u/pc/rhodecode-enterprise-ce-fork-pc Commit - r1125:ee691b6f

1

# -*- coding: utf-8 -*-

1

# -*- coding: utf-8 -*-

2

3

4

#

4

#

5

# This program is free software: you can redistribute it and/or modify

5

# This program is free software: you can redistribute it and/or modify

6

# it under the terms of the GNU Affero General Public License, version 3

6

# it under the terms of the GNU Affero General Public License, version 3

7

# (only), as published by the Free Software Foundation.

7

# (only), as published by the Free Software Foundation.

8

#

8

#

9

# This program is distributed in the hope that it will be useful,

9

# This program is distributed in the hope that it will be useful,

10

# but WITHOUT ANY WARRANTY; without even the implied warranty of

10

# but WITHOUT ANY WARRANTY; without even the implied warranty of

11

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

11

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

12

# GNU General Public License for more details.

12

# GNU General Public License for more details.

13

#

13

#

14

# You should have received a copy of the GNU Affero General Public License

14

# You should have received a copy of the GNU Affero General Public License

15

# along with this program. If not, see <http://www.gnu.org/licenses/>.

15

# along with this program. If not, see <http://www.gnu.org/licenses/>.

16

#

16

#

17

# This program is dual-licensed. If you wish to learn more about the

17

# This program is dual-licensed. If you wish to learn more about the

18

# RhodeCode Enterprise Edition, including its added features, Support services,

18

# RhodeCode Enterprise Edition, including its added features, Support services,

19

# and proprietary license terms, please see https://rhodecode.com/licenses/

19

# and proprietary license terms, please see https://rhodecode.com/licenses/

20

21

"""

21

"""

22

SimpleVCS middleware for handling protocol request (push/clone etc.)

22

SimpleVCS middleware for handling protocol request (push/clone etc.)

23

It's implemented with basic auth function

23

It's implemented with basic auth function

24

"""

24

"""

25

26

import os

26

import os

27

import logging

27

import logging

28

import importlib

28

import importlib

29

import re

29

import re

30

from functools import wraps

30

from functools import wraps

31

32

from paste.httpheaders import REMOTE_USER, AUTH_TYPE

32

from paste.httpheaders import REMOTE_USER, AUTH_TYPE

33

from webob.exc import (

33

from webob.exc import (

34

HTTPNotFound, HTTPForbidden, HTTPNotAcceptable, HTTPInternalServerError)

34

HTTPNotFound, HTTPForbidden, HTTPNotAcceptable, HTTPInternalServerError)

35

36

import rhodecode

36

import rhodecode

37

from rhodecode.authentication.base import authenticate, VCS_TYPE

37

from rhodecode.authentication.base import authenticate, VCS_TYPE

38

from rhodecode.lib.auth import AuthUser, HasPermissionAnyMiddleware

38

from rhodecode.lib.auth import AuthUser, HasPermissionAnyMiddleware

39

from rhodecode.lib.base import BasicAuth, get_ip_addr, vcs_operation_context

39

from rhodecode.lib.base import BasicAuth, get_ip_addr, vcs_operation_context

40

from rhodecode.lib.exceptions import (

40

from rhodecode.lib.exceptions import (

41

HTTPLockedRC, HTTPRequirementError, UserCreationError,

41

HTTPLockedRC, HTTPRequirementError, UserCreationError,

42

NotAllowedToCreateUserError)

42

NotAllowedToCreateUserError)

43

from rhodecode.lib.hooks_daemon import prepare_callback_daemon

43

from rhodecode.lib.hooks_daemon import prepare_callback_daemon

44

from rhodecode.lib.middleware import appenlight

44

from rhodecode.lib.middleware import appenlight

45

from rhodecode.lib.middleware.utils import scm_app, scm_app_http

45

from rhodecode.lib.middleware.utils import scm_app, scm_app_http

46

from rhodecode.lib.utils import (

46

from rhodecode.lib.utils import (

47

is_valid_repo, get_rhodecode_realm, get_rhodecode_base_path, SLUG_RE)

47

is_valid_repo, get_rhodecode_realm, get_rhodecode_base_path, SLUG_RE)

48

from rhodecode.lib.utils2 import safe_str, fix_PATH, str2bool, safe_unicode

48

from rhodecode.lib.utils2 import safe_str, fix_PATH, str2bool, safe_unicode

49

from rhodecode.lib.vcs.conf import settings as vcs_settings

49

from rhodecode.lib.vcs.conf import settings as vcs_settings

50

from rhodecode.lib.vcs.backends import base

50

from rhodecode.lib.vcs.backends import base

51

from rhodecode.model import meta

51

from rhodecode.model import meta

52

from rhodecode.model.db import User, Repository, PullRequest

52

from rhodecode.model.db import User, Repository, PullRequest

53

from rhodecode.model.scm import ScmModel

53

from rhodecode.model.scm import ScmModel

54

from rhodecode.model.pull_request import PullRequestModel

54

from rhodecode.model.pull_request import PullRequestModel

55

56

57

log = logging.getLogger(__name__)

57

log = logging.getLogger(__name__)

58

59

60

def initialize_generator(factory):

60

def initialize_generator(factory):

61

"""

61

"""

62

Initializes the returned generator by draining its first element.

62

Initializes the returned generator by draining its first element.

63

64

This can be used to give a generator an initializer, which is the code

64

This can be used to give a generator an initializer, which is the code

65

up to the first yield statement. This decorator enforces that the first

65

up to the first yield statement. This decorator enforces that the first

66

produced element has the value ``"__init__"`` to make its special

66

produced element has the value ``"__init__"`` to make its special

67

purpose very explicit in the using code.

67

purpose very explicit in the using code.

68

"""

68

"""

69

70

@wraps(factory)

70

@wraps(factory)

71

def wrapper(*args, **kwargs):

71

def wrapper(*args, **kwargs):

72

gen = factory(*args, **kwargs)

72

gen = factory(*args, **kwargs)

73

try:

73

try:

74

init = gen.next()

74

init = gen.next()

75

except StopIteration:

75

except StopIteration:

76

raise ValueError('Generator must yield at least one element.')

76

raise ValueError('Generator must yield at least one element.')

77

if init != "__init__":

77

if init != "__init__":

78

raise ValueError('First yielded element must be "__init__".')

78

raise ValueError('First yielded element must be "__init__".')

79

return gen

79

return gen

80

return wrapper

80

return wrapper

81

82

83

class SimpleVCS(object):

83

class SimpleVCS(object):

84

"""Common functionality for SCM HTTP handlers."""

84

"""Common functionality for SCM HTTP handlers."""

