kallithea Changeset - 6257de126ec7

Changeset - 6257de126ec7

Parent rev.

Child rev.

[Not reviewed]

default

0 6 0

Mads Kiilerich - 10 years ago 2015-08-17 01:11:42
madski@unity3d.com

docs: improve documentation of beaker session configuration

beaker.session.auto is dropped; it defaults to false and there is no reason to
ever set it true for Kallithea.

beaker.session.cookie_path and secure are dropped; like cookie_domain, they
should automatically be set to the right value.
* * *
beaker.session.cookie_expires MUST have the default value of True to provide the default value of 'browser session lifetime' when not enabling 'remember' in the login box. The cookie life is hardcoded to 365 days when remember is selected.

6 files changed with 91 insertions and 134 deletions:

development.ini

docs/usage/performance.rst

kallithea/bin/template.ini.mako

kallithea/config/deployment.ini_tmpl

kallithea/lib/base.py

test.ini

0 comments (0 inline, 0 general)

development.ini

➞

Show inline comments

@@ @@ -164,424 +164,413 @@ max_request_body_size = 107374182400 @@
 ## COMMON ##
 host = 0.0.0.0
 port = 5000
 ## middleware for hosting the WSGI application under a URL prefix
 #[filter:proxy-prefix]
 #use = egg:PasteDeploy#prefix
 #prefix = /<your-prefix>
 [app:main]
 use = egg:kallithea
 ## enable proxy prefix middleware
 #filter-with = proxy-prefix
 full_stack = true
 static_files = true
 ## Available Languages:
 ## cs de fr hu ja nl_BE pl pt_BR ru sk zh_CN zh_TW
 lang =
 cache_dir = %(here)s/data
 index_dir = %(here)s/data/index
 ## perform a full repository scan on each server start, this should be
 ## set to false after first startup, to allow faster server restarts.
 #initial_repo_scan = false
 initial_repo_scan = true
 ## uncomment and set this path to use archive download cache
 archive_cache_dir = %(here)s/tarballcache
 ## change this to unique ID for security
 app_instance_uuid = development-not-secret
 ## cut off limit for large diffs (size in bytes)
 cut_off_limit = 256000
 ## use cache version of scm repo everywhere
 vcs_full_cache = true
 ## force https in Kallithea, fixes https redirects, assumes it's always https
 force_https = false
 ## use Strict-Transport-Security headers
 use_htsts = false
 ## number of commits stats will parse on each iteration
 commit_parse_limit = 25
 ## path to git executable
 git_path = git
 ## git rev filter option, --all is the default filter, if you need to
 ## hide all refs in changelog switch this to --branches --tags
 #git_rev_filter = --branches --tags
 ## RSS feed options
 rss_cut_off_limit = 256000
 rss_items_per_page = 10
 rss_include_diff = false
 ## options for showing and identifying changesets
 show_sha_length = 12
 show_revision_number = false
 ## gist URL alias, used to create nicer urls for gist. This should be an
 ## url that does rewrites to _admin/gists/<gistid>.
 ## example: http://gist.kallithea.server/{gistid}. Empty means use the internal
 ## Kallithea url, ie. http[s]://your.kallithea.server/_admin/gists/<gistid>
 gist_alias_url =
 ## white list of API enabled controllers. This allows to add list of
 ## controllers to which access will be enabled by api_key. eg: to enable
 ## api access to raw_files put `FilesController:raw`, to enable access to patches
 ## add `ChangesetController:changeset_patch`. This list should be "," separated
 ## Syntax is <ControllerClass>:<function>. Check debug logs for generated names
 ## Recommended settings below are commented out:
 api_access_controllers_whitelist =
 #    ChangesetController:changeset_patch,
 #    ChangesetController:changeset_raw,
 #    FilesController:raw,
 #    FilesController:archivefile
 ## default encoding used to convert from and to unicode
 ## can be also a comma seperated list of encoding in case of mixed encodings
 default_encoding = utf8
 ## issue tracker for Kallithea (leave blank to disable, absent for default)
 #bugtracker = https://bitbucket.org/conservancy/kallithea/issues
 ## issue tracking mapping for commits messages
 ## comment out issue_pat, issue_server, issue_prefix to enable
 ## pattern to get the issues from commit messages
 ## default one used here is #<numbers> with a regex passive group for `#`
 ## {id} will be all groups matched from this pattern
 issue_pat = (?:\s*#)(\d+)
 ## server url to the issue, each {id} will be replaced with match
 ## fetched from the regex and {repo} is replaced with full repository name
 ## including groups {repo_name} is replaced with just name of repo
 issue_server_link = https://myissueserver.com/{repo}/issue/{id}
 ## prefix to add to link to indicate it's an url
 ## #314 will be replaced by <issue_prefix><id>
 issue_prefix = #
 ## issue_pat, issue_server_link, issue_prefix can have suffixes to specify
 ## multiple patterns, to other issues server, wiki or others
 ## below an example how to create a wiki pattern
 # wiki-some-id -> https://mywiki.com/some-id
 #issue_pat_wiki = (?:wiki-)(.+)
 #issue_server_link_wiki = https://mywiki.com/{id}
 #issue_prefix_wiki = WIKI-
 ## instance-id prefix
 ## a prefix key for this instance used for cache invalidation when running
 ## multiple instances of kallithea, make sure it's globally unique for
 ## all running kallithea instances. Leave empty if you don't use it
 instance_id =
 ## alternative return HTTP header for failed authentication. Default HTTP
 ## response is 401 HTTPUnauthorized. Currently Mercurial clients have trouble with
 ## handling that. Set this variable to 403 to return HTTPForbidden
 auth_ret_code =
 ## locking return code. When repository is locked return this HTTP code. 2XX
 ## codes don't break the transactions while 4XX codes do
 lock_ret_code = 423
 ## allows to change the repository location in settings page
 allow_repo_location_change = True
 ## allows to setup custom hooks in settings page
 allow_custom_hooks_settings = True
 ####################################
 ###        CELERY CONFIG        ####
 ####################################
 use_celery = false
 broker.host = localhost
 broker.vhost = rabbitmqhost
 broker.port = 5672
 broker.user = rabbitmq
 broker.password = qweqwe
 celery.imports = kallithea.lib.celerylib.tasks
 celery.result.backend = amqp
 celery.result.dburi = amqp://
 celery.result.serialier = json
 #celery.send.task.error.emails = true
 #celery.amqp.task.result.expires = 18000
 celeryd.concurrency = 2
 #celeryd.log.file = celeryd.log
 celeryd.log.level = DEBUG
 celeryd.max.tasks.per.child = 1
 ## tasks will never be sent to the queue, but executed locally instead.
 celery.always.eager = false
 ####################################
 ###         BEAKER CACHE        ####
 ####################################
 beaker.cache.data_dir = %(here)s/data/cache/data
 beaker.cache.lock_dir = %(here)s/data/cache/lock
 beaker.cache.regions = short_term,long_term,sql_cache_short
 beaker.cache.short_term.type = memory
 beaker.cache.short_term.expire = 60
 beaker.cache.short_term.key_length = 256
 beaker.cache.long_term.type = memory
 beaker.cache.long_term.expire = 36000
 beaker.cache.long_term.key_length = 256
 beaker.cache.sql_cache_short.type = memory
 beaker.cache.sql_cache_short.expire = 10
 beaker.cache.sql_cache_short.key_length = 256
 ####################################
 ###       BEAKER SESSION        ####
 ####################################
