id : <id_for_response>

    api_key : "<api_key>"

    method :  "grant_user_permission"

    args:     {

                "repoid" : "<reponame or repo_id>"

                "userid" : "<username or user_id>"

                "perm" :       "(repository.(none|read|write|admin))",

              }

OUTPUT::

    id : <id_given_in_input>

    result: {

              "msg" : "Granted perm: `<perm>` for user: `<username>` in repo: `<reponame>`",

              "success": true

            }

    error:  null

revoke_user_permission

^^^^^^^^^^^^^^^^^^^^^^

Revoke permission for a user on the given repository.

This command can only be executed using the api_key of a user with admin rights.

INPUT::

    id : <id_for_response>

    api_key : "<api_key>"

    method  : "revoke_user_permission"

    args:     {

                "repoid" : "<reponame or repo_id>"

                "userid" : "<username or user_id>"

              }

OUTPUT::

    id : <id_given_in_input>

    result: {

              "msg" : "Revoked perm for user: `<username>` in repo: `<reponame>`",

              "success": true

            }

    error:  null

grant_user_group_permission

^^^^^^^^^^^^^^^^^^^^^^^^^^^

Grant permission for a user group on the given repository, or update the

existing one if found.

This command can only be executed using the api_key of a user with admin rights.

INPUT::

    id : <id_for_response>

    api_key : "<api_key>"

    method :  "grant_user_group_permission"

    args:     {

                "repoid" : "<reponame or repo_id>"

                "usersgroupid" : "<user group id or name>"

                "perm" : "(repository.(none|read|write|admin))",

              }

OUTPUT::

    id : <id_given_in_input>

    result: {

              "msg" : "Granted perm: `<perm>` for group: `<usersgroupname>` in repo: `<reponame>`",

              "success": true

            }

    error:  null

revoke_user_group_permission

^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Revoke permission for a user group on the given repository.

This command can only be executed using the api_key of a user with admin rights.

INPUT::

    id : <id_for_response>

    api_key : "<api_key>"

    method  : "revoke_user_group_permission"

    args:     {

                "repoid" : "<reponame or repo_id>"

                "usersgroupid" : "<user group id or name>"

              }

OUTPUT::

    id : <id_given_in_input>

    result: {

              "msg" : "Revoked perm for group: `<usersgroupname>` in repo: `<reponame>`",

              "success": true

            }

    error:  null

get_changeset

^^^^^^^^^^^^^

Get information and review status for a given changeset. This command can only

be executed using the api_key of a user with read permissions to the

repository.

INPUT::

    id : <id_for_response>

    api_key : "<api_key>"

    method  : "get_changeset"

    args:     {

                "repoid" : "<reponame or repo_id>",

                "raw_id" : "<raw_id>",

                "with_reviews": "<bool> = Optional(False)"

              }

OUTPUT::

    id : <id_given_in_input>

    result: {

              "author":   "<full_author>",

              "date":     "<date_time_of_commit>",

              "message":  "<commit_message>",

              "raw_id":   "<raw_id>",

              "revision": "<numeric_revision>",

              "short_id": "<short_id>",

              "reviews": [{

                    "reviewer":   "<username>",

                    "modified_at": "<date_time_of_review>",  # iso 8601 date, server's timezone

                    "status":   "<status_of_review>",        # "under_review", "approved" or "rejected"

                 },

                 ...

              ]

            }

    error:  null

Example output::

    {

      "id" : 1,

      "error" : null,

      "result" : {

        "author" : {

          "email" : "user@example.com",

          "name" : "Kallithea Admin"

        },

        "changed" : [],

        "short_id" : "e1022d3d28df",

        "date" : "2017-03-28T09:09:03",

        "added" : [

          "README.rst"

        ],

        "removed" : [],

        "revision" : 0,

        "raw_id" : "e1022d3d28dfba02f626cde65dbe08f4ceb0e4e7",

        "message" : "Added file via Kallithea",

        "id" : "e1022d3d28dfba02f626cde65dbe08f4ceb0e4e7",

        "reviews" : [

          {

            "status" : "under_review",

            "modified_at" : "2017-03-28T09:17:08.618",

            "reviewer" : "user"

          }

        ]

      }

    }

get_pullrequest

^^^^^^^^^^^^^^^

Get information and review status for a given pull request. This command can only be executed

using the api_key of a user with read permissions to the original repository.