85

86

SCM = 'unknown'

86

SCM = 'unknown'

87

88

acl_repo_name = None

88

acl_repo_name = None

89

url_repo_name = None

89

url_repo_name = None

90

vcs_repo_name = None

90

vcs_repo_name = None

91

92

# We have to handle requests to shadow repositories different than requests

92

# We have to handle requests to shadow repositories different than requests

93

# to normal repositories. Therefore we have to distinguish them. To do this

93

# to normal repositories. Therefore we have to distinguish them. To do this

94

# we use this regex which will match only on URLs pointing to shadow

94

# we use this regex which will match only on URLs pointing to shadow

95

# repositories.

95

# repositories.

96

shadow_repo_re = re.compile(

96

shadow_repo_re = re.compile(

97

'(?P<groups>(?:{slug_pat}/)*)' # repo groups

97

'(?P<groups>(?:{slug_pat}/)*)' # repo groups

98

'(?P<target>{slug_pat})/' # target repo

98

'(?P<target>{slug_pat})/' # target repo

99

'pull-request/(?P<pr_id>\d+)/' # pull request

99

'pull-request/(?P<pr_id>\d+)/' # pull request

100

'repository$' # shadow repo

100

'repository$' # shadow repo

101

.format(slug_pat=SLUG_RE.pattern))

101

.format(slug_pat=SLUG_RE.pattern))

102

103

def __init__(self, application, config, registry):

103

def __init__(self, application, config, registry):

104

self.registry = registry

104

self.registry = registry

105

self.application = application

105

self.application = application

106

self.config = config

106

self.config = config

107

# re-populated by specialized middleware

107

# re-populated by specialized middleware

108

self.repo_vcs_config = base.Config()

108

self.repo_vcs_config = base.Config()

109

110

# base path of repo locations

110

# base path of repo locations

111

self.basepath = get_rhodecode_base_path()

111

self.basepath = get_rhodecode_base_path()

112

# authenticate this VCS request using authfunc

112

# authenticate this VCS request using authfunc

113

auth_ret_code_detection = \

113

auth_ret_code_detection = \

114

str2bool(self.config.get('auth_ret_code_detection', False))

114

str2bool(self.config.get('auth_ret_code_detection', False))

115

self.authenticate = BasicAuth(

115

self.authenticate = BasicAuth(

116

'', authenticate, registry, config.get('auth_ret_code'),

116

'', authenticate, registry, config.get('auth_ret_code'),

117

auth_ret_code_detection)

117

auth_ret_code_detection)

118

self.ip_addr = '0.0.0.0'

118

self.ip_addr = '0.0.0.0'

119

120

def set_repo_names(self, environ):

120

def set_repo_names(self, environ):

121

"""

121

"""

122

This will populate the attributes acl_repo_name, url_repo_name,

122

This will populate the attributes acl_repo_name, url_repo_name,

123

vcs_repo_name and is_shadow_repo. In case of requests to normal (non

123

vcs_repo_name and is_shadow_repo. In case of requests to normal (non

124

shadow) repositories all names are equal. In case of requests to a

124

shadow) repositories all names are equal. In case of requests to a

125

shadow repository the acl-name points to the target repo of the pull

125

shadow repository the acl-name points to the target repo of the pull

126

request and the vcs-name points to the shadow repo file system path.

126

request and the vcs-name points to the shadow repo file system path.

127

The url-name is always the URL used by the vcs client program.

127

The url-name is always the URL used by the vcs client program.

128

129

Example in case of a shadow repo:

129

Example in case of a shadow repo:

130

acl_repo_name = RepoGroup/MyRepo

130

acl_repo_name = RepoGroup/MyRepo

131

url_repo_name = RepoGroup/MyRepo/pull-request/3/repository

131

url_repo_name = RepoGroup/MyRepo/pull-request/3/repository

132

vcs_repo_name = /repo/base/path/RepoGroup/.__shadow_MyRepo_pr-3'

132

vcs_repo_name = /repo/base/path/RepoGroup/.__shadow_MyRepo_pr-3'

133

"""

133

"""

134

# First we set the repo name from URL for all attributes. This is the

134

# First we set the repo name from URL for all attributes. This is the

135

# default if handling normal (non shadow) repo requests.

135

# default if handling normal (non shadow) repo requests.

136

self.url_repo_name = self._get_repository_name(environ)

136

self.url_repo_name = self._get_repository_name(environ)

137

self.acl_repo_name = self.vcs_repo_name = self.url_repo_name

137

self.acl_repo_name = self.vcs_repo_name = self.url_repo_name

138

self.is_shadow_repo = False

138

self.is_shadow_repo = False

139

140

# Check if this is a request to a shadow repository.

140

# Check if this is a request to a shadow repository.

141

match = self.shadow_repo_re.match(self.url_repo_name)

141

match = self.shadow_repo_re.match(self.url_repo_name)

142

if match:

142

if match:

143

match_dict = match.groupdict()

143

match_dict = match.groupdict()

144

145

# Build acl repo name from regex match.

145

# Build acl repo name from regex match.

146

acl_repo_name = safe_unicode('{groups}{target}'.format(

146

acl_repo_name = safe_unicode('{groups}{target}'.format(

147

groups=match_dict['groups'] or '',

147

groups=match_dict['groups'] or '',

148

target=match_dict['target']))

148

target=match_dict['target']))

149

150

# Retrieve pull request instance by ID from regex match.

150

# Retrieve pull request instance by ID from regex match.

151

pull_request = PullRequest.get(match_dict['pr_id'])

151

pull_request = PullRequest.get(match_dict['pr_id'])

152

153

# Only proceed if we got a pull request and if acl repo name from

153

# Only proceed if we got a pull request and if acl repo name from

154

# URL equals the target repo name of the pull request.

154

# URL equals the target repo name of the pull request.

155

if pull_request and (acl_repo_name ==

155

if pull_request and (acl_repo_name ==

156

pull_request.target_repo.repo_name):

156

pull_request.target_repo.repo_name):

157

# Get file system path to shadow repository.

157

# Get file system path to shadow repository.

158

workspace_id = PullRequestModel()._workspace_id(pull_request)

158

workspace_id = PullRequestModel()._workspace_id(pull_request)

159

target_vcs = pull_request.target_repo.scm_instance()

159

target_vcs = pull_request.target_repo.scm_instance()

160

vcs_repo_name = target_vcs._get_shadow_repository_path(

160

vcs_repo_name = target_vcs._get_shadow_repository_path(

161

workspace_id)

161

workspace_id)

162

163

# Store names for later usage.

163

# Store names for later usage.

164

self.vcs_repo_name = vcs_repo_name

164

self.vcs_repo_name = vcs_repo_name

165

self.acl_repo_name = acl_repo_name

165

self.acl_repo_name = acl_repo_name

166

self.is_shadow_repo = True

166

self.is_shadow_repo = True

167

168

log.debug('Repository names: %s', {

168

log.debug('Repository names: %s', {

169

'acl_repo_name': self.acl_repo_name,

169

'acl_repo_name': self.acl_repo_name,

170

'url_repo_name': self.url_repo_name,

170

'url_repo_name': self.url_repo_name,

171

'vcs_repo_name': self.vcs_repo_name,

171

'vcs_repo_name': self.vcs_repo_name,

172

})

172

})

173

174

@property

174

@property

175

def scm_app(self):

175

def scm_app(self):

176

custom_implementation = self.config['vcs.scm_app_implementation']

176

custom_implementation = self.config['vcs.scm_app_implementation']

177

if custom_implementation == 'http':

177

if custom_implementation == 'http':

178

log.info('Using HTTP implementation of scm app.')

