# -*- coding: utf-8 -*-

"""

    rhodecode.lib.auth

    ~~~~~~~~~~~~~~~~~~

    authentication and permission libraries

    :created_on: Apr 4, 2010

    :author: marcink

    :copyright: (C) 2010-2012 Marcin Kuzminski <marcin@python-works.com>

    :license: GPLv3, see COPYING for more details.

"""

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import random

import logging

import traceback

import hashlib

from tempfile import _RandomNameSequence

from decorator import decorator

from pylons import config, url, request

from pylons.controllers.util import abort, redirect

from pylons.i18n.translation import _

from rhodecode import __platform__, PLATFORM_WIN, PLATFORM_OTHERS

from rhodecode.model.meta import Session

if __platform__ in PLATFORM_WIN:

    from hashlib import sha256

if __platform__ in PLATFORM_OTHERS:

    import bcrypt

from rhodecode.lib.utils2 import str2bool, safe_unicode

from rhodecode.lib.exceptions import LdapPasswordError, LdapUsernameError

from rhodecode.lib.utils import get_repo_slug, get_repos_group_slug

from rhodecode.lib.auth_ldap import AuthLdap

from rhodecode.model import meta

from rhodecode.model.user import UserModel

from rhodecode.model.db import Permission, RhodeCodeSetting, User

log = logging.getLogger(__name__)

class PasswordGenerator(object):

    """

    This is a simple class for generating password from different sets of

    characters

    usage::

        passwd_gen = PasswordGenerator()

        #print 8-letter password containing only big and small letters

            of alphabet

    """

    ALPHABETS_NUM = r'''1234567890'''

    ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm'''

    ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM'''

    ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?'''

    ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \

        + ALPHABETS_NUM + ALPHABETS_SPECIAL

    ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM

    ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL

    ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM

    ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM

    def __init__(self, passwd=''):

        self.passwd = passwd

    def gen_password(self, length, type_=None):

        if type_ is None:

            type_ = self.ALPHABETS_FULL

        self.passwd = ''.join([random.choice(type_) for _ in xrange(length)])

        return self.passwd

class RhodeCodeCrypto(object):

    @classmethod

    def hash_string(cls, str_):

        """

        Cryptographic function used for password hashing based on pybcrypt

        or pycrypto in windows

        :param password: password to hash

        """

        if __platform__ in PLATFORM_WIN:

            return sha256(str_).hexdigest()

        elif __platform__ in PLATFORM_OTHERS:

            return bcrypt.hashpw(str_, bcrypt.gensalt(10))

        else:

            raise Exception('Unknown or unsupported platform %s' \

                            % __platform__)

    @classmethod

    def hash_check(cls, password, hashed):

        """

        Checks matching password with it's hashed value, runs different

        implementation based on platform it runs on

        :param password: password

        :param hashed: password in hashed form

        """

        if __platform__ in PLATFORM_WIN:

            return sha256(password).hexdigest() == hashed

        elif __platform__ in PLATFORM_OTHERS:

            return bcrypt.hashpw(password, hashed) == hashed

        else:

            raise Exception('Unknown or unsupported platform %s' \

                            % __platform__)

def get_crypt_password(password):

    return RhodeCodeCrypto.hash_string(password)

def check_password(password, hashed):

    return RhodeCodeCrypto.hash_check(password, hashed)

def generate_api_key(str_, salt=None):

    """

    Generates API KEY from given string

    :param str_:

    :param salt:

    """

    if salt is None:

        salt = _RandomNameSequence().next()

    return hashlib.sha1(str_ + salt).hexdigest()

def authfunc(environ, username, password):

    """

    Dummy authentication wrapper function used in Mercurial and Git for

    access control.