INPUT::

    id : <id_for_response>

    api_key : "<api_key>"

    method  : "get_pullrequest"

    args:     {

                "pullrequest_id" : "<pullrequest_id>",

              }

OUTPUT::

    id : <id_given_in_input>

    result: {

        "status": "<pull_request_status>",

        "pull_request_id": <pull_request_id>,

        "description": "<pull_request_description>",

        "title": "<pull_request_title>",

        "url": "<pull_request_url>",

        "reviewers": [

          {

            "username": "<user_name>",

# -*- coding: utf-8 -*-

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""

kallithea.controllers.api.api

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

API controller for Kallithea

This file was forked by the Kallithea project in July 2014.

Original author and date, and relevant copyright and licensing information is below:

:created_on: Aug 20, 2011

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import time

import traceback

import logging

from sqlalchemy import or_

from tg import request

from kallithea.controllers.api import JSONRPCController, JSONRPCError

from kallithea.lib.auth import (

    PasswordGenerator, AuthUser, HasPermissionAnyDecorator,

    HasPermissionAnyDecorator, HasPermissionAny, HasRepoPermissionLevel,

    HasRepoGroupPermissionLevel, HasUserGroupPermissionLevel)

from kallithea.lib.utils import map_groups, repo2db_mapper

from kallithea.lib.utils2 import (

    str2bool, time_to_datetime, safe_int, Optional, OAttr)

from kallithea.model.meta import Session

from kallithea.model.repo_group import RepoGroupModel

from kallithea.model.scm import ScmModel, UserGroupList

from kallithea.model.repo import RepoModel

from kallithea.model.user import UserModel

from kallithea.model.user_group import UserGroupModel

from kallithea.model.gist import GistModel

from kallithea.model.changeset_status import ChangesetStatusModel

from kallithea.model.comment import ChangesetCommentsModel

from kallithea.model.pull_request import PullRequestModel

from kallithea.model.db import (

    Repository, Setting, UserIpMap, Permission, User, Gist,

    RepoGroup, UserGroup, PullRequest, ChangesetStatus)

from kallithea.lib.compat import json

from kallithea.lib.exceptions import (

    DefaultUserException, UserGroupsAssignedException)

from kallithea.lib.vcs.backends.base import EmptyChangeset

from kallithea.lib.utils import action_logger

log = logging.getLogger(__name__)

def store_update(updates, attr, name):

    """

    Stores param in updates dict if it's not instance of Optional

    allows easy updates of passed in params

    """

    if not isinstance(attr, Optional):

        updates[name] = attr

def get_user_or_error(userid):

    """

    Get user by id or name or return JsonRPCError if not found

    :param userid:

    """

    user = UserModel().get_user(userid)

    if user is None:

        raise JSONRPCError("user `%s` does not exist" % (userid,))

    return user

def get_repo_or_error(repoid):

    """

    Get repo by id or name or return JsonRPCError if not found

    :param repoid:

    """

    repo = RepoModel().get_repo(repoid)

    if repo is None:

        raise JSONRPCError('repository `%s` does not exist' % (repoid,))

    return repo

def get_repo_group_or_error(repogroupid):

    """

    Get repo group by id or name or return JsonRPCError if not found

    :param repogroupid:

    """

    repo_group = RepoGroup.guess_instance(repogroupid)

    if repo_group is None:

        raise JSONRPCError(

            'repository group `%s` does not exist' % (repogroupid,))

    return repo_group

def get_user_group_or_error(usergroupid):

    """

    Get user group by id or name or return JsonRPCError if not found

    :param usergroupid:

    """

    user_group = UserGroupModel().get_group(usergroupid)

    if user_group is None:

        raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))

    return user_group

def get_perm_or_error(permid, prefix=None):

    """

    Get permission by id or name or return JsonRPCError if not found

    :param permid:

