Changeset - 34a9b64a5e00
Merge beta
0 7 0
Marcin Kuzminski - 15 years ago 2011-04-26 20:28:46
marcin@python-works.com
Merge with 74685a31cc43600646843697dfa8bb2094eb1ea5 - contributions to LDAP made by Lorenzo M. Catucci
7 files changed with 38 insertions and 21 deletions:
rhodecode/controllers/admin/ldap_settings.py
 
@@ -14,111 +14,121 @@
 
# it under the terms of the GNU General Public License as published by
 
# the Free Software Foundation, either version 3 of the License, or
 
# (at your option) any later version.
 
#
 
# This program is distributed in the hope that it will be useful,
 
# but WITHOUT ANY WARRANTY; without even the implied warranty of
 
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 
# GNU General Public License for more details.
 
#
 
# You should have received a copy of the GNU General Public License
 
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
import logging
 
import formencode
 
import traceback
 

	
 
from formencode import htmlfill
 

	
 
from pylons import request, response, session, tmpl_context as c, url
 
from pylons.controllers.util import abort, redirect
 
from pylons.i18n.translation import _
 

	
 
from rhodecode.lib.base import BaseController, render
 
from rhodecode.lib import helpers as h
 
from rhodecode.lib.auth import LoginRequired, HasPermissionAllDecorator
 
from rhodecode.lib.auth_ldap import LdapImportError
 
from rhodecode.model.settings import SettingsModel
 
from rhodecode.model.forms import LdapSettingsForm
 
from sqlalchemy.exc import DatabaseError
 

	
 
log = logging.getLogger(__name__)
 

	
 

	
 
class LdapSettingsController(BaseController):
 

	
 
    search_scope_choices = [('BASE', _('BASE'),),
 
                            ('ONELEVEL', _('ONELEVEL'),),
 
                            ('SUBTREE', _('SUBTREE'),),
 
                            ]
 
    search_scope_default = 'SUBTREE'
 

	
 
    tls_reqcert_choices = [('NEVER', _('NEVER'),),
 
                           ('ALLOW', _('ALLOW'),),
 
                           ('TRY', _('TRY'),),
 
                           ('DEMAND', _('DEMAND'),),
 
                           ('HARD', _('HARD'),),
 
                           ]
 
    tls_reqcert_default = 'DEMAND'
 

	
 
    tls_kind_choices = [('PLAIN', _('No encryption'),),
 
                        ('LDAPS', _('LDAPS connection'),),
 
                        ('START_TLS', _('START_TLS on LDAP connection'),)
 
                        ]
 

	
 
    tls_kind_default = 'PLAIN'
 

	
 
    @LoginRequired()
 
    @HasPermissionAllDecorator('hg.admin')
 
    def __before__(self):
 
        c.admin_user = session.get('admin_user')
 
        c.admin_username = session.get('admin_username')
 
        c.search_scope_choices = self.search_scope_choices
 
        c.tls_reqcert_choices = self.tls_reqcert_choices
 
        c.tls_kind_choices = self.tls_kind_choices
 
        super(LdapSettingsController, self).__before__()
 

	
 
    def index(self):
 
        defaults = SettingsModel().get_ldap_settings()
 
        c.search_scope_cur = defaults.get('ldap_search_scope')
 
        c.tls_reqcert_cur = defaults.get('ldap_tls_reqcert')
 
        c.tls_kind_cur = defaults.get('ldap_tls_kind')
 

	
 
        return htmlfill.render(
 
                    render('admin/ldap/ldap.html'),
 
                    defaults=defaults,
 
                    encoding="UTF-8",
 
                    force_defaults=True,)
 

	
 
    def ldap_settings(self):
 
        """POST ldap create and store ldap settings"""
 

	
 
        settings_model = SettingsModel()
 
        _form = LdapSettingsForm([x[0] for x in self.tls_reqcert_choices],
 
                                 [x[0] for x in self.search_scope_choices])()
 
                                 [x[0] for x in self.search_scope_choices],
 
                                 [x[0] for x in self.tls_kind_choices])()
 

	
 
        try:
 
            form_result = _form.to_python(dict(request.POST))
 
            try:
 

	
 
                for k, v in form_result.items():
 
                    if k.startswith('ldap_'):
 
                        setting = settings_model.get(k)
 
                        setting.app_settings_value = v
 
                        self.sa.add(setting)
 

	
 
                self.sa.commit()
 
                h.flash(_('Ldap settings updated successfully'),
 
                    category='success')
 
            except (DatabaseError,):
 
                raise
 
        except LdapImportError:
 
            h.flash(_('Unable to activate ldap. The "python-ldap" library '
 
                      'is missing.'), category='warning')
 

	
 
        except formencode.Invalid, errors:
 

	
 
            c.search_scope_cur = self.search_scope_default
 
            c.tls_reqcert_cur = self.search_scope_default
 

	
 
            return htmlfill.render(
 
                render('admin/ldap/ldap.html'),
 
                defaults=errors.value,
 
                errors=errors.error_dict or {},
 
                prefix_error=False,
 
                encoding="UTF-8")
 
        except Exception:
 
            log.error(traceback.format_exc())
 
            h.flash(_('error occurred during update of ldap settings'),
 
                    category='error')
 

	
 
        return redirect(url('ldap_home'))
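Review bot: The `formencode.Invalid` branch of `ldap_settings` never assigns `c.tls_kind_cur`, so after a failed validation the new connection-security select is re-rendered without a current value, and `tls_kind_default` is not used anywhere in this section. The same branch sets `c.tls_reqcert_cur = self.search_scope_default`, which puts 'SUBTREE' into the certificate-check selector. It should read `c.tls_reqcert_cur = self.tls_reqcert_default`, with `c.tls_kind_cur = self.tls_kind_default` added next to it. A comment on `tls_kind_default = 'PLAIN'` should state that this default sends the bind password and user passwords over an unencrypted connection.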
rhodecode/lib/auth.py
 
@@ -145,117 +145,117 @@ def authenticate(username, password):
 
    """Authentication function used for access control,
 
    firstly checks for db authentication then if ldap is enabled for ldap
 
    authentication, also creates ldap user if not in database
 

	
 
    :param username: username
 
    :param password: password
 
    """
 
    user_model = UserModel()
 
    user = user_model.get_by_username(username, cache=False)
 

	
 
    log.debug('Authenticating user using RhodeCode account')
 
    if user is not None and not user.ldap_dn:
 
        if user.active:
 
            if user.username == 'default' and user.active:
 
                log.info('user %s authenticated correctly as anonymous user',
 
                         username)
 
                return True
 

	
 
            elif user.username == username and check_password(password,
 
                                                              user.password):
 
                log.info('user %s authenticated correctly', username)
 
                return True
 
        else:
 
            log.warning('user %s is disabled', username)
 

	
 
    else:
 
        log.debug('Regular authentication failed')
 
        user_obj = user_model.get_by_username(username, cache=False,
 
                                            case_insensitive=True)
 

	
 
        if user_obj is not None and not user_obj.ldap_dn:
 
            log.debug('this user already exists as non ldap')
 
            return False
 

	
 
        from rhodecode.model.settings import SettingsModel
 
        ldap_settings = SettingsModel().get_ldap_settings()
 

	
 
        #======================================================================
 
        # FALLBACK TO LDAP AUTH IF ENABLE
 
        #======================================================================
 
        if str2bool(ldap_settings.get('ldap_active')):
 
            log.debug("Authenticating user using ldap")
 
            kwargs = {
 
                  'server': ldap_settings.get('ldap_host', ''),
 
                  'base_dn': ldap_settings.get('ldap_base_dn', ''),
 
                  'port': ldap_settings.get('ldap_port'),
 
                  'bind_dn': ldap_settings.get('ldap_dn_user'),
 
                  'bind_pass': ldap_settings.get('ldap_dn_pass'),
 
                  'use_ldaps': str2bool(ldap_settings.get('ldap_ldaps')),
 
                  'tls_kind': ldap_settings.get('ldap_tls_kind'),
 
                  'tls_reqcert': ldap_settings.get('ldap_tls_reqcert'),
 
                  'ldap_filter': ldap_settings.get('ldap_filter'),
 
                  'search_scope': ldap_settings.get('ldap_search_scope'),
 
                  'attr_login': ldap_settings.get('ldap_attr_login'),
 
                  'ldap_version': 3,
 
                  }
 
            log.debug('Checking for ldap authentication')
 
            try:
 
                aldap = AuthLdap(**kwargs)
 
                (user_dn, ldap_attrs) = aldap.authenticate_ldap(username,
 
                                                                password)
 
                log.debug('Got ldap DN response %s', user_dn)
 

	
 
                user_attrs = {
 
                    'name': ldap_attrs[ldap_settings\
 
                                       .get('ldap_attr_firstname')][0],
 
                    'lastname': ldap_attrs[ldap_settings\
 
                                           .get('ldap_attr_lastname')][0],
 
                    'email': ldap_attrs[ldap_settings\
 
                                        .get('ldap_attr_email')][0],
 
                    'name': ldap_attrs.get(ldap_settings\
 
                                       .get('ldap_attr_firstname'), [''])[0],
 
                    'lastname': ldap_attrs.get(ldap_settings\
 
                                           .get('ldap_attr_lastname'),[''])[0],
 
                    'email': ldap_attrs.get(ldap_settings\
 
                                        .get('ldap_attr_email'), [''])[0],
 
                    }
 

	
 
                if user_model.create_ldap(username, password, user_dn,
 
                                          user_attrs):
 
                    log.info('created new ldap user %s', username)
 

	
 
                return True
 
            except (LdapUsernameError, LdapPasswordError,):
 
                pass
 
            except (Exception,):
 
                log.error(traceback.format_exc())
 
                pass
 
    return False
 

	
 

	
 
class  AuthUser(object):
 
    """
 
    A simple object that handles all attributes of user in RhodeCode
 

	
 
    It does lookup based on API key,given user, or user present in session
 
    Then it fills all required information for such user. It also checks if
 
    anonymous access is enabled and if so, it returns default user as logged
 
    in
 
    """
 

	
 
    def __init__(self, user_id=None, api_key=None):
 

	
 
        self.user_id = user_id
 
        self.api_key = None
 

	
 
        self.username = 'None'
 
        self.name = ''
 
        self.lastname = ''
 
        self.email = ''
 
        self.is_authenticated = False
 
        self.admin = False
 
        self.permissions = {}
 
        self._api_key = api_key
 
        self.propagate_data()
 

	
 
    def propagate_data(self):
 
        user_model = UserModel()
 
        self.anonymous_user = user_model.get_by_username('default', cache=True)
 
        if self._api_key and self._api_key != self.anonymous_user.api_key:
 
            #try go get user by api key
 
            log.debug('Auth User lookup by API KEY %s', self._api_key)
 
            user_model.fill_data(self, api_key=self._api_key)
 
        else:
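Review bot: The new `ldap_attrs.get(..., [''])[0]` lookups in `authenticate` turn a missing or unmapped directory attribute into an empty string that goes straight into `user_model.create_ldap`, so an account can be created with a blank name or e-mail and nothing in the log to explain why. Logging the gap before the create call would make a misconfigured mapping visible, for example `log.warning('ldap attribute for %s not returned for %s', key, user_dn)` for each empty value. An attribute that is present with an empty value list still raises IndexError on `[0]`, which the broad `except (Exception,)` below reports only as a traceback. The section ends inside `AuthUser.propagate_data`, whose body continues outside the view.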
rhodecode/lib/auth_ldap.py
 
#!/usr/bin/env python
 
# encoding: utf-8
 
# ldap authentication lib
 
# Copyright (C) 2009-2011 Marcin Kuzminski <marcin@python-works.com>
 
#
 
# This program is free software: you can redistribute it and/or modify
 
# it under the terms of the GNU General Public License as published by
 
# the Free Software Foundation, either version 3 of the License, or
 
# (at your option) any later version.
 
#
 
# This program is distributed in the hope that it will be useful,
 
# but WITHOUT ANY WARRANTY; without even the implied warranty of
 
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 
# GNU General Public License for more details.
 
#
 
# You should have received a copy of the GNU General Public License
 
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
"""
 
Created on Nov 17, 2010
 

	
 
@author: marcink
 
"""
 

	
 
from rhodecode.lib.exceptions import *
 
import logging
 

	
 
log = logging.getLogger(__name__)
 

	
 
try:
 
    import ldap
 
except ImportError:
 
    pass
 

	
 
class AuthLdap(object):
 

	
 
    def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='',
 
                 use_ldaps=False, tls_reqcert='DEMAND', ldap_version=3,
 
                 tls_kind = 'PLAIN', tls_reqcert='DEMAND', ldap_version=3,
 
                 ldap_filter='(&(objectClass=user)(!(objectClass=computer)))',
 
                 search_scope='SUBTREE',
 
                 attr_login='uid'):
 
        self.ldap_version = ldap_version
 
        if use_ldaps:
 
        ldap_server_type = 'ldap'
 

	
 
        self.TLS_KIND = tls_kind
 

	
 
        if self.TLS_KIND == 'LDAPS':
 
            port = port or 689
 
        self.LDAP_USE_LDAPS = use_ldaps
 
            ldap_server_type = ldap_server_type + 's'
 

	
 
        self.TLS_REQCERT = ldap.__dict__['OPT_X_TLS_' + tls_reqcert]
 
        self.LDAP_SERVER_ADDRESS = server
 
        self.LDAP_SERVER_PORT = port
 

	
 
        #USE FOR READ ONLY BIND TO LDAP SERVER
 
        self.LDAP_BIND_DN = bind_dn
 
        self.LDAP_BIND_PASS = bind_pass
 

	
 
        ldap_server_type = 'ldap'
 
        if self.LDAP_USE_LDAPS:ldap_server_type = ldap_server_type + 's'
 
        self.LDAP_SERVER = "%s://%s:%s" % (ldap_server_type,
 
                                               self.LDAP_SERVER_ADDRESS,
 
                                               self.LDAP_SERVER_PORT)
 

	
 
        self.BASE_DN = base_dn
 
        self.LDAP_FILTER = ldap_filter
 
        self.SEARCH_SCOPE = ldap.__dict__['SCOPE_' + search_scope]
 
        self.attr_login = attr_login
 

	
 

	
 
    def authenticate_ldap(self, username, password):
 
        """Authenticate a user via LDAP and return his/her LDAP properties.
 

	
 
        Raises AuthenticationError if the credentials are rejected, or
 
        EnvironmentError if the LDAP server can't be reached.
 

	
 
        :param username: username
 
        :param password: password
 
        """
 

	
 
        from rhodecode.lib.helpers import chop_at
 

	
 
        uid = chop_at(username, "@%s" % self.LDAP_SERVER_ADDRESS)
 

	
 
        if "," in username:
 
            raise LdapUsernameError("invalid character in username: ,")
 
        try:
 
            ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, '/etc/openldap/cacerts')
 
            ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
 
            ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON)
 
            ldap.set_option(ldap.OPT_TIMEOUT, 20)
 
            ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)
 
            ldap.set_option(ldap.OPT_TIMELIMIT, 15)
 
            if self.LDAP_USE_LDAPS:
 
            if self.TLS_KIND != 'PLAIN':
 
                ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT)
 
            server = ldap.initialize(self.LDAP_SERVER)
 
            if self.ldap_version == 2:
 
                server.protocol = ldap.VERSION2
 
            else:
 
                server.protocol = ldap.VERSION3
 

	
 
            if self.TLS_KIND == 'START_TLS':
 
                server.start_tls_s()
 

	
 
            if self.LDAP_BIND_DN and self.LDAP_BIND_PASS:
 
                server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)
 

	
 
            filt = '(&%s(%s=%s))' % (self.LDAP_FILTER, self.attr_login, username)
 
            log.debug("Authenticating %r filt %s at %s", self.BASE_DN,
 
                      filt, self.LDAP_SERVER)
 
            lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE,
 
                                           filt)
 

	
 
            if not lobjects:
 
                raise ldap.NO_SUCH_OBJECT()
 

	
 
            for (dn, attrs) in lobjects:
 
            for (dn, _attrs) in lobjects:
 
                try:
 
                    server.simple_bind_s(dn, password)
 
                    attrs = server.search_ext_s(dn, ldap.SCOPE_BASE, '(objectClass=*)')[0][1]
 
                    break
 

	
 
                except ldap.INVALID_CREDENTIALS, e:
 
                    log.debug("LDAP rejected password for user '%s' (%s): %s",
 
                              uid, username, dn)
 

	
 
            else:
 
                log.debug("No matching LDAP objects for authentication "
 
                          "of '%s' (%s)", uid, username)
 
                raise LdapPasswordError()
 

	
 
        except ldap.NO_SUCH_OBJECT, e:
 
            log.debug("LDAP says no such user '%s' (%s)", uid, username)
 
            raise LdapUsernameError()
 
        except ldap.SERVER_DOWN, e:
 
            raise LdapConnectionError("LDAP can't access authentication server")
 

	
 
        return (dn, attrs)
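Review bot: `authenticate_ldap` interpolates the submitted username into the search filter unescaped, in `'(&%s(%s=%s))' % (self.LDAP_FILTER, self.attr_login, username)`, and the only character rejected beforehand is a comma, so LDAP filter metacharacters in the username are interpreted as filter syntax. Escape the value with python-ldap's helper: `from ldap.filter import escape_filter_chars`, then `filt = '(&%s(%s=%s))' % (self.LDAP_FILTER, self.attr_login, escape_filter_chars(username))`. In `__init__`, `port = port or 689` uses 689 as the LDAPS fallback, while the registered LDAPS port is 636. The password also reaches `server.simple_bind_s(dn, password)` with no emptiness check in this function; many servers treat an empty password as an unauthenticated bind that succeeds, so reject it here unless a caller outside this view already does.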
rhodecode/lib/db_manage.py
 
@@ -267,97 +267,97 @@ class DbManage(object):
 

	
 
        hooks1 = RhodeCodeUi() if hooks1_ is None else hooks1_
 
        hooks1.ui_section = 'hooks'
 
        hooks1.ui_key = hooks1_key
 
        hooks1.ui_value = 'hg update >&2'
 
        hooks1.ui_active = False
 

	
 
        hooks2_key = 'changegroup.repo_size'
 
        hooks2_ = self.sa.query(RhodeCodeUi)\
 
            .filter(RhodeCodeUi.ui_key == hooks2_key).scalar()
 

	
 
        hooks2 = RhodeCodeUi() if hooks2_ is None else hooks2_
 
        hooks2.ui_section = 'hooks'
 
        hooks2.ui_key = hooks2_key
 
        hooks2.ui_value = 'python:rhodecode.lib.hooks.repo_size'
 

	
 
        hooks3 = RhodeCodeUi()
 
        hooks3.ui_section = 'hooks'
 
        hooks3.ui_key = 'pretxnchangegroup.push_logger'
 
        hooks3.ui_value = 'python:rhodecode.lib.hooks.log_push_action'
 

	
 
        hooks4 = RhodeCodeUi()
 
        hooks4.ui_section = 'hooks'
 
        hooks4.ui_key = 'preoutgoing.pull_logger'
 
        hooks4.ui_value = 'python:rhodecode.lib.hooks.log_pull_action'
 

	
 
        #For mercurial 1.7 set backward comapatibility with format
 
        dotencode_disable = RhodeCodeUi()
 
        dotencode_disable.ui_section = 'format'
 
        dotencode_disable.ui_key = 'dotencode'
 
        dotencode_disable.ui_value = 'false'
 

	
 
        try:
 
            self.sa.add(hooks1)
 
            self.sa.add(hooks2)
 
            self.sa.add(hooks3)
 
            self.sa.add(hooks4)
 
            self.sa.add(dotencode_disable)
 
            self.sa.commit()
 
        except:
 
            self.sa.rollback()
 
            raise
 

	
 
    def create_ldap_options(self):
 
        """Creates ldap settings"""
 

	
 
        try:
 
            for k, v in [('ldap_active', 'false'), ('ldap_host', ''),
 
                        ('ldap_port', '389'), ('ldap_ldaps', 'false'),
 
                        ('ldap_port', '389'), ('ldap_tls_kind', 'PLAIN'),
 
                        ('ldap_tls_reqcert', ''), ('ldap_dn_user', ''),
 
                        ('ldap_dn_pass', ''), ('ldap_base_dn', ''),
 
                        ('ldap_filter', ''), ('ldap_search_scope', ''),
 
                        ('ldap_attr_login', ''), ('ldap_attr_firstname', ''),
 
                        ('ldap_attr_lastname', ''), ('ldap_attr_email', '')]:
 

	
 
                setting = RhodeCodeSettings(k, v)
 
                self.sa.add(setting)
 
            self.sa.commit()
 
        except:
 
            self.sa.rollback()
 
            raise
 

	
 
    def config_prompt(self, test_repo_path='', retries=3):
 
        if retries == 3:
 
            log.info('Setting up repositories config')
 

	
 
        if not self.tests and not test_repo_path:
 
            path = raw_input('Specify valid full path to your repositories'
 
                        ' you can change this later in application settings:')
 
        else:
 
            path = test_repo_path
 
        path_ok = True
 

	
 
        #check proper dir
 
        if not os.path.isdir(path):
 
            path_ok = False
 
            log.error('Entered path is not a valid directory: %s [%s/3]',
 
                      path, retries)
 

	
 
        #check write access
 
        if not os.access(path, os.W_OK):
 
            path_ok = False
 

	
 
            log.error('No write permission to given path: %s [%s/3]',
 
                      path, retries)
 

	
 
        if retries == 0:
 
            sys.exit()
 
        if path_ok is False:
 
            retries -= 1
 
            return self.config_prompt(test_repo_path, retries)
 

	
 
        return path
 

	
 
    def create_settings(self, path):
 

	
 
        self.create_ui_settings()
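Review bot: `create_ldap_options` now seeds `ldap_tls_kind` instead of `ldap_ldaps`, but it appears to run only when the settings rows are first created, and no migration for existing databases is visible in this changeset. On an upgraded install `ldap_settings.get('ldap_tls_kind')` would return None, so `AuthLdap` would build an `ldap://` URL and skip `start_tls_s()` even where `ldap_ldaps` was previously true, and the controller's `settings_model.get(k)` would return None for the new key when saving. An upgrade step that inserts `ldap_tls_kind` as 'LDAPS' where `ldap_ldaps` was true and 'PLAIN' otherwise would close that gap. The seeded `('ldap_tls_reqcert', '')` also leaves `'OPT_X_TLS_' + tls_reqcert` without a suffix in `AuthLdap.__init__`; seeding 'DEMAND' would match the controller default. The section starts inside an earlier `DbManage` method and ends inside `create_settings`.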
rhodecode/model/forms.py
 
@@ -511,69 +511,69 @@ def RepoSettingsForm(edit=False, old_dat
 
    class _RepoForm(formencode.Schema):
 
        allow_extra_fields = True
 
        filter_extra_fields = False
 
        repo_name = All(UnicodeString(strip=True, min=1, not_empty=True),
 
                        ValidRepoName(edit, old_data))
 
        description = UnicodeString(strip=True, min=1, not_empty=True)
 
        private = StringBoolean(if_missing=False)
 

	
 
        chained_validators = [ValidPerms, ValidSettings]
 
    return _RepoForm
 

	
 

	
 
def ApplicationSettingsForm():
 
    class _ApplicationSettingsForm(formencode.Schema):
 
        allow_extra_fields = True
 
        filter_extra_fields = False
 
        rhodecode_title = UnicodeString(strip=True, min=1, not_empty=True)
 
        rhodecode_realm = UnicodeString(strip=True, min=1, not_empty=True)
 
        rhodecode_ga_code = UnicodeString(strip=True, min=1, not_empty=False)
 

	
 
    return _ApplicationSettingsForm
 

	
 
def ApplicationUiSettingsForm():
 
    class _ApplicationUiSettingsForm(formencode.Schema):
 
        allow_extra_fields = True
 
        filter_extra_fields = False
 
        web_push_ssl = OneOf(['true', 'false'], if_missing='false')
 
        paths_root_path = All(ValidPath(), UnicodeString(strip=True, min=1, not_empty=True))
 
        hooks_changegroup_update = OneOf(['True', 'False'], if_missing=False)
 
        hooks_changegroup_repo_size = OneOf(['True', 'False'], if_missing=False)
 
        hooks_pretxnchangegroup_push_logger = OneOf(['True', 'False'], if_missing=False)
 
        hooks_preoutgoing_pull_logger = OneOf(['True', 'False'], if_missing=False)
 

	
 
    return _ApplicationUiSettingsForm
 

	
 
def DefaultPermissionsForm(perms_choices, register_choices, create_choices):
 
    class _DefaultPermissionsForm(formencode.Schema):
 
        allow_extra_fields = True
 
        filter_extra_fields = True
 
        overwrite_default = StringBoolean(if_missing=False)
 
        anonymous = OneOf(['True', 'False'], if_missing=False)
 
        default_perm = OneOf(perms_choices)
 
        default_register = OneOf(register_choices)
 
        default_create = OneOf(create_choices)
 

	
 
    return _DefaultPermissionsForm
 

	
 

	
 
def LdapSettingsForm(tls_reqcert_choices, search_scope_choices):
 
def LdapSettingsForm(tls_reqcert_choices, search_scope_choices, tls_kind_choices):
 
    class _LdapSettingsForm(formencode.Schema):
 
        allow_extra_fields = True
 
        filter_extra_fields = True
 
        pre_validators = [LdapLibValidator]
 
        ldap_active = StringBoolean(if_missing=False)
 
        ldap_host = UnicodeString(strip=True,)
 
        ldap_port = Number(strip=True,)
 
        ldap_ldaps = StringBoolean(if_missing=False)
 
        ldap_tls_kind = OneOf(tls_kind_choices)
 
        ldap_tls_reqcert = OneOf(tls_reqcert_choices)
 
        ldap_dn_user = UnicodeString(strip=True,)
 
        ldap_dn_pass = UnicodeString(strip=True,)
 
        ldap_base_dn = UnicodeString(strip=True,)
 
        ldap_filter = UnicodeString(strip=True,)
 
        ldap_search_scope = OneOf(search_scope_choices)
 
        ldap_attr_login = All(AttrLoginValidator, UnicodeString(strip=True,))
 
        ldap_attr_firstname = UnicodeString(strip=True,)
 
        ldap_attr_lastname = UnicodeString(strip=True,)
 
        ldap_attr_email = UnicodeString(strip=True,)
 

	
 
    return _LdapSettingsForm
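Review bot: `LdapSettingsForm` now takes three positional lists and has no docstring, while the controller call in this changeset depends on their order. Add one such as `"""Build the LDAP settings schema; each argument is the list of values accepted by the matching OneOf field."""`, and consider passing the lists by keyword at the call site. `ldap_tls_kind = OneOf(tls_kind_choices)` has no `if_missing`, so a POST without that field fails validation rather than falling back to a default; that is the safer behaviour and is worth stating in the docstring.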
rhodecode/model/settings.py
 
@@ -25,79 +25,79 @@
 

	
 
import logging
 

	
 
from rhodecode.model import BaseModel
 
from rhodecode.model.caching_query import FromCache
 
from rhodecode.model.db import  RhodeCodeSettings
 

	
 
log = logging.getLogger(__name__)
 

	
 
class SettingsModel(BaseModel):
 
    """
 
    Settings model
 
    """
 

	
 
    def get(self, settings_key, cache=False):
 
        r = self.sa.query(RhodeCodeSettings)\
 
            .filter(RhodeCodeSettings.app_settings_name == settings_key).scalar()
 
        if cache:
 
            r = r.options(FromCache("sql_cache_short",
 
                                          "get_setting_%s" % settings_key))
 
        return r
 

	
 
    def get_app_settings(self, cache=False):
 
        """Get's config from database, each config key is prefixed with
 
        'rhodecode_' prefix, than global pylons config is updated with such
 
        keys
 
        """
 

	
 
        ret = self.sa.query(RhodeCodeSettings)
 

	
 
        if cache:
 
            ret = ret.options(FromCache("sql_cache_short", "get_hg_settings"))
 

	
 
        if not ret:
 
            raise Exception('Could not get application settings !')
 
        settings = {}
 
        for each in ret:
 
            settings['rhodecode_' + each.app_settings_name] = each.app_settings_value
 

	
 
        return settings
 

	
 
    def get_ldap_settings(self):
 
        """
 
        Returns ldap settings from database
 
        :returns:
 
        ldap_active
 
        ldap_host
 
        ldap_port
 
        ldap_ldaps
 
        ldap_tls_kind
 
        ldap_tls_reqcert
 
        ldap_dn_user
 
        ldap_dn_pass
 
        ldap_base_dn
 
        ldap_filter
 
        ldap_search_scope
 
        ldap_attr_login
 
        ldap_attr_firstname
 
        ldap_attr_lastname
 
        ldap_attr_email
 
        """
 
        # ldap_search_scope
 

	
 
        r = self.sa.query(RhodeCodeSettings)\
 
                .filter(RhodeCodeSettings.app_settings_name\
 
                        .startswith('ldap_'))\
 
                .all()
 

	
 
        fd = {}
 

	
 
        for row in r:
 
            v = row.app_settings_value
 
            if v in ['true', 'yes', 'on', 'y', 't', '1']:
 
                v = True
 
            elif v in ['false', 'no', 'off', 'n', 'f', '0']:
 
                v = False
 

	
 
            fd.update({row.app_settings_name:v})
 

	
 
        return fd
rhodecode/templates/admin/ldap/ldap.html
 
@@ -2,98 +2,98 @@
 
<%inherit file="/base/base.html"/>
 

	
 
<%def name="title()">
 
    ${_('LDAP administration')} - ${c.rhodecode_name}
 
</%def>
 

	
 
<%def name="breadcrumbs_links()">
 
    ${h.link_to(_('Admin'),h.url('admin_home'))} 
 
    &raquo;
 
    ${_('Ldap')}    
 
</%def>
 

	
 
<%def name="page_nav()">
 
    ${self.menu('admin')}
 
</%def>
 

	
 
<%def name="main()">
 
<div class="box">
 
    <!-- box / title -->
 
    <div class="title">
 
        ${self.breadcrumbs()}       
 
    </div>
 
    ${h.form(url('ldap_settings'))}
 
    <div class="form">
 
        <div class="fields">
 

	
 
	  <h3>${_('Connection settings')}</h3>
 
            <div class="field">
 
                <div class="label label-checkbox"><label for="ldap_active">${_('Enable LDAP')}</label></div>
 
                <div class="checkboxes"><div class="checkbox">${h.checkbox('ldap_active',True,class_='small')}</div></div>
 
            </div>
 
            <div class="field">
 
                <div class="label"><label for="ldap_host">${_('Host')}</label></div>
 
                <div class="input">${h.text('ldap_host',class_='small')}</div>
 
            </div>
 
            <div class="field">
 
                <div class="label"><label for="ldap_port">${_('Port')}</label></div>
 
                <div class="input">${h.text('ldap_port',class_='small')}</div>
 
            </div>
 
            <div class="field">
 
                <div class="label"><label for="ldap_dn_user">${_('Account')}</label></div>
 
                <div class="input">${h.text('ldap_dn_user',class_='small')}</div>
 
            </div>
 
            <div class="field">
 
                <div class="label"><label for="ldap_dn_pass">${_('Password')}</label></div>
 
                <div class="input">${h.password('ldap_dn_pass',class_='small')}</div>
 
            </div>
 
            <div class="field">
 
                <div class="label label-checkbox"><label for="ldap_ldaps">${_('Enable LDAPS')}</label></div>
 
                <div class="checkboxes"><div class="checkbox">${h.checkbox('ldap_ldaps',True,class_='small')}</div></div>
 
                <div class="label"><label for="ldap_tls_kind">${_('Connection security')}</label></div>
 
                <div class="select">${h.select('ldap_tls_kind',c.tls_kind_cur,c.tls_kind_choices,class_='small')}</div>
 
            </div>
 
            <div class="field">
 
                <div class="label"><label for="ldap_tls_reqcert">${_('Certificate Checks')}</label></div>
 
                <div class="select">${h.select('ldap_tls_reqcert',c.tls_reqcert_cur,c.tls_reqcert_choices,class_='small')}</div>
 
            </div>
 
	  <h3>${_('Search settings')}</h3>
 
            <div class="field">
 
                <div class="label"><label for="ldap_base_dn">${_('Base DN')}</label></div>
 
                <div class="input">${h.text('ldap_base_dn',class_='small')}</div>
 
            </div>
 
            <div class="field">
 
                <div class="label"><label for="ldap_filter">${_('LDAP Filter')}</label></div>
 
                <div class="input">${h.text('ldap_filter',class_='small')}</div>
 
            </div>
 
            <div class="field">
 
                <div class="label"><label for="ldap_search_scope">${_('LDAP Search Scope')}</label></div>
 
                <div class="select">${h.select('ldap_search_scope',c.search_scope_cur,c.search_scope_choices,class_='small')}</div>
 
            </div>
 
	  <h3>${_('Attribute mappings')}</h3>
 
            <div class="field">
 
                <div class="label"><label for="ldap_attr_login">${_('Login Attribute')}</label></div>
 
                <div class="input">${h.text('ldap_attr_login',class_='small')}</div>
 
            </div>
 
            <div class="field">
 
                <div class="label"><label for="ldap_attr_firstname">${_('First Name Attribute')}</label></div>
 
                <div class="input">${h.text('ldap_attr_firstname',class_='small')}</div>
 
            </div>
 
            <div class="field">
 
                <div class="label"><label for="ldap_attr_lastname">${_('Last Name Attribute')}</label></div>
 
                <div class="input">${h.text('ldap_attr_lastname',class_='small')}</div>
 
            </div>
 
            <div class="field">
 
                <div class="label"><label for="ldap_attr_email">${_('E-mail Attribute')}</label></div>
 
                <div class="input">${h.text('ldap_attr_email',class_='small')}</div>
 
            </div>
 
            
 
            <div class="buttons">
 
            ${h.submit('save','Save',class_="ui-button")}
 
            </div>              
 
        </div>
 
    </div>     
 
    ${h.end_form()}    
 
</div>
 
</%def>    
 

	
 

	
 

	
 

	