version_hash(config)
298 298
299 299 # Default language set for the incoming request
300 300 context.language = get_current_lang(request)
301 301
302 302 # Visual options
303 303 context.visual = AttributeDict({})
304 304
305 305 # DB stored Visual Items
306 306 context.visual.show_public_icon = str2bool(
307 307 rc_config.get('rhodecode_show_public_icon'))
308 308 context.visual.show_private_icon = str2bool(
309 309 rc_config.get('rhodecode_show_private_icon'))
310 310 context.visual.stylify_metatags = str2bool(
311 311 rc_config.get('rhodecode_stylify_metatags'))
312 312 context.visual.dashboard_items = safe_int(
313 313 rc_config.get('rhodecode_dashboard_items', 100))
314 314 context.visual.admin_grid_items = safe_int(
315 315 rc_config.get('rhodecode_admin_grid_items', 100))
316 316 context.visual.show_revision_number = str2bool(
317 317 rc_config.get('rhodecode_show_revision_number', True))
318 318 context.visual.show_sha_length = safe_int(
319 319 rc_config.get('rhodecode_show_sha_length', 100))
320 320 context.visual.repository_fields = str2bool(
321 321 rc_config.get('rhodecode_repository_fields'))
322 322 context.visual.show_version = str2bool(
323 323 rc_config.get('rhodecode_show_version'))
324 324 context.visual.use_gravatar = str2bool(
325 325 rc_config.get('rhodecode_use_gravatar'))
326 326 context.visual.gravatar_url = rc_config.get('rhodecode_gravatar_url')
327 327 context.visual.default_renderer = rc_config.get(
328 328 'rhodecode_markup_renderer', 'rst')
329 329 context.visual.comment_types = ChangesetComment.COMMENT_TYPES
330 330 context.visual.rhodecode_support_url = \
331 331 rc_config.get('rhodecode_support_url') or h.route_url('rhodecode_support')
332 332
333 333 context.visual.affected_files_cut_off = 60
334 334
335 335 context.pre_code = rc_config.get('rhodecode_pre_code')
336 336 context.post_code = rc_config.get('rhodecode_post_code')
337 337 context.rhodecode_name = rc_config.get('rhodecode_title')
338 338 context.default_encodings = aslist(config.get('default_encoding'), sep=',')
339 339 # if we have specified default_encoding in the request, it has more
340 340 # priority
341 341 if request.GET.get('default_encoding'):
342 342 context.default_encodings.insert(0, request.GET.get('default_encoding'))
343 343 context.clone_uri_tmpl = rc_config.get('rhodecode_clone_uri_tmpl')
344 344 context.clone_uri_ssh_tmpl = rc_config.get('rhodecode_clone_uri_ssh_tmpl')
345 345
346 346 # INI stored
347 347 context.labs_active = str2bool(
348 348 config.get('labs_settings_active', 'false'))
349 349 context.ssh_enabled = str2bool(
350 350 config.get('ssh.generate_authorized_keyfile', 'false'))
351 context.ssh_key_generator_enabled = str2bool(
352 config.get('ssh.enable_ui_key_generator', 'true'))
351 353
352 354 context.visual.allow_repo_location_change = str2bool(
353 355 config.get('allow_repo_location_change', True))
354 356 context.visual.allow_custom_hooks_settings = str2bool(
355 357 config.get('allow_custom_hooks_settings', True))
356 358 context.debug_style = str2bool(config.get('debug_style', False))
357 359
358 360 context.rhodecode_instanceid = config.get('instance_id')
359 361
360 362 context.visual.cut_off_limit_diff = safe_int(
361 363 config.get('cut_off_limit_diff'))
362 364 context.visual.cut_off_limit_file = safe_int(
363 365 config.get('cut_off_limit_file'))
364 366
365 367 # AppEnlight
366 368 context.appenlight_enabled = str2bool(config.get('appenlight', 'false'))
367 369 context.appenlight_api_public_key = config.get(
368 370 'appenlight.api_public_key', '')
369 371 context.appenlight_server_url = config.get('appenlight.server_url', '')
370 372
371 373 diffmode = {
372 374 "unified": "unified",
373 375 "sideside": "sideside"
374 376 }.get(request.GET.get('diffmode'))
375 377
376 378 if diffmode and diffmode != request.session.get('rc_user_session_attr.diffmode'):
377 379 request.session['rc_user_session_attr.diffmode'] = diffmode
378 380
379 381 # session settings per user
380 382 session_attrs = {
381 383 # defaults
382 384 "clone_url_format": "http",
383 385 "diffmode": "sideside"
384 386 }
385 387 for k, v in request.session.items():
386 388 pref = 'rc_user_session_attr.'
387 389 if k and k.startswith(pref):
388 390 k = k[len(pref):]
389 391 session_attrs[k] = v
390 392
391 393 context.user_session_attrs = session_attrs
392 394
393 395 # JS template context
394 396 context.template_context = {
395 397 'repo_name': None,
396 398 'repo_type': None,
397 399 'repo_landing_commit': None,
398 400 'rhodecode_user': {
399 401 'username': None,
400 402 'email': None,
401 403 'notification_status': False
402 404 },
403 405 'session_attrs': session_attrs,
404 406 'visual': {
405 407 'default_renderer': None
406 408 },
407 409 'commit_data': {
408 410 'commit_id': None
409 411 },
410 412 'pull_request_data': {'pull_request_id': None},
411 413 'timeago': {
412 414 'refresh_time': 120 * 1000,
413 415 'cutoff_limit': 1000 * 60 * 60 * 24 * 7
414 416 },
415 417 'pyramid_dispatch': {
416 418
417 419 },
418 420 'extra': {'plugins': {}}
419 421 }
420 422 # END CONFIG VARS
421 423
422 424 context.csrf_token = auth.get_csrf_token(session=request.session)
423 425 context.backends = rhodecode.BACKENDS.keys()
424 426 context.backends.sort()
425 427 unread_count = 0
426 428 user_bookmark_list = []
427 429 if user_id:
428 430 unread_count = NotificationModel().get_unread_cnt_for_user(user_id)
429 431 user_bookmark_list = UserBookmark.get_bookmarks_for_user(user_id)
430 432 context.unread_notifications = unread_count
431 433 context.bookmark_items = user_bookmark_list
432 434
433 435 # web case
434 436 if hasattr(request, 'user'):
435 437 context.auth_user = request.user
436 438 context.rhodecode_user = request.user
437 439
438 440 # api case
439 441 if hasattr(request, 'rpc_user'):
440 442 context.auth_user = request.rpc_user
441 443 context.rhodecode_user = request.rpc_user
442 444
443 445 # attach the whole call context to the request
444 446 request.call_context = context
445 447
446 448
447 449 def get_auth_user(request):
448 450 environ = request.environ
449 451 session = request.session
450 452
451 453 ip_addr = get_ip_addr(environ)
452 454 # make sure that we update permissions each time we call controller
453 455 _auth_token = (request.GET.get('auth_token', '') or
454 456 request.GET.get('api_key', ''))
455 457
456 458 if _auth_token:
457 459 # when using API_KEY we assume user exists, and
458 460 # doesn't need auth based on cookies.