    :param environ: needed only for using in Basic auth

    """

    return authenticate(username, password)

def authenticate(username, password):

    """

    Authentication function used for access control,

    firstly checks for db authentication then if ldap is enabled for ldap

    authentication, also creates ldap user if not in database

    :param username: username

    :param password: password

    """

    user_model = UserModel()

    user = User.get_by_username(username)

    log.debug('Authenticating user using RhodeCode account')

    if user is not None and not user.ldap_dn:

        if user.active:

            if user.username == 'default' and user.active:

                log.info('user %s authenticated correctly as anonymous user' %

                         username)

                return True

            elif user.username == username and check_password(password,

                                                              user.password):

                log.info('user %s authenticated correctly' % username)

                return True

        else:

            log.warning('user %s tried auth but is disabled' % username)

    else:

        log.debug('Regular authentication failed')

        user_obj = User.get_by_username(username, case_insensitive=True)

        if user_obj is not None and not user_obj.ldap_dn:

            log.debug('this user already exists as non ldap')

            return False

        ldap_settings = RhodeCodeSetting.get_ldap_settings()

        #======================================================================

        # FALLBACK TO LDAP AUTH IF ENABLE

        #======================================================================

        if str2bool(ldap_settings.get('ldap_active')):

            log.debug("Authenticating user using ldap")

            kwargs = {

                  'server': ldap_settings.get('ldap_host', ''),

                  'base_dn': ldap_settings.get('ldap_base_dn', ''),

                  'port': ldap_settings.get('ldap_port'),

                  'bind_dn': ldap_settings.get('ldap_dn_user'),

                  'bind_pass': ldap_settings.get('ldap_dn_pass'),

                  'tls_kind': ldap_settings.get('ldap_tls_kind'),

                  'tls_reqcert': ldap_settings.get('ldap_tls_reqcert'),

                  'ldap_filter': ldap_settings.get('ldap_filter'),

                  'search_scope': ldap_settings.get('ldap_search_scope'),

                  'attr_login': ldap_settings.get('ldap_attr_login'),

                  'ldap_version': 3,

                  }

            log.debug('Checking for ldap authentication')

            try:

                aldap = AuthLdap(**kwargs)

                (user_dn, ldap_attrs) = aldap.authenticate_ldap(username,

                                                                password)

                log.debug('Got ldap DN response %s' % user_dn)

                get_ldap_attr = lambda k: ldap_attrs.get(ldap_settings\

                                                           .get(k), [''])[0]

                user_attrs = {

                 'name': safe_unicode(get_ldap_attr('ldap_attr_firstname')),

                 'lastname': safe_unicode(get_ldap_attr('ldap_attr_lastname')),

                 'email': get_ldap_attr('ldap_attr_email'),

                }

                # don't store LDAP password since we don't need it. Override

                # with some random generated password

                _password = PasswordGenerator().gen_password(length=8)

                # create this user on the fly if it doesn't exist in rhodecode

                # database

                if user_model.create_ldap(username, _password, user_dn,

                                          user_attrs):

                    log.info('created new ldap user %s' % username)

                Session.commit()

                return True

            except (LdapUsernameError, LdapPasswordError,):

                pass

            except (Exception,):

                log.error(traceback.format_exc())

                pass

    return False

def login_container_auth(username):

    user = User.get_by_username(username)

    if user is None:

        user_attrs = {

            'name': username,

            'lastname': None,

            'email': None,

        }

        user = UserModel().create_for_container_auth(username, user_attrs)

        if not user:

            return None

import re

from rhodecode.lib.vcs.utils.lazy import LazyProperty

def __get_lem():

    """

    Get language extension map based on what's inside pygments lexers

    """

    from pygments import lexers

    from string import lower

    from collections import defaultdict

    d = defaultdict(lambda: [])

    def __clean(s):

        s = s.lstrip('*')

        s = s.lstrip('.')