 ## Name of session cookie. Should be unique for a given host and path, even when running
 ## on different ports. Otherwise, cookie sessions will be shared and messed up.
 beaker.session.key = kallithea
 ## Sessions should always only be accessible by the browser, not directly by JavaScript.
 beaker.session.httponly = true
 ## Session lifetime. 2592000 seconds is 30 days.
 beaker.session.timeout = 2592000
 ## Server secret used with HMAC to ensure integrity of cookies.
 beaker.session.secret = development-not-secret
 ## Further, encrypt the data with AES.
 #beaker.session.encrypt_key = <key_for_encryption>
 #beaker.session.validate_key = <validation_key>
 ## Type of storage used for the session, current types are
 ## dbm, file, memcached, database, and memory.
 ## The storage uses the Container API
 ## that is also used by the cache system.
 ## File system storage of session data. (default)
 #beaker.session.type = file
 ## db session ##
 ## Cookie only, store all session data inside the cookie. Requires secure secrets.
 #beaker.session.type = cookie
 ## Database storage of session data.
 #beaker.session.type = ext:database
 #beaker.session.sa.url = postgresql://postgres:qwe@localhost/kallithea
 #beaker.session.table_name = db_session
 ## encrypted cookie client side session, good for many instances ##
 #beaker.session.type = cookie
 ## file based cookies (default) ##
 #beaker.session.type = file
 ## beaker.session.key should be unique for a given host, even when running
 ## on different ports. Otherwise, cookie sessions will be shared and messed up.
 beaker.session.key = kallithea
 beaker.session.secret = development-not-secret
 ## Secure encrypted cookie. Requires AES and AES python libraries
 ## you must disable beaker.session.secret to use this
 #beaker.session.encrypt_key = <key_for_encryption>
 #beaker.session.validate_key = <validation_key>
 ## sets session as invalid if it haven't been accessed for given amount of time
 beaker.session.timeout = 2592000
 beaker.session.httponly = true
 #beaker.session.cookie_path = /<your-prefix>
 ## uncomment for https secure cookie
 beaker.session.secure = false
 ## auto save the session to not to use .save()
 beaker.session.auto = False
 ## default cookie expiration time in seconds `true` expire at browser close ##
 #beaker.session.cookie_expires = 3600
 ############################
 ## ERROR HANDLING SYSTEMS ##
 ############################
 ####################
 ### [errormator] ###
 ####################
 ## Errormator is tailored to work with Kallithea, see
 ## http://errormator.com for details how to obtain an account
 ## you must install python package `errormator_client` to make it work
 ## errormator enabled
 errormator = false
 errormator.server_url = https://api.errormator.com
 errormator.api_key = YOUR_API_KEY
 ## TWEAK AMOUNT OF INFO SENT HERE
 ## enables 404 error logging (default False)
 errormator.report_404 = false
 ## time in seconds after request is considered being slow (default 1)
 errormator.slow_request_time = 1
 ## record slow requests in application
 ## (needs to be enabled for slow datastore recording and time tracking)
 errormator.slow_requests = true
 ## enable hooking to application loggers
 #errormator.logging = true
 ## minimum log level for log capture
 #errormator.logging.level = WARNING
 ## send logs only from erroneous/slow requests
 ## (saves API quota for intensive logging)
 errormator.logging_on_error = false
 ## list of additonal keywords that should be grabbed from environ object
 ## can be string with comma separated list of words in lowercase
 ## (by default client will always send following info:
 ## 'REMOTE_USER', 'REMOTE_ADDR', 'SERVER_NAME', 'CONTENT_TYPE' + all keys that
 ## start with HTTP* this list be extended with additional keywords here
 errormator.environ_keys_whitelist =
 ## list of keywords that should be blanked from request object
 ## can be string with comma separated list of words in lowercase
 ## (by default client will always blank keys that contain following words
 ## 'password', 'passwd', 'pwd', 'auth_tkt', 'secret', 'csrf'
 ## this list be extended with additional keywords set here
 errormator.request_keys_blacklist =
 ## list of namespaces that should be ignores when gathering log entries
 ## can be string with comma separated list of namespaces
 ## (by default the client ignores own entries: errormator_client.client)
 errormator.log_namespace_blacklist =
 ################
 ### [sentry] ###
 ################
 ## sentry is a alternative open source error aggregator
 ## you must install python packages `sentry` and `raven` to enable
 sentry.dsn = YOUR_DNS
 sentry.servers =
 sentry.name =
 sentry.key =
 sentry.public_key =
 sentry.secret_key =
 sentry.project =
 sentry.site =
 sentry.include_paths =
 sentry.exclude_paths =
 ################################################################################
 ## WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*  ##
 ## Debug mode will enable the interactive debugging tool, allowing ANYONE to  ##
 ## execute malicious code after an exception is raised.                       ##
 ################################################################################
 #set debug = false
 set debug = true
 ##################################
 ###       LOGVIEW CONFIG       ###
 ##################################
 logview.sqlalchemy = #faa
 logview.pylons.templating = #bfb
 logview.pylons.util = #eee
 #########################################################
 ### DB CONFIGS - EACH DB WILL HAVE IT'S OWN CONFIG    ###
 #########################################################
 # SQLITE [default]
 sqlalchemy.db1.url = sqlite:///%(here)s/kallithea.db?timeout=60
 # POSTGRESQL
 #sqlalchemy.db1.url = postgresql://user:pass@localhost/kallithea
 # MySQL
 #sqlalchemy.db1.url = mysql://user:pass@localhost/kallithea
 # see sqlalchemy docs for others
 sqlalchemy.db1.echo = false
 sqlalchemy.db1.pool_recycle = 3600
 sqlalchemy.db1.convert_unicode = true
 ################################
 ### LOGGING CONFIGURATION   ####
 ################################
 [loggers]
 keys = root, routes, kallithea, sqlalchemy, beaker, templates, whoosh_indexer
 [handlers]
 keys = console, console_sql
 [formatters]
 keys = generic, color_formatter, color_formatter_sql
 #############
 ## LOGGERS ##
 #############
 [logger_root]
 level = NOTSET
 handlers = console
 [logger_routes]
 level = DEBUG
 handlers =
 qualname = routes.middleware
 ## "level = DEBUG" logs the route matched and routing variables.
 propagate = 1
 [logger_beaker]
 level = DEBUG
 handlers =
 qualname = beaker.container
 propagate = 1
 [logger_templates]
 level = INFO
 handlers =
 qualname = pylons.templating
 propagate = 1
 [logger_kallithea]
 level = DEBUG
 handlers =
 qualname = kallithea
 propagate = 1
 [logger_sqlalchemy]
 level = INFO
 handlers = console_sql
 qualname = sqlalchemy.engine
 propagate = 0
 [logger_whoosh_indexer]
 level = DEBUG
 handlers =
 qualname = whoosh_indexer
 propagate = 1
 ##############
 ## HANDLERS ##
 ##############
 [handler_console]
 class = StreamHandler
 args = (sys.stderr,)
 #level = INFO
 #formatter = generic
 level = DEBUG
 formatter = color_formatter
 [handler_console_sql]
 class = StreamHandler
 args = (sys.stderr,)
 #level = WARN
 #formatter = generic
 level = DEBUG
 formatter = color_formatter_sql
 ################
 ## FORMATTERS ##

