upstream/kallithea Commit - r7677:6da70f45

ssh: introduce ini setting 'ssh_enabled', disabled by default...

Thomas De Schampheleire -

r7677:6da70f45 default

parent child

development.ini

0 +7 0

             ################################################################################
             ################################################################################
             # Kallithea - config file generated with kallithea-config                      #
             #                                                                              #
             # The %(here)s variable will be replaced with the parent directory of this file#
             ################################################################################
             ################################################################################
             [DEFAULT]
             ################################################################################
             ## Email settings                                                             ##
             ##                                                                            ##
             ## Refer to the documentation ("Email settings") for more details.            ##
             ##                                                                            ##
             ## It is recommended to use a valid sender address that passes access         ##
             ## validation and spam filtering in mail servers.                             ##
             ################################################################################
             ## 'From' header for application emails. You can optionally add a name.
             ## Default:
             #app_email_from = Kallithea
             ## Examples:
             #app_email_from = Kallithea <kallithea-noreply@example.com>
             #app_email_from = kallithea-noreply@example.com
             ## Subject prefix for application emails.
             ## A space between this prefix and the real subject is automatically added.
             ## Default:
             #email_prefix =
             ## Example:
             #email_prefix = [Kallithea]
             ## Recipients for error emails and fallback recipients of application mails.
             ## Multiple addresses can be specified, comma-separated.
             ## Only addresses are allowed, do not add any name part.
             ## Default:
             #email_to =
             ## Examples:
             #email_to = admin@example.com
             #email_to = admin@example.com,another_admin@example.com
             email_to =
             ## 'From' header for error emails. You can optionally add a name.
             ## Default: (none)
             ## Examples:
             #error_email_from = Kallithea Errors <kallithea-noreply@example.com>
             #error_email_from = kallithea_errors@example.com
             error_email_from =
             ## SMTP server settings
             ## If specifying credentials, make sure to use secure connections.
             ## Default: Send unencrypted unauthenticated mails to the specified smtp_server.
             ## For "SSL", use smtp_use_ssl = true and smtp_port = 465.
             ## For "STARTTLS", use smtp_use_tls = true and smtp_port = 587.
             smtp_server =
             #smtp_username =
             #smtp_password =
             smtp_port =
             #smtp_use_ssl = false
             #smtp_use_tls = false
             ## Entry point for 'gearbox serve'
             [server:main]
             #host = 127.0.0.1
             host = 0.0.0.0
             port = 5000
             ## WAITRESS ##
             use = egg:waitress#main
             ## number of worker threads
             threads = 1
             ## MAX BODY SIZE 100GB
             max_request_body_size = 107374182400
             ## use poll instead of select, fixes fd limits, may not work on old
             ## windows systems.
             #asyncore_use_poll = True
             ## middleware for hosting the WSGI application under a URL prefix
             #[filter:proxy-prefix]
             #use = egg:PasteDeploy#prefix
             #prefix = /<your-prefix>
             [app:main]
             use = egg:kallithea
             ## enable proxy prefix middleware
             #filter-with = proxy-prefix
             full_stack = true
             static_files = true
             ## Internationalization (see setup documentation for details)
             ## By default, the language requested by the browser is used if available.
             #i18n.enabled = false
             ## Fallback language, empty for English (valid values are the names of subdirectories in kallithea/i18n):
             i18n.lang =
             cache_dir = %(here)s/data
             index_dir = %(here)s/data/index
             ## uncomment and set this path to use archive download cache
             archive_cache_dir = %(here)s/tarballcache
             ## change this to unique ID for security
             #app_instance_uuid = VERY-SECRET
             app_instance_uuid = development-not-secret
             ## cut off limit for large diffs (size in bytes)
             cut_off_limit = 256000
             ## force https in Kallithea, fixes https redirects, assumes it's always https
             force_https = false
             ## use Strict-Transport-Security headers
             use_htsts = false
             ## number of commits stats will parse on each iteration
             commit_parse_limit = 25
             ## Path to Python executable to be used for git hooks.
             ## This value will be written inside the git hook scripts as the text
             ## after '#!' (shebang). When empty or not defined, the value of
             ## 'sys.executable' at the time of installation of the git hooks is
             ## used, which is correct in many cases but for example not when using uwsgi.
             ## If you change this setting, you should reinstall the Git hooks via
             ## Admin > Settings > Remap and Rescan.
             # git_hook_interpreter = /srv/kallithea/venv/bin/python2
             ## path to git executable
             git_path = git
             ## git rev filter option, --all is the default filter, if you need to
             ## hide all refs in changelog switch this to --branches --tags
             #git_rev_filter = --branches --tags
             ## RSS feed options
             rss_cut_off_limit = 256000
             rss_items_per_page = 10
             rss_include_diff = false
             ## options for showing and identifying changesets
             show_sha_length = 12
             show_revision_number = false
             ## Canonical URL to use when creating full URLs in UI and texts.
             ## Useful when the site is available under different names or protocols.
             ## Defaults to what is provided in the WSGI environment.
             #canonical_url = https://kallithea.example.com/repos
             ## gist URL alias, used to create nicer urls for gist. This should be an
             ## url that does rewrites to _admin/gists/<gistid>.
             ## example: http://gist.example.com/{gistid}. Empty means use the internal
             ## Kallithea url, ie. http[s]://kallithea.example.com/_admin/gists/<gistid>
             gist_alias_url =
             ## default encoding used to convert from and to unicode
             ## can be also a comma separated list of encoding in case of mixed encodings
             default_encoding = utf-8
             ## Set Mercurial encoding, similar to setting HGENCODING before launching Kallithea
             hgencoding = utf-8
             ## issue tracker for Kallithea (leave blank to disable, absent for default)
             #bugtracker = https://bitbucket.org/conservancy/kallithea/issues
             ## issue tracking mapping for commit messages, comments, PR descriptions, ...
             ## Refer to the documentation ("Integration with issue trackers") for more details.
             ## regular expression to match issue references
             ## This pattern may/should contain parenthesized groups, that can
             ## be referred to in issue_server_link or issue_sub using Python backreferences
             ## (e.g. \1, \2, ...). You can also create named groups with '(?P<groupname>)'.
             ## To require mandatory whitespace before the issue pattern, use:
             ## (?:^|(?<=\s)) before the actual pattern, and for mandatory whitespace
             ## behind the issue pattern, use (?:$|(?=\s)) after the actual pattern.
             issue_pat = #(\d+)
             ## server url to the issue
             ## This pattern may/should contain backreferences to parenthesized groups in issue_pat.
             ## A backreference can be \1, \2, ... or \g<groupname> if you specified a named group
             ## called 'groupname' in issue_pat.
             ## The special token {repo} is replaced with the full repository name
             ## including repository groups, while {repo_name} is replaced with just
             ## the name of the repository.
             issue_server_link = https://issues.example.com/{repo}/issue/\1
             ## substitution pattern to use as the link text
             ## If issue_sub is empty, the text matched by issue_pat is retained verbatim
             ## for the link text. Otherwise, the link text is that of issue_sub, with any
             ## backreferences to groups in issue_pat replaced.
             issue_sub =
             ## issue_pat, issue_server_link and issue_sub can have suffixes to specify
             ## multiple patterns, to other issues server, wiki or others
             ## below an example how to create a wiki pattern
             # wiki-some-id -> https://wiki.example.com/some-id
             #issue_pat_wiki = wiki-(\S+)
             #issue_server_link_wiki = https://wiki.example.com/\1
             #issue_sub_wiki = WIKI-\1
