# -*- coding: utf-8 -*-

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""

Routes configuration

The more specific and detailed routes should be defined first so they

may take precedent over the more generic routes. For more information

refer to the routes manual at http://routes.groovie.org/docs/

"""

from tg import request

# prefix for non repository related links needs to be prefixed with `/`

ADMIN_PREFIX = '/_admin'

def make_map(config):

    """Create, configure and return the routes Mapper"""

    rmap = Mapper(directory=config['paths']['controllers'],

                  always_scan=config['debug'])

    rmap.minimization = False

    rmap.explicit = False

    from kallithea.lib.utils import is_valid_repo, is_valid_repo_group

    def check_repo(environ, match_dict):

        """

        Check for valid repository for proper 404 handling.

        Also, a bit of side effect modifying match_dict ...

        """

        if match_dict.get('f_path'):

            # fix for multiple initial slashes that causes errors

            match_dict['f_path'] = match_dict['f_path'].lstrip('/')

        return is_valid_repo(match_dict['repo_name'], config['base_path'])

    def check_group(environ, match_dict):

        """

        check for valid repository group for proper 404 handling

        :param environ:

        :param match_dict:

        """

        repo_group_name = match_dict.get('group_name')

        return is_valid_repo_group(repo_group_name, config['base_path'])

    def check_group_skip_path(environ, match_dict):

        """

        check for valid repository group for proper 404 handling, but skips

        verification of existing path

        :param environ:

        :param match_dict:

        """

        repo_group_name = match_dict.get('group_name')

        return is_valid_repo_group(repo_group_name, config['base_path'],

                                   skip_path_check=True)

    def check_user_group(environ, match_dict):

        """

        check for valid user group for proper 404 handling

        :param environ:

        :param match_dict:

        """

        return True

    def check_int(environ, match_dict):

        return match_dict.get('id').isdigit()

    #==========================================================================

    # CUSTOM ROUTES HERE

    #==========================================================================

    # MAIN PAGE

    rmap.connect('home', '/', controller='home')

    rmap.connect('about', '/about', controller='home', action='about')

    rmap.redirect('/favicon.ico', '/images/favicon.ico')

    rmap.connect('repo_switcher_data', '/_repos', controller='home',

                 action='repo_switcher_data')

    rmap.connect('users_and_groups_data', '/_users_and_groups', controller='home',

                 action='users_and_groups_data')

    rmap.connect('rst_help',

                 "http://docutils.sourceforge.net/docs/user/rst/quickref.html",

                 _static=True)

    rmap.connect('kallithea_project_url', "https://kallithea-scm.org/", _static=True)

    rmap.connect('issues_url', 'https://bitbucket.org/conservancy/kallithea/issues', _static=True)

    # ADMIN REPOSITORY ROUTES

    with rmap.submapper(path_prefix=ADMIN_PREFIX,

                        controller='admin/repos') as m:

        m.connect("repos", "/repos",

                  action="create", conditions=dict(method=["POST"]))

        m.connect("repos", "/repos",

                  conditions=dict(method=["GET"]))

        m.connect("new_repo", "/create_repository",

                  action="create_repository", conditions=dict(method=["GET"]))

        m.connect("update_repo", "/repos/{repo_name:.*?}",

                  action="update", conditions=dict(method=["POST"],

                  function=check_repo))

        m.connect("delete_repo", "/repos/{repo_name:.*?}/delete",

                  action="delete", conditions=dict(method=["POST"]))

    # ADMIN REPOSITORY GROUPS ROUTES

    with rmap.submapper(path_prefix=ADMIN_PREFIX,

                        controller='admin/repo_groups') as m:

        m.connect("repos_groups", "/repo_groups",

                  action="create", conditions=dict(method=["POST"]))

        m.connect("repos_groups", "/repo_groups",

                  conditions=dict(method=["GET"]))

        m.connect("new_repos_group", "/repo_groups/new",

                  action="new", conditions=dict(method=["GET"]))

        m.connect("update_repos_group", "/repo_groups/{group_name:.*?}",

                  action="update", conditions=dict(method=["POST"],

                                                   function=check_group))

        m.connect("repos_group", "/repo_groups/{group_name:.*?}",

                  action="show", conditions=dict(method=["GET"],

                                                 function=check_group))