178

log.info('Using HTTP implementation of scm app.')

179

scm_app_impl = scm_app_http

179

scm_app_impl = scm_app_http

180

elif custom_implementation == 'pyro4':

180

elif custom_implementation == 'pyro4':

181

log.info('Using Pyro implementation of scm app.')

181

log.info('Using Pyro implementation of scm app.')

182

scm_app_impl = scm_app

182

scm_app_impl = scm_app

183

else:

183

else:

184

log.info('Using custom implementation of scm_app: "{}"'.format(

184

log.info('Using custom implementation of scm_app: "{}"'.format(

185

custom_implementation))

185

custom_implementation))

186

scm_app_impl = importlib.import_module(custom_implementation)

186

scm_app_impl = importlib.import_module(custom_implementation)

187

return scm_app_impl

187

return scm_app_impl

188

189

def _get_by_id(self, repo_name):

189

def _get_by_id(self, repo_name):

190

"""

190

"""

191

Gets a special pattern _<ID> from clone url and tries to replace it

191

Gets a special pattern _<ID> from clone url and tries to replace it

192

with a repository_name for support of _<ID> non changeable urls

192

with a repository_name for support of _<ID> non changeable urls

193

"""

193

"""

194

195

data = repo_name.split('/')

195

data = repo_name.split('/')

196

if len(data) >= 2:

196

if len(data) >= 2:

197

from rhodecode.model.repo import RepoModel

197

from rhodecode.model.repo import RepoModel

198

by_id_match = RepoModel().get_repo_by_id(repo_name)

198

by_id_match = RepoModel().get_repo_by_id(repo_name)

199

if by_id_match:

199

if by_id_match:

200

data[1] = by_id_match.repo_name

200

data[1] = by_id_match.repo_name

201

202

return safe_str('/'.join(data))

202

return safe_str('/'.join(data))

203

204

def _invalidate_cache(self, repo_name):

204

def _invalidate_cache(self, repo_name):

205

"""

205

"""

206

Set's cache for this repository for invalidation on next access

206

Set's cache for this repository for invalidation on next access

207

208

:param repo_name: full repo name, also a cache key

208

:param repo_name: full repo name, also a cache key

209

"""

209

"""

210

ScmModel().mark_for_invalidation(repo_name)

210

ScmModel().mark_for_invalidation(repo_name)

211

212

def is_valid_and_existing_repo(self, repo_name, base_path, scm_type):

212

def is_valid_and_existing_repo(self, repo_name, base_path, scm_type):

213

db_repo = Repository.get_by_repo_name(repo_name)

213

db_repo = Repository.get_by_repo_name(repo_name)

214

if not db_repo:

214

if not db_repo:

215

log.debug('Repository `%s` not found inside the database.',

215

log.debug('Repository `%s` not found inside the database.',

216

repo_name)

216

repo_name)

217

return False

217

return False

218

219

if db_repo.repo_type != scm_type:

219

if db_repo.repo_type != scm_type:

220

log.warning(

220

log.warning(

221

'Repository `%s` have incorrect scm_type, expected %s got %s',

221

'Repository `%s` have incorrect scm_type, expected %s got %s',

222

repo_name, db_repo.repo_type, scm_type)

222

repo_name, db_repo.repo_type, scm_type)

223

return False

223

return False

224

225

return is_valid_repo(repo_name, base_path, expect_scm=scm_type)

225

return is_valid_repo(repo_name, base_path, explicit_scm=scm_type)

226

227

def valid_and_active_user(self, user):

227

def valid_and_active_user(self, user):

228

"""

228

"""

229

Checks if that user is not empty, and if it's actually object it checks

229

Checks if that user is not empty, and if it's actually object it checks

230

if he's active.

230

if he's active.

231

232

:param user: user object or None

232

:param user: user object or None

233

:return: boolean

233

:return: boolean

234

"""

234

"""

235

if user is None:

235

if user is None:

236

return False

236

return False

237

238

elif user.active:

238

elif user.active:

239

return True

239

return True

240

241

return False

241

return False

242

243

def _check_permission(self, action, user, repo_name, ip_addr=None):

243

def _check_permission(self, action, user, repo_name, ip_addr=None):

244

"""

244

"""

245

Checks permissions using action (push/pull) user and repository

245

Checks permissions using action (push/pull) user and repository

246

name

246

name

247

248

:param action: push or pull action

248

:param action: push or pull action

249

:param user: user instance

249

:param user: user instance

250

:param repo_name: repository name

250

:param repo_name: repository name

251

"""

251

"""

252

# check IP

252

# check IP

253

inherit = user.inherit_default_permissions

253

inherit = user.inherit_default_permissions

254

ip_allowed = AuthUser.check_ip_allowed(user.user_id, ip_addr,

254

ip_allowed = AuthUser.check_ip_allowed(user.user_id, ip_addr,

255

inherit_from_default=inherit)

255

inherit_from_default=inherit)

256

if ip_allowed:

256

if ip_allowed:

257

log.info('Access for IP:%s allowed', ip_addr)

257

log.info('Access for IP:%s allowed', ip_addr)

258

else:

258

else:

259

return False

259

return False

260

261

if action == 'push':

261

if action == 'push':

262

if not HasPermissionAnyMiddleware('repository.write',

262

if not HasPermissionAnyMiddleware('repository.write',

263

'repository.admin')(user,

263

'repository.admin')(user,

264

repo_name):

264

repo_name):

265

return False

265

return False

266

267

else:

267

else:

268

# any other action need at least read permission

268

# any other action need at least read permission

269

if not HasPermissionAnyMiddleware('repository.read',

269

if not HasPermissionAnyMiddleware('repository.read',

270

'repository.write',

270

'repository.write',

271

'repository.admin')(user,

271

'repository.admin')(user,

272

repo_name):

272

repo_name):

273

return False

273

return False

274

275

return True

275

return True

276

277

def _check_ssl(self, environ, start_response):

277

def _check_ssl(self, environ, start_response):

278

"""

278

"""

279

Checks the SSL check flag and returns False if SSL is not present

279

Checks the SSL check flag and returns False if SSL is not present

280

and required True otherwise

280

and required True otherwise

281

"""

281

"""

282

org_proto = environ['wsgi._org_proto']

282

org_proto = environ['wsgi._org_proto']

283

# check if we have SSL required ! if not it's a bad request !

283

# check if we have SSL required ! if not it's a bad request !

284

require_ssl = str2bool(self.repo_vcs_config.get('web', 'push_ssl'))

284

require_ssl = str2bool(self.repo_vcs_config.get('web', 'push_ssl'))

285

if require_ssl and org_proto == 'http':

285

if require_ssl and org_proto == 'http':

286

log.debug('proto is %s and SSL is required BAD REQUEST !',

286

log.debug('proto is %s and SSL is required BAD REQUEST !',

287

org_proto)