             ## alternative return HTTP header for failed authentication. Default HTTP
             ## response is 401 HTTPUnauthorized. Currently Mercurial clients have trouble with
             ## handling that. Set this variable to 403 to return HTTPForbidden
             auth_ret_code =
             ## allows to change the repository location in settings page
             allow_repo_location_change = True
             ## allows to setup custom hooks in settings page
             allow_custom_hooks_settings = True
             ## extra extensions for indexing, space separated and without the leading '.'.
             # index.extensions =
             #    gemfile
             #    lock
             ## extra filenames for indexing, space separated
             # index.filenames =
             #    .dockerignore
             #    .editorconfig
             #    INSTALL
             #    CHANGELOG
             ####################################
+            ###           SSH CONFIG        ####
+            ####################################
+            ## SSH is disabled by default, until an Administrator decides to enable it.
+            ssh_enabled = false
+            ####################################
             ###        CELERY CONFIG        ####
             ####################################
             use_celery = false
             ## Example: connect to the virtual host 'rabbitmqhost' on localhost as rabbitmq:
             broker.url = amqp://rabbitmq:qewqew@localhost:5672/rabbitmqhost
             celery.imports = kallithea.lib.celerylib.tasks
             celery.accept.content = pickle
             celery.result.backend = amqp
             celery.result.dburi = amqp://
             celery.result.serialier = json
             #celery.send.task.error.emails = true
             #celery.amqp.task.result.expires = 18000
             celeryd.concurrency = 2
             celeryd.max.tasks.per.child = 1
             ## If true, tasks will never be sent to the queue, but executed locally instead.
             celery.always.eager = false
             ####################################
             ###         BEAKER CACHE        ####
             ####################################
             beaker.cache.data_dir = %(here)s/data/cache/data
             beaker.cache.lock_dir = %(here)s/data/cache/lock
             beaker.cache.regions = short_term,long_term,sql_cache_short
             beaker.cache.short_term.type = memory
             beaker.cache.short_term.expire = 60
             beaker.cache.short_term.key_length = 256
             beaker.cache.long_term.type = memory
             beaker.cache.long_term.expire = 36000
             beaker.cache.long_term.key_length = 256
             beaker.cache.sql_cache_short.type = memory
             beaker.cache.sql_cache_short.expire = 10
             beaker.cache.sql_cache_short.key_length = 256
             ####################################
             ###       BEAKER SESSION        ####
             ####################################
             ## Name of session cookie. Should be unique for a given host and path, even when running
             ## on different ports. Otherwise, cookie sessions will be shared and messed up.
             session.key = kallithea
             ## Sessions should always only be accessible by the browser, not directly by JavaScript.
             session.httponly = true
             ## Session lifetime. 2592000 seconds is 30 days.
             session.timeout = 2592000
             ## Server secret used with HMAC to ensure integrity of cookies.
             #session.secret = VERY-SECRET
             session.secret = development-not-secret
             ## Further, encrypt the data with AES.
             #session.encrypt_key = <key_for_encryption>
             #session.validate_key = <validation_key>
             ## Type of storage used for the session, current types are
             ## dbm, file, memcached, database, and memory.
             ## File system storage of session data. (default)
             #session.type = file
             ## Cookie only, store all session data inside the cookie. Requires secure secrets.
             #session.type = cookie
             ## Database storage of session data.
             #session.type = ext:database
             #session.sa.url = postgresql://postgres:qwe@localhost/kallithea
             #session.table_name = db_session
             ############################
             ## ERROR HANDLING SYSTEMS ##
             ############################
             # Propagate email settings to ErrorReporter of TurboGears2
             # You do not normally need to change these lines
             get trace_errors.error_email = email_to
             get trace_errors.smtp_server = smtp_server
             get trace_errors.smtp_port = smtp_port
             get trace_errors.from_address = error_email_from
             ################################################################################
             ## WARNING: *DEBUG MODE MUST BE OFF IN A PRODUCTION ENVIRONMENT*              ##
             ## Debug mode will enable the interactive debugging tool, allowing ANYONE to  ##
             ## execute malicious code after an exception is raised.                       ##
             ################################################################################
             #debug = false
             debug = true
             ##################################
             ###       LOGVIEW CONFIG       ###
             ##################################
             logview.sqlalchemy = #faa
             logview.pylons.templating = #bfb
             logview.pylons.util = #eee
             #########################################################
             ### DB CONFIGS - EACH DB WILL HAVE IT'S OWN CONFIG    ###
             #########################################################
             # SQLITE [default]
             sqlalchemy.url = sqlite:///%(here)s/kallithea.db?timeout=60
             # see sqlalchemy docs for others
             sqlalchemy.pool_recycle = 3600
             ################################
             ### ALEMBIC CONFIGURATION   ####
             ################################
             [alembic]
             script_location = kallithea:alembic
             ################################
             ### LOGGING CONFIGURATION   ####
             ################################
             [loggers]
             keys = root, routes, kallithea, sqlalchemy, tg, gearbox, beaker, templates, whoosh_indexer, werkzeug, backlash
             [handlers]
             keys = console, console_color, console_color_sql, null
             [formatters]
             keys = generic, color_formatter, color_formatter_sql
             #############
             ## LOGGERS ##
             #############
             [logger_root]
             level = NOTSET
             #handlers = console
             handlers = console_color
             # For coloring based on log level:
             # handlers = console_color
             [logger_routes]
             #level = WARN
             level = DEBUG
             handlers =
             qualname = routes.middleware
             ## "level = DEBUG" logs the route matched and routing variables.
             [logger_beaker]
             #level = WARN
             level = DEBUG
             handlers =
             qualname = beaker.container
             [logger_templates]
             #level = WARN
             level = INFO
             handlers =
             qualname = pylons.templating
             [logger_kallithea]
             #level = WARN
             level = DEBUG
             handlers =
             qualname = kallithea
             [logger_tg]
             #level = WARN
             level = DEBUG
             handlers =
             qualname = tg
             [logger_gearbox]
             #level = WARN
             level = DEBUG
             handlers =
             qualname = gearbox
             [logger_sqlalchemy]
             level = WARN
             handlers =
             qualname = sqlalchemy.engine
             # For coloring based on log level and pretty printing of SQL:
             # level = INFO
             # handlers = console_color_sql
             # propagate = 0
             [logger_whoosh_indexer]
             #level = WARN
             level = DEBUG
             handlers =
             qualname = whoosh_indexer
             [logger_werkzeug]
             level = WARN
             handlers =
             qualname = werkzeug
             [logger_backlash]
             level = WARN
             handlers =
             qualname = backlash
             ##############
             ## HANDLERS ##
             ##############
             [handler_console]
             class = StreamHandler
             args = (sys.stderr,)
             formatter = generic
             [handler_console_color]
             # ANSI color coding based on log level
             class = StreamHandler
             args = (sys.stderr,)
             formatter = color_formatter
             [handler_console_color_sql]
             # ANSI color coding and pretty printing of SQL statements
             class = StreamHandler
             args = (sys.stderr,)
             formatter = color_formatter_sql
             [handler_null]
             class = NullHandler
             args = ()
             ################
             ## FORMATTERS ##
             ################
             [formatter_generic]
             format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S
             [formatter_color_formatter]
             class = kallithea.lib.colored_formatter.ColorFormatter
             format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S
             [formatter_color_formatter_sql]
             class = kallithea.lib.colored_formatter.ColorFormatterSql
             format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S

