from formencode import htmlfill

from pylons import request, tmpl_context as c

from pylons.i18n.translation import _, ungettext

from webob.exc import HTTPFound, HTTPForbidden, HTTPNotFound, HTTPInternalServerError

import kallithea

from kallithea.config.routing import url

from kallithea.lib import helpers as h

from kallithea.lib.compat import json

from kallithea.lib.auth import LoginRequired, \

    HasPermissionAny

from kallithea.lib.base import BaseController, render

from kallithea.model.db import RepoGroup, Repository

from kallithea.model.scm import RepoGroupList, AvailableRepoGroupChoices

from kallithea.model.repo_group import RepoGroupModel

from kallithea.model.forms import RepoGroupForm, RepoGroupPermsForm

from kallithea.model.meta import Session

from kallithea.model.repo import RepoModel

from kallithea.lib.utils2 import safe_int

from sqlalchemy.sql.expression import func

class RepoGroupsController(BaseController):

    @LoginRequired()

    def __before__(self):

        super(RepoGroupsController, self).__before__()

    def __load_defaults(self, extras=(), exclude=()):

        """extras is used for keeping current parent ignoring permissions

        exclude is used for not moving group to itself TODO: also exclude descendants

        Note: only admin can create top level groups

        """

        exclude_group_ids = set(rg.group_id for rg in exclude)

        c.repo_groups = [rg for rg in repo_groups

                         if rg[0] not in exclude_group_ids]

        repo_model = RepoModel()

        c.users_array = repo_model.get_users_js()

        c.user_groups_array = repo_model.get_user_groups_js()

    def __load_data(self, group_id):

        """

        Load defaults settings for edit, and update

    def _revoke_perms_on_yourself(self, form_result):

        _up = filter(lambda u: request.authuser.username == u[0],

                     form_result['perms_updates'])

        _new = filter(lambda u: request.authuser.username == u[0],

                      form_result['perms_new'])

        if _new and _new[0][1] != 'group.admin' or _up and _up[0][1] != 'group.admin':

            return True

        return False

    def index(self, format='html'):

        _list = RepoGroup.query(sorted=True).all()

        repo_groups_data = []

        total_records = len(group_iter)

        _tmpl_lookup = kallithea.CONFIG['pylons.app_globals'].mako_lookup

        template = _tmpl_lookup.get_template('data_table/_dt_elements.html')

        repo_group_name = lambda repo_group_name, children_groups: (

            template.get_def("repo_group_name")

            .render(repo_group_name, children_groups, _=_, h=h, c=c)

        )

        repo_group_actions = lambda repo_group_id, repo_group_name, gr_count: (

            template.get_def("repo_group_actions")

            .render(repo_group_id, repo_group_name, gr_count, _=_, h=h, c=c,

        raise HTTPFound(location=url('repos_group_home', group_name=gr.group_name))

    def new(self):

        if HasPermissionAny('hg.admin')('group create'):

            #we're global admin, we're ok and we can create TOP level groups

            pass

        else:

            # we pass in parent group into creation form, thus we know

            # what would be the group, we can check perms here !

            group_id = safe_int(request.GET.get('parent_group'))

            group = RepoGroup.get(group_id) if group_id else None

            group_name = group.group_name if group else None

                pass

            else:

                raise HTTPForbidden()

        self.__load_defaults()

        return render('admin/repo_groups/repo_group_add.html')

    def update(self, group_name):

        c.repo_group = RepoGroup.guess_instance(group_name)

        self.__load_defaults(extras=[c.repo_group.parent_group],

                             exclude=[c.repo_group])

        # TODO: kill allow_empty_group - it is only used for redundant form validation!

        if HasPermissionAny('hg.admin')('group edit'):