docs/usage/performance.rst

➞

Show inline comments

 .. _performance:
 ================================
 Optimizing Kallithea Performance
 ================================
 When serving a large amount of big repositories, Kallithea can start
 performing slower than expected. Because of the demanding nature of handling large
 amounts of data from version control systems, here are some tips on how to get
 the best performance.
 * Kallithea will perform better on machines with faster disks (SSD/SAN). It's
   more important to have a faster disk than a faster CPU.
 * Slowness on initial page can be easily fixed by grouping repositories, and/or
   increasing cache size (see below). This includes using the lightweight dashboard
   option and ``vcs_full_cache`` setting in .ini file
 Follow these few steps to improve performance of Kallithea system.
 . Increase cache
-    Tweak beaker cache settings in the ini file. That actual effect of that
+    Tweak beaker cache settings in the ini file. The actual effect of that
     is questionable.
 . Switch from sqlite to postgres or mysql
     sqlite is a good option when having a small load on the system. But due to
     locking issues with sqlite, it is not recommended to use it for larger
     deployments. Switching to mysql or postgres will result in an immediate
     performance increase. A tool like SQLAlchemyGrate_ can be used for
     migrating to another database platform.
 . Scale Kallithea horizontally
     Scaling horizontally can give huge performance increases when dealing with
     large traffic (large amount of users, CI servers etc). Kallithea can be
     scaled horizontally on one (recommended) or multiple machines. In order
     to scale horizontally you need to do the following:
     - Each instance needs its own .ini file and unique ``instance_id`` set.
     - Each instance's ``data`` storage needs to be configured to be stored on a
       shared disk storage, preferably together with repositories. This ``data``
       dir contains template caches, sessions, whoosh index and is used for
       task locking (so it is safe across multiple instances). Set the
       ``cache_dir``, ``index_dir``, ``beaker.cache.data_dir``, ``beaker.cache.lock_dir``
       variables in each .ini file to a shared location across Kallithea instances
     - If celery is used each instance should run a separate Celery instance, but
       the message broker should be common to all of them (e.g.,  one
       shared RabbitMQ server)
     - Load balance using round robin or IP hash, recommended is writing LB rules
       that will separate regular user traffic from automated processes like CI
       servers or build bots.
 .. _SQLAlchemyGrate: https://github.com/shazow/sqlalchemygrate

