# -*- coding: utf-8 -*-

"""

    rhodecode.controllers.admin.users

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Users crud controller for pylons

    :created_on: Apr 4, 2010

    :author: marcink

    :copyright: (C) 2009-2011 Marcin Kuzminski <marcin@python-works.com>

    :license: GPLv3, see COPYING for more details.

"""

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import logging

import traceback

import formencode

from formencode import htmlfill

from pylons import request, session, tmpl_context as c, url, config

from pylons.controllers.util import abort, redirect

from pylons.i18n.translation import _

from rhodecode.lib.exceptions import DefaultUserException, \

    UserOwnsReposException

from rhodecode.lib import helpers as h

from rhodecode.lib.auth import LoginRequired, HasPermissionAllDecorator

from rhodecode.lib.base import BaseController, render

from rhodecode.model.db import User, UserRepoToPerm, UserToPerm, Permission

from rhodecode.model.forms import UserForm

from rhodecode.model.user import UserModel

log = logging.getLogger(__name__)

class UsersController(BaseController):

    """REST Controller styled on the Atom Publishing Protocol"""

    # To properly map this controller, ensure your config/routing.py

    # file has a resource setup:

    #     map.resource('user', 'users')

    @LoginRequired()

    @HasPermissionAllDecorator('hg.admin')

    def __before__(self):

        c.admin_user = session.get('admin_user')

        c.admin_username = session.get('admin_username')

        super(UsersController, self).__before__()

        c.available_permissions = config['available_permissions']

    def index(self, format='html'):

        """GET /users: All items in the collection"""

        # url('users')

        c.users_list = self.sa.query(User).all()

        return render('admin/users/users.html')

    def create(self):

        """POST /users: Create a new item"""

        # url('users')

        user_model = UserModel()

        try:

            user_model.create(form_result)

            h.flash(_('created user %s') % form_result['username'],

                    category='success')

            #action_logger(self.rhodecode_user, 'new_user', '', '', self.sa)

        except formencode.Invalid, errors:

            return htmlfill.render(

                render('admin/users/user_add.html'),

                defaults=errors.value,

                errors=errors.error_dict or {},

                prefix_error=False,

                encoding="UTF-8")

        except Exception:

            log.error(traceback.format_exc())

            h.flash(_('error occurred during creation of user %s') \

                    % request.POST.get('username'), category='error')

        return redirect(url('users'))

    def new(self, format='html'):

        """GET /users/new: Form to create a new item"""

        # url('new_user')

        return render('admin/users/user_add.html')

    def update(self, id):

        """PUT /users/id: Update an existing item"""

        # Forms posted to this method should contain a hidden field:

        #    <input type="hidden" name="_method" value="PUT" />

        # Or using helpers:

        #    h.form(url('update_user', id=ID),

        #           method='put')

        # url('user', id=ID)

        user_model = UserModel()

        c.user = user_model.get(id)

        _form = UserForm(edit=True, old_data={'user_id': id,

                                              'email': c.user.email})()

        form_result = {}

        try:

            form_result = _form.to_python(dict(request.POST))

            user_model.update(id, form_result)

            h.flash(_('User updated successfully'), category='success')

        except formencode.Invalid, errors:

            e = errors.error_dict or {}

            perm = Permission.get_by_key('hg.create.repository')

            e.update({'create_repo_perm': UserToPerm.has_perm(id, perm)})

            return htmlfill.render(

                render('admin/users/user_edit.html'),

                defaults=errors.value,

                errors=e,

                prefix_error=False,

                encoding="UTF-8")

        except Exception:

            log.error(traceback.format_exc())

            h.flash(_('error occurred during update of user %s') \

                    % form_result.get('username'), category='error')

        return redirect(url('users'))

    def delete(self, id):

        """DELETE /users/id: Delete an existing item"""

        # Forms posted to this method should contain a hidden field:

        #    <input type="hidden" name="_method" value="DELETE" />

        # Or using helpers:

        #    h.form(url('delete_user', id=ID),

        #           method='delete')

        # url('user', id=ID)

        user_model = UserModel()

        try:

            user_model.delete(id)

            h.flash(_('successfully deleted user'), category='success')

        except (UserOwnsReposException, DefaultUserException), e:

            h.flash(str(e), category='warning')

        except Exception:

            h.flash(_('An error occurred during deletion of user'),

                    category='error')

        return redirect(url('users'))

    def show(self, id, format='html'):

        """GET /users/id: Show a specific item"""

        # url('user', id=ID)

    def edit(self, id, format='html'):

        """GET /users/id/edit: Form to edit an existing item"""

        # url('edit_user', id=ID)

        user_model = UserModel()

        c.user = user_model.get(id)

        if not c.user:

            return redirect(url('users'))

        if c.user.username == 'default':

            h.flash(_("You can't edit this user"), category='warning')

            return redirect(url('users'))

        c.user.permissions = {}

        c.granted_permissions = user_model.fill_perms(c.user)\

            .permissions['global']

        defaults = c.user.get_dict()

from rhodecode.model import meta

from rhodecode.model.user import UserModel

from rhodecode.model.db import Permission, RhodeCodeSetting, User

log = logging.getLogger(__name__)

class PasswordGenerator(object):

    """This is a simple class for generating password from

        different sets of characters

        usage:

        passwd_gen = PasswordGenerator()

        #print 8-letter password containing only big and small letters

            of alphabet

        print passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL)

    """

    ALPHABETS_NUM = r'''1234567890'''

    ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm'''

    ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM'''

    ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?'''

    ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \

        + ALPHABETS_NUM + ALPHABETS_SPECIAL

    ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM

    ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL

    ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM

    ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM

    def __init__(self, passwd=''):

        self.passwd = passwd

    def gen_password(self, len, type):

        self.passwd = ''.join([random.choice(type) for _ in xrange(len)])

        return self.passwd

class RhodeCodeCrypto(object):

    @classmethod

    def hash_string(cls, str_):

        """

        Cryptographic function used for password hashing based on pybcrypt

        or pycrypto in windows

        :param password: password to hash

        """

        if __platform__ in PLATFORM_WIN:

            return sha256(str_).hexdigest()

        elif __platform__ in PLATFORM_OTHERS:

            return bcrypt.hashpw(str_, bcrypt.gensalt(10))

        else:

            raise Exception('Unknown or unsupported platform %s' \

                            % __platform__)

    @classmethod

    def hash_check(cls, password, hashed):

        """

        Checks matching password with it's hashed value, runs different

        implementation based on platform it runs on

        :param password: password

        :param hashed: password in hashed form

        """

        if __platform__ in PLATFORM_WIN:

            return sha256(password).hexdigest() == hashed

        elif __platform__ in PLATFORM_OTHERS:

            return bcrypt.hashpw(password, hashed) == hashed

        else:

            raise Exception('Unknown or unsupported platform %s' \

                            % __platform__)

def get_crypt_password(password):

    return RhodeCodeCrypto.hash_string(password)

def check_password(password, hashed):

    return RhodeCodeCrypto.hash_check(password, hashed)

def generate_api_key(str_, salt=None):

    """

    Generates API KEY from given string

    :param str_:

    :param salt:

    """

    if salt is None:

        salt = _RandomNameSequence().next()

    return hashlib.sha1(str_ + salt).hexdigest()

def authfunc(environ, username, password):

    """

    :param environ: needed only for using in Basic auth

    """

    return authenticate(username, password)

def authenticate(username, password):

    """

    Authentication function used for access control,

    firstly checks for db authentication then if ldap is enabled for ldap

    authentication, also creates ldap user if not in database

    :param username: username

    :param password: password

    """

    user_model = UserModel()

    user = User.get_by_username(username)

    log.debug('Authenticating user using RhodeCode account')

    if user is not None and not user.ldap_dn:

        if user.active:

            if user.username == 'default' and user.active:

                log.info('user %s authenticated correctly as anonymous user',

                         username)

                return True

            elif user.username == username and check_password(password,

                                                              user.password):

                log.info('user %s authenticated correctly', username)

                return True

        else:

            log.warning('user %s is disabled', username)

    else:

        log.debug('Regular authentication failed')

        user_obj = User.get_by_username(username, case_insensitive=True)

        if user_obj is not None and not user_obj.ldap_dn:

            log.debug('this user already exists as non ldap')

            return False

        ldap_settings = RhodeCodeSetting.get_ldap_settings()

        #======================================================================

        # FALLBACK TO LDAP AUTH IF ENABLE

        #======================================================================

        if str2bool(ldap_settings.get('ldap_active')):

            log.debug("Authenticating user using ldap")

            kwargs = {

                  'server': ldap_settings.get('ldap_host', ''),

                  'base_dn': ldap_settings.get('ldap_base_dn', ''),

                  'port': ldap_settings.get('ldap_port'),

                  'bind_dn': ldap_settings.get('ldap_dn_user'),

                  'bind_pass': ldap_settings.get('ldap_dn_pass'),

                  'tls_kind': ldap_settings.get('ldap_tls_kind'),

                  'tls_reqcert': ldap_settings.get('ldap_tls_reqcert'),

                  'ldap_filter': ldap_settings.get('ldap_filter'),

                  'search_scope': ldap_settings.get('ldap_search_scope'),

                  'attr_login': ldap_settings.get('ldap_attr_login'),

                  'ldap_version': 3,

                  }

            log.debug('Checking for ldap authentication')

            try:

                aldap = AuthLdap(**kwargs)

                (user_dn, ldap_attrs) = aldap.authenticate_ldap(username,

                                                                password)

                log.debug('Got ldap DN response %s', user_dn)

                get_ldap_attr = lambda k: ldap_attrs.get(ldap_settings\

                                                           .get(k), [''])[0]

                user_attrs = {

                 'name': safe_unicode(get_ldap_attr('ldap_attr_firstname')),

                 'lastname': safe_unicode(get_ldap_attr('ldap_attr_lastname')),

                 'email': get_ldap_attr('ldap_attr_email'),

                }

                if user_model.create_ldap(username, password, user_dn,

                                          user_attrs):

                    log.info('created new ldap user %s', username)

                return True

            except (LdapUsernameError, LdapPasswordError,):

                pass

            except (Exception,):

                log.error(traceback.format_exc())

                pass

    return False

def login_container_auth(username):

    user = User.get_by_username(username)

    if user is None:

        user_model = UserModel()

        user_attrs = {

            'name': username,

            'lastname': None,