self.username = 'None'

        log.debug('Auth User is now %s' % self)

    def __get_perms(self, user, explicit=True, algo='higherwin', cache=False):

        """

        Fills user permission attribute with permissions taken from database

        works for permissions given for repositories, and for permissions that

        are granted to groups

        :param user: `AuthUser` instance

        :param explicit: In case there are permissions both for user and a group

            that user is part of, explicit flag will define if user will

            explicitly override permissions from group, if it's False it will

            make decision based on the algo

        :param algo: algorithm to decide what permission should be choose if

            it's multiple defined, eg user in two different groups. It also

            decides if explicit flag is turned off how to specify the permission

            for case when user is in a group + have defined separate permission

        """

        user_id = user.user_id

        user_is_admin = user.is_admin

        user_inherit_default_permissions = user.inherit_default_permissions

        log.debug('Getting PERMISSION tree')

        compute = conditional_cache('short_term', 'cache_desc',

                                    condition=cache, func=_cached_perms_data)

        return compute(user_id, user_is_admin,

                       user_inherit_default_permissions, explicit, algo)

    def _get_api_keys(self):

        api_keys = [self.api_key]

        for api_key in UserApiKeys.query()\

                .filter(UserApiKeys.user_id == self.user_id)\

                .filter(or_(UserApiKeys.expires == -1,

                            UserApiKeys.expires >= time.time())).all():

            api_keys.append(api_key.api_key)

        return api_keys

    @property

    def is_admin(self):

        return self.admin

    @property

    def repositories_admin(self):

        """

        Returns list of repositories you're an admin of

        """

        return [x[0] for x in self.permissions['repositories'].iteritems()

                if x[1] == 'repository.admin']

    @property

    def repository_groups_admin(self):

        """

        Returns list of repository groups you're an admin of

        """

        return [x[0] for x in self.permissions['repositories_groups'].iteritems()

                if x[1] == 'group.admin']

    @property

    def user_groups_admin(self):

        """

        Returns list of user groups you're an admin of

        """

        return [x[0] for x in self.permissions['user_groups'].iteritems()

                if x[1] == 'usergroup.admin']

    @staticmethod

    def check_ip_allowed(user, ip_addr):

        """

        Check if the given IP address (a `str`) is allowed for the given

        user (an `AuthUser` or `db.User`).

        """

        allowed_ips = AuthUser.get_allowed_ips(user.user_id, cache=True,

            inherit_from_default=user.inherit_default_permissions)

        if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):

            log.debug('IP:%s is in range of %s' % (ip_addr, allowed_ips))

            return True

        else:

            log.info('Access for IP:%s forbidden, '

                     'not in %s' % (ip_addr, allowed_ips))

            return False

    def __repr__(self):

        return "<AuthUser('id:%s[%s] auth:%s')>"\

            % (self.user_id, self.username, self.is_authenticated)

    def set_authenticated(self, authenticated=True):

        if self.user_id != self.anonymous_user.user_id:

            self.is_authenticated = authenticated

    def to_cookie(self):

        """ Serializes this login session to a cookie `dict`. """

        return {

            'user_id': self.user_id,

            'is_authenticated': self.is_authenticated,

            'is_external_auth': self.is_external_auth,

        }

    @staticmethod

    def from_cookie(cookie):

        """

        Deserializes an `AuthUser` from a cookie `dict`.

        """

        au = AuthUser(

            user_id=cookie.get('user_id'),

            is_external_auth=cookie.get('is_external_auth', False),

        )

        if not au.is_authenticated and au.user_id is not None:

            # user is not authenticated and not empty

            au.set_authenticated(cookie.get('is_authenticated'))

        return au

    @classmethod

    def get_allowed_ips(cls, user_id, cache=False, inherit_from_default=False):

        _set = set()

        if inherit_from_default:

            default_ips = UserIpMap.query().filter(UserIpMap.user ==

                                            User.get_default_user(cache=True))

            if cache:

                default_ips = default_ips.options(FromCache("sql_cache_short",

                                                  "get_user_ips_default"))

            # populate from default user

            for ip in default_ips:

                try:

                    _set.add(ip.ip_addr)

                except ObjectDeletedError:

                    # since we use heavy caching sometimes it happens that we get

                    # deleted objects here, we just skip them

                    pass

        user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)

        if cache:

            user_ips = user_ips.options(FromCache("sql_cache_short",

                                                  "get_user_ips_%s" % user_id))

        for ip in user_ips:

            try:

                _set.add(ip.ip_addr)

            except ObjectDeletedError:

                # since we use heavy caching sometimes it happens that we get

                # deleted objects here, we just skip them

                pass

        return _set or set(['0.0.0.0/0', '::/0'])

def set_available_permissions(config):

    """

    This function will propagate pylons globals with all available defined

    permission given in db. We don't want to check each time from db for new

    permissions since adding a new permission also requires application restart

    ie. to decorate new views with the newly created permission

    :param config: current pylons config instance

    """

    log.info('getting information about all available permissions')

    try:

        sa = meta.Session

        all_perms = sa.query(Permission).all()

        config['available_permissions'] = [x.permission_name for x in all_perms]

    finally:

        meta.Session.remove()