    """

    perm = Permission.get_by_key(permid)

    if perm is None:

        raise JSONRPCError('permission `%s` does not exist' % (permid,))

    if prefix:

        if not perm.permission_name.startswith(prefix):

            raise JSONRPCError('permission `%s` is invalid, '

                               'should start with %s' % (permid, prefix))

    return perm

def get_gist_or_error(gistid):

    """

    Get gist by id or gist_access_id or return JsonRPCError if not found

    :param gistid:

    """

    gist = GistModel().get_gist(gistid)

    if gist is None:

        raise JSONRPCError('gist `%s` does not exist' % (gistid,))

    return gist

class ApiController(JSONRPCController):

    """

    API Controller

        :param lifetime: time in minutes of gist lifetime

        :type lifetime: Optional(int)

        :param description: gist description

        :type description: Optional(str)

        OUTPUT::

          id : <id_given_in_input>

          result : {

            "msg": "created new gist",

            "gist": {}

          }

          error :  null

        ERROR OUTPUT::

          id : <id_given_in_input>

          result : null

          error :  {

            "failed to create gist"

          }

        """

        try:

            if isinstance(owner, Optional):

                owner = request.authuser.user_id

            owner = get_user_or_error(owner)

            description = Optional.extract(description)

            gist_type = Optional.extract(gist_type)

            lifetime = Optional.extract(lifetime)

            gist = GistModel().create(description=description,

                                      owner=owner,

                                      gist_mapping=files,

                                      gist_type=gist_type,

                                      lifetime=lifetime)

            Session().commit()

            return dict(

                msg='created new gist',

                gist=gist.get_api_data()

            )

        except Exception:

            log.error(traceback.format_exc())

            raise JSONRPCError('failed to create gist')

    # def update_gist(self, gistid, files, owner=Optional(OAttr('apiuser')),

    #                 gist_type=Optional(Gist.GIST_PUBLIC),

    #                 gist_lifetime=Optional(-1), gist_description=Optional('')):

    #     gist = get_gist_or_error(gistid)

    #     updates = {}

    # permission check inside

    def delete_gist(self, gistid):

        """

        Deletes existing gist

        :param gistid: id of gist to delete

        :type gistid: str

        OUTPUT::

          id : <id_given_in_input>

          result : {

            "deleted gist ID: <gist_id>",

            "gist": null

          }

          error :  null

        ERROR OUTPUT::

          id : <id_given_in_input>

          result : null

          error :  {

            "failed to delete gist ID:<gist_id>"

          }

        """

        gist = get_gist_or_error(gistid)

        if not HasPermissionAny('hg.admin')():

            if gist.owner_id != request.authuser.user_id:

                raise JSONRPCError('gist `%s` does not exist' % (gistid,))

        try:

            GistModel().delete(gist)

            Session().commit()

            return dict(

                msg='deleted gist ID:%s' % (gist.gist_access_id,),

                gist=None

            )

        except Exception:

            log.error(traceback.format_exc())

            raise JSONRPCError('failed to delete gist ID:%s'

                               % (gist.gist_access_id,))

    # permission check inside

    def get_changeset(self, repoid, raw_id, with_reviews=Optional(False)):

        repo = get_repo_or_error(repoid)

        if not HasRepoPermissionLevel('read')(repo.repo_name):

            raise JSONRPCError('Access denied to repo %s' % repo.repo_name)

        changeset = repo.get_changeset(raw_id)

        if isinstance(changeset, EmptyChangeset):

            raise JSONRPCError('Changeset %s does not exist' % raw_id)

        info = dict(changeset.as_dict())

        with_reviews = Optional.extract(with_reviews)

        if with_reviews:

                reviews = ChangesetStatusModel().get_statuses(

                                    repo.repo_name, raw_id)

                info["reviews"] = reviews

        return info

    # permission check inside

    def get_pullrequest(self, pullrequest_id):

        """

        Get given pull request by id

        """

        pull_request = PullRequest.get(pullrequest_id)

        if pull_request is None:

            raise JSONRPCError('pull request `%s` does not exist' % (pullrequest_id,))

        if not HasRepoPermissionLevel('read')(pull_request.org_repo.repo_name):

            raise JSONRPCError('not allowed')

        return pull_request.get_api_data()

    # permission check inside

    def comment_pullrequest(self, pull_request_id, comment_msg=u'', status=None, close_pr=False):

        """

        Add comment, close and change status of pull request.

