# -*- coding: utf-8 -*-

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""

kallithea.controllers.login

~~~~~~~~~~~~~~~~~~~~~~~~~~~

Login controller for Kallithea

This file was forked by the Kallithea project in July 2014.

Original author and date, and relevant copyright and licensing information is below:

:created_on: Apr 22, 2010

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import logging

import formencode

import urlparse

from formencode import htmlfill

from webob.exc import HTTPFound

from pylons.i18n.translation import _

from pylons.controllers.util import redirect

from pylons import request, session, tmpl_context as c, url

import kallithea.lib.helpers as h

from kallithea.lib.auth import AuthUser, HasPermissionAnyDecorator

from kallithea.lib.base import BaseController, log_in_user, render

from kallithea.lib.exceptions import UserCreationError

from kallithea.lib.utils2 import safe_str

from kallithea.model.db import User, Setting

from kallithea.model.forms import LoginForm, RegisterForm, PasswordResetForm

from kallithea.model.user import UserModel

from kallithea.model.meta import Session

log = logging.getLogger(__name__)

class LoginController(BaseController):

    def __before__(self):

        super(LoginController, self).__before__()

    def _validate_came_from(self, came_from):

        """Return True if came_from is valid and can and should be used"""

        if not came_from:

            return False

        parsed = urlparse.urlparse(came_from)

        server_parsed = urlparse.urlparse(url.current())

        allowed_schemes = ['http', 'https']

        if parsed.scheme and parsed.scheme not in allowed_schemes:

            log.error('Suspicious URL scheme detected %s for url %s' %

                     (parsed.scheme, parsed))

            return False

        if server_parsed.netloc != parsed.netloc:

            log.error('Suspicious NETLOC detected %s for url %s server url '

                      'is: %s' % (parsed.netloc, parsed, server_parsed))

            return False

        return True

    def _redirect_to_origin(self, origin):

        '''redirect to the original page, preserving any get arguments given'''

        request.GET.pop('came_from', None)

        raise HTTPFound(location=url(origin, **request.GET))

    def index(self):

        c.came_from = safe_str(request.GET.get('came_from', ''))

        if not self._validate_came_from(c.came_from):

            c.came_from = url('home')

        not_default = self.authuser.username != User.DEFAULT_USER

        ip_allowed = AuthUser.check_ip_allowed(self.authuser, self.ip_addr)

        # redirect if already logged in

        if self.authuser.is_authenticated and not_default and ip_allowed:

            return self._redirect_to_origin(c.came_from)

        if request.POST:

            # import Login Form validator class

            login_form = LoginForm()

            try:

                c.form_result = login_form.to_python(dict(request.POST))

                # form checks for username/password, now we're authenticated

                username = c.form_result['username']

                user = User.get_by_username(username, case_insensitive=True)

            except formencode.Invalid, errors:

                defaults = errors.value

                # remove password from filling in form again

                del defaults['password']

                return htmlfill.render(

                    render('/login.html'),

                    defaults=errors.value,

                    errors=errors.error_dict or {},

                    prefix_error=False,

                    encoding="UTF-8",

                    force_defaults=False)

            except UserCreationError, e:

                # container auth or other auth functions that create users on

                # the fly can throw this exception signaling that there's issue

                # with user creation, explanation should be provided in

                # Exception itself

                h.flash(e, 'error')

            else:

                log_in_user(user, c.form_result['remember'])

                return self._redirect_to_origin(c.came_from)

        return render('/login.html')

    @HasPermissionAnyDecorator('hg.admin', 'hg.register.auto_activate',

                               'hg.register.manual_activate')

    def register(self):

        c.auto_active = 'hg.register.auto_activate' in User.get_default_user()\

            .AuthUser.permissions['global']

        settings = Setting.get_app_settings()

        captcha_private_key = settings.get('captcha_private_key')

        c.captcha_active = bool(captcha_private_key)

        c.captcha_public_key = settings.get('captcha_public_key')

        if request.POST:

            register_form = RegisterForm()()

            try:

                form_result = register_form.to_python(dict(request.POST))

                form_result['active'] = c.auto_active

                if c.captcha_active:

                    from kallithea.lib.recaptcha import submit

                    response = submit(request.POST.get('recaptcha_challenge_field'),

                                      request.POST.get('recaptcha_response_field'),

                                      private_key=captcha_private_key,

                                      remoteip=self.ip_addr)

                    if c.captcha_active and not response.is_valid:

                        _value = form_result

                        _msg = _('Bad captcha')

                        error_dict = {'recaptcha_field': _msg}

                        raise formencode.Invalid(_msg, _value, None,

                                                 error_dict=error_dict)

                UserModel().create_registration(form_result)

                h.flash(_('You have successfully registered into Kallithea'),

                        category='success')

                Session().commit()

                return redirect(url('login_home'))

            except formencode.Invalid, errors:

                return htmlfill.render(

                    render('/register.html'),

                    defaults=errors.value,

                    errors=errors.error_dict or {},

                    prefix_error=False,

                    encoding="UTF-8",

                    force_defaults=False)

            except UserCreationError, e:

                # container auth or other auth functions that create users on

def _filter_proxy(ip):

    """

    HEADERS can have multiple ips inside the left-most being the original

    client, and each successive proxy that passed the request adding the IP

    address where it received the request from.