kallithea/lib/base.py

0 +13 0

             # -*- coding: utf-8 -*-
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU General Public License as published by
             # the Free Software Foundation, either version 3 of the License, or
             # (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             """
             kallithea.lib.base
             ~~~~~~~~~~~~~~~~~~
             The base Controller API
             Provides the BaseController class for subclassing. And usage in different
             controllers
             This file was forked by the Kallithea project in July 2014.
             Original author and date, and relevant copyright and licensing information is below:
             :created_on: Oct 06, 2010
             :author: marcink
             :copyright: (c) 2013 RhodeCode GmbH, and others.
             :license: GPLv3, see LICENSE.md for more details.
             """
             import datetime
             import decorator
             import logging
             import time
             import traceback
             import warnings
             import webob.exc
             import paste.httpexceptions
             import paste.auth.basic
             import paste.httpheaders
             from webhelpers.pylonslib import secure_form
             from tg import config, tmpl_context as c, request, response, session, render_template
             from tg import TGController
             from tg.i18n import ugettext as _
             from kallithea import __version__, BACKENDS
             from kallithea.config.routing import url
             from kallithea.lib.utils2 import str2bool, safe_unicode, AttributeDict, \
                 safe_str, safe_int, set_hook_environment
             from kallithea.lib import auth_modules
             from kallithea.lib.auth import AuthUser, HasPermissionAnyMiddleware
             from kallithea.lib.compat import json
             from kallithea.lib.utils import get_repo_slug, is_valid_repo
             from kallithea.lib.exceptions import UserCreationError
             from kallithea.lib.vcs.exceptions import RepositoryError, EmptyRepositoryError, ChangesetDoesNotExistError
             from kallithea.model import meta
             from kallithea.model.db import PullRequest, Repository, User, Setting
             from kallithea.model.scm import ScmModel
             log = logging.getLogger(__name__)
             def render(template_path):
                 return render_template({'url': url}, 'mako', template_path)
             def _filter_proxy(ip):
                 """
                 HEADERS can have multiple ips inside the left-most being the original
                 client, and each successive proxy that passed the request adding the IP
                 address where it received the request from.
                 :param ip:
                 """
                 if ',' in ip:
                     _ips = ip.split(',')
                     _first_ip = _ips[0].strip()
                     log.debug('Got multiple IPs %s, using %s', ','.join(_ips), _first_ip)
                     return _first_ip
                 return ip
             def _get_ip_addr(environ):
                 proxy_key = 'HTTP_X_REAL_IP'
                 proxy_key2 = 'HTTP_X_FORWARDED_FOR'
                 def_key = 'REMOTE_ADDR'
                 ip = environ.get(proxy_key)
                 if ip:
                     return _filter_proxy(ip)
                 ip = environ.get(proxy_key2)
                 if ip:
                     return _filter_proxy(ip)
                 ip = environ.get(def_key, '0.0.0.0')
                 return _filter_proxy(ip)
             def _get_access_path(environ):
                 """Return PATH_INFO from environ ... using tg.original_request if available."""
                 org_req = environ.get('tg.original_request')
                 if org_req is not None:
                     environ = org_req.environ
                 return environ.get('PATH_INFO')
             def log_in_user(user, remember, is_external_auth, ip_addr):
                 """
                 Log a `User` in and update session and cookies. If `remember` is True,
                 the session cookie is set to expire in a year; otherwise, it expires at
                 the end of the browser session.
                 Returns populated `AuthUser` object.
                 """
                 # It should not be possible to explicitly log in as the default user.
                 assert not user.is_default_user, user
                 auth_user = AuthUser.make(dbuser=user, is_external_auth=is_external_auth, ip_addr=ip_addr)
                 if auth_user is None:
                     return None
                 user.update_lastlogin()
                 meta.Session().commit()
                 # Start new session to prevent session fixation attacks.
                 session.invalidate()
                 session['authuser'] = cookie = auth_user.to_cookie()
                 # If they want to be remembered, update the cookie.
                 # NOTE: Assumes that beaker defaults to browser session cookie.
                 if remember:
                     t = datetime.datetime.now() + datetime.timedelta(days=365)
                     session._set_cookie_expires(t)
                 session.save()
                 log.info('user %s is now authenticated and stored in '
                          'session, session attrs %s', user.username, cookie)
                 # dumps session attrs back to cookie
                 session._update_cookie_out()
                 return auth_user
             class BasicAuth(paste.auth.basic.AuthBasicAuthenticator):
                 def __init__(self, realm, authfunc, auth_http_code=None):
                     self.realm = realm
                     self.authfunc = authfunc
                     self._rc_auth_http_code = auth_http_code
                 def build_authentication(self, environ):
                     head = paste.httpheaders.WWW_AUTHENTICATE.tuples('Basic realm="%s"' % self.realm)
                     # Consume the whole body before sending a response
                     try:
                         request_body_size = int(environ.get('CONTENT_LENGTH', 0))
                     except (ValueError):
                         request_body_size = 0
                     environ['wsgi.input'].read(request_body_size)
                     if self._rc_auth_http_code and self._rc_auth_http_code == '403':
                         # return 403 if alternative http return code is specified in
                         # Kallithea config
                         return paste.httpexceptions.HTTPForbidden(headers=head)
                     return paste.httpexceptions.HTTPUnauthorized(headers=head)
                 def authenticate(self, environ):
                     authorization = paste.httpheaders.AUTHORIZATION(environ)
                     if not authorization:
                         return self.build_authentication(environ)
                     (authmeth, auth) = authorization.split(' ', 1)
                     if 'basic' != authmeth.lower():
                         return self.build_authentication(environ)
                     auth = auth.strip().decode('base64')
                     _parts = auth.split(':', 1)
                     if len(_parts) == 2:
                         username, password = _parts
                         if self.authfunc(username, password, environ) is not None:
                             return username
                     return self.build_authentication(environ)
                 __call__ = authenticate
             class BaseVCSController(object):
                 """Base controller for handling Mercurial/Git protocol requests
                 (coming from a VCS client, and not a browser).
                 """
                 scm_alias = None # 'hg' / 'git'
                 def __init__(self, application, config):
                     self.application = application
                     self.config = config
                     # base path of repo locations
                     self.basepath = self.config['base_path']
                     # authenticate this VCS request using the authentication modules
                     self.authenticate = BasicAuth('', auth_modules.authenticate,
                                                   config.get('auth_ret_code'))
                 @classmethod
                 def parse_request(cls, environ):
                     """If request is parsed as a request for this VCS, return a namespace with the parsed request.
                     If the request is unknown, return None.
                     """
                     raise NotImplementedError()
                 def _authorize(self, environ, action, repo_name, ip_addr):
                     """Authenticate and authorize user.
                     Since we're dealing with a VCS client and not a browser, we only
                     support HTTP basic authentication, either directly via raw header
                     inspection, or by using container authentication to delegate the
                     authentication to the web server.
                     Returns (user, None) on successful authentication and authorization.
                     Returns (None, wsgi_app) to send the wsgi_app response to the client.
                     """
                     # Use anonymous access if allowed for action on repo.
                     default_user = User.get_default_user(cache=True)
                     default_authuser = AuthUser.make(dbuser=default_user, ip_addr=ip_addr)
                     if default_authuser is None:
                         log.debug('No anonymous access at all') # move on to proper user auth
                     else:
                         if self._check_permission(action, default_authuser, repo_name):
                             return default_authuser, None
                         log.debug('Not authorized to access this repository as anonymous user')
                     username = None
                     #==============================================================
                     # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE
                     # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS
                     #==============================================================
                     # try to auth based on environ, container auth methods
                     log.debug('Running PRE-AUTH for container based authentication')
                     pre_auth = auth_modules.authenticate('', '', environ)
                     if pre_auth is not None and pre_auth.get('username'):
                         username = pre_auth['username']
                     log.debug('PRE-AUTH got %s as username', username)
                     # If not authenticated by the container, running basic auth
                     if not username:
                         self.authenticate.realm = safe_str(self.config['realm'])
                         result = self.authenticate(environ)
                         if isinstance(result, str):
                             paste.httpheaders.AUTH_TYPE.update(environ, 'basic')
                             paste.httpheaders.REMOTE_USER.update(environ, result)
                             username = result
                         else:
                             return None, result.wsgi_application
                     #==============================================================
                     # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME
                     #==============================================================
                     try:
                         user = User.get_by_username_or_email(username)
                     except Exception:
                         log.error(traceback.format_exc())
                         return None, webob.exc.HTTPInternalServerError()
                     authuser = AuthUser.make(dbuser=user, ip_addr=ip_addr)
                     if authuser is None:
                         return None, webob.exc.HTTPForbidden()
                     if not self._check_permission(action, authuser, repo_name):
                         return None, webob.exc.HTTPForbidden()
                     return user, None
                 def _handle_request(self, environ, start_response):
                     raise NotImplementedError()
                 def _check_permission(self, action, authuser, repo_name):
                     """
                     Checks permissions using action (push/pull) user and repository
                     name
                     :param action: 'push' or 'pull' action
                     :param user: `User` instance
                     :param repo_name: repository name
                     """
                     if action == 'push':
                         if not HasPermissionAnyMiddleware('repository.write',
                                                           'repository.admin')(authuser,
                                                                               repo_name):
                             return False
                     else:
                         #any other action need at least read permission
                         if not HasPermissionAnyMiddleware('repository.read',
                                                           'repository.write',
                                                           'repository.admin')(authuser,
                                                                               repo_name):
                             return False
                     return True
                 def _get_ip_addr(self, environ):
                     return _get_ip_addr(environ)
                 def __call__(self, environ, start_response):
                     start = time.time()
                     try:
                         # try parsing a request for this VCS - if it fails, call the wrapped app
                         parsed_request = self.parse_request(environ)
                         if parsed_request is None:
                             return self.application(environ, start_response)
                         # skip passing error to error controller
                         environ['pylons.status_code_redirect'] = True
                         # quick check if repo exists...
                         if not is_valid_repo(parsed_request.repo_name, self.basepath, self.scm_alias):
                             raise webob.exc.HTTPNotFound()
                         if parsed_request.action is None:
                             # Note: the client doesn't get the helpful error message
                             raise webob.exc.HTTPBadRequest('Unable to detect pull/push action for %r! Are you using a nonstandard command or client?' % parsed_request.repo_name)
                         #======================================================================
                         # CHECK PERMISSIONS
                         #======================================================================
                         ip_addr = self._get_ip_addr(environ)
                         user, response_app = self._authorize(environ, parsed_request.action, parsed_request.repo_name, ip_addr)
                         if response_app is not None:
                             return response_app(environ, start_response)
                         #======================================================================
                         # REQUEST HANDLING
                         #======================================================================
                         set_hook_environment(user.username, ip_addr,
                             parsed_request.repo_name, self.scm_alias, parsed_request.action)
                         try:
                             log.info('%s action on %s repo "%s" by "%s" from %s',
                                      parsed_request.action, self.scm_alias, parsed_request.repo_name, safe_str(user.username), ip_addr)
                             app = self._make_app(parsed_request)
                             return app(environ, start_response)
                         except Exception:
                             log.error(traceback.format_exc())
                             raise webob.exc.HTTPInternalServerError()
                     except webob.exc.HTTPException as e:
                         return e(environ, start_response)
                     finally:
                         log_ = logging.getLogger('kallithea.' + self.__class__.__name__)