            #we're global admin, we're ok and we can create TOP level groups

            allow_empty_group = True

        elif not c.repo_group.parent_group:

            allow_empty_group = True

        else:

                defaults=errors.value,

                errors=errors.error_dict or {},

                prefix_error=False,

                encoding="UTF-8",

                force_defaults=False)

        except Exception:

            log.error(traceback.format_exc())

            h.flash(_('Error occurred during update of repository group %s') \

                    % request.POST.get('group_name'), category='error')

        raise HTTPFound(location=url('edit_repo_group', group_name=group_name))

    def delete(self, group_name):

        gr = c.repo_group = RepoGroup.guess_instance(group_name)

        repos = gr.repositories.all()

        if repos:

            h.flash(_('This group contains %s repositories and cannot be '

                      'deleted') % len(repos), category='warning')

            raise HTTPFound(location=url('repos_groups'))

        children = gr.children.all()

        if children:

            h.flash(_('This group contains %s subgroups and cannot be deleted'

                      % (len(children))), category='warning')

    def show_by_name(self, group_name):

        """

        This is a proxy that does a lookup group_name -> id, and shows

        the group by id view instead

        """

        group_name = group_name.rstrip('/')

        id_ = RepoGroup.get_by_group_name(group_name)

        if id_:

            return self.show(group_name)

        raise HTTPNotFound

    def show(self, group_name):

        c.active = 'settings'

        c.group = c.repo_group = RepoGroup.guess_instance(group_name)

        groups = RepoGroup.query(sorted=True).filter_by(parent_group=c.group).all()

        c.groups = self.scm_model.get_repo_groups(groups)

        repos_list = Repository.query(sorted=True).filter_by(group=c.group).all()

        repos_data = RepoModel().get_repos_as_dict(repos_list=repos_list,

                                                   admin=False, short_name=True)

        #json used to render the grid

        c.data = json.dumps(repos_data)

        return render('admin/repo_groups/repo_group_show.html')

    def edit(self, group_name):

        c.active = 'settings'

        c.repo_group = RepoGroup.guess_instance(group_name)

        self.__load_defaults(extras=[c.repo_group.parent_group],

                             exclude=[c.repo_group])

        defaults = self.__load_data(c.repo_group.group_id)

        return htmlfill.render(

            render('admin/repo_groups/repo_group_edit.html'),

            defaults=defaults,

            encoding="UTF-8",

            force_defaults=False

        )

    def edit_repo_group_advanced(self, group_name):

        c.active = 'advanced'

        c.repo_group = RepoGroup.guess_instance(group_name)

        return render('admin/repo_groups/repo_group_edit.html')

    def edit_repo_group_perms(self, group_name):

        c.active = 'perms'

        c.repo_group = RepoGroup.guess_instance(group_name)

        self.__load_defaults()

        defaults = self.__load_data(c.repo_group.group_id)

        return htmlfill.render(

            render('admin/repo_groups/repo_group_edit.html'),

            defaults=defaults,

            encoding="UTF-8",

            force_defaults=False

        )

    def update_perms(self, group_name):

        """

        Update permissions for given repository group

        :param group_name:

        """

        c.repo_group = RepoGroup.guess_instance(group_name)

        valid_recursive_choices = ['none', 'repos', 'groups', 'all']

        form_result = RepoGroupPermsForm(valid_recursive_choices)().to_python(request.POST)

        if not request.authuser.is_admin:

            if self._revoke_perms_on_yourself(form_result):

        # this can be potentially heavy operation

        RepoGroupModel()._update_permissions(c.repo_group,

                                             form_result['perms_new'],

                                             form_result['perms_updates'],

                                             recursive)

        #TODO: implement this

        #action_logger(request.authuser, 'admin_changed_repo_permissions',

        #              repo_name, request.ip_addr, self.sa)

        Session().commit()

        h.flash(_('Repository group permissions updated'), category='success')

        raise HTTPFound(location=url('edit_repo_group_perms', group_name=group_name))

    def delete_perms(self, group_name):

        try:

            obj_type = request.POST.get('obj_type')

            obj_id = None

            if obj_type == 'user':

                obj_id = safe_int(request.POST.get('user_id'))

            elif obj_type == 'user_group':

                obj_id = safe_int(request.POST.get('user_group_id'))

            if not request.authuser.is_admin:

                if obj_type == 'user' and request.authuser.user_id == obj_id:

