#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import os

import sys

import uuid

import logging

from os.path import dirname as dn, join as jn

from rhodecode import __dbversion__, __py_version__

from rhodecode.model.user import UserModel

from rhodecode.lib.utils import ask_ok

from rhodecode.model import init_model

from rhodecode.model.db import User, Permission, RhodeCodeUi, \

    RhodeCodeSetting, UserToPerm, DbMigrateVersion, RepoGroup, \

    UserRepoGroupToPerm

from sqlalchemy.engine import create_engine

from rhodecode.model.repos_group import ReposGroupModel

#from rhodecode.model import meta

from rhodecode.model.meta import Session, Base

from rhodecode.model.repo import RepoModel

log = logging.getLogger(__name__)

def notify(msg):

    """

    Notification for migrations messages

    """

    ml = len(msg) + (4 * 2)

    print >> sys.stdout, ('*** %s ***\n%s' % (msg, '*' * ml)).upper()

class DbManage(object):

    def __init__(self, log_sql, dbconf, root, tests=False, cli_args={}):

        self.dbname = dbconf.split('/')[-1]

        self.tests = tests

        self.root = root

        self.dburi = dbconf

        self.log_sql = log_sql

        self.db_exists = False

        self.cli_args = cli_args

        self.init_db()

                .filter(UserRepoGroupToPerm.group == g)\

                .filter(UserRepoGroupToPerm.user == def_usr)\

                .scalar()

            if default is None:

                log.debug('missing default permission for group %s adding' % g)

                perm_obj = ReposGroupModel()._create_default_perms(g)

                self.sa.add(perm_obj)

    def reset_permissions(self, username):

        """

        Resets permissions to default state, usefull when old systems had

        bad permissions, we must clean them up

        :param username:

        :type username:

        """

        default_user = User.get_by_username(username)

        if not default_user:

            return

        u2p = UserToPerm.query()\

            .filter(UserToPerm.user == default_user).all()

        fixed = False

            for p in u2p:

                Session().delete(p)

            fixed = True

            self.populate_default_permissions()

        return fixed

    def update_repo_info(self):

        RepoModel.update_repoinfo()

    def config_prompt(self, test_repo_path='', retries=3):

        defaults = self.cli_args

        _path = defaults.get('repos_location')

        if retries == 3:

            log.info('Setting up repositories config')

        if _path is not None:

            path = _path

        elif not self.tests and not test_repo_path:

            path = raw_input(

                 'Enter a valid absolute path to store repositories. '

                 'All repositories in that path will be added automatically:'

            )

        else:

            path = test_repo_path

        self.sa.add(sett4)

        self.sa.add(sett5)

        self.sa.add(sett6)

        self.create_ldap_options()

        self.create_default_options()

        log.info('created ui config')

    def create_user(self, username, password, email='', admin=False):

        log.info('creating user %s' % username)

        UserModel().create_or_update(username, password, email,

                                     firstname='RhodeCode', lastname='Admin',

                                     active=True, admin=admin)

    def create_default_user(self):

        log.info('creating default user')

        # create default user for handling default permissions.

        UserModel().create_or_update(username='default',

                              password=str(uuid.uuid1())[:8],

                              email='anonymous@rhodecode.org',

                              firstname='Anonymous', lastname='User')

    def create_permissions(self):

        # module.(access|create|change|delete)_[name]

        # module.(none|read|write|admin)

        for p in Permission.PERMS:

            if not Permission.get_by_key(p[0]):

                new_perm = Permission()

                new_perm.permission_name = p[0]

                new_perm.permission_longname = p[0]

                self.sa.add(new_perm)

    def populate_default_permissions(self):

        log.info('creating default user permissions')

    @staticmethod

    def check_waitress():

        """

        Function executed at the end of setup

        """

        if not __py_version__ >= (2, 6):

            notify('Python2.5 detected, please switch '

                   'egg:waitress#main -> egg:Paste#http '

