"hg.register.manual_activate"],

                            "repositories": {"repo1": "repository.none"},

                            "repositories_groups": {"Group1": "group.read"}

                         },

                    }

            error:  null

        """

        if not HasPermissionAny('hg.admin')():

            # make sure normal user does not pass someone else userid,

            # he is not allowed to do that

            if not isinstance(userid, Optional) and userid != request.authuser.user_id:

                raise JSONRPCError(

                    'userid is not the same as your user'

                )

        if isinstance(userid, Optional):

            userid = request.authuser.user_id

        user = get_user_or_error(userid)

        data = user.get_api_data()

        data['permissions'] = AuthUser(user_id=user.user_id).permissions

        return data

    @HasPermissionAnyDecorator('hg.admin')

    def get_users(self):

        """

        Lists all existing users. This command can be executed only using api_key

        belonging to user with admin rights.

        OUTPUT::

            id : <id_given_in_input>

            result: [<user_object>, ...]

            error:  null

        """

        return [

            user.get_api_data()

            for user in User.query()

                .order_by(User.username)

                .filter_by(is_default_user=False)

        ]

    @HasPermissionAnyDecorator('hg.admin')

    def create_user(self, username, email, password=Optional(''),

                    active=Optional(True), admin=Optional(False),

                    extern_type=Optional(User.DEFAULT_AUTH_TYPE),

                    extern_name=Optional('')):

        """

        Creates new user. Returns new user object. This command can

        be executed only using api_key belonging to user with admin rights.

        :param username: new username

        :type username: str or int

        :param email: email

        :type email: str

        :param password: password

        :type password: Optional(str)

        :param firstname: firstname

        :type firstname: Optional(str)

        :param lastname: lastname

        :type lastname: Optional(str)

        :param active: active

        :type active: Optional(bool)

        :param admin: admin

        :type admin: Optional(bool)

        :param extern_name: name of extern

        :type extern_name: Optional(str)

        :param extern_type: extern_type

        :type extern_type: Optional(str)

        OUTPUT::

            id : <id_given_in_input>

            result: {

                      "msg" : "created new user `<username>`",

                      "user": <user_obj>

                    }

            error:  null

        ERROR OUTPUT::

          id : <id_given_in_input>

          result : null

          error :  {

            "user `<username>` already exist"

            or

            "email `<email>` already exist"

            or

            "failed to create user `<username>`"

          }

        belonging to user with admin rights or user who has at least

        read access to user group.

        :param usergroupid: id of user_group to edit

        :type usergroupid: str or int

        OUTPUT::

            id : <id_given_in_input>

            result : None if group not exist

                     {

                       "users_group_id" : "<id>",

                       "group_name" :     "<groupname>",

                       "active":          "<bool>",

                       "members" :  [<user_obj>,...]

                     }

            error : null

        """

        user_group = get_user_group_or_error(usergroupid)

        if not HasPermissionAny('hg.admin')():

            if not HasUserGroupPermissionLevel('read')(user_group.users_group_name):

                raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))

        data = user_group.get_api_data()

        return data

    # permission check inside

    def get_user_groups(self):

        """

        Lists all existing user groups. This command can be executed only using

        api_key belonging to user with admin rights or user who has at least

        read access to user group.

        OUTPUT::

            id : <id_given_in_input>

            result : [<user_group_obj>,...]

            error : null

        """

        return [

            user_group.get_api_data()

            for user_group in UserGroupList(UserGroup.query().all(), perm_level='read')

        ]

    @HasPermissionAnyDecorator('hg.admin', 'hg.usergroup.create.true')

                          owner=Optional(OAttr('apiuser')), active=Optional(True)):

        """

        Creates new user group. This command can be executed only using api_key

        belonging to user with admin rights or an user who has create user group

        permission

        :param group_name: name of new user group

        :type group_name: str

        :param description: group description

        :type description: str

        :param owner: owner of group. If not passed apiuser is the owner

        :type owner: Optional(str or int)

        :param active: group is active

        :type active: Optional(bool)