459 461 auth_user = AuthUser(api_key=_auth_token, ip_addr=ip_addr)
460 462 authenticated = False
461 463 else:
462 464 cookie_store = CookieStoreWrapper(session.get('rhodecode_user'))
463 465 try:
464 466 auth_user = AuthUser(user_id=cookie_store.get('user_id', None),
465 467 ip_addr=ip_addr)
466 468 except UserCreationError as e:
467 469 h.flash(e, 'error')
468 470 # container auth or other auth functions that create users
469 471 # on the fly can throw this exception signaling that there's
470 472 # issue with user creation, explanation should be provided
471 473 # in Exception itself. We then create a simple blank
472 474 # AuthUser
473 475 auth_user = AuthUser(ip_addr=ip_addr)
474 476
475 477 # in case someone changes a password for user it triggers session
476 478 # flush and forces a re-login
477 479 if password_changed(auth_user, session):
478 480 session.invalidate()
479 481 cookie_store = CookieStoreWrapper(session.get('rhodecode_user'))
480 482 auth_user = AuthUser(ip_addr=ip_addr)
481 483
482 484 authenticated = cookie_store.get('is_authenticated')
483 485
484 486 if not auth_user.is_authenticated and auth_user.is_user_object:
485 487 # user is not authenticated and not empty
486 488 auth_user.set_authenticated(authenticated)
487 489
488 490 return auth_user
489 491
490 492
491 493 def h_filter(s):
492 494 """
493 495 Custom filter for Mako templates. Mako by standard uses `markupsafe.escape`
494 496 we wrap this with additional functionality that converts None to empty
495 497 strings
496 498 """
497 499 if s is None:
498 500 return markupsafe.Markup()
499 501 return markupsafe.escape(s)
500 502
501 503
502 504 def add_events_routes(config):
503 505 """
504 506 Adds routing that can be used in events. Because some events are triggered
505 507 outside of pyramid context, we need to bootstrap request with some
506 508 routing registered
507 509 """
508 510
509 511 from rhodecode.apps._base import ADMIN_PREFIX
510 512
511 513 config.add_route(name='home', pattern='/')
512 514
513 515 config.add_route(name='login', pattern=ADMIN_PREFIX + '/login')
514 516 config.add_route(name='logout', pattern=ADMIN_PREFIX + '/logout')
515 517 config.add_route(name='repo_summary', pattern='/{repo_name}')
516 518 config.add_route(name='repo_summary_explicit', pattern='/{repo_name}/summary')
517 519 config.add_route(name='repo_group_home', pattern='/{repo_group_name}')
518 520
519 521 config.add_route(name='pullrequest_show',
520 522 pattern='/{repo_name}/pull-request/{pull_request_id}')
521 523 config.add_route(name='pull_requests_global',
522 524 pattern='/pull-request/{pull_request_id}')
523 525 config.add_route(name='repo_commit',
524 526 pattern='/{repo_name}/changeset/{commit_id}')
525 527
526 528 config.add_route(name='repo_files',
527 529 pattern='/{repo_name}/files/{commit_id}/{f_path}')
528 530
529 531
530 532 def bootstrap_config(request):
531 533 import pyramid.testing
532 534 registry = pyramid.testing.Registry('RcTestRegistry')
533 535
534 536 config = pyramid.testing.setUp(registry=registry, request=request)
535 537
536 538 # allow pyramid lookup in testing
537 539 config.include('pyramid_mako')
538 540 config.include('pyramid_beaker')
539 541 config.include('rhodecode.lib.rc_cache')
540 542
541 543 add_events_routes(config)
542 544
543 545 return config
544 546
545 547
546 548 def bootstrap_request(**kwargs):
547 549 import pyramid.testing
548 550
549 551 class TestRequest(pyramid.testing.DummyRequest):
550 552 application_url = kwargs.pop('application_url', 'http://example.com')
551 553 host = kwargs.pop('host', 'example.com:80')
552 554 domain = kwargs.pop('domain', 'example.com')
553 555
554 556 def translate(self, msg):
555 557 return msg
556 558
557 559 def plularize(self, singular, plural, n):
558 560 return singular
559 561
560 562 def get_partial_renderer(self, tmpl_name):
561 563
562 564 from rhodecode.lib.partial_renderer import get_partial_renderer
563 565 return get_partial_renderer(request=self, tmpl_name=tmpl_name)
564 566
565 567 _call_context = TemplateArgs()
566 568 _call_context.visual = TemplateArgs()
567 569 _call_context.visual.show_sha_length = 12
568 570 _call_context.visual.show_revision_number = True
569 571
570 572 @property
571 573 def call_context(self):
572 574 return self._call_context
573 575
574 576 class TestDummySession(pyramid.testing.DummySession):
575 577 def save(*arg, **kw):
576 578 pass
577 579
578 580 request = TestRequest(**kwargs)
579 581 request.session = TestDummySession()
580 582
581 583 return request
582 584
@@ -1,89 +1,91 b''
1 1 <div class="panel panel-default">
2 2 <div class="panel-heading">
3 3 <h3 class="panel-title">${_('SSH Keys')}</h3>
4 4 </div>
5 5 <div class="panel-body">
6 6 <div class="sshkeys_wrap">
7 7 <table class="rctable ssh_keys">
8 8 <tr>
9 9 <th>${_('Fingerprint')}</th>
10 10 <th>${_('Description')}</th>
11 11 <th>${_('Created on')}</th>
12 12 <th>${_('Accessed on')}</th>
13 13 <th>${_('Action')}</th>
14 14 </tr>
15 15 % if not c.ssh_enabled:
16 16 <tr><td colspan="4"><div class="">${_('SSH Keys usage is currently disabled, please ask your administrator to enable them.')}</div></td></tr>
17 17 % else:
18 18 %if c.user_ssh_keys:
19 19 %for ssh_key in c.user_ssh_keys:
20 20 <tr class="">
21 21 <td class="">
22 22 <code>${ssh_key.ssh_key_fingerprint}</code>
23 23 </td>
24 24 <td class="td-wrap">${ssh_key.description}</td>
25 25 <td class="td-tags">${h.format_date(ssh_key.created_on)}</td>
26 26 <td class="td-tags">${h.format_date(ssh_key.accessed_on)}</td>
27 27
28 28 <td class="td-action">
29 29 ${h.secure_form(h.route_path('my_account_ssh_keys_delete'), request=request)}
30 30 ${h.hidden('del_ssh_key', ssh_key.ssh_key_id)}
31 31 <button class="btn btn-link btn-danger" type="submit"
32 32 onclick="return confirm('${_('Confirm to remove ssh key %s') % ssh_key.ssh_key_fingerprint}');">
