i = ord(os.urandom(1))

            if i < len(alphabet):

                l.append(alphabet[i])

        return ''.join(l)

def get_crypt_password(password):

    """

    Cryptographic function used for password hashing based on pybcrypt

    or Python's own OpenSSL wrapper on windows

    :param password: password to hash

    """

    if is_windows:

        return hashlib.sha256(password).hexdigest()

    elif is_unix:

        import bcrypt

        return bcrypt.hashpw(safe_str(password), bcrypt.gensalt(10))

    else:

        raise Exception('Unknown or unsupported platform %s'

                        % __platform__)

def check_password(password, hashed):

    """

    Checks matching password with it's hashed value, runs different

    implementation based on platform it runs on

    :param password: password

    :param hashed: password in hashed form

    """

    if is_windows:

        return hashlib.sha256(password).hexdigest() == hashed

    elif is_unix:

        import bcrypt

        try:

            return bcrypt.checkpw(safe_str(password), safe_str(hashed))

        except ValueError as e:

            # bcrypt will throw ValueError 'Invalid hashed_password salt' on all password errors

            log.error('error from bcrypt checking password: %s', e)

            return False

    else:

        raise Exception('Unknown or unsupported platform %s'

                        % __platform__)

def _cached_perms_data(user_id, user_is_admin, user_inherit_default_permissions,

    RK = 'repositories'

    GK = 'repositories_groups'

    UK = 'user_groups'

    GLOBAL = 'global'

    PERM_WEIGHTS = Permission.PERM_WEIGHTS

    permissions = {RK: {}, GK: {}, UK: {}, GLOBAL: set()}

    def _choose_perm(new_perm, cur_perm):

        new_perm_val = PERM_WEIGHTS[new_perm]

        cur_perm_val = PERM_WEIGHTS[cur_perm]

    #======================================================================

    # fetch default permissions

    #======================================================================

    default_user = User.get_by_username('default', cache=True)

    default_user_id = default_user.user_id

    default_repo_perms = Permission.get_default_perms(default_user_id)

    default_repo_groups_perms = Permission.get_default_group_perms(default_user_id)

    default_user_group_perms = Permission.get_default_user_group_perms(default_user_id)

    if user_is_admin:

        #==================================================================

        # admin users have all rights;

        # based on default permissions, just set everything to admin

        #==================================================================

        permissions[GLOBAL].add('hg.admin')

        permissions[GLOBAL].add('hg.create.write_on_repogroup.true')

        # repositories

        for perm in default_repo_perms:

            r_k = perm.UserRepoToPerm.repository.repo_name

            p = 'repository.admin'

            permissions[RK][r_k] = p

        # repository groups

        for perm in default_repo_groups_perms:

            rg_k = perm.UserRepoGroupToPerm.group.group_name

            p = 'group.admin'

            permissions[GK][rg_k] = p

        # user groups

        for perm in default_user_group_perms:

            u_k = perm.UserUserGroupToPerm.user_group.users_group_name

            p = 'usergroup.admin'

            permissions[UK][u_k] = p

        return permissions

    #==================================================================

    # SET DEFAULTS GLOBAL, REPOS, REPOSITORY GROUPS

    #==================================================================

    # default global permissions taken from the default user

    default_global_perms = UserToPerm.query() \

        .filter(UserToPerm.user_id == default_user_id) \

        .options(joinedload(UserToPerm.permission))

    for perm in default_global_perms:

    # user group global permissions

    user_perms_from_users_groups = Session().query(UserGroupToPerm) \

        .options(joinedload(UserGroupToPerm.permission)) \

        .join((UserGroupMember, UserGroupToPerm.users_group_id ==

               UserGroupMember.users_group_id)) \

        .filter(UserGroupMember.user_id == user_id) \

        .join((UserGroup, UserGroupMember.users_group_id ==

               UserGroup.users_group_id)) \

        .filter(UserGroup.users_group_active == True) \

        .order_by(UserGroupToPerm.users_group_id) \

        .all()

    # need to group here by groups since user can be in more than

    # one group

    _grouped = [[x, list(y)] for x, y in

                itertools.groupby(user_perms_from_users_groups,

                                  lambda x:x.users_group)]

    for gr, perms in _grouped:

        # since user can be in multiple groups iterate over them and

        # select the lowest permissions first (more explicit)

        # TODO: do this^^

        if not gr.inherit_default_permissions:

            # NEED TO IGNORE all configurable permissions and

            # replace them with explicitly set

            permissions[GLOBAL] = permissions[GLOBAL] \

                                            .difference(_configurable)

        for perm in perms:

            permissions[GLOBAL].add(perm.permission.permission_name)