                    msg = _('Cannot revoke permission for yourself as admin')

    def _load_repo(self):

        repo_obj = c.db_repo

        if repo_obj is None:

            h.not_mapped_error(c.repo_name)

            raise HTTPFound(location=url('repos'))

        return repo_obj

    def __load_defaults(self, repo=None):

        top_perms = ['hg.create.repository']

        if HasPermissionAny('hg.create.write_on_repogroup.true')():

        extras = [] if repo is None else [repo.group]

        c.landing_revs_choices, c.landing_revs = ScmModel().get_repo_landing_revs(repo)

    def __load_data(self):

        """

        Load defaults settings for edit, and update

        """

        c.repo_info = self._load_repo()

        self.__load_defaults(c.repo_info)

        defaults = RepoModel()._get_defaults(c.repo_name)

        defaults['clone_uri'] = c.repo_info.clone_uri_hidden # don't show password

import time

import traceback

import logging

from sqlalchemy import or_

from pylons import request

from kallithea.controllers.api import JSONRPCController, JSONRPCError

from kallithea.lib.auth import (

    PasswordGenerator, AuthUser, HasPermissionAnyDecorator,

    HasPermissionAnyDecorator, HasPermissionAny, HasRepoPermissionLevel,

from kallithea.lib.utils import map_groups, repo2db_mapper

from kallithea.lib.utils2 import (

    str2bool, time_to_datetime, safe_int, Optional, OAttr)

from kallithea.model.meta import Session

from kallithea.model.repo_group import RepoGroupModel

from kallithea.model.scm import ScmModel, UserGroupList

from kallithea.model.repo import RepoModel

from kallithea.model.user import UserModel

from kallithea.model.user_group import UserGroupModel

from kallithea.model.gist import GistModel

from kallithea.model.db import (

    Repository, Setting, UserIpMap, Permission, User, Gist,

          id : <id_given_in_input>

          result : null

          error :  {

            "failed to edit permission for user: `<userid>` in repo group: `<repo_group_name>`"

          }

        """

        repo_group = get_repo_group_or_error(repogroupid)

        if not HasPermissionAny('hg.admin')():

                raise JSONRPCError('repository group `%s` does not exist' % (repogroupid,))

        user = get_user_or_error(userid)

        perm = get_perm_or_error(perm, prefix='group.')

        apply_to_children = Optional.extract(apply_to_children)

        try:

            RepoGroupModel().add_permission(repo_group=repo_group,

                                            obj=user,

                                            obj_type="user",

                                            perm=perm,

                                            recursive=apply_to_children)

          id : <id_given_in_input>

          result : null

          error :  {

            "failed to edit permission for user: `<userid>` in repo group: `<repo_group_name>`"

          }

        """

        repo_group = get_repo_group_or_error(repogroupid)

        if not HasPermissionAny('hg.admin')():

                raise JSONRPCError('repository group `%s` does not exist' % (repogroupid,))

        user = get_user_or_error(userid)

        apply_to_children = Optional.extract(apply_to_children)

        try:

            RepoGroupModel().delete_permission(repo_group=repo_group,

                                               obj=user,

                                               obj_type="user",

                                               recursive=apply_to_children)

            Session().commit()

          id : <id_given_in_input>

          result : null

          error :  {

            "failed to edit permission for user group: `<usergroup>` in repo group: `<repo_group_name>`"

          }

        """

        repo_group = get_repo_group_or_error(repogroupid)

        perm = get_perm_or_error(perm, prefix='group.')

        user_group = get_user_group_or_error(usergroupid)

        if not HasPermissionAny('hg.admin')():

                raise JSONRPCError(

                    'repository group `%s` does not exist' % (repogroupid,))

            # check if we have at least read permission for this user group !

            _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)

            if not HasUserGroupPermissionAny(*_perms)(

                    user_group_name=user_group.users_group_name):

                raise JSONRPCError(

                    'user group `%s` does not exist' % (usergroupid,))

        apply_to_children = Optional.extract(apply_to_children)

          id : <id_given_in_input>

          result : null

          error :  {

            "failed to edit permission for user group: `<usergroup>` in repo group: `<repo_group_name>`"