33 33 ${_('Delete')}
34 34 </button>
35 35 ${h.end_form()}
36 36 </td>
37 37 </tr>
38 38 %endfor
39 39 %else:
40 40 <tr><td colspan="4"><div class="">${_('No additional ssh keys specified')}</div></td></tr>
41 41 %endif
42 42 % endif
43 43 </table>
44 44 </div>
45 45
46 46 % if c.ssh_enabled:
47 47 <div class="user_ssh_keys">
48 48 ${h.secure_form(h.route_path('my_account_ssh_keys_add'), request=request)}
49 49 <div class="form form-vertical">
50 50 <!-- fields -->
51 51 <div class="fields">
52 52 <div class="field">
53 53 <div class="label">
54 54 <label for="new_email">${_('New ssh key')}:</label>
55 55 </div>
56 56 <div class="input">
57 57 ${h.text('description', class_='medium', placeholder=_('Description'))}
58 <a href="${h.route_path('my_account_ssh_keys_generate')}">${_('Generate random RSA key')}</a>
58 % if c.ssh_key_generator_enabled:
59 <a href="${h.route_path('my_account_ssh_keys_generate')}">${_('Generate random RSA key')}</a>
60 % endif
59 61 </div>
60 62 </div>
61 63
62 64 <div class="field">
63 65 <div class="textarea text-area editor">
64 66 ${h.textarea('key_data',c.default_key, size=30, placeholder=_("Public key, begins with 'ssh-rsa', 'ssh-dss', 'ssh-ed25519', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', or 'ecdsa-sha2-nistp521'"))}
65 67 </div>
66 68 </div>
67 69
68 70 <div class="buttons">
69 71 ${h.submit('save',_('Add'),class_="btn")}
70 72 ${h.reset('reset',_('Reset'),class_="btn")}
71 73 </div>
72 74 % if c.default_key:
73 ${_('Click add to use this generate SSH key')}
75 ${_('Click add to use this generated SSH key')}
74 76 % endif
75 77 </div>
76 78 </div>
77 79 ${h.end_form()}
78 80 </div>
79 81 % endif
80 82 </div>
81 83 </div>
82 84
83 85 <script>
84 86
85 87 $(document).ready(function(){
86 88
87 89
88 90 });
89 91 </script>
@@ -1,83 +1,85 b''
1 1 <div class="panel panel-default">
2 2 <div class="panel-heading">
3 3 <h3 class="panel-title">${_('SSH Keys')}</h3>
4 4 </div>
5 5 <div class="panel-body">
6 6 <div class="sshkeys_wrap">
7 7 <table class="rctable ssh_keys">
8 8 <tr>
9 9 <th>${_('Fingerprint')}</th>
10 10 <th>${_('Description')}</th>
11 11 <th>${_('Created on')}</th>
12 12 <th>${_('Accessed on')}</th>
13 13 <th>${_('Action')}</th>
14 14 </tr>
15 15 %if c.user_ssh_keys:
16 16 %for ssh_key in c.user_ssh_keys:
17 17 <tr class="">
18 18 <td class="">
19 19 <code>${ssh_key.ssh_key_fingerprint}</code>
20 20 </td>
21 21 <td class="td-wrap">${ssh_key.description}</td>
22 22 <td class="td-tags">${h.format_date(ssh_key.created_on)}</td>
23 23 <td class="td-tags">${h.format_date(ssh_key.accessed_on)}</td>
24 24
25 25 <td class="td-action">
26 26 ${h.secure_form(h.route_path('edit_user_ssh_keys_delete', user_id=c.user.user_id), request=request)}
27 27 ${h.hidden('del_ssh_key', ssh_key.ssh_key_id)}
28 28 <button class="btn btn-link btn-danger" type="submit"
29 29 onclick="return confirm('${_('Confirm to remove ssh key %s') % ssh_key.ssh_key_fingerprint}');">
30 30 ${_('Delete')}
31 31 </button>
32 32 ${h.end_form()}
33 33 </td>
34 34 </tr>
35 35 %endfor
36 36 %else:
37 37 <tr><td><div class="ip">${_('No additional ssh keys specified')}</div></td></tr>
38 38 %endif
39 39 </table>
40 40 </div>
41 41
42 42 <div class="user_ssh_keys">
43 43 ${h.secure_form(h.route_path('edit_user_ssh_keys_add', user_id=c.user.user_id), request=request)}
44 44 <div class="form form-vertical">
45 45 <!-- fields -->
46 46 <div class="fields">
47 47 <div class="field">
48 48 <div class="label">
49 49 <label for="new_email">${_('New ssh key')}:</label>
50 50 </div>
51 51 <div class="input">
52 52 ${h.text('description', class_='medium', placeholder=_('Description'))}
53 <a href="${h.route_path('edit_user_ssh_keys_generate_keypair', user_id=c.user.user_id)}">${_('Generate random RSA key')}</a>
53 % if c.ssh_key_generator_enabled:
54 <a href="${h.route_path('edit_user_ssh_keys_generate_keypair', user_id=c.user.user_id)}">${_('Generate random RSA key')}</a>
55 % endif
54 56 </div>
55 57 </div>
56 58
57 59 <div class="field">
58 60 <div class="textarea text-area editor">
59 61 ${h.textarea('key_data',c.default_key, size=30, placeholder=_("Public key, begins with 'ssh-rsa', 'ssh-dss', 'ssh-ed25519', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', or 'ecdsa-sha2-nistp521'"))}
60 62 </div>
61 63 </div>
62 64
63 65 <div class="buttons">
64 66 ${h.submit('save',_('Add'),class_="btn")}
65 67 ${h.reset('reset',_('Reset'),class_="btn")}
66 68 </div>
67 69 % if c.default_key:
68 70 ${_('Click add to use this generate SSH key')}
69 71 % endif
70 72 </div>
71 73 </div>
72 74 ${h.end_form()}
73 75 </div>
74 76 </div>
75 77 </div>
76 78
77 79 <script>
78 80
79 81 $(document).ready(function(){
80 82
81 83
82 84 });
83 85 </script>
@@ -1,52 +1,58 b''
1 1 <div class="panel panel-default">
2 2 <div class="panel-heading">
3 <h3 class="panel-title">${_('New SSH Key generated')}</h3>
3 <h3 class="panel-title">${_('New SSH Key generation')}</h3>
4 4 </div>
5 5 <div class="panel-body">
6 <p>
7 ${_('Below is a 2048 bit generated SSH RSA key.')}<br/>
8 ${_('If You wish to use it to access RhodeCode via the SSH please save the private key and click `Use this generated key` at the bottom.')}
9 </p>
10 <h4>${_('Private key')}</h4>
11 <pre>
6 %if c.ssh_enabled and c.ssh_key_generator_enabled:
7 <p>
8 ${_('Below is a 2048 bit generated SSH RSA key.')}<br/>
9 ${_('If You wish to use it to access RhodeCode via the SSH please save the private key and click `Use this generated key` at the bottom.')}
10 </p>
11 <h4>${_('Private key')}</h4>
12 <pre>
12 13 # Save the below content as
13 14 # Windows: /Users/{username}/.ssh/id_rsa_rhodecode_access_priv.key
14 15 # macOS: /Users/{yourname}/.ssh/id_rsa_rhodecode_access_priv.key
15 16 # Linux: /home/{username}/.ssh/id_rsa_rhodecode_access_priv.key
16 17
17 18 # Change permissions to 0600 to make it secure, and usable.