kallithea/bin/template.ini.mako

➞

Show inline comments

@@ @@ -162,424 +162,413 @@ cheaper-step = 1 @@
 %endif
 <%text>## COMMON ##</%text>
 host = ${host}
 port = ${port}
 <%text>## middleware for hosting the WSGI application under a URL prefix</%text>
 #[filter:proxy-prefix]
 #use = egg:PasteDeploy#prefix
 #prefix = /<your-prefix>
 [app:main]
 use = egg:kallithea
 <%text>## enable proxy prefix middleware</%text>
 #filter-with = proxy-prefix
 full_stack = true
 static_files = true
 <%text>## Available Languages:</%text>
 <%text>## cs de fr hu ja nl_BE pl pt_BR ru sk zh_CN zh_TW</%text>
 lang =
 cache_dir = ${here}/data
 index_dir = ${here}/data/index
 <%text>## perform a full repository scan on each server start, this should be</%text>
 <%text>## set to false after first startup, to allow faster server restarts.</%text>
 initial_repo_scan = false
 <%text>## uncomment and set this path to use archive download cache</%text>
 archive_cache_dir = ${here}/tarballcache
 <%text>## change this to unique ID for security</%text>
 app_instance_uuid = ${uuid()}
 <%text>## cut off limit for large diffs (size in bytes)</%text>
 cut_off_limit = 256000
 <%text>## use cache version of scm repo everywhere</%text>
 vcs_full_cache = true
 <%text>## force https in Kallithea, fixes https redirects, assumes it's always https</%text>
 force_https = false
 <%text>## use Strict-Transport-Security headers</%text>
 use_htsts = false
 <%text>## number of commits stats will parse on each iteration</%text>
 commit_parse_limit = 25
 <%text>## path to git executable</%text>
 git_path = git
 <%text>## git rev filter option, --all is the default filter, if you need to</%text>
 <%text>## hide all refs in changelog switch this to --branches --tags</%text>
 #git_rev_filter = --branches --tags
 <%text>## RSS feed options</%text>
 rss_cut_off_limit = 256000
 rss_items_per_page = 10
 rss_include_diff = false
 <%text>## options for showing and identifying changesets</%text>
 show_sha_length = 12
 show_revision_number = false
 <%text>## gist URL alias, used to create nicer urls for gist. This should be an</%text>
 <%text>## url that does rewrites to _admin/gists/<gistid>.</%text>
 <%text>## example: http://gist.kallithea.server/{gistid}. Empty means use the internal</%text>
 <%text>## Kallithea url, ie. http[s]://your.kallithea.server/_admin/gists/<gistid></%text>
 gist_alias_url =
 <%text>## white list of API enabled controllers. This allows to add list of</%text>
 <%text>## controllers to which access will be enabled by api_key. eg: to enable</%text>
 <%text>## api access to raw_files put `FilesController:raw`, to enable access to patches</%text>
 <%text>## add `ChangesetController:changeset_patch`. This list should be "," separated</%text>
 <%text>## Syntax is <ControllerClass>:<function>. Check debug logs for generated names</%text>
 <%text>## Recommended settings below are commented out:</%text>
 api_access_controllers_whitelist =
 #    ChangesetController:changeset_patch,
 #    ChangesetController:changeset_raw,
 #    FilesController:raw,
 #    FilesController:archivefile
 <%text>## default encoding used to convert from and to unicode</%text>
 <%text>## can be also a comma seperated list of encoding in case of mixed encodings</%text>
 default_encoding = utf8
 <%text>## issue tracker for Kallithea (leave blank to disable, absent for default)</%text>
 #bugtracker = https://bitbucket.org/conservancy/kallithea/issues
 <%text>## issue tracking mapping for commits messages</%text>
 <%text>## comment out issue_pat, issue_server, issue_prefix to enable</%text>
 <%text>## pattern to get the issues from commit messages</%text>
 <%text>## default one used here is #<numbers> with a regex passive group for `#`</%text>
 <%text>## {id} will be all groups matched from this pattern</%text>
 issue_pat = (?:\s*#)(\d+)
 <%text>## server url to the issue, each {id} will be replaced with match</%text>
 <%text>## fetched from the regex and {repo} is replaced with full repository name</%text>
 <%text>## including groups {repo_name} is replaced with just name of repo</%text>
 issue_server_link = https://myissueserver.com/{repo}/issue/{id}
 <%text>## prefix to add to link to indicate it's an url</%text>
 <%text>## #314 will be replaced by <issue_prefix><id></%text>
 issue_prefix = #
 <%text>## issue_pat, issue_server_link, issue_prefix can have suffixes to specify</%text>
 <%text>## multiple patterns, to other issues server, wiki or others</%text>
 <%text>## below an example how to create a wiki pattern</%text>
 # wiki-some-id -> https://mywiki.com/some-id
 #issue_pat_wiki = (?:wiki-)(.+)
 #issue_server_link_wiki = https://mywiki.com/{id}
 #issue_prefix_wiki = WIKI-
 <%text>## instance-id prefix</%text>
 <%text>## a prefix key for this instance used for cache invalidation when running</%text>
 <%text>## multiple instances of kallithea, make sure it's globally unique for</%text>
 <%text>## all running kallithea instances. Leave empty if you don't use it</%text>
 instance_id =
 <%text>## alternative return HTTP header for failed authentication. Default HTTP</%text>
 <%text>## response is 401 HTTPUnauthorized. Currently Mercurial clients have trouble with</%text>
 <%text>## handling that. Set this variable to 403 to return HTTPForbidden</%text>
 auth_ret_code =
 <%text>## locking return code. When repository is locked return this HTTP code. 2XX</%text>
 <%text>## codes don't break the transactions while 4XX codes do</%text>
 lock_ret_code = 423
 <%text>## allows to change the repository location in settings page</%text>
 allow_repo_location_change = True
 <%text>## allows to setup custom hooks in settings page</%text>
 allow_custom_hooks_settings = True
 <%text>####################################</%text>
 <%text>###        CELERY CONFIG        ####</%text>
 <%text>####################################</%text>
 use_celery = false
 broker.host = localhost
 broker.vhost = rabbitmqhost
 broker.port = 5672
 broker.user = rabbitmq
 broker.password = qweqwe
 celery.imports = kallithea.lib.celerylib.tasks
 celery.result.backend = amqp
 celery.result.dburi = amqp://
 celery.result.serialier = json
 #celery.send.task.error.emails = true
 #celery.amqp.task.result.expires = 18000
 celeryd.concurrency = 2
 #celeryd.log.file = celeryd.log
 celeryd.log.level = DEBUG
 celeryd.max.tasks.per.child = 1
 <%text>## tasks will never be sent to the queue, but executed locally instead.</%text>
 celery.always.eager = false
 <%text>####################################</%text>
 <%text>###         BEAKER CACHE        ####</%text>
 <%text>####################################</%text>
 beaker.cache.data_dir = ${here}/data/cache/data
 beaker.cache.lock_dir = ${here}/data/cache/lock
 beaker.cache.regions = short_term,long_term,sql_cache_short
 beaker.cache.short_term.type = memory
 beaker.cache.short_term.expire = 60
 beaker.cache.short_term.key_length = 256
 beaker.cache.long_term.type = memory
 beaker.cache.long_term.expire = 36000
 beaker.cache.long_term.key_length = 256
 beaker.cache.sql_cache_short.type = memory
 beaker.cache.sql_cache_short.expire = 10
 beaker.cache.sql_cache_short.key_length = 256
 <%text>####################################</%text>
 <%text>###       BEAKER SESSION        ####</%text>
 <%text>####################################</%text>
 <%text>## Name of session cookie. Should be unique for a given host and path, even when running</%text>
 <%text>## on different ports. Otherwise, cookie sessions will be shared and messed up.</%text>
 beaker.session.key = kallithea
 <%text>## Sessions should always only be accessible by the browser, not directly by JavaScript.</%text>
 beaker.session.httponly = true
 <%text>## Session lifetime. 2592000 seconds is 30 days.</%text>
 beaker.session.timeout = 2592000
 <%text>## Server secret used with HMAC to ensure integrity of cookies.</%text>
 beaker.session.secret = ${uuid()}
 <%text>## Further, encrypt the data with AES.</%text>
 #beaker.session.encrypt_key = <key_for_encryption>