                   'in your .ini file')

    def create_or_update_hook(cls, key, val):

        new_ui = cls.get_by_key(key) or cls()

        new_ui.ui_section = 'hooks'

        new_ui.ui_active = True

        new_ui.ui_key = key

        new_ui.ui_value = val

        Session().add(new_ui)

    def __repr__(self):

        return '<DB:%s[%s:%s]>' % (self.__class__.__name__, self.ui_key,

                                   self.ui_value)

class User(Base, BaseModel):

    __tablename__ = 'users'

    __table_args__ = (

        UniqueConstraint('username'), UniqueConstraint('email'),

        Index('u_username_idx', 'username'),

        Index('u_email_idx', 'email'),

        {'extend_existing': True, 'mysql_engine': 'InnoDB',

         'mysql_charset': 'utf8'}

    )

    DEFAULT_USER = 'default'

    user_id = Column("user_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)

    username = Column("username", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

    password = Column("password", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

    active = Column("active", Boolean(), nullable=True, unique=None, default=True)

    admin = Column("admin", Boolean(), nullable=True, unique=None, default=False)

    name = Column("firstname", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

    lastname = Column("lastname", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

    _email = Column("email", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

    last_login = Column("last_login", DateTime(timezone=False), nullable=True, unique=None, default=None)

    ldap_dn = Column("ldap_dn", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

    api_key = Column("api_key", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

    inherit_default_permissions = Column("inherit_default_permissions", Boolean(), nullable=False, unique=None, default=True)

    user_log = relationship('UserLog')

    user_perms = relationship('UserToPerm', primaryjoin="User.user_id==UserToPerm.user_id", cascade='all')

    repositories = relationship('Repository')

    user_followers = relationship('UserFollowing', primaryjoin='UserFollowing.follows_user_id==User.user_id', cascade='all')

    followings = relationship('UserFollowing', primaryjoin='UserFollowing.user_id==User.user_id', cascade='all')

    repo_to_perm = relationship('UserRepoToPerm', primaryjoin='UserRepoToPerm.user_id==User.user_id', cascade='all')

    repo_group_to_perm = relationship('UserRepoGroupToPerm', primaryjoin='UserRepoGroupToPerm.user_id==User.user_id', cascade='all')

    group_member = relationship('UserGroupMember', cascade='all')

        _email = email(author)

        if _email:

            user = cls.get_by_email(_email, case_insensitive=True)

            if user:

                return user

        # Maybe we can match by username?

        _author = author_name(author)

        user = cls.get_by_username(_author, case_insensitive=True)

        if user:

            return user

    def update_lastlogin(self):

        """Update user lastlogin"""

        self.last_login = datetime.datetime.now()

        Session().add(self)

        log.debug('updated user %s lastlogin' % self.username)

    @classmethod

    def get_first_admin(cls):

        user = User.query().filter(User.admin == True).first()

        if user is None:

            raise Exception('Missing administrative account!')

        return user

    def get_api_data(self):

        """

        Common function for generating user related data for API

        """

        user = self

        data = dict(

            user_id=user.user_id,

            username=user.username,

            firstname=user.name,

            lastname=user.lastname,

            email=user.email,

            emails=user.emails,

            api_key=user.api_key,

            active=user.active,

            admin=user.admin,

            ldap_dn=user.ldap_dn,

            last_login=user.last_login,

            ip_addresses=user.ip_addresses

        )

        return data

    def __json__(self):

        data = dict(

            full_name=self.full_name,

        """

        Returns all children groups for this group including children of children

        """

        return self._recursive_objects(include_repos=False)

    def get_new_name(self, group_name):

        """

        returns new full group name based on parent and new name

        :param group_name:

        """

        path_prefix = (self.parent_group.full_path_splitted if

                       self.parent_group else [])

        return RepoGroup.url_sep().join(path_prefix + [group_name])

class Permission(Base, BaseModel):

    __tablename__ = 'permissions'

    __table_args__ = (

        Index('p_perm_name_idx', 'permission_name'),

        {'extend_existing': True, 'mysql_engine': 'InnoDB',

         'mysql_charset': 'utf8'},

    )