        if s.find('[') != -1:

            exts = []

            start, stop = s.find('['), s.find(']')

            for suffix in s[start + 1:stop]:

                exts.append(s[:s.find('[')] + suffix)

            return map(lower, exts)

        else:

            return map(lower, [s])

    for lx, t in sorted(lexers.LEXERS.items()):

        m = map(__clean, t[-2])

        if m:

            m = reduce(lambda x, y: x + y, m)

            for ext in m:

                desc = lx.replace('Lexer', '')

                d[ext].append(desc)

    return dict(d)

def str2bool(_str):

    """

    returs True/False value from given string, it tries to translate the

    string into boolean

    :param _str: string value to translate into boolean

    :rtype: boolean

    :returns: boolean from given string

    """

    if _str is None:

        return False

    if _str in (True, False):

        return _str

    _str = str(_str).strip().lower()

    return _str in ('t', 'true', 'y', 'yes', 'on', '1')

def convert_line_endings(line, mode):

    """

    Converts a given line  "line end" accordingly to given mode

    Available modes are::

        0 - Unix

        1 - Mac

        2 - DOS

    :param line: given line to convert

    :param mode: mode to convert to

    :rtype: str

    :return: converted line according to mode

    """

    from string import replace

    if mode == 0:

            line = replace(line, '\r\n', '\n')

            line = replace(line, '\r', '\n')

    elif mode == 1:

            line = replace(line, '\r\n', '\r')

            line = replace(line, '\n', '\r')

    elif mode == 2:

            line = re.sub("\r(?!\n)|(?<!\r)\n", "\r\n", line)

    return line

def detect_mode(line, default):

    """

    Detects line break for given line, if line break couldn't be found

    given default value is returned

    :param line: str line

    :param default: default

    :rtype: int

    :return: value of line end on of 0 - Unix, 1 - Mac, 2 - DOS

    """

    if line.endswith('\r\n'):

        return 2

    elif line.endswith('\n'):

        return 0

    elif line.endswith('\r'):

        return 1

    else:

        return default

def generate_api_key(username, salt=None):

    """

    Generates unique API key for given username, if salt is not given

    it'll be generated from some random string

    :param username: username as string

    :param salt: salt to hash generate KEY

    :rtype: str

    :returns: sha1 hash from username+salt

    """

    from tempfile import _RandomNameSequence

    import hashlib

    if salt is None:

        salt = _RandomNameSequence().next()

    return hashlib.sha1(username + salt).hexdigest()

def safe_unicode(str_, from_encoding=None):

    """

    safe unicode function. Does few trick to turn str_ into unicode

    In case of UnicodeDecode error we try to return it with encoding detected

    by chardet library if it fails fallback to unicode with errors replaced

    :param str_: string to decode

    :rtype: unicode

    :returns: unicode object

    """

    if isinstance(str_, unicode):

        return str_

    if not from_encoding:

        import rhodecode

        DEFAULT_ENCODING = rhodecode.CONFIG.get('default_encoding','utf8')

        from_encoding = DEFAULT_ENCODING

    try:

        return unicode(str_)

    except UnicodeDecodeError:

        pass

    try:

        return unicode(str_, from_encoding)

    except UnicodeDecodeError:

        pass

    try:

        import chardet

        encoding = chardet.detect(str_)['encoding']

        if encoding is None:

            raise Exception()

        return str_.decode(encoding)

    except (ImportError, UnicodeDecodeError, Exception):

        return unicode(str_, from_encoding, 'replace')

def safe_str(unicode_, to_encoding=None):

    """

    safe str function. Does few trick to turn unicode_ into string

    In case of UnicodeEncodeError we try to return it with encoding detected

    by chardet library if it fails fallback to string with errors replaced

    :param unicode_: unicode to encode

    :rtype: str

    :returns: str object

    """