18 19 e.g chmod 0600 /home/{username}/.ssh/id_rsa_rhodecode_access_priv.key
19 </pre>
20 </pre>
20 21
21 <div>
22 <textarea style="height: 300px">${c.private}</textarea>
23 </div>
24 <br/>
22 <div>
23 <textarea style="height: 300px">${c.private}</textarea>
24 </div>
25 <br/>
25 26
26 <h4>${_('Public key')}</h4>
27 <pre>
27 <h4>${_('Public key')}</h4>
28 <pre>
28 29 # Save the below content as
29 30 # Windows: /Users/{username}/.ssh/id_rsa_rhodecode_access_pub.key
30 31 # macOS: /Users/{yourname}/.ssh/id_rsa_rhodecode_access_pub.key
31 32 # Linux: /home/{username}/.ssh/id_rsa_rhodecode_access_pub.key
32 </pre>
33 </pre>
33 34
34 <input type="text" value="${c.public}" class="large text" size="100"/>
35 <p>
36 % if hasattr(c, 'target_form_url'):
37 <a href="${c.target_form_url}">${_('Use this generated key')}.</a>
38 % else:
39 <a href="${h.route_path('edit_user_ssh_keys', user_id=c.user.user_id, _query=dict(default_key=c.public))}">${_('Use this generated key')}.</a>
40 % endif
41 ${_('Confirmation required on the next screen')}.
42 </p>
35 <input type="text" value="${c.public}" class="large text" size="100"/>
36 <p>
37 % if hasattr(c, 'target_form_url'):
38 <a href="${c.target_form_url}">${_('Use this generated key')}.</a>
39 % else:
40 <a href="${h.route_path('edit_user_ssh_keys', user_id=c.user.user_id, _query=dict(default_key=c.public))}">${_('Use this generated key')}.</a>
41 % endif
42 ${_('Confirmation required on the next screen')}.
43 </p>
44 % else:
45 <h2>
46 ${_('SSH key generator has been disabled.')}
47 </h2>
48 % endif
43 49 </div>
44 50 </div>
45 51
46 52 <script>
47 53
48 54 $(document).ready(function(){
49 55
50 56
51 57 });
52 58 </script>
@@ -1,665 +1,669 b''
1 1
2 2
3 3 ################################################################################
4 4 ## RHODECODE COMMUNITY EDITION CONFIGURATION ##
5 5 # The %(here)s variable will be replaced with the parent directory of this file#
6 6 ################################################################################
7 7
8 8 [DEFAULT]
9 9 debug = true
10 10
11 11 ################################################################################
12 12 ## EMAIL CONFIGURATION ##
13 13 ## Uncomment and replace with the email address which should receive ##
14 14 ## any error reports after an application crash ##
15 15 ## Additionally these settings will be used by the RhodeCode mailing system ##
16 16 ################################################################################
17 17
18 18 ## prefix all emails subjects with given prefix, helps filtering out emails
19 19 #email_prefix = [RhodeCode]
20 20
21 21 ## email FROM address all mails will be sent
22 22 #app_email_from = rhodecode-noreply@localhost
23 23
24 24 ## Uncomment and replace with the address which should receive any error report
25 25 ## note: using appenlight for error handling doesn't need this to be uncommented
26 26 #email_to = admin@localhost
27 27
28 28 #smtp_server = mail.server.com
29 29 #smtp_username =
30 30 #smtp_password =
31 31 #smtp_port =
32 32 #smtp_use_tls = false
33 33 #smtp_use_ssl = true
34 34
35 35 [server:main]
36 36 ## COMMON ##
37 37 host = 0.0.0.0
38 38 port = 5000
39 39
40 40 ##########################
41 41 ## GUNICORN WSGI SERVER ##
42 42 ##########################
43 43 ## run with gunicorn --log-config rhodecode.ini --paste rhodecode.ini
44 44
45 45 use = egg:gunicorn#main
46 46 ## Sets the number of process workers. You must set `instance_id = *`
47 47 ## when this option is set to more than one worker, recommended
48 48 ## value is (2 * NUMBER_OF_CPUS + 1), eg 2CPU = 5 workers
49 49 ## The `instance_id = *` must be set in the [app:main] section below
50 50 #workers = 2
51 51 ## number of threads for each of the worker, must be set to 1 for gevent
52 52 ## generally recommened to be at 1
53 53 #threads = 1
54 54 ## process name
55 55 #proc_name = rhodecode
56 56 ## type of worker class, one of sync, gevent
57 57 ## recommended for bigger setup is using of of other than sync one
58 58 #worker_class = sync
59 59 ## The maximum number of simultaneous clients. Valid only for Gevent
60 60 #worker_connections = 10
61 61 ## max number of requests that worker will handle before being gracefully
62 62 ## restarted, could prevent memory leaks
63 63 #max_requests = 1000
64 64 #max_requests_jitter = 30
65 65 ## amount of time a worker can spend with handling a request before it
66 66 ## gets killed and restarted. Set to 6hrs
67 67 #timeout = 21600
68 68
69 69 ## prefix middleware for RhodeCode.