          }

        """

        repo_group = get_repo_group_or_error(repogroupid)

        user_group = get_user_group_or_error(usergroupid)

        if not HasPermissionAny('hg.admin')():

                raise JSONRPCError(

                    'repository group `%s` does not exist' % (repogroupid,))

            # check if we have at least read permission for this user group !

            _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)

            if not HasUserGroupPermissionAny(*_perms)(

                    user_group_name=user_group.users_group_name):

                raise JSONRPCError(

                    'user group `%s` does not exist' % (usergroupid,))

        apply_to_children = Optional.extract(apply_to_children)

from kallithea.model.forms import RepoForkForm

from kallithea.model.scm import ScmModel, AvailableRepoGroupChoices

log = logging.getLogger(__name__)

class ForksController(BaseRepoController):

    def __before__(self):

        super(ForksController, self).__before__()

    def __load_defaults(self):

        if HasPermissionAny('hg.create.write_on_repogroup.true')():

        c.landing_revs_choices, c.landing_revs = ScmModel().get_repo_landing_revs()

        c.can_update = Ui.get_by_key('hooks', Ui.HOOK_UPDATE).ui_active

    def __load_data(self):

        """

        Load defaults settings for edit, and update

        """

        self.__load_defaults()

        c.repo_info = c.db_repo

    def has_repository_permission_level(self, repo_name, level, purpose=None):

        required_perms = {

            'read': ['repository.read', 'repository.write', 'repository.admin'],

            'write': ['repository.write', 'repository.admin'],

            'admin': ['repository.admin'],

        }[level]

        actual_perm = self.permissions['repositories'].get(repo_name)

        ok = actual_perm in required_perms

        log.debug('Checking if user %r can %r repo %r (%s): %s (has %r)',

            self.username, level, repo_name, purpose, ok, actual_perm)

        return ok

    @property

    def api_keys(self):

        return self._get_api_keys()

    def __get_perms(self, user, explicit=True, algo='higherwin', cache=False):

        """

        Fills user permission attribute with permissions taken from database

        works for permissions given for repositories, and for permissions that

        are granted to groups

        :param user: `AuthUser` instance

        :param explicit: In case there are permissions both for user and a group

class HasRepoPermissionLevelDecorator(_PermsDecorator):

    """

    Checks the user has at least the specified permission level for the requested repository.

    """

    def check_permissions(self, user):

        repo_name = get_repo_slug(request)

        (level,) = self.required_perms

        return user.has_repository_permission_level(repo_name, level)

    """

    Checks the user has any of given permissions for the requested repository group.

    """

    def check_permissions(self, user):

        repo_group_name = get_repo_group_slug(request)

class HasUserGroupPermissionAnyDecorator(_PermsDecorator):

    """

    Checks for access permission for any of given predicates for specific

    user group. In order to fulfill the request any of predicates must be meet

    """

    def check_permissions(self, user):

        user_group_name = get_user_group_slug(request)

        try:

            return user.permissions['user_groups'][user_group_name] in self.required_perms

        log.debug('Check %s for global %s (%s): %s' %

            (request.user.username, self.required_perms, purpose, ok))

        return ok

class HasRepoPermissionLevel(_PermsFunction):

    def __call__(self, repo_name, purpose=None):

        (level,) = self.required_perms

        return request.user.has_repository_permission_level(repo_name, level, purpose)

    def __call__(self, group_name, purpose=None):

class HasUserGroupPermissionAny(_PermsFunction):

    def __call__(self, user_group_name, purpose=None):

        try:

            ok = request.user.permissions['user_groups'][user_group_name] in self.required_perms

        except KeyError:

            ok = False

        log.debug('Check %s %s for user group %s (%s): %s' %

            (request.user.username, self.required_perms, user_group_name, purpose, ok))

        html = """<i class="%s"></i>""" % ico

        return literal(html)

    # returned callbacks we need to call to get

    return [lambda: literal(action), action_params_func, action_parser_icon]

#==============================================================================

# PERMS

#==============================================================================

from kallithea.lib.auth import HasPermissionAny, \

#==============================================================================

# GRAVATAR URL

#==============================================================================

def gravatar_div(email_address, cls='', size=30, **div_attributes):

    """Return an html literal with a div around a gravatar if they are enabled.