                         log_.debug('Request time: %.3fs', time.time() - start)
                         meta.Session.remove()
             class BaseController(TGController):
                 def _before(self, *args, **kwargs):
                     """
                     _before is called before controller methods and after __call__
                     """
                     if request.needs_csrf_check:
                         # CSRF protection: Whenever a request has ambient authority (whether
                         # through a session cookie or its origin IP address), it must include
                         # the correct token, unless the HTTP method is GET or HEAD (and thus
                         # guaranteed to be side effect free. In practice, the only situation
                         # where we allow side effects without ambient authority is when the
                         # authority comes from an API key; and that is handled above.
                         token = request.POST.get(secure_form.token_key)
                         if not token or token != secure_form.authentication_token():
                             log.error('CSRF check failed')
                             raise webob.exc.HTTPForbidden()
                     c.kallithea_version = __version__
                     rc_config = Setting.get_app_settings()
                     # Visual options
                     c.visual = AttributeDict({})
                     ## DB stored
                     c.visual.show_public_icon = str2bool(rc_config.get('show_public_icon'))
                     c.visual.show_private_icon = str2bool(rc_config.get('show_private_icon'))
                     c.visual.stylify_metalabels = str2bool(rc_config.get('stylify_metalabels'))
                     c.visual.page_size = safe_int(rc_config.get('dashboard_items', 100))
                     c.visual.admin_grid_items = safe_int(rc_config.get('admin_grid_items', 100))
                     c.visual.repository_fields = str2bool(rc_config.get('repository_fields'))
                     c.visual.show_version = str2bool(rc_config.get('show_version'))
                     c.visual.use_gravatar = str2bool(rc_config.get('use_gravatar'))
                     c.visual.gravatar_url = rc_config.get('gravatar_url')
                     c.ga_code = rc_config.get('ga_code')
                     # TODO: replace undocumented backwards compatibility hack with db upgrade and rename ga_code
                     if c.ga_code and '<' not in c.ga_code:
                         c.ga_code = '''<script type="text/javascript">
                             var _gaq = _gaq || [];
                             _gaq.push(['_setAccount', '%s']);
                             _gaq.push(['_trackPageview']);
                             (function() {
                                 var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
                                 ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
                                 var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
                                 })();
                         </script>''' % c.ga_code
                     c.site_name = rc_config.get('title')
                     c.clone_uri_tmpl = rc_config.get('clone_uri_tmpl') or Repository.DEFAULT_CLONE_URI
                     ## INI stored
                     c.visual.allow_repo_location_change = str2bool(config.get('allow_repo_location_change', True))
                     c.visual.allow_custom_hooks_settings = str2bool(config.get('allow_custom_hooks_settings', True))
+                    c.ssh_enabled = str2bool(config.get('ssh_enabled', False))
                     c.instance_id = config.get('instance_id')
                     c.issues_url = config.get('bugtracker', url('issues_url'))
                     # END CONFIG VARS
                     c.repo_name = get_repo_slug(request)  # can be empty
                     c.backends = BACKENDS.keys()
                     self.cut_off_limit = safe_int(config.get('cut_off_limit'))
                     c.my_pr_count = PullRequest.query(reviewer_id=request.authuser.user_id, include_closed=False).count()
                     self.scm_model = ScmModel()
                 @staticmethod
                 def _determine_auth_user(session_authuser, ip_addr):
                     """
                     Create an `AuthUser` object given the API key/bearer token
                     (if any) and the value of the authuser session cookie.
                     Returns None if no valid user is found (like not active or no access for IP).
                     """
                     # Authenticate by session cookie
                     # In ancient login sessions, 'authuser' may not be a dict.
                     # In that case, the user will have to log in again.
                     # v0.3 and earlier included an 'is_authenticated' key; if present,
                     # this must be True.
                     if isinstance(session_authuser, dict) and session_authuser.get('is_authenticated', True):
                         return AuthUser.from_cookie(session_authuser, ip_addr=ip_addr)
                     # Authenticate by auth_container plugin (if enabled)
                     if any(
                         plugin.is_container_auth
                         for plugin in auth_modules.get_auth_plugins()
                     ):
                         try:
                             user_info = auth_modules.authenticate('', '', request.environ)
                         except UserCreationError as e:
                             from kallithea.lib import helpers as h
                             h.flash(e, 'error', logf=log.error)
                         else:
                             if user_info is not None:
                                 username = user_info['username']
                                 user = User.get_by_username(username, case_insensitive=True)
                                 return log_in_user(user, remember=False, is_external_auth=True, ip_addr=ip_addr)
                     # User is default user (if active) or anonymous
                     default_user = User.get_default_user(cache=True)
                     authuser = AuthUser.make(dbuser=default_user, ip_addr=ip_addr)
                     if authuser is None: # fall back to anonymous
                         authuser = AuthUser(dbuser=default_user) # TODO: somehow use .make?
                     return authuser
                 @staticmethod
                 def _basic_security_checks():
                     """Perform basic security/sanity checks before processing the request."""
                     # Only allow the following HTTP request methods.
                     if request.method not in ['GET', 'HEAD', 'POST']:
                         raise webob.exc.HTTPMethodNotAllowed()
                     # Also verify the _method override - no longer allowed.
                     if request.params.get('_method') is None:
                         pass # no override, no problem
                     else:
                         raise webob.exc.HTTPMethodNotAllowed()
                     # Make sure CSRF token never appears in the URL. If so, invalidate it.
                     if secure_form.token_key in request.GET:
                         log.error('CSRF key leak detected')
                         session.pop(secure_form.token_key, None)
                         session.save()
                         from kallithea.lib import helpers as h
                         h.flash(_('CSRF token leak has been detected - all form tokens have been expired'),
                                 category='error')
                     # WebOb already ignores request payload parameters for anything other
                     # than POST/PUT, but double-check since other Kallithea code relies on
                     # this assumption.
                     if request.method not in ['POST', 'PUT'] and request.POST:
                         log.error('%r request with payload parameters; WebOb should have stopped this', request.method)
                         raise webob.exc.HTTPBadRequest()
                 def __call__(self, environ, context):
                     try:
                         ip_addr = _get_ip_addr(environ)
                         self._basic_security_checks()
                         api_key = request.GET.get('api_key')
                         try:
                             # Request.authorization may raise ValueError on invalid input
                             type, params = request.authorization
                         except (ValueError, TypeError):
                             pass
                         else:
                             if type.lower() == 'bearer':
                                 api_key = params # bearer token is an api key too
                         if api_key is None:
                             authuser = self._determine_auth_user(
                                 session.get('authuser'),
                                 ip_addr=ip_addr,
                             )
                             needs_csrf_check = request.method not in ['GET', 'HEAD']
                         else:
                             dbuser = User.get_by_api_key(api_key)
                             if dbuser is None:
                                 log.info('No db user found for authentication with API key ****%s from %s',
                                          api_key[-4:], ip_addr)
                             authuser = AuthUser.make(dbuser=dbuser, is_external_auth=True, ip_addr=ip_addr)
                             needs_csrf_check = False # API key provides CSRF protection
                         if authuser is None:
                             log.info('No valid user found')
                             raise webob.exc.HTTPForbidden()
                         # set globals for auth user
                         request.authuser = authuser
                         request.ip_addr = ip_addr
                         request.needs_csrf_check = needs_csrf_check
                         log.info('IP: %s User: %s accessed %s',
                             request.ip_addr, request.authuser,
                             safe_unicode(_get_access_path(environ)),
                         )
                         return super(BaseController, self).__call__(environ, context)
                     except webob.exc.HTTPException as e:
                         return e
             class BaseRepoController(BaseController):
                 """
                 Base class for controllers responsible for loading all needed data for
                 repository loaded items are
                 c.db_repo_scm_instance: instance of scm repository
                 c.db_repo: instance of db
                 c.repository_followers: number of followers
                 c.repository_forks: number of forks
                 c.repository_following: weather the current user is following the current repo
                 """
                 def _before(self, *args, **kwargs):
                     super(BaseRepoController, self)._before(*args, **kwargs)
                     if c.repo_name:  # extracted from routes
                         _dbr = Repository.get_by_repo_name(c.repo_name)
                         if not _dbr:
                             return
                         log.debug('Found repository in database %s with state `%s`',
                                   safe_unicode(_dbr), safe_unicode(_dbr.repo_state))
                         route = getattr(request.environ.get('routes.route'), 'name', '')
                         # allow to delete repos that are somehow damages in filesystem
                         if route in ['delete_repo']:
                             return
                         if _dbr.repo_state in [Repository.STATE_PENDING]:
                             if route in ['repo_creating_home']:
                                 return
                             check_url = url('repo_creating_home', repo_name=c.repo_name)
                             raise webob.exc.HTTPFound(location=check_url)
                         dbr = c.db_repo = _dbr
                         c.db_repo_scm_instance = c.db_repo.scm_instance
                         if c.db_repo_scm_instance is None:
                             log.error('%s this repository is present in database but it '
                                       'cannot be created as an scm instance', c.repo_name)
                             from kallithea.lib import helpers as h
                             h.flash(_('Repository not found in the filesystem'),
                                     category='error')
                             raise webob.exc.HTTPNotFound()
                         # some globals counter for menu
                         c.repository_followers = self.scm_model.get_followers(dbr)
                         c.repository_forks = self.scm_model.get_forks(dbr)
                         c.repository_pull_requests = self.scm_model.get_pull_requests(dbr)
                         c.repository_following = self.scm_model.is_following_repo(
                                                 c.repo_name, request.authuser.user_id)
                 @staticmethod
                 def _get_ref_rev(repo, ref_type, ref_name, returnempty=False):
                     """
                     Safe way to get changeset. If error occurs show error.
                     """
                     from kallithea.lib import helpers as h
                     try:
                         return repo.scm_instance.get_ref_revision(ref_type, ref_name)
                     except EmptyRepositoryError as e:
                         if returnempty:
                             return repo.scm_instance.EMPTY_CHANGESET
                         h.flash(_('There are no changesets yet'), category='error')
                         raise webob.exc.HTTPNotFound()
                     except ChangesetDoesNotExistError as e:
                         h.flash(_('Changeset for %s %s not found in %s') %
                                           (ref_type, ref_name, repo.repo_name),
                                 category='error')
                         raise webob.exc.HTTPNotFound()
                     except RepositoryError as e:
                         log.error(traceback.format_exc())
                         h.flash(safe_str(e), category='error')
                         raise webob.exc.HTTPBadRequest()
             @decorator.decorator
             def jsonify(func, *args, **kwargs):
                 """Action decorator that formats output for JSON
                 Given a function that will return content, this decorator will turn
                 the result into JSON, with a content-type of 'application/json' and
                 output it.
                 """
                 response.headers['Content-Type'] = 'application/json; charset=utf-8'
                 data = func(*args, **kwargs)
                 if isinstance(data, (list, tuple)):
                     # A JSON list response is syntactically valid JavaScript and can be
                     # loaded and executed as JavaScript by a malicious third-party site
                     # using <script>, which can lead to cross-site data leaks.
                     # JSON responses should therefore be scalars or objects (i.e. Python
                     # dicts), because a JSON object is a syntax error if intepreted as JS.
                     msg = "JSON responses with Array envelopes are susceptible to " \
                           "cross-site data leak attacks, see " \
                           "https://web.archive.org/web/20120519231904/http://wiki.pylonshq.com/display/pylonsfaq/Warnings"
                     warnings.warn(msg, Warning, 2)
                     log.warning(msg)
                 log.debug("Returning JSON wrapped action output")
                 return json.dumps(data, encoding='utf-8')
+            @decorator.decorator
+            def IfSshEnabled(func, *args, **kwargs):
+                """Decorator for functions that can only be called if SSH access is enabled.
+                If SSH access is disabled in the configuration file, HTTPNotFound is raised.
+                """
+                if not c.ssh_enabled:
+                    from kallithea.lib import helpers as h
+                    h.flash(_("SSH access is disabled."), category='warning')
+                    raise webob.exc.HTTPNotFound()
+                return func(*args, **kwargs)