        OUTPUT::

            id : <id_given_in_input>

            result: {

                      "msg": "created new user group `<groupname>`",

                      "user_group": <user_group_object>

                    }

            error:  null

        ERROR OUTPUT::

          id : <id_given_in_input>

          result : null

          error :  {

            "user group `<group name>` already exist"

            or

            "failed to create group `<group name>`"

          }

        """

        if UserGroupModel().get_by_name(group_name):

            raise JSONRPCError("user group `%s` already exist" % (group_name,))

        try:

            if isinstance(owner, Optional):

                owner = request.authuser.user_id

            owner = get_user_or_error(owner)

            active = Optional.extract(active)

            description = Optional.extract(description)

            ug = UserGroupModel().create(name=group_name, description=description,

                                         owner=owner, active=active)

        if not HasPermissionAny('hg.admin')():

            if gist.owner_id != request.authuser.user_id:

                raise JSONRPCError('gist `%s` does not exist' % (gistid,))

        try:

            GistModel().delete(gist)

            Session().commit()

            return dict(

                msg='deleted gist ID:%s' % (gist.gist_access_id,),

                gist=None

            )

        except Exception:

            log.error(traceback.format_exc())

            raise JSONRPCError('failed to delete gist ID:%s'

                               % (gist.gist_access_id,))

    # permission check inside

    def get_changeset(self, repoid, raw_id, with_reviews=Optional(False)):

        repo = get_repo_or_error(repoid)

        if not HasRepoPermissionLevel('read')(repo.repo_name):

            raise JSONRPCError('Access denied to repo %s' % repo.repo_name)

        changeset = repo.get_changeset(raw_id)

        if isinstance(changeset, EmptyChangeset):

            raise JSONRPCError('Changeset %s does not exist' % raw_id)

        info = dict(changeset.as_dict())

        with_reviews = Optional.extract(with_reviews)

        if with_reviews:

                reviews = ChangesetStatusModel().get_statuses(

                                    repo.repo_name, raw_id)

                info["reviews"] = reviews

        return info

    # permission check inside

    def get_pullrequest(self, pullrequest_id):

        """

        Get given pull request by id

        """

        pull_request = PullRequest.get(pullrequest_id)

        if pull_request is None:

            raise JSONRPCError('pull request `%s` does not exist' % (pullrequest_id,))

        if not HasRepoPermissionLevel('read')(pull_request.org_repo.repo_name):

            raise JSONRPCError('not allowed')

        return pull_request.get_api_data()

    # permission check inside

        """

        Add comment, close and change status of pull request.

        """

        apiuser = get_user_or_error(request.authuser.user_id)

        pull_request = PullRequest.get(pull_request_id)

        if pull_request is None:

            raise JSONRPCError('pull request `%s` does not exist' % (pull_request_id,))

        if (not HasRepoPermissionLevel('read')(pull_request.org_repo.repo_name)):

            raise JSONRPCError('No permission to add comment. User needs at least reading permissions'

                               ' to the source repository.')

        owner = apiuser.user_id == pull_request.owner_id

        reviewer = apiuser.user_id in [reviewer.user_id for reviewer in pull_request.reviewers]

        if close_pr and not (apiuser.admin or owner):

            raise JSONRPCError('No permission to close pull request. User needs to be admin or owner.')

        if status and not (apiuser.admin or owner or reviewer):

            raise JSONRPCError('No permission to change pull request status. User needs to be admin, owner or reviewer.')

        if pull_request.is_closed():

            raise JSONRPCError('pull request is already closed')

        comment = ChangesetCommentsModel().create(

            text=comment_msg,

            repo=pull_request.org_repo.repo_id,

            author=apiuser.user_id,

            pull_request=pull_request.pull_request_id,

            f_path=None,

            line_no=None,

            status_change=(ChangesetStatus.get_status_lbl(status)),

            closing_pr=close_pr

        )

        action_logger(apiuser,

                      'user_commented_pull_request:%s' % pull_request_id,

                      pull_request.org_repo, request.ip_addr)

        if status:

            ChangesetStatusModel().set_status(

                pull_request.org_repo_id,

                status,

                apiuser.user_id,

                comment,

                pull_request=pull_request_id

            )

        if close_pr:

            PullRequestModel().close_pull_request(pull_request_id)

            action_logger(apiuser,

                          'user_closed_pull_request:%s' % pull_request_id,

                          pull_request.org_repo, request.ip_addr)

        Session().commit()

        return True

        revision_data = [(x.raw_id, x.message)

                         for x in map(pr.org_repo.get_changeset, pr.revisions)]

        email_kwargs = {

            'pr_title': pr.title,

            'pr_title_short': h.shorter(pr.title, 50),

            'pr_user_created': user.full_name_and_username,

            'pr_repo_url': h.canonical_url('summary_home', repo_name=pr.other_repo.repo_name),

            'pr_url': pr_url,

            'pr_revisions': revision_data,

            'repo_name': pr.other_repo.repo_name,

            'org_repo_name': pr.org_repo.repo_name,

            'pr_nice_id': pr.nice_id(),

            'pr_target_repo': h.canonical_url('summary_home',

                               repo_name=pr.other_repo.repo_name),

            'pr_target_branch': other_ref_name,

            'pr_source_repo': h.canonical_url('summary_home',

                               repo_name=pr.org_repo.repo_name),

            'pr_source_branch': org_ref_name,

            'pr_owner': pr.owner,

            'pr_owner_username': pr.owner.username,

            'pr_username': user.username,

            'threading': threading,

            'is_mention': False,

            }

        if reviewers:

            NotificationModel().create(created_by=user, subject=subject, body=body,

                                       recipients=reviewers,

                                       type_=Notification.TYPE_PULL_REQUEST,

                                       email_kwargs=email_kwargs)

        if mention_recipients:

            email_kwargs['is_mention'] = True

            subject = _('[Mention]') + ' ' + subject

            # FIXME: this subject is wrong and unused!

            NotificationModel().create(created_by=user, subject=subject, body=body,

                                       recipients=mention_recipients,

                                       type_=Notification.TYPE_PULL_REQUEST,

                                       email_kwargs=email_kwargs)

    def mention_from_description(self, user, pr, old_description=''):

        mention_recipients = (extract_mentioned_users(pr.description) -

                              extract_mentioned_users(old_description))

        log.debug("Mentioning %s", mention_recipients)

        self.add_reviewers(user, pr, set(), mention_recipients)

    def remove_reviewers(self, user, pull_request, reviewers):

        """Remove specified users from being reviewers of the PR."""

        PullRequestReviewer.query() \

            .filter_by(pull_request=pull_request) \

            .filter(PullRequestReviewer.user_id.in_(r.user_id for r in reviewers)) \

            .delete(synchronize_session='fetch') # the default of 'evaluate' is not available

    def delete(self, pull_request):

        pull_request = PullRequest.guess_instance(pull_request)

        Session().delete(pull_request)

        if pull_request.org_repo.scm_instance.alias == 'git':

            # remove a ref under refs/pull/ so that commits can be garbage-collected

            try:

                del pull_request.org_repo.scm_instance._repo["refs/pull/%d/head" % pull_request.pull_request_id]

            except KeyError:

                pass

    def close_pull_request(self, pull_request):

        pull_request = PullRequest.guess_instance(pull_request)

        pull_request.status = PullRequest.STATUS_CLOSED

        pull_request.updated_on = datetime.datetime.now()

class CreatePullRequestAction(object):

    class ValidationError(Exception):

        pass

    class Empty(ValidationError):

        pass

    class AmbiguousAncestor(ValidationError):

        pass

    class Unauthorized(ValidationError):

        pass

    @staticmethod

    def is_user_authorized(org_repo, other_repo):

        """Performs authorization check with only the minimum amount of

        information needed for such a check, rather than a full command

        object.