    Extra keyword parameters starting with 'div_' will get the prefix removed

    and '_' changed to '-' and be used as attributes on the div. The default

    class is 'gravatar'.

    """

    from pylons import tmpl_context as c

import kallithea

from kallithea.lib.vcs import get_backend

from kallithea.lib.vcs.exceptions import RepositoryError

from kallithea.lib.vcs.utils.lazy import LazyProperty

from kallithea.lib.vcs.nodes import FileNode

from kallithea.lib.vcs.backends.base import EmptyChangeset

from kallithea import BACKENDS

from kallithea.lib import helpers as h

from kallithea.lib.utils2 import safe_str, safe_unicode, get_server_url, \

    _set_extras

    HasUserGroupPermissionAny, HasPermissionAny, HasPermissionAny

from kallithea.lib.utils import get_filesystem_repos, make_ui, \

    action_logger

from kallithea.model.base import BaseModel

from kallithea.model.db import Repository, Ui, CacheInvalidation, \

    UserFollowing, UserLog, User, RepoGroup, PullRequest

from kallithea.lib.hooks import log_push_action

from kallithea.lib.exceptions import NonRelativePathError, IMCCommitError

log = logging.getLogger(__name__)

class RepoList(_PermCheckIterator):

    def __init__(self, db_repo_list, perm_level, extra_kwargs=None):

        super(RepoList, self).__init__(obj_list=db_repo_list,

                    obj_attr='repo_name', perm_set=[perm_level],

                    perm_checker=HasRepoPermissionLevel,

                    extra_kwargs=extra_kwargs)

class RepoGroupList(_PermCheckIterator):

        super(RepoGroupList, self).__init__(obj_list=db_repo_group_list,

                    extra_kwargs=extra_kwargs)

class UserGroupList(_PermCheckIterator):

    def __init__(self, db_user_group_list, perm_set=None, extra_kwargs=None):

        if not perm_set:

            perm_set = ['usergroup.read', 'usergroup.write', 'usergroup.admin']

        super(UserGroupList, self).__init__(obj_list=db_user_group_list,

                    obj_attr='users_group_name', perm_set=perm_set,

                    perm_checker=HasUserGroupPermissionAny,

    def get_repos(self, repos):

        """Return the repos the user has access to"""

        return RepoList(repos, perm_level='read')

    def get_repo_groups(self, groups=None):

        """Return the repo groups the user has access to

        If no groups are specified, use top level groups.

        """

        if groups is None:

            groups = RepoGroup.query() \

                .filter(RepoGroup.parent_group_id == None).all()

    def mark_for_invalidation(self, repo_name):

        """

        Mark caches of this repo invalid in the database.

        :param repo_name: the repo for which caches should be marked invalid

        """

        CacheInvalidation.set_invalidate(repo_name)

        repo = Repository.get_by_repo_name(repo_name)

        if repo is not None:

            repo.update_changeset_cache()

            if has_hook or force_create:

                log.debug('writing %s hook file !', h_type)

                try:

                    with open(_hook_file, 'wb') as f:

                        tmpl = tmpl.replace('_TMPL_', kallithea.__version__)

                        f.write(tmpl)

                    os.chmod(_hook_file, 0755)

                except IOError as e:

                    log.error('error writing %s: %s', _hook_file, e)

            else:

                log.debug('skipping writing hook file')

    """Return group_id,string tuples with choices for all the repo groups where

    the user has the necessary permissions.

    Top level is -1.