287

org_proto)

288

return False

288

return False

289

return True

289

return True

290

291

def __call__(self, environ, start_response):

291

def __call__(self, environ, start_response):

292

try:

292

try:

293

return self._handle_request(environ, start_response)

293

return self._handle_request(environ, start_response)

294

except Exception:

294

except Exception:

295

log.exception("Exception while handling request")

295

log.exception("Exception while handling request")

296

appenlight.track_exception(environ)

296

appenlight.track_exception(environ)

297

return HTTPInternalServerError()(environ, start_response)

297

return HTTPInternalServerError()(environ, start_response)

298

finally:

298

finally:

299

meta.Session.remove()

299

meta.Session.remove()

300

301

def _handle_request(self, environ, start_response):

301

def _handle_request(self, environ, start_response):

302

303

if not self._check_ssl(environ, start_response):

303

if not self._check_ssl(environ, start_response):

304

reason = ('SSL required, while RhodeCode was unable '

304

reason = ('SSL required, while RhodeCode was unable '

305

'to detect this as SSL request')

305

'to detect this as SSL request')

306

log.debug('User not allowed to proceed, %s', reason)

306

log.debug('User not allowed to proceed, %s', reason)

307

return HTTPNotAcceptable(reason)(environ, start_response)

307

return HTTPNotAcceptable(reason)(environ, start_response)

308

309

if not self.url_repo_name:

309

if not self.url_repo_name:

310

log.warning('Repository name is empty: %s', self.url_repo_name)

310

log.warning('Repository name is empty: %s', self.url_repo_name)

311

# failed to get repo name, we fail now

311

# failed to get repo name, we fail now

312

return HTTPNotFound()(environ, start_response)

312

return HTTPNotFound()(environ, start_response)

313

log.debug('Extracted repo name is %s', self.url_repo_name)

313

log.debug('Extracted repo name is %s', self.url_repo_name)

314

315

ip_addr = get_ip_addr(environ)

315

ip_addr = get_ip_addr(environ)

316

username = None

316

username = None

317

318

# skip passing error to error controller

318

# skip passing error to error controller

319

environ['pylons.status_code_redirect'] = True

319

environ['pylons.status_code_redirect'] = True

320

321

# ======================================================================

321

# ======================================================================

322

# GET ACTION PULL or PUSH

322

# GET ACTION PULL or PUSH

323

# ======================================================================

323

# ======================================================================

324

action = self._get_action(environ)

324

action = self._get_action(environ)

325

326

# ======================================================================

326

# ======================================================================

327

# Check if this is a request to a shadow repository of a pull request.

327

# Check if this is a request to a shadow repository of a pull request.

328

# In this case only pull action is allowed.

328

# In this case only pull action is allowed.

329

# ======================================================================

329

# ======================================================================

330

if self.is_shadow_repo and action != 'pull':

330

if self.is_shadow_repo and action != 'pull':

331

reason = 'Only pull action is allowed for shadow repositories.'

331

reason = 'Only pull action is allowed for shadow repositories.'

332

log.debug('User not allowed to proceed, %s', reason)

332

log.debug('User not allowed to proceed, %s', reason)

333

return HTTPNotAcceptable(reason)(environ, start_response)

333

return HTTPNotAcceptable(reason)(environ, start_response)

334

335

# ======================================================================

335

# ======================================================================

336

# CHECK ANONYMOUS PERMISSION

336

# CHECK ANONYMOUS PERMISSION

337

# ======================================================================

337

# ======================================================================

338

if action in ['pull', 'push']:

338

if action in ['pull', 'push']:

339

anonymous_user = User.get_default_user()

339

anonymous_user = User.get_default_user()

340

username = anonymous_user.username

340

username = anonymous_user.username

341

if anonymous_user.active:

341

if anonymous_user.active:

342

# ONLY check permissions if the user is activated

342

# ONLY check permissions if the user is activated

343

anonymous_perm = self._check_permission(

343

anonymous_perm = self._check_permission(

344

action, anonymous_user, self.acl_repo_name, ip_addr)

344

action, anonymous_user, self.acl_repo_name, ip_addr)

345

else:

345

else:

346

anonymous_perm = False

346

anonymous_perm = False

347

348

if not anonymous_user.active or not anonymous_perm:

348

if not anonymous_user.active or not anonymous_perm:

349

if not anonymous_user.active:

349

if not anonymous_user.active:

350

log.debug('Anonymous access is disabled, running '

350

log.debug('Anonymous access is disabled, running '

351

'authentication')

351

'authentication')

352

353

if not anonymous_perm:

353

if not anonymous_perm:

354

log.debug('Not enough credentials to access this '

354

log.debug('Not enough credentials to access this '

355

'repository as anonymous user')

355

'repository as anonymous user')

356

357

username = None

357

username = None

358

# ==============================================================

358

# ==============================================================

359

# DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE

359

# DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE

360

# NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS

360

# NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS

361

# ==============================================================

361

# ==============================================================

362

363

# try to auth based on environ, container auth methods

363

# try to auth based on environ, container auth methods

364

log.debug('Running PRE-AUTH for container based authentication')

364

log.debug('Running PRE-AUTH for container based authentication')

365

pre_auth = authenticate(

365

pre_auth = authenticate(

366

'', '', environ, VCS_TYPE, registry=self.registry)

366

'', '', environ, VCS_TYPE, registry=self.registry)

367

if pre_auth and pre_auth.get('username'):

367

if pre_auth and pre_auth.get('username'):

368

username = pre_auth['username']

368

username = pre_auth['username']

369

log.debug('PRE-AUTH got %s as username', username)

369

log.debug('PRE-AUTH got %s as username', username)

370

371

# If not authenticated by the container, running basic auth

371

# If not authenticated by the container, running basic auth

372

if not username:

372

if not username:

373

self.authenticate.realm = get_rhodecode_realm()

373

self.authenticate.realm = get_rhodecode_realm()

374

375

try:

375

try:

376

result = self.authenticate(environ)

376

result = self.authenticate(environ)

377

except (UserCreationError, NotAllowedToCreateUserError) as e:

377

except (UserCreationError, NotAllowedToCreateUserError) as e:

378

log.error(e)

378

log.error(e)

379

reason = safe_str(e)

379

reason = safe_str(e)

380

return HTTPNotAcceptable(reason)(environ, start_response)

380

return HTTPNotAcceptable(reason)(environ, start_response)

381

382

if isinstance(result, str):

382

if isinstance(result, str):

383

AUTH_TYPE.update(environ, 'basic')

383

AUTH_TYPE.update(environ, 'basic')

384

REMOTE_USER.update(environ, result)

384

REMOTE_USER.update(environ, result)

385

username = result

385

username = result

386

else:

386

else:

387

return result.wsgi_application(environ, start_response)

387

return result.wsgi_application(environ, start_response)

388

389

# ==============================================================

389

# ==============================================================

390

# CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME

390

# CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME

391

# ==============================================================

391

# ==============================================================

392

user = User.get_by_username(username)