 #beaker.session.validate_key = <validation_key>
 <%text>## Type of storage used for the session, current types are</%text>
 <%text>## dbm, file, memcached, database, and memory.</%text>
 <%text>## The storage uses the Container API</%text>
 <%text>## that is also used by the cache system.</%text>
 <%text>## File system storage of session data. (default)</%text>
 #beaker.session.type = file
 <%text>## db session ##</%text>
 <%text>## Cookie only, store all session data inside the cookie. Requires secure secrets.</%text>
 #beaker.session.type = cookie
 <%text>## Database storage of session data.</%text>
 #beaker.session.type = ext:database
 #beaker.session.sa.url = postgresql://postgres:qwe@localhost/kallithea
 #beaker.session.table_name = db_session
 <%text>## encrypted cookie client side session, good for many instances ##</%text>
 #beaker.session.type = cookie
 <%text>## file based cookies (default) ##</%text>
 #beaker.session.type = file
 <%text>## beaker.session.key should be unique for a given host, even when running</%text>
 <%text>## on different ports. Otherwise, cookie sessions will be shared and messed up.</%text>
 beaker.session.key = kallithea
 beaker.session.secret = ${uuid()}
 <%text>## Secure encrypted cookie. Requires AES and AES python libraries</%text>
 <%text>## you must disable beaker.session.secret to use this</%text>
 #beaker.session.encrypt_key = <key_for_encryption>
 #beaker.session.validate_key = <validation_key>
 <%text>## sets session as invalid if it haven't been accessed for given amount of time</%text>
 beaker.session.timeout = 2592000
 beaker.session.httponly = true
 #beaker.session.cookie_path = /<your-prefix>
 <%text>## uncomment for https secure cookie</%text>
 beaker.session.secure = false
 <%text>## auto save the session to not to use .save()</%text>
 beaker.session.auto = False
 <%text>## default cookie expiration time in seconds `true` expire at browser close ##</%text>
 #beaker.session.cookie_expires = 3600
 %if error_aggregation_service == 'errormator':
 <%text>############################</%text>
 <%text>## ERROR HANDLING SYSTEMS ##</%text>
 <%text>############################</%text>
 <%text>####################</%text>
 <%text>### [errormator] ###</%text>
 <%text>####################</%text>
 <%text>## Errormator is tailored to work with Kallithea, see</%text>
 <%text>## http://errormator.com for details how to obtain an account</%text>
 <%text>## you must install python package `errormator_client` to make it work</%text>
 <%text>## errormator enabled</%text>
 errormator = false
 errormator.server_url = https://api.errormator.com
 errormator.api_key = YOUR_API_KEY
 <%text>## TWEAK AMOUNT OF INFO SENT HERE</%text>
 <%text>## enables 404 error logging (default False)</%text>
 errormator.report_404 = false
 <%text>## time in seconds after request is considered being slow (default 1)</%text>
 errormator.slow_request_time = 1
 <%text>## record slow requests in application</%text>
 <%text>## (needs to be enabled for slow datastore recording and time tracking)</%text>
 errormator.slow_requests = true
 <%text>## enable hooking to application loggers</%text>
 #errormator.logging = true
 <%text>## minimum log level for log capture</%text>
 #errormator.logging.level = WARNING
 <%text>## send logs only from erroneous/slow requests</%text>
 <%text>## (saves API quota for intensive logging)</%text>
 errormator.logging_on_error = false
 <%text>## list of additonal keywords that should be grabbed from environ object</%text>
 <%text>## can be string with comma separated list of words in lowercase</%text>
 <%text>## (by default client will always send following info:</%text>
 <%text>## 'REMOTE_USER', 'REMOTE_ADDR', 'SERVER_NAME', 'CONTENT_TYPE' + all keys that</%text>
 <%text>## start with HTTP* this list be extended with additional keywords here</%text>
 errormator.environ_keys_whitelist =
 <%text>## list of keywords that should be blanked from request object</%text>
 <%text>## can be string with comma separated list of words in lowercase</%text>
 <%text>## (by default client will always blank keys that contain following words</%text>
 <%text>## 'password', 'passwd', 'pwd', 'auth_tkt', 'secret', 'csrf'</%text>
 <%text>## this list be extended with additional keywords set here</%text>
 errormator.request_keys_blacklist =
 <%text>## list of namespaces that should be ignores when gathering log entries</%text>
 <%text>## can be string with comma separated list of namespaces</%text>
 <%text>## (by default the client ignores own entries: errormator_client.client)</%text>
 errormator.log_namespace_blacklist =
 %elif error_aggregation_service == 'sentry':
 <%text>################</%text>
 <%text>### [sentry] ###</%text>
 <%text>################</%text>
 <%text>## sentry is a alternative open source error aggregator</%text>
 <%text>## you must install python packages `sentry` and `raven` to enable</%text>
 sentry.dsn = YOUR_DNS
 sentry.servers =
 sentry.name =
 sentry.key =
 sentry.public_key =
 sentry.secret_key =
 sentry.project =
 sentry.site =
 sentry.include_paths =
 sentry.exclude_paths =
 %endif
 <%text>################################################################################</%text>
 <%text>## WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*  ##</%text>
 <%text>## Debug mode will enable the interactive debugging tool, allowing ANYONE to  ##</%text>
 <%text>## execute malicious code after an exception is raised.                       ##</%text>
 <%text>################################################################################</%text>
 set debug = false
 <%text>##################################</%text>
 <%text>###       LOGVIEW CONFIG       ###</%text>
 <%text>##################################</%text>
 logview.sqlalchemy = #faa
 logview.pylons.templating = #bfb
 logview.pylons.util = #eee
 <%text>#########################################################</%text>
 <%text>### DB CONFIGS - EACH DB WILL HAVE IT'S OWN CONFIG    ###</%text>
 <%text>#########################################################</%text>
 %if database_engine == 'sqlite':
 # SQLITE [default]
 sqlalchemy.db1.url = sqlite:///${here}/kallithea.db?timeout=60
 %elif database_engine == 'postgres':
 # POSTGRESQL
 sqlalchemy.db1.url = postgresql://user:pass@localhost/kallithea
 %elif database_engine == 'mysql':
 # MySQL
 sqlalchemy.db1.url = mysql://user:pass@localhost/kallithea
 %endif
 # see sqlalchemy docs for others
 sqlalchemy.db1.echo = false
 sqlalchemy.db1.pool_recycle = 3600
 sqlalchemy.db1.convert_unicode = true
 <%text>################################</%text>
 <%text>### LOGGING CONFIGURATION   ####</%text>
 <%text>################################</%text>
 [loggers]
 keys = root, routes, kallithea, sqlalchemy, beaker, templates, whoosh_indexer
 [handlers]
 keys = console, console_sql
 [formatters]
 keys = generic, color_formatter, color_formatter_sql
 <%text>#############</%text>
 <%text>## LOGGERS ##</%text>
 <%text>#############</%text>
 [logger_root]
 level = NOTSET
 handlers = console
 [logger_routes]
 level = DEBUG
 handlers =
 qualname = routes.middleware
 <%text>## "level = DEBUG" logs the route matched and routing variables.</%text>
 propagate = 1
 [logger_beaker]
 level = DEBUG
 handlers =
 qualname = beaker.container
 propagate = 1
 [logger_templates]
 level = INFO
 handlers =
 qualname = pylons.templating
 propagate = 1
 [logger_kallithea]
 level = DEBUG
 handlers =
 qualname = kallithea
 propagate = 1
 [logger_sqlalchemy]
 level = INFO
 handlers = console_sql
 qualname = sqlalchemy.engine
 propagate = 0
 [logger_whoosh_indexer]
 level = DEBUG
 handlers =
 qualname = whoosh_indexer
 propagate = 1
 <%text>##############</%text>
 <%text>## HANDLERS ##</%text>
 <%text>##############</%text>
 [handler_console]
 class = StreamHandler
 args = (sys.stderr,)
 level = INFO
 formatter = generic
 [handler_console_sql]
 class = StreamHandler
 args = (sys.stderr,)
 level = WARN
 formatter = generic

