# -*- coding: utf-8 -*-

"""

    rhodecode.lib.auth

    ~~~~~~~~~~~~~~~~~~

    authentication and permission libraries

    :created_on: Apr 4, 2010

    :author: marcink

    :copyright: (C) 2010-2012 Marcin Kuzminski <marcin@python-works.com>

    :license: GPLv3, see COPYING for more details.

"""

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import random

import logging

import traceback

import hashlib

from tempfile import _RandomNameSequence

from decorator import decorator

from pylons import config, url, request

from pylons.controllers.util import abort, redirect

from pylons.i18n.translation import _

from rhodecode import __platform__, PLATFORM_WIN, PLATFORM_OTHERS

from rhodecode.model.meta import Session

if __platform__ in PLATFORM_WIN:

    from hashlib import sha256

if __platform__ in PLATFORM_OTHERS:

    import bcrypt

from rhodecode.lib.utils2 import str2bool, safe_unicode

from rhodecode.lib.exceptions import LdapPasswordError, LdapUsernameError

from rhodecode.lib.utils import get_repo_slug, get_repos_group_slug

from rhodecode.lib.auth_ldap import AuthLdap

from rhodecode.model import meta

from rhodecode.model.user import UserModel

from rhodecode.model.db import Permission, RhodeCodeSetting, User

log = logging.getLogger(__name__)

class PasswordGenerator(object):

    """

    This is a simple class for generating password from different sets of

    characters

    usage::

        passwd_gen = PasswordGenerator()

        #print 8-letter password containing only big and small letters

            of alphabet

    """

    ALPHABETS_NUM = r'''1234567890'''

    ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm'''

    ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM'''

    ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?'''

    ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \

        + ALPHABETS_NUM + ALPHABETS_SPECIAL

    ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM

    ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL

    ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM

    ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM

    def __init__(self, passwd=''):

        self.passwd = passwd

    def gen_password(self, length, type_=None):

        if type_ is None:

            type_ = self.ALPHABETS_FULL

        self.passwd = ''.join([random.choice(type_) for _ in xrange(length)])

        return self.passwd

class RhodeCodeCrypto(object):

    @classmethod

    def hash_string(cls, str_):

        """

        Cryptographic function used for password hashing based on pybcrypt

        or pycrypto in windows

        :param password: password to hash

        """

        if __platform__ in PLATFORM_WIN:

            return sha256(str_).hexdigest()

        elif __platform__ in PLATFORM_OTHERS:

            return bcrypt.hashpw(str_, bcrypt.gensalt(10))

        else:

            raise Exception('Unknown or unsupported platform %s' \

                            % __platform__)

    @classmethod

    def hash_check(cls, password, hashed):

        """

        Checks matching password with it's hashed value, runs different

        implementation based on platform it runs on

        :param password: password

        :param hashed: password in hashed form

        """

        if __platform__ in PLATFORM_WIN:

            return sha256(password).hexdigest() == hashed

        elif __platform__ in PLATFORM_OTHERS:

            return bcrypt.hashpw(password, hashed) == hashed

        else:

            raise Exception('Unknown or unsupported platform %s' \

                            % __platform__)

def get_crypt_password(password):

    return RhodeCodeCrypto.hash_string(password)

def check_password(password, hashed):

    return RhodeCodeCrypto.hash_check(password, hashed)

def generate_api_key(str_, salt=None):

    """

    Generates API KEY from given string

    :param str_:

    :param salt:

    """

    if salt is None:

        salt = _RandomNameSequence().next()

    return hashlib.sha1(str_ + salt).hexdigest()

def authfunc(environ, username, password):

    """

    Dummy authentication wrapper function used in Mercurial and Git for

    access control.

    :param environ: needed only for using in Basic auth

    """

    return authenticate(username, password)

def authenticate(username, password):

    """

    Authentication function used for access control,

    firstly checks for db authentication then if ldap is enabled for ldap

    authentication, also creates ldap user if not in database

    elif line.endswith('\r'):

        return 1

    else:

        return default

def generate_api_key(username, salt=None):

    """

    Generates unique API key for given username, if salt is not given

    it'll be generated from some random string

    :param username: username as string

    :param salt: salt to hash generate KEY

    :rtype: str

    :returns: sha1 hash from username+salt

    """

    from tempfile import _RandomNameSequence

    import hashlib

    if salt is None:

        salt = _RandomNameSequence().next()

    return hashlib.sha1(username + salt).hexdigest()

def safe_unicode(str_, from_encoding=None):

    """

    safe unicode function. Does few trick to turn str_ into unicode

    In case of UnicodeDecode error we try to return it with encoding detected

    by chardet library if it fails fallback to unicode with errors replaced

    :param str_: string to decode

    :rtype: unicode

    :returns: unicode object

    """

    if isinstance(str_, unicode):

        return str_

    if not from_encoding:

        import rhodecode

        DEFAULT_ENCODING = rhodecode.CONFIG.get('default_encoding','utf8')

        from_encoding = DEFAULT_ENCODING

    try:

        return unicode(str_)

    except UnicodeDecodeError:

        pass

    try:

        return unicode(str_, from_encoding)

    except UnicodeDecodeError:

        pass

    try:

        import chardet

        encoding = chardet.detect(str_)['encoding']

        if encoding is None:

            raise Exception()

        return str_.decode(encoding)

    except (ImportError, UnicodeDecodeError, Exception):

        return unicode(str_, from_encoding, 'replace')

def safe_str(unicode_, to_encoding=None):

    """

    safe str function. Does few trick to turn unicode_ into string

    In case of UnicodeEncodeError we try to return it with encoding detected

    by chardet library if it fails fallback to string with errors replaced

    :param unicode_: unicode to encode

    :rtype: str

    :returns: str object

    """

    # if it's not basestr cast to str

    if not isinstance(unicode_, basestring):

        return str(unicode_)

    if isinstance(unicode_, str):

        return unicode_

    if not to_encoding:

        import rhodecode

        DEFAULT_ENCODING = rhodecode.CONFIG.get('default_encoding','utf8')

        to_encoding = DEFAULT_ENCODING

    try:

        return unicode_.encode(to_encoding)

    except UnicodeEncodeError:

        pass

    try:

        import chardet

        encoding = chardet.detect(unicode_)['encoding']

        if encoding is None:

            raise UnicodeEncodeError()

        return unicode_.encode(encoding)

    except (ImportError, UnicodeEncodeError):

        return unicode_.encode(to_encoding, 'replace')

    return safe_str

def engine_from_config(configuration, prefix='sqlalchemy.', **kwargs):

    """

    Custom engine_from_config functions that makes sure we use NullPool for

    file based sqlite databases. This prevents errors on sqlite. This only

    applies to sqlalchemy versions < 0.7.0

    """

    import sqlalchemy

    from sqlalchemy import engine_from_config as efc

    import logging

    if int(sqlalchemy.__version__.split('.')[1]) < 7:

        # This solution should work for sqlalchemy < 0.7.0, and should use

        # proxy=TimerProxy() for execution time profiling

        from sqlalchemy.pool import NullPool

        url = configuration[prefix + 'url']

        if url.startswith('sqlite'):

            kwargs.update({'poolclass': NullPool})

        return efc(configuration, prefix, **kwargs)

    else:

        import time

        from sqlalchemy import event

        from sqlalchemy.engine import Engine

        log = logging.getLogger('sqlalchemy.engine')

        BLACK, RED, GREEN, YELLOW, BLUE, MAGENTA, CYAN, WHITE = xrange(30, 38)

        engine = efc(configuration, prefix, **kwargs)

        def color_sql(sql):

            COLOR_SEQ = "\033[1;%dm"

            COLOR_SQL = YELLOW

            normal = '\x1b[0m'

            return ''.join([COLOR_SEQ % COLOR_SQL, sql, normal])

        if configuration['debug']:

            #attach events only for debug configuration

            def before_cursor_execute(conn, cursor, statement,

                                    parameters, context, executemany):

                context._query_start_time = time.time()

                log.info(color_sql(">>>>> STARTING QUERY >>>>>"))

            def after_cursor_execute(conn, cursor, statement,

                                    parameters, context, executemany):

                total = time.time() - context._query_start_time

                log.info(color_sql("<<<<< TOTAL TIME: %f <<<<<" % total))

            event.listen(engine, "before_cursor_execute",

                         before_cursor_execute)

            event.listen(engine, "after_cursor_execute",

                         after_cursor_execute)

    return engine

def age(curdate):

    """

    turns a datetime into an age string.

    :param curdate: datetime object

    :rtype: unicode

    :returns: unicode words describing age

    """

    from datetime import datetime

    from webhelpers.date import time_ago_in_words

    _ = lambda s: s

    if not curdate:

        return ''

    agescales = [(_(u"year"), 3600 * 24 * 365),

                 (_(u"month"), 3600 * 24 * 30),

                 (_(u"day"), 3600 * 24),

                 (_(u"hour"), 3600),

                 (_(u"minute"), 60),

                 (_(u"second"), 1), ]

    age = datetime.now() - curdate

    age_seconds = (age.days * agescales[2][1]) + age.seconds

    pos = 1

    def _extract_submodules(self):

        """

        returns a dictionary with submodule information from substate file

        of hg repository

        """

        return self._ctx.substate

    def get_file_mode(self, path):

        """

        Returns stat mode of the file at the given ``path``.

        """

        fctx = self._get_filectx(path)

        if 'x' in fctx.flags():

            return 0100755

        else:

            return 0100644

    def get_file_content(self, path):

        """

        Returns content of the file at given ``path``.

        """

        fctx = self._get_filectx(path)

        return fctx.data()

    def get_file_size(self, path):

        """

        Returns size of the file at given ``path``.

        """

        fctx = self._get_filectx(path)

        return fctx.size()

    def get_file_changeset(self, path):

        """

        Returns last commit of the file at the given ``path``.

        """

        node = self.get_node(path)

        return node.history[0]

    def get_file_history(self, path):

        """

        Returns history of file as reversed list of ``Changeset`` objects for

        which file at given ``path`` has been modified.

        """

        fctx = self._get_filectx(path)

        nodes = [fctx.filectx(x).node() for x in fctx.filelog()]

        changesets = [self.repository.get_changeset(hex(node))

            for node in reversed(nodes)]

        return changesets

    def get_file_annotate(self, path):

        """

        Returns a list of three element tuples with lineno,changeset and line

        """

        fctx = self._get_filectx(path)

        annotate = []

        for i, annotate_data in enumerate(fctx.annotate()):

            ln_no = i + 1

            annotate.append((ln_no, self.repository\

                             .get_changeset(hex(annotate_data[0].node())),

                             annotate_data[1],))

        return annotate

    def fill_archive(self, stream=None, kind='tgz', prefix=None,

                     subrepos=False):

        """

        Fills up given stream.

        :param stream: file like object.

        :param kind: one of following: ``zip``, ``tgz`` or ``tbz2``.

            Default: ``tgz``.

        :param prefix: name of root directory in archive.

            Default is repository name and changeset's raw_id joined with dash

            (``repo-tip.<KIND>``).

        :param subrepos: include subrepos in this archive.

        :raise ImproperArchiveTypeError: If given kind is wrong.

        :raise VcsError: If given stream is None

        """

        allowed_kinds = settings.ARCHIVE_SPECS.keys()

        if kind not in allowed_kinds:

            raise ImproperArchiveTypeError('Archive kind not supported use one'

                'of %s', allowed_kinds)

        if stream is None:

            raise VCSError('You need to pass in a valid stream for filling'

                           ' with archival data')

        if prefix is None:

            prefix = '%s-%s' % (self.repository.name, self.short_id)

        elif prefix.startswith('/'):

            raise VCSError("Prefix cannot start with leading slash")

        elif prefix.strip() == '':

            raise VCSError("Prefix cannot be empty")

        archival.archive(self.repository._repo, stream, self.raw_id,

                         kind, prefix=prefix, subrepos=subrepos)

        if stream.closed and hasattr(stream, 'name'):

            stream = open(stream.name, 'rb')

        elif hasattr(stream, 'mode') and 'r' not in stream.mode:

            stream = open(stream.name, 'rb')

        else:

            stream.seek(0)

    def get_nodes(self, path):

        """

        Returns combined ``DirNode`` and ``FileNode`` objects list representing

        state of changeset at the given ``path``. If node at the given ``path``

        is not instance of ``DirNode``, ChangesetError would be raised.

        """

        if self._get_kind(path) != NodeKind.DIR:

            raise ChangesetError("Directory does not exist for revision %r at "

                " %r" % (self.revision, path))

        path = self._fix_path(path)

        filenodes = [FileNode(f, changeset=self) for f in self._file_paths

            if os.path.dirname(f) == path]

        dirs = path == '' and '' or [d for d in self._dir_paths

            if d and posixpath.dirname(d) == path]

        dirnodes = [DirNode(d, changeset=self) for d in dirs

            if os.path.dirname(d) == path]

        als = self.repository.alias

        for k, vals in self._extract_submodules().iteritems():

            #vals = url,rev,type

            loc = vals[0]

            cs = vals[1]

            dirnodes.append(SubModuleNode(k, url=loc, changeset=cs,

                                          alias=als))

        nodes = dirnodes + filenodes

        # cache nodes

        for node in nodes:

            self.nodes[node.path] = node

        nodes.sort()

        return nodes

    def get_node(self, path):

        """

        Returns ``Node`` object from the given ``path``. If there is no node at

        the given ``path``, ``ChangesetError`` would be raised.

        """

        path = self._fix_path(path)

        if not path in self.nodes:

            if path in self._file_paths:

                node = FileNode(path, changeset=self)

            elif path in self._dir_paths or path in self._dir_paths:

                if path == '':

                    node = RootNode(changeset=self)

                else:

                    node = DirNode(path, changeset=self)

            else:

                raise NodeDoesNotExistError("There is no file nor directory "

                    "at the given path: %r at revision %r"

                    % (path, self.short_id))

            # cache node

            self.nodes[path] = node

        return self.nodes[path]

    @LazyProperty

    def affected_files(self):

        """

        Get's a fast accessible file changes for given changeset

        """

        return self._ctx.files()

    @property

    def added(self):

        """

        Returns list of added ``FileNode`` objects.

        """

        return AddedFileNodesGenerator([n for n in self.status[1]], self)

    @property

    def changed(self):

        """

        Returns list of modified ``FileNode`` objects.

        """

        return ChangedFileNodesGenerator([n for n in  self.status[0]], self)

    @property

    def removed(self):

        """

        Returns list of removed ``FileNode`` objects.

        """

        return RemovedFileNodesGenerator([n for n in self.status[2]], self)

"""

This module provides some useful tools for ``vcs`` like annotate/diff html

output. It also includes some internal helpers.

"""

import sys

import time

import datetime

def makedate():

    lt = time.localtime()

    if lt[8] == 1 and time.daylight:

        tz = time.altzone

    else:

        tz = time.timezone

    return time.mktime(lt), tz

def date_fromtimestamp(unixts, tzoffset=0):

    """

    Makes a local datetime object out of unix timestamp

    :param unixts:

    :param tzoffset:

    """

    return datetime.datetime.fromtimestamp(float(unixts))

def safe_unicode(str_, from_encoding=None):