392

user = User.get_by_username(username)

393

if not self.valid_and_active_user(user):

393

if not self.valid_and_active_user(user):

394

return HTTPForbidden()(environ, start_response)

394

return HTTPForbidden()(environ, start_response)

395

username = user.username

395

username = user.username

396

user.update_lastactivity()

396

user.update_lastactivity()

397

meta.Session().commit()

397

meta.Session().commit()

398

399

# check user attributes for password change flag

399

# check user attributes for password change flag

400

user_obj = user

400

user_obj = user

401

if user_obj and user_obj.username != User.DEFAULT_USER and \

401

if user_obj and user_obj.username != User.DEFAULT_USER and \

402

user_obj.user_data.get('force_password_change'):

402

user_obj.user_data.get('force_password_change'):

403

reason = 'password change required'

403

reason = 'password change required'

404

log.debug('User not allowed to authenticate, %s', reason)

404

log.debug('User not allowed to authenticate, %s', reason)

405

return HTTPNotAcceptable(reason)(environ, start_response)

405

return HTTPNotAcceptable(reason)(environ, start_response)

406

407

# check permissions for this repository

407

# check permissions for this repository

408

perm = self._check_permission(

408

perm = self._check_permission(

409

action, user, self.acl_repo_name, ip_addr)

409

action, user, self.acl_repo_name, ip_addr)

410

if not perm:

410

if not perm:

411

return HTTPForbidden()(environ, start_response)

411

return HTTPForbidden()(environ, start_response)

412

413

# extras are injected into UI object and later available

413

# extras are injected into UI object and later available

414

# in hooks executed by rhodecode

414

# in hooks executed by rhodecode

415

check_locking = _should_check_locking(environ.get('QUERY_STRING'))

415

check_locking = _should_check_locking(environ.get('QUERY_STRING'))

416

extras = vcs_operation_context(

416

extras = vcs_operation_context(

417

environ, repo_name=self.acl_repo_name, username=username,

417

environ, repo_name=self.acl_repo_name, username=username,

418

action=action, scm=self.SCM, check_locking=check_locking,

418

action=action, scm=self.SCM, check_locking=check_locking,

419

is_shadow_repo=self.is_shadow_repo

419

is_shadow_repo=self.is_shadow_repo

420

)

420

)

421

422

# ======================================================================

422

# ======================================================================

423

# REQUEST HANDLING

423

# REQUEST HANDLING

424

# ======================================================================

424

# ======================================================================

425

repo_path = os.path.join(

425

repo_path = os.path.join(

426

safe_str(self.basepath), safe_str(self.vcs_repo_name))

426

safe_str(self.basepath), safe_str(self.vcs_repo_name))

427

log.debug('Repository path is %s', repo_path)

427

log.debug('Repository path is %s', repo_path)

428

429

fix_PATH()

429

fix_PATH()

430

431

log.info(

431

log.info(

432

'%s action on %s repo "%s" by "%s" from %s',

432

'%s action on %s repo "%s" by "%s" from %s',

433

action, self.SCM, safe_str(self.url_repo_name),

433

action, self.SCM, safe_str(self.url_repo_name),

434

safe_str(username), ip_addr)

434

safe_str(username), ip_addr)

435

436

return self._generate_vcs_response(

436

return self._generate_vcs_response(

437

environ, start_response, repo_path, extras, action)

437

environ, start_response, repo_path, extras, action)

438

439

@initialize_generator

439

@initialize_generator

440

def _generate_vcs_response(

440

def _generate_vcs_response(

441

self, environ, start_response, repo_path, extras, action):

441

self, environ, start_response, repo_path, extras, action):

442

"""

442

"""

443

Returns a generator for the response content.

443

Returns a generator for the response content.

444

445

This method is implemented as a generator, so that it can trigger

445

This method is implemented as a generator, so that it can trigger

446

the cache validation after all content sent back to the client. It

446

the cache validation after all content sent back to the client. It

447

also handles the locking exceptions which will be triggered when

447

also handles the locking exceptions which will be triggered when

448

the first chunk is produced by the underlying WSGI application.

448

the first chunk is produced by the underlying WSGI application.

449

"""

449

"""

450

callback_daemon, extras = self._prepare_callback_daemon(extras)

450

callback_daemon, extras = self._prepare_callback_daemon(extras)

451

config = self._create_config(extras, self.acl_repo_name)

451

config = self._create_config(extras, self.acl_repo_name)

452

log.debug('HOOKS extras is %s', extras)

452

log.debug('HOOKS extras is %s', extras)

453

app = self._create_wsgi_app(repo_path, self.url_repo_name, config)

453

app = self._create_wsgi_app(repo_path, self.url_repo_name, config)

454

455

try:

455

try:

456

with callback_daemon:

456

with callback_daemon:

457

try:

457

try:

458

response = app(environ, start_response)

458

response = app(environ, start_response)

459

finally:

459

finally:

460

# This statement works together with the decorator

460

# This statement works together with the decorator

461

# "initialize_generator" above. The decorator ensures that

461

# "initialize_generator" above. The decorator ensures that

462

# we hit the first yield statement before the generator is

462

# we hit the first yield statement before the generator is

463

# returned back to the WSGI server. This is needed to

463

# returned back to the WSGI server. This is needed to

464

# ensure that the call to "app" above triggers the

464

# ensure that the call to "app" above triggers the

465

# needed callback to "start_response" before the

465

# needed callback to "start_response" before the

466

# generator is actually used.

466

# generator is actually used.

467

yield "__init__"

467

yield "__init__"

468

469

for chunk in response:

469

for chunk in response:

470

yield chunk

470

yield chunk

471

except Exception as exc:

471

except Exception as exc:

472

# TODO: martinb: Exceptions are only raised in case of the Pyro4

472

# TODO: martinb: Exceptions are only raised in case of the Pyro4

473

# backend. Refactor this except block after dropping Pyro4 support.

473

# backend. Refactor this except block after dropping Pyro4 support.

474

# TODO: johbo: Improve "translating" back the exception.

474

# TODO: johbo: Improve "translating" back the exception.

475

if getattr(exc, '_vcs_kind', None) == 'repo_locked':

475

if getattr(exc, '_vcs_kind', None) == 'repo_locked':

476

exc = HTTPLockedRC(*exc.args)

476

exc = HTTPLockedRC(*exc.args)

477

_code = rhodecode.CONFIG.get('lock_ret_code')

477

_code = rhodecode.CONFIG.get('lock_ret_code')

478

log.debug('Repository LOCKED ret code %s!', (_code,))

478

log.debug('Repository LOCKED ret code %s!', (_code,))

479

elif getattr(exc, '_vcs_kind', None) == 'requirement':

479

elif getattr(exc, '_vcs_kind', None) == 'requirement':

480

log.debug(

480

log.debug(

481

'Repository requires features unknown to this Mercurial')

481

'Repository requires features unknown to this Mercurial')

482

exc = HTTPRequirementError(*exc.args)

482

exc = HTTPRequirementError(*exc.args)

483

else:

483

else:

484

raise

484

raise

485

486

for chunk in exc(environ, start_response):

486

for chunk in exc(environ, start_response):

487

yield chunk

487

yield chunk

488

finally:

488

finally:

489

# invalidate cache on push

489

# invalidate cache on push

490

try:

490

try:

491

if action == 'push':

491

if action == 'push':

492

self._invalidate_cache(self.url_repo_name)

492

self._invalidate_cache(self.url_repo_name)

493

finally:

493

finally:

494

meta.Session.remove()

494

meta.Session.remove()

495

496

def _get_repository_name(self, environ):

496

def _get_repository_name(self, environ):

497

"""Get repository name out of the environmnent

497

"""Get repository name out of the environmnent

498

499

:param environ: WSGI environment

499

:param environ: WSGI environment

500

"""

500

"""

501

raise NotImplementedError()

501

raise NotImplementedError()

502

503

def _get_action(self, environ):

503

def _get_action(self, environ):

504

"""Map request commands into a pull or push command.