        """

        if (h.HasRepoPermissionLevel('read')(org_repo.repo_name) and

            h.HasRepoPermissionLevel('read')(other_repo.repo_name)):

            return True

        return False

        review = fixture.review_changeset(self.REPO, self.TEST_REVISION, "approved")

        id_, params = _build_data(self.apikey, 'get_changeset',

                                  repoid=self.REPO, raw_id = self.TEST_REVISION)

        response = api_call(self, params)

        result = json.loads(response.body)["result"]

        assert result["raw_id"] == self.TEST_REVISION

        assert not result.has_key("reviews")

    def test_api_get_changeset_with_reviews(self):

        reviewobjs = fixture.review_changeset(self.REPO, self.TEST_REVISION, "approved")

        id_, params = _build_data(self.apikey, 'get_changeset',

                                  repoid=self.REPO, raw_id = self.TEST_REVISION,

                                  with_reviews = True)

        response = api_call(self, params)

        result = json.loads(response.body)["result"]

        assert result["raw_id"] == self.TEST_REVISION

        assert result.has_key("reviews")

        assert len(result["reviews"]) == 1

        review = result["reviews"][0]

        expected = {

            'status': 'approved',

            'modified_at': reviewobjs[0].modified_at.isoformat()[:-3],

            'reviewer': 'test_admin',

        }

        assert review == expected

    def test_api_get_changeset_that_does_not_exist(self):

        """ Fetch changeset status for non-existant changeset.

        revision id is the above git hash used in the test above with the

        last 3 nibbles replaced with 0xf.  Should not exist for git _or_ hg.

        """

        id_, params = _build_data(self.apikey, 'get_changeset',

                                  repoid=self.REPO, raw_id = '7ab37bc680b4aa72c34d07b230c866c28e9fcfff')

        response = api_call(self, params)

        expected = u'Changeset %s does not exist' % ('7ab37bc680b4aa72c34d07b230c866c28e9fcfff',)

        self._compare_error(id_, expected, given=response.body)

    def test_api_get_changeset_without_permission(self):

        review = fixture.review_changeset(self.REPO, self.TEST_REVISION, "approved")

        RepoModel().revoke_user_permission(repo=self.REPO, user=self.TEST_USER_LOGIN)

        RepoModel().revoke_user_permission(repo=self.REPO, user="default")

        id_, params = _build_data(self.apikey_regular, 'get_changeset',

                                  repoid=self.REPO, raw_id = self.TEST_REVISION)

        response = api_call(self, params)

        expected = u'Access denied to repo %s' % self.REPO

        self._compare_error(id_, expected, given=response.body)

    def test_api_get_pullrequest(self):

        random_id = random.randrange(1, 9999)

        params = json.dumps({

            "id": random_id,

            "api_key": self.apikey,

            "method": 'get_pullrequest',

            "args": {"pullrequest_id": pull_request_id},

        })

        response = api_call(self, params)

        pullrequest = PullRequest().get(pull_request_id)

        expected = {

            "status": "new",

            "pull_request_id": pull_request_id,

            "description": "No description",

            "url": "/%s/pull-request/%s/_/%s" % (self.REPO, pull_request_id, "stable"),

            "reviewers": [{"username": "test_regular"}],

            "org_repo_url": "http://localhost:80/%s" % self.REPO,

            "org_ref_parts": ["branch", "stable", self.TEST_PR_SRC],

            "other_ref_parts": ["branch", "default", self.TEST_PR_DST],

            "comments": [{"username": TEST_USER_ADMIN_LOGIN, "text": "",

                         "comment_id": pullrequest.comments[0].comment_id}],

            "owner": TEST_USER_ADMIN_LOGIN,

            "statuses": [{"status": "under_review", "reviewer": TEST_USER_ADMIN_LOGIN, "modified_at": "2000-01-01T00:00:00.000"} for i in range(0, len(self.TEST_PR_REVISIONS))],

            "title": "get test",

            "revisions": self.TEST_PR_REVISIONS,

        }

        self._compare_ok(random_id, expected,

                         given=re.sub("\d\d\d\d\-\d\d\-\d\dT\d\d\:\d\d\:\d\d\.\d\d\d",

                                      "2000-01-01T00:00:00.000", response.body))

    def test_api_close_pullrequest(self):

        random_id = random.randrange(1, 9999)

        params = json.dumps({

            "id": random_id,

            "api_key": self.apikey,

            "method": "comment_pullrequest",

            "args": {"pull_request_id": pull_request_id, "close_pr": True},

        })

        response = api_call(self, params)

        self._compare_ok(random_id, True, given=response.body)

        pullrequest = PullRequest().get(pull_request_id)

        assert pullrequest.comments[-1].text == ''

        assert pullrequest.status == PullRequest.STATUS_CLOSED

        assert pullrequest.is_closed() == True

    def test_api_status_pullrequest(self):

        random_id = random.randrange(1, 9999)

        params = json.dumps({

            "id": random_id,

            "api_key": User.get_by_username(TEST_USER_REGULAR2_LOGIN).api_key,

            "method": "comment_pullrequest",

            "args": {"pull_request_id": pull_request_id, "status": ChangesetStatus.STATUS_APPROVED},

