Changeset - 78c7e8efe658
beta
0 4 0
Marcin Kuzminski - 13 years ago 2013-04-15 01:46:32
marcin@python-works.com
new feature: API access white list definition from .ini files
4 files changed with 26 insertions and 3 deletions:
development.ini
 
@@ -18,192 +18,198 @@ pdebug = false
 
#app_email_from = rhodecode-noreply@localhost
 
#error_message =
 
#email_prefix = [RhodeCode]
 

	
 
#smtp_server = mail.server.com
 
#smtp_username = 
 
#smtp_password = 
 
#smtp_port = 
 
#smtp_use_tls = false
 
#smtp_use_ssl = true
 
## Specify available auth parameters here (e.g. LOGIN PLAIN CRAM-MD5, etc.)
 
#smtp_auth = 
 

	
 
[server:main]
 
## PASTE
 
## nr of threads to spawn
 
#threadpool_workers = 5
 

	
 
## max request before thread respawn
 
#threadpool_max_requests = 10
 

	
 
## option to use threads of process
 
#use_threadpool = true
 

	
 
#use = egg:Paste#http
 

	
 
## WAITRESS
 
threads = 5
 
## 100GB
 
max_request_body_size = 107374182400
 
use = egg:waitress#main
 

	
 
host = 0.0.0.0
 
port = 5000
 

	
 
## prefix middleware for rc
 
#[filter:proxy-prefix]
 
#use = egg:PasteDeploy#prefix
 
#prefix = /<your-prefix>
 

	
 
[app:main]
 
use = egg:rhodecode
 
## enable proxy prefix middleware
 
#filter-with = proxy-prefix
 

	
 
full_stack = true
 
static_files = true
 
## Optional Languages
 
## en, fr, ja, pt_BR, zh_CN, zh_TW, pl
 
lang = en
 
cache_dir = %(here)s/data
 
index_dir = %(here)s/data/index
 

	
 
## uncomment and set this path to use archive download cache
 
#archive_cache_dir = /tmp/tarballcache
 

	
 
## change this to unique ID for security
 
app_instance_uuid = rc-production
 

	
 
## cut off limit for large diffs (size in bytes)
 
cut_off_limit = 256000
 

	
 
## use cache version of scm repo everywhere
 
vcs_full_cache = true
 

	
 
## force https in RhodeCode, fixes https redirects, assumes it's always https
 
force_https = false
 

	
 
## use Strict-Transport-Security headers
 
use_htsts = false
 

	
 
## number of commits stats will parse on each iteration
 
commit_parse_limit = 25
 

	
 
## number of items displayed in lightweight dashboard before paginating is shown
 
dashboard_items = 100
 

	
 
## use gravatar service to display avatars
 
use_gravatar = true
 

	
 
## path to git executable
 
git_path = git
 

	
 
## git rev filter option, --all is the default filter, if you need to
 
## hide all refs in changelog switch this to --branches --tags
 
git_rev_filter=--all
 

	
 
## RSS feed options
 
rss_cut_off_limit = 256000
 
rss_items_per_page = 10
 
rss_include_diff = false
 

	
 
## options for showing and identifying changesets
 
show_sha_length = 12
 
show_revision_number = true
 

	
 
## white list of API enabled controllers. This allows to add list of
 
## controllers to which access will be enabled by api_key. eg: to enable
 
## api access to raw_files put `FilesController:raw`, to enable access to patches
 
## add `ChangesetController:changeset_patch`. This list should be "," separated
 
## Syntax is <ControllerClass>:<function>. Check debug logs for generated names
 
api_access_controllers_whitelist =
 

	
 
## alternative_gravatar_url allows you to use your own avatar server application
 
## the following parts of the URL will be replaced
 
## {email}        user email
 
## {md5email}     md5 hash of the user email (like at gravatar.com)
 
## {size}         size of the image that is expected from the server application
 
## {scheme}       http/https from RhodeCode server
 
## {netloc}       network location from RhodeCode server
 
#alternative_gravatar_url = http://myavatarserver.com/getbyemail/{email}/{size}
 
#alternative_gravatar_url = http://myavatarserver.com/getbymd5/{md5email}?s={size}
 

	
 

	
 
## container auth options
 
container_auth_enabled = false
 
proxypass_auth_enabled = false
 

	
 
## default encoding used to convert from and to unicode
 
## can be also a comma seperated list of encoding in case of mixed encodings
 
default_encoding = utf8
 

	
 
## overwrite schema of clone url
 
## available vars:
 
## scheme - http/https
 
## user - current user
 
## pass - password 
 
## netloc - network location
 
## path - usually repo_name
 

	
 
#clone_uri = {scheme}://{user}{pass}{netloc}{path}
 

	
 
## issue tracking mapping for commits messages
 
## comment out issue_pat, issue_server, issue_prefix to enable
 

	
 
## pattern to get the issues from commit messages
 
## default one used here is #<numbers> with a regex passive group for `#`
 
## {id} will be all groups matched from this pattern
 

	
 
issue_pat = (?:\s*#)(\d+)
 

	
 
## server url to the issue, each {id} will be replaced with match
 
## fetched from the regex and {repo} is replaced with full repository name
 
## including groups {repo_name} is replaced with just name of repo
 

	
 
issue_server_link = https://myissueserver.com/{repo}/issue/{id}
 

	
 
## prefix to add to link to indicate it's an url
 
## #314 will be replaced by <issue_prefix><id>
 

	
 
issue_prefix = #
 

	
 
## issue_pat, issue_server_link, issue_prefix can have suffixes to specify
 
## multiple patterns, to other issues server, wiki or others
 
## below an example how to create a wiki pattern 
 
#  #wiki-some-id -> https://mywiki.com/some-id
 

	
 
#issue_pat_wiki = (?:wiki-)(.+)
 
#issue_server_link_wiki = https://mywiki.com/{id}
 
#issue_prefix_wiki = WIKI-
 

	
 

	
 
## instance-id prefix
 
## a prefix key for this instance used for cache invalidation when running 
 
## multiple instances of rhodecode, make sure it's globally unique for 
 
## all running rhodecode instances. Leave empty if you don't use it
 
instance_id = 
 

	
 
## alternative return HTTP header for failed authentication. Default HTTP
 
## response is 401 HTTPUnauthorized. Currently HG clients have troubles with 
 
## handling that. Set this variable to 403 to return HTTPForbidden
 
auth_ret_code =
 

	
 
## locking return code. When repository is locked return this HTTP code. 2XX
 
## codes don't break the transactions while 4XX codes do
 
lock_ret_code = 423
 

	
 

	
 
####################################
 
###        CELERY CONFIG        ####
 
####################################
 
use_celery = false
 
broker.host = localhost
 
broker.vhost = rabbitmqhost
 
broker.port = 5672
 
broker.user = rabbitmq
 
broker.password = qweqwe
 

	
 
celery.imports = rhodecode.lib.celerylib.tasks
 

	
 
celery.result.backend = amqp
 
celery.result.dburi = amqp://
 
celery.result.serialier = json
 

	
 
#celery.send.task.error.emails = true
 
#celery.amqp.task.result.expires = 18000
 

	
 
celeryd.concurrency = 2
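Review bot: The new `api_access_controllers_whitelist` comment explains the entry syntax but not the consequence of an entry or of leaving the value empty, which is what an operator editing this file most needs to know; the same block is added identically in production.ini and rhodecode/config/deployment.ini_tmpl. Going by the paired change in rhodecode/lib/auth.py, a listed `<ControllerClass>:<function>` becomes reachable by anyone presenting the user's token in the `api_key` GET query parameter, and an empty value keeps token access limited to views decorated with `api_access=True`. I would add, above the key, `## Leave empty to allow api_key access only on views explicitly decorated with api_access=True.` and `## NOTE: api_key is sent as a GET query parameter, so it can be recorded in server and proxy access logs.` The surrounding [app:main] section extends beyond this hunk.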
production.ini
 
@@ -18,192 +18,198 @@ pdebug = false
 
#app_email_from = rhodecode-noreply@localhost
 
#error_message =
 
#email_prefix = [RhodeCode]
 

	
 
#smtp_server = mail.server.com
 
#smtp_username = 
 
#smtp_password = 
 
#smtp_port = 
 
#smtp_use_tls = false
 
#smtp_use_ssl = true
 
## Specify available auth parameters here (e.g. LOGIN PLAIN CRAM-MD5, etc.)
 
#smtp_auth = 
 

	
 
[server:main]
 
## PASTE
 
## nr of threads to spawn
 
#threadpool_workers = 5
 

	
 
## max request before thread respawn
 
#threadpool_max_requests = 10
 

	
 
## option to use threads of process
 
#use_threadpool = true
 

	
 
#use = egg:Paste#http
 

	
 
## WAITRESS
 
threads = 5
 
## 100GB
 
max_request_body_size = 107374182400
 
use = egg:waitress#main
 

	
 
host = 127.0.0.1
 
port = 8001
 

	
 
## prefix middleware for rc
 
#[filter:proxy-prefix]
 
#use = egg:PasteDeploy#prefix
 
#prefix = /<your-prefix>
 

	
 
[app:main]
 
use = egg:rhodecode
 
## enable proxy prefix middleware
 
#filter-with = proxy-prefix
 

	
 
full_stack = true
 
static_files = true
 
## Optional Languages
 
## en, fr, ja, pt_BR, zh_CN, zh_TW, pl
 
lang = en
 
cache_dir = %(here)s/data
 
index_dir = %(here)s/data/index
 

	
 
## uncomment and set this path to use archive download cache
 
#archive_cache_dir = /tmp/tarballcache
 

	
 
## change this to unique ID for security
 
app_instance_uuid = rc-production
 

	
 
## cut off limit for large diffs (size in bytes)
 
cut_off_limit = 256000
 

	
 
## use cache version of scm repo everywhere
 
vcs_full_cache = true
 

	
 
## force https in RhodeCode, fixes https redirects, assumes it's always https
 
force_https = false
 

	
 
## use Strict-Transport-Security headers
 
use_htsts = false
 

	
 
## number of commits stats will parse on each iteration
 
commit_parse_limit = 25
 

	
 
## number of items displayed in lightweight dashboard before paginating is shown
 
dashboard_items = 100
 

	
 
## use gravatar service to display avatars
 
use_gravatar = true
 

	
 
## path to git executable
 
git_path = git
 

	
 
## git rev filter option, --all is the default filter, if you need to
 
## hide all refs in changelog switch this to --branches --tags
 
git_rev_filter=--all
 

	
 
## RSS feed options
 
rss_cut_off_limit = 256000
 
rss_items_per_page = 10
 
rss_include_diff = false
 

	
 
## options for showing and identifying changesets
 
show_sha_length = 12
 
show_revision_number = true
 

	
 
## white list of API enabled controllers. This allows to add list of
 
## controllers to which access will be enabled by api_key. eg: to enable
 
## api access to raw_files put `FilesController:raw`, to enable access to patches
 
## add `ChangesetController:changeset_patch`. This list should be "," separated
 
## Syntax is <ControllerClass>:<function>. Check debug logs for generated names
 
api_access_controllers_whitelist =
 

	
 
## alternative_gravatar_url allows you to use your own avatar server application
 
## the following parts of the URL will be replaced
 
## {email}        user email
 
## {md5email}     md5 hash of the user email (like at gravatar.com)
 
## {size}         size of the image that is expected from the server application
 
## {scheme}       http/https from RhodeCode server
 
## {netloc}       network location from RhodeCode server
 
#alternative_gravatar_url = http://myavatarserver.com/getbyemail/{email}/{size}
 
#alternative_gravatar_url = http://myavatarserver.com/getbymd5/{md5email}?s={size}
 

	
 

	
 
## container auth options
 
container_auth_enabled = false
 
proxypass_auth_enabled = false
 

	
 
## default encoding used to convert from and to unicode
 
## can be also a comma seperated list of encoding in case of mixed encodings
 
default_encoding = utf8
 

	
 
## overwrite schema of clone url
 
## available vars:
 
## scheme - http/https
 
## user - current user
 
## pass - password 
 
## netloc - network location
 
## path - usually repo_name
 

	
 
#clone_uri = {scheme}://{user}{pass}{netloc}{path}
 

	
 
## issue tracking mapping for commits messages
 
## comment out issue_pat, issue_server, issue_prefix to enable
 

	
 
## pattern to get the issues from commit messages
 
## default one used here is #<numbers> with a regex passive group for `#`
 
## {id} will be all groups matched from this pattern
 

	
 
issue_pat = (?:\s*#)(\d+)
 

	
 
## server url to the issue, each {id} will be replaced with match
 
## fetched from the regex and {repo} is replaced with full repository name
 
## including groups {repo_name} is replaced with just name of repo
 

	
 
issue_server_link = https://myissueserver.com/{repo}/issue/{id}
 

	
 
## prefix to add to link to indicate it's an url
 
## #314 will be replaced by <issue_prefix><id>
 

	
 
issue_prefix = #
 

	
 
## issue_pat, issue_server_link, issue_prefix can have suffixes to specify
 
## multiple patterns, to other issues server, wiki or others
 
## below an example how to create a wiki pattern 
 
#  #wiki-some-id -> https://mywiki.com/some-id
 

	
 
#issue_pat_wiki = (?:wiki-)(.+)
 
#issue_server_link_wiki = https://mywiki.com/{id}
 
#issue_prefix_wiki = WIKI-
 

	
 

	
 
## instance-id prefix
 
## a prefix key for this instance used for cache invalidation when running 
 
## multiple instances of rhodecode, make sure it's globally unique for 
 
## all running rhodecode instances. Leave empty if you don't use it
 
instance_id = 
 

	
 
## alternative return HTTP header for failed authentication. Default HTTP
 
## response is 401 HTTPUnauthorized. Currently HG clients have troubles with 
 
## handling that. Set this variable to 403 to return HTTPForbidden
 
auth_ret_code =
 

	
 
## locking return code. When repository is locked return this HTTP code. 2XX
 
## codes don't break the transactions while 4XX codes do
 
lock_ret_code = 423
 

	
 

	
 
####################################
 
###        CELERY CONFIG        ####
 
####################################
 
use_celery = false
 
broker.host = localhost
 
broker.vhost = rabbitmqhost
 
broker.port = 5672
 
broker.user = rabbitmq
 
broker.password = qweqwe
 

	
 
celery.imports = rhodecode.lib.celerylib.tasks
 

	
 
celery.result.backend = amqp
 
celery.result.dburi = amqp://
 
celery.result.serialier = json
 

	
 
#celery.send.task.error.emails = true
 
#celery.amqp.task.result.expires = 18000
 

	
 
celeryd.concurrency = 2
rhodecode/config/deployment.ini_tmpl
 
@@ -18,192 +18,198 @@ pdebug = false
 
#app_email_from = rhodecode-noreply@localhost
 
#error_message =
 
#email_prefix = [RhodeCode]
 

	
 
#smtp_server = mail.server.com
 
#smtp_username = 
 
#smtp_password = 
 
#smtp_port = 
 
#smtp_use_tls = false
 
#smtp_use_ssl = true
 
## Specify available auth parameters here (e.g. LOGIN PLAIN CRAM-MD5, etc.)
 
#smtp_auth = 
 

	
 
[server:main]
 
## PASTE
 
## nr of threads to spawn
 
#threadpool_workers = 5
 

	
 
## max request before thread respawn
 
#threadpool_max_requests = 10
 

	
 
## option to use threads of process
 
#use_threadpool = true
 

	
 
#use = egg:Paste#http
 

	
 
## WAITRESS
 
threads = 5
 
## 100GB
 
max_request_body_size = 107374182400
 
use = egg:waitress#main
 

	
 
host = 127.0.0.1
 
port = 5000
 

	
 
## prefix middleware for rc
 
#[filter:proxy-prefix]
 
#use = egg:PasteDeploy#prefix
 
#prefix = /<your-prefix>
 

	
 
[app:main]
 
use = egg:rhodecode
 
## enable proxy prefix middleware
 
#filter-with = proxy-prefix
 

	
 
full_stack = true
 
static_files = true
 
## Optional Languages
 
## en, fr, ja, pt_BR, zh_CN, zh_TW, pl
 
lang = en
 
cache_dir = %(here)s/data
 
index_dir = %(here)s/data/index
 

	
 
## uncomment and set this path to use archive download cache
 
#archive_cache_dir = /tmp/tarballcache
 

	
 
## change this to unique ID for security
 
app_instance_uuid = ${app_instance_uuid}
 

	
 
## cut off limit for large diffs (size in bytes)
 
cut_off_limit = 256000
 

	
 
## use cache version of scm repo everywhere
 
vcs_full_cache = true
 

	
 
## force https in RhodeCode, fixes https redirects, assumes it's always https
 
force_https = false
 

	
 
## use Strict-Transport-Security headers
 
use_htsts = false
 

	
 
## number of commits stats will parse on each iteration
 
commit_parse_limit = 25
 

	
 
## number of items displayed in lightweight dashboard before paginating is shown
 
dashboard_items = 100
 

	
 
## use gravatar service to display avatars
 
use_gravatar = true
 

	
 
## path to git executable
 
git_path = git
 

	
 
## git rev filter option, --all is the default filter, if you need to
 
## hide all refs in changelog switch this to --branches --tags
 
git_rev_filter=--all
 

	
 
## RSS feed options
 
rss_cut_off_limit = 256000
 
rss_items_per_page = 10
 
rss_include_diff = false
 

	
 
## options for showing and identifying changesets
 
show_sha_length = 12
 
show_revision_number = true
 

	
 
## white list of API enabled controllers. This allows to add list of
 
## controllers to which access will be enabled by api_key. eg: to enable
 
## api access to raw_files put `FilesController:raw`, to enable access to patches
 
## add `ChangesetController:changeset_patch`. This list should be "," separated
 
## Syntax is <ControllerClass>:<function>. Check debug logs for generated names
 
api_access_controllers_whitelist =
 

	
 
## alternative_gravatar_url allows you to use your own avatar server application
 
## the following parts of the URL will be replaced
 
## {email}        user email
 
## {md5email}     md5 hash of the user email (like at gravatar.com)
 
## {size}         size of the image that is expected from the server application
 
## {scheme}       http/https from RhodeCode server
 
## {netloc}       network location from RhodeCode server
 
#alternative_gravatar_url = http://myavatarserver.com/getbyemail/{email}/{size}
 
#alternative_gravatar_url = http://myavatarserver.com/getbymd5/{md5email}?s={size}
 

	
 

	
 
## container auth options
 
container_auth_enabled = false
 
proxypass_auth_enabled = false
 

	
 
## default encoding used to convert from and to unicode
 
## can be also a comma seperated list of encoding in case of mixed encodings
 
default_encoding = utf8
 

	
 
## overwrite schema of clone url
 
## available vars:
 
## scheme - http/https
 
## user - current user
 
## pass - password 
 
## netloc - network location
 
## path - usually repo_name
 

	
 
#clone_uri = {scheme}://{user}{pass}{netloc}{path}
 

	
 
## issue tracking mapping for commits messages
 
## comment out issue_pat, issue_server, issue_prefix to enable
 

	
 
## pattern to get the issues from commit messages
 
## default one used here is #<numbers> with a regex passive group for `#`
 
## {id} will be all groups matched from this pattern
 

	
 
issue_pat = (?:\s*#)(\d+)
 

	
 
## server url to the issue, each {id} will be replaced with match
 
## fetched from the regex and {repo} is replaced with full repository name
 
## including groups {repo_name} is replaced with just name of repo
 

	
 
issue_server_link = https://myissueserver.com/{repo}/issue/{id}
 

	
 
## prefix to add to link to indicate it's an url
 
## #314 will be replaced by <issue_prefix><id>
 

	
 
issue_prefix = #
 

	
 
## issue_pat, issue_server_link, issue_prefix can have suffixes to specify
 
## multiple patterns, to other issues server, wiki or others
 
## below an example how to create a wiki pattern 
 
#  #wiki-some-id -> https://mywiki.com/some-id
 

	
 
#issue_pat_wiki = (?:wiki-)(.+)
 
#issue_server_link_wiki = https://mywiki.com/{id}
 
#issue_prefix_wiki = WIKI-
 

	
 

	
 
## instance-id prefix
 
## a prefix key for this instance used for cache invalidation when running 
 
## multiple instances of rhodecode, make sure it's globally unique for 
 
## all running rhodecode instances. Leave empty if you don't use it
 
instance_id = 
 

	
 
## alternative return HTTP header for failed authentication. Default HTTP
 
## response is 401 HTTPUnauthorized. Currently HG clients have troubles with 
 
## handling that. Set this variable to 403 to return HTTPForbidden
 
auth_ret_code =
 

	
 
## locking return code. When repository is locked return this HTTP code. 2XX
 
## codes don't break the transactions while 4XX codes do
 
lock_ret_code = 423
 

	
 

	
 
####################################
 
###        CELERY CONFIG        ####
 
####################################
 
use_celery = false
 
broker.host = localhost
 
broker.vhost = rabbitmqhost
 
broker.port = 5672
 
broker.user = rabbitmq
 
broker.password = qweqwe
 

	
 
celery.imports = rhodecode.lib.celerylib.tasks
 

	
 
celery.result.backend = amqp
 
celery.result.dburi = amqp://
 
celery.result.serialier = json
 

	
 
#celery.send.task.error.emails = true
 
#celery.amqp.task.result.expires = 18000
 

	
 
celeryd.concurrency = 2
rhodecode/lib/auth.py
 
# -*- coding: utf-8 -*-
 
"""
 
    rhodecode.lib.auth
 
    ~~~~~~~~~~~~~~~~~~
 

	
 
    authentication and permission libraries
 

	
 
    :created_on: Apr 4, 2010
 
    :author: marcink
 
    :copyright: (C) 2010-2012 Marcin Kuzminski <marcin@python-works.com>
 
    :license: GPLv3, see COPYING for more details.
 
"""
 
# This program is free software: you can redistribute it and/or modify
 
# it under the terms of the GNU General Public License as published by
 
# the Free Software Foundation, either version 3 of the License, or
 
# (at your option) any later version.
 
#
 
# This program is distributed in the hope that it will be useful,
 
# but WITHOUT ANY WARRANTY; without even the implied warranty of
 
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 
# GNU General Public License for more details.
 
#
 
# You should have received a copy of the GNU General Public License
 
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 

	
 
import random
 
import logging
 
import traceback
 
import hashlib
 

	
 
from tempfile import _RandomNameSequence
 
from decorator import decorator
 

	
 
from pylons import config, url, request
 
from pylons.controllers.util import abort, redirect
 
from pylons.i18n.translation import _
 
from sqlalchemy.orm.exc import ObjectDeletedError
 

	
 
from rhodecode import __platform__, is_windows, is_unix
 
from rhodecode.model.meta import Session
 

	
 
from rhodecode.lib.utils2 import str2bool, safe_unicode
 
from rhodecode.lib.utils2 import str2bool, safe_unicode, aslist
 
from rhodecode.lib.exceptions import LdapPasswordError, LdapUsernameError,\
 
    LdapImportError
 
from rhodecode.lib.utils import get_repo_slug, get_repos_group_slug,\
 
    get_user_group_slug
 
from rhodecode.lib.auth_ldap import AuthLdap
 

	
 
from rhodecode.model import meta
 
from rhodecode.model.user import UserModel
 
from rhodecode.model.db import Permission, RhodeCodeSetting, User, UserIpMap
 
from rhodecode.lib.caching_query import FromCache
 

	
 
log = logging.getLogger(__name__)
 

	
 

	
 
class PasswordGenerator(object):
 
    """
 
    This is a simple class for generating password from different sets of
 
    characters
 
    usage::
 

	
 
        passwd_gen = PasswordGenerator()
 
        #print 8-letter password containing only big and small letters
 
            of alphabet
 
        passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL)
 
    """
 
    ALPHABETS_NUM = r'''1234567890'''
 
    ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm'''
 
    ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM'''
 
    ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?'''
 
    ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \
 
        + ALPHABETS_NUM + ALPHABETS_SPECIAL
 
    ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM
 
    ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL
 
    ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM
 
    ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM
 

	
 
    def __init__(self, passwd=''):
 
        self.passwd = passwd
 

	
 
    def gen_password(self, length, type_=None):
 
        if type_ is None:
 
            type_ = self.ALPHABETS_FULL
 
        self.passwd = ''.join([random.choice(type_) for _ in xrange(length)])
 
        return self.passwd
 

	
 

	
 
class RhodeCodeCrypto(object):
 

	
 
    @classmethod
 
    def hash_string(cls, str_):
 
        """
 
        Cryptographic function used for password hashing based on pybcrypt
 
        or pycrypto in windows
 

	
 
        :param password: password to hash
 
        """
 
        if is_windows:
 
            from hashlib import sha256
 
            return sha256(str_).hexdigest()
 
        elif is_unix:
 
            import bcrypt
 
            return bcrypt.hashpw(str_, bcrypt.gensalt(10))
 
        else:
 
            raise Exception('Unknown or unsupported platform %s' \
 
                            % __platform__)
 

	
 
    @classmethod
 
    def hash_check(cls, password, hashed):
 
        """
 
        Checks matching password with it's hashed value, runs different
 
        implementation based on platform it runs on
 

	
 
        :param password: password
 
        :param hashed: password in hashed form
 
        """
 

	
 
        if is_windows:
 
            from hashlib import sha256
 
            return sha256(password).hexdigest() == hashed
 
        elif is_unix:
 
            import bcrypt
 
            return bcrypt.hashpw(password, hashed) == hashed
 
        else:
 
            raise Exception('Unknown or unsupported platform %s' \
 
                            % __platform__)
 

	
 

	
 
def get_crypt_password(password):
 
    return RhodeCodeCrypto.hash_string(password)
 

	
 

	
 
def check_password(password, hashed):
 
    return RhodeCodeCrypto.hash_check(password, hashed)
 

	
 

	
 
def generate_api_key(str_, salt=None):
 
@@ -438,203 +438,208 @@ class  AuthUser(object):
 
        allowed_ips = AuthUser.get_allowed_ips(self.user_id, cache=True)
 
        if check_ip_access(source_ip=self.ip_addr, allowed_ips=allowed_ips):
 
            log.debug('IP:%s is in range of %s' % (self.ip_addr, allowed_ips))
 
            return True
 
        else:
 
            log.info('Access for IP:%s forbidden, '
 
                     'not in %s' % (self.ip_addr, allowed_ips))
 
            return False
 

	
 
    def __repr__(self):
 
        return "<AuthUser('id:%s:%s|%s')>" % (self.user_id, self.username,
 
                                              self.is_authenticated)
 

	
 
    def set_authenticated(self, authenticated=True):
 
        if self.user_id != self.anonymous_user.user_id:
 
            self.is_authenticated = authenticated
 

	
 
    def get_cookie_store(self):
 
        return {'username': self.username,
 
                'user_id': self.user_id,
 
                'is_authenticated': self.is_authenticated}
 

	
 
    @classmethod
 
    def from_cookie_store(cls, cookie_store):
 
        """
 
        Creates AuthUser from a cookie store
 

	
 
        :param cls:
 
        :param cookie_store:
 
        """
 
        user_id = cookie_store.get('user_id')
 
        username = cookie_store.get('username')
 
        api_key = cookie_store.get('api_key')
 
        return AuthUser(user_id, api_key, username)
 

	
 
    @classmethod
 
    def get_allowed_ips(cls, user_id, cache=False):
 
        _set = set()
 
        user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)
 
        if cache:
 
            user_ips = user_ips.options(FromCache("sql_cache_short",
 
                                                  "get_user_ips_%s" % user_id))
 
        for ip in user_ips:
 
            try:
 
                _set.add(ip.ip_addr)
 
            except ObjectDeletedError:
 
                # since we use heavy caching sometimes it happens that we get
 
                # deleted objects here, we just skip them
 
                pass
 
        return _set or set(['0.0.0.0/0', '::/0'])
 

	
 

	
 
def set_available_permissions(config):
 
    """
 
    This function will propagate pylons globals with all available defined
 
    permission given in db. We don't want to check each time from db for new
 
    permissions since adding a new permission also requires application restart
 
    ie. to decorate new views with the newly created permission
 

	
 
    :param config: current pylons config instance
 

	
 
    """
 
    log.info('getting information about all available permissions')
 
    try:
 
        sa = meta.Session
 
        all_perms = sa.query(Permission).all()
 
    except Exception:
 
        pass
 
    finally:
 
        meta.Session.remove()
 

	
 
    config['available_permissions'] = [x.permission_name for x in all_perms]
 

	
 

	
 
#==============================================================================
 
# CHECK DECORATORS
 
#==============================================================================
 
class LoginRequired(object):
 
    """
 
    Must be logged in to execute this function else
 
    redirect to login page
 

	
 
    :param api_access: if enabled this checks only for valid auth token
 
        and grants access based on valid token
 
    """
 

	
 
    def __init__(self, api_access=False):
 
        self.api_access = api_access
 

	
 
    def __call__(self, func):
 
        return decorator(self.__wrapper, func)
 

	
 
    def __wrapper(self, func, *fargs, **fkwargs):
 
        cls = fargs[0]
 
        user = cls.rhodecode_user
 
        loc = "%s:%s" % (cls.__class__.__name__, func.__name__)
 

	
 
        # defined whitelist of controllers which API access will be enabled
 
        whitelist = aslist(config.get('api_access_controllers_whitelist'),
 
                           sep=',')
 
        api_access_whitelist = loc in whitelist
 
        log.debug('loc:%s is in API whitelist:%s:%s' % (loc, whitelist,
 
                                                        api_access_whitelist))
 
        #check IP
 
        ip_access_ok = True
 
        if not user.ip_allowed:
 
            from rhodecode.lib import helpers as h
 
            h.flash(h.literal(_('IP %s not allowed' % (user.ip_addr))),
 
                    category='warning')
 
            ip_access_ok = False
 

	
 
        api_access_ok = False
 
        if self.api_access:
 
        if self.api_access or api_access_whitelist:
 
            log.debug('Checking API KEY access for %s' % cls)
 
            if user.api_key == request.GET.get('api_key'):
 
                api_access_ok = True
 
            else:
 
                log.debug("API KEY token not valid")
 

	
 
        log.debug('Checking if %s is authenticated @ %s' % (user.username, loc))
 
        if (user.is_authenticated or api_access_ok) and ip_access_ok:
 
            reason = 'RegularAuth' if user.is_authenticated else 'APIAuth'
 
            log.info('user %s is authenticated and granted access to %s '
 
                     'using %s' % (user.username, loc, reason)
 
            )
 
            return func(*fargs, **fkwargs)
 
        else:
 
            log.warn('user %s NOT authenticated on func: %s' % (
 
                user, loc)
 
            )
 
            p = url.current()
 

	
 
            log.debug('redirecting to login page with %s' % p)
 
            return redirect(url('login_home', came_from=p))
 

	
 

	
 
class NotAnonymous(object):
 
    """
 
    Must be logged in to execute this function else
 
    redirect to login page"""
 

	
 
    def __call__(self, func):
 
        return decorator(self.__wrapper, func)
 

	
 
    def __wrapper(self, func, *fargs, **fkwargs):
 
        cls = fargs[0]
 
        self.user = cls.rhodecode_user
 

	
 
        log.debug('Checking if user is not anonymous @%s' % cls)
 

	
 
        anonymous = self.user.username == 'default'
 

	
 
        if anonymous:
 
            p = url.current()
 

	
 
            import rhodecode.lib.helpers as h
 
            h.flash(_('You need to be a registered user to '
 
                      'perform this action'),
 
                    category='warning')
 
            return redirect(url('login_home', came_from=p))
 
        else:
 
            return func(*fargs, **fkwargs)
 

	
 

	
 
class PermsDecorator(object):
 
    """Base class for controller decorators"""
 

	
 
    def __init__(self, *required_perms):
 
        available_perms = config['available_permissions']
 
        for perm in required_perms:
 
            if perm not in available_perms:
 
                raise Exception("'%s' permission is not defined" % perm)
 
        self.required_perms = set(required_perms)
 
        self.user_perms = None
 

	
 
    def __call__(self, func):
 
        return decorator(self.__wrapper, func)
 

	
 
    def __wrapper(self, func, *fargs, **fkwargs):
 
        cls = fargs[0]
 
        self.user = cls.rhodecode_user
 
        self.user_perms = self.user.permissions
 
        log.debug('checking %s permissions %s for %s %s',
 
           self.__class__.__name__, self.required_perms, cls, self.user)
 

	
 
        if self.check_permissions():
 
            log.debug('Permission granted for %s %s' % (cls, self.user))
 
            return func(*fargs, **fkwargs)
 

	
 
        else:
 
            log.debug('Permission denied for %s %s' % (cls, self.user))
 
            anonymous = self.user.username == 'default'
 

	
 
            if anonymous:
 
                p = url.current()
 

	
 
                import rhodecode.lib.helpers as h
 
                h.flash(_('You need to be a signed in to '
 
                          'view this page'),
 
                        category='warning')
 
                return redirect(url('login_home', came_from=p))
 

	
 
            else:
 
                # redirect with forbidden ret code
 
                return abort(403)
 

	
 
    def check_permissions(self):
 
        """Dummy function for overriding"""
 
        raise Exception('You have to write this function in child class')
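Review bot: The widened condition `if self.api_access or api_access_whitelist:` in `LoginRequired.__wrapper` now routes whitelisted controllers through `user.api_key == request.GET.get('api_key')`, and that comparison has no guard for an absent parameter: if `user.api_key` can ever be `None` or empty for the current user (presumably possible for the anonymous user — verify against `AuthUser`), a request with no `api_key` at all satisfies the equality and sets `api_access_ok = True`. I would make the presence of the token explicit: `api_key = request.GET.get('api_key')` followed by `if api_key and user.api_key == api_key:`. Separately, the whitelist is re-parsed from `config` on every decorated request; that is harmless but a one-line comment such as `# re-read per request so ini changes need no restart of the decorator state` (or hoisting it into `__init__` if the config is static) would make the choice deliberate. The whitelist match on `loc` also relies on `aslist(..., sep=',')` trimming whitespace around each entry, which this hunk does not show — worth confirming, since `FilesController:raw, ChangesetController:changeset_patch` is the natural way to write the ini value.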