504

"""Map request commands into a pull or push command.

505

506

:param environ: WSGI environment

506

:param environ: WSGI environment

507

"""

507

"""

508

raise NotImplementedError()

508

raise NotImplementedError()

509

510

def _create_wsgi_app(self, repo_path, repo_name, config):

510

def _create_wsgi_app(self, repo_path, repo_name, config):

511

"""Return the WSGI app that will finally handle the request."""

511

"""Return the WSGI app that will finally handle the request."""

512

raise NotImplementedError()

512

raise NotImplementedError()

513

514

def _create_config(self, extras, repo_name):

514

def _create_config(self, extras, repo_name):

515

"""Create a Pyro safe config representation."""

515

"""Create a Pyro safe config representation."""

516

raise NotImplementedError()

516

raise NotImplementedError()

517

518

def _prepare_callback_daemon(self, extras):

518

def _prepare_callback_daemon(self, extras):

519

return prepare_callback_daemon(

519

return prepare_callback_daemon(

520

extras, protocol=vcs_settings.HOOKS_PROTOCOL,

520

extras, protocol=vcs_settings.HOOKS_PROTOCOL,

521

use_direct_calls=vcs_settings.HOOKS_DIRECT_CALLS)

521

use_direct_calls=vcs_settings.HOOKS_DIRECT_CALLS)

522

523

524

def _should_check_locking(query_string):

524

def _should_check_locking(query_string):

525

# this is kind of hacky, but due to how mercurial handles client-server

525

# this is kind of hacky, but due to how mercurial handles client-server

526

# server see all operation on commit; bookmarks, phases and

526

# server see all operation on commit; bookmarks, phases and

527

# obsolescence marker in different transaction, we don't want to check

527

# obsolescence marker in different transaction, we don't want to check

528

# locking on those

528

# locking on those

529

return query_string not in ['cmd=listkeys']

529

return query_string not in ['cmd=listkeys']