        })

        response = api_call(self, params)

        pullrequest = PullRequest().get(pull_request_id)

        self._compare_error(random_id, "No permission to change pull request status. User needs to be admin, owner or reviewer.", given=response.body)

        assert ChangesetStatus.STATUS_UNDER_REVIEW == ChangesetStatusModel().calculate_pull_request_result(pullrequest)[2]

        params = json.dumps({

            "id": random_id,

            "api_key": User.get_by_username(TEST_USER_REGULAR_LOGIN).api_key,

            "method": "comment_pullrequest",

            "args": {"pull_request_id": pull_request_id, "status": ChangesetStatus.STATUS_APPROVED},

        })

        response = api_call(self, params)

        self._compare_ok(random_id, True, given=response.body)

        pullrequest = PullRequest().get(pull_request_id)

        assert ChangesetStatus.STATUS_APPROVED == ChangesetStatusModel().calculate_pull_request_result(pullrequest)[2]

    def test_api_comment_pullrequest(self):

        random_id = random.randrange(1, 9999)

        params = json.dumps({

            "id": random_id,

            "api_key": self.apikey,

            "method": "comment_pullrequest",

            "args": {"pull_request_id": pull_request_id, "comment_msg": "Looks good to me"},

        })

        response = api_call(self, params)

        self._compare_ok(random_id, True, given=response.body)

        pullrequest = PullRequest().get(pull_request_id)

        assert pullrequest.comments[-1].text == u'Looks good to me'

    def load_resource(self, resource_name, strip=True):

        with open(os.path.join(FIXTURES, resource_name), 'rb') as f:

            source = f.read()

            if strip:

                source = source.strip()

        return source

    def commit_change(self, repo, filename, content, message, vcs_type,

                      parent=None, newfile=False, author=None):

        repo = Repository.get_by_repo_name(repo)

        _cs = parent

        if parent is None:

            _cs = EmptyChangeset(alias=vcs_type)

        if author is None:

            author = TEST_USER_ADMIN_LOGIN

        if newfile:

            nodes = {

                filename: {

                    'content': content

                }

            }

            cs = ScmModel().create_nodes(

                user=TEST_USER_ADMIN_LOGIN, repo=repo,

                message=message,

                nodes=nodes,

                parent_cs=_cs,

                author=author,

            )

        else:

            cs = ScmModel().commit_change(

                repo=repo.scm_instance, repo_name=repo.repo_name,

                cs=parent, user=TEST_USER_ADMIN_LOGIN,

                author=author,

                message=message,

                content=content,

                f_path=filename

            )

        return cs

    def review_changeset(self, repo, revision, status, author=TEST_USER_ADMIN_LOGIN):

        comment = ChangesetCommentsModel().create(u"review comment", repo, author, revision=revision, send_email=False)

        csm = ChangesetStatusModel().set_status(repo, ChangesetStatus.STATUS_APPROVED, author, comment, revision=revision)

        Session().commit()

        return csm

        org_ref = 'branch:stable:%s' % pr_src_rev

        other_ref = 'branch:default:%s' % pr_dst_rev

        with test_context(testcontroller.app): # needed to be able to mock request user

            org_repo = other_repo = Repository.get_by_repo_name(repo_name)

            owner_user = User.get_by_username(TEST_USER_ADMIN_LOGIN)

            reviewers = [User.get_by_username(TEST_USER_REGULAR_LOGIN)]

            request.authuser = request.user = AuthUser(dbuser=owner_user)

            # creating a PR sends a message with an absolute URL - without routing that requires mocking

            with mock.patch.object(helpers, 'url', (lambda arg, qualified=False, **kwargs: ('https://localhost' if qualified else '') + '/fake/' + arg)):

                pull_request = cmd.execute()