kallithea/config/deployment.ini_tmpl

➞

Show inline comments

@@ @@ -158,424 +158,413 @@ max_request_body_size = 107374182400 @@
 #cheaper-step = 1
 ## COMMON ##
 host = 127.0.0.1
 port = 5000
 ## middleware for hosting the WSGI application under a URL prefix
 #[filter:proxy-prefix]
 #use = egg:PasteDeploy#prefix
 #prefix = /<your-prefix>
 [app:main]
 use = egg:kallithea
 ## enable proxy prefix middleware
 #filter-with = proxy-prefix
 full_stack = true
 static_files = true
 ## Available Languages:
 ## cs de fr hu ja nl_BE pl pt_BR ru sk zh_CN zh_TW
 lang =
 cache_dir = %(here)s/data
 index_dir = %(here)s/data/index
 ## perform a full repository scan on each server start, this should be
 ## set to false after first startup, to allow faster server restarts.
 initial_repo_scan = false
 ## uncomment and set this path to use archive download cache
 archive_cache_dir = %(here)s/tarballcache
 ## change this to unique ID for security
 app_instance_uuid = ${app_instance_uuid}
 ## cut off limit for large diffs (size in bytes)
 cut_off_limit = 256000
 ## use cache version of scm repo everywhere
 vcs_full_cache = true
 ## force https in Kallithea, fixes https redirects, assumes it's always https
 force_https = false
 ## use Strict-Transport-Security headers
 use_htsts = false
 ## number of commits stats will parse on each iteration
 commit_parse_limit = 25
 ## path to git executable
 git_path = git
 ## git rev filter option, --all is the default filter, if you need to
 ## hide all refs in changelog switch this to --branches --tags
 #git_rev_filter = --branches --tags
 ## RSS feed options
 rss_cut_off_limit = 256000
 rss_items_per_page = 10
 rss_include_diff = false
 ## options for showing and identifying changesets
 show_sha_length = 12
 show_revision_number = false
 ## gist URL alias, used to create nicer urls for gist. This should be an
 ## url that does rewrites to _admin/gists/<gistid>.
 ## example: http://gist.kallithea.server/{gistid}. Empty means use the internal
 ## Kallithea url, ie. http[s]://your.kallithea.server/_admin/gists/<gistid>
 gist_alias_url =
 ## white list of API enabled controllers. This allows to add list of
 ## controllers to which access will be enabled by api_key. eg: to enable
 ## api access to raw_files put `FilesController:raw`, to enable access to patches
 ## add `ChangesetController:changeset_patch`. This list should be "," separated
 ## Syntax is <ControllerClass>:<function>. Check debug logs for generated names
 ## Recommended settings below are commented out:
 api_access_controllers_whitelist =
 #    ChangesetController:changeset_patch,
 #    ChangesetController:changeset_raw,
 #    FilesController:raw,
 #    FilesController:archivefile
 ## default encoding used to convert from and to unicode
 ## can be also a comma seperated list of encoding in case of mixed encodings
 default_encoding = utf8
 ## issue tracker for Kallithea (leave blank to disable, absent for default)
 #bugtracker = https://bitbucket.org/conservancy/kallithea/issues
 ## issue tracking mapping for commits messages
 ## comment out issue_pat, issue_server, issue_prefix to enable
 ## pattern to get the issues from commit messages
 ## default one used here is #<numbers> with a regex passive group for `#`
 ## {id} will be all groups matched from this pattern
 issue_pat = (?:\s*#)(\d+)
 ## server url to the issue, each {id} will be replaced with match
 ## fetched from the regex and {repo} is replaced with full repository name
 ## including groups {repo_name} is replaced with just name of repo
 issue_server_link = https://myissueserver.com/{repo}/issue/{id}
 ## prefix to add to link to indicate it's an url
 ## #314 will be replaced by <issue_prefix><id>
 issue_prefix = #
 ## issue_pat, issue_server_link, issue_prefix can have suffixes to specify
 ## multiple patterns, to other issues server, wiki or others
 ## below an example how to create a wiki pattern
 # wiki-some-id -> https://mywiki.com/some-id
 #issue_pat_wiki = (?:wiki-)(.+)
 #issue_server_link_wiki = https://mywiki.com/{id}
 #issue_prefix_wiki = WIKI-
 ## instance-id prefix
 ## a prefix key for this instance used for cache invalidation when running
 ## multiple instances of kallithea, make sure it's globally unique for
 ## all running kallithea instances. Leave empty if you don't use it
 instance_id =
 ## alternative return HTTP header for failed authentication. Default HTTP
 ## response is 401 HTTPUnauthorized. Currently Mercurial clients have trouble with
 ## handling that. Set this variable to 403 to return HTTPForbidden
 auth_ret_code =
 ## locking return code. When repository is locked return this HTTP code. 2XX
 ## codes don't break the transactions while 4XX codes do
 lock_ret_code = 423
 ## allows to change the repository location in settings page
 allow_repo_location_change = True
 ## allows to setup custom hooks in settings page
 allow_custom_hooks_settings = True
 ####################################
 ###        CELERY CONFIG        ####
 ####################################
 use_celery = false
 broker.host = localhost
 broker.vhost = rabbitmqhost
 broker.port = 5672
 broker.user = rabbitmq
 broker.password = qweqwe
 celery.imports = kallithea.lib.celerylib.tasks
 celery.result.backend = amqp
 celery.result.dburi = amqp://
 celery.result.serialier = json
 #celery.send.task.error.emails = true
 #celery.amqp.task.result.expires = 18000
 celeryd.concurrency = 2
 #celeryd.log.file = celeryd.log
 celeryd.log.level = DEBUG
 celeryd.max.tasks.per.child = 1
 ## tasks will never be sent to the queue, but executed locally instead.
 celery.always.eager = false
 ####################################
 ###         BEAKER CACHE        ####
 ####################################
 beaker.cache.data_dir = %(here)s/data/cache/data
 beaker.cache.lock_dir = %(here)s/data/cache/lock
 beaker.cache.regions = short_term,long_term,sql_cache_short
 beaker.cache.short_term.type = memory
 beaker.cache.short_term.expire = 60
 beaker.cache.short_term.key_length = 256
 beaker.cache.long_term.type = memory
 beaker.cache.long_term.expire = 36000
 beaker.cache.long_term.key_length = 256
 beaker.cache.sql_cache_short.type = memory
 beaker.cache.sql_cache_short.expire = 10
 beaker.cache.sql_cache_short.key_length = 256
 ####################################
 ###       BEAKER SESSION        ####
 ####################################
 ## Name of session cookie. Should be unique for a given host and path, even when running
 ## on different ports. Otherwise, cookie sessions will be shared and messed up.
 beaker.session.key = kallithea
 ## Sessions should always only be accessible by the browser, not directly by JavaScript.
 beaker.session.httponly = true
 ## Session lifetime. 2592000 seconds is 30 days.
 beaker.session.timeout = 2592000
 ## Server secret used with HMAC to ensure integrity of cookies.
 beaker.session.secret = ${app_instance_uuid}
 ## Further, encrypt the data with AES.
 #beaker.session.encrypt_key = <key_for_encryption>
 #beaker.session.validate_key = <validation_key>
 ## Type of storage used for the session, current types are
 ## dbm, file, memcached, database, and memory.
 ## The storage uses the Container API
 ## that is also used by the cache system.
 ## File system storage of session data. (default)
 #beaker.session.type = file
 ## db session ##
 ## Cookie only, store all session data inside the cookie. Requires secure secrets.
 #beaker.session.type = cookie
 ## Database storage of session data.
 #beaker.session.type = ext:database
 #beaker.session.sa.url = postgresql://postgres:qwe@localhost/kallithea
 #beaker.session.table_name = db_session
 ## encrypted cookie client side session, good for many instances ##
 #beaker.session.type = cookie
 ## file based cookies (default) ##
 #beaker.session.type = file
 ## beaker.session.key should be unique for a given host, even when running
 ## on different ports. Otherwise, cookie sessions will be shared and messed up.
 beaker.session.key = kallithea
 beaker.session.secret = ${app_instance_uuid}
 ## Secure encrypted cookie. Requires AES and AES python libraries
 ## you must disable beaker.session.secret to use this
 #beaker.session.encrypt_key = <key_for_encryption>
 #beaker.session.validate_key = <validation_key>
 ## sets session as invalid if it haven't been accessed for given amount of time
 beaker.session.timeout = 2592000
 beaker.session.httponly = true
 #beaker.session.cookie_path = /<your-prefix>
 ## uncomment for https secure cookie
 beaker.session.secure = false
 ## auto save the session to not to use .save()
 beaker.session.auto = False
 ## default cookie expiration time in seconds `true` expire at browser close ##
 #beaker.session.cookie_expires = 3600
 ############################
 ## ERROR HANDLING SYSTEMS ##
 ############################
 ####################
 ### [errormator] ###
 ####################
 ## Errormator is tailored to work with Kallithea, see
 ## http://errormator.com for details how to obtain an account
 ## you must install python package `errormator_client` to make it work
 ## errormator enabled
 errormator = false
 errormator.server_url = https://api.errormator.com
 errormator.api_key = YOUR_API_KEY
 ## TWEAK AMOUNT OF INFO SENT HERE
 ## enables 404 error logging (default False)
 errormator.report_404 = false
 ## time in seconds after request is considered being slow (default 1)
 errormator.slow_request_time = 1
 ## record slow requests in application
 ## (needs to be enabled for slow datastore recording and time tracking)
 errormator.slow_requests = true
 ## enable hooking to application loggers
 #errormator.logging = true
 ## minimum log level for log capture
 #errormator.logging.level = WARNING
 ## send logs only from erroneous/slow requests
 ## (saves API quota for intensive logging)
 errormator.logging_on_error = false
 ## list of additonal keywords that should be grabbed from environ object
 ## can be string with comma separated list of words in lowercase
 ## (by default client will always send following info:
 ## 'REMOTE_USER', 'REMOTE_ADDR', 'SERVER_NAME', 'CONTENT_TYPE' + all keys that
 ## start with HTTP* this list be extended with additional keywords here
 errormator.environ_keys_whitelist =
 ## list of keywords that should be blanked from request object
 ## can be string with comma separated list of words in lowercase
 ## (by default client will always blank keys that contain following words
 ## 'password', 'passwd', 'pwd', 'auth_tkt', 'secret', 'csrf'
 ## this list be extended with additional keywords set here
 errormator.request_keys_blacklist =
 ## list of namespaces that should be ignores when gathering log entries
 ## can be string with comma separated list of namespaces
 ## (by default the client ignores own entries: errormator_client.client)
 errormator.log_namespace_blacklist =
 ################
 ### [sentry] ###
 ################
 ## sentry is a alternative open source error aggregator
 ## you must install python packages `sentry` and `raven` to enable
 sentry.dsn = YOUR_DNS
 sentry.servers =
 sentry.name =
 sentry.key =
 sentry.public_key =
 sentry.secret_key =
 sentry.project =
 sentry.site =
 sentry.include_paths =
 sentry.exclude_paths =
 ################################################################################
 ## WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*  ##
 ## Debug mode will enable the interactive debugging tool, allowing ANYONE to  ##
 ## execute malicious code after an exception is raised.                       ##
 ################################################################################
 set debug = false
 ##################################
 ###       LOGVIEW CONFIG       ###
 ##################################
 logview.sqlalchemy = #faa
 logview.pylons.templating = #bfb
 logview.pylons.util = #eee
 #########################################################
 ### DB CONFIGS - EACH DB WILL HAVE IT'S OWN CONFIG    ###
 #########################################################
 # SQLITE [default]
 sqlalchemy.db1.url = sqlite:///%(here)s/kallithea.db?timeout=60
 # POSTGRESQL
 #sqlalchemy.db1.url = postgresql://user:pass@localhost/kallithea
 # MySQL
 #sqlalchemy.db1.url = mysql://user:pass@localhost/kallithea
 # see sqlalchemy docs for others
 sqlalchemy.db1.echo = false
 sqlalchemy.db1.pool_recycle = 3600
 sqlalchemy.db1.convert_unicode = true
 ################################
 ### LOGGING CONFIGURATION   ####
 ################################
 [loggers]
 keys = root, routes, kallithea, sqlalchemy, beaker, templates, whoosh_indexer
 [handlers]
 keys = console, console_sql
 [formatters]
 keys = generic, color_formatter, color_formatter_sql
 #############
 ## LOGGERS ##
 #############
 [logger_root]
 level = NOTSET
 handlers = console
 [logger_routes]
 level = DEBUG
 handlers =
 qualname = routes.middleware
 ## "level = DEBUG" logs the route matched and routing variables.
 propagate = 1
 [logger_beaker]
 level = DEBUG
 handlers =
 qualname = beaker.container
 propagate = 1
 [logger_templates]
 level = INFO
 handlers =
 qualname = pylons.templating
 propagate = 1
 [logger_kallithea]
 level = DEBUG
 handlers =
 qualname = kallithea
 propagate = 1
 [logger_sqlalchemy]
 level = INFO
 handlers = console_sql
 qualname = sqlalchemy.engine
 propagate = 0
 [logger_whoosh_indexer]
 level = DEBUG
 handlers =
 qualname = whoosh_indexer
 propagate = 1
 ##############
 ## HANDLERS ##
 ##############
 [handler_console]
 class = StreamHandler
 args = (sys.stderr,)
 level = INFO
 formatter = generic
 [handler_console_sql]
 class = StreamHandler
 args = (sys.stderr,)
 level = WARN
 formatter = generic
 ################
 ## FORMATTERS ##
 ################
 [formatter_generic]
 format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
 datefmt = %Y-%m-%d %H:%M:%S