kallithea/lib/paster_commands/template.ini.mako

0 +7 0

             ## -*- coding: utf-8 -*-
             <%text>################################################################################</%text>
             <%text>################################################################################</%text>
             # Kallithea - config file generated with kallithea-config                      #
             #                                                                              #
             # The %(here)s variable will be replaced with the parent directory of this file#
             <%text>################################################################################</%text>
             <%text>################################################################################</%text>
             [DEFAULT]
             <%text>################################################################################</%text>
             <%text>## Email settings                                                             ##</%text>
             <%text>##                                                                            ##</%text>
             <%text>## Refer to the documentation ("Email settings") for more details.            ##</%text>
             <%text>##                                                                            ##</%text>
             <%text>## It is recommended to use a valid sender address that passes access         ##</%text>
             <%text>## validation and spam filtering in mail servers.                             ##</%text>
             <%text>################################################################################</%text>
             <%text>## 'From' header for application emails. You can optionally add a name.</%text>
             <%text>## Default:</%text>
             #app_email_from = Kallithea
             <%text>## Examples:</%text>
             #app_email_from = Kallithea <kallithea-noreply@example.com>
             #app_email_from = kallithea-noreply@example.com
             <%text>## Subject prefix for application emails.</%text>
             <%text>## A space between this prefix and the real subject is automatically added.</%text>
             <%text>## Default:</%text>
             #email_prefix =
             <%text>## Example:</%text>
             #email_prefix = [Kallithea]
             <%text>## Recipients for error emails and fallback recipients of application mails.</%text>
             <%text>## Multiple addresses can be specified, comma-separated.</%text>
             <%text>## Only addresses are allowed, do not add any name part.</%text>
             <%text>## Default:</%text>
             #email_to =
             <%text>## Examples:</%text>
             #email_to = admin@example.com
             #email_to = admin@example.com,another_admin@example.com
             email_to =
             <%text>## 'From' header for error emails. You can optionally add a name.</%text>
             <%text>## Default: (none)</%text>
             <%text>## Examples:</%text>
             #error_email_from = Kallithea Errors <kallithea-noreply@example.com>
             #error_email_from = kallithea_errors@example.com
             error_email_from =
             <%text>## SMTP server settings</%text>
             <%text>## If specifying credentials, make sure to use secure connections.</%text>
             <%text>## Default: Send unencrypted unauthenticated mails to the specified smtp_server.</%text>
             <%text>## For "SSL", use smtp_use_ssl = true and smtp_port = 465.</%text>
             <%text>## For "STARTTLS", use smtp_use_tls = true and smtp_port = 587.</%text>
             smtp_server =
             #smtp_username =
             #smtp_password =
             smtp_port =
             #smtp_use_ssl = false
             #smtp_use_tls = false
             %if http_server != 'uwsgi':
             <%text>## Entry point for 'gearbox serve'</%text>
             [server:main]
             host = ${host}
             port = ${port}
             %if http_server == 'gearbox':
             <%text>## Gearbox default web server ##</%text>
             use = egg:gearbox#wsgiref
             <%text>## nr of worker threads to spawn</%text>
             threadpool_workers = 1
             <%text>## max request before thread respawn</%text>
             threadpool_max_requests = 100
             <%text>## option to use threads of process</%text>
             use_threadpool = true
             %elif http_server == 'gevent':
             <%text>## Gearbox gevent web server ##</%text>
             use = egg:gearbox#gevent
             %elif http_server == 'waitress':
             <%text>## WAITRESS ##</%text>
             use = egg:waitress#main
             <%text>## number of worker threads</%text>
             threads = 1
             <%text>## MAX BODY SIZE 100GB</%text>
             max_request_body_size = 107374182400
             <%text>## use poll instead of select, fixes fd limits, may not work on old</%text>
             <%text>## windows systems.</%text>
             #asyncore_use_poll = True
             %elif http_server == 'gunicorn':
             <%text>## GUNICORN ##</%text>
             use = egg:gunicorn#main
             <%text>## number of process workers. You must set `instance_id = *` when this option</%text>
             <%text>## is set to more than one worker</%text>
             workers = 4
             <%text>## process name</%text>
             proc_name = kallithea
             <%text>## type of worker class, one of sync, eventlet, gevent, tornado</%text>
             <%text>## recommended for bigger setup is using of of other than sync one</%text>
             worker_class = sync
             max_requests = 1000
             <%text>## amount of time a worker can handle request before it gets killed and</%text>
             <%text>## restarted</%text>
             timeout = 3600
             %endif
             %else:
             <%text>## UWSGI ##</%text>
             <%text>## run with uwsgi --ini-paste-logged <inifile.ini></%text>
             [uwsgi]
             socket = /tmp/uwsgi.sock
             master = true
             http = ${host}:${port}
             <%text>## set as daemon and redirect all output to file</%text>
             #daemonize = ./uwsgi_kallithea.log
             <%text>## master process PID</%text>
             pidfile = ./uwsgi_kallithea.pid
             <%text>## stats server with workers statistics, use uwsgitop</%text>
             <%text>## for monitoring, `uwsgitop 127.0.0.1:1717`</%text>
             stats = 127.0.0.1:1717
             memory-report = true
             <%text>## log 5XX errors</%text>
             log-5xx = true
             <%text>## Set the socket listen queue size.</%text>
             listen = 128
             <%text>## Gracefully Reload workers after the specified amount of managed requests</%text>
             <%text>## (avoid memory leaks).</%text>
             max-requests = 1000
             <%text>## enable large buffers</%text>
             buffer-size = 65535
             <%text>## socket and http timeouts ##</%text>
             http-timeout = 3600
             socket-timeout = 3600
             <%text>## Log requests slower than the specified number of milliseconds.</%text>
             log-slow = 10
             <%text>## Exit if no app can be loaded.</%text>
             need-app = true
             <%text>## Set lazy mode (load apps in workers instead of master).</%text>
             lazy = true
             <%text>## scaling ##</%text>
             <%text>## set cheaper algorithm to use, if not set default will be used</%text>
             cheaper-algo = spare
             <%text>## minimum number of workers to keep at all times</%text>
             cheaper = 1
             <%text>## number of workers to spawn at startup</%text>
             cheaper-initial = 1
             <%text>## maximum number of workers that can be spawned</%text>
             workers = 4
             <%text>## how many workers should be spawned at a time</%text>
             cheaper-step = 1
             %endif
             <%text>## middleware for hosting the WSGI application under a URL prefix</%text>
             #[filter:proxy-prefix]
             #use = egg:PasteDeploy#prefix
             #prefix = /<your-prefix>
             [app:main]
             use = egg:kallithea
             <%text>## enable proxy prefix middleware</%text>
             #filter-with = proxy-prefix
             full_stack = true
             static_files = true
             <%text>## Internationalization (see setup documentation for details)</%text>
             <%text>## By default, the language requested by the browser is used if available.</%text>
             #i18n.enabled = false
             <%text>## Fallback language, empty for English (valid values are the names of subdirectories in kallithea/i18n):</%text>
             i18n.lang =
             cache_dir = %(here)s/data
             index_dir = %(here)s/data/index
             <%text>## uncomment and set this path to use archive download cache</%text>
             archive_cache_dir = %(here)s/tarballcache
             <%text>## change this to unique ID for security</%text>
             app_instance_uuid = ${uuid()}
             <%text>## cut off limit for large diffs (size in bytes)</%text>
             cut_off_limit = 256000
             <%text>## force https in Kallithea, fixes https redirects, assumes it's always https</%text>
             force_https = false
             <%text>## use Strict-Transport-Security headers</%text>
             use_htsts = false
             <%text>## number of commits stats will parse on each iteration</%text>
             commit_parse_limit = 25
             <%text>## Path to Python executable to be used for git hooks.</%text>