70 70 ## recommended when using proxy setup.
71 71 ## allows to set RhodeCode under a prefix in server.
72 72 ## eg https://server.com/custom_prefix. Enable `filter-with =` option below as well.
73 73 ## And set your prefix like: `prefix = /custom_prefix`
74 74 ## be sure to also set beaker.session.cookie_path = /custom_prefix if you need
75 75 ## to make your cookies only work on prefix url
76 76 [filter:proxy-prefix]
77 77 use = egg:PasteDeploy#prefix
78 78 prefix = /
79 79
80 80 [app:main]
81 81 is_test = True
82 82 use = egg:rhodecode-enterprise-ce
83 83
84 84 ## enable proxy prefix middleware, defined above
85 85 #filter-with = proxy-prefix
86 86
87 87
88 88 ## RHODECODE PLUGINS ##
89 89 rhodecode.includes = rhodecode.api
90 90
91 91 # api prefix url
92 92 rhodecode.api.url = /_admin/api
93 93
94 94
95 95 ## END RHODECODE PLUGINS ##
96 96
97 97 ## encryption key used to encrypt social plugin tokens,
98 98 ## remote_urls with credentials etc, if not set it defaults to
99 99 ## `beaker.session.secret`
100 100 #rhodecode.encrypted_values.secret =
101 101
102 102 ## decryption strict mode (enabled by default). It controls if decryption raises
103 103 ## `SignatureVerificationError` in case of wrong key, or damaged encryption data.
104 104 #rhodecode.encrypted_values.strict = false
105 105
106 106 ## return gzipped responses from Rhodecode (static files/application)
107 107 gzip_responses = false
108 108
109 109 ## autogenerate javascript routes file on startup
110 110 generate_js_files = false
111 111
112 112 ## Optional Languages
113 113 ## en(default), be, de, es, fr, it, ja, pl, pt, ru, zh
114 114 lang = en
115 115
116 116 ## perform a full repository scan on each server start, this should be
117 117 ## set to false after first startup, to allow faster server restarts.
118 118 startup.import_repos = true
119 119
120 120 ## Uncomment and set this path to use archive download cache.
121 121 ## Once enabled, generated archives will be cached at this location
122 122 ## and served from the cache during subsequent requests for the same archive of
123 123 ## the repository.
124 124 #archive_cache_dir = /tmp/tarballcache
125 125
126 126 ## URL at which the application is running. This is used for bootstraping
127 127 ## requests in context when no web request is available. Used in ishell, or
128 128 ## SSH calls. Set this for events to receive proper url for SSH calls.
129 129 app.base_url = http://rhodecode.local
130 130
131 131 ## change this to unique ID for security
132 132 app_instance_uuid = rc-production
133 133
134 134 ## cut off limit for large diffs (size in bytes)
135 135 cut_off_limit_diff = 1024000
136 136 cut_off_limit_file = 256000
137 137
138 138 ## use cache version of scm repo everywhere
139 139 vcs_full_cache = false
140 140
141 141 ## force https in RhodeCode, fixes https redirects, assumes it's always https
142 142 ## Normally this is controlled by proper http flags sent from http server
143 143 force_https = false
144 144
145 145 ## use Strict-Transport-Security headers
146 146 use_htsts = false
147 147
148 148 ## git rev filter option, --all is the default filter, if you need to
149 149 ## hide all refs in changelog switch this to --branches --tags
150 150 git_rev_filter = --all
151 151
152 152 # Set to true if your repos are exposed using the dumb protocol
153 153 git_update_server_info = false
154 154
155 155 ## RSS/ATOM feed options
156 156 rss_cut_off_limit = 256000
157 157 rss_items_per_page = 10
158 158 rss_include_diff = false
159 159
160 160 ## gist URL alias, used to create nicer urls for gist. This should be an
161 161 ## url that does rewrites to _admin/gists/{gistid}.
162 162 ## example: http://gist.rhodecode.org/{gistid}. Empty means use the internal
163 163 ## RhodeCode url, ie. http[s]://rhodecode.server/_admin/gists/{gistid}
164 164 gist_alias_url =
165 165
166 166 ## List of views (using glob pattern syntax) that AUTH TOKENS could be
167 167 ## used for access.
168 168 ## Adding ?auth_token=TOKEN_HASH to the url authenticates this request as if it
169 169 ## came from the the logged in user who own this authentication token.
170 170 ## Additionally @TOKEN syntaxt can be used to bound the view to specific
171 171 ## authentication token. Such view would be only accessible when used together
172 172 ## with this authentication token
173 173 ##
174 174 ## list of all views can be found under `/_admin/permissions/auth_token_access`
175 175 ## The list should be "," separated and on a single line.
176 176 ##
177 177 ## Most common views to enable:
178 178 # RepoCommitsView:repo_commit_download
179 179 # RepoCommitsView:repo_commit_patch
180 180 # RepoCommitsView:repo_commit_raw
181 181 # RepoCommitsView:repo_commit_raw@TOKEN
182 182 # RepoFilesView:repo_files_diff
183 183 # RepoFilesView:repo_archivefile
184 184 # RepoFilesView:repo_file_raw
185 185 # GistView:*
186 186 api_access_controllers_whitelist =
187 187
188 188 ## default encoding used to convert from and to unicode
189 189 ## can be also a comma separated list of encoding in case of mixed encodings
190 190 default_encoding = UTF-8
191 191
192 192 ## instance-id prefix
193 193 ## a prefix key for this instance used for cache invalidation when running
194 194 ## multiple instances of rhodecode, make sure it's globally unique for
195 195 ## all running rhodecode instances. Leave empty if you don't use it
196 196 instance_id =
197 197
198 198 ## Fallback authentication plugin. Set this to a plugin ID to force the usage
199 199 ## of an authentication plugin also if it is disabled by it's settings.
200 200 ## This could be useful if you are unable to log in to the system due to broken
201 201 ## authentication settings. Then you can enable e.g. the internal rhodecode auth
202 202 ## module to log in again and fix the settings.