        # EXTRAS REPO GROUP ROUTES

        m.connect("edit_repo_group", "/repo_groups/{group_name:.*?}/edit",

                  action="edit",

                  conditions=dict(method=["GET"], function=check_group))

        m.connect("edit_repo_group_advanced", "/repo_groups/{group_name:.*?}/edit/advanced",

                  action="edit_repo_group_advanced",

                  conditions=dict(method=["GET"], function=check_group))

        m.connect("edit_repo_group_perms", "/repo_groups/{group_name:.*?}/edit/permissions",

                  action="edit_repo_group_perms",

                  conditions=dict(method=["GET"], function=check_group))

        m.connect("edit_repo_group_perms_update", "/repo_groups/{group_name:.*?}/edit/permissions",

                  action="update_perms",

                  conditions=dict(method=["POST"], function=check_group))

        m.connect("edit_repo_group_perms_delete", "/repo_groups/{group_name:.*?}/edit/permissions/delete",

                  action="delete_perms",

                  conditions=dict(method=["POST"], function=check_group))

        m.connect("delete_repo_group", "/repo_groups/{group_name:.*?}/delete",

                  action="delete", conditions=dict(method=["POST"],

                                                   function=check_group_skip_path))

    # ADMIN USER ROUTES

    with rmap.submapper(path_prefix=ADMIN_PREFIX,

                        controller='admin/users') as m:

        m.connect("new_user", "/users/new",

                  action="create", conditions=dict(method=["POST"]))

        m.connect("users", "/users",

                  conditions=dict(method=["GET"]))

        m.connect("formatted_users", "/users.{format}",

                  conditions=dict(method=["GET"]))

        m.connect("new_user", "/users/new",

                  action="new", conditions=dict(method=["GET"]))

        m.connect("update_user", "/users/{id}",

                  action="update", conditions=dict(method=["POST"]))

        m.connect("delete_user", "/users/{id}/delete",

                  action="delete", conditions=dict(method=["POST"]))

        m.connect("edit_user", "/users/{id}/edit",

                  action="edit", conditions=dict(method=["GET"]))

        # EXTRAS USER ROUTES

        m.connect("edit_user_advanced", "/users/{id}/edit/advanced",

                  action="edit_advanced", conditions=dict(method=["GET"]))

        m.connect("edit_user_api_keys", "/users/{id}/edit/api_keys",

                  action="edit_api_keys", conditions=dict(method=["GET"]))

        m.connect("edit_user_api_keys_update", "/users/{id}/edit/api_keys",

                  action="add_api_key", conditions=dict(method=["POST"]))

        m.connect("edit_user_api_keys_delete", "/users/{id}/edit/api_keys/delete",

                  action="delete_api_key", conditions=dict(method=["POST"]))

        m.connect("edit_user_ssh_keys", "/users/{id}/edit/ssh_keys",

                  action="edit_ssh_keys", conditions=dict(method=["GET"]))

        m.connect("edit_user_ssh_keys", "/users/{id}/edit/ssh_keys",

                  action="ssh_keys_add", conditions=dict(method=["POST"]))

        m.connect("edit_user_ssh_keys_delete", "/users/{id}/edit/ssh_keys/delete",

                  action="ssh_keys_delete", conditions=dict(method=["POST"]))

        m.connect("edit_user_perms", "/users/{id}/edit/permissions",

                  action="edit_perms", conditions=dict(method=["GET"]))

        m.connect("edit_user_perms_update", "/users/{id}/edit/permissions",

                  action="update_perms", conditions=dict(method=["POST"]))

        m.connect("edit_user_emails", "/users/{id}/edit/emails",

                  action="edit_emails", conditions=dict(method=["GET"]))

        m.connect("edit_user_emails_update", "/users/{id}/edit/emails",

                  action="add_email", conditions=dict(method=["POST"]))

        m.connect("edit_user_emails_delete", "/users/{id}/edit/emails/delete",

                  action="delete_email", conditions=dict(method=["POST"]))

        m.connect("edit_user_ips", "/users/{id}/edit/ips",

                  action="edit_ips", conditions=dict(method=["GET"]))

        m.connect("edit_user_ips_update", "/users/{id}/edit/ips",

                  action="add_ip", conditions=dict(method=["POST"]))

        m.connect("edit_user_ips_delete", "/users/{id}/edit/ips/delete",

                  action="delete_ip", conditions=dict(method=["POST"]))

    # ADMIN USER GROUPS REST ROUTES

    with rmap.submapper(path_prefix=ADMIN_PREFIX,

                        controller='admin/user_groups') as m:

        m.connect("users_groups", "/user_groups",

                  action="create", conditions=dict(method=["POST"]))

        m.connect("users_groups", "/user_groups",

                  conditions=dict(method=["GET"]))

        m.connect("new_users_group", "/user_groups/new",

                  action="new", conditions=dict(method=["GET"]))