            Session().commit()

        return pull_request.pull_request_id

#==============================================================================

# Global test environment setup

#==============================================================================

def create_test_env(repos_test_path, config):

    """

    Makes a fresh database and

    install test repository into tmp dir

    """

    # PART ONE create db

    dbconf = config['sqlalchemy.url']

    log.debug('making test db %s', dbconf)

    # create test dir if it doesn't exist

    if not os.path.isdir(repos_test_path):

        log.debug('Creating testdir %s', repos_test_path)

        os.makedirs(repos_test_path)

    dbmanage = DbManage(dbconf=dbconf, root=config['here'],

                        tests=True)

    dbmanage.create_tables(override=True)

    # for tests dynamically set new root paths based on generated content

    dbmanage.create_settings(dbmanage.config_prompt(repos_test_path))

    dbmanage.create_default_user()

    dbmanage.admin_prompt()

    dbmanage.create_permissions()

    dbmanage.populate_default_permissions()

    Session().commit()

    # PART TWO make test repo

    log.debug('making test vcs repositories')

    idx_path = config['index_dir']

    data_path = config['cache_dir']

    #clean index and data

    if idx_path and os.path.exists(idx_path):

        log.debug('remove %s', idx_path)

        shutil.rmtree(idx_path)

    if data_path and os.path.exists(data_path):

        log.debug('remove %s', data_path)

        shutil.rmtree(data_path)

from kallithea.model.db import Repository

from kallithea.model.meta import Session

from kallithea.model.repo_group import RepoGroupModel

from kallithea.tests.base import TestController, url

from kallithea.tests.fixture import Fixture

fixture = Fixture()

class TestRepoGroupsController(TestController):

    def test_case_insensitivity(self):

        self.log_user()

        response = self.app.post(url('repos_groups'),

                                 fixture._get_repo_group_create_params(group_name=group_name,

                                                                 _authentication_token=self.authentication_token()))

        # try to create repo group with swapped case

        swapped_group_name = group_name.swapcase()

        response = self.app.post(url('repos_groups'),

                                 fixture._get_repo_group_create_params(group_name=swapped_group_name,

                                                                 _authentication_token=self.authentication_token()))

        response.mustcontain('already exists')

        RepoGroupModel().delete(group_name)

        Session().commit()

from kallithea.model.user import UserModel

from kallithea.model.meta import Session

from kallithea.model.user_group import UserGroupModel

from kallithea.lib.auth import AuthUser

from kallithea.model.permission import PermissionModel

fixture = Fixture()

class TestPermissions(TestController):

    @classmethod

    def setup_class(cls):

        #recreate default user to get a clean start

        PermissionModel().create_default_permissions(user=User.DEFAULT_USER,

                                                     force=True)

        Session().commit()

    def setup_method(self, method):

        self.u1 = UserModel().create_or_update(

            username=u'u1', password=u'qweqwe',

            email=u'u1@example.com', firstname=u'u1', lastname=u'u1'

        )

        self.u2 = UserModel().create_or_update(

            username=u'u2', password=u'qweqwe',

            email=u'u2@example.com', firstname=u'u2', lastname=u'u2'

        )

        self.u3 = UserModel().create_or_update(

            username=u'u3', password=u'qweqwe',

            email=u'u3@example.com', firstname=u'u3', lastname=u'u3'

        )

        self.anon = User.get_default_user()

        self.a1 = UserModel().create_or_update(

            username=u'a1', password=u'qweqwe',

            email=u'a1@example.com', firstname=u'a1', lastname=u'a1', admin=True

        )

        Session().commit()

    def teardown_method(self, method):

        if hasattr(self, 'test_repo'):

            RepoModel().delete(repo=self.test_repo)

        UserModel().delete(self.u1)

        UserModel().delete(self.u2)

        UserModel().delete(self.u3)

        UserModel().delete(self.a1)

        if hasattr(self, 'g1'):

            RepoGroupModel().delete(self.g1.group_id)

        if hasattr(self, 'g2'):

            RepoGroupModel().delete(self.g2.group_id)

        if hasattr(self, 'ug2'):