203 203 ##
204 204 ## Available builtin plugin IDs (hash is part of the ID):
205 205 ## egg:rhodecode-enterprise-ce#rhodecode
206 206 ## egg:rhodecode-enterprise-ce#pam
207 207 ## egg:rhodecode-enterprise-ce#ldap
208 208 ## egg:rhodecode-enterprise-ce#jasig_cas
209 209 ## egg:rhodecode-enterprise-ce#headers
210 210 ## egg:rhodecode-enterprise-ce#crowd
211 211 #rhodecode.auth_plugin_fallback = egg:rhodecode-enterprise-ce#rhodecode
212 212
213 213 ## alternative return HTTP header for failed authentication. Default HTTP
214 214 ## response is 401 HTTPUnauthorized. Currently HG clients have troubles with
215 215 ## handling that causing a series of failed authentication calls.
216 216 ## Set this variable to 403 to return HTTPForbidden, or any other HTTP code
217 217 ## This will be served instead of default 401 on bad authnetication
218 218 auth_ret_code =
219 219
220 220 ## use special detection method when serving auth_ret_code, instead of serving
221 221 ## ret_code directly, use 401 initially (Which triggers credentials prompt)
222 222 ## and then serve auth_ret_code to clients
223 223 auth_ret_code_detection = false
224 224
225 225 ## locking return code. When repository is locked return this HTTP code. 2XX
226 226 ## codes don't break the transactions while 4XX codes do
227 227 lock_ret_code = 423
228 228
229 229 ## allows to change the repository location in settings page
230 230 allow_repo_location_change = true
231 231
232 232 ## allows to setup custom hooks in settings page
233 233 allow_custom_hooks_settings = true
234 234
235 235 ## generated license token, goto license page in RhodeCode settings to obtain
236 236 ## new token
237 237 license_token = abra-cada-bra1-rce3
238 238
239 239 ## supervisor connection uri, for managing supervisor and logs.
240 240 supervisor.uri =
241 241 ## supervisord group name/id we only want this RC instance to handle
242 242 supervisor.group_id = dev
243 243
244 244 ## Display extended labs settings
245 245 labs_settings_active = true
246 246
247 247 ####################################
248 248 ### CELERY CONFIG ####
249 249 ####################################
250 250 use_celery = false
251 251 broker.host = localhost
252 252 broker.vhost = rabbitmqhost
253 253 broker.port = 5672
254 254 broker.user = rabbitmq
255 255 broker.password = qweqwe
256 256
257 257 celery.imports = rhodecode.lib.celerylib.tasks
258 258
259 259 celery.result.backend = amqp
260 260 celery.result.dburi = amqp://
261 261 celery.result.serialier = json
262 262
263 263 #celery.send.task.error.emails = true
264 264 #celery.amqp.task.result.expires = 18000
265 265
266 266 celeryd.concurrency = 2
267 267 #celeryd.log.file = celeryd.log
268 268 celeryd.log.level = debug
269 269 celeryd.max.tasks.per.child = 1
270 270
271 271 ## tasks will never be sent to the queue, but executed locally instead.
272 272 celery.always.eager = false
273 273
274 274 ####################################
275 275 ### BEAKER CACHE ####
276 276 ####################################
277 277 # default cache dir for templates. Putting this into a ramdisk
278 278 ## can boost performance, eg. %(here)s/data_ramdisk
279 279 cache_dir = %(here)s/data
280 280
281 281 ## locking and default file storage for Beaker. Putting this into a ramdisk
282 282 ## can boost performance, eg. %(here)s/data_ramdisk/cache/beaker_data
283 283 beaker.cache.data_dir = %(here)s/rc/data/cache/beaker_data
284 284 beaker.cache.lock_dir = %(here)s/rc/data/cache/beaker_lock
285 285
286 286 beaker.cache.regions = long_term
287 287
288 288 beaker.cache.long_term.type = memory
289 289 beaker.cache.long_term.expire = 36000
290 290 beaker.cache.long_term.key_length = 256
291 291
292 292
293 293 #####################################
294 294 ### DOGPILE CACHE ####
295 295 #####################################
296 296
297 297 ## permission tree cache settings
298 298 rc_cache.cache_perms.backend = dogpile.cache.rc.file_namespace
299 299 rc_cache.cache_perms.expiration_time = 0
300 300 rc_cache.cache_perms.arguments.filename = /tmp/rc_cache_1
301 301
302 302
303 303 ## cache settings for SQL queries
304 304 rc_cache.sql_cache_short.backend = dogpile.cache.rc.memory_lru
305 305 rc_cache.sql_cache_short.expiration_time = 0
306 306
307 307
308 308 ####################################
309 309 ### BEAKER SESSION ####
310 310 ####################################
311 311
312 312 ## .session.type is type of storage options for the session, current allowed
313 313 ## types are file, ext:memcached, ext:database, and memory (default).
314 314 beaker.session.type = file
315 315 beaker.session.data_dir = %(here)s/rc/data/sessions/data
316 316
317 317 ## db based session, fast, and allows easy management over logged in users
318 318 #beaker.session.type = ext:database
319 319 #beaker.session.table_name = db_session
320 320 #beaker.session.sa.url = postgresql://postgres:secret@localhost/rhodecode
321 321 #beaker.session.sa.url = mysql://root:secret@127.0.0.1/rhodecode
322 322 #beaker.session.sa.pool_recycle = 3600
323 323 #beaker.session.sa.echo = false
324 324
325 325 beaker.session.key = rhodecode
326 326 beaker.session.secret = test-rc-uytcxaz
327 327 beaker.session.lock_dir = %(here)s/rc/data/sessions/lock
328 328
329 329 ## Secure encrypted cookie. Requires AES and AES python libraries
330 330 ## you must disable beaker.session.secret to use this
331 331 #beaker.session.encrypt_key = key_for_encryption
332 332 #beaker.session.validate_key = validation_key
333 333
334 334 ## sets session as invalid(also logging out user) if it haven not been
335 335 ## accessed for given amount of time in seconds
336 336 beaker.session.timeout = 2592000
337 337 beaker.session.httponly = true
338 338 ## Path to use for the cookie. Set to prefix if you use prefix middleware
339 339 #beaker.session.cookie_path = /custom_prefix
340 340
341 341 ## uncomment for https secure cookie
342 342 beaker.session.secure = false
343 343
344 344 ## auto save the session to not to use .save()
345 345 beaker.session.auto = false
346 346
347 347 ## default cookie expiration time in seconds, set to `true` to set expire
348 348 ## at browser close
349 349 #beaker.session.cookie_expires = 3600
350 350
351 351 ###################################
352 352 ## SEARCH INDEXING CONFIGURATION ##
353 353 ###################################
354 354 ## Full text search indexer is available in rhodecode-tools under
355 355 ## `rhodecode-tools index` command
356 356
357 357 ## WHOOSH Backend, doesn't require additional services to run
358 358 ## it works good with few dozen repos
359 359 search.module = rhodecode.lib.index.whoosh
360 360 search.location = %(here)s/data/index
361 361
362 362 ########################################
363 363 ### CHANNELSTREAM CONFIG ####
364 364 ########################################
365 365 ## channelstream enables persistent connections and live notification
366 366 ## in the system. It's also used by the chat system
367 367
368 368 channelstream.enabled = false
369 369
370 370 ## server address for channelstream server on the backend
371 371 channelstream.server = 127.0.0.1:9800
372 372 ## location of the channelstream server from outside world
373 373 ## use ws:// for http or wss:// for https. This address needs to be handled
374 374 ## by external HTTP server such as Nginx or Apache
375 375 ## see nginx/apache configuration examples in our docs
376 376 channelstream.ws_url = ws://rhodecode.yourserver.com/_channelstream
377 377 channelstream.secret = secret
378 378 channelstream.history.location = %(here)s/channelstream_history
379 379
380 380 ## Internal application path that Javascript uses to connect into.