#==============================================================================

# CHECK DECORATORS

#==============================================================================

def redirect_to_login(message=None):

    from kallithea.lib import helpers as h

    p = url.current()

    if message:

        h.flash(h.literal(message), category='warning')

    log.debug('Redirecting to login page, origin: %s' % p)

    return redirect(url('login_home', came_from=p, **request.GET))

class LoginRequired(object):

    """

    Must be logged in to execute this function else

    redirect to login page

    :param api_access: if enabled this checks only for valid auth token

        and grants access based on valid token

    """

    def __init__(self, api_access=False):

        self.api_access = api_access

HG_REMOTE_REPO = 'http://bitbucket.org/marcinkuzminski/vcs'

TEST_HG_REPO = jn(TESTS_TMP_PATH, HG_REPO)

TEST_HG_REPO_CLONE = jn(TESTS_TMP_PATH, 'vcshgclone%s' % uniq_suffix)

TEST_HG_REPO_PULL = jn(TESTS_TMP_PATH, 'vcshgpull%s' % uniq_suffix)

TEST_DIR = tempfile.gettempdir()

TEST_REPO_PREFIX = 'vcs-test'

# cached repos if any !

# comment out to get some other repos from bb or github

GIT_REMOTE_REPO = jn(TESTS_TMP_PATH, GIT_REPO)

HG_REMOTE_REPO = jn(TESTS_TMP_PATH, HG_REPO)

#skip ldap tests if LDAP lib is not installed

ldap_lib_installed = False

try:

    import ldap

    ldap.API_VERSION

    ldap_lib_installed = True

except ImportError:

    # means that python-ldap is not installed

    pass

def get_new_dir(title):

    """

    Returns always new directory path.

    """

    from kallithea.tests.vcs.utils import get_normalized_path

    name = TEST_REPO_PREFIX

    if title:

        name = '-'.join((name, title))

    hex = hashlib.sha1(str(time.time())).hexdigest()

    name = '-'.join((name, hex))

    path = os.path.join(TEST_DIR, name)

    return get_normalized_path(path)

import logging

class NullHandler(logging.Handler):

    def emit(self, record):

        pass

def init_stack(config=None):

    if not config:

        config = pylons.test.pylonsapp.config

    url._push_object(URLGenerator(config['routes.map'], environ))

    pylons.app_globals._push_object(config['pylons.app_globals'])

    pylons.config._push_object(config)

    pylons.tmpl_context._push_object(ContextObj())

    # Initialize a translator for tests that utilize i18n

    translator = _get_translator(pylons.config.get('lang'))

    pylons.translator._push_object(translator)

    h = NullHandler()

    logging.getLogger("kallithea").addHandler(h)

class BaseTestCase(unittest.TestCase):

    def __init__(self, *args, **kwargs):

        self.wsgiapp = pylons.test.pylonsapp

        init_stack(self.wsgiapp.config)

        unittest.TestCase.__init__(self, *args, **kwargs)

    def remove_all_notifications(self):

        Notification.query().delete()

        # Because query().delete() does not (by default) trigger cascades.

        # http://docs.sqlalchemy.org/en/rel_0_7/orm/collections.html#passive-deletes

        UserNotification.query().delete()

        Session().commit()

class TestController(BaseTestCase):

    def __init__(self, *args, **kwargs):

        BaseTestCase.__init__(self, *args, **kwargs)

        self.app = TestApp(self.wsgiapp)

        self.maxDiff = None

        self.index_location = config['app_conf']['index_dir']

    def log_user(self, username=TEST_USER_ADMIN_LOGIN,

                 password=TEST_USER_ADMIN_PASS):

        self._logged_username = username

        response = self.app.post(url(controller='login', action='index'),

                                 {'username': username,

                                  'password': password})

        if 'invalid user name' in response.body:

            self.fail('could not login using %s %s' % (username, password))

        self.assertEqual(response.status, '302 Found')

        response = response.follow()

        return response.session['authuser']

    def _get_logged_user(self):

        return User.get_by_username(self._logged_username)

    def authentication_token(self):

        return self.app.get(url('authentication_token')).body

    def checkSessionFlash(self, response, msg, skip=0):

        if 'flash' not in response.session:

            self.fail(safe_str(u'msg `%s` not found - session has no flash ' % msg))

        try:

            level, m = response.session['flash'][-1 - skip]

            if msg in m:

                return

        except IndexError:

            pass

        self.fail(safe_str(u'msg `%s` not found in session flash (skipping %s): %s' %

                           (msg, skip,

                            ', '.join('`%s`' % m for level, m in response.session['flash']))))

