if ip_allowed:

            log.info('Access for IP:%s allowed', ip_addr)

        else:

            return False

        if action == 'push':

            if not HasPermissionAnyMiddleware('repository.write',

                                              'repository.admin')(user,

                                                                  repo_name):

                return False

        else:

            #any other action need at least read permission

            if not HasPermissionAnyMiddleware('repository.read',

                                              'repository.write',

                                              'repository.admin')(user,

                                                                  repo_name):

                return False

        return True

    def _get_ip_addr(self, environ):

        return _get_ip_addr(environ)

        """

        Checks locking on this repository, if locking is enabled, and if lock

        is present. Returns a tuple of make_lock, locked, locked_by. make_lock

        can have 3 states: None (do nothing), True (make lock), and False

        (release lock). This value is later propagated to hooks, telling them

        what to do.

        """

        locked = False  # defines that locked error should be thrown to user

        make_lock = None

        locked_by = repo.locked

        if repo and repo.enable_locking:

            if action == 'push':

                # Check if repo already is locked !, if it is compare users

                user_id, _date = locked_by

                if user.user_id == user_id:

                    log.debug('Got push from user %s, now unlocking', user)

                    # Unlock if we have push from the user who locked

                    make_lock = False

                else:

                    # Another used tried to push - deny access with something like 423 Locked!

                    locked = True

            if action == 'pull':

                if repo.locked[0] and repo.locked[1]:

                    locked = True

                else:

                    log.debug('Setting lock on repo %s by %s', repo, user)

                    make_lock = True

        else:

            log.debug('Repository %s does not have locking enabled', repo)

        log.debug('FINAL locking values make_lock:%s,locked:%s,locked_by:%s',

                  make_lock, locked, locked_by)

        return make_lock, locked, locked_by

kallithea.lib.middleware.simplegit

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SimpleGit middleware for handling git protocol request (push/clone etc.)

It's implemented with basic auth function

This file was forked by the Kallithea project in July 2014.

Original author and date, and relevant copyright and licensing information is below:

:created_on: Apr 28, 2010

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import os

import re

import logging

import traceback

from paste.httpheaders import REMOTE_USER, AUTH_TYPE

from webob.exc import HTTPNotFound, HTTPForbidden, HTTPInternalServerError, \

    HTTPNotAcceptable

from kallithea.lib.utils2 import safe_str, safe_unicode, fix_PATH, get_server_url, \

    _set_extras

from kallithea.lib.base import BaseVCSController, WSGIResultCloseCallback

from kallithea.lib.utils import make_ui, is_valid_repo

from kallithea.lib.exceptions import HTTPLockedRC

from kallithea.lib.hooks import pre_pull

from kallithea.lib import auth_modules

log = logging.getLogger(__name__)

GIT_PROTO_PAT = re.compile(r'^/(.+)/(info/refs|git-upload-pack|git-receive-pack)')

def is_git(environ):

    path_info = environ['PATH_INFO']

    isgit_path = GIT_PROTO_PAT.match(path_info)

    log.debug('pathinfo: %s detected as Git %s',

        path_info, isgit_path is not None

    )

    return isgit_path

        # in hooks executed by kallithea

        from kallithea import CONFIG

        server_url = get_server_url(environ)

        extras = {

            'ip': ip_addr,

            'username': user.username,

            'action': action,

            'repository': repo_name,

            'scm': 'git',

            'config': CONFIG['__file__'],

            'server_url': server_url,

            'make_lock': None,

            'locked_by': [None, None]

        }

        #===================================================================

        # GIT REQUEST HANDLING

        #===================================================================

        repo_path = os.path.join(safe_str(self.basepath),str_repo_name)

        log.debug('Repository path is %s', repo_path)

        # CHECK LOCKING only if it's not ANONYMOUS USER

        if not user.is_default_user:

            log.debug('Checking locking on repository')

