# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""

kallithea.controllers.api

~~~~~~~~~~~~~~~~~~~~~~~~~

JSON RPC controller

This file was forked by the Kallithea project in July 2014.

Original author and date, and relevant copyright and licensing information is below:

:created_on: Aug 20, 2011

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import inspect

import logging

import types

import traceback

import time

import itertools

from paste.response import replace_header

from pylons.controllers import WSGIController

from webob.exc import HTTPError

from kallithea.model.db import User

from kallithea.model import meta

from kallithea.lib.compat import json

from kallithea.lib.auth import AuthUser

from kallithea.lib.base import _get_ip_addr as _get_ip, _get_access_path

from kallithea.lib.utils2 import safe_unicode, safe_str

log = logging.getLogger('JSONRPC')

class JSONRPCError(BaseException):

    def __init__(self, message):

        self.message = message

        super(JSONRPCError, self).__init__()

    def __str__(self):

        return safe_str(self.message)

def jsonrpc_error(message, retid=None, code=None):

            return jsonrpc_error(retid=self._req_id,

                                 message='Invalid API key')

        self._error = None

        try:

            self._func = self._find_method()

        except AttributeError as e:

            return jsonrpc_error(retid=self._req_id,

                                 message=str(e))

        # now that we have a method, add self._req_params to

        # self.kargs and dispatch control to WGIController

        argspec = inspect.getargspec(self._func)

        arglist = argspec[0][1:]

        defaults = map(type, argspec[3] or [])

        default_empty = types.NotImplementedType

        # kw arguments required by this method

        func_kwargs = dict(itertools.izip_longest(reversed(arglist), reversed(defaults),

                                                  fillvalue=default_empty))

        # this is little trick to inject logged in user for

        # perms decorators to work they expect the controller class to have

        # authuser attribute set

        # This attribute will need to be first param of a method that uses

        # api_key, which is translated to instance of user at that name

        USER_SESSION_ATTR = 'apiuser'

        if USER_SESSION_ATTR not in arglist:

            return jsonrpc_error(

                retid=self._req_id,

                message='This method [%s] does not support '

                         'authentication (missing %s param)' % (

                                    self._func.__name__, USER_SESSION_ATTR)

            )

        # get our arglist and check if we provided them as args

        for arg, default in func_kwargs.iteritems():

            if arg == USER_SESSION_ATTR:

                # USER_SESSION_ATTR is something translated from API key and

                # this is checked before so we don't need validate it

                continue

            # skip the required param check if it's default value is

            # NotImplementedType (default_empty)

            if default == default_empty and arg not in self._request_params:

                return jsonrpc_error(

            return True

        return False

#==============================================================================

# CHECK FUNCTIONS

#==============================================================================

class PermsFunction(object):

    """Base function for other check functions"""

    def __init__(self, *perms):

        self.required_perms = set(perms)

        self.user_perms = None

        self.repo_name = None

        self.group_name = None

    def __nonzero__(self):

        """ Defend against accidentally forgetting to call the object

            and instead evaluating it directly in a boolean context,

            which could have security implications.

        """

        raise AssertionError(self.__class__.__name__ + ' is not a bool and must be called!')

    def __call__(self, check_location='unspecified location', user=None):

        cls_name = self.__class__.__name__

        check_scope = self._scope()

        log.debug('checking cls:%s %s usr:%s %s @ %s', cls_name,

                  self.required_perms, user, check_scope,

                  check_location)

        self.user_perms = user.permissions

        result = self.check_permissions()

        result_text = 'granted' if result else 'denied'

        log.debug('Permission to %s %s for user: %s @ %s',

            check_scope, result_text, user, check_location)

        return result

    def check_permissions(self):

        """Dummy function for overriding"""

        raise Exception('You have to write this function in child class')

    def _scope(self):

        return '(unknown scope)'

class HasPermissionAny(PermsFunction):

    def check_permissions(self):

        if self.required_perms.intersection(self.user_perms.get('global')):

            return True

        return False

class HasRepoPermissionAny(PermsFunction):

        return self.check_permissions()

    def check_permissions(self):

        log.debug('checking VCS protocol '

                  'permissions %s for user:%s repository:%s', self.user_perms,

                                                self.username, self.repo_name)

        if self.required_perms.intersection(self.user_perms):

            log.debug('Permission to repo: %s granted for user: %s @ %s',

                      self.repo_name, self.username, 'PermissionMiddleware')

            return True

        log.debug('Permission to repo: %s denied for user: %s @ %s',

                  self.repo_name, self.username, 'PermissionMiddleware')

        return False

#==============================================================================

# SPECIAL VERSION TO HANDLE API AUTH

#==============================================================================

class _BaseApiPerm(object):

    def __init__(self, *perms):

        self.required_perms = set(perms)

    def __call__(self, check_location=None, user=None, repo_name=None,

                 group_name=None):

        cls_name = self.__class__.__name__

        check_scope = 'user:%s' % (user)

        if repo_name:

            check_scope += ', repo:%s' % (repo_name)

        if group_name:

            check_scope += ', repo group:%s' % (group_name)

        log.debug('checking cls:%s %s %s @ %s',

                  cls_name, self.required_perms, check_scope, check_location)

        ## process user

        if not check_location:

            check_location = 'unspecified'

        if self.check_permissions(user.permissions, repo_name, group_name):

            log.debug('Permission to %s granted for user: %s @ %s',

                      check_scope, user, check_location)

            return True

        else:

            log.debug('Permission to %s denied for user: %s @ %s',

                      check_scope, user, check_location)

            return False

    def check_permissions(self, perm_defs, repo_name=None, group_name=None):

        """

        implement in child class should return True if permissions are ok,

        False otherwise

        :param perm_defs: dict with permission definitions

        :param repo_name: repo name

        """

        raise NotImplementedError()

class HasPermissionAnyApi(_BaseApiPerm):