# -*- coding: utf-8 -*-

from __future__ import with_statement

import re

import mock

from kallithea.tests import *

from kallithea.tests.fixture import Fixture

from kallithea.lib.utils2 import generate_api_key

from kallithea.lib.auth import check_password

from kallithea.lib import helpers as h

from kallithea.model.api_key import ApiKeyModel

from kallithea.model import validators

from kallithea.model.db import User, Notification

from kallithea.model.meta import Session

fixture = Fixture()

class TestLoginController(TestController):

    def setUp(self):

        self.remove_all_notifications()

        self.assertEqual(Notification.query().all(), [])

    def test_index(self):

        response = self.app.get(url(controller='login', action='index'))

        self.assertEqual(response.status, '200 OK')

        # Test response...

    def test_login_admin_ok(self):

        response = self.app.post(url(controller='login', action='index'),

                                 {'username': TEST_USER_ADMIN_LOGIN,

                                  'password': TEST_USER_ADMIN_PASS})

        self.assertEqual(response.status, '302 Found')

        response = response.follow()

        response.mustcontain('/%s' % HG_REPO)

    def test_login_regular_ok(self):

        response = self.app.post(url(controller='login', action='index'),

                                 {'username': TEST_USER_REGULAR_LOGIN,

                                  'password': TEST_USER_REGULAR_PASS})

        self.assertEqual(response.status, '302 Found')

        response = response.follow()

        response.mustcontain('/%s' % HG_REPO)

    def test_login_ok_came_from(self):

        test_came_from = '/_admin/users'

        response = self.app.post(url(controller='login', action='index',

                                     came_from=test_came_from),

                                 {'username': TEST_USER_ADMIN_LOGIN,

                                  'password': TEST_USER_ADMIN_PASS})

        self.assertEqual(response.status, '302 Found')

        response = response.follow()

        self.assertEqual(response.status, '200 OK')

        response.mustcontain('Users Administration')

    def test_login_do_not_remember(self):

        response = self.app.post(url(controller='login', action='index'),

                                 {'username': TEST_USER_REGULAR_LOGIN,

                                  'password': TEST_USER_REGULAR_PASS,

                                  'remember': False})

        self.assertIn('Set-Cookie', response.headers)

        for cookie in response.headers.getall('Set-Cookie'):

            self.assertFalse(re.search(r';\s+(Max-Age|Expires)=', cookie, re.IGNORECASE),

                'Cookie %r has expiration date, but should be a session cookie' % cookie)

    def test_login_remember(self):

        response = self.app.post(url(controller='login', action='index'),

                                 {'username': TEST_USER_REGULAR_LOGIN,

                                  'password': TEST_USER_REGULAR_PASS,

                                  'remember': True})

        self.assertIn('Set-Cookie', response.headers)

        for cookie in response.headers.getall('Set-Cookie'):

            self.assertTrue(re.search(r';\s+(Max-Age|Expires)=', cookie, re.IGNORECASE),

                'Cookie %r should have expiration date, but is a session cookie' % cookie)

    def test_logout(self):

        response = self.app.post(url(controller='login', action='index'),

                                 {'username': TEST_USER_REGULAR_LOGIN,

                                  'password': TEST_USER_REGULAR_PASS})

        # Verify that a login session has been established.

        response = self.app.get(url(controller='login', action='index'))

        response = response.follow()

        self.assertIn('authuser', response.session)

        response.click('Log Out')

        # Verify that the login session has been terminated.

        response = self.app.get(url(controller='login', action='index'))

        self.assertNotIn('authuser', response.session)

    @parameterized.expand([

          ('data:text/html,<script>window.alert("xss")</script>',),

          ('mailto:test@example.com',),

          ('file:///etc/passwd',),

          ('ftp://some.ftp.server',),

          ('http://other.domain/bl%C3%A5b%C3%A6rgr%C3%B8d',),

    ])

    def test_login_bad_came_froms(self, url_came_from):

        response = self.app.post(url(controller='login', action='index',

                                     came_from=url_came_from),

                                 {'username': TEST_USER_ADMIN_LOGIN,

                                  'password': TEST_USER_ADMIN_PASS})

        self.assertEqual(response.status, '302 Found')

        self.assertEqual(response._environ['paste.testing_variables']

                         ['tmpl_context'].came_from, '/')

        response = response.follow()

        self.assertEqual(response.status, '200 OK')

    def test_login_short_password(self):

        response = self.app.post(url(controller='login', action='index'),

                                 {'username': TEST_USER_ADMIN_LOGIN,

                                  'password': 'as'})

        self.assertEqual(response.status, '200 OK')

        response.mustcontain('Enter 3 characters or more')

    def test_login_wrong_username_password(self):

        response = self.app.post(url(controller='login', action='index'),

                                 {'username': 'error',

                                  'password': 'test12'})

        response.mustcontain('Invalid username')

        response.mustcontain('Invalid password')

    # verify that get arguments are correctly passed along login redirection

    @parameterized.expand([

        ({'foo':'one', 'bar':'two'}, ('foo=one', 'bar=two')),

        ({'blue': u'blå'.encode('utf-8'), 'green':u'grøn'},

             ('blue=bl%C3%A5', 'green=gr%C3%B8n')),

    ])

    def test_redirection_to_login_form_preserves_get_args(self, args, args_encoded):