    # user specific global permissions

    user_perms = Session().query(UserToPerm) \

            .options(joinedload(UserToPerm.permission)) \

            .filter(UserToPerm.user_id == user_id).all()

    if not user_inherit_default_permissions:

        # NEED TO IGNORE all configurable permissions and

        # replace them with explicitly set

        permissions[GLOBAL] = permissions[GLOBAL] \

                                        .difference(_configurable)

        for perm in user_perms:

            permissions[GLOBAL].add(perm.permission.permission_name)

    ## END GLOBAL PERMISSIONS

    #======================================================================

    # !! PERMISSIONS FOR REPOSITORIES !!

    #======================================================================

    #======================================================================

    # check if user is part of user groups for this repository and

    #======================================================================

    # user group for repositories permissions

    user_repo_perms_from_users_groups = \

     Session().query(UserGroupRepoToPerm, Permission, Repository,) \

        .join((Repository, UserGroupRepoToPerm.repository_id ==

               Repository.repo_id)) \

        .join((Permission, UserGroupRepoToPerm.permission_id ==

               Permission.permission_id)) \

        .join((UserGroup, UserGroupRepoToPerm.users_group_id ==

               UserGroup.users_group_id)) \

        .filter(UserGroup.users_group_active == True) \

        .join((UserGroupMember, UserGroupRepoToPerm.users_group_id ==

               UserGroupMember.users_group_id)) \

        .filter(UserGroupMember.user_id == user_id) \

        .all()

    multiple_counter = collections.defaultdict(int)

    for perm in user_repo_perms_from_users_groups:

        r_k = perm.UserGroupRepoToPerm.repository.repo_name

        multiple_counter[r_k] += 1

        p = perm.Permission.permission_name

        cur_perm = permissions[RK][r_k]

        if perm.Repository.owner_id == user_id:

            # set admin if owner

            p = 'repository.admin'

        else:

            if multiple_counter[r_k] > 1:

                p = _choose_perm(p, cur_perm)

        permissions[RK][r_k] = p

    # user explicit permissions for repositories, overrides any specified

    # by the group permission

    user_repo_perms = Permission.get_default_perms(user_id)

    for perm in user_repo_perms:

        r_k = perm.UserRepoToPerm.repository.repo_name

        cur_perm = permissions[RK][r_k]

        # set admin if owner

        if perm.Repository.owner_id == user_id:

            p = 'repository.admin'

        else:

            p = perm.Permission.permission_name

            if not explicit:

                p = _choose_perm(p, cur_perm)

        permissions[RK][r_k] = p

    #======================================================================

    # !! PERMISSIONS FOR REPOSITORY GROUPS !!

    #======================================================================

    #======================================================================

    # check if user is part of user groups for this repository groups and

    #======================================================================

    # user group for repo groups permissions

    user_repo_group_perms_from_users_groups = \

     Session().query(UserGroupRepoGroupToPerm, Permission, RepoGroup) \

     .join((RepoGroup, UserGroupRepoGroupToPerm.group_id == RepoGroup.group_id)) \

     .join((Permission, UserGroupRepoGroupToPerm.permission_id

            == Permission.permission_id)) \

     .join((UserGroup, UserGroupRepoGroupToPerm.users_group_id ==

            UserGroup.users_group_id)) \

     .filter(UserGroup.users_group_active == True) \

     .join((UserGroupMember, UserGroupRepoGroupToPerm.users_group_id

            == UserGroupMember.users_group_id)) \

     .filter(UserGroupMember.user_id == user_id) \

     .all()

    multiple_counter = collections.defaultdict(int)

    for perm in user_repo_group_perms_from_users_groups:

        g_k = perm.UserGroupRepoGroupToPerm.group.group_name

        multiple_counter[g_k] += 1

        p = perm.Permission.permission_name

        cur_perm = permissions[GK][g_k]

        if multiple_counter[g_k] > 1:

            p = _choose_perm(p, cur_perm)

        permissions[GK][g_k] = p

    # user explicit permissions for repository groups

    user_repo_groups_perms = Permission.get_default_group_perms(user_id)

    for perm in user_repo_groups_perms:

        rg_k = perm.UserRepoGroupToPerm.group.group_name

        p = perm.Permission.permission_name

        cur_perm = permissions[GK][rg_k]

        if not explicit:

            p = _choose_perm(p, cur_perm)