        """

        apiuser = get_user_or_error(request.authuser.user_id)

        pull_request = PullRequest.get(pull_request_id)

        if pull_request is None:

            raise JSONRPCError('pull request `%s` does not exist' % (pull_request_id,))

        if (not HasRepoPermissionLevel('read')(pull_request.org_repo.repo_name)):

            raise JSONRPCError('No permission to add comment. User needs at least reading permissions'

                               ' to the source repository.')

        owner = apiuser.user_id == pull_request.owner_id

        reviewer = apiuser.user_id in [reviewer.user_id for reviewer in pull_request.reviewers]

        if close_pr and not (apiuser.admin or owner):

            raise JSONRPCError('No permission to close pull request. User needs to be admin or owner.')

        if status and not (apiuser.admin or owner or reviewer):

            raise JSONRPCError('No permission to change pull request status. User needs to be admin, owner or reviewer.')

        if pull_request.is_closed():

            raise JSONRPCError('pull request is already closed')

        comment = ChangesetCommentsModel().create(

            text=comment_msg,

            repo=pull_request.org_repo.repo_id,

            author=apiuser.user_id,

            pull_request=pull_request.pull_request_id,

            f_path=None,

            line_no=None,

            status_change=(ChangesetStatus.get_status_lbl(status)),

            closing_pr=close_pr

        )

        action_logger(apiuser,

                      'user_commented_pull_request:%s' % pull_request_id,

                      pull_request.org_repo, request.ip_addr)

        if status:

            ChangesetStatusModel().set_status(

                pull_request.org_repo_id,

                status,

                apiuser.user_id,

                comment,

                pull_request=pull_request_id

            )

        if close_pr:

            PullRequestModel().close_pull_request(pull_request_id)

            action_logger(apiuser,

                          'user_closed_pull_request:%s' % pull_request_id,

                          pull_request.org_repo, request.ip_addr)

        Session().commit()

        return True

        :param name: Name of configuration we want to retrieve

        :param config_file: A path to file which should be used to retrieve

          configuration from (might also be a list of file paths)

        """

        raise NotImplementedError

    def get_user_name(self, config_file=None):

        """

        Returns user's name from global configuration file.

        :param config_file: A path to file which should be used to retrieve

          configuration from (might also be a list of file paths)

        """

        raise NotImplementedError

    def get_user_email(self, config_file=None):

        """

        Returns user's email from global configuration file.

        :param config_file: A path to file which should be used to retrieve

          configuration from (might also be a list of file paths)

        """

        raise NotImplementedError

    # =========== #

    # WORKDIR API #

    # =========== #

    @LazyProperty

    def workdir(self):

        """

        Returns ``Workdir`` instance for this repository.

        """

        raise NotImplementedError

class BaseChangeset(object):

    """

    Each backend should implement it's changeset representation.

    **Attributes**

        ``repository``

            repository object within which changeset exists

        ``id``

            may be ``raw_id`` or i.e. for mercurial's tip just ``tip``

        ``raw_id``

            raw changeset representation (i.e. full 40 length sha for git

            backend)

        ``short_id``

            shortened (if apply) version of ``raw_id``; it would be simple

            shortcut for ``raw_id[:12]`` for git/mercurial backends or same

            as ``raw_id`` for subversion

        ``revision``

            revision number as integer

        ``files``

            list of ``FileNode`` (``Node`` with NodeKind.FILE) objects

        ``dirs``

            list of ``DirNode`` (``Node`` with NodeKind.DIR) objects

        ``nodes``

            combined list of ``Node`` objects

        ``author``

            author of the changeset, as unicode

        ``message``

            message of the changeset, as unicode

        ``parents``

            list of parent changesets

        ``last``

            ``True`` if this is last changeset in repository, ``False``

            otherwise; trying to access this attribute while there is no

            changesets would raise ``EmptyRepositoryError``

    """

    def __str__(self):

        return '<%s at %s:%s>' % (self.__class__.__name__, self.revision,

            self.short_id)

    def __repr__(self):

        return self.__str__()

    def __unicode__(self):

        return u'%s:%s' % (self.revision, self.short_id)

    def __eq__(self, other):

        return self.raw_id == other.raw_id

    @LazyProperty

    def last(self):

        if self.repository is None:

            raise ChangesetError("Cannot check if it's most recent revision")

        return self.raw_id == self.repository.revisions[-1]

    @LazyProperty

    def parents(self):

        """

        Returns list of parents changesets.