    # if it's not basestr cast to str

    if not isinstance(unicode_, basestring):

        return str(unicode_)

    if isinstance(unicode_, str):

        return unicode_

    if not to_encoding:

        import rhodecode

        DEFAULT_ENCODING = rhodecode.CONFIG.get('default_encoding','utf8')

        to_encoding = DEFAULT_ENCODING

    try:

        return unicode_.encode(to_encoding)

    except UnicodeEncodeError:

        pass

    try:

        import chardet

        encoding = chardet.detect(unicode_)['encoding']

        if encoding is None:

            raise UnicodeEncodeError()

        return unicode_.encode(encoding)

    except (ImportError, UnicodeEncodeError):

        return unicode_.encode(to_encoding, 'replace')

    return safe_str

def engine_from_config(configuration, prefix='sqlalchemy.', **kwargs):

    """

    Custom engine_from_config functions that makes sure we use NullPool for

    file based sqlite databases. This prevents errors on sqlite. This only

    applies to sqlalchemy versions < 0.7.0

    """

    import sqlalchemy

    from sqlalchemy import engine_from_config as efc

    import logging

    if int(sqlalchemy.__version__.split('.')[1]) < 7:

        # This solution should work for sqlalchemy < 0.7.0, and should use

        # proxy=TimerProxy() for execution time profiling

        from sqlalchemy.pool import NullPool

        url = configuration[prefix + 'url']

        if url.startswith('sqlite'):

            kwargs.update({'poolclass': NullPool})

        return efc(configuration, prefix, **kwargs)

    else:

        import time

        from sqlalchemy import event

        from sqlalchemy.engine import Engine

        log = logging.getLogger('sqlalchemy.engine')

        BLACK, RED, GREEN, YELLOW, BLUE, MAGENTA, CYAN, WHITE = xrange(30, 38)

        engine = efc(configuration, prefix, **kwargs)

        def color_sql(sql):

            COLOR_SEQ = "\033[1;%dm"

            COLOR_SQL = YELLOW

            normal = '\x1b[0m'

            return ''.join([COLOR_SEQ % COLOR_SQL, sql, normal])

        if configuration['debug']:

            #attach events only for debug configuration

            def before_cursor_execute(conn, cursor, statement,

                                    parameters, context, executemany):

                context._query_start_time = time.time()

                log.info(color_sql(">>>>> STARTING QUERY >>>>>"))

            def after_cursor_execute(conn, cursor, statement,

                                    parameters, context, executemany):

                total = time.time() - context._query_start_time

                log.info(color_sql("<<<<< TOTAL TIME: %f <<<<<" % total))

            event.listen(engine, "before_cursor_execute",

                         before_cursor_execute)

            event.listen(engine, "after_cursor_execute",

                         after_cursor_execute)

    return engine

def age(curdate):

    """

    turns a datetime into an age string.

    :param curdate: datetime object

    :rtype: unicode

    :returns: unicode words describing age

    """

    from datetime import datetime

    from webhelpers.date import time_ago_in_words

    _ = lambda s: s

    if not curdate:

        return ''

    agescales = [(_(u"year"), 3600 * 24 * 365),

                 (_(u"month"), 3600 * 24 * 30),

                 (_(u"day"), 3600 * 24),

                 (_(u"hour"), 3600),

                 (_(u"minute"), 60),

                 (_(u"second"), 1), ]

    age = datetime.now() - curdate

    age_seconds = (age.days * agescales[2][1]) + age.seconds

    pos = 1

    for scale in agescales:

        if scale[1] <= age_seconds:

            if pos == 6:

                pos = 5

            return '%s %s' % (time_ago_in_words(curdate,

                                                agescales[pos][0]), _('ago'))

        pos += 1

    return _(u'just now')

def uri_filter(uri):

    """

    Removes user:password from given url string

    :param uri:

    :rtype: unicode

    :returns: filtered list of strings

    """

    if not uri:

        return ''

    proto = ''

    for pat in ('https://', 'http://'):

        if uri.startswith(pat):

            uri = uri[len(pat):]

            proto = pat

            break

    # remove passwords and username

    uri = uri[uri.find('@') + 1:]

    # get the port

    cred_pos = uri.find(':')

    if cred_pos == -1:

        host, port = uri, None

    else:

        host, port = uri[:cred_pos], uri[cred_pos + 1:]

    return filter(None, [proto, host, port])

def credentials_filter(uri):