        permissions[GK][rg_k] = p

    #======================================================================

    # !! PERMISSIONS FOR USER GROUPS !!

    #======================================================================

    # user group for user group permissions

    user_group_user_groups_perms = \

     Session().query(UserGroupUserGroupToPerm, Permission, UserGroup) \

     .join((UserGroup, UserGroupUserGroupToPerm.target_user_group_id

            == UserGroup.users_group_id)) \

     .join((Permission, UserGroupUserGroupToPerm.permission_id

            == Permission.permission_id)) \

     .join((UserGroupMember, UserGroupUserGroupToPerm.user_group_id

            == UserGroupMember.users_group_id)) \

     .filter(UserGroupMember.user_id == user_id) \

                setattr(self, k, v)

            return True

        return False

    @LazyProperty

    def permissions(self):

        return self.__get_perms(user=self, cache=False)

    def has_repository_permission_level(self, repo_name, level, purpose=None):

        required_perms = {

            'read': ['repository.read', 'repository.write', 'repository.admin'],

            'write': ['repository.write', 'repository.admin'],

            'admin': ['repository.admin'],

        }[level]

        actual_perm = self.permissions['repositories'].get(repo_name)

        ok = actual_perm in required_perms

        log.debug('Checking if user %r can %r repo %r (%s): %s (has %r)',

            self.username, level, repo_name, purpose, ok, actual_perm)

        return ok

    def has_repository_group_permission_level(self, repo_group_name, level, purpose=None):

        required_perms = {

            'read': ['group.read', 'group.write', 'group.admin'],

            'write': ['group.write', 'group.admin'],

            'admin': ['group.admin'],

        }[level]

        actual_perm = self.permissions['repositories_groups'].get(repo_group_name)

        ok = actual_perm in required_perms

        log.debug('Checking if user %r can %r repo group %r (%s): %s (has %r)',

            self.username, level, repo_group_name, purpose, ok, actual_perm)

        return ok

    def has_user_group_permission_level(self, user_group_name, level, purpose=None):

        required_perms = {

            'read': ['usergroup.read', 'usergroup.write', 'usergroup.admin'],

            'write': ['usergroup.write', 'usergroup.admin'],

            'admin': ['usergroup.admin'],

        }[level]

        actual_perm = self.permissions['user_groups'].get(user_group_name)

        ok = actual_perm in required_perms

        log.debug('Checking if user %r can %r user group %r (%s): %s (has %r)',

            self.username, level, user_group_name, purpose, ok, actual_perm)

        return ok

    @property

    def api_keys(self):

        return self._get_api_keys()

        """

        Fills user permission attribute with permissions taken from database

        works for permissions given for repositories, and for permissions that

        are granted to groups

        :param user: `AuthUser` instance

        :param explicit: In case there are permissions both for user and a group

            that user is part of, explicit flag will define if user will

            explicitly override permissions from group, if it's False it will

        """

        user_id = user.user_id

        user_is_admin = user.is_admin

        user_inherit_default_permissions = user.inherit_default_permissions

        log.debug('Getting PERMISSION tree')

        compute = conditional_cache('short_term', 'cache_desc',

                                    condition=cache, func=_cached_perms_data)

        return compute(user_id, user_is_admin,

    def _get_api_keys(self):

        api_keys = [self.api_key]

        for api_key in UserApiKeys.query() \

                .filter_by(user_id=self.user_id, is_expired=False):

            api_keys.append(api_key.api_key)

        return api_keys

    @property

    def is_admin(self):

        return self.admin

    @property

    def repositories_admin(self):

        """

        Returns list of repositories you're an admin of

        """

        return [x[0] for x in self.permissions['repositories'].iteritems()

                if x[1] == 'repository.admin']

    @property

    def repository_groups_admin(self):

        """

        Returns list of repository groups you're an admin of

        """

        return [x[0] for x in self.permissions['repositories_groups'].iteritems()

                if x[1] == 'group.admin']

    @property

    def user_groups_admin(self):

        """

        Returns list of user groups you're an admin of

        """

        return [x[0] for x in self.permissions['user_groups'].iteritems()

                if x[1] == 'usergroup.admin']

    @staticmethod

    def check_ip_allowed(user, ip_addr):

        """

        Check if the given IP address (a `str`) is allowed for the given

        user (an `AuthUser` or `db.User`).

        """

        allowed_ips = AuthUser.get_allowed_ips(user.user_id, cache=True,

            inherit_from_default=user.inherit_default_permissions)

        if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):

            log.debug('IP:%s is in range of %s', ip_addr, allowed_ips)

            return True