    PERMS = [

        ('repository.none', _('Repository no access')),

        ('repository.read', _('Repository read access')),

        ('repository.write', _('Repository write access')),

        ('repository.admin', _('Repository admin access')),

        ('group.none', _('Repository group no access')),

        ('group.read', _('Repository group read access')),

        ('group.write', _('Repository group write access')),

        ('group.admin', _('Repository group admin access')),

        ('usergroup.none', _('User group no access')),

        ('usergroup.read', _('User group read access')),

        ('usergroup.write', _('User group write access')),

        ('usergroup.admin', _('User group admin access')),

        ('hg.create.none', _('Repository creation disabled')),

        ('hg.create.repository', _('Repository creation enabled')),

        ('hg.fork.none', _('Repository forking disabled')),

        ('hg.fork.repository', _('Repository forking enabled')),

        ('hg.register.none', _('Register disabled')),

        ('hg.register.manual_activate', _('Register new user with RhodeCode '

                                          'with manual activation')),

        ('hg.register.auto_activate', _('Register new user with RhodeCode '

                                        'with auto activation')),

    ]

    # defines which permissions are more important higher the more important

    PERM_WEIGHTS = {

        'repository.none': 0,

        'repository.read': 1,

        'repository.write': 3,

        'repository.admin': 4,

        'group.none': 0,

        'group.read': 1,

        'group.write': 3,

        'group.admin': 4,

        'usergroup.none': 0,

        'usergroup.read': 1,

        'usergroup.write': 3,

        'usergroup.admin': 4,

        'hg.fork.none': 0,

        'hg.fork.repository': 1,

        'hg.create.none': 0,

        'hg.create.repository': 1

    }

    permission_id = Column("permission_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import logging

import traceback

from sqlalchemy.exc import DatabaseError

from rhodecode.model import BaseModel

from rhodecode.model.db import User, Permission, UserToPerm, UserRepoToPerm,\

    UserRepoGroupToPerm

from rhodecode.lib.utils2 import str2bool

log = logging.getLogger(__name__)

class PermissionModel(BaseModel):

    """

    Permissions model for RhodeCode

    """

    cls = Permission

    def update(self, form_result):

        perm_user = User.get_by_username(username=form_result['perm_user_name'])

        try:

            def _make_new(usr, perm_name):

                new = UserToPerm()

                new.user = usr

                new.permission = Permission.get_by_key(perm_name)

                return new

            # clear current entries, to make this function idempotent

            # it will fix even if we define more permissions or permissions

            # are somehow missing

            for p in u2p:

                self.sa.delete(p)

            #create fresh set of permissions

            for def_perm_key in ['default_repo_perm', 'default_group_perm',

                                 'default_register', 'default_create',

                                 'default_fork']:

                p = _make_new(perm_user, form_result[def_perm_key])

                self.sa.add(p)

            if form_result['overwrite_default_repo'] == True:

                _def_name = form_result['default_repo_perm'].split('repository.')[-1]

                _def = Permission.get_by_key('repository.' + _def_name)

                # repos

                for r2p in self.sa.query(UserRepoToPerm)\

                               .filter(UserRepoToPerm.user == perm_user)\

                               .all():

                    #don't reset PRIVATE repositories

                    if not r2p.repository.private:

                        r2p.permission = _def

                        self.sa.add(r2p)

            if form_result['overwrite_default_group'] == True:

                _def_name = form_result['default_group_perm'].split('group.')[-1]

                # groups

                _def = Permission.get_by_key('group.' + _def_name)

                for g2p in self.sa.query(UserRepoGroupToPerm)\

                               .filter(UserRepoGroupToPerm.user == perm_user)\

                               .all():

                    g2p.permission = _def

                    self.sa.add(g2p)

            self.sa.commit()

        except (DatabaseError,):

            log.error(traceback.format_exc())

            self.sa.rollback()

            raise

import os

import unittest

from rhodecode.tests import *

from rhodecode.tests.fixture import Fixture

from rhodecode.model.repos_group import ReposGroupModel

from rhodecode.model.repo import RepoModel

from rhodecode.model.user import UserModel

from rhodecode.model.meta import Session

from rhodecode.model.users_group import UserGroupModel

from rhodecode.lib.auth import AuthUser

fixture = Fixture()

class TestPermissions(unittest.TestCase):

    def __init__(self, methodName='runTest'):

        super(TestPermissions, self).__init__(methodName=methodName)

    def setUp(self):

        self.u1 = UserModel().create_or_update(

            username=u'u1', password=u'qweqwe',

            email=u'u1@rhodecode.org', firstname=u'u1', lastname=u'u1'