    """

    Returns a url with removed credentials

    :param uri:

    """

    uri = uri_filter(uri)

    #check if we have port

    if len(uri) > 2 and uri[2]:

        uri[2] = ':' + uri[2]

    return ''.join(uri)

def get_changeset_safe(repo, rev):

    """

    Safe version of get_changeset if this changeset doesn't exists for a

    repo it returns a Dummy one instead

    :param repo:

    :param rev:

    """

    from rhodecode.lib.vcs.backends.base import BaseRepository

    from rhodecode.lib.vcs.exceptions import RepositoryError

    if not isinstance(repo, BaseRepository):

        raise Exception('You must pass an Repository '

                        'object as first argument got %s', type(repo))

    try:

        cs = repo.get_changeset(rev)

    except RepositoryError:

        from rhodecode.lib.utils import EmptyChangeset

        cs = EmptyChangeset(requested_revision=rev)

    return cs

MENTIONS_REGEX = r'(?:^@|\s@)([a-zA-Z0-9]{1}[a-zA-Z0-9\-\_\.]+)(?:\s{1})'

def extract_mentioned_users(s):

    """

    Returns unique usernames from given string s that have @mention

    :param s: string to get mentions

    """

    usrs = set()

    for username in re.findall(MENTIONS_REGEX, s):

        usrs.add(username)

    return sorted(list(usrs), key=lambda k: k.lower())

        return p

    @LazyProperty

    def _paths(self):

        return self._dir_paths + self._file_paths

    @LazyProperty

    def id(self):

        if self.last:

            return u'tip'

        return self.short_id

    @LazyProperty

    def short_id(self):

        return self.raw_id[:12]

    @LazyProperty

    def parents(self):

        """

        Returns list of parents changesets.

        """

        return [self.repository.get_changeset(parent.rev())

                for parent in self._ctx.parents() if parent.rev() >= 0]

    def next(self, branch=None):

        if branch and self.branch != branch:

            raise VCSError('Branch option used on changeset not belonging '

                           'to that branch')

        def _next(changeset, branch):

            try:

                next_ = changeset.revision + 1

                next_rev = changeset.repository.revisions[next_]

            except IndexError:

                raise ChangesetDoesNotExistError

            cs = changeset.repository.get_changeset(next_rev)

            if branch and branch != cs.branch:

                return _next(cs, branch)

            return cs

        return _next(self, branch)

    def prev(self, branch=None):

        if branch and self.branch != branch:

            raise VCSError('Branch option used on changeset not belonging '

                           'to that branch')

        def _prev(changeset, branch):

            try:

                prev_ = changeset.revision - 1

                if prev_ < 0:

                    raise IndexError

                prev_rev = changeset.repository.revisions[prev_]

            except IndexError:

                raise ChangesetDoesNotExistError

            cs = changeset.repository.get_changeset(prev_rev)

            if branch and branch != cs.branch:

                return _prev(cs, branch)

            return cs

        return _prev(self, branch)

    def _fix_path(self, path):

        """

        Paths are stored without trailing slash so we need to get rid off it if

        needed. Also mercurial keeps filenodes as str so we need to decode

        from unicode to str

        """

        if path.endswith('/'):

            path = path.rstrip('/')

        return safe_str(path)

    def _get_kind(self, path):

        path = self._fix_path(path)

        if path in self._file_paths:

            return NodeKind.FILE

        elif path in self._dir_paths:

            return NodeKind.DIR

        else:

            raise ChangesetError("Node does not exist at the given path %r"

                % (path))

    def _get_filectx(self, path):

        path = self._fix_path(path)

        if self._get_kind(path) != NodeKind.FILE:

            raise ChangesetError("File does not exist for revision %r at "

                " %r" % (self.revision, path))

        return self._ctx.filectx(path)

    def _extract_submodules(self):

        """

        returns a dictionary with submodule information from substate file

        of hg repository

        """

        return self._ctx.substate

    def get_file_mode(self, path):

        """

        Returns stat mode of the file at the given ``path``.