            # store the make_lock for later evaluation in hooks

            extras.update({'make_lock': make_lock,

                           'locked_by': locked_by})

        fix_PATH()

        log.debug('HOOKS extras is %s', extras)

        baseui = make_ui('db')

        self.__inject_extras(repo_path, baseui, extras)

        try:

            self._handle_githooks(repo_name, action, baseui, environ)

            log.info('%s action on Git repo "%s" by "%s" from %s',

                     action, str_repo_name, safe_str(user.username), ip_addr)

            app = self.__make_app(repo_name, repo_path, extras)

            result = app(environ, start_response)

            if action == 'push':

                result = WSGIResultCloseCallback(result,

                    lambda: self._invalidate_cache(repo_name))

            return result

        except HTTPLockedRC as e:

            log.debug('Locked, response %s: %s', e.code, e.title)

            return e(environ, start_response)

        except Exception:

            log.error(traceback.format_exc())

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""

kallithea.lib.middleware.simplehg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SimpleHg middleware for handling mercurial protocol request

(push/clone etc.). It's implemented with basic auth function

This file was forked by the Kallithea project in July 2014.

Original author and date, and relevant copyright and licensing information is below:

:created_on: Apr 28, 2010

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import os

import logging

import traceback

from webob.exc import HTTPNotFound, HTTPForbidden, HTTPInternalServerError, \

    HTTPNotAcceptable, HTTPBadRequest

from kallithea.lib.utils2 import safe_str, safe_unicode, fix_PATH, get_server_url, \

    _set_extras

from kallithea.lib.base import BaseVCSController, WSGIResultCloseCallback

from kallithea.lib.utils import make_ui, is_valid_repo, ui_sections

from kallithea.lib.vcs.utils.hgcompat import RepoError, hgweb_mod

from kallithea.lib.exceptions import HTTPLockedRC

log = logging.getLogger(__name__)

def is_mercurial(environ):

    """

    Returns True if request's target is mercurial server - header

    ``HTTP_ACCEPT`` of such request would start with ``application/mercurial``.

    """

    http_accept = environ.get('HTTP_ACCEPT')

    path_info = environ['PATH_INFO']

    if http_accept and http_accept.startswith('application/mercurial'):

        ishg_path = True

    else:

        ishg_path = False

    log.debug('pathinfo: %s detected as Mercurial %s',

            'ip': ip_addr,

            'username': user.username,

            'action': action,

            'repository': repo_name,

            'scm': 'hg',

            'config': CONFIG['__file__'],

            'server_url': server_url,

            'make_lock': None,

            'locked_by': [None, None]

        }

        #======================================================================

        # MERCURIAL REQUEST HANDLING

        #======================================================================

        repo_path = os.path.join(safe_str(self.basepath), str_repo_name)

        log.debug('Repository path is %s', repo_path)

        # A Mercurial HTTP server will see listkeys operations (bookmarks,

        # phases and obsolescence marker) in a different request - we don't

        # want to check locking on those

        if environ['QUERY_STRING'] == 'cmd=listkeys':

            pass

        # CHECK LOCKING only if it's not ANONYMOUS USER

        elif not user.is_default_user:

            log.debug('Checking locking on repository')

            # store the make_lock for later evaluation in hooks

            extras.update({'make_lock': make_lock,

                           'locked_by': locked_by})

        fix_PATH()

        log.debug('HOOKS extras is %s', extras)

        baseui = make_ui('db')

        self.__inject_extras(repo_path, baseui, extras)

        try:

            log.info('%s action on Mercurial repo "%s" by "%s" from %s',

                     action, str_repo_name, safe_str(user.username), ip_addr)

            app = self.__make_app(repo_path, baseui, extras)

            result = app(environ, start_response)

            if action == 'push':

                result = WSGIResultCloseCallback(result,

                    lambda: self._invalidate_cache(repo_name))

            return result

        except RepoError as e:

            if str(e).find('not found') != -1:

                return HTTPNotFound()(environ, start_response)

        except HTTPLockedRC as e:

            # Before Mercurial 3.6, lock exceptions were caught here

            log.debug('Locked, response %s: %s', e.code, e.title)