kallithea/lib/base.py

➞

Show inline comments

 # -*- coding: utf-8 -*-
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
+#
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
+#
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 """
 kallithea.lib.base
 ~~~~~~~~~~~~~~~~~~
 The base Controller API
 Provides the BaseController class for subclassing. And usage in different
 controllers
 This file was forked by the Kallithea project in July 2014.
 Original author and date, and relevant copyright and licensing information is below:
 :created_on: Oct 06, 2010
 :author: marcink
 :copyright: (c) 2013 RhodeCode GmbH, and others.
 :license: GPLv3, see LICENSE.md for more details.
 """
 import datetime
 import logging
 import time
 import traceback
 import webob.exc
 import paste.httpexceptions
 import paste.auth.basic
 import paste.httpheaders
 from pylons import config, tmpl_context as c, request, session, url
 from pylons.controllers import WSGIController
 from pylons.controllers.util import redirect
 from pylons.templating import render_mako as render  # don't remove this import
 from pylons.i18n.translation import _
 from kallithea import __version__, BACKENDS
 from kallithea.lib.utils2 import str2bool, safe_unicode, AttributeDict,\
     safe_str, safe_int
 from kallithea.lib import auth_modules
 from kallithea.lib.auth import AuthUser, HasPermissionAnyMiddleware
 from kallithea.lib.utils import get_repo_slug
 from kallithea.lib.exceptions import UserCreationError
 from kallithea.lib.vcs.exceptions import RepositoryError, EmptyRepositoryError, ChangesetDoesNotExistError
 from kallithea.model import meta
 from kallithea.model.db import Repository, Ui, User, Setting
 from kallithea.model.notification import NotificationModel
 from kallithea.model.scm import ScmModel
 from kallithea.model.pull_request import PullRequestModel
 log = logging.getLogger(__name__)
 def _filter_proxy(ip):
     """
     HEADERS can have multiple ips inside the left-most being the original
     client, and each successive proxy that passed the request adding the IP
     address where it received the request from.
     :param ip:
     """
     if ',' in ip:
         _ips = ip.split(',')
         _first_ip = _ips[0].strip()
         log.debug('Got multiple IPs %s, using %s', ','.join(_ips), _first_ip)
         return _first_ip
     return ip
 def _get_ip_addr(environ):
     proxy_key = 'HTTP_X_REAL_IP'
     proxy_key2 = 'HTTP_X_FORWARDED_FOR'
     def_key = 'REMOTE_ADDR'
     ip = environ.get(proxy_key)
     if ip:
         return _filter_proxy(ip)
     ip = environ.get(proxy_key2)
     if ip:
         return _filter_proxy(ip)
     ip = environ.get(def_key, '0.0.0.0')
     return _filter_proxy(ip)
 def _get_access_path(environ):
     path = environ.get('PATH_INFO')
     org_req = environ.get('pylons.original_request')
     if org_req:
         path = org_req.environ.get('PATH_INFO')
     return path
 def log_in_user(user, remember, is_external_auth):
     """
     Log a `User` in and update session and cookies. If `remember` is True,
     the session cookie is set to expire in a year; otherwise, it expires at
     the end of the browser session.
     Returns populated `AuthUser` object.
     """
     user.update_lastlogin()
     meta.Session().commit()
     auth_user = AuthUser(dbuser=user,
                          is_external_auth=is_external_auth)
     auth_user.set_authenticated()
     # Start new session to prevent session fixation attacks.
     session.invalidate()
     session['authuser'] = cookie = auth_user.to_cookie()
     # If they want to be remembered, update the cookie
     # If they want to be remembered, update the cookie.
     # NOTE: Assumes that beaker defaults to browser session cookie.
     if remember:
         t = datetime.datetime.now() + datetime.timedelta(days=365)
         session._set_cookie_expires(t)
     session.save()
     log.info('user %s is now authenticated and stored in '
              'session, session attrs %s', user.username, cookie)
     # dumps session attrs back to cookie
     session._update_cookie_out()
     return auth_user
 class BasicAuth(paste.auth.basic.AuthBasicAuthenticator):
     def __init__(self, realm, authfunc, auth_http_code=None):
         self.realm = realm
         self.authfunc = authfunc
         self._rc_auth_http_code = auth_http_code
     def build_authentication(self):
         head = paste.httpheaders.WWW_AUTHENTICATE.tuples('Basic realm="%s"' % self.realm)
         if self._rc_auth_http_code and self._rc_auth_http_code == '403':
             # return 403 if alternative http return code is specified in
             # Kallithea config
             return paste.httpexceptions.HTTPForbidden(headers=head)
         return paste.httpexceptions.HTTPUnauthorized(headers=head)
     def authenticate(self, environ):
         authorization = paste.httpheaders.AUTHORIZATION(environ)
         if not authorization:
             return self.build_authentication()
         (authmeth, auth) = authorization.split(' ', 1)
         if 'basic' != authmeth.lower():
             return self.build_authentication()
         auth = auth.strip().decode('base64')
         _parts = auth.split(':', 1)
         if len(_parts) == 2:
             username, password = _parts
             if self.authfunc(username, password, environ) is not None:
                 return username
         return self.build_authentication()
     __call__ = authenticate
 class BaseVCSController(object):
     def __init__(self, application, config):
         self.application = application
         self.config = config
         # base path of repo locations
         self.basepath = self.config['base_path']
         # authenticate this VCS request using the authentication modules
         self.authenticate = BasicAuth('', auth_modules.authenticate,
                                       config.get('auth_ret_code'))
         self.ip_addr = '0.0.0.0'
     def _handle_request(self, environ, start_response):
         raise NotImplementedError()
     def _get_by_id(self, repo_name):
         """
         Gets a special pattern _<ID> from clone url and tries to replace it
         with a repository_name for support of _<ID> permanent URLs
         :param repo_name:
         """
         data = repo_name.split('/')
         if len(data) >= 2:
             from kallithea.lib.utils import get_repo_by_id
             by_id_match = get_repo_by_id(repo_name)
             if by_id_match:
                 data[1] = by_id_match
         return '/'.join(data)
     def _invalidate_cache(self, repo_name):
         """
         Sets cache for this repository for invalidation on next access
         :param repo_name: full repo name, also a cache key
         """
         ScmModel().mark_for_invalidation(repo_name)
     def _check_permission(self, action, user, repo_name, ip_addr=None):
         """
         Checks permissions using action (push/pull) user and repository
         name
         :param action: push or pull action
         :param user: `User` instance
         :param repo_name: repository name
         """
         # check IP
         ip_allowed = AuthUser.check_ip_allowed(user, ip_addr)
         if ip_allowed:
             log.info('Access for IP:%s allowed', ip_addr)
         else:
             return False
         if action == 'push':
             if not HasPermissionAnyMiddleware('repository.write',
                                               'repository.admin')(user,
                                                                   repo_name):
                 return False
         else:
             #any other action need at least read permission
             if not HasPermissionAnyMiddleware('repository.read',
                                               'repository.write',
                                               'repository.admin')(user,
                                                                   repo_name):
                 return False
         return True
     def _get_ip_addr(self, environ):
         return _get_ip_addr(environ)
     def _check_ssl(self, environ):
         """
         Checks the SSL check flag and returns False if SSL is not present
         and required True otherwise
         """
         #check if we have SSL required  ! if not it's a bad request !
         if str2bool(Ui.get_by_key('push_ssl').ui_value):
             org_proto = environ.get('wsgi._org_proto', environ['wsgi.url_scheme'])
             if org_proto != 'https':
                 log.debug('proto is %s and SSL is required BAD REQUEST !',
                           org_proto)
                 return False
         return True
     def _check_locking_state(self, environ, action, repo, user_id):
         """
         Checks locking on this repository, if locking is enabled and lock is
         present returns a tuple of make_lock, locked, locked_by.
         make_lock can have 3 states None (do nothing) True, make lock
         False release lock, This value is later propagated to hooks, which
         do the locking. Think about this as signals passed to hooks what to do.
         """
         locked = False  # defines that locked error should be thrown to user
         make_lock = None
         repo = Repository.get_by_repo_name(repo)
         user = User.get(user_id)
         # this is kind of hacky, but due to how mercurial handles client-server
         # server see all operation on changeset; bookmarks, phases and
         # obsolescence marker in different transaction, we don't want to check
         # locking on those
         obsolete_call = environ['QUERY_STRING'] in ['cmd=listkeys',]
         locked_by = repo.locked
         if repo and repo.enable_locking and not obsolete_call:
             if action == 'push':
                 #check if it's already locked !, if it is compare users
                 user_id, _date = repo.locked
                 if user.user_id == user_id:
                     log.debug('Got push from user %s, now unlocking', user)
                     # unlock if we have push from user who locked
                     make_lock = False
                 else:
                     # we're not the same user who locked, ban with 423 !
                     locked = True
             if action == 'pull':
                 if repo.locked[0] and repo.locked[1]:
                     locked = True
                 else:
                     log.debug('Setting lock on repo %s by %s', repo, user)
                     make_lock = True
         else:
             log.debug('Repository %s do not have locking enabled', repo)
         log.debug('FINAL locking values make_lock:%s,locked:%s,locked_by:%s',
                   make_lock, locked, locked_by)
         return make_lock, locked, locked_by
     def __call__(self, environ, start_response):
         start = time.time()
         try:
             return self._handle_request(environ, start_response)
         finally:
             log = logging.getLogger('kallithea.' + self.__class__.__name__)
             log.debug('Request time: %.3fs', time.time() - start)
             meta.Session.remove()
 class BaseController(WSGIController):

test.ini

➞

Show inline comments

@@ @@ -164,424 +164,413 @@ max_request_body_size = 107374182400 @@
 ## COMMON ##
 host = 127.0.0.1
 port = 4999
 ## middleware for hosting the WSGI application under a URL prefix
 #[filter:proxy-prefix]
 #use = egg:PasteDeploy#prefix
 #prefix = /<your-prefix>
 [app:main]
 use = egg:kallithea
 ## enable proxy prefix middleware
 #filter-with = proxy-prefix
 full_stack = true
 static_files = true
 ## Available Languages:
 ## cs de fr hu ja nl_BE pl pt_BR ru sk zh_CN zh_TW
 lang =
 cache_dir = %(here)s/data
 index_dir = %(here)s/data/index
 ## perform a full repository scan on each server start, this should be
 ## set to false after first startup, to allow faster server restarts.
 #initial_repo_scan = false
 initial_repo_scan = true
 ## uncomment and set this path to use archive download cache
 archive_cache_dir = %(here)s/tarballcache
 ## change this to unique ID for security
 app_instance_uuid = test
 ## cut off limit for large diffs (size in bytes)
 cut_off_limit = 256000
 ## use cache version of scm repo everywhere
 #vcs_full_cache = true
 vcs_full_cache = false
 ## force https in Kallithea, fixes https redirects, assumes it's always https
 force_https = false
 ## use Strict-Transport-Security headers
 use_htsts = false