    """

    groups = RepoGroup.query().all()

    if HasPermissionAny('hg.admin')('available repo groups'):

        groups.append(None)

    else:

        if top_perms and HasPermissionAny(*top_perms)('available repo groups'):

            groups.append(None)

        for extra in extras:

            if not any(rg == extra for rg in groups):

                groups.append(extra)

    return RepoGroup.groups_choices(groups=groups)

from formencode.validators import (

    UnicodeString, OneOf, Int, Number, Regex, Email, Bool, StringBoolean, Set,

    NotEmpty, IPAddress, CIDR, String, FancyValidator

)

from kallithea.lib.compat import OrderedSet

from kallithea.lib import ipaddr

from kallithea.lib.utils import repo_name_slug

from kallithea.lib.utils2 import str2bool, aslist

from kallithea.model.db import RepoGroup, Repository, UserGroup, User

from kallithea.lib.exceptions import LdapImportError

from kallithea.config.routing import ADMIN_PREFIX

# silence warnings and pylint

UnicodeString, OneOf, Int, Number, Regex, Email, Bool, StringBoolean, Set, \

    NotEmpty, IPAddress, CIDR, String, FancyValidator

log = logging.getLogger(__name__)

def UniqueListFromString():

    class _UniqueListFromString(formencode.FancyValidator):

        """

        Split value on ',' and make unique while preserving order

        def _to_python(self, value, state):

            #root location

            if value == -1:

                return None

            return value

        def validate_python(self, value, state):

            gr = RepoGroup.get(value)

            gr_name = gr.group_name if gr is not None else None # None means ROOT location

            # create repositories with write permission on group is set to true

            create_on_write = HasPermissionAny('hg.create.write_on_repogroup.true')()

                                            'can write into group validator')

                                            'can write into group validator')

            forbidden = not (group_admin or (group_write and create_on_write))

            can_create_repos = HasPermissionAny('hg.admin', 'hg.create.repository')

            gid = (old_data['repo_group'].get('group_id')

                   if (old_data and 'repo_group' in old_data) else None)

            value_changed = gid != value

            new = not old_data

            # do check if we changed the value, there's a case that someone got

            # revoked write permissions to a repository, he still created, we

            # don't need to check permission if he didn't change the value of

            # groups in form box

            if value_changed or new:

                return None

            return value

        def validate_python(self, value, state):

            gr = RepoGroup.get(value)

            gr_name = gr.group_name if gr is not None else None # None means ROOT location

            if can_create_in_root and gr is None:

                #we can create in root, we're fine no validations required

                return

            forbidden_in_root = gr is None and not can_create_in_root

            if forbidden_in_root or forbidden:

                msg = self.message('permission_denied', state)

                raise formencode.Invalid(msg, value, state,

                    error_dict=dict(parent_group_id=msg)

                )

    return _validator

def ValidPerms(type_='repo'):

    if type_ == 'repo_group':

        EMPTY_PERM = 'group.none'

                    %endfor

                    ${c.group.group_name}

                %endif

            </div>

            %if request.authuser.username != 'default':

              <ul class="pull-right links">

                <li>

                <%

                    gr_name = c.group.group_name if c.group else None

                    # create repositories with write permission on group is set to true

                    create_on_write = h.HasPermissionAny('hg.create.write_on_repogroup.true')()

                %>

                %if h.HasPermissionAny('hg.admin','hg.create.repository')() or (group_admin or (group_write and create_on_write)):

                  %if c.group:

                        <a href="${h.url('new_repo',parent_group=c.group.group_id)}" class="btn btn-default btn-xs"><i class="icon-plus"></i> ${_('Add Repository')}</a>

                            <a href="${h.url('new_repos_group', parent_group=c.group.group_id)}" class="btn btn-default btn-xs"><i class="icon-plus"></i> ${_('Add Repository Group')}</a>

                        %endif

                  %else:

                    <a href="${h.url('new_repo')}" class="btn btn-default btn-xs"><i class="icon-plus"></i> ${_('Add Repository')}</a>

                    %if h.HasPermissionAny('hg.admin')():

                        <a href="${h.url('new_repos_group')}" class="btn btn-default btn-xs"><i class="icon-plus"></i> ${_('Add Repository Group')}</a>

                    %endif

                  %endif