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             # -*- coding: utf-8 -*-
             # Copyright (C) 2014-2016  RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             SimpleVCS middleware for handling protocol request (push/clone etc.)
             It's implemented with basic auth function
             """
             import os
             import logging
             import importlib
             import re
             from functools import wraps
             from paste.httpheaders import REMOTE_USER, AUTH_TYPE
             from webob.exc import (
                 HTTPNotFound, HTTPForbidden, HTTPNotAcceptable, HTTPInternalServerError)
             import rhodecode
             from rhodecode.authentication.base import authenticate, VCS_TYPE
             from rhodecode.lib.auth import AuthUser, HasPermissionAnyMiddleware
             from rhodecode.lib.base import BasicAuth, get_ip_addr, vcs_operation_context
             from rhodecode.lib.exceptions import (
                 HTTPLockedRC, HTTPRequirementError, UserCreationError,
                 NotAllowedToCreateUserError)
             from rhodecode.lib.hooks_daemon import prepare_callback_daemon
             from rhodecode.lib.middleware import appenlight
             from rhodecode.lib.middleware.utils import scm_app, scm_app_http
             from rhodecode.lib.utils import (
                 is_valid_repo, get_rhodecode_realm, get_rhodecode_base_path, SLUG_RE)
             from rhodecode.lib.utils2 import safe_str, fix_PATH, str2bool, safe_unicode
             from rhodecode.lib.vcs.conf import settings as vcs_settings
             from rhodecode.lib.vcs.backends import base
             from rhodecode.model import meta
             from rhodecode.model.db import User, Repository, PullRequest
             from rhodecode.model.scm import ScmModel
             from rhodecode.model.pull_request import PullRequestModel
             log = logging.getLogger(__name__)
             def initialize_generator(factory):
                 """
                 Initializes the returned generator by draining its first element.
                 This can be used to give a generator an initializer, which is the code
                 up to the first yield statement. This decorator enforces that the first
                 produced element has the value ``"__init__"`` to make its special
                 purpose very explicit in the using code.
                 """
                 @wraps(factory)
                 def wrapper(*args, **kwargs):
                     gen = factory(*args, **kwargs)
                     try:
                         init = gen.next()
                     except StopIteration:
                         raise ValueError('Generator must yield at least one element.')
                     if init != "__init__":
                         raise ValueError('First yielded element must be "__init__".')
                     return gen
                 return wrapper
             class SimpleVCS(object):
                 """Common functionality for SCM HTTP handlers."""
                 SCM = 'unknown'
                 acl_repo_name = None
                 url_repo_name = None
                 vcs_repo_name = None
                 # We have to handle requests to shadow repositories different than requests
                 # to normal repositories. Therefore we have to distinguish them. To do this
                 # we use this regex which will match only on URLs pointing to shadow
                 # repositories.
                 shadow_repo_re = re.compile(
                     '(?P<groups>(?:{slug_pat}/)*)'  # repo groups
                     '(?P<target>{slug_pat})/'       # target repo
                     'pull-request/(?P<pr_id>\d+)/'  # pull request
                     'repository$'                   # shadow repo
                     .format(slug_pat=SLUG_RE.pattern))
                 def __init__(self, application, config, registry):
                     self.registry = registry
                     self.application = application
                     self.config = config
                     # re-populated by specialized middleware
                     self.repo_vcs_config = base.Config()
                     # base path of repo locations
                     self.basepath = get_rhodecode_base_path()
                     # authenticate this VCS request using authfunc
                     auth_ret_code_detection = \
                         str2bool(self.config.get('auth_ret_code_detection', False))
                     self.authenticate = BasicAuth(
                         '', authenticate, registry, config.get('auth_ret_code'),
                         auth_ret_code_detection)
                     self.ip_addr = '0.0.0.0'
                 def set_repo_names(self, environ):
                     """
                     This will populate the attributes acl_repo_name, url_repo_name,
                     vcs_repo_name and is_shadow_repo. In case of requests to normal (non
                     shadow) repositories all names are equal. In case of requests to a
                     shadow repository the acl-name points to the target repo of the pull
                     request and the vcs-name points to the shadow repo file system path.
                     The url-name is always the URL used by the vcs client program.
                     Example in case of a shadow repo:
                         acl_repo_name = RepoGroup/MyRepo
                         url_repo_name = RepoGroup/MyRepo/pull-request/3/repository
                         vcs_repo_name = /repo/base/path/RepoGroup/.__shadow_MyRepo_pr-3'
                     """
                     # First we set the repo name from URL for all attributes. This is the
                     # default if handling normal (non shadow) repo requests.
                     self.url_repo_name = self._get_repository_name(environ)
                     self.acl_repo_name = self.vcs_repo_name = self.url_repo_name
                     self.is_shadow_repo = False
                     # Check if this is a request to a shadow repository.
                     match = self.shadow_repo_re.match(self.url_repo_name)
                     if match:
                         match_dict = match.groupdict()
                         # Build acl repo name from regex match.
                         acl_repo_name = safe_unicode('{groups}{target}'.format(
                             groups=match_dict['groups'] or '',
                             target=match_dict['target']))
                         # Retrieve pull request instance by ID from regex match.
                         pull_request = PullRequest.get(match_dict['pr_id'])
                         # Only proceed if we got a pull request and if acl repo name from
                         # URL equals the target repo name of the pull request.
                         if pull_request and (acl_repo_name ==
                                              pull_request.target_repo.repo_name):
                             # Get file system path to shadow repository.
                             workspace_id = PullRequestModel()._workspace_id(pull_request)
                             target_vcs = pull_request.target_repo.scm_instance()
                             vcs_repo_name = target_vcs._get_shadow_repository_path(
                                 workspace_id)
                             # Store names for later usage.
                             self.vcs_repo_name = vcs_repo_name
                             self.acl_repo_name = acl_repo_name
                             self.is_shadow_repo = True
                     log.debug('Repository names: %s', {
                         'acl_repo_name': self.acl_repo_name,
                         'url_repo_name': self.url_repo_name,
                         'vcs_repo_name': self.vcs_repo_name,
                     })
                 @property
                 def scm_app(self):
                     custom_implementation = self.config['vcs.scm_app_implementation']
                     if custom_implementation == 'http':
                         log.info('Using HTTP implementation of scm app.')
                         scm_app_impl = scm_app_http
                     elif custom_implementation == 'pyro4':
                         log.info('Using Pyro implementation of scm app.')
                         scm_app_impl = scm_app
                     else:
                         log.info('Using custom implementation of scm_app: "{}"'.format(
                             custom_implementation))
                         scm_app_impl = importlib.import_module(custom_implementation)
                     return scm_app_impl
                 def _get_by_id(self, repo_name):
                     """
                     Gets a special pattern _<ID> from clone url and tries to replace it
                     with a repository_name for support of _<ID> non changeable urls
                     """
                     data = repo_name.split('/')
                     if len(data) >= 2:
                         from rhodecode.model.repo import RepoModel
                         by_id_match = RepoModel().get_repo_by_id(repo_name)
                         if by_id_match:
                             data[1] = by_id_match.repo_name
                     return safe_str('/'.join(data))
                 def _invalidate_cache(self, repo_name):
                     """
                     Set's cache for this repository for invalidation on next access
                     :param repo_name: full repo name, also a cache key
                     """
                     ScmModel().mark_for_invalidation(repo_name)
                 def is_valid_and_existing_repo(self, repo_name, base_path, scm_type):
                     db_repo = Repository.get_by_repo_name(repo_name)
                     if not db_repo:
                         log.debug('Repository `%s` not found inside the database.',
                                   repo_name)
                         return False
                     if db_repo.repo_type != scm_type:
                         log.warning(
                             'Repository `%s` have incorrect scm_type, expected %s got %s',
                             repo_name, db_repo.repo_type, scm_type)
                         return False
-                    return is_valid_repo(repo_name, base_path, expect_scm=scm_type)
+                    return is_valid_repo(repo_name, base_path, explicit_scm=scm_type)
                 def valid_and_active_user(self, user):
                     """
                     Checks if that user is not empty, and if it's actually object it checks
                     if he's active.
                     :param user: user object or None
                     :return: boolean
                     """
                     if user is None:
                         return False
                     elif user.active:
                         return True
                     return False
                 def _check_permission(self, action, user, repo_name, ip_addr=None):
                     """
                     Checks permissions using action (push/pull) user and repository
                     name
                     :param action: push or pull action
                     :param user: user instance
                     :param repo_name: repository name
                     """
                     # check IP
                     inherit = user.inherit_default_permissions
                     ip_allowed = AuthUser.check_ip_allowed(user.user_id, ip_addr,
                                                            inherit_from_default=inherit)
                     if ip_allowed:
                         log.info('Access for IP:%s allowed', ip_addr)
                     else:
                         return False
                     if action == 'push':
                         if not HasPermissionAnyMiddleware('repository.write',
                                                           'repository.admin')(user,
                                                                               repo_name):
                             return False
                     else:
                         # any other action need at least read permission
                         if not HasPermissionAnyMiddleware('repository.read',
                                                           'repository.write',
                                                           'repository.admin')(user,
                                                                               repo_name):
                             return False
                     return True
                 def _check_ssl(self, environ, start_response):
                     """
                     Checks the SSL check flag and returns False if SSL is not present
                     and required True otherwise
                     """
                     org_proto = environ['wsgi._org_proto']
                     # check if we have SSL required  ! if not it's a bad request !
                     require_ssl = str2bool(self.repo_vcs_config.get('web', 'push_ssl'))
                     if require_ssl and org_proto == 'http':
                         log.debug('proto is %s and SSL is required BAD REQUEST !',
                                   org_proto)