 ## number of commits stats will parse on each iteration
 commit_parse_limit = 25
 ## path to git executable
 git_path = git
 ## git rev filter option, --all is the default filter, if you need to
 ## hide all refs in changelog switch this to --branches --tags
 #git_rev_filter = --branches --tags
 ## RSS feed options
 rss_cut_off_limit = 256000
 rss_items_per_page = 10
 rss_include_diff = false
 ## options for showing and identifying changesets
 show_sha_length = 12
 show_revision_number = true
 ## gist URL alias, used to create nicer urls for gist. This should be an
 ## url that does rewrites to _admin/gists/<gistid>.
 ## example: http://gist.kallithea.server/{gistid}. Empty means use the internal
 ## Kallithea url, ie. http[s]://your.kallithea.server/_admin/gists/<gistid>
 gist_alias_url =
 ## white list of API enabled controllers. This allows to add list of
 ## controllers to which access will be enabled by api_key. eg: to enable
 ## api access to raw_files put `FilesController:raw`, to enable access to patches
 ## add `ChangesetController:changeset_patch`. This list should be "," separated
 ## Syntax is <ControllerClass>:<function>. Check debug logs for generated names
 ## Recommended settings below are commented out:
 api_access_controllers_whitelist =
 #    ChangesetController:changeset_patch,
 #    ChangesetController:changeset_raw,
 #    FilesController:raw,
 #    FilesController:archivefile
 ## default encoding used to convert from and to unicode
 ## can be also a comma seperated list of encoding in case of mixed encodings
 default_encoding = utf8
 ## issue tracker for Kallithea (leave blank to disable, absent for default)
 #bugtracker = https://bitbucket.org/conservancy/kallithea/issues
 ## issue tracking mapping for commits messages
 ## comment out issue_pat, issue_server, issue_prefix to enable
 ## pattern to get the issues from commit messages
 ## default one used here is #<numbers> with a regex passive group for `#`
 ## {id} will be all groups matched from this pattern
 issue_pat = (?:\s*#)(\d+)
 ## server url to the issue, each {id} will be replaced with match
 ## fetched from the regex and {repo} is replaced with full repository name
 ## including groups {repo_name} is replaced with just name of repo
 issue_server_link = https://myissueserver.com/{repo}/issue/{id}
 ## prefix to add to link to indicate it's an url
 ## #314 will be replaced by <issue_prefix><id>
 issue_prefix = #
 ## issue_pat, issue_server_link, issue_prefix can have suffixes to specify
 ## multiple patterns, to other issues server, wiki or others
 ## below an example how to create a wiki pattern
 # wiki-some-id -> https://mywiki.com/some-id
 #issue_pat_wiki = (?:wiki-)(.+)
 #issue_server_link_wiki = https://mywiki.com/{id}
 #issue_prefix_wiki = WIKI-
 ## instance-id prefix
 ## a prefix key for this instance used for cache invalidation when running
 ## multiple instances of kallithea, make sure it's globally unique for
 ## all running kallithea instances. Leave empty if you don't use it
 instance_id =
 ## alternative return HTTP header for failed authentication. Default HTTP
 ## response is 401 HTTPUnauthorized. Currently Mercurial clients have trouble with
 ## handling that. Set this variable to 403 to return HTTPForbidden
 auth_ret_code =
 ## locking return code. When repository is locked return this HTTP code. 2XX
 ## codes don't break the transactions while 4XX codes do
 lock_ret_code = 423
 ## allows to change the repository location in settings page
 allow_repo_location_change = True
 ## allows to setup custom hooks in settings page
 allow_custom_hooks_settings = True
 ####################################
 ###        CELERY CONFIG        ####
 ####################################
 use_celery = false
 broker.host = localhost
 broker.vhost = rabbitmqhost
 broker.port = 5672
 broker.user = rabbitmq
 broker.password = qweqwe
 celery.imports = kallithea.lib.celerylib.tasks
 celery.result.backend = amqp
 celery.result.dburi = amqp://
 celery.result.serialier = json
 #celery.send.task.error.emails = true
 #celery.amqp.task.result.expires = 18000
 celeryd.concurrency = 2
 #celeryd.log.file = celeryd.log
 celeryd.log.level = DEBUG
 celeryd.max.tasks.per.child = 1
 ## tasks will never be sent to the queue, but executed locally instead.
 celery.always.eager = false
 ####################################
 ###         BEAKER CACHE        ####
 ####################################
 beaker.cache.data_dir = %(here)s/data/cache/data
 beaker.cache.lock_dir = %(here)s/data/cache/lock
 beaker.cache.regions = short_term,long_term,sql_cache_short
 beaker.cache.short_term.type = memory
 beaker.cache.short_term.expire = 60
 beaker.cache.short_term.key_length = 256
 beaker.cache.long_term.type = memory
 beaker.cache.long_term.expire = 36000
 beaker.cache.long_term.key_length = 256
 beaker.cache.sql_cache_short.type = memory
 beaker.cache.sql_cache_short.expire = 1
 beaker.cache.sql_cache_short.key_length = 256
 ####################################
 ###       BEAKER SESSION        ####
 ####################################
 ## Name of session cookie. Should be unique for a given host and path, even when running
 ## on different ports. Otherwise, cookie sessions will be shared and messed up.
 beaker.session.key = kallithea
 ## Sessions should always only be accessible by the browser, not directly by JavaScript.
 beaker.session.httponly = true
 ## Session lifetime. 2592000 seconds is 30 days.
 beaker.session.timeout = 2592000
 ## Server secret used with HMAC to ensure integrity of cookies.
 beaker.session.secret = {74e0cd75-b339-478b-b129-07dd221def1f}
 ## Further, encrypt the data with AES.
 #beaker.session.encrypt_key = <key_for_encryption>
 #beaker.session.validate_key = <validation_key>
 ## Type of storage used for the session, current types are
 ## dbm, file, memcached, database, and memory.
 ## The storage uses the Container API
 ## that is also used by the cache system.
 ## File system storage of session data. (default)
 #beaker.session.type = file
 ## db session ##
 ## Cookie only, store all session data inside the cookie. Requires secure secrets.
 #beaker.session.type = cookie
 ## Database storage of session data.
 #beaker.session.type = ext:database
 #beaker.session.sa.url = postgresql://postgres:qwe@localhost/kallithea
 #beaker.session.table_name = db_session
 ## encrypted cookie client side session, good for many instances ##
 #beaker.session.type = cookie
 ## file based cookies (default) ##
 #beaker.session.type = file
 ## beaker.session.key should be unique for a given host, even when running
 ## on different ports. Otherwise, cookie sessions will be shared and messed up.
 beaker.session.key = kallithea
 beaker.session.secret = {74e0cd75-b339-478b-b129-07dd221def1f}
 ## Secure encrypted cookie. Requires AES and AES python libraries
 ## you must disable beaker.session.secret to use this
 #beaker.session.encrypt_key = <key_for_encryption>
 #beaker.session.validate_key = <validation_key>
 ## sets session as invalid if it haven't been accessed for given amount of time
 beaker.session.timeout = 2592000
 beaker.session.httponly = true
 #beaker.session.cookie_path = /<your-prefix>
 ## uncomment for https secure cookie
 beaker.session.secure = false
 ## auto save the session to not to use .save()
 beaker.session.auto = False
 ## default cookie expiration time in seconds `true` expire at browser close ##
 #beaker.session.cookie_expires = 3600
 ############################
 ## ERROR HANDLING SYSTEMS ##
 ############################
 ####################
 ### [errormator] ###
 ####################
 ## Errormator is tailored to work with Kallithea, see
 ## http://errormator.com for details how to obtain an account
 ## you must install python package `errormator_client` to make it work
 ## errormator enabled
 errormator = false
 errormator.server_url = https://api.errormator.com
 errormator.api_key = YOUR_API_KEY
 ## TWEAK AMOUNT OF INFO SENT HERE
 ## enables 404 error logging (default False)
 errormator.report_404 = false
 ## time in seconds after request is considered being slow (default 1)
 errormator.slow_request_time = 1
 ## record slow requests in application
 ## (needs to be enabled for slow datastore recording and time tracking)
 errormator.slow_requests = true
 ## enable hooking to application loggers
 #errormator.logging = true
 ## minimum log level for log capture
 #errormator.logging.level = WARNING
 ## send logs only from erroneous/slow requests
 ## (saves API quota for intensive logging)
 errormator.logging_on_error = false
 ## list of additonal keywords that should be grabbed from environ object
 ## can be string with comma separated list of words in lowercase
 ## (by default client will always send following info:
 ## 'REMOTE_USER', 'REMOTE_ADDR', 'SERVER_NAME', 'CONTENT_TYPE' + all keys that
 ## start with HTTP* this list be extended with additional keywords here
 errormator.environ_keys_whitelist =
 ## list of keywords that should be blanked from request object
 ## can be string with comma separated list of words in lowercase
 ## (by default client will always blank keys that contain following words
 ## 'password', 'passwd', 'pwd', 'auth_tkt', 'secret', 'csrf'
 ## this list be extended with additional keywords set here
 errormator.request_keys_blacklist =
 ## list of namespaces that should be ignores when gathering log entries
 ## can be string with comma separated list of namespaces
 ## (by default the client ignores own entries: errormator_client.client)
 errormator.log_namespace_blacklist =
 ################
 ### [sentry] ###
 ################
 ## sentry is a alternative open source error aggregator
 ## you must install python packages `sentry` and `raven` to enable
 sentry.dsn = YOUR_DNS
 sentry.servers =
 sentry.name =
 sentry.key =
 sentry.public_key =
 sentry.secret_key =
 sentry.project =
 sentry.site =
 sentry.include_paths =
 sentry.exclude_paths =
 ################################################################################
 ## WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*  ##
 ## Debug mode will enable the interactive debugging tool, allowing ANYONE to  ##
 ## execute malicious code after an exception is raised.                       ##
 ################################################################################
 set debug = false
 ##################################
 ###       LOGVIEW CONFIG       ###
 ##################################
 logview.sqlalchemy = #faa
 logview.pylons.templating = #bfb
 logview.pylons.util = #eee
 #########################################################
 ### DB CONFIGS - EACH DB WILL HAVE IT'S OWN CONFIG    ###
 #########################################################
 # SQLITE [default]
 #sqlalchemy.db1.url = sqlite:///%(here)s/kallithea.db?timeout=60
 sqlalchemy.db1.url = sqlite:///%(here)s/kallithea_test.sqlite
 # POSTGRESQL
 #sqlalchemy.db1.url = postgresql://user:pass@localhost/kallithea
 # MySQL
 #sqlalchemy.db1.url = mysql://user:pass@localhost/kallithea
 # see sqlalchemy docs for others
 sqlalchemy.db1.echo = false
 sqlalchemy.db1.pool_recycle = 3600
 sqlalchemy.db1.convert_unicode = true
 ################################
 ### LOGGING CONFIGURATION   ####
 ################################
 [loggers]
 keys = root, routes, kallithea, sqlalchemy, beaker, templates, whoosh_indexer
 [handlers]
 keys = console, console_sql
 [formatters]
 keys = generic, color_formatter, color_formatter_sql
 #############
 ## LOGGERS ##
 #############
 [logger_root]
 #level = NOTSET
 level = DEBUG
 handlers = console
 [logger_routes]
 level = DEBUG
 handlers =
 qualname = routes.middleware
 ## "level = DEBUG" logs the route matched and routing variables.
 propagate = 1
 [logger_beaker]
 level = DEBUG
 handlers =
 qualname = beaker.container
 propagate = 1
 [logger_templates]
 level = INFO
 handlers =
 qualname = pylons.templating
 propagate = 1
 [logger_kallithea]
 level = DEBUG
 handlers =
 qualname = kallithea
 propagate = 1
 [logger_sqlalchemy]
 #level = INFO
 #handlers = console_sql
 level = ERROR
 handlers = console
 qualname = sqlalchemy.engine
 propagate = 0
 [logger_whoosh_indexer]
 level = DEBUG
 handlers =
 qualname = whoosh_indexer
 propagate = 1
 ##############
 ## HANDLERS ##
 ##############
 [handler_console]
 class = StreamHandler
 args = (sys.stderr,)
 #level = INFO
 level = NOTSET
 formatter = generic
 [handler_console_sql]
 class = StreamHandler
 args = (sys.stderr,)
 level = WARN
 formatter = generic
 ################
 ## FORMATTERS ##

0 comments (0 inline, 0 general)