            UserGroupModel().delete(self.ug2, force=True)

        if hasattr(self, 'ug1'):

            UserGroupModel().delete(self.ug1, force=True)

        Session().commit()

    def test_default_perms_set(self):

        u1_auth = AuthUser(user_id=self.u1.user_id)

        perms = {

            'repositories_groups': {},

            'global': set(['hg.create.repository', 'repository.read',

                           'hg.register.manual_activate']),

            'repositories': {HG_REPO: 'repository.read'}

        }

        assert u1_auth.permissions['repositories'][HG_REPO] == perms['repositories'][HG_REPO]

        new_perm = 'repository.write'

        RepoModel().grant_user_permission(repo=HG_REPO, user=self.u1,

                                          perm=new_perm)

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        assert u1_auth.permissions['repositories'][HG_REPO] == new_perm

    def test_default_admin_perms_set(self):

        a1_auth = AuthUser(user_id=self.a1.user_id)

        perms = {

            'repositories_groups': {},

            'global': set(['hg.admin', 'hg.create.write_on_repogroup.true']),

            'repositories': {HG_REPO: 'repository.admin'}

        }

        assert a1_auth.permissions['repositories'][HG_REPO] == perms['repositories'][HG_REPO]

        new_perm = 'repository.write'

        RepoModel().grant_user_permission(repo=HG_REPO, user=self.a1,

                                          perm=new_perm)

        Session().commit()

        # cannot really downgrade admins permissions !? they still gets set as

        # admin !

        u1_auth = AuthUser(user_id=self.a1.user_id)

        assert u1_auth.permissions['repositories'][HG_REPO] == perms['repositories'][HG_REPO]

    def test_default_group_perms(self):

        self.g1 = fixture.create_repo_group(u'test1', skip_if_exists=True)

from kallithea.lib.auth_modules import auth_ldap, authenticate

from kallithea.model.db import Setting, User

from kallithea.model.meta import Session

import uuid

import pytest

@pytest.fixture

def arrange_ldap_auth(set_test_settings):

    set_test_settings(

        ('auth_plugins', 'kallithea.lib.auth_modules.auth_ldap', 'list'),

        ('auth_ldap_enabled', True, 'bool'),

        ('auth_ldap_attr_firstname', 'test_ldap_firstname'),

        ('auth_ldap_attr_lastname', 'test_ldap_lastname'),

        ('auth_ldap_attr_email', 'test_ldap_email'))

class _AuthLdapMock():

    def __init__(self, **kwargs):

        pass

    def authenticate_ldap(self, username, password):

                               test_ldap_email=['spam ldap email'])

def test_update_user_attributes_from_ldap(monkeypatch, create_test_user,

                                          arrange_ldap_auth):

    """Authenticate user with mocked LDAP, verify attributes are updated.

    """

    # Arrange test user.

    uniqifier = uuid.uuid4()

    username = 'test-user-{0}'.format(uniqifier)

    assert User.get_by_username(username) is None

    user_input = dict(username='test-user-{0}'.format(uniqifier),

                      password='spam password',

                      email='spam-email-{0}'.format(uniqifier),

                      active=True,

                      admin=False)

    user = create_test_user(user_input)

    # Arrange LDAP auth.

    monkeypatch.setattr(auth_ldap, 'AuthLdap', _AuthLdapMock)

    # Authenticate with LDAP.

    user_data = authenticate(username, 'password')

    # Verify that authenication succeeded and retrieved correct attributes

    # from LDAP.

    assert user_data is not None

    assert user_data.get('email') == 'spam ldap email'

    # Verify that authentication overwrote user attributes with the ones

    # retrieved from LDAP.

    assert user.email == 'spam ldap email'

def test_init_user_attributes_from_ldap(monkeypatch, arrange_ldap_auth):

    """Authenticate unknown user with mocked LDAP, verify user is created.

    """

    # Arrange test user.

    uniqifier = uuid.uuid4()

    username = 'test-user-{0}'.format(uniqifier)

    assert User.get_by_username(username) is None

    # Arrange LDAP auth.

    monkeypatch.setattr(auth_ldap, 'AuthLdap', _AuthLdapMock)