             <%text>## This value will be written inside the git hook scripts as the text</%text>
             <%text>## after '#!' (shebang). When empty or not defined, the value of</%text>
             <%text>## 'sys.executable' at the time of installation of the git hooks is</%text>
             <%text>## used, which is correct in many cases but for example not when using uwsgi.</%text>
             <%text>## If you change this setting, you should reinstall the Git hooks via</%text>
             <%text>## Admin > Settings > Remap and Rescan.</%text>
             # git_hook_interpreter = /srv/kallithea/venv/bin/python2
             %if git_hook_interpreter:
             git_hook_interpreter = ${git_hook_interpreter}
             %endif
             <%text>## path to git executable</%text>
             git_path = git
             <%text>## git rev filter option, --all is the default filter, if you need to</%text>
             <%text>## hide all refs in changelog switch this to --branches --tags</%text>
             #git_rev_filter = --branches --tags
             <%text>## RSS feed options</%text>
             rss_cut_off_limit = 256000
             rss_items_per_page = 10
             rss_include_diff = false
             <%text>## options for showing and identifying changesets</%text>
             show_sha_length = 12
             show_revision_number = false
             <%text>## Canonical URL to use when creating full URLs in UI and texts.</%text>
             <%text>## Useful when the site is available under different names or protocols.</%text>
             <%text>## Defaults to what is provided in the WSGI environment.</%text>
             #canonical_url = https://kallithea.example.com/repos
             <%text>## gist URL alias, used to create nicer urls for gist. This should be an</%text>
             <%text>## url that does rewrites to _admin/gists/<gistid>.</%text>
             <%text>## example: http://gist.example.com/{gistid}. Empty means use the internal</%text>
             <%text>## Kallithea url, ie. http[s]://kallithea.example.com/_admin/gists/<gistid></%text>
             gist_alias_url =
             <%text>## default encoding used to convert from and to unicode</%text>
             <%text>## can be also a comma separated list of encoding in case of mixed encodings</%text>
             default_encoding = utf-8
             <%text>## Set Mercurial encoding, similar to setting HGENCODING before launching Kallithea</%text>
             hgencoding = utf-8
             <%text>## issue tracker for Kallithea (leave blank to disable, absent for default)</%text>
             #bugtracker = https://bitbucket.org/conservancy/kallithea/issues
             <%text>## issue tracking mapping for commit messages, comments, PR descriptions, ...</%text>
             <%text>## Refer to the documentation ("Integration with issue trackers") for more details.</%text>
             <%text>## regular expression to match issue references</%text>
             <%text>## This pattern may/should contain parenthesized groups, that can</%text>
             <%text>## be referred to in issue_server_link or issue_sub using Python backreferences</%text>
             <%text>## (e.g. \1, \2, ...). You can also create named groups with '(?P<groupname>)'.</%text>
             <%text>## To require mandatory whitespace before the issue pattern, use:</%text>
             <%text>## (?:^|(?<=\s)) before the actual pattern, and for mandatory whitespace</%text>
             <%text>## behind the issue pattern, use (?:$|(?=\s)) after the actual pattern.</%text>
             issue_pat = #(\d+)
             <%text>## server url to the issue</%text>
             <%text>## This pattern may/should contain backreferences to parenthesized groups in issue_pat.</%text>
             <%text>## A backreference can be \1, \2, ... or \g<groupname> if you specified a named group</%text>
             <%text>## called 'groupname' in issue_pat.</%text>
             <%text>## The special token {repo} is replaced with the full repository name</%text>
             <%text>## including repository groups, while {repo_name} is replaced with just</%text>
             <%text>## the name of the repository.</%text>
             issue_server_link = https://issues.example.com/{repo}/issue/\1
             <%text>## substitution pattern to use as the link text</%text>
             <%text>## If issue_sub is empty, the text matched by issue_pat is retained verbatim</%text>
             <%text>## for the link text. Otherwise, the link text is that of issue_sub, with any</%text>
             <%text>## backreferences to groups in issue_pat replaced.</%text>
             issue_sub =
             <%text>## issue_pat, issue_server_link and issue_sub can have suffixes to specify</%text>
             <%text>## multiple patterns, to other issues server, wiki or others</%text>
             <%text>## below an example how to create a wiki pattern</%text>
             # wiki-some-id -> https://wiki.example.com/some-id
             #issue_pat_wiki = wiki-(\S+)
             #issue_server_link_wiki = https://wiki.example.com/\1
             #issue_sub_wiki = WIKI-\1
             <%text>## alternative return HTTP header for failed authentication. Default HTTP</%text>
             <%text>## response is 401 HTTPUnauthorized. Currently Mercurial clients have trouble with</%text>
             <%text>## handling that. Set this variable to 403 to return HTTPForbidden</%text>
             auth_ret_code =
             <%text>## allows to change the repository location in settings page</%text>
             allow_repo_location_change = True
             <%text>## allows to setup custom hooks in settings page</%text>
             allow_custom_hooks_settings = True
             <%text>## extra extensions for indexing, space separated and without the leading '.'.</%text>
             # index.extensions =
             #    gemfile
             #    lock
             <%text>## extra filenames for indexing, space separated</%text>
             # index.filenames =
             #    .dockerignore
             #    .editorconfig
             #    INSTALL
             #    CHANGELOG
             <%text>####################################</%text>
+            <%text>###           SSH CONFIG        ####</%text>
+            <%text>####################################</%text>
+            <%text>## SSH is disabled by default, until an Administrator decides to enable it.</%text>
+            ssh_enabled = false
+            <%text>####################################</%text>
             <%text>###        CELERY CONFIG        ####</%text>
             <%text>####################################</%text>
             use_celery = false
             <%text>## Example: connect to the virtual host 'rabbitmqhost' on localhost as rabbitmq:</%text>
             broker.url = amqp://rabbitmq:qewqew@localhost:5672/rabbitmqhost
             celery.imports = kallithea.lib.celerylib.tasks
             celery.accept.content = pickle
             celery.result.backend = amqp
             celery.result.dburi = amqp://
             celery.result.serialier = json
             #celery.send.task.error.emails = true
             #celery.amqp.task.result.expires = 18000
             celeryd.concurrency = 2
             celeryd.max.tasks.per.child = 1
             <%text>## If true, tasks will never be sent to the queue, but executed locally instead.</%text>
             celery.always.eager = false
             <%text>####################################</%text>
             <%text>###         BEAKER CACHE        ####</%text>
             <%text>####################################</%text>
             beaker.cache.data_dir = %(here)s/data/cache/data
             beaker.cache.lock_dir = %(here)s/data/cache/lock
             beaker.cache.regions = short_term,long_term,sql_cache_short
             beaker.cache.short_term.type = memory
             beaker.cache.short_term.expire = 60
             beaker.cache.short_term.key_length = 256
             beaker.cache.long_term.type = memory
             beaker.cache.long_term.expire = 36000
             beaker.cache.long_term.key_length = 256
             beaker.cache.sql_cache_short.type = memory
             beaker.cache.sql_cache_short.expire = 10
             beaker.cache.sql_cache_short.key_length = 256
             <%text>####################################</%text>
             <%text>###       BEAKER SESSION        ####</%text>
             <%text>####################################</%text>
             <%text>## Name of session cookie. Should be unique for a given host and path, even when running</%text>
             <%text>## on different ports. Otherwise, cookie sessions will be shared and messed up.</%text>
             session.key = kallithea
             <%text>## Sessions should always only be accessible by the browser, not directly by JavaScript.</%text>
             session.httponly = true
             <%text>## Session lifetime. 2592000 seconds is 30 days.</%text>
             session.timeout = 2592000
             <%text>## Server secret used with HMAC to ensure integrity of cookies.</%text>
             session.secret = ${uuid()}
             <%text>## Further, encrypt the data with AES.</%text>
             #session.encrypt_key = <key_for_encryption>
             #session.validate_key = <validation_key>
             <%text>## Type of storage used for the session, current types are</%text>
             <%text>## dbm, file, memcached, database, and memory.</%text>
             <%text>## File system storage of session data. (default)</%text>
             #session.type = file
             <%text>## Cookie only, store all session data inside the cookie. Requires secure secrets.</%text>
             #session.type = cookie
             <%text>## Database storage of session data.</%text>
             #session.type = ext:database
