Changeset - 0e3e0864f210
[Not reviewed]
default
0 7 0
Mads Kiilerich - 7 years ago 2019-01-03 01:16:36
mads@kiilerich.com
auth: drop api_access_controllers_whitelist and give API key auth same access as other kinds of auth

All authentication methods are created equal. There is no point in
discriminating against API key authentication and limiting it to a few APIs.
7 files changed with 12 insertions and 111 deletions:
0 comments (0 inline, 0 general)
development.ini
 
################################################################################
 
################################################################################
 
# Kallithea - config file generated with kallithea-config                      #
 
#                                                                              #
 
# The %(here)s variable will be replaced with the parent directory of this file#
 
################################################################################
 
################################################################################
 

	
 
[DEFAULT]
 

	
 
################################################################################
 
## Email settings                                                             ##
 
##                                                                            ##
 
## Refer to the documentation ("Email settings") for more details.            ##
 
##                                                                            ##
 
## It is recommended to use a valid sender address that passes access         ##
 
## validation and spam filtering in mail servers.                             ##
 
################################################################################
 

	
 
## 'From' header for application emails. You can optionally add a name.
 
## Default:
 
#app_email_from = Kallithea
 
## Examples:
 
#app_email_from = Kallithea <kallithea-noreply@example.com>
 
#app_email_from = kallithea-noreply@example.com
 

	
 
## Subject prefix for application emails.
 
## A space between this prefix and the real subject is automatically added.
 
## Default:
 
#email_prefix =
 
## Example:
 
#email_prefix = [Kallithea]
 

	
 
## Recipients for error emails and fallback recipients of application mails.
 
## Multiple addresses can be specified, comma-separated.
 
## Only addresses are allowed, do not add any name part.
 
## Default:
 
#email_to =
 
## Examples:
 
#email_to = admin@example.com
 
#email_to = admin@example.com,another_admin@example.com
 
email_to =
 

	
 
## 'From' header for error emails. You can optionally add a name.
 
## Default: (none)
 
## Examples:
 
#error_email_from = Kallithea Errors <kallithea-noreply@example.com>
 
#error_email_from = kallithea_errors@example.com
 
error_email_from =
 

	
 
## SMTP server settings
 
## If specifying credentials, make sure to use secure connections.
 
## Default: Send unencrypted unauthenticated mails to the specified smtp_server.
 
## For "SSL", use smtp_use_ssl = true and smtp_port = 465.
 
## For "STARTTLS", use smtp_use_tls = true and smtp_port = 587.
 
smtp_server =
 
#smtp_username =
 
#smtp_password =
 
smtp_port =
 
#smtp_use_ssl = false
 
#smtp_use_tls = false
 

	
 
## Entry point for 'gearbox serve'
 
[server:main]
 
#host = 127.0.0.1
 
host = 0.0.0.0
 
port = 5000
 

	
 
## WAITRESS ##
 
use = egg:waitress#main
 
## number of worker threads
 
threads = 1
 
## MAX BODY SIZE 100GB
 
max_request_body_size = 107374182400
 
## use poll instead of select, fixes fd limits, may not work on old
 
## windows systems.
 
#asyncore_use_poll = True
 

	
 
## middleware for hosting the WSGI application under a URL prefix
 
#[filter:proxy-prefix]
 
#use = egg:PasteDeploy#prefix
 
#prefix = /<your-prefix>
 

	
 
[app:main]
 
use = egg:kallithea
 
## enable proxy prefix middleware
 
#filter-with = proxy-prefix
 

	
 
full_stack = true
 
static_files = true
 

	
 
## Internationalization (see setup documentation for details)
 
## By default, the language requested by the browser is used if available.
 
#i18n.enabled = false
 
## Fallback language, empty for English (valid values are the names of subdirectories in kallithea/i18n):
 
i18n.lang =
 

	
 
cache_dir = %(here)s/data
 
index_dir = %(here)s/data/index
 

	
 
## uncomment and set this path to use archive download cache
 
archive_cache_dir = %(here)s/tarballcache
 

	
 
## change this to unique ID for security
 
#app_instance_uuid = VERY-SECRET
 
app_instance_uuid = development-not-secret
 

	
 
## cut off limit for large diffs (size in bytes)
 
cut_off_limit = 256000
 

	
 
## force https in Kallithea, fixes https redirects, assumes it's always https
 
force_https = false
 

	
 
## use Strict-Transport-Security headers
 
use_htsts = false
 

	
 
## number of commits stats will parse on each iteration
 
commit_parse_limit = 25
 

	
 
## Path to Python executable to be used for git hooks.
 
## This value will be written inside the git hook scripts as the text
 
## after '#!' (shebang). When empty or not defined, the value of
 
## 'sys.executable' at the time of installation of the git hooks is
 
## used, which is correct in many cases but for example not when using uwsgi.
 
## If you change this setting, you should reinstall the Git hooks via
 
## Admin > Settings > Remap and Rescan.
 
# git_hook_interpreter = /srv/kallithea/venv/bin/python2
 

	
 
## path to git executable
 
git_path = git
 

	
 
## git rev filter option, --all is the default filter, if you need to
 
## hide all refs in changelog switch this to --branches --tags
 
#git_rev_filter = --branches --tags
 

	
 
## RSS feed options
 
rss_cut_off_limit = 256000
 
rss_items_per_page = 10
 
rss_include_diff = false
 

	
 
## options for showing and identifying changesets
 
show_sha_length = 12
 
show_revision_number = false
 

	
 
## Canonical URL to use when creating full URLs in UI and texts.
 
## Useful when the site is available under different names or protocols.
 
## Defaults to what is provided in the WSGI environment.
 
#canonical_url = https://kallithea.example.com/repos
 

	
 
## gist URL alias, used to create nicer urls for gist. This should be an
 
## url that does rewrites to _admin/gists/<gistid>.
 
## example: http://gist.example.com/{gistid}. Empty means use the internal
 
## Kallithea url, ie. http[s]://kallithea.example.com/_admin/gists/<gistid>
 
gist_alias_url =
 

	
 
## white list of API enabled controllers. This allows to add list of
 
## controllers to which access will be enabled by api_key. eg: to enable
 
## api access to raw_files put `FilesController:raw`, to enable access to patches
 
## add `ChangesetController:changeset_patch`. This list should be "," separated
 
## Syntax is <ControllerClass>:<function>. Check debug logs for generated names
 
## Recommended settings below are commented out:
 
api_access_controllers_whitelist =
 
#    ChangesetController:changeset_patch,
 
#    ChangesetController:changeset_raw,
 
#    FilesController:raw,
 
#    FilesController:archivefile
 

	
 
## default encoding used to convert from and to unicode
 
## can be also a comma separated list of encoding in case of mixed encodings
 
default_encoding = utf-8
 

	
 
## Set Mercurial encoding, similar to setting HGENCODING before launching Kallithea
 
hgencoding = utf-8
 

	
 
## issue tracker for Kallithea (leave blank to disable, absent for default)
 
#bugtracker = https://bitbucket.org/conservancy/kallithea/issues
 

	
 
## issue tracking mapping for commit messages, comments, PR descriptions, ...
 
## Refer to the documentation ("Integration with issue trackers") for more details.
 

	
 
## regular expression to match issue references
 
## This pattern may/should contain parenthesized groups, that can
 
## be referred to in issue_server_link or issue_sub using Python backreferences
 
## (e.g. \1, \2, ...). You can also create named groups with '(?P<groupname>)'.
 
## To require mandatory whitespace before the issue pattern, use:
 
## (?:^|(?<=\s)) before the actual pattern, and for mandatory whitespace
 
## behind the issue pattern, use (?:$|(?=\s)) after the actual pattern.
 

	
 
issue_pat = #(\d+)
 

	
 
## server url to the issue
 
## This pattern may/should contain backreferences to parenthesized groups in issue_pat.
 
## A backreference can be \1, \2, ... or \g<groupname> if you specified a named group
 
## called 'groupname' in issue_pat.
 
## The special token {repo} is replaced with the full repository name
 
## including repository groups, while {repo_name} is replaced with just
 
## the name of the repository.
 

	
 
issue_server_link = https://issues.example.com/{repo}/issue/\1
 

	
 
## substitution pattern to use as the link text
 
## If issue_sub is empty, the text matched by issue_pat is retained verbatim
 
## for the link text. Otherwise, the link text is that of issue_sub, with any
 
## backreferences to groups in issue_pat replaced.
 

	
 
issue_sub =
 

	
 
## issue_pat, issue_server_link and issue_sub can have suffixes to specify
 
## multiple patterns, to other issues server, wiki or others
 
## below an example how to create a wiki pattern
 
# wiki-some-id -> https://wiki.example.com/some-id
 

	
 
#issue_pat_wiki = wiki-(\S+)
 
#issue_server_link_wiki = https://wiki.example.com/\1
 
#issue_sub_wiki = WIKI-\1
 

	
 
## alternative return HTTP header for failed authentication. Default HTTP
 
## response is 401 HTTPUnauthorized. Currently Mercurial clients have trouble with
 
## handling that. Set this variable to 403 to return HTTPForbidden
 
auth_ret_code =
 

	
 
## allows to change the repository location in settings page
 
allow_repo_location_change = True
 

	
 
## allows to setup custom hooks in settings page
 
allow_custom_hooks_settings = True
 

	
 
## extra extensions for indexing, space separated and without the leading '.'.
 
# index.extensions =
 
#    gemfile
 
#    lock
 

	
 
## extra filenames for indexing, space separated
 
# index.filenames =
 
#    .dockerignore
 
#    .editorconfig
 
#    INSTALL
 
#    CHANGELOG
 

	
 
####################################
 
###        CELERY CONFIG        ####
 
####################################
 

	
 
use_celery = false
 

	
 
## Example: connect to the virtual host 'rabbitmqhost' on localhost as rabbitmq:
 
broker.url = amqp://rabbitmq:qewqew@localhost:5672/rabbitmqhost
 

	
 
celery.imports = kallithea.lib.celerylib.tasks
 
celery.accept.content = pickle
 
celery.result.backend = amqp
 
celery.result.dburi = amqp://
 
celery.result.serialier = json
 

	
 
#celery.send.task.error.emails = true
 
#celery.amqp.task.result.expires = 18000
 

	
 
celeryd.concurrency = 2
 
celeryd.max.tasks.per.child = 1
 

	
 
## If true, tasks will never be sent to the queue, but executed locally instead.
 
celery.always.eager = false
 

	
 
####################################
 
###         BEAKER CACHE        ####
 
####################################
 

	
 
beaker.cache.data_dir = %(here)s/data/cache/data
 
beaker.cache.lock_dir = %(here)s/data/cache/lock
 

	
 
beaker.cache.regions = short_term,long_term,sql_cache_short
 

	
 
beaker.cache.short_term.type = memory
 
beaker.cache.short_term.expire = 60
 
beaker.cache.short_term.key_length = 256
 

	
 
beaker.cache.long_term.type = memory
 
beaker.cache.long_term.expire = 36000
 
beaker.cache.long_term.key_length = 256
 

	
 
beaker.cache.sql_cache_short.type = memory
 
beaker.cache.sql_cache_short.expire = 10
 
beaker.cache.sql_cache_short.key_length = 256
 

	
 
####################################
 
###       BEAKER SESSION        ####
 
####################################
 

	
 
## Name of session cookie. Should be unique for a given host and path, even when running
 
## on different ports. Otherwise, cookie sessions will be shared and messed up.
 
beaker.session.key = kallithea
 
## Sessions should always only be accessible by the browser, not directly by JavaScript.
 
beaker.session.httponly = true
 
## Session lifetime. 2592000 seconds is 30 days.
 
beaker.session.timeout = 2592000
 

	
 
## Server secret used with HMAC to ensure integrity of cookies.
 
#beaker.session.secret = VERY-SECRET
 
beaker.session.secret = development-not-secret
 
## Further, encrypt the data with AES.
 
#beaker.session.encrypt_key = <key_for_encryption>
 
#beaker.session.validate_key = <validation_key>
 

	
 
## Type of storage used for the session, current types are
 
## dbm, file, memcached, database, and memory.
 

	
 
## File system storage of session data. (default)
 
#beaker.session.type = file
 

	
 
## Cookie only, store all session data inside the cookie. Requires secure secrets.
 
#beaker.session.type = cookie
 

	
 
## Database storage of session data.
 
#beaker.session.type = ext:database
 
#beaker.session.sa.url = postgresql://postgres:qwe@localhost/kallithea
 
#beaker.session.table_name = db_session
 

	
 
################################################################################
 
## WARNING: *DEBUG MODE MUST BE OFF IN A PRODUCTION ENVIRONMENT*              ##
 
## Debug mode will enable the interactive debugging tool, allowing ANYONE to  ##
 
## execute malicious code after an exception is raised.                       ##
 
################################################################################
 
#debug = false
 
debug = true
 

	
 
##################################
 
###       LOGVIEW CONFIG       ###
 
##################################
 

	
 
logview.sqlalchemy = #faa
 
logview.pylons.templating = #bfb
 
logview.pylons.util = #eee
 

	
 
#########################################################
 
### DB CONFIGS - EACH DB WILL HAVE IT'S OWN CONFIG    ###
 
#########################################################
 

	
 
# SQLITE [default]
 
sqlalchemy.url = sqlite:///%(here)s/kallithea.db?timeout=60
 

	
 
# see sqlalchemy docs for others
 

	
 
sqlalchemy.pool_recycle = 3600
 

	
 
################################
 
### ALEMBIC CONFIGURATION   ####
 
################################
 

	
 
[alembic]
 
script_location = kallithea:alembic
 

	
 
################################
 
### LOGGING CONFIGURATION   ####
 
################################
 

	
 
[loggers]
 
keys = root, routes, kallithea, sqlalchemy, tg, gearbox, beaker, templates, whoosh_indexer, werkzeug, backlash
 

	
 
[handlers]
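Review bot: Dropping `api_access_controllers_whitelist` widens what an API key can reach (every `@LoginRequired` view instead of the few listed controllers), but nothing in the shipped ini records that the old key is now ignored, so an existing deployment that still carries the whitelist and treats it as a restriction gets the wider exposure without any signal. A short comment at the old position, e.g. `## api_access_controllers_whitelist is no longer used: every LoginRequired view accepts API key auth`, would make the change visible to anyone diffing their ini against the template. A warning from the config loader when the stale key is still present would help too, though that check lives outside this file. The `?api_key=` query-string form that docs/api/api.rst already flags as a leak risk now applies to all of those views as well.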
docs/api/api.rst
 
@@ -1049,219 +1049,203 @@ INPUT::
 
                "repoid" : "<reponame or repo_id>",
 
                "start": "<revision number> = Optional(None)",
 
                "end": "<revision number> = Optional(None)",
 
                "start_date": "<date> = Optional(None)",    # in "%Y-%m-%dT%H:%M:%S" format
 
                "end_date": "<date> = Optional(None)",      # in "%Y-%m-%dT%H:%M:%S" format
 
                "branch_name": "<branch name filter> = Optional(None)",
 
                "reverse": "<bool> = Optional(False)",
 
                "with_file_list": "<bool> = Optional(False)"
 
              }
 

	
 
OUTPUT::
 

	
 
    id : <id_given_in_input>
 
    result: [
 
    {
 
      "raw_id": "<raw_id>",
 
      "short_id": "short_id": "<short_id>",
 
      "author": "<full_author>",
 
      "date": "<date_time_of_commit>",
 
      "message": "<commit_message>",
 
      "revision": "<numeric_revision>",
 
      <if with_file_list == True>
 
      "added": [<list of added files>],
 
      "changed": [<list of changed files>],
 
      "removed": [<list of removed files>]
 
    },
 
    ...
 
    ]
 
    error:  null
 

	
 
get_changeset
 
^^^^^^^^^^^^^
 

	
 
Get information and review status for a given changeset. This command can only
 
be executed using the api_key of a user with read permissions to the
 
repository.
 

	
 
INPUT::
 

	
 
    id : <id_for_response>
 
    api_key : "<api_key>"
 
    method  : "get_changeset"
 
    args:     {
 
                "repoid" : "<reponame or repo_id>",
 
                "raw_id" : "<raw_id>",
 
                "with_reviews": "<bool> = Optional(False)"
 
              }
 

	
 
OUTPUT::
 

	
 
    id : <id_given_in_input>
 
    result: {
 
              "author":   "<full_author>",
 
              "date":     "<date_time_of_commit>",
 
              "message":  "<commit_message>",
 
              "raw_id":   "<raw_id>",
 
              "revision": "<numeric_revision>",
 
              "short_id": "<short_id>",
 
              "reviews": [{
 
                    "reviewer":   "<username>",
 
                    "modified_at": "<date_time_of_review>",  # iso 8601 date, server's timezone
 
                    "status":   "<status_of_review>",        # "under_review", "approved" or "rejected"
 
                 },
 
                 ...
 
              ]
 
            }
 
    error:  null
 

	
 
Example output::
 

	
 
    {
 
      "id" : 1,
 
      "error" : null,
 
      "result" : {
 
        "author" : {
 
          "email" : "user@example.com",
 
          "name" : "Kallithea Admin"
 
        },
 
        "changed" : [],
 
        "short_id" : "e1022d3d28df",
 
        "date" : "2017-03-28T09:09:03",
 
        "added" : [
 
          "README.rst"
 
        ],
 
        "removed" : [],
 
        "revision" : 0,
 
        "raw_id" : "e1022d3d28dfba02f626cde65dbe08f4ceb0e4e7",
 
        "message" : "Added file via Kallithea",
 
        "id" : "e1022d3d28dfba02f626cde65dbe08f4ceb0e4e7",
 
        "reviews" : [
 
          {
 
            "status" : "under_review",
 
            "modified_at" : "2017-03-28T09:17:08.618",
 
            "reviewer" : "user"
 
          }
 
        ]
 
      }
 
    }
 

	
 
get_pullrequest
 
^^^^^^^^^^^^^^^
 

	
 
Get information and review status for a given pull request. This command can only be executed
 
using the api_key of a user with read permissions to the original repository.
 

	
 
INPUT::
 

	
 
    id : <id_for_response>
 
    api_key : "<api_key>"
 
    method  : "get_pullrequest"
 
    args:     {
 
                "pullrequest_id" : "<pullrequest_id>",
 
              }
 

	
 
OUTPUT::
 

	
 
    id : <id_given_in_input>
 
    result: {
 
        "status": "<pull_request_status>",
 
        "pull_request_id": <pull_request_id>,
 
        "description": "<pull_request_description>",
 
        "title": "<pull_request_title>",
 
        "url": "<pull_request_url>",
 
        "reviewers": [
 
          {
 
            "username": "<user_name>",
 
          },
 
          ...
 
        ],
 
        "org_repo_url": "<repo_url>",
 
        "org_ref_parts": [
 
          "<ref_type>",
 
          "<ref_name>",
 
          "<raw_id>"
 
        ],
 
        "other_ref_parts": [
 
          "<ref_type>",
 
          "<ref_name>",
 
          "<raw_id>"
 
        ],
 
        "comments": [
 
          {
 
            "username": "<user_name>",
 
            "text": "<comment text>",
 
            "comment_id": "<comment_id>",
 
          },
 
          ...
 
        ],
 
        "owner": "<username>",
 
        "statuses": [
 
          {
 
            "status": "<status_of_review>",        # "under_review", "approved" or "rejected"
 
            "reviewer": "<user_name>",
 
            "modified_at": "<date_time_of_review>" # iso 8601 date, server's timezone
 
          },
 
          ...
 
        ],
 
        "revisions": [
 
          "<raw_id>",
 
          ...
 
        ]
 
    },
 
    error:  null
 

	
 
comment_pullrequest
 
^^^^^^^^^^^^^^^^^^^
 

	
 
Add comment, change status or close a given pull request. This command can only be executed
 
using the api_key of a user with read permissions to the original repository.
 

	
 
INPUT::
 

	
 
    id : <id_for_response>
 
    api_key : "<api_key>"
 
    method  : "comment_pullrequest"
 
    args:     {
 
                "pull_request_id":  "<pull_request_id>",
 
                "comment_msg":      Optional(''),
 
                "status":           Optional(None),     # "under_review", "approved" or "rejected"
 
                "close_pr":         Optional(False)",
 
              }
 

	
 
OUTPUT::
 

	
 
    id : <id_given_in_input>
 
    result: True
 
    error:  null
 

	
 

	
 
API access for web views
 
------------------------
 

	
 
API access can also be turned on for each web view in Kallithea that is
 
decorated with the ``@LoginRequired`` decorator. Some views use
 
``@LoginRequired(api_access=True)`` and are always available. By default only
 
RSS/Atom feed views are enabled. Other views are
 
only available if they have been whitelisted. Edit the
 
``api_access_controllers_whitelist`` option in your .ini file and define views
 
that should have API access enabled.
 

	
 
For example, to enable API access to patch/diff, raw file and archive::
 

	
 
    api_access_controllers_whitelist =
 
        ChangesetController:changeset_patch,
 
        ChangesetController:changeset_raw,
 
        FilesController:raw,
 
        FilesController:archivefile
 

	
 
After this change, a Kallithea view can be accessed without login using
 
bearer authentication, by including this header with the request::
 
Kallithea HTTP entry points can also be accessed without login using bearer
 
authentication by including this header with the request::
 

	
 
    Authentication: Bearer <api_key>
 

	
 
Alternatively, the API key can be passed in the URL query string using
 
``?api_key=<api_key>``, though this is not recommended due to the increased
 
risk of API key leaks, and support will likely be removed in the future.
 

	
 
Exposing raw diffs is a good way to integrate with
 
third-party services like code review, or build farms that can download archives.
kallithea/controllers/feed.py
 
# -*- coding: utf-8 -*-
 
# This program is free software: you can redistribute it and/or modify
 
# it under the terms of the GNU General Public License as published by
 
# the Free Software Foundation, either version 3 of the License, or
 
# (at your option) any later version.
 
#
 
# This program is distributed in the hope that it will be useful,
 
# but WITHOUT ANY WARRANTY; without even the implied warranty of
 
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 
# GNU General Public License for more details.
 
#
 
# You should have received a copy of the GNU General Public License
 
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
"""
 
kallithea.controllers.feed
 
~~~~~~~~~~~~~~~~~~~~~~~~~~
 

	
 
Feed controller for Kallithea
 

	
 
This file was forked by the Kallithea project in July 2014.
 
Original author and date, and relevant copyright and licensing information is below:
 
:created_on: Apr 23, 2010
 
:author: marcink
 
:copyright: (c) 2013 RhodeCode GmbH, and others.
 
:license: GPLv3, see LICENSE.md for more details.
 
"""
 

	
 

	
 
import logging
 

	
 
from tg import response, tmpl_context as c
 
from tg.i18n import ugettext as _
 

	
 
from beaker.cache import cache_region, region_invalidate
 
from webhelpers.feedgenerator import Atom1Feed, Rss201rev2Feed
 

	
 
from kallithea import CONFIG
 
from kallithea.lib import helpers as h
 
from kallithea.lib.auth import LoginRequired, HasRepoPermissionLevelDecorator
 
from kallithea.lib.base import BaseRepoController
 
from kallithea.lib.diffs import DiffProcessor
 
from kallithea.model.db import CacheInvalidation
 
from kallithea.lib.utils2 import safe_int, str2bool, safe_unicode
 

	
 
log = logging.getLogger(__name__)
 

	
 

	
 
language = 'en-us'
 
ttl = "5"
 

	
 

	
 
class FeedController(BaseRepoController):
 

	
 
    @LoginRequired(api_access=True, allow_default_user=True)
 
    @LoginRequired(allow_default_user=True)
 
    @HasRepoPermissionLevelDecorator('read')
 
    def _before(self, *args, **kwargs):
 
        super(FeedController, self)._before(*args, **kwargs)
 

	
 
    def _get_title(self, cs):
 
        return h.shorter(cs.message, 160)
 

	
 
    def __get_desc(self, cs):
 
        desc_msg = [(_('%s committed on %s')
 
                     % (h.person(cs.author), h.fmt_date(cs.date))) + '<br/>']
 
        # branches, tags, bookmarks
 
        for branch in cs.branches:
 
            desc_msg.append('branch: %s<br/>' % branch)
 
        for book in cs.bookmarks:
 
            desc_msg.append('bookmark: %s<br/>' % book)
 
        for tag in cs.tags:
 
            desc_msg.append('tag: %s<br/>' % tag)
 

	
 
        changes = []
 
        diff_limit = safe_int(CONFIG.get('rss_cut_off_limit', 32 * 1024))
 
        raw_diff = cs.diff()
 
        diff_processor = DiffProcessor(raw_diff,
 
                                       diff_limit=diff_limit,
 
                                       inline_diff=False)
 

	
 
        for st in diff_processor.parsed:
 
            st.update({'added': st['stats']['added'],
 
                       'removed': st['stats']['deleted']})
 
            changes.append('\n %(operation)s %(filename)s '
 
                           '(%(added)s lines added, %(removed)s lines removed)'
 
                            % st)
 
        if diff_processor.limited_diff:
 
            changes = changes + ['\n ' +
 
                                 _('Changeset was too big and was cut off...')]
 

	
 
        # rev link
 
        _url = h.canonical_url('changeset_home', repo_name=c.db_repo.repo_name,
 
                   revision=cs.raw_id)
 
        desc_msg.append('changeset: <a href="%s">%s</a>' % (_url, cs.raw_id[:8]))
 

	
 
        desc_msg.append('<pre>')
 
        desc_msg.append(h.urlify_text(cs.message))
 
        desc_msg.append('\n')
 
        desc_msg.extend(changes)
 
        if str2bool(CONFIG.get('rss_include_diff', False)):
 
            desc_msg.append('\n\n')
 
            desc_msg.append(raw_diff)
 
        desc_msg.append('</pre>')
 
        return map(safe_unicode, desc_msg)
 

	
 
    def atom(self, repo_name):
 
        """Produce an atom-1.0 feed via feedgenerator module"""
 

	
 
        @cache_region('long_term', '_get_feed_from_cache')
 
        def _get_feed_from_cache(key, kind):
 
            feed = Atom1Feed(
 
                title=_('%s %s feed') % (c.site_name, repo_name),
 
                link=h.canonical_url('summary_home', repo_name=repo_name),
 
                description=_('Changes on %s repository') % repo_name,
 
                language=language,
 
                ttl=ttl
 
            )
 

	
 
            rss_items_per_page = safe_int(CONFIG.get('rss_items_per_page', 20))
 
            for cs in reversed(list(c.db_repo_scm_instance[-rss_items_per_page:])):
 
                feed.add_item(title=self._get_title(cs),
 
                              link=h.canonical_url('changeset_home', repo_name=repo_name,
 
                                       revision=cs.raw_id),
 
                              author_name=cs.author,
 
                              description=''.join(self.__get_desc(cs)),
 
                              pubdate=cs.date,
 
                              )
 

	
 
            response.content_type = feed.mime_type
 
            return feed.writeString('utf-8')
 

	
 
        kind = 'ATOM'
 
        valid = CacheInvalidation.test_and_set_valid(repo_name, kind)
 
        if not valid:
 
            region_invalidate(_get_feed_from_cache, None, '_get_feed_from_cache', repo_name, kind)
 
        return _get_feed_from_cache(repo_name, kind)
 

	
 
    def rss(self, repo_name):
 
        """Produce an rss2 feed via feedgenerator module"""
 

	
 
        @cache_region('long_term', '_get_feed_from_cache')
 
        def _get_feed_from_cache(key, kind):
 
            feed = Rss201rev2Feed(
 
                title=_('%s %s feed') % (c.site_name, repo_name),
 
                link=h.canonical_url('summary_home', repo_name=repo_name),
 
                description=_('Changes on %s repository') % repo_name,
 
                language=language,
 
                ttl=ttl
 
            )
 

	
 
            rss_items_per_page = safe_int(CONFIG.get('rss_items_per_page', 20))
 
            for cs in reversed(list(c.db_repo_scm_instance[-rss_items_per_page:])):
 
                feed.add_item(title=self._get_title(cs),
 
                              link=h.canonical_url('changeset_home', repo_name=repo_name,
 
                                       revision=cs.raw_id),
 
                              author_name=cs.author,
 
                              description=''.join(self.__get_desc(cs)),
 
                              pubdate=cs.date,
 
                             )
 

	
 
            response.content_type = feed.mime_type
 
            return feed.writeString('utf-8')
 

	
 
        kind = 'RSS'
 
        valid = CacheInvalidation.test_and_set_valid(repo_name, kind)
 
        if not valid:
 
            region_invalidate(_get_feed_from_cache, None, '_get_feed_from_cache', repo_name, kind)
 
        return _get_feed_from_cache(repo_name, kind)
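Review bot: The decorator change on `_before` to `@LoginRequired(allow_default_user=True)` removes the only in-file marker that the feed endpoints are reachable with an API key; since that access is now implicit in `LoginRequired`, a reader of this controller can no longer tell that `atom` and `rss` answer to bearer or `?api_key=` auth. A one-line comment above the decorator, such as `# API key (bearer) auth is accepted here, as for every LoginRequired view`, would keep that intent visible. Whether the `api_access` keyword was removed from `LoginRequired` itself is not shown in this section, so a leftover caller elsewhere would either keep working silently or fail at import depending on how it was dropped; worth confirming.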
kallithea/controllers/journal.py
 
@@ -31,284 +31,284 @@ import traceback
 
from itertools import groupby
 

	
 
from sqlalchemy import or_
 
from sqlalchemy.orm import joinedload
 
from sqlalchemy.sql.expression import func
 

	
 
from webhelpers.feedgenerator import Atom1Feed, Rss201rev2Feed
 

	
 
from webob.exc import HTTPBadRequest
 
from tg import request, tmpl_context as c, response
 
from tg.i18n import ugettext as _
 

	
 
from kallithea.config.routing import url
 
from kallithea.controllers.admin.admin import _journal_filter
 
from kallithea.model.db import UserLog, UserFollowing, Repository, User
 
from kallithea.model.meta import Session
 
from kallithea.model.repo import RepoModel
 
import kallithea.lib.helpers as h
 
from kallithea.lib.auth import LoginRequired
 
from kallithea.lib.base import BaseController, render
 
from kallithea.lib.page import Page
 
from kallithea.lib.utils2 import safe_int, AttributeDict
 

	
 
log = logging.getLogger(__name__)
 

	
 

	
 
language = 'en-us'
 
ttl = "5"
 
feed_nr = 20
 

	
 

	
 
class JournalController(BaseController):
 

	
 
    def _before(self, *args, **kwargs):
 
        super(JournalController, self)._before(*args, **kwargs)
 
        c.search_term = request.GET.get('filter')
 

	
 
    def _get_daily_aggregate(self, journal):
 
        groups = []
 
        for k, g in groupby(journal, lambda x: x.action_as_day):
 
            user_group = []
 
            # groupby username if it's a present value, else fallback to journal username
 
            for _unused, g2 in groupby(list(g), lambda x: x.user.username if x.user else x.username):
 
                l = list(g2)
 
                user_group.append((l[0].user, l))
 

	
 
            groups.append((k, user_group,))
 

	
 
        return groups
 

	
 
    def _get_journal_data(self, following_repos):
 
        repo_ids = [x.follows_repository_id for x in following_repos
 
                    if x.follows_repository_id is not None]
 
        user_ids = [x.follows_user_id for x in following_repos
 
                    if x.follows_user_id is not None]
 

	
 
        filtering_criterion = None
 

	
 
        if repo_ids and user_ids:
 
            filtering_criterion = or_(UserLog.repository_id.in_(repo_ids),
 
                        UserLog.user_id.in_(user_ids))
 
        if repo_ids and not user_ids:
 
            filtering_criterion = UserLog.repository_id.in_(repo_ids)
 
        if not repo_ids and user_ids:
 
            filtering_criterion = UserLog.user_id.in_(user_ids)
 
        if filtering_criterion is not None:
 
            journal = UserLog.query() \
 
                .options(joinedload(UserLog.user)) \
 
                .options(joinedload(UserLog.repository))
 
            # filter
 
            journal = _journal_filter(journal, c.search_term)
 
            journal = journal.filter(filtering_criterion) \
 
                        .order_by(UserLog.action_date.desc())
 
        else:
 
            journal = []
 

	
 
        return journal
 

	
 
    def _atom_feed(self, repos, public=True):
 
        journal = self._get_journal_data(repos)
 
        if public:
 
            _link = h.canonical_url('public_journal_atom')
 
            _desc = '%s %s %s' % (c.site_name, _('Public Journal'),
 
                                  'atom feed')
 
        else:
 
            _link = h.canonical_url('journal_atom')
 
            _desc = '%s %s %s' % (c.site_name, _('Journal'), 'atom feed')
 

	
 
        feed = Atom1Feed(title=_desc,
 
                         link=_link,
 
                         description=_desc,
 
                         language=language,
 
                         ttl=ttl)
 

	
 
        for entry in journal[:feed_nr]:
 
            user = entry.user
 
            if user is None:
 
                # fix deleted users
 
                user = AttributeDict({'short_contact': entry.username,
 
                                      'email': '',
 
                                      'full_contact': ''})
 
            action, action_extra, ico = h.action_parser(entry, feed=True)
 
            title = "%s - %s %s" % (user.short_contact, action(),
 
                                    entry.repository.repo_name)
 
            desc = action_extra()
 
            _url = None
 
            if entry.repository is not None:
 
                _url = h.canonical_url('changelog_home',
 
                           repo_name=entry.repository.repo_name)
 

	
 
            feed.add_item(title=title,
 
                          pubdate=entry.action_date,
 
                          link=_url or h.canonical_url(''),
 
                          author_email=user.email,
 
                          author_name=user.full_contact,
 
                          description=desc)
 

	
 
        response.content_type = feed.mime_type
 
        return feed.writeString('utf-8')
 

	
 
    def _rss_feed(self, repos, public=True):
 
        journal = self._get_journal_data(repos)
 
        if public:
 
            _link = h.canonical_url('public_journal_atom')
 
            _desc = '%s %s %s' % (c.site_name, _('Public Journal'),
 
                                  'rss feed')
 
        else:
 
            _link = h.canonical_url('journal_atom')
 
            _desc = '%s %s %s' % (c.site_name, _('Journal'), 'rss feed')
 

	
 
        feed = Rss201rev2Feed(title=_desc,
 
                         link=_link,
 
                         description=_desc,
 
                         language=language,
 
                         ttl=ttl)
 

	
 
        for entry in journal[:feed_nr]:
 
            user = entry.user
 
            if user is None:
 
                # fix deleted users
 
                user = AttributeDict({'short_contact': entry.username,
 
                                      'email': '',
 
                                      'full_contact': ''})
 
            action, action_extra, ico = h.action_parser(entry, feed=True)
 
            title = "%s - %s %s" % (user.short_contact, action(),
 
                                    entry.repository.repo_name)
 
            desc = action_extra()
 
            _url = None
 
            if entry.repository is not None:
 
                _url = h.canonical_url('changelog_home',
 
                           repo_name=entry.repository.repo_name)
 

	
 
            feed.add_item(title=title,
 
                          pubdate=entry.action_date,
 
                          link=_url or h.canonical_url(''),
 
                          author_email=user.email,
 
                          author_name=user.full_contact,
 
                          description=desc)
 

	
 
        response.content_type = feed.mime_type
 
        return feed.writeString('utf-8')
 

	
 
    @LoginRequired()
 
    def index(self):
 
        # Return a rendered template
 
        p = safe_int(request.GET.get('page'), 1)
 
        c.user = User.get(request.authuser.user_id)
 
        c.following = UserFollowing.query() \
 
            .filter(UserFollowing.user_id == request.authuser.user_id) \
 
            .options(joinedload(UserFollowing.follows_repository)) \
 
            .all()
 

	
 
        journal = self._get_journal_data(c.following)
 

	
 
        def url_generator(**kw):
 
            return url.current(filter=c.search_term, **kw)
 

	
 
        c.journal_pager = Page(journal, page=p, items_per_page=20, url=url_generator)
 
        c.journal_day_aggregate = self._get_daily_aggregate(c.journal_pager)
 

	
 
        if request.environ.get('HTTP_X_PARTIAL_XHR'):
 
            return render('journal/journal_data.html')
 

	
 
        repos_list = Repository.query(sorted=True) \
 
            .filter_by(owner_id=request.authuser.user_id).all()
 

	
 
        repos_data = RepoModel().get_repos_as_dict(repos_list, admin=True)
 
        # data used to render the grid
 
        c.data = repos_data
 

	
 
        return render('journal/journal.html')
 

	
 
    @LoginRequired(api_access=True)
 
    @LoginRequired()
 
    def journal_atom(self):
 
        """
 
        Produce an atom-1.0 feed via feedgenerator module
 
        """
 
        following = UserFollowing.query() \
 
            .filter(UserFollowing.user_id == request.authuser.user_id) \
 
            .options(joinedload(UserFollowing.follows_repository)) \
 
            .all()
 
        return self._atom_feed(following, public=False)
 

	
 
    @LoginRequired(api_access=True)
 
    @LoginRequired()
 
    def journal_rss(self):
 
        """
 
        Produce an rss feed via feedgenerator module
 
        """
 
        following = UserFollowing.query() \
 
            .filter(UserFollowing.user_id == request.authuser.user_id) \
 
            .options(joinedload(UserFollowing.follows_repository)) \
 
            .all()
 
        return self._rss_feed(following, public=False)
 

	
 
    @LoginRequired()
 
    def toggle_following(self):
 
        user_id = request.POST.get('follows_user_id')
 
        if user_id:
 
            try:
 
                self.scm_model.toggle_following_user(user_id,
 
                                            request.authuser.user_id)
 
                Session().commit()
 
                return 'ok'
 
            except Exception:
 
                log.error(traceback.format_exc())
 
                raise HTTPBadRequest()
 

	
 
        repo_id = request.POST.get('follows_repository_id')
 
        if repo_id:
 
            try:
 
                self.scm_model.toggle_following_repo(repo_id,
 
                                            request.authuser.user_id)
 
                Session().commit()
 
                return 'ok'
 
            except Exception:
 
                log.error(traceback.format_exc())
 
                raise HTTPBadRequest()
 

	
 
        raise HTTPBadRequest()
 

	
 
    @LoginRequired(allow_default_user=True)
 
    def public_journal(self):
 
        # Return a rendered template
 
        p = safe_int(request.GET.get('page'), 1)
 

	
 
        c.following = UserFollowing.query() \
 
            .filter(UserFollowing.user_id == request.authuser.user_id) \
 
            .options(joinedload(UserFollowing.follows_repository)) \
 
            .all()
 

	
 
        journal = self._get_journal_data(c.following)
 

	
 
        c.journal_pager = Page(journal, page=p, items_per_page=20)
 

	
 
        c.journal_day_aggregate = self._get_daily_aggregate(c.journal_pager)
 

	
 
        if request.environ.get('HTTP_X_PARTIAL_XHR'):
 
            return render('journal/journal_data.html')
 

	
 
        return render('journal/public_journal.html')
 

	
 
    @LoginRequired(api_access=True, allow_default_user=True)
 
    @LoginRequired(allow_default_user=True)
 
    def public_journal_atom(self):
 
        """
 
        Produce an atom-1.0 feed via feedgenerator module
 
        """
 
        c.following = UserFollowing.query() \
 
            .filter(UserFollowing.user_id == request.authuser.user_id) \
 
            .options(joinedload(UserFollowing.follows_repository)) \
 
            .all()
 

	
 
        return self._atom_feed(c.following)
 

	
 
    @LoginRequired(api_access=True, allow_default_user=True)
 
    @LoginRequired(allow_default_user=True)
 
    def public_journal_rss(self):
 
        """
 
        Produce an rss2 feed via feedgenerator module
 
        """
 
        c.following = UserFollowing.query() \
 
            .filter(UserFollowing.user_id == request.authuser.user_id) \
 
            .options(joinedload(UserFollowing.follows_repository)) \
 
            .all()
 

	
 
        return self._rss_feed(c.following)
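Review bot: The docstrings on journal_atom and journal_rss (and the public_ variants) still read only "Produce an atom-1.0 feed via feedgenerator module" and do not record that the feed is scoped to the follow list of request.authuser, which after this change may be established by an API key as well as a login cookie, so the access semantics are invisible at the endpoint. Suggested text for journal_atom: `Atom feed of journal entries for the repositories and users followed by the requesting user; any authentication LoginRequired accepts (including an API key) may be used.`, with matching wording for the rss and public_ methods. Unrelated to the change but in the same hunk, _atom_feed and _rss_feed build the title from `entry.repository.repo_name` before the `if entry.repository is not None:` guard, so an entry without a repository would raise instead of taking the fallback link; and _rss_feed links the feed to the `public_journal_atom` / `journal_atom` routes, which looks like a copy-paste from _atom_feed.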
kallithea/lib/auth.py
 
@@ -178,735 +178,703 @@ def _cached_perms_data(user_id, user_is_
 
        # repository groups
 
        for perm in default_repo_groups_perms:
 
            rg_k = perm.UserRepoGroupToPerm.group.group_name
 
            p = 'group.admin'
 
            permissions[GK][rg_k] = p
 

	
 
        # user groups
 
        for perm in default_user_group_perms:
 
            u_k = perm.UserUserGroupToPerm.user_group.users_group_name
 
            p = 'usergroup.admin'
 
            permissions[UK][u_k] = p
 
        return permissions
 

	
 
    #==================================================================
 
    # SET DEFAULTS GLOBAL, REPOS, REPOSITORY GROUPS
 
    #==================================================================
 

	
 
    # default global permissions taken from the default user
 
    default_global_perms = UserToPerm.query() \
 
        .filter(UserToPerm.user_id == default_user_id) \
 
        .options(joinedload(UserToPerm.permission))
 

	
 
    for perm in default_global_perms:
 
        permissions[GLOBAL].add(perm.permission.permission_name)
 

	
 
    # defaults for repositories, taken from default user
 
    for perm in default_repo_perms:
 
        r_k = perm.UserRepoToPerm.repository.repo_name
 
        if perm.Repository.owner_id == user_id:
 
            p = 'repository.admin'
 
        elif perm.Repository.private:
 
            p = 'repository.none'
 
        else:
 
            p = perm.Permission.permission_name
 
        permissions[RK][r_k] = p
 

	
 
    # defaults for repository groups taken from default user permission
 
    # on given group
 
    for perm in default_repo_groups_perms:
 
        rg_k = perm.UserRepoGroupToPerm.group.group_name
 
        p = perm.Permission.permission_name
 
        permissions[GK][rg_k] = p
 

	
 
    # defaults for user groups taken from default user permission
 
    # on given user group
 
    for perm in default_user_group_perms:
 
        u_k = perm.UserUserGroupToPerm.user_group.users_group_name
 
        p = perm.Permission.permission_name
 
        permissions[UK][u_k] = p
 

	
 
    #======================================================================
 
    # !! Augment GLOBALS with user permissions if any found !!
 
    #======================================================================
 

	
 
    # USER GROUPS comes first
 
    # user group global permissions
 
    user_perms_from_users_groups = Session().query(UserGroupToPerm) \
 
        .options(joinedload(UserGroupToPerm.permission)) \
 
        .join((UserGroupMember, UserGroupToPerm.users_group_id ==
 
               UserGroupMember.users_group_id)) \
 
        .filter(UserGroupMember.user_id == user_id) \
 
        .join((UserGroup, UserGroupMember.users_group_id ==
 
               UserGroup.users_group_id)) \
 
        .filter(UserGroup.users_group_active == True) \
 
        .order_by(UserGroupToPerm.users_group_id) \
 
        .all()
 
    # need to group here by groups since user can be in more than
 
    # one group
 
    _grouped = [[x, list(y)] for x, y in
 
                itertools.groupby(user_perms_from_users_groups,
 
                                  lambda x:x.users_group)]
 
    for gr, perms in _grouped:
 
        for perm in perms:
 
            permissions[GLOBAL].add(perm.permission.permission_name)
 

	
 
    # user specific global permissions
 
    user_perms = Session().query(UserToPerm) \
 
            .options(joinedload(UserToPerm.permission)) \
 
            .filter(UserToPerm.user_id == user_id).all()
 

	
 
    for perm in user_perms:
 
        permissions[GLOBAL].add(perm.permission.permission_name)
 

	
 
    # for each kind of global permissions, only keep the one with heighest weight
 
    kind_max_perm = {}
 
    for perm in sorted(permissions[GLOBAL], key=lambda n: PERM_WEIGHTS[n]):
 
        kind = perm.rsplit('.', 1)[0]
 
        kind_max_perm[kind] = perm
 
    permissions[GLOBAL] = set(kind_max_perm.values())
 
    ## END GLOBAL PERMISSIONS
 

	
 
    #======================================================================
 
    # !! PERMISSIONS FOR REPOSITORIES !!
 
    #======================================================================
 
    #======================================================================
 
    # check if user is part of user groups for this repository and
 
    # fill in his permission from it.
 
    #======================================================================
 

	
 
    # user group for repositories permissions
 
    user_repo_perms_from_users_groups = \
 
     Session().query(UserGroupRepoToPerm, Permission, Repository,) \
 
        .join((Repository, UserGroupRepoToPerm.repository_id ==
 
               Repository.repo_id)) \
 
        .join((Permission, UserGroupRepoToPerm.permission_id ==
 
               Permission.permission_id)) \
 
        .join((UserGroup, UserGroupRepoToPerm.users_group_id ==
 
               UserGroup.users_group_id)) \
 
        .filter(UserGroup.users_group_active == True) \
 
        .join((UserGroupMember, UserGroupRepoToPerm.users_group_id ==
 
               UserGroupMember.users_group_id)) \
 
        .filter(UserGroupMember.user_id == user_id) \
 
        .all()
 

	
 
    for perm in user_repo_perms_from_users_groups:
 
        bump_permission(RK,
 
            perm.UserGroupRepoToPerm.repository.repo_name,
 
            perm.Permission.permission_name)
 

	
 
    # user permissions for repositories
 
    user_repo_perms = Permission.get_default_perms(user_id)
 
    for perm in user_repo_perms:
 
        bump_permission(RK,
 
            perm.UserRepoToPerm.repository.repo_name,
 
            perm.Permission.permission_name)
 

	
 
    #======================================================================
 
    # !! PERMISSIONS FOR REPOSITORY GROUPS !!
 
    #======================================================================
 
    #======================================================================
 
    # check if user is part of user groups for this repository groups and
 
    # fill in his permission from it.
 
    #======================================================================
 
    # user group for repo groups permissions
 
    user_repo_group_perms_from_users_groups = \
 
     Session().query(UserGroupRepoGroupToPerm, Permission, RepoGroup) \
 
     .join((RepoGroup, UserGroupRepoGroupToPerm.group_id == RepoGroup.group_id)) \
 
     .join((Permission, UserGroupRepoGroupToPerm.permission_id
 
            == Permission.permission_id)) \
 
     .join((UserGroup, UserGroupRepoGroupToPerm.users_group_id ==
 
            UserGroup.users_group_id)) \
 
     .filter(UserGroup.users_group_active == True) \
 
     .join((UserGroupMember, UserGroupRepoGroupToPerm.users_group_id
 
            == UserGroupMember.users_group_id)) \
 
     .filter(UserGroupMember.user_id == user_id) \
 
     .all()
 

	
 
    for perm in user_repo_group_perms_from_users_groups:
 
        bump_permission(GK,
 
            perm.UserGroupRepoGroupToPerm.group.group_name,
 
            perm.Permission.permission_name)
 

	
 
    # user explicit permissions for repository groups
 
    user_repo_groups_perms = Permission.get_default_group_perms(user_id)
 
    for perm in user_repo_groups_perms:
 
        bump_permission(GK,
 
            perm.UserRepoGroupToPerm.group.group_name,
 
            perm.Permission.permission_name)
 

	
 
    #======================================================================
 
    # !! PERMISSIONS FOR USER GROUPS !!
 
    #======================================================================
 
    # user group for user group permissions
 
    user_group_user_groups_perms = \
 
     Session().query(UserGroupUserGroupToPerm, Permission, UserGroup) \
 
     .join((UserGroup, UserGroupUserGroupToPerm.target_user_group_id
 
            == UserGroup.users_group_id)) \
 
     .join((Permission, UserGroupUserGroupToPerm.permission_id
 
            == Permission.permission_id)) \
 
     .join((UserGroupMember, UserGroupUserGroupToPerm.user_group_id
 
            == UserGroupMember.users_group_id)) \
 
     .filter(UserGroupMember.user_id == user_id) \
 
     .join((UserGroup, UserGroupMember.users_group_id ==
 
            UserGroup.users_group_id), aliased=True, from_joinpoint=True) \
 
     .filter(UserGroup.users_group_active == True) \
 
     .all()
 

	
 
    for perm in user_group_user_groups_perms:
 
        bump_permission(UK,
 
            perm.UserGroupUserGroupToPerm.target_user_group.users_group_name,
 
            perm.Permission.permission_name)
 

	
 
    # user explicit permission for user groups
 
    user_user_groups_perms = Permission.get_default_user_group_perms(user_id)
 
    for perm in user_user_groups_perms:
 
        bump_permission(UK,
 
            perm.UserUserGroupToPerm.user_group.users_group_name,
 
            perm.Permission.permission_name)
 

	
 
    return permissions
 

	
 

	
 
def allowed_api_access(controller_name, whitelist=None, api_key=None):
 
    """
 
    Check if given controller_name is in whitelist API access
 
    """
 
    if not whitelist:
 
        from kallithea import CONFIG
 
        whitelist = aslist(CONFIG.get('api_access_controllers_whitelist'),
 
                           sep=',')
 
        log.debug('whitelist of API access is: %s', whitelist)
 
    api_access_valid = controller_name in whitelist
 
    if api_access_valid:
 
        log.debug('controller:%s is in API whitelist', controller_name)
 
    else:
 
        msg = 'controller: %s is *NOT* in API whitelist' % (controller_name)
 
        if api_key:
 
            # if we use API key and don't have access it's a warning
 
            log.warning(msg)
 
        else:
 
            log.debug(msg)
 
    return api_access_valid
 

	
 

	
 
class AuthUser(object):
 
    """
 
    Represents a Kallithea user, including various authentication and
 
    authorization information. Typically used to store the current user,
 
    but is also used as a generic user information data structure in
 
    parts of the code, e.g. user management.
 

	
 
    Constructed from a database `User` object, a user ID or cookie dict,
 
    it looks up the user (if needed) and copies all attributes to itself,
 
    adding various non-persistent data. If lookup fails but anonymous
 
    access to Kallithea is enabled, the default user is loaded instead.
 

	
 
    `AuthUser` does not by itself authenticate users and the constructor
 
    sets the `is_authenticated` field to False. It's up to other parts
 
    of the code to check e.g. if a supplied password is correct, and if
 
    so, set `is_authenticated` to True.
 

	
 
    However, `AuthUser` does refuse to load a user that is not `active`.
 

	
 
    Note that Kallithea distinguishes between the default user (an actual
 
    user in the database with username "default") and "no user" (no actual
 
    User object, AuthUser filled with blank values and username "None").
 

	
 
    If the default user is active, that will always be used instead of
 
    "no user". On the other hand, if the default user is disabled (and
 
    there is no login information), we instead get "no user"; this should
 
    only happen on the login page (as all other requests are redirected).
 

	
 
    `is_default_user` specifically checks if the AuthUser is the user named
 
    "default". Use `is_anonymous` to check for both "default" and "no user".
 
    """
 

	
 
    def __init__(self, user_id=None, dbuser=None, authenticating_api_key=None,
 
            is_external_auth=False):
 

	
 
        self.is_authenticated = False
 
        self.is_external_auth = is_external_auth
 
        self.authenticating_api_key = authenticating_api_key
 

	
 
        # These attributes will be overridden by fill_data, below, unless the
 
        # requested user cannot be found and the default anonymous user is
 
        # not enabled.
 
        self.user_id = None
 
        self.username = None
 
        self.api_key = None
 
        self.name = ''
 
        self.lastname = ''
 
        self.email = ''
 
        self.admin = False
 

	
 
        # Look up database user, if necessary.
 
        if user_id is not None:
 
            log.debug('Auth User lookup by USER ID %s', user_id)
 
            dbuser = UserModel().get(user_id)
 
        else:
 
            # Note: dbuser is allowed to be None.
 
            log.debug('Auth User lookup by database user %s', dbuser)
 

	
 
        is_user_loaded = self._fill_data(dbuser)
 

	
 
        # If user cannot be found, try falling back to anonymous.
 
        if is_user_loaded:
 
            assert dbuser is not None
 
            self.is_default_user = dbuser.is_default_user
 
        else:
 
            default_user = User.get_default_user(cache=True)
 
            is_user_loaded = self._fill_data(default_user)
 
            self.is_default_user = is_user_loaded
 

	
 
        self.is_anonymous = not is_user_loaded or self.is_default_user
 

	
 
        if not self.username:
 
            self.username = 'None'
 

	
 
        log.debug('Auth User is now %s', self)
 

	
 
    def _fill_data(self, dbuser):
 
        """
 
        Copies database fields from a `db.User` to this `AuthUser`. Does
 
        not copy `api_keys` and `permissions` attributes.
 

	
 
        Checks that `dbuser` is `active` (and not None) before copying;
 
        returns True on success.
 
        """
 
        if dbuser is not None and dbuser.active:
 
            log.debug('filling %s data', dbuser)
 
            for k, v in dbuser.get_dict().iteritems():
 
                assert k not in ['api_keys', 'permissions']
 
                setattr(self, k, v)
 
            return True
 
        return False
 

	
 
    @LazyProperty
 
    def permissions(self):
 
        return self.__get_perms(user=self, cache=False)
 

	
 
    def has_repository_permission_level(self, repo_name, level, purpose=None):
 
        required_perms = {
 
            'read': ['repository.read', 'repository.write', 'repository.admin'],
 
            'write': ['repository.write', 'repository.admin'],
 
            'admin': ['repository.admin'],
 
        }[level]
 
        actual_perm = self.permissions['repositories'].get(repo_name)
 
        ok = actual_perm in required_perms
 
        log.debug('Checking if user %r can %r repo %r (%s): %s (has %r)',
 
            self.username, level, repo_name, purpose, ok, actual_perm)
 
        return ok
 

	
 
    def has_repository_group_permission_level(self, repo_group_name, level, purpose=None):
 
        required_perms = {
 
            'read': ['group.read', 'group.write', 'group.admin'],
 
            'write': ['group.write', 'group.admin'],
 
            'admin': ['group.admin'],
 
        }[level]
 
        actual_perm = self.permissions['repositories_groups'].get(repo_group_name)
 
        ok = actual_perm in required_perms
 
        log.debug('Checking if user %r can %r repo group %r (%s): %s (has %r)',
 
            self.username, level, repo_group_name, purpose, ok, actual_perm)
 
        return ok
 

	
 
    def has_user_group_permission_level(self, user_group_name, level, purpose=None):
 
        required_perms = {
 
            'read': ['usergroup.read', 'usergroup.write', 'usergroup.admin'],
 
            'write': ['usergroup.write', 'usergroup.admin'],
 
            'admin': ['usergroup.admin'],
 
        }[level]
 
        actual_perm = self.permissions['user_groups'].get(user_group_name)
 
        ok = actual_perm in required_perms
 
        log.debug('Checking if user %r can %r user group %r (%s): %s (has %r)',
 
            self.username, level, user_group_name, purpose, ok, actual_perm)
 
        return ok
 

	
 
    @property
 
    def api_keys(self):
 
        return self._get_api_keys()
 

	
 
    def __get_perms(self, user, cache=False):
 
        """
 
        Fills user permission attribute with permissions taken from database
 
        works for permissions given for repositories, and for permissions that
 
        are granted to groups
 

	
 
        :param user: `AuthUser` instance
 
        """
 
        user_id = user.user_id
 
        user_is_admin = user.is_admin
 

	
 
        log.debug('Getting PERMISSION tree')
 
        compute = conditional_cache('short_term', 'cache_desc',
 
                                    condition=cache, func=_cached_perms_data)
 
        return compute(user_id, user_is_admin)
 

	
 
    def _get_api_keys(self):
 
        api_keys = [self.api_key]
 
        for api_key in UserApiKeys.query() \
 
                .filter_by(user_id=self.user_id, is_expired=False):
 
            api_keys.append(api_key.api_key)
 

	
 
        return api_keys
 

	
 
    @property
 
    def is_admin(self):
 
        return self.admin
 

	
 
    @property
 
    def repositories_admin(self):
 
        """
 
        Returns list of repositories you're an admin of
 
        """
 
        return [x[0] for x in self.permissions['repositories'].iteritems()
 
                if x[1] == 'repository.admin']
 

	
 
    @property
 
    def repository_groups_admin(self):
 
        """
 
        Returns list of repository groups you're an admin of
 
        """
 
        return [x[0] for x in self.permissions['repositories_groups'].iteritems()
 
                if x[1] == 'group.admin']
 

	
 
    @property
 
    def user_groups_admin(self):
 
        """
 
        Returns list of user groups you're an admin of
 
        """
 
        return [x[0] for x in self.permissions['user_groups'].iteritems()
 
                if x[1] == 'usergroup.admin']
 

	
 
    @staticmethod
 
    def check_ip_allowed(user, ip_addr):
 
        """
 
        Check if the given IP address (a `str`) is allowed for the given
 
        user (an `AuthUser` or `db.User`).
 
        """
 
        allowed_ips = AuthUser.get_allowed_ips(user.user_id, cache=True)
 
        if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):
 
            log.debug('IP:%s is in range of %s', ip_addr, allowed_ips)
 
            return True
 
        else:
 
            log.info('Access for IP:%s forbidden, '
 
                     'not in %s' % (ip_addr, allowed_ips))
 
            return False
 

	
 
    def __repr__(self):
 
        return "<AuthUser('id:%s[%s] auth:%s')>" \
 
            % (self.user_id, self.username, (self.is_authenticated or self.is_default_user))
 

	
 
    def to_cookie(self):
 
        """ Serializes this login session to a cookie `dict`. """
 
        return {
 
            'user_id': self.user_id,
 
            'is_external_auth': self.is_external_auth,
 
        }
 

	
 
    @staticmethod
 
    def from_cookie(cookie):
 
        """
 
        Deserializes an `AuthUser` from a cookie `dict`.
 
        """
 

	
 
        au = AuthUser(
 
            user_id=cookie.get('user_id'),
 
            is_external_auth=cookie.get('is_external_auth', False),
 
        )
 
        au.is_authenticated = True
 
        return au
 

	
 
    @classmethod
 
    def get_allowed_ips(cls, user_id, cache=False):
 
        _set = set()
 

	
 
        default_ips = UserIpMap.query().filter(UserIpMap.user_id ==
 
                                        User.get_default_user(cache=True).user_id)
 
        if cache:
 
            default_ips = default_ips.options(FromCache("sql_cache_short",
 
                                              "get_user_ips_default"))
 
        for ip in default_ips:
 
            try:
 
                _set.add(ip.ip_addr)
 
            except ObjectDeletedError:
 
                # since we use heavy caching sometimes it happens that we get
 
                # deleted objects here, we just skip them
 
                pass
 

	
 
        user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)
 
        if cache:
 
            user_ips = user_ips.options(FromCache("sql_cache_short",
 
                                                  "get_user_ips_%s" % user_id))
 
        for ip in user_ips:
 
            try:
 
                _set.add(ip.ip_addr)
 
            except ObjectDeletedError:
 
                # since we use heavy caching sometimes it happens that we get
 
                # deleted objects here, we just skip them
 
                pass
 
        return _set or set(['0.0.0.0/0', '::/0'])
 

	
 

	
 
def set_available_permissions(config):
 
    """
 
    This function will propagate globals with all available defined
 
    permission given in db. We don't want to check each time from db for new
 
    permissions since adding a new permission also requires application restart
 
    ie. to decorate new views with the newly created permission
 

	
 
    :param config: current config instance
 

	
 
    """
 
    log.info('getting information about all available permissions')
 
    try:
 
        all_perms = Session().query(Permission).all()
 
        config['available_permissions'] = [x.permission_name for x in all_perms]
 
    finally:
 
        Session.remove()
 

	
 

	
 
#==============================================================================
 
# CHECK DECORATORS
 
#==============================================================================
 

	
 
def _redirect_to_login(message=None):
 
    """Return an exception that must be raised. It will redirect to the login
 
    page which will redirect back to the current URL after authentication.
 
    The optional message will be shown in a flash message."""
 
    from kallithea.lib import helpers as h
 
    if message:
 
        h.flash(message, category='warning')
 
    p = request.path_qs
 
    log.debug('Redirecting to login page, origin: %s', p)
 
    return HTTPFound(location=url('login_home', came_from=p))
 

	
 

	
 
# Use as decorator
 
class LoginRequired(object):
 
    """Client must be logged in as a valid User, or we'll redirect to the login
 
    page.
 

	
 
    If the "default" user is enabled and allow_default_user is true, that is
 
    considered valid too.
 

	
 
    Also checks that IP address is allowed, and if using API key instead
 
    of regular cookie authentication, checks that API key access is allowed
 
    (based on `api_access` parameter and the API view whitelist).
 
    Also checks that IP address is allowed.
 
    """
 

	
 
    def __init__(self, api_access=False, allow_default_user=False):
 
        self.api_access = api_access
 
    def __init__(self, allow_default_user=False):
 
        self.allow_default_user = allow_default_user
 

	
 
    def __call__(self, func):
 
        return decorator(self.__wrapper, func)
 

	
 
    def __wrapper(self, func, *fargs, **fkwargs):
 
        controller = fargs[0]
 
        user = request.authuser
 
        loc = "%s:%s" % (controller.__class__.__name__, func.__name__)
 
        log.debug('Checking access for user %s @ %s', user, loc)
 

	
 
        # Check if we used an API key to authenticate.
 
        api_key = user.authenticating_api_key
 
        if api_key is not None:
 
            # Check that controller is enabled for API key usage.
 
            if not self.api_access and not allowed_api_access(loc, api_key=api_key):
 
                # controller does not allow API access
 
                log.warning('API access to %s is not allowed', loc)
 
                raise HTTPForbidden()
 

	
 
        if user.authenticating_api_key is not None:
 
            log.info('user %s authenticated with API key ****%s @ %s',
 
                     user, api_key[-4:], loc)
 
                     user, user.authenticating_api_key[-4:], loc)
 
            return func(*fargs, **fkwargs)
 

	
 
        # CSRF protection: Whenever a request has ambient authority (whether
 
        # through a session cookie or its origin IP address), it must include
 
        # the correct token, unless the HTTP method is GET or HEAD (and thus
 
        # guaranteed to be side effect free. In practice, the only situation
 
        # where we allow side effects without ambient authority is when the
 
        # authority comes from an API key; and that is handled above.
 
        if request.method not in ['GET', 'HEAD']:
 
            token = request.POST.get(secure_form.token_key)
 
            if not token or token != secure_form.authentication_token():
 
                log.error('CSRF check failed')
 
                raise HTTPForbidden()
 

	
 
        # regular user authentication
 
        if user.is_authenticated:
 
            log.info('user %s authenticated with regular auth @ %s', user, loc)
 
            return func(*fargs, **fkwargs)
 
        elif user.is_default_user:
 
            if self.allow_default_user:
 
                log.info('default user @ %s', loc)
 
                return func(*fargs, **fkwargs)
 
            log.info('default user is not accepted here @ %s', loc)
 
        else:
 
            log.warning('user %s NOT authenticated with regular auth @ %s', user, loc)
 
        raise _redirect_to_login()
 

	
 

	
 
# Use as decorator
 
class NotAnonymous(object):
 
    """Ensures that client is not logged in as the "default" user, and
 
    redirects to the login page otherwise. Must be used together with
 
    LoginRequired."""
 

	
 
    def __call__(self, func):
 
        return decorator(self.__wrapper, func)
 

	
 
    def __wrapper(self, func, *fargs, **fkwargs):
 
        cls = fargs[0]
 
        user = request.authuser
 

	
 
        log.debug('Checking that user %s is not anonymous @%s', user.username, cls)
 

	
 
        if user.is_default_user:
 
            raise _redirect_to_login(_('You need to be a registered user to '
 
                                       'perform this action'))
 
        else:
 
            return func(*fargs, **fkwargs)
 

	
 

	
 
class _PermsDecorator(object):
 
    """Base class for controller decorators with multiple permissions"""
 

	
 
    def __init__(self, *required_perms):
 
        self.required_perms = required_perms # usually very short - a list is thus fine
 

	
 
    def __call__(self, func):
 
        return decorator(self.__wrapper, func)
 

	
 
    def __wrapper(self, func, *fargs, **fkwargs):
 
        cls = fargs[0]
 
        user = request.authuser
 
        log.debug('checking %s permissions %s for %s %s',
 
          self.__class__.__name__, self.required_perms, cls, user)
 

	
 
        if self.check_permissions(user):
 
            log.debug('Permission granted for %s %s', cls, user)
 
            return func(*fargs, **fkwargs)
 

	
 
        else:
 
            log.info('Permission denied for %s %s', cls, user)
 
            if user.is_default_user:
 
                raise _redirect_to_login(_('You need to be signed in to view this page'))
 
            else:
 
                raise HTTPForbidden()
 

	
 
    def check_permissions(self, user):
 
        raise NotImplementedError()
 

	
 

	
 
class HasPermissionAnyDecorator(_PermsDecorator):
 
    """
 
    Checks the user has any of the given global permissions.
 
    """
 

	
 
    def check_permissions(self, user):
 
        global_permissions = user.permissions['global'] # usually very short
 
        return any(p in global_permissions for p in self.required_perms)
 

	
 

	
 
class _PermDecorator(_PermsDecorator):
 
    """Base class for controller decorators with a single permission"""
 

	
 
    def __init__(self, required_perm):
 
        _PermsDecorator.__init__(self, [required_perm])
 
        self.required_perm = required_perm
 

	
 

	
 
class HasRepoPermissionLevelDecorator(_PermDecorator):
 
    """
 
    Checks the user has at least the specified permission level for the requested repository.
 
    """
 

	
 
    def check_permissions(self, user):
 
        repo_name = get_repo_slug(request)
 
        return user.has_repository_permission_level(repo_name, self.required_perm)
 

	
 

	
 
class HasRepoGroupPermissionLevelDecorator(_PermDecorator):
 
    """
 
    Checks the user has any of given permissions for the requested repository group.
 
    """
 

	
 
    def check_permissions(self, user):
 
        repo_group_name = get_repo_group_slug(request)
 
        return user.has_repository_group_permission_level(repo_group_name, self.required_perm)
 

	
 

	
 
class HasUserGroupPermissionLevelDecorator(_PermDecorator):
 
    """
 
    Checks for access permission for any of given predicates for specific
 
    user group. In order to fulfill the request any of predicates must be meet
 
    """
 

	
 
    def check_permissions(self, user):
 
        user_group_name = get_user_group_slug(request)
 
        return user.has_user_group_permission_level(user_group_name, self.required_perm)
 

	
 

	
 
#==============================================================================
 
# CHECK FUNCTIONS
 
#==============================================================================
 

	
 
class _PermsFunction(object):
 
    """Base function for other check functions with multiple permissions"""
 

	
 
    def __init__(self, *required_perms):
 
        self.required_perms = required_perms # usually very short - a list is thus fine
 

	
 
    def __nonzero__(self):
 
        """ Defend against accidentally forgetting to call the object
 
            and instead evaluating it directly in a boolean context,
 
            which could have security implications.
 
        """
 
        raise AssertionError(self.__class__.__name__ + ' is not a bool and must be called!')
 

	
 
    def __call__(self, *a, **b):
 
        raise NotImplementedError()
 

	
 

	
 
class HasPermissionAny(_PermsFunction):
 

	
 
    def __call__(self, purpose=None):
 
        global_permissions = request.authuser.permissions['global'] # usually very short
 
        ok = any(p in global_permissions for p in self.required_perms)
 

	
 
        log.debug('Check %s for global %s (%s): %s',
 
            request.authuser.username, self.required_perms, purpose, ok)
 
        return ok
 

	
 

	
 
class _PermFunction(_PermsFunction):
 
    """Base function for other check functions with a single permission"""
 

	
 
    def __init__(self, required_perm):
 
        _PermsFunction.__init__(self, [required_perm])
 
        self.required_perm = required_perm
 

	
 

	
 
class HasRepoPermissionLevel(_PermFunction):
 

	
 
    def __call__(self, repo_name, purpose=None):
 
        return request.authuser.has_repository_permission_level(repo_name, self.required_perm, purpose)
 

	
 

	
 
class HasRepoGroupPermissionLevel(_PermFunction):
 

	
 
    def __call__(self, group_name, purpose=None):
 
        return request.authuser.has_repository_group_permission_level(group_name, self.required_perm, purpose)
 

	
 

	
 
class HasUserGroupPermissionLevel(_PermFunction):
 

	
 
    def __call__(self, user_group_name, purpose=None):
 
        return request.authuser.has_user_group_permission_level(user_group_name, self.required_perm, purpose)
 

	
 

	
 
#==============================================================================
 
# SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH
 
#==============================================================================
 

	
 
class HasPermissionAnyMiddleware(object):
kallithea/lib/paster_commands/template.ini.mako
 
@@ -61,396 +61,384 @@ smtp_port =
 
#smtp_use_ssl = false
 
#smtp_use_tls = false
 

	
 
%if http_server != 'uwsgi':
 
<%text>## Entry point for 'gearbox serve'</%text>
 
[server:main]
 
host = ${host}
 
port = ${port}
 

	
 
%if http_server == 'gearbox':
 
<%text>## Gearbox default web server ##</%text>
 
use = egg:gearbox#wsgiref
 
<%text>## nr of worker threads to spawn</%text>
 
threadpool_workers = 1
 
<%text>## max request before thread respawn</%text>
 
threadpool_max_requests = 100
 
<%text>## option to use threads of process</%text>
 
use_threadpool = true
 

	
 
%elif http_server == 'gevent':
 
<%text>## Gearbox gevent web server ##</%text>
 
use = egg:gearbox#gevent
 

	
 
%elif http_server == 'waitress':
 
<%text>## WAITRESS ##</%text>
 
use = egg:waitress#main
 
<%text>## number of worker threads</%text>
 
threads = 1
 
<%text>## MAX BODY SIZE 100GB</%text>
 
max_request_body_size = 107374182400
 
<%text>## use poll instead of select, fixes fd limits, may not work on old</%text>
 
<%text>## windows systems.</%text>
 
#asyncore_use_poll = True
 

	
 
%elif http_server == 'gunicorn':
 
<%text>## GUNICORN ##</%text>
 
use = egg:gunicorn#main
 
<%text>## number of process workers. You must set `instance_id = *` when this option</%text>
 
<%text>## is set to more than one worker</%text>
 
workers = 4
 
<%text>## process name</%text>
 
proc_name = kallithea
 
<%text>## type of worker class, one of sync, eventlet, gevent, tornado</%text>
 
<%text>## recommended for bigger setup is using of of other than sync one</%text>
 
worker_class = sync
 
max_requests = 1000
 
<%text>## amount of time a worker can handle request before it gets killed and</%text>
 
<%text>## restarted</%text>
 
timeout = 3600
 

	
 
%endif
 
%else:
 
<%text>## UWSGI ##</%text>
 
<%text>## run with uwsgi --ini-paste-logged <inifile.ini></%text>
 
[uwsgi]
 
socket = /tmp/uwsgi.sock
 
master = true
 
http = ${host}:${port}
 

	
 
<%text>## set as daemon and redirect all output to file</%text>
 
#daemonize = ./uwsgi_kallithea.log
 

	
 
<%text>## master process PID</%text>
 
pidfile = ./uwsgi_kallithea.pid
 

	
 
<%text>## stats server with workers statistics, use uwsgitop</%text>
 
<%text>## for monitoring, `uwsgitop 127.0.0.1:1717`</%text>
 
stats = 127.0.0.1:1717
 
memory-report = true
 

	
 
<%text>## log 5XX errors</%text>
 
log-5xx = true
 

	
 
<%text>## Set the socket listen queue size.</%text>
 
listen = 128
 

	
 
<%text>## Gracefully Reload workers after the specified amount of managed requests</%text>
 
<%text>## (avoid memory leaks).</%text>
 
max-requests = 1000
 

	
 
<%text>## enable large buffers</%text>
 
buffer-size = 65535
 

	
 
<%text>## socket and http timeouts ##</%text>
 
http-timeout = 3600
 
socket-timeout = 3600
 

	
 
<%text>## Log requests slower than the specified number of milliseconds.</%text>
 
log-slow = 10
 

	
 
<%text>## Exit if no app can be loaded.</%text>
 
need-app = true
 

	
 
<%text>## Set lazy mode (load apps in workers instead of master).</%text>
 
lazy = true
 

	
 
<%text>## scaling ##</%text>
 
<%text>## set cheaper algorithm to use, if not set default will be used</%text>
 
cheaper-algo = spare
 

	
 
<%text>## minimum number of workers to keep at all times</%text>
 
cheaper = 1
 

	
 
<%text>## number of workers to spawn at startup</%text>
 
cheaper-initial = 1
 

	
 
<%text>## maximum number of workers that can be spawned</%text>
 
workers = 4
 

	
 
<%text>## how many workers should be spawned at a time</%text>
 
cheaper-step = 1
 

	
 
%endif
 
<%text>## middleware for hosting the WSGI application under a URL prefix</%text>
 
#[filter:proxy-prefix]
 
#use = egg:PasteDeploy#prefix
 
#prefix = /<your-prefix>
 

	
 
[app:main]
 
use = egg:kallithea
 
<%text>## enable proxy prefix middleware</%text>
 
#filter-with = proxy-prefix
 

	
 
full_stack = true
 
static_files = true
 

	
 
<%text>## Internationalization (see setup documentation for details)</%text>
 
<%text>## By default, the language requested by the browser is used if available.</%text>
 
#i18n.enabled = false
 
<%text>## Fallback language, empty for English (valid values are the names of subdirectories in kallithea/i18n):</%text>
 
i18n.lang =
 

	
 
cache_dir = %(here)s/data
 
index_dir = %(here)s/data/index
 

	
 
<%text>## uncomment and set this path to use archive download cache</%text>
 
archive_cache_dir = %(here)s/tarballcache
 

	
 
<%text>## change this to unique ID for security</%text>
 
app_instance_uuid = ${uuid()}
 

	
 
<%text>## cut off limit for large diffs (size in bytes)</%text>
 
cut_off_limit = 256000
 

	
 
<%text>## force https in Kallithea, fixes https redirects, assumes it's always https</%text>
 
force_https = false
 

	
 
<%text>## use Strict-Transport-Security headers</%text>
 
use_htsts = false
 

	
 
<%text>## number of commits stats will parse on each iteration</%text>
 
commit_parse_limit = 25
 

	
 
<%text>## Path to Python executable to be used for git hooks.</%text>
 
<%text>## This value will be written inside the git hook scripts as the text</%text>
 
<%text>## after '#!' (shebang). When empty or not defined, the value of</%text>
 
<%text>## 'sys.executable' at the time of installation of the git hooks is</%text>
 
<%text>## used, which is correct in many cases but for example not when using uwsgi.</%text>
 
<%text>## If you change this setting, you should reinstall the Git hooks via</%text>
 
<%text>## Admin > Settings > Remap and Rescan.</%text>
 
# git_hook_interpreter = /srv/kallithea/venv/bin/python2
 
%if git_hook_interpreter:
 
git_hook_interpreter = ${git_hook_interpreter}
 
%endif
 

	
 
<%text>## path to git executable</%text>
 
git_path = git
 

	
 
<%text>## git rev filter option, --all is the default filter, if you need to</%text>
 
<%text>## hide all refs in changelog switch this to --branches --tags</%text>
 
#git_rev_filter = --branches --tags
 

	
 
<%text>## RSS feed options</%text>
 
rss_cut_off_limit = 256000
 
rss_items_per_page = 10
 
rss_include_diff = false
 

	
 
<%text>## options for showing and identifying changesets</%text>
 
show_sha_length = 12
 
show_revision_number = false
 

	
 
<%text>## Canonical URL to use when creating full URLs in UI and texts.</%text>
 
<%text>## Useful when the site is available under different names or protocols.</%text>
 
<%text>## Defaults to what is provided in the WSGI environment.</%text>
 
#canonical_url = https://kallithea.example.com/repos
 

	
 
<%text>## gist URL alias, used to create nicer urls for gist. This should be an</%text>
 
<%text>## url that does rewrites to _admin/gists/<gistid>.</%text>
 
<%text>## example: http://gist.example.com/{gistid}. Empty means use the internal</%text>
 
<%text>## Kallithea url, ie. http[s]://kallithea.example.com/_admin/gists/<gistid></%text>
 
gist_alias_url =
 

	
 
<%text>## white list of API enabled controllers. This allows to add list of</%text>
 
<%text>## controllers to which access will be enabled by api_key. eg: to enable</%text>
 
<%text>## api access to raw_files put `FilesController:raw`, to enable access to patches</%text>
 
<%text>## add `ChangesetController:changeset_patch`. This list should be "," separated</%text>
 
<%text>## Syntax is <ControllerClass>:<function>. Check debug logs for generated names</%text>
 
<%text>## Recommended settings below are commented out:</%text>
 
api_access_controllers_whitelist =
 
#    ChangesetController:changeset_patch,
 
#    ChangesetController:changeset_raw,
 
#    FilesController:raw,
 
#    FilesController:archivefile
 

	
 
<%text>## default encoding used to convert from and to unicode</%text>
 
<%text>## can be also a comma separated list of encoding in case of mixed encodings</%text>
 
default_encoding = utf-8
 

	
 
<%text>## Set Mercurial encoding, similar to setting HGENCODING before launching Kallithea</%text>
 
hgencoding = utf-8
 

	
 
<%text>## issue tracker for Kallithea (leave blank to disable, absent for default)</%text>
 
#bugtracker = https://bitbucket.org/conservancy/kallithea/issues
 

	
 
<%text>## issue tracking mapping for commit messages, comments, PR descriptions, ...</%text>
 
<%text>## Refer to the documentation ("Integration with issue trackers") for more details.</%text>
 

	
 
<%text>## regular expression to match issue references</%text>
 
<%text>## This pattern may/should contain parenthesized groups, that can</%text>
 
<%text>## be referred to in issue_server_link or issue_sub using Python backreferences</%text>
 
<%text>## (e.g. \1, \2, ...). You can also create named groups with '(?P<groupname>)'.</%text>
 
<%text>## To require mandatory whitespace before the issue pattern, use:</%text>
 
<%text>## (?:^|(?<=\s)) before the actual pattern, and for mandatory whitespace</%text>
 
<%text>## behind the issue pattern, use (?:$|(?=\s)) after the actual pattern.</%text>
 

	
 
issue_pat = #(\d+)
 

	
 
<%text>## server url to the issue</%text>
 
<%text>## This pattern may/should contain backreferences to parenthesized groups in issue_pat.</%text>
 
<%text>## A backreference can be \1, \2, ... or \g<groupname> if you specified a named group</%text>
 
<%text>## called 'groupname' in issue_pat.</%text>
 
<%text>## The special token {repo} is replaced with the full repository name</%text>
 
<%text>## including repository groups, while {repo_name} is replaced with just</%text>
 
<%text>## the name of the repository.</%text>
 

	
 
issue_server_link = https://issues.example.com/{repo}/issue/\1
 

	
 
<%text>## substitution pattern to use as the link text</%text>
 
<%text>## If issue_sub is empty, the text matched by issue_pat is retained verbatim</%text>
 
<%text>## for the link text. Otherwise, the link text is that of issue_sub, with any</%text>
 
<%text>## backreferences to groups in issue_pat replaced.</%text>
 

	
 
issue_sub =
 

	
 
<%text>## issue_pat, issue_server_link and issue_sub can have suffixes to specify</%text>
 
<%text>## multiple patterns, to other issues server, wiki or others</%text>
 
<%text>## below an example how to create a wiki pattern</%text>
 
# wiki-some-id -> https://wiki.example.com/some-id
 

	
 
#issue_pat_wiki = wiki-(\S+)
 
#issue_server_link_wiki = https://wiki.example.com/\1
 
#issue_sub_wiki = WIKI-\1
 

	
 
<%text>## alternative return HTTP header for failed authentication. Default HTTP</%text>
 
<%text>## response is 401 HTTPUnauthorized. Currently Mercurial clients have trouble with</%text>
 
<%text>## handling that. Set this variable to 403 to return HTTPForbidden</%text>
 
auth_ret_code =
 

	
 
<%text>## allows to change the repository location in settings page</%text>
 
allow_repo_location_change = True
 

	
 
<%text>## allows to setup custom hooks in settings page</%text>
 
allow_custom_hooks_settings = True
 

	
 
<%text>## extra extensions for indexing, space separated and without the leading '.'.</%text>
 
# index.extensions =
 
#    gemfile
 
#    lock
 

	
 
<%text>## extra filenames for indexing, space separated</%text>
 
# index.filenames =
 
#    .dockerignore
 
#    .editorconfig
 
#    INSTALL
 
#    CHANGELOG
 

	
 
<%text>####################################</%text>
 
<%text>###        CELERY CONFIG        ####</%text>
 
<%text>####################################</%text>
 

	
 
use_celery = false
 

	
 
<%text>## Example: connect to the virtual host 'rabbitmqhost' on localhost as rabbitmq:</%text>
 
broker.url = amqp://rabbitmq:qewqew@localhost:5672/rabbitmqhost
 

	
 
celery.imports = kallithea.lib.celerylib.tasks
 
celery.accept.content = pickle
 
celery.result.backend = amqp
 
celery.result.dburi = amqp://
 
celery.result.serialier = json
 

	
 
#celery.send.task.error.emails = true
 
#celery.amqp.task.result.expires = 18000
 

	
 
celeryd.concurrency = 2
 
celeryd.max.tasks.per.child = 1
 

	
 
<%text>## If true, tasks will never be sent to the queue, but executed locally instead.</%text>
 
celery.always.eager = false
 

	
 
<%text>####################################</%text>
 
<%text>###         BEAKER CACHE        ####</%text>
 
<%text>####################################</%text>
 

	
 
beaker.cache.data_dir = %(here)s/data/cache/data
 
beaker.cache.lock_dir = %(here)s/data/cache/lock
 

	
 
beaker.cache.regions = short_term,long_term,sql_cache_short
 

	
 
beaker.cache.short_term.type = memory
 
beaker.cache.short_term.expire = 60
 
beaker.cache.short_term.key_length = 256
 

	
 
beaker.cache.long_term.type = memory
 
beaker.cache.long_term.expire = 36000
 
beaker.cache.long_term.key_length = 256
 

	
 
beaker.cache.sql_cache_short.type = memory
 
beaker.cache.sql_cache_short.expire = 10
 
beaker.cache.sql_cache_short.key_length = 256
 

	
 
<%text>####################################</%text>
 
<%text>###       BEAKER SESSION        ####</%text>
 
<%text>####################################</%text>
 

	
 
<%text>## Name of session cookie. Should be unique for a given host and path, even when running</%text>
 
<%text>## on different ports. Otherwise, cookie sessions will be shared and messed up.</%text>
 
beaker.session.key = kallithea
 
<%text>## Sessions should always only be accessible by the browser, not directly by JavaScript.</%text>
 
beaker.session.httponly = true
 
<%text>## Session lifetime. 2592000 seconds is 30 days.</%text>
 
beaker.session.timeout = 2592000
 

	
 
<%text>## Server secret used with HMAC to ensure integrity of cookies.</%text>
 
beaker.session.secret = ${uuid()}
 
<%text>## Further, encrypt the data with AES.</%text>
 
#beaker.session.encrypt_key = <key_for_encryption>
 
#beaker.session.validate_key = <validation_key>
 

	
 
<%text>## Type of storage used for the session, current types are</%text>
 
<%text>## dbm, file, memcached, database, and memory.</%text>
 

	
 
<%text>## File system storage of session data. (default)</%text>
 
#beaker.session.type = file
 

	
 
<%text>## Cookie only, store all session data inside the cookie. Requires secure secrets.</%text>
 
#beaker.session.type = cookie
 

	
 
<%text>## Database storage of session data.</%text>
 
#beaker.session.type = ext:database
 
#beaker.session.sa.url = postgresql://postgres:qwe@localhost/kallithea
 
#beaker.session.table_name = db_session
 

	
 
%if error_aggregation_service == 'appenlight':
 
<%text>############################</%text>
 
<%text>## ERROR HANDLING SYSTEMS ##</%text>
 
<%text>############################</%text>
 

	
 
# Propagate email settings to ErrorReporter of TurboGears2
 
# You do not normally need to change these lines
 
get trace_errors.error_email = email_to
 
get trace_errors.smtp_server = smtp_server
 
get trace_errors.smtp_port = smtp_port
 
get trace_errors.from_address = error_email_from
 

	
 
<%text>####################</%text>
 
<%text>### [appenlight] ###</%text>
 
<%text>####################</%text>
 

	
 
<%text>## AppEnlight is tailored to work with Kallithea, see</%text>
 
<%text>## http://appenlight.com for details how to obtain an account</%text>
 
<%text>## you must install python package `appenlight_client` to make it work</%text>
 

	
 
<%text>## appenlight enabled</%text>
 
appenlight = false
 

	
 
appenlight.server_url = https://api.appenlight.com
 
appenlight.api_key = YOUR_API_KEY
 

	
 
<%text>## TWEAK AMOUNT OF INFO SENT HERE</%text>
 

	
 
<%text>## enables 404 error logging (default False)</%text>
 
appenlight.report_404 = false
 

	
 
<%text>## time in seconds after request is considered being slow (default 1)</%text>
 
appenlight.slow_request_time = 1
 

	
 
<%text>## record slow requests in application</%text>
 
<%text>## (needs to be enabled for slow datastore recording and time tracking)</%text>
 
appenlight.slow_requests = true
 

	
 
<%text>## enable hooking to application loggers</%text>
 
#appenlight.logging = true
 

	
 
<%text>## minimum log level for log capture</%text>
 
#appenlight.logging.level = WARNING
kallithea/tests/functional/test_login.py
 
@@ -252,269 +252,242 @@ class TestLoginController(TestController
 
                                             'firstname': 'test',
 
                                             'lastname': 'test'})
 
        with test_context(self.app):
 
            msg = validators.UniqSystemEmail()()._messages['email_taken']
 
        response.mustcontain(msg)
 

	
 
    def test_register_err_wrong_data(self):
 
        response = self.app.post(url(controller='login', action='register'),
 
                                            {'username': 'xs',
 
                                             'password': 'test',
 
                                             'password_confirmation': 'test',
 
                                             'email': 'goodmailm',
 
                                             'firstname': 'test',
 
                                             'lastname': 'test'})
 
        assert response.status == '200 OK'
 
        response.mustcontain('An email address must contain a single @')
 
        response.mustcontain('Enter a value 6 characters long or more')
 

	
 
    def test_register_err_username(self):
 
        response = self.app.post(url(controller='login', action='register'),
 
                                            {'username': 'error user',
 
                                             'password': 'test12',
 
                                             'password_confirmation': 'test12',
 
                                             'email': 'goodmailm',
 
                                             'firstname': 'test',
 
                                             'lastname': 'test'})
 

	
 
        response.mustcontain('An email address must contain a single @')
 
        response.mustcontain('Username may only contain '
 
                'alphanumeric characters underscores, '
 
                'periods or dashes and must begin with an '
 
                'alphanumeric character')
 

	
 
    def test_register_err_case_sensitive(self):
 
        usr = TEST_USER_ADMIN_LOGIN.title()
 
        response = self.app.post(url(controller='login', action='register'),
 
                                            {'username': usr,
 
                                             'password': 'test12',
 
                                             'password_confirmation': 'test12',
 
                                             'email': 'goodmailm',
 
                                             'firstname': 'test',
 
                                             'lastname': 'test'})
 

	
 
        response.mustcontain('An email address must contain a single @')
 
        with test_context(self.app):
 
            msg = validators.ValidUsername()._messages['username_exists']
 
        msg = h.html_escape(msg % {'username': usr})
 
        response.mustcontain(msg)
 

	
 
    def test_register_special_chars(self):
 
        response = self.app.post(url(controller='login', action='register'),
 
                                        {'username': 'xxxaxn',
 
                                         'password': 'ąćźżąśśśś',
 
                                         'password_confirmation': 'ąćźżąśśśś',
 
                                         'email': 'goodmailm@test.plx',
 
                                         'firstname': 'test',
 
                                         'lastname': 'test'})
 

	
 
        with test_context(self.app):
 
            msg = validators.ValidPassword()._messages['invalid_password']
 
        response.mustcontain(msg)
 

	
 
    def test_register_password_mismatch(self):
 
        response = self.app.post(url(controller='login', action='register'),
 
                                            {'username': 'xs',
 
                                             'password': '123qwe',
 
                                             'password_confirmation': 'qwe123',
 
                                             'email': 'goodmailm@test.plxa',
 
                                             'firstname': 'test',
 
                                             'lastname': 'test'})
 
        with test_context(self.app):
 
            msg = validators.ValidPasswordsMatch('password', 'password_confirmation')._messages['password_mismatch']
 
        response.mustcontain(msg)
 

	
 
    def test_register_ok(self):
 
        username = 'test_regular4'
 
        password = 'qweqwe'
 
        email = 'user4@example.com'
 
        name = 'testname'
 
        lastname = 'testlastname'
 

	
 
        response = self.app.post(url(controller='login', action='register'),
 
                                            {'username': username,
 
                                             'password': password,
 
                                             'password_confirmation': password,
 
                                             'email': email,
 
                                             'firstname': name,
 
                                             'lastname': lastname,
 
                                             'admin': True})  # This should be overridden
 
        assert response.status == '302 Found'
 
        self.checkSessionFlash(response, 'You have successfully registered with Kallithea')
 

	
 
        ret = Session().query(User).filter(User.username == 'test_regular4').one()
 
        assert ret.username == username
 
        assert check_password(password, ret.password) == True
 
        assert ret.email == email
 
        assert ret.name == name
 
        assert ret.lastname == lastname
 
        assert ret.api_key is not None
 
        assert ret.admin == False
 

	
 
    #==========================================================================
 
    # PASSWORD RESET
 
    #==========================================================================
 

	
 
    def test_forgot_password_wrong_mail(self):
 
        bad_email = 'username%wrongmail.org'
 
        response = self.app.post(
 
                        url(controller='login', action='password_reset'),
 
                            {'email': bad_email, }
 
        )
 

	
 
        response.mustcontain('An email address must contain a single @')
 

	
 
    def test_forgot_password(self):
 
        response = self.app.get(url(controller='login',
 
                                    action='password_reset'))
 
        assert response.status == '200 OK'
 

	
 
        username = 'test_password_reset_1'
 
        password = 'qweqwe'
 
        email = 'username@example.com'
 
        name = u'passwd'
 
        lastname = u'reset'
 
        timestamp = int(time.time())
 

	
 
        new = User()
 
        new.username = username
 
        new.password = password
 
        new.email = email
 
        new.name = name
 
        new.lastname = lastname
 
        new.api_key = generate_api_key()
 
        Session().add(new)
 
        Session().commit()
 

	
 
        response = self.app.post(url(controller='login',
 
                                     action='password_reset'),
 
                                 {'email': email, })
 

	
 
        self.checkSessionFlash(response, 'A password reset confirmation code has been sent')
 

	
 
        response = response.follow()
 

	
 
        # BAD TOKEN
 

	
 
        token = "bad"
 

	
 
        response = self.app.post(url(controller='login',
 
                                     action='password_reset_confirmation'),
 
                                 {'email': email,
 
                                  'timestamp': timestamp,
 
                                  'password': "p@ssw0rd",
 
                                  'password_confirm': "p@ssw0rd",
 
                                  'token': token,
 
                                 })
 
        assert response.status == '200 OK'
 
        response.mustcontain('Invalid password reset token')
 

	
 
        # GOOD TOKEN
 

	
 
        # TODO: The token should ideally be taken from the mail sent
 
        # above, instead of being recalculated.
 

	
 
        token = UserModel().get_reset_password_token(
 
            User.get_by_username(username), timestamp, self.authentication_token())
 

	
 
        response = self.app.get(url(controller='login',
 
                                    action='password_reset_confirmation',
 
                                    email=email,
 
                                    timestamp=timestamp,
 
                                    token=token))
 
        assert response.status == '200 OK'
 
        response.mustcontain("You are about to set a new password for the email address %s" % email)
 

	
 
        response = self.app.post(url(controller='login',
 
                                     action='password_reset_confirmation'),
 
                                 {'email': email,
 
                                  'timestamp': timestamp,
 
                                  'password': "p@ssw0rd",
 
                                  'password_confirm': "p@ssw0rd",
 
                                  'token': token,
 
                                 })
 
        assert response.status == '302 Found'
 
        self.checkSessionFlash(response, 'Successfully updated password')
 

	
 
        response = response.follow()
 

	
 
    #==========================================================================
 
    # API
 
    #==========================================================================
 

	
 
    def _get_api_whitelist(self, values=None):
 
        config = {'api_access_controllers_whitelist': values or []}
 
        return config
 

	
 
    def _api_key_test(self, api_key, status):
 
        """Verifies HTTP status code for accessing an auth-requiring page,
 
        using the given api_key URL parameter as well as using the API key
 
        with bearer authentication.
 

	
 
        If api_key is None, no api_key is passed at all. If api_key is True,
 
        a real, working API key is used.
 
        """
 
        with fixture.anon_access(False):
 
            if api_key is None:
 
                params = {}
 
                headers = {}
 
            else:
 
                if api_key is True:
 
                    api_key = User.get_first_admin().api_key
 
                params = {'api_key': api_key}
 
                headers = {'Authorization': 'Bearer ' + str(api_key)}
 

	
 
            self.app.get(url(controller='changeset', action='changeset_raw',
 
                             repo_name=HG_REPO, revision='tip', **params),
 
                         status=status)
 

	
 
            self.app.get(url(controller='changeset', action='changeset_raw',
 
                             repo_name=HG_REPO, revision='tip'),
 
                         headers=headers,
 
                         status=status)
 

	
 
    @parametrize('test_name,api_key,code', [
 
        ('none', None, 302),
 
        ('empty_string', '', 403),
 
        ('fake_number', '123456', 403),
 
        ('proper_api_key', True, 403)
 
    ])
 
    def test_access_not_whitelisted_page_via_api_key(self, test_name, api_key, code):
 
        whitelist = self._get_api_whitelist([])
 
        with mock.patch('kallithea.CONFIG', whitelist):
 
            assert [] == whitelist['api_access_controllers_whitelist']
 
            self._api_key_test(api_key, code)
 

	
 
    @parametrize('test_name,api_key,code', [
 
        ('none', None, 302),
 
        ('empty_string', '', 403),
 
        ('fake_number', '123456', 403),
 
        ('fake_not_alnum', 'a-z', 403),
 
        ('fake_api_key', '0123456789abcdef0123456789ABCDEF01234567', 403),
 
        ('proper_api_key', True, 200)
 
    ])
 
    def test_access_whitelisted_page_via_api_key(self, test_name, api_key, code):
 
        whitelist = self._get_api_whitelist(['ChangesetController:changeset_raw'])
 
        with mock.patch('kallithea.CONFIG', whitelist):
 
            assert ['ChangesetController:changeset_raw'] == whitelist['api_access_controllers_whitelist']
 
    def test_access_page_via_api_key(self, test_name, api_key, code):
 
            self._api_key_test(api_key, code)
 

	
 
    def test_access_page_via_extra_api_key(self):
 
        whitelist = self._get_api_whitelist(['ChangesetController:changeset_raw'])
 
        with mock.patch('kallithea.CONFIG', whitelist):
 
            assert ['ChangesetController:changeset_raw'] == whitelist['api_access_controllers_whitelist']
 

	
 
            new_api_key = ApiKeyModel().create(TEST_USER_ADMIN_LOGIN, u'test')
 
            Session().commit()
 
            self._api_key_test(new_api_key.api_key, status=200)
 

	
 
    def test_access_page_via_expired_api_key(self):
 
        whitelist = self._get_api_whitelist(['ChangesetController:changeset_raw'])
 
        with mock.patch('kallithea.CONFIG', whitelist):
 
            assert ['ChangesetController:changeset_raw'] == whitelist['api_access_controllers_whitelist']
 

	
 
            new_api_key = ApiKeyModel().create(TEST_USER_ADMIN_LOGIN, u'test')
 
            Session().commit()
 
            # patch the API key and make it expired
 
            new_api_key.expires = 0
 
            Session().commit()
 
            self._api_key_test(new_api_key.api_key, status=403)
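Review bot: Every positive case in the retained tests authenticates as an admin (`User.get_first_admin().api_key` inside `_api_key_test`, and `ApiKeyModel().create(TEST_USER_ADMIN_LOGIN, u'test')` in `test_access_page_via_extra_api_key` and `test_access_page_via_expired_api_key`), so with the whitelist gone there is no test showing that the permission layer still applies to a key-authenticated request — nothing asserts that a non-admin user's key is refused on a page that user's password login would also be refused on. A parametrized case that creates the key for a regular login and expects the same status as the password path would pin that down. The expired-key test also depends on the second `Session().commit()` after `new_api_key.expires = 0` making the expiry visible to the request; I can only infer that from the visible lines, so a comment such as `# commit so the request's own session sees the expiry` would help the next reader. The enclosing TestLoginController class begins before this hunk.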