381 381 ## If you use proxy-prefix the prefix should be added before /_channelstream
382 382 channelstream.proxy_path = /_channelstream
383 383
384 384
385 385 ###################################
386 386 ## APPENLIGHT CONFIG ##
387 387 ###################################
388 388
389 389 ## Appenlight is tailored to work with RhodeCode, see
390 390 ## http://appenlight.com for details how to obtain an account
391 391
392 392 ## appenlight integration enabled
393 393 appenlight = false
394 394
395 395 appenlight.server_url = https://api.appenlight.com
396 396 appenlight.api_key = YOUR_API_KEY
397 397 #appenlight.transport_config = https://api.appenlight.com?threaded=1&timeout=5
398 398
399 399 # used for JS client
400 400 appenlight.api_public_key = YOUR_API_PUBLIC_KEY
401 401
402 402 ## TWEAK AMOUNT OF INFO SENT HERE
403 403
404 404 ## enables 404 error logging (default False)
405 405 appenlight.report_404 = false
406 406
407 407 ## time in seconds after request is considered being slow (default 1)
408 408 appenlight.slow_request_time = 1
409 409
410 410 ## record slow requests in application
411 411 ## (needs to be enabled for slow datastore recording and time tracking)
412 412 appenlight.slow_requests = true
413 413
414 414 ## enable hooking to application loggers
415 415 appenlight.logging = true
416 416
417 417 ## minimum log level for log capture
418 418 appenlight.logging.level = WARNING
419 419
420 420 ## send logs only from erroneous/slow requests
421 421 ## (saves API quota for intensive logging)
422 422 appenlight.logging_on_error = false
423 423
424 424 ## list of additonal keywords that should be grabbed from environ object
425 425 ## can be string with comma separated list of words in lowercase
426 426 ## (by default client will always send following info:
427 427 ## 'REMOTE_USER', 'REMOTE_ADDR', 'SERVER_NAME', 'CONTENT_TYPE' + all keys that
428 428 ## start with HTTP* this list be extended with additional keywords here
429 429 appenlight.environ_keys_whitelist =
430 430
431 431 ## list of keywords that should be blanked from request object
432 432 ## can be string with comma separated list of words in lowercase
433 433 ## (by default client will always blank keys that contain following words
434 434 ## 'password', 'passwd', 'pwd', 'auth_tkt', 'secret', 'csrf'
435 435 ## this list be extended with additional keywords set here
436 436 appenlight.request_keys_blacklist =
437 437
438 438 ## list of namespaces that should be ignores when gathering log entries
439 439 ## can be string with comma separated list of namespaces
440 440 ## (by default the client ignores own entries: appenlight_client.client)
441 441 appenlight.log_namespace_blacklist =
442 442
443 443
444 444 ################################################################################
445 445 ## WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT* ##
446 446 ## Debug mode will enable the interactive debugging tool, allowing ANYONE to ##
447 447 ## execute malicious code after an exception is raised. ##
448 448 ################################################################################
449 449 set debug = false
450 450
451 451
452 452 ##############
453 453 ## STYLING ##
454 454 ##############
455 455 debug_style = false
456 456
457 457 ###########################################
458 458 ### MAIN RHODECODE DATABASE CONFIG ###
459 459 ###########################################
460 460 #sqlalchemy.db1.url = sqlite:///%(here)s/rhodecode_test.db?timeout=30
461 461 #sqlalchemy.db1.url = postgresql://postgres:qweqwe@localhost/rhodecode_test
462 462 #sqlalchemy.db1.url = mysql://root:qweqwe@localhost/rhodecode_test
463 463 sqlalchemy.db1.url = sqlite:///%(here)s/rhodecode_test.db?timeout=30
464 464
465 465 # see sqlalchemy docs for other advanced settings
466 466
467 467 ## print the sql statements to output
468 468 sqlalchemy.db1.echo = false
469 469 ## recycle the connections after this amount of seconds
470 470 sqlalchemy.db1.pool_recycle = 3600
471 471 sqlalchemy.db1.convert_unicode = true
472 472
473 473 ## the number of connections to keep open inside the connection pool.
474 474 ## 0 indicates no limit
475 475 #sqlalchemy.db1.pool_size = 5
476 476
477 477 ## the number of connections to allow in connection pool "overflow", that is
478 478 ## connections that can be opened above and beyond the pool_size setting,
479 479 ## which defaults to five.
480 480 #sqlalchemy.db1.max_overflow = 10
481 481
482 482
483 483 ##################
484 484 ### VCS CONFIG ###
485 485 ##################
486 486 vcs.server.enable = true
487 487 vcs.server = localhost:9901
488 488
489 489 ## Web server connectivity protocol, responsible for web based VCS operatations
490 490 ## Available protocols are:
491 491 ## `http` - use http-rpc backend (default)
492 492 vcs.server.protocol = http
493 493
494 494 ## Push/Pull operations protocol, available options are:
495 495 ## `http` - use http-rpc backend (default)
496 496 ## `vcsserver.scm_app` - internal app (EE only)
497 497 vcs.scm_app_implementation = http
498 498
499 499 ## Push/Pull operations hooks protocol, available options are:
500 500 ## `http` - use http-rpc backend (default)
501 501 vcs.hooks.protocol = http
502 502 vcs.hooks.host = 127.0.0.1
503 503
504 504 vcs.server.log_level = debug
505 505 ## Start VCSServer with this instance as a subprocess, Useful for development
506 506 vcs.start_server = false
507 507
508 508 ## List of enabled VCS backends, available options are:
509 509 ## `hg` - mercurial
510 510 ## `git` - git
511 511 ## `svn` - subversion
512 512 vcs.backends = hg, git, svn
513 513
514 514 vcs.connection_timeout = 3600
515 515 ## Compatibility version when creating SVN repositories. Defaults to newest version when commented out.