             #session.sa.url = postgresql://postgres:qwe@localhost/kallithea
             #session.table_name = db_session
             <%text>############################</%text>
             <%text>## ERROR HANDLING SYSTEMS ##</%text>
             <%text>############################</%text>
             # Propagate email settings to ErrorReporter of TurboGears2
             # You do not normally need to change these lines
             get trace_errors.error_email = email_to
             get trace_errors.smtp_server = smtp_server
             get trace_errors.smtp_port = smtp_port
             get trace_errors.from_address = error_email_from
             %if error_aggregation_service == 'appenlight':
             <%text>####################</%text>
             <%text>### [appenlight] ###</%text>
             <%text>####################</%text>
             <%text>## AppEnlight is tailored to work with Kallithea, see</%text>
             <%text>## http://appenlight.com for details how to obtain an account</%text>
             <%text>## you must install python package `appenlight_client` to make it work</%text>
             <%text>## appenlight enabled</%text>
             appenlight = false
             appenlight.server_url = https://api.appenlight.com
             appenlight.api_key = YOUR_API_KEY
             <%text>## TWEAK AMOUNT OF INFO SENT HERE</%text>
             <%text>## enables 404 error logging (default False)</%text>
             appenlight.report_404 = false
             <%text>## time in seconds after request is considered being slow (default 1)</%text>
             appenlight.slow_request_time = 1
             <%text>## record slow requests in application</%text>
             <%text>## (needs to be enabled for slow datastore recording and time tracking)</%text>
             appenlight.slow_requests = true
             <%text>## enable hooking to application loggers</%text>
             #appenlight.logging = true
             <%text>## minimum log level for log capture</%text>
             #appenlight.logging.level = WARNING
             <%text>## send logs only from erroneous/slow requests</%text>
             <%text>## (saves API quota for intensive logging)</%text>
             appenlight.logging_on_error = false
             <%text>## list of additional keywords that should be grabbed from environ object</%text>
             <%text>## can be string with comma separated list of words in lowercase</%text>
             <%text>## (by default client will always send following info:</%text>
             <%text>## 'REMOTE_USER', 'REMOTE_ADDR', 'SERVER_NAME', 'CONTENT_TYPE' + all keys that</%text>
             <%text>## start with HTTP* this list be extended with additional keywords here</%text>
             appenlight.environ_keys_whitelist =
             <%text>## list of keywords that should be blanked from request object</%text>
             <%text>## can be string with comma separated list of words in lowercase</%text>
             <%text>## (by default client will always blank keys that contain following words</%text>
             <%text>## 'password', 'passwd', 'pwd', 'auth_tkt', 'secret', 'csrf'</%text>
             <%text>## this list be extended with additional keywords set here</%text>
             appenlight.request_keys_blacklist =
             <%text>## list of namespaces that should be ignores when gathering log entries</%text>
             <%text>## can be string with comma separated list of namespaces</%text>
             <%text>## (by default the client ignores own entries: appenlight_client.client)</%text>
             appenlight.log_namespace_blacklist =
             %elif error_aggregation_service == 'sentry':
             <%text>################</%text>
             <%text>### [sentry] ###</%text>
             <%text>################</%text>
             <%text>## sentry is a alternative open source error aggregator</%text>
             <%text>## you must install python packages `sentry` and `raven` to enable</%text>
             sentry.dsn = YOUR_DNS
             sentry.servers =
             sentry.name =
             sentry.key =
             sentry.public_key =
             sentry.secret_key =
             sentry.project =
             sentry.site =
             sentry.include_paths =
             sentry.exclude_paths =
             %endif
             <%text>################################################################################</%text>
             <%text>## WARNING: *DEBUG MODE MUST BE OFF IN A PRODUCTION ENVIRONMENT*              ##</%text>
             <%text>## Debug mode will enable the interactive debugging tool, allowing ANYONE to  ##</%text>
             <%text>## execute malicious code after an exception is raised.                       ##</%text>
             <%text>################################################################################</%text>
             debug = false
             <%text>##################################</%text>
             <%text>###       LOGVIEW CONFIG       ###</%text>
             <%text>##################################</%text>
             logview.sqlalchemy = #faa
             logview.pylons.templating = #bfb
             logview.pylons.util = #eee
             <%text>#########################################################</%text>
             <%text>### DB CONFIGS - EACH DB WILL HAVE IT'S OWN CONFIG    ###</%text>
             <%text>#########################################################</%text>
             %if database_engine == 'sqlite':
             # SQLITE [default]
             sqlalchemy.url = sqlite:///%(here)s/kallithea.db?timeout=60
             %elif database_engine == 'postgres':
             # POSTGRESQL
             sqlalchemy.url = postgresql://user:pass@localhost/kallithea
             %elif database_engine == 'mysql':
             # MySQL
             sqlalchemy.url = mysql://user:pass@localhost/kallithea?charset=utf8
             %endif
             # see sqlalchemy docs for others
             sqlalchemy.pool_recycle = 3600
             <%text>################################</%text>
             <%text>### ALEMBIC CONFIGURATION   ####</%text>
             <%text>################################</%text>
             [alembic]
             script_location = kallithea:alembic
             <%text>################################</%text>
             <%text>### LOGGING CONFIGURATION   ####</%text>
             <%text>################################</%text>
             [loggers]
             keys = root, routes, kallithea, sqlalchemy, tg, gearbox, beaker, templates, whoosh_indexer, werkzeug, backlash
             [handlers]
             keys = console, console_color, console_color_sql, null
             [formatters]
             keys = generic, color_formatter, color_formatter_sql
             <%text>#############</%text>
             <%text>## LOGGERS ##</%text>
             <%text>#############</%text>
             [logger_root]
             level = NOTSET
             handlers = console
             # For coloring based on log level:
             # handlers = console_color
             [logger_routes]
             level = WARN
             handlers =
             qualname = routes.middleware
             <%text>## "level = DEBUG" logs the route matched and routing variables.</%text>
             [logger_beaker]
             level = WARN
             handlers =
             qualname = beaker.container
             [logger_templates]
             level = WARN
             handlers =
             qualname = pylons.templating
             [logger_kallithea]
             level = WARN
             handlers =
             qualname = kallithea
             [logger_tg]
             level = WARN
             handlers =
             qualname = tg
             [logger_gearbox]
             level = WARN
             handlers =
             qualname = gearbox
             [logger_sqlalchemy]
             level = WARN
             handlers =
             qualname = sqlalchemy.engine
             # For coloring based on log level and pretty printing of SQL:
             # level = INFO
             # handlers = console_color_sql
             # propagate = 0
             [logger_whoosh_indexer]
             level = WARN
             handlers =
             qualname = whoosh_indexer
             [logger_werkzeug]
             level = WARN
             handlers =
             qualname = werkzeug
             [logger_backlash]
             level = WARN
             handlers =
             qualname = backlash
             <%text>##############</%text>
             <%text>## HANDLERS ##</%text>
             <%text>##############</%text>
             [handler_console]
             class = StreamHandler
             args = (sys.stderr,)
             formatter = generic
             [handler_console_color]
             # ANSI color coding based on log level
             class = StreamHandler
             args = (sys.stderr,)
             formatter = color_formatter
             [handler_console_color_sql]
             # ANSI color coding and pretty printing of SQL statements
             class = StreamHandler
             args = (sys.stderr,)
             formatter = color_formatter_sql
             [handler_null]
             class = NullHandler
             args = ()
             <%text>################</%text>
             <%text>## FORMATTERS ##</%text>
             <%text>################</%text>
             [formatter_generic]
             format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S
             [formatter_color_formatter]
             class = kallithea.lib.colored_formatter.ColorFormatter
             format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S
             [formatter_color_formatter_sql]
             class = kallithea.lib.colored_formatter.ColorFormatterSql
             format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S