        )

        self.u2 = UserModel().create_or_update(

            username=u'u2', password=u'qweqwe',

            email=u'u2@rhodecode.org', firstname=u'u2', lastname=u'u2'

        )

        self.u3 = UserModel().create_or_update(

            username=u'u3', password=u'qweqwe',

            email=u'u3@rhodecode.org', firstname=u'u3', lastname=u'u3'

        )

        self.anon = User.get_by_username('default')

        self.a1 = UserModel().create_or_update(

        a1_auth = AuthUser(user_id=self.a1.user_id)

        perms = {

            'repositories_groups': {},

            'global': set([u'hg.admin']),

            'repositories': {u'vcs_test_hg': u'repository.admin'}

        }

        self.assertEqual(a1_auth.permissions['repositories'][HG_REPO],

                         perms['repositories'][HG_REPO])

        new_perm = 'repository.write'

        RepoModel().grant_user_permission(repo=HG_REPO, user=self.a1,

                                          perm=new_perm)

        Session().commit()

        # cannot really downgrade admins permissions !? they still get's set as

        # admin !

        u1_auth = AuthUser(user_id=self.a1.user_id)

        self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],

                         perms['repositories'][HG_REPO])

    def test_default_group_perms(self):

        self.g1 = fixture.create_group('test1', skip_if_exists=True)

        self.g2 = fixture.create_group('test2', skip_if_exists=True)

        u1_auth = AuthUser(user_id=self.u1.user_id)

        perms = {

            'repositories_groups': {u'test1': 'group.read', u'test2': 'group.read'},

            'repositories': {u'vcs_test_hg': u'repository.read'}

        }

        self.assertEqual(u1_auth.permissions['repositories'][HG_REPO],

                         perms['repositories'][HG_REPO])

        self.assertEqual(u1_auth.permissions['repositories_groups'],

                         perms['repositories_groups'])

    def test_default_admin_group_perms(self):

        self.g1 = fixture.create_group('test1', skip_if_exists=True)

        self.g2 = fixture.create_group('test2', skip_if_exists=True)

        a1_auth = AuthUser(user_id=self.a1.user_id)

        perms = {

            'repositories_groups': {u'test1': 'group.admin', u'test2': 'group.admin'},

            'global': set(['hg.admin']),

            'repositories': {u'vcs_test_hg': 'repository.admin'}

        }

        self.assertEqual(a1_auth.permissions['repositories'][HG_REPO],

                         perms['repositories'][HG_REPO])

        self.assertEqual(a1_auth.permissions['repositories_groups'],

                         perms['repositories_groups'])

    def test_propagated_permission_from_users_group_by_explicit_perms_exist(self):

        # make group

        self.ug1 = fixture.create_user_group('G1')

        UserGroupModel().add_user_to_group(self.ug1, self.u1)

        # set permission to lower

        new_perm = 'repository.none'

        RepoModel().grant_user_permission(repo=HG_REPO, user=self.u1, perm=new_perm)

        self.assertEqual(a1_auth.permissions['repositories_groups'],

                         {u'group1': u'group.none'})

        u1_auth = AuthUser(user_id=self.u1.user_id)

        self.assertEqual(u1_auth.permissions['repositories_groups'],

                         {u'group1': u'group.read'})

    def test_inherited_permissions_from_default_on_user_enabled(self):

        user_model = UserModel()

        # enable fork and create on default user

        usr = 'default'

        user_model.revoke_perm(usr, 'hg.create.none')

        user_model.grant_perm(usr, 'hg.create.repository')

        user_model.revoke_perm(usr, 'hg.fork.none')

        user_model.grant_perm(usr, 'hg.fork.repository')