        """

        raise NotImplementedError

    @LazyProperty

    def children(self):

        """

        Returns list of children changesets.

        """

        raise NotImplementedError

    @LazyProperty

    def id(self):

        """

        Returns string identifying this changeset.

        """

        raise NotImplementedError

    @LazyProperty

    def raw_id(self):

        """

        Returns raw string identifying this changeset.

        """

        raise NotImplementedError

    @LazyProperty

    def short_id(self):

        """

        Returns shortened version of ``raw_id`` attribute, as string,

        identifying this changeset, useful for web representation.

        """

        raise NotImplementedError

    @LazyProperty

    def revision(self):

        """

        Returns integer identifying this changeset.

        """

        raise NotImplementedError

    @LazyProperty

    def committer(self):

        """

        Returns Committer for given commit

        """

        raise NotImplementedError

    @LazyProperty

    def committer_name(self):

        """

        Returns Author name for given commit

        """

        return author_name(self.committer)

    @LazyProperty

    def committer_email(self):

        """

        Returns Author email address for given commit

        """

        return author_email(self.committer)

    @LazyProperty

    def author(self):

        """

        Returns Author for given commit

        """

        raise NotImplementedError

    @LazyProperty

    def author_name(self):

        """

        Returns Author name for given commit

        """

        return author_name(self.author)

    @LazyProperty

    def author_email(self):

        """

        Returns Author email address for given commit

        """

        fixture.create_gist(owner=self.TEST_USER_LOGIN)

        fixture.create_gist(owner=self.TEST_USER_LOGIN)

        fixture.create_gist(owner=self.TEST_USER_LOGIN)

        id_, params = _build_data(self.apikey, 'get_gists',

                                  userid=self.TEST_USER_LOGIN)

        response = api_call(self, params)

        expected = response.json

        assert len(response.json['result']) == 3

        #self._compare_ok(id_, expected, given=response.body)

    def test_api_get_gists_regular_user_with_different_userid(self):

        id_, params = _build_data(self.apikey_regular, 'get_gists',

                                  userid=TEST_USER_ADMIN_LOGIN)

        response = api_call(self, params)

        expected = 'userid is not the same as your user'

        self._compare_error(id_, expected, given=response.body)

    def test_api_create_gist(self):

        id_, params = _build_data(self.apikey_regular, 'create_gist',

                                  lifetime=10,

                                  description='foobar-gist',

                                  gist_type='public',

                                  files={'foobar': {'content': 'foo'}})

        response = api_call(self, params)

        response_json = response.json

        expected = {

            'gist': {

                'access_id': response_json['result']['gist']['access_id'],

                'created_on': response_json['result']['gist']['created_on'],

                'description': 'foobar-gist',

                'expires': response_json['result']['gist']['expires'],

                'gist_id': response_json['result']['gist']['gist_id'],

                'type': 'public',

                'url': response_json['result']['gist']['url']

            },

            'msg': 'created new gist'

        }

        self._compare_ok(id_, expected, given=response.body)

    @mock.patch.object(GistModel, 'create', crash)

    def test_api_create_gist_exception_occurred(self):

        id_, params = _build_data(self.apikey_regular, 'create_gist',

                                  files={})

        response = api_call(self, params)

        expected = 'failed to create gist'

        self._compare_error(id_, expected, given=response.body)

    def test_api_delete_gist(self):

        gist_id = fixture.create_gist().gist_access_id

        id_, params = _build_data(self.apikey, 'delete_gist',

                                  gistid=gist_id)

        response = api_call(self, params)

        expected = {'gist': None, 'msg': 'deleted gist ID:%s' % gist_id}