kallithea/tests/conftest.py

0 +1 0

             import os
             import re
             import sys
             import logging
             import pkg_resources
             import time
             import formencode
             from paste.deploy import loadwsgi
             from routes.util import URLGenerator
             import pytest
             from pytest_localserver.http import WSGIServer
             from kallithea.controllers.root import RootController
             from kallithea.lib import inifile
             from kallithea.lib.utils import repo2db_mapper
             from kallithea.model.user import UserModel
             from kallithea.model.meta import Session
             from kallithea.model.db import Setting, User, UserIpMap
             from kallithea.model.scm import ScmModel
             from kallithea.tests.base import invalidate_all_caches, TEST_USER_REGULAR_LOGIN, TESTS_TMP_PATH, \
                 TEST_USER_ADMIN_LOGIN, TEST_USER_ADMIN_PASS
             import kallithea.tests.base # FIXME: needed for setting testapp instance!!!
             from tg.util.webtest import test_context
             def pytest_configure():
                 os.environ['TZ'] = 'UTC'
                 if not kallithea.is_windows:
                     time.tzset() # only available on Unix
                 path = os.getcwd()
                 sys.path.insert(0, path)
                 pkg_resources.working_set.add_entry(path)
                 # Disable INFO logging of test database creation, restore with NOTSET
                 logging.disable(logging.INFO)
                 ini_settings = {
                     '[server:main]': {
                         'port': '4999',
                     },
                     '[app:main]': {
+                        'ssh_enabled': 'true',
                         'app_instance_uuid': 'test',
                         'show_revision_number': 'true',
                         'beaker.cache.sql_cache_short.expire': '1',
                         'session.secret': '{74e0cd75-b339-478b-b129-07dd221def1f}',
                         #'i18n.lang': '',
                     },
                     '[handler_console]': {
                         'formatter': 'color_formatter',
                     },
                     # The 'handler_console_sql' block is very similar to the one in
                     # development.ini, but without the explicit 'level=DEBUG' setting:
                     # it causes duplicate sqlalchemy debug logs, one through
                     # handler_console_sql and another through another path.
                     '[handler_console_sql]': {
                         'formatter': 'color_formatter_sql',
                     },
                 }
                 if os.environ.get('TEST_DB'):
                     ini_settings['[app:main]']['sqlalchemy.url'] = os.environ.get('TEST_DB')
                 test_ini_file = os.path.join(TESTS_TMP_PATH, 'test.ini')
                 inifile.create(test_ini_file, None, ini_settings)
                 context = loadwsgi.loadcontext(loadwsgi.APP, 'config:%s' % test_ini_file)
                 from kallithea.tests.fixture import create_test_env, create_test_index
                 # set KALLITHEA_NO_TMP_PATH=1 to disable re-creating the database and test repos
                 if not int(os.environ.get('KALLITHEA_NO_TMP_PATH', 0)):
                     create_test_env(TESTS_TMP_PATH, context.config())
                 # set KALLITHEA_WHOOSH_TEST_DISABLE=1 to disable whoosh index during tests
                 if not int(os.environ.get('KALLITHEA_WHOOSH_TEST_DISABLE', 0)):
                     create_test_index(TESTS_TMP_PATH, context.config(), True)
                 kallithea.tests.base.testapp = context.create()
                 # do initial repo scan
                 repo2db_mapper(ScmModel().repo_scan(TESTS_TMP_PATH))
                 logging.disable(logging.NOTSET)
                 kallithea.tests.base.url = URLGenerator(RootController().mapper, {'HTTP_HOST': 'example.com'})
                 # set fixed language for form messages, regardless of environment settings
                 formencode.api.set_stdtranslation(languages=[])
             @pytest.fixture
             def create_test_user():
                 """Provide users that automatically disappear after test is over."""
                 test_user_ids = []
                 def _create_test_user(user_form):
                     user = UserModel().create(user_form)
                     test_user_ids.append(user.user_id)
                     return user
                 yield _create_test_user
                 for user_id in test_user_ids:
                     UserModel().delete(user_id)
                 Session().commit()
             def _set_settings(*kvtseq):
                 session = Session()
                 for kvt in kvtseq:
                     assert len(kvt) in (2, 3)
                     k = kvt[0]
                     v = kvt[1]
                     t = kvt[2] if len(kvt) == 3 else 'unicode'
                     Setting.create_or_update(k, v, t)
                 session.commit()
             @pytest.fixture
             def set_test_settings():
                 """Restore settings after test is over."""
                 # Save settings.
                 settings_snapshot = [
                     (s.app_settings_name, s.app_settings_value, s.app_settings_type)
                     for s in Setting.query().all()]
                 yield _set_settings
                 # Restore settings.
                 session = Session()
                 keys = frozenset(k for (k, v, t) in settings_snapshot)
                 for s in Setting.query().all():
                     if s.app_settings_name not in keys:
                         session.delete(s)
                 for k, v, t in settings_snapshot:
                     if t == 'list' and hasattr(v, '__iter__'):
                         v = ','.join(v) # Quirk: must format list value manually.
                     Setting.create_or_update(k, v, t)
                 session.commit()
             @pytest.fixture
             def auto_clear_ip_permissions():
                 """Fixture that provides nothing but clearing IP permissions upon test
                 exit. This clearing is needed to avoid other test failing to make fake http
                 accesses."""
                 yield
                 # cleanup
                 user_model = UserModel()
                 user_ids = []
                 user_ids.append(User.get_default_user().user_id)
                 user_ids.append(User.get_by_username(TEST_USER_REGULAR_LOGIN).user_id)
                 for user_id in user_ids:
                     for ip in UserIpMap.query().filter(UserIpMap.user_id == user_id):
                         user_model.delete_extra_ip(user_id, ip.ip_id)
                 # IP permissions are cached, need to invalidate this cache explicitly
                 invalidate_all_caches()
                 session = Session()
                 session.commit()
             @pytest.fixture
             def test_context_fixture(app_fixture):
                 """
                 Encompass the entire test using this fixture in a test_context,
                 making sure that certain functionality still works even if no call to
                 self.app.get/post has been made.
                 The typical error message indicating you need a test_context is:
                     TypeError: No object (name: context) has been registered for this thread
                 The standard way to fix this is simply using the test_context context
                 manager directly inside your test:
                     with test_context(self.app):
                         <actions>
                 but if test setup code (xUnit-style or pytest fixtures) also needs to be
                 executed inside the test context, that method is not possible.
                 Even if there is no such setup code, the fixture may reduce code complexity
                 if the entire test needs to run inside a test context.
                 To apply this fixture (like any other fixture) to all test methods of a
                 class, use the following class decorator:
                     @pytest.mark.usefixtures("test_context_fixture")
                     class TestFoo(TestController):
                         ...
                 """
                 with test_context(app_fixture):
                     yield
             class MyWSGIServer(WSGIServer):
                 def repo_url(self, repo_name, username=TEST_USER_ADMIN_LOGIN, password=TEST_USER_ADMIN_PASS):
                     """Return URL to repo on this web server."""
                     host, port = self.server_address
                     proto = 'http' if self._server.ssl_context is None else 'https'
                     auth = ''
                     if username is not None:
                         auth = username
                         if password is not None:
                             auth += ':' + password
                     if auth:
                         auth += '@'
                     return '%s://%s%s:%s/%s' % (proto, auth, host, port, repo_name)
             @pytest.yield_fixture(scope="session")
             def webserver():
                 """Start web server while tests are running.
                 Useful for debugging and necessary for vcs operation tests."""
                 server = MyWSGIServer(application=kallithea.tests.base.testapp)
                 server.start()
                 yield server
                 server.stop()

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages