"""

    Pylons middleware initialization

"""

from routes.middleware import RoutesMiddleware

from paste.cascade import Cascade

from paste.registry import RegistryManager

from paste.urlparser import StaticURLParser

from paste.deploy.converters import asbool

from paste.gzipper import make_gzip_middleware

from pylons.middleware import ErrorHandler, StatusCodeRedirect

from pylons.wsgiapp import PylonsApp

from kallithea.lib.middleware.simplehg import SimpleHg

from kallithea.lib.middleware.simplegit import SimpleGit

from kallithea.lib.middleware.https_fixup import HttpsFixup

from kallithea.lib.middleware.sessionmiddleware import SecureSessionMiddleware

from kallithea.config.environment import load_environment

from kallithea.lib.middleware.wrapper import RequestWrapper

def make_app(global_conf, full_stack=True, static_files=True, **app_conf):

    """Create a Pylons WSGI application and return it

    ``global_conf``

        The inherited configuration for this application. Normally from

        the [DEFAULT] section of the Paste ini file.

    ``full_stack``

        Whether or not this application provides a full WSGI stack (by

        default, meaning it handles its own exceptions and errors).

        Disable full_stack when this application is "managed" by

        another WSGI middleware.

    ``app_conf``

        The application's local configuration. Normally specified in

        the [app:<name>] section of the Paste ini file (where <name>

        defaults to main).

    """

    # Configure the Pylons environment

    config = load_environment(global_conf, app_conf)

    # The Pylons WSGI app

    app = PylonsApp(config=config)

    # Routing/Session/Cache Middleware

    app = SecureSessionMiddleware(app, config)

    # CUSTOM MIDDLEWARE HERE (filtered by error handling middlewares)

    if asbool(config['pdebug']):

        from kallithea.lib.profiler import ProfilingMiddleware

        app = ProfilingMiddleware(app)

    if asbool(full_stack):

        from kallithea.lib.middleware.sentry import Sentry

        from kallithea.lib.middleware.errormator import Errormator

        if Errormator and asbool(config['app_conf'].get('errormator')):

            app = Errormator(app, config)

        elif Sentry:

            app = Sentry(app, config)

        # Handle Python exceptions

        app = ErrorHandler(app, global_conf, **config['pylons.errorware'])

        # Display error documents for 401, 403, 404 status codes (and

        # 500 when debug is disabled)

        # Note: will buffer the output in memory!

        if asbool(config['debug']):

            app = StatusCodeRedirect(app)

        else:

            app = StatusCodeRedirect(app, [400, 401, 403, 404, 500])

        # we want our low level middleware to get to the request ASAP. We don't

        # need any pylons stack middleware in them - especially no StatusCodeRedirect buffering

        app = SimpleHg(app, config)

        app = SimpleGit(app, config)

        # Enable https redirects based on HTTP_X_URL_SCHEME set by proxy

        if any(asbool(config.get(x)) for x in ['https_fixup', 'force_https', 'use_htsts']):

            app = HttpsFixup(app, config)

        app = RequestWrapper(app, config) # logging

    # Establish the Registry for this application

    app = RegistryManager(app) # thread / request-local module globals / variables

    if asbool(static_files):

        # Serve static files

        static_app = StaticURLParser(config['pylons.paths']['static_files'])

        app = Cascade([static_app, app])

        app = make_gzip_middleware(app, global_conf, compress_level=1)

    app.config = config

    if message:

        h.flash(h.literal(message), category='warning')

    p = request.path_qs

    log.debug('Redirecting to login page, origin: %s', p)

    return HTTPFound(location=url('login_home', came_from=p))

class LoginRequired(object):

    """

    Must be logged in to execute this function else

    redirect to login page

    :param api_access: if enabled this checks only for valid auth token

        and grants access based on valid token

    """

    def __init__(self, api_access=False):

        self.api_access = api_access

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        controller = fargs[0]

        user = controller.authuser

        loc = "%s:%s" % (controller.__class__.__name__, func.__name__)

        log.debug('Checking access for user %s @ %s', user, loc)

        if not AuthUser.check_ip_allowed(user, controller.ip_addr):

            raise _redirect_to_login(_('IP %s not allowed') % controller.ip_addr)

        # check if we used an API key and it's a valid one

        api_key = request.GET.get('api_key')

        if api_key is not None:

            # explicit controller is enabled or API is in our whitelist

            if self.api_access or allowed_api_access(loc, api_key=api_key):

                if api_key in user.api_keys:

                    log.info('user %s authenticated with API key ****%s @ %s',

                             user, api_key[-4:], loc)

                    return func(*fargs, **fkwargs)

                else:

                    log.warning('API key ****%s is NOT valid', api_key[-4:])

                    raise _redirect_to_login(_('Invalid API key'))

            else:

                # controller does not allow API access

                log.warning('API access to %s is not allowed', loc)

                raise HTTPForbidden()

            raise HTTPMethodNotAllowed()

        _method = request.params.get('_method')

        if _method is None:

            pass # no override, no problem

        else:

            raise HTTPMethodNotAllowed()

        # Make sure CSRF token never appears in the URL. If so, invalidate it.

        if secure_form.token_key in request.GET:

            log.error('CSRF key leak detected')

            session.pop(secure_form.token_key, None)

            session.save()

            from kallithea.lib import helpers as h

            h.flash(_("CSRF token leak has been detected - all form tokens have been expired"),

                    category='error')

        # CSRF protection: Whenever a request has ambient authority (whether

        # through a session cookie or its origin IP address), it must include

        # the correct token, unless the HTTP method is GET or HEAD (and thus

        # guaranteed to be side effect free. In practice, the only situation

        # where we allow side effects without ambient authority is when the

        # authority comes from an API key; and that is handled above.

        if request.method not in ['GET', 'HEAD']:

            token = request.POST.get(secure_form.token_key)

            if not token or token != secure_form.authentication_token():

                log.error('CSRF check failed')

                raise HTTPForbidden()

        # WebOb already ignores request payload parameters for anything other

        # than POST/PUT, but double-check since other Kallithea code relies on

        # this assumption.

        if request.method not in ['POST', 'PUT'] and request.POST:

            log.error('%r request with payload parameters; WebOb should have stopped this', request.method)

            raise HTTPBadRequest()

        # regular user authentication

        if user.is_authenticated or user.is_default_user:

            log.info('user %s authenticated with regular auth @ %s', user, loc)

            return func(*fargs, **fkwargs)

        else:

            log.warning('user %s NOT authenticated with regular auth @ %s', user, loc)

            raise _redirect_to_login()

class NotAnonymous(object):

    """

    Must be logged in to execute this function else

    redirect to login page"""

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):