    """

    safe unicode function. Does few trick to turn str_ into unicode

    In case of UnicodeDecode error we try to return it with encoding detected

    by chardet library if it fails fallback to unicode with errors replaced

    :param str_: string to decode

    :rtype: unicode

    :returns: unicode object

    """

    if isinstance(str_, unicode):

        return str_

    if not from_encoding:

        import rhodecode

        DEFAULT_ENCODING = rhodecode.CONFIG.get('default_encoding', 'utf8')

        from_encoding = DEFAULT_ENCODING

    try:

        return unicode(str_)

    except UnicodeDecodeError:

        pass

    try:

        return unicode(str_, from_encoding)

    except UnicodeDecodeError:

        pass

    try:

        import chardet

        encoding = chardet.detect(str_)['encoding']

        if encoding is None:

            raise Exception()

        return str_.decode(encoding)

    except (ImportError, UnicodeDecodeError, Exception):

        return unicode(str_, from_encoding, 'replace')

def safe_str(unicode_, to_encoding=None):

    """

    safe str function. Does few trick to turn unicode_ into string

    In case of UnicodeEncodeError we try to return it with encoding detected

    by chardet library if it fails fallback to string with errors replaced

    :param unicode_: unicode to encode

    :rtype: str

    :returns: str object

    """

    if isinstance(unicode_, str):

        return unicode_

    if not to_encoding:

        import rhodecode

        DEFAULT_ENCODING = rhodecode.CONFIG.get('default_encoding', 'utf8')

        to_encoding = DEFAULT_ENCODING

    try:

        return unicode_.encode(to_encoding)

    except UnicodeEncodeError:

        pass

    try:

        import chardet

        encoding = chardet.detect(unicode_)['encoding']

        if encoding is None:

            raise UnicodeEncodeError()

        return unicode_.encode(encoding)

    except (ImportError, UnicodeEncodeError):

        return unicode_.encode(to_encoding, 'replace')

    return safe_str

def author_email(author):

    """

    returns email address of given author.

    If any of <,> sign are found, it fallbacks to regex findall()

    and returns first found result or empty string

    Regex taken from http://www.regular-expressions.info/email.html

    """

    import re

    r = author.find('>')

    l = author.find('<')

    if l == -1 or r == -1:

        # fallback to regex match of email out of a string

        email_re = re.compile(r"""[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!"""

                              r"""#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z"""

                              r"""0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]"""

                              r"""*[a-z0-9])?""", re.IGNORECASE)

        m = re.findall(email_re, author)

        return m[0] if m else ''

    return author[l + 1:r].strip()

def author_name(author):

    """

    get name of author, or else username.

    It'll try to find an email in the author string and just cut it off

    to get the username

    """

    if not '@' in author:

        return author

    else:

        return author.replace(author_email(author), '').replace('<', '')\

            .replace('>', '').strip()

        # user global permissions

        user_perms = self.sa.query(UserToPerm)\

                .options(joinedload(UserToPerm.permission))\

                .filter(UserToPerm.user_id == uid).all()

        for perm in user_perms:

            user.permissions[GLOBAL].add(perm.permission.permission_name)

        # user explicit permissions for repositories

        user_repo_perms = \

         self.sa.query(UserRepoToPerm, Permission, Repository)\

         .join((Repository, UserRepoToPerm.repository_id == Repository.repo_id))\

         .join((Permission, UserRepoToPerm.permission_id == Permission.permission_id))\

         .filter(UserRepoToPerm.user_id == uid)\

         .all()

        for perm in user_repo_perms:

            # set admin if owner

            r_k = perm.UserRepoToPerm.repository.repo_name

            if perm.Repository.user_id == uid:

                p = 'repository.admin'

            else:

                p = perm.Permission.permission_name

            user.permissions[RK][r_k] = p

        # USER GROUP

        #==================================================================

        # check if user is part of user groups for this repository and

        # fill in (or replace with higher) permissions

        #==================================================================

        # users group global

        user_perms_from_users_groups = self.sa.query(UsersGroupToPerm)\

            .options(joinedload(UsersGroupToPerm.permission))\

            .join((UsersGroupMember, UsersGroupToPerm.users_group_id ==

                   UsersGroupMember.users_group_id))\

            .filter(UsersGroupMember.user_id == uid).all()

        for perm in user_perms_from_users_groups:

            user.permissions[GLOBAL].add(perm.permission.permission_name)