        # make sure inherit flag is turned on

        self.u1.inherit_default_permissions = True

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        # this user will have inherited permissions from default user

        self.assertEqual(u1_auth.permissions['global'],

                         set(['hg.create.repository', 'hg.fork.repository',

                              'hg.register.manual_activate',

    def test_inherited_permissions_from_default_on_user_disabled(self):

        user_model = UserModel()

        # disable fork and create on default user

        usr = 'default'

        user_model.revoke_perm(usr, 'hg.create.repository')

        user_model.grant_perm(usr, 'hg.create.none')

        user_model.revoke_perm(usr, 'hg.fork.repository')

        user_model.grant_perm(usr, 'hg.fork.none')

        # make sure inherit flag is turned on

        self.u1.inherit_default_permissions = True

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        # this user will have inherited permissions from default user

        self.assertEqual(u1_auth.permissions['global'],

                         set(['hg.create.none', 'hg.fork.none',

                              'hg.register.manual_activate',

    def test_non_inherited_permissions_from_default_on_user_enabled(self):

        user_model = UserModel()

        # enable fork and create on default user

        usr = 'default'

        user_model.revoke_perm(usr, 'hg.create.none')

        user_model.grant_perm(usr, 'hg.create.repository')

        user_model.revoke_perm(usr, 'hg.fork.none')

        user_model.grant_perm(usr, 'hg.fork.repository')

        #disable global perms on specific user

        user_model.revoke_perm(self.u1, 'hg.create.repository')

        user_model.grant_perm(self.u1, 'hg.create.none')

        user_model.revoke_perm(self.u1, 'hg.fork.repository')

        user_model.grant_perm(self.u1, 'hg.fork.none')

        # make sure inherit flag is turned off

        self.u1.inherit_default_permissions = False

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        # this user will have non inherited permissions from he's

        # explicitly set permissions

        self.assertEqual(u1_auth.permissions['global'],

                         set(['hg.create.none', 'hg.fork.none',

                              'hg.register.manual_activate',

    def test_non_inherited_permissions_from_default_on_user_disabled(self):

        user_model = UserModel()

        # disable fork and create on default user

        usr = 'default'

        user_model.revoke_perm(usr, 'hg.create.repository')

        user_model.grant_perm(usr, 'hg.create.none')

        user_model.revoke_perm(usr, 'hg.fork.repository')

        user_model.grant_perm(usr, 'hg.fork.none')

        #enable global perms on specific user

        user_model.revoke_perm(self.u1, 'hg.create.none')

        user_model.grant_perm(self.u1, 'hg.create.repository')

        user_model.revoke_perm(self.u1, 'hg.fork.none')

        user_model.grant_perm(self.u1, 'hg.fork.repository')

        # make sure inherit flag is turned off

        self.u1.inherit_default_permissions = False

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        # this user will have non inherited permissions from he's

        # explicitly set permissions

        self.assertEqual(u1_auth.permissions['global'],

                         set(['hg.create.repository', 'hg.fork.repository',

                              'hg.register.manual_activate',

    def test_owner_permissions_doesnot_get_overwritten_by_group(self):

        #create repo as USER,

        self.test_repo = fixture.create_repo(name='myownrepo',

                                             repo_type='hg',

                                             cur_user=self.u1)

        #he has permissions of admin as owner

        u1_auth = AuthUser(user_id=self.u1.user_id)

        self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],

                         'repository.admin')

        #set his permission as user group, he should still be admin

        self.ug1 = fixture.create_user_group('G1')

        UserGroupModel().add_user_to_group(self.ug1, self.u1)

        RepoModel().grant_users_group_permission(self.test_repo,

                                                 group_name=self.ug1,

                                                 perm='repository.none')

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],

                         'repository.admin')

    def test_owner_permissions_doesnot_get_overwritten_by_others(self):

        #create repo as USER,

        self.test_repo = fixture.create_repo(name='myownrepo',

                                             repo_type='hg',

                                             cur_user=self.u1)

        #he has permissions of admin as owner

        u1_auth = AuthUser(user_id=self.u1.user_id)

        self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],

                         'repository.admin')

        #set his permission as user, he should still be admin

        RepoModel().grant_user_permission(self.test_repo, user=self.u1,

                                          perm='repository.none')

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],

                         'repository.admin')