516 516 ## Available options are: pre-1.4-compatible, pre-1.5-compatible, pre-1.6-compatible, pre-1.8-compatible, pre-1.9-compatible
517 517 #vcs.svn.compatible_version = pre-1.8-compatible
518 518
519 519
520 520 ############################################################
521 521 ### Subversion proxy support (mod_dav_svn) ###
522 522 ### Maps RhodeCode repo groups into SVN paths for Apache ###
523 523 ############################################################
524 524 ## Enable or disable the config file generation.
525 525 svn.proxy.generate_config = false
526 526 ## Generate config file with `SVNListParentPath` set to `On`.
527 527 svn.proxy.list_parent_path = true
528 528 ## Set location and file name of generated config file.
529 529 svn.proxy.config_file_path = %(here)s/mod_dav_svn.conf
530 530 ## Used as a prefix to the `Location` block in the generated config file.
531 531 ## In most cases it should be set to `/`.
532 532 svn.proxy.location_root = /
533 533 ## Command to reload the mod dav svn configuration on change.
534 534 ## Example: `/etc/init.d/apache2 reload`
535 535 #svn.proxy.reload_cmd = /etc/init.d/apache2 reload
536 536 ## If the timeout expires before the reload command finishes, the command will
537 537 ## be killed. Setting it to zero means no timeout. Defaults to 10 seconds.
538 538 #svn.proxy.reload_timeout = 10
539 539
540 540 ############################################################
541 541 ### SSH Support Settings ###
542 542 ############################################################
543 543
544 544 ## Defines if the authorized_keys file should be written on any change of
545 545 ## user ssh keys, setting this to false also disables posibility of adding
546 546 ## ssh keys for users from web interface.
547 547 ssh.generate_authorized_keyfile = true
548 548
549 549 ## Options for ssh, default is `no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding`
550 550 # ssh.authorized_keys_ssh_opts =
551 551
552 552 ## File to generate the authorized keys together with options
553 553 ## It is possible to have multiple key files specified in `sshd_config` e.g.
554 554 ## AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_rhodecode
555 555 ssh.authorized_keys_file_path = %(here)s/rc/authorized_keys_rhodecode
556 556
557 557 ## Command to execute the SSH wrapper. The binary is available in the
558 558 ## rhodecode installation directory.
559 559 ## e.g ~/.rccontrol/community-1/profile/bin/rc-ssh-wrapper
560 560 ssh.wrapper_cmd = ~/.rccontrol/community-1/rc-ssh-wrapper
561 561
562 562 ## Allow shell when executing the ssh-wrapper command
563 563 ssh.wrapper_cmd_allow_shell = false
564 564
565 565 ## Enables logging, and detailed output send back to the client. Useful for
566 566 ## debugging, shouldn't be used in production.
567 567 ssh.enable_debug_logging = false
568 568
569 569 ## Paths to binary executrables, by default they are the names, but we can
570 570 ## override them if we want to use a custom one
571 571 ssh.executable.hg = ~/.rccontrol/vcsserver-1/profile/bin/hg
572 572 ssh.executable.git = ~/.rccontrol/vcsserver-1/profile/bin/git
573 573 ssh.executable.svn = ~/.rccontrol/vcsserver-1/profile/bin/svnserve
574 574
575 ## Enables SSH key generator web interface. Disabling this still allows users
576 ## to add their own keys.
577 ssh.enable_ui_key_generator = true
578
575 579
576 580 ## Dummy marker to add new entries after.
577 581 ## Add any custom entries below. Please don't remove.
578 582 custom.conf = 1
579 583
580 584
581 585 ################################
582 586 ### LOGGING CONFIGURATION ####
583 587 ################################
584 588 [loggers]
585 589 keys = root, sqlalchemy, beaker, rhodecode, ssh_wrapper
586 590
587 591 [handlers]
588 592 keys = console, console_sql
589 593
590 594 [formatters]
591 595 keys = generic, color_formatter, color_formatter_sql
592 596
593 597 #############
594 598 ## LOGGERS ##
595 599 #############
596 600 [logger_root]
597 601 level = NOTSET
598 602 handlers = console
599 603
600 604 [logger_routes]
601 605 level = DEBUG
602 606 handlers =
603 607 qualname = routes.middleware
604 608 ## "level = DEBUG" logs the route matched and routing variables.
605 609 propagate = 1
606 610
607 611 [logger_beaker]
608 612 level = DEBUG
609 613 handlers =
610 614 qualname = beaker.container
611 615 propagate = 1
612 616
613 617 [logger_rhodecode]
614 618 level = DEBUG
615 619 handlers =
616 620 qualname = rhodecode
617 621 propagate = 1
618 622
619 623 [logger_sqlalchemy]
620 624 level = ERROR
621 625 handlers = console_sql
622 626 qualname = sqlalchemy.engine
623 627 propagate = 0
624 628
625 629 [logger_ssh_wrapper]
626 630 level = DEBUG
627 631 handlers =
628 632 qualname = ssh_wrapper
629 633 propagate = 1
630 634
631 635
632 636 ##############
633 637 ## HANDLERS ##
634 638 ##############
635 639
636 640 [handler_console]
637 641 class = StreamHandler
638 642 args = (sys.stderr,)
639 643 level = DEBUG
640 644 formatter = generic
641 645
642 646 [handler_console_sql]
643 647 class = StreamHandler
644 648 args = (sys.stderr,)
645 649 level = WARN
646 650 formatter = generic
647 651
648 652 ################
649 653 ## FORMATTERS ##
650 654 ################
651 655
652 656 [formatter_generic]
653 657 class = rhodecode.lib.logging_formatter.ExceptionAwareFormatter
654 658 format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
655 659 datefmt = %Y-%m-%d %H:%M:%S
656 660
657 661 [formatter_color_formatter]
658 662 class = rhodecode.lib.logging_formatter.ColorFormatter
659 663 format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
660 664 datefmt = %Y-%m-%d %H:%M:%S
661 665
662 666 [formatter_color_formatter_sql]
663 667 class = rhodecode.lib.logging_formatter.ColorFormatterSql
664 668 format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
665 669 datefmt = %Y-%m-%d %H:%M:%S
General Comments 0
You need to be logged in to leave comments. Login now