        # users group for repositories permissions

        user_repo_perms_from_users_groups = \

         self.sa.query(UsersGroupRepoToPerm, Permission, Repository,)\

         .join((Repository, UsersGroupRepoToPerm.repository_id == Repository.repo_id))\

         .join((Permission, UsersGroupRepoToPerm.permission_id == Permission.permission_id))\

         .join((UsersGroupMember, UsersGroupRepoToPerm.users_group_id == UsersGroupMember.users_group_id))\

         .filter(UsersGroupMember.user_id == uid)\

         .all()

        for perm in user_repo_perms_from_users_groups:

            r_k = perm.UsersGroupRepoToPerm.repository.repo_name

            p = perm.Permission.permission_name

            cur_perm = user.permissions[RK][r_k]

            # overwrite permission only if it's greater than permission

            # given from other sources

            if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm]:

                user.permissions[RK][r_k] = p

        # REPO GROUP

        #==================================================================

        # get access for this user for repos group and override defaults

        #==================================================================

        # user explicit permissions for repository

        user_repo_groups_perms = \

         self.sa.query(UserRepoGroupToPerm, Permission, RepoGroup)\

         .join((RepoGroup, UserRepoGroupToPerm.group_id == RepoGroup.group_id))\

         .join((Permission, UserRepoGroupToPerm.permission_id == Permission.permission_id))\

         .filter(UserRepoGroupToPerm.user_id == uid)\

         .all()

        for perm in user_repo_groups_perms:

            rg_k = perm.UserRepoGroupToPerm.group.group_name

            p = perm.Permission.permission_name

            cur_perm = user.permissions[GK][rg_k]

            if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm]:

                user.permissions[GK][rg_k] = p

        # REPO GROUP + USER GROUP

        #==================================================================

        # check if user is part of user groups for this repo group and

        # fill in (or replace with higher) permissions

        #==================================================================

        # users group for repositories permissions

        user_repo_group_perms_from_users_groups = \

         self.sa.query(UsersGroupRepoGroupToPerm, Permission, RepoGroup)\

         .join((RepoGroup, UsersGroupRepoGroupToPerm.group_id == RepoGroup.group_id))\

         .join((Permission, UsersGroupRepoGroupToPerm.permission_id == Permission.permission_id))\

         .join((UsersGroupMember, UsersGroupRepoGroupToPerm.users_group_id == UsersGroupMember.users_group_id))\

         .filter(UsersGroupMember.user_id == uid)\

         .all()

        for perm in user_repo_group_perms_from_users_groups:

            g_k = perm.UsersGroupRepoGroupToPerm.group.group_name

            p = perm.Permission.permission_name

            cur_perm = user.permissions[GK][g_k]

            # overwrite permission only if it's greater than permission

            # given from other sources

            if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm]:

                user.permissions[GK][g_k] = p

        return user

    def has_perm(self, user, perm):

        if not isinstance(perm, Permission):

            raise Exception('perm needs to be an instance of Permission class '

                            'got %s instead' % type(perm))

        user = self.__get_user(user)

        return UserToPerm.query().filter(UserToPerm.user == user)\

            .filter(UserToPerm.permission == perm).scalar() is not None

    def grant_perm(self, user, perm):

        """

        Grant user global permissions

        :param user:

        :param perm:

        """

        user = self.__get_user(user)

        perm = self.__get_perm(perm)

        # if this permission is already granted skip it

        _perm = UserToPerm.query()\

            .filter(UserToPerm.user == user)\

            .filter(UserToPerm.permission == perm)\

            .scalar()

        if _perm:

            return

        new = UserToPerm()

        new.user = user

        new.permission = perm

        self.sa.add(new)

    def revoke_perm(self, user, perm):

        """

        Revoke users global permissions

        :param user:

        :param perm:

        """

        user = self.__get_user(user)

        perm = self.__get_perm(perm)

        obj = UserToPerm.query()\

                .filter(UserToPerm.user == user)\

                .filter(UserToPerm.permission == perm)\

                .scalar()

        if obj:

            self.sa.delete(obj)