# -*- coding: utf-8 -*-

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""

kallithea.lib.base

~~~~~~~~~~~~~~~~~~

The base Controller API

Provides the BaseController class for subclassing. And usage in different

controllers

This file was forked by the Kallithea project in July 2014.

Original author and date, and relevant copyright and licensing information is below:

:created_on: Oct 06, 2010

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import base64

import datetime

import logging

import traceback

import warnings

import decorator

import paste.auth.basic

import paste.httpexceptions

import paste.httpheaders

import webob.exc

from tg import TGController, config, render_template, request, response, session

from tg import tmpl_context as c

from tg.i18n import ugettext as _

from kallithea import BACKENDS, __version__

from kallithea.config.routing import url

from kallithea.lib import auth_modules, ext_json

from kallithea.lib.auth import AuthUser, HasPermissionAnyMiddleware

from kallithea.lib.exceptions import UserCreationError

from kallithea.lib.utils import get_repo_slug, is_valid_repo

from kallithea.lib.utils2 import AttributeDict, ascii_bytes, safe_int, safe_str, set_hook_environment, str2bool

from kallithea.lib.vcs.exceptions import ChangesetDoesNotExistError, EmptyRepositoryError, RepositoryError

from kallithea.model import meta

from kallithea.model.db import PullRequest, Repository, Setting, User

from kallithea.model.scm import ScmModel

log = logging.getLogger(__name__)

def render(template_path):

    return render_template({'url': url}, 'mako', template_path)

def _filter_proxy(ip):

    """

    HEADERS can have multiple ips inside the left-most being the original

    client, and each successive proxy that passed the request adding the IP

    address where it received the request from.

    :param ip:

    """

    if ',' in ip:

        _ips = ip.split(',')

        _first_ip = _ips[0].strip()

        log.debug('Got multiple IPs %s, using %s', ','.join(_ips), _first_ip)

        return _first_ip

    return ip

def _get_ip_addr(environ):

    proxy_key = 'HTTP_X_REAL_IP'

    proxy_key2 = 'HTTP_X_FORWARDED_FOR'

    def_key = 'REMOTE_ADDR'

    ip = environ.get(proxy_key)

    if ip:

        return _filter_proxy(ip)

    ip = environ.get(proxy_key2)

    if ip:

        return _filter_proxy(ip)

    ip = environ.get(def_key, '0.0.0.0')

    return _filter_proxy(ip)

def get_path_info(environ):

    """

    org_req = environ.get('tg.original_request')

    if org_req is not None:

        environ = org_req.environ

def log_in_user(user, remember, is_external_auth, ip_addr):

    """

    Log a `User` in and update session and cookies. If `remember` is True,

    the session cookie is set to expire in a year; otherwise, it expires at

    the end of the browser session.

    Returns populated `AuthUser` object.

    """

    # It should not be possible to explicitly log in as the default user.

    assert not user.is_default_user, user

    auth_user = AuthUser.make(dbuser=user, is_external_auth=is_external_auth, ip_addr=ip_addr)

    if auth_user is None:

        return None

    user.update_lastlogin()

    meta.Session().commit()

    # Start new session to prevent session fixation attacks.

    session.invalidate()

    session['authuser'] = cookie = auth_user.to_cookie()

    # If they want to be remembered, update the cookie.

    # NOTE: Assumes that beaker defaults to browser session cookie.

    if remember:

        t = datetime.datetime.now() + datetime.timedelta(days=365)

        session._set_cookie_expires(t)

    session.save()

    log.info('user %s is now authenticated and stored in '

             'session, session attrs %s', user.username, cookie)

    # dumps session attrs back to cookie

    session._update_cookie_out()

    return auth_user

class BasicAuth(paste.auth.basic.AuthBasicAuthenticator):

    def __init__(self, realm, authfunc, auth_http_code=None):

        self.realm = realm

        self.authfunc = authfunc

        self._rc_auth_http_code = auth_http_code

    def build_authentication(self, environ):

        head = paste.httpheaders.WWW_AUTHENTICATE.tuples('Basic realm="%s"' % self.realm)

        # Consume the whole body before sending a response

        try:

            request_body_size = int(environ.get('CONTENT_LENGTH', 0))

        except (ValueError):

            request_body_size = 0

        environ['wsgi.input'].read(request_body_size)

        if self._rc_auth_http_code and self._rc_auth_http_code == '403':

            # return 403 if alternative http return code is specified in

            # Kallithea config

            return paste.httpexceptions.HTTPForbidden(headers=head)

        return paste.httpexceptions.HTTPUnauthorized(headers=head)

    def authenticate(self, environ):

        authorization = paste.httpheaders.AUTHORIZATION(environ)

        if not authorization:

            return self.build_authentication(environ)

        (authmeth, auth) = authorization.split(' ', 1)

        if 'basic' != authmeth.lower():

            return self.build_authentication(environ)

        auth = safe_str(base64.b64decode(auth.strip()))

        _parts = auth.split(':', 1)

        if len(_parts) == 2:

            username, password = _parts

            if self.authfunc(username, password, environ) is not None:

                return username

        return self.build_authentication(environ)

    __call__ = authenticate

class BaseVCSController(object):

    """Base controller for handling Mercurial/Git protocol requests

    (coming from a VCS client, and not a browser).

    """