    :param ip:

    """

    if ',' in ip:

        _ips = ip.split(',')

        _first_ip = _ips[0].strip()

        log.debug('Got multiple IPs %s, using %s' % (','.join(_ips), _first_ip))

        return _first_ip

    return ip

def _get_ip_addr(environ):

    proxy_key = 'HTTP_X_REAL_IP'

    proxy_key2 = 'HTTP_X_FORWARDED_FOR'

    def_key = 'REMOTE_ADDR'

    ip = environ.get(proxy_key)

    if ip:

        return _filter_proxy(ip)

    ip = environ.get(proxy_key2)

    if ip:

        return _filter_proxy(ip)

    ip = environ.get(def_key, '0.0.0.0')

    return _filter_proxy(ip)

def _get_access_path(environ):

    path = environ.get('PATH_INFO')

    org_req = environ.get('pylons.original_request')

    if org_req:

        path = org_req.environ.get('PATH_INFO')

    return path

def log_in_user(user, remember):

    """

    Log a `User` in and update session and cookies. If `remember` is True,

    the session cookie is set to expire in a year; otherwise, it expires at

    the end of the browser session.

    """

    user.update_lastlogin()

    meta.Session().commit()

    auth_user = AuthUser(user_id=user.user_id)

    auth_user.set_authenticated()

    # Start new session to prevent session fixation attacks.

    session.invalidate()

    cs = auth_user.get_cookie_store()

    session['authuser'] = cs

    # If they want to be remembered, update the cookie

    if remember:

        t = datetime.datetime.now() + datetime.timedelta(days=365)

        session._set_cookie_expires(t)

    session.save()

    log.info('user %s is now authenticated and stored in '

             'session, session attrs %s', user.username, cs)

    # dumps session attrs back to cookie

    session._update_cookie_out()

class BasicAuth(paste.auth.basic.AuthBasicAuthenticator):

    def __init__(self, realm, authfunc, auth_http_code=None):

        self.realm = realm

        self.authfunc = authfunc

        self._rc_auth_http_code = auth_http_code

    def build_authentication(self):

        head = paste.httpheaders.WWW_AUTHENTICATE.tuples('Basic realm="%s"' % self.realm)

        if self._rc_auth_http_code and self._rc_auth_http_code == '403':

            # return 403 if alternative http return code is specified in

            # Kallithea config

            return paste.httpexceptions.HTTPForbidden(headers=head)

        return paste.httpexceptions.HTTPUnauthorized(headers=head)

    def authenticate(self, environ):

        authorization = paste.httpheaders.AUTHORIZATION(environ)

        if not authorization:

            return self.build_authentication()

        (authmeth, auth) = authorization.split(' ', 1)

        if 'basic' != authmeth.lower():

            return self.build_authentication()

        auth = auth.strip().decode('base64')

        _parts = auth.split(':', 1)

        if len(_parts) == 2:

            username, password = _parts

            if self.authfunc(username, password, environ):

                return username

        return self.build_authentication()

    __call__ = authenticate

class BaseVCSController(object):

    def __init__(self, application, config):

        self.application = application

        self.config = config

        # base path of repo locations

        self.basepath = self.config['base_path']

        #authenticate this VCS request using authfunc

        self.authenticate = BasicAuth('', auth_modules.authenticate,

                                      config.get('auth_ret_code'))

        self.ip_addr = '0.0.0.0'

    def _handle_request(self, environ, start_response):

        raise NotImplementedError()

            </script>''' % c.ga_code

        c.site_name = rc_config.get('title')

        c.clone_uri_tmpl = rc_config.get('clone_uri_tmpl')

        ## INI stored

        c.visual.allow_repo_location_change = str2bool(config.get('allow_repo_location_change', True))

        c.visual.allow_custom_hooks_settings = str2bool(config.get('allow_custom_hooks_settings', True))

        c.instance_id = config.get('instance_id')

        c.issues_url = config.get('bugtracker', url('issues_url'))

        # END CONFIG VARS

        c.repo_name = get_repo_slug(request)  # can be empty

        c.backends = BACKENDS.keys()

        c.unread_notifications = NotificationModel()\

                        .get_unread_cnt_for_user(c.authuser.user_id)

        self.cut_off_limit = safe_int(config.get('cut_off_limit'))

        c.my_pr_count = PullRequestModel().get_pullrequest_cnt_for_user(c.authuser.user_id)

        self.sa = meta.Session

        self.scm_model = ScmModel(self.sa)

    @staticmethod

    def _determine_auth_user(api_key, session_authuser):

        """

        Create an `AuthUser` object given the IP address of the request, the

        API key (if any), and the authuser from the session.