        """

        fctx = self._get_filectx(path)

        if 'x' in fctx.flags():

            return 0100755

        else:

            return 0100644

    def get_file_content(self, path):

        """

        Returns content of the file at given ``path``.

        """

        fctx = self._get_filectx(path)

        return fctx.data()

    def get_file_size(self, path):

        """

        Returns size of the file at given ``path``.

        """

        fctx = self._get_filectx(path)

        return fctx.size()

    def get_file_changeset(self, path):

        """

        Returns last commit of the file at the given ``path``.

        """

        node = self.get_node(path)

        return node.history[0]

    def get_file_history(self, path):

        """

        Returns history of file as reversed list of ``Changeset`` objects for

        which file at given ``path`` has been modified.

        """

        fctx = self._get_filectx(path)

        nodes = [fctx.filectx(x).node() for x in fctx.filelog()]

        changesets = [self.repository.get_changeset(hex(node))

            for node in reversed(nodes)]

        return changesets

    def get_file_annotate(self, path):

        """

        Returns a list of three element tuples with lineno,changeset and line

        """

        fctx = self._get_filectx(path)

        annotate = []

        for i, annotate_data in enumerate(fctx.annotate()):

            ln_no = i + 1

            annotate.append((ln_no, self.repository\

                             .get_changeset(hex(annotate_data[0].node())),

                             annotate_data[1],))

        return annotate

    def fill_archive(self, stream=None, kind='tgz', prefix=None,

                     subrepos=False):

        """

        Fills up given stream.

        :param stream: file like object.

        :param kind: one of following: ``zip``, ``tgz`` or ``tbz2``.

            Default: ``tgz``.

        :param prefix: name of root directory in archive.

            Default is repository name and changeset's raw_id joined with dash

            (``repo-tip.<KIND>``).

        :param subrepos: include subrepos in this archive.

        :raise ImproperArchiveTypeError: If given kind is wrong.

        :raise VcsError: If given stream is None

        """

        allowed_kinds = settings.ARCHIVE_SPECS.keys()

        if kind not in allowed_kinds:

            raise ImproperArchiveTypeError('Archive kind not supported use one'

                'of %s', allowed_kinds)

        if stream is None:

            raise VCSError('You need to pass in a valid stream for filling'

                           ' with archival data')

        if prefix is None:

            prefix = '%s-%s' % (self.repository.name, self.short_id)

        elif prefix.startswith('/'):

            raise VCSError("Prefix cannot start with leading slash")

        elif prefix.strip() == '':

            raise VCSError("Prefix cannot be empty")

        archival.archive(self.repository._repo, stream, self.raw_id,

                         kind, prefix=prefix, subrepos=subrepos)

        if stream.closed and hasattr(stream, 'name'):

            stream = open(stream.name, 'rb')

        elif hasattr(stream, 'mode') and 'r' not in stream.mode:

            stream = open(stream.name, 'rb')

        else:

            stream.seek(0)

    def get_nodes(self, path):

        """

        Returns combined ``DirNode`` and ``FileNode`` objects list representing

        state of changeset at the given ``path``. If node at the given ``path``

        is not instance of ``DirNode``, ChangesetError would be raised.

        """

        if self._get_kind(path) != NodeKind.DIR:

            raise ChangesetError("Directory does not exist for revision %r at "

                " %r" % (self.revision, path))

        path = self._fix_path(path)

        filenodes = [FileNode(f, changeset=self) for f in self._file_paths

            if os.path.dirname(f) == path]

        dirs = path == '' and '' or [d for d in self._dir_paths

            if d and posixpath.dirname(d) == path]

        dirnodes = [DirNode(d, changeset=self) for d in dirs

            if os.path.dirname(d) == path]