                         return False
                     return True
                 def __call__(self, environ, start_response):
                     try:
                         return self._handle_request(environ, start_response)
                     except Exception:
                         log.exception("Exception while handling request")
                         appenlight.track_exception(environ)
                         return HTTPInternalServerError()(environ, start_response)
                     finally:
                         meta.Session.remove()
                 def _handle_request(self, environ, start_response):
                     if not self._check_ssl(environ, start_response):
                         reason = ('SSL required, while RhodeCode was unable '
                                   'to detect this as SSL request')
                         log.debug('User not allowed to proceed, %s', reason)
                         return HTTPNotAcceptable(reason)(environ, start_response)
                     if not self.url_repo_name:
                         log.warning('Repository name is empty: %s', self.url_repo_name)
                         # failed to get repo name, we fail now
                         return HTTPNotFound()(environ, start_response)
                     log.debug('Extracted repo name is %s', self.url_repo_name)
                     ip_addr = get_ip_addr(environ)
                     username = None
                     # skip passing error to error controller
                     environ['pylons.status_code_redirect'] = True
                     # ======================================================================
                     # GET ACTION PULL or PUSH
                     # ======================================================================
                     action = self._get_action(environ)
                     # ======================================================================
                     # Check if this is a request to a shadow repository of a pull request.
                     # In this case only pull action is allowed.
                     # ======================================================================
                     if self.is_shadow_repo and action != 'pull':
                         reason = 'Only pull action is allowed for shadow repositories.'
                         log.debug('User not allowed to proceed, %s', reason)
                         return HTTPNotAcceptable(reason)(environ, start_response)
                     # ======================================================================
                     # CHECK ANONYMOUS PERMISSION
                     # ======================================================================
                     if action in ['pull', 'push']:
                         anonymous_user = User.get_default_user()
                         username = anonymous_user.username
                         if anonymous_user.active:
                             # ONLY check permissions if the user is activated
                             anonymous_perm = self._check_permission(
                                 action, anonymous_user, self.acl_repo_name, ip_addr)
                         else:
                             anonymous_perm = False
                         if not anonymous_user.active or not anonymous_perm:
                             if not anonymous_user.active:
                                 log.debug('Anonymous access is disabled, running '
                                           'authentication')
                             if not anonymous_perm:
                                 log.debug('Not enough credentials to access this '
                                           'repository as anonymous user')
                             username = None
                             # ==============================================================
                             # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE
                             # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS
                             # ==============================================================
                             # try to auth based on environ, container auth methods
                             log.debug('Running PRE-AUTH for container based authentication')
                             pre_auth = authenticate(
                                 '', '', environ, VCS_TYPE, registry=self.registry)
                             if pre_auth and pre_auth.get('username'):
                                 username = pre_auth['username']
                             log.debug('PRE-AUTH got %s as username', username)
                             # If not authenticated by the container, running basic auth
                             if not username:
                                 self.authenticate.realm = get_rhodecode_realm()
                                 try:
                                     result = self.authenticate(environ)
                                 except (UserCreationError, NotAllowedToCreateUserError) as e:
                                     log.error(e)
                                     reason = safe_str(e)
                                     return HTTPNotAcceptable(reason)(environ, start_response)
                                 if isinstance(result, str):
                                     AUTH_TYPE.update(environ, 'basic')
                                     REMOTE_USER.update(environ, result)
                                     username = result
                                 else:
                                     return result.wsgi_application(environ, start_response)
                             # ==============================================================
                             # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME
                             # ==============================================================
                             user = User.get_by_username(username)
                             if not self.valid_and_active_user(user):
                                 return HTTPForbidden()(environ, start_response)
                             username = user.username
                             user.update_lastactivity()
                             meta.Session().commit()
                             # check user attributes for password change flag
                             user_obj = user
                             if user_obj and user_obj.username != User.DEFAULT_USER and \
                                     user_obj.user_data.get('force_password_change'):
                                 reason = 'password change required'
                                 log.debug('User not allowed to authenticate, %s', reason)
                                 return HTTPNotAcceptable(reason)(environ, start_response)
                             # check permissions for this repository
                             perm = self._check_permission(
                                 action, user, self.acl_repo_name, ip_addr)
                             if not perm:
                                 return HTTPForbidden()(environ, start_response)
                     # extras are injected into UI object and later available
                     # in hooks executed by rhodecode
                     check_locking = _should_check_locking(environ.get('QUERY_STRING'))
                     extras = vcs_operation_context(
                         environ, repo_name=self.acl_repo_name, username=username,
                         action=action, scm=self.SCM, check_locking=check_locking,
                         is_shadow_repo=self.is_shadow_repo
                     )
                     # ======================================================================
                     # REQUEST HANDLING
                     # ======================================================================
                     repo_path = os.path.join(
                         safe_str(self.basepath), safe_str(self.vcs_repo_name))
                     log.debug('Repository path is %s', repo_path)
                     fix_PATH()
                     log.info(
                         '%s action on %s repo "%s" by "%s" from %s',
                         action, self.SCM, safe_str(self.url_repo_name),
                         safe_str(username), ip_addr)
                     return self._generate_vcs_response(
                         environ, start_response, repo_path, extras, action)
                 @initialize_generator
                 def _generate_vcs_response(
                         self, environ, start_response, repo_path, extras, action):
                     """
                     Returns a generator for the response content.
                     This method is implemented as a generator, so that it can trigger
                     the cache validation after all content sent back to the client. It
                     also handles the locking exceptions which will be triggered when
                     the first chunk is produced by the underlying WSGI application.
                     """
                     callback_daemon, extras = self._prepare_callback_daemon(extras)
                     config = self._create_config(extras, self.acl_repo_name)
                     log.debug('HOOKS extras is %s', extras)
                     app = self._create_wsgi_app(repo_path, self.url_repo_name, config)
                     try:
                         with callback_daemon:
                             try:
                                 response = app(environ, start_response)
                             finally:
                                 # This statement works together with the decorator
                                 # "initialize_generator" above. The decorator ensures that
                                 # we hit the first yield statement before the generator is
                                 # returned back to the WSGI server. This is needed to
                                 # ensure that the call to "app" above triggers the
                                 # needed callback to "start_response" before the
                                 # generator is actually used.
                                 yield "__init__"
                             for chunk in response:
                                 yield chunk
                     except Exception as exc:
                         # TODO: martinb: Exceptions are only raised in case of the Pyro4
                         # backend. Refactor this except block after dropping Pyro4 support.
                         # TODO: johbo: Improve "translating" back the exception.
                         if getattr(exc, '_vcs_kind', None) == 'repo_locked':
                             exc = HTTPLockedRC(*exc.args)
                             _code = rhodecode.CONFIG.get('lock_ret_code')
                             log.debug('Repository LOCKED ret code %s!', (_code,))
                         elif getattr(exc, '_vcs_kind', None) == 'requirement':
                             log.debug(
                                 'Repository requires features unknown to this Mercurial')
                             exc = HTTPRequirementError(*exc.args)
                         else:
                             raise
                         for chunk in exc(environ, start_response):
                             yield chunk
                     finally:
                         # invalidate cache on push
                         try:
                             if action == 'push':
                                 self._invalidate_cache(self.url_repo_name)
                         finally:
                             meta.Session.remove()
                 def _get_repository_name(self, environ):
                     """Get repository name out of the environmnent
                     :param environ: WSGI environment
                     """
                     raise NotImplementedError()
                 def _get_action(self, environ):
                     """Map request commands into a pull or push command.
                     :param environ: WSGI environment
                     """
                     raise NotImplementedError()
                 def _create_wsgi_app(self, repo_path, repo_name, config):
                     """Return the WSGI app that will finally handle the request."""
                     raise NotImplementedError()
                 def _create_config(self, extras, repo_name):
                     """Create a Pyro safe config representation."""
                     raise NotImplementedError()
                 def _prepare_callback_daemon(self, extras):
                     return prepare_callback_daemon(
                         extras, protocol=vcs_settings.HOOKS_PROTOCOL,
                         use_direct_calls=vcs_settings.HOOKS_DIRECT_CALLS)
             def _should_check_locking(query_string):
                 # this is kind of hacky, but due to how mercurial handles client-server
                 # server see all operation on commit; bookmarks, phases and
                 # obsolescence marker in different transaction, we don't want to check
                 # locking on those
                 return query_string not in ['cmd=listkeys']