        """

        # Authenticate by API key

        if api_key:

            # when using API_KEY we are sure user exists.

            return AuthUser(api_key=api_key)

        # Authenticate by session cookie

        cookie_store = CookieStoreWrapper(session_authuser)

        user_id = cookie_store.get('user_id')

        if user_id is not None:

            try:

                auth_user = AuthUser(user_id=user_id)

            except UserCreationError as e:

                # container auth or other auth functions that create users on

                # the fly can throw UserCreationError to signal issues with

                # user creation. Explanation should be provided in the

                # exception object.

                from kallithea.lib import helpers as h

            else:

                authenticated = cookie_store.get('is_authenticated')

                if not auth_user.is_authenticated and auth_user.user_id is not None:

                    # user is not authenticated and not empty

                    auth_user.set_authenticated(authenticated)

                return auth_user

        # User is anonymous

        return AuthUser()

    def __call__(self, environ, start_response):

        """Invoke the Controller"""

        # WSGIController.__call__ dispatches to the Controller method

        # the request is routed to. This routing information is

        # available in environ['pylons.routes_dict']

        try:

            self.ip_addr = _get_ip_addr(environ)

            # make sure that we update permissions each time we call controller

            #set globals for auth user

            self.authuser = c.authuser = request.user = self._determine_auth_user(

                request.GET.get('api_key'),

                session.get('authuser'),

            )

            log.info('IP: %s User: %s accessed %s',

                self.ip_addr, self.authuser,

                safe_unicode(_get_access_path(environ)),

            )

            return WSGIController.__call__(self, environ, start_response)

        finally:

            meta.Session.remove()

class BaseRepoController(BaseController):

    """

    Base class for controllers responsible for loading all needed data for

    repository loaded items are

    c.db_repo_scm_instance: instance of scm repository

    c.db_repo: instance of db

    c.repository_followers: number of followers

    c.repository_forks: number of forks

    c.repository_following: weather the current user is following the current repo

    """

    def __before__(self):

        super(BaseRepoController, self).__before__()

        if c.repo_name:  # extracted from routes

            _dbr = Repository.get_by_repo_name(c.repo_name)

            if not _dbr:

                return

            log.debug('Found repository in database %s with state `%s`'

                       'auth_ldap_base_dn': '',

                       'auth_ldap_filter': '',

                       'auth_ldap_search_scope': 'BASE',

                       'auth_ldap_attr_login': '',

                       'auth_ldap_attr_firstname': '',

                       'auth_ldap_attr_lastname': '',

                       'auth_ldap_attr_email': ''})

        test_url = url(controller='admin/auth_settings',

                       action='auth_settings')

        response = self.app.post(url=test_url, params=params)

        response.mustcontain("""<span class="error-message">"""

                             """Please enter a number</span>""")

    def test_ldap_error_form(self):

        self.log_user()

        if not ldap_lib_installed:

            raise SkipTest('skipping due to missing ldap lib')

        params = self._enable_plugins('kallithea.lib.auth_modules.auth_internal,kallithea.lib.auth_modules.auth_ldap')

        params.update({'auth_ldap_host': 'Host',

                       'auth_ldap_port': '123',

                       'auth_ldap_tls_kind': 'PLAIN',

                       'auth_ldap_tls_reqcert': 'NEVER',

                       'auth_ldap_dn_user': '',

                       'auth_ldap_dn_pass': '',

                       'auth_ldap_base_dn': '',

                       'auth_ldap_filter': '',

                       'auth_ldap_search_scope': 'BASE',

                       'auth_ldap_attr_login': '',  # <----- missing required input

                       'auth_ldap_attr_firstname': '',

                       'auth_ldap_attr_lastname': '',

                       'auth_ldap_attr_email': ''})

        test_url = url(controller='admin/auth_settings',

                       action='auth_settings')

        response = self.app.post(url=test_url, params=params)

        response.mustcontain("""<span class="error-message">The LDAP Login"""

                             """ attribute of the CN must be specified""")

    def test_ldap_login(self):

        pass

    def test_ldap_login_incorrect(self):

        pass