    scm_alias = None # 'hg' / 'git'

    def __init__(self, application, config):

        self.application = application

        self.config = config

        # base path of repo locations

        self.basepath = self.config['base_path']

        # authenticate this VCS request using the authentication modules

        self.authenticate = BasicAuth('', auth_modules.authenticate,

                                      config.get('auth_ret_code'))

    @classmethod

    def parse_request(cls, environ):

        """If request is parsed as a request for this VCS, return a namespace with the parsed request.

        If the request is unknown, return None.

        """

        raise NotImplementedError()

    def _authorize(self, environ, action, repo_name, ip_addr):

        """Authenticate and authorize user.

        Since we're dealing with a VCS client and not a browser, we only

        support HTTP basic authentication, either directly via raw header

        inspection, or by using container authentication to delegate the

        authentication to the web server.

        Returns (user, None) on successful authentication and authorization.

        Returns (None, wsgi_app) to send the wsgi_app response to the client.

        """

        # Use anonymous access if allowed for action on repo.

        default_user = User.get_default_user(cache=True)

        default_authuser = AuthUser.make(dbuser=default_user, ip_addr=ip_addr)

        if default_authuser is None:

            log.debug('No anonymous access at all') # move on to proper user auth

        else:

            if self._check_permission(action, default_authuser, repo_name):

                return default_authuser, None

            log.debug('Not authorized to access this repository as anonymous user')

        username = None

        #==============================================================

        # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE

        # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS

        #==============================================================

        # try to auth based on environ, container auth methods

        log.debug('Running PRE-AUTH for container based authentication')

        pre_auth = auth_modules.authenticate('', '', environ)

        if pre_auth is not None and pre_auth.get('username'):

            username = pre_auth['username']

        log.debug('PRE-AUTH got %s as username', username)

        # If not authenticated by the container, running basic auth

        if not username:

            self.authenticate.realm = self.config['realm']

            result = self.authenticate(environ)

            if isinstance(result, str):

                paste.httpheaders.AUTH_TYPE.update(environ, 'basic')

                paste.httpheaders.REMOTE_USER.update(environ, result)

                username = result

            else:

                return None, result.wsgi_application

        #==============================================================

        # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME

        #==============================================================

        try:

            user = User.get_by_username_or_email(username)

        except Exception:

            log.error(traceback.format_exc())

            return None, webob.exc.HTTPInternalServerError()

        authuser = AuthUser.make(dbuser=user, ip_addr=ip_addr)

        if authuser is None:

            return None, webob.exc.HTTPForbidden()

        if not self._check_permission(action, authuser, repo_name):

            return None, webob.exc.HTTPForbidden()

        return user, None

    def _handle_request(self, environ, start_response):

        raise NotImplementedError()

    def _check_permission(self, action, authuser, repo_name):

        """

        Checks permissions using action (push/pull) user and repository

        name

        :param action: 'push' or 'pull' action

        :param user: `User` instance

        :param repo_name: repository name

        """

        if action == 'push':

            if not HasPermissionAnyMiddleware('repository.write',

                                              'repository.admin')(authuser,

                                                                  repo_name):

                return False

        else:

            #any other action need at least read permission

            if not HasPermissionAnyMiddleware('repository.read',

                                              'repository.write',

                                              'repository.admin')(authuser,

                                                                  repo_name):

                return False

        return True

# -*- coding: utf-8 -*-

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""

kallithea.lib.middleware.permanent_repo_url

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

middleware to handle permanent repo URLs, replacing PATH_INFO '/_123/yada' with

'/name/of/repo/yada' after looking 123 up in the database.

"""

from kallithea.lib.utils import fix_repo_id_name

from kallithea.lib.utils2 import safe_bytes, safe_str

class PermanentRepoUrl(object):

    def __init__(self, app, config):

        self.application = app

        self.config = config

    def __call__(self, environ, start_response):

        # Extract path_info as get_path_info does, but do it explicitly because

        # we also have to do the reverse operation when patching it back in

        if path_info.startswith('/'): # it must

            path_info = '/' + fix_repo_id_name(path_info[1:])

        return self.application(environ, start_response)