#

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,

# MA  02110-1301, USA.

import inspect

import logging

import types

import urllib

import traceback

import time

from rhodecode.lib.compat import izip_longest, json

from paste.response import replace_header

from pylons.controllers import WSGIController

from webob.exc import HTTPNotFound, HTTPForbidden, HTTPInternalServerError, \

HTTPBadRequest, HTTPError

from rhodecode.model.db import User

from rhodecode.lib.base import _get_ip_addr, _get_access_path

from rhodecode.lib.utils2 import safe_unicode

log = logging.getLogger('JSONRPC')

class JSONRPCError(BaseException):

    def __init__(self, message):

        self.message = message

        super(JSONRPCError, self).__init__()

    def __str__(self):

        return str(self.message)

def jsonrpc_error(message, retid=None, code=None):

    """

    Generate a Response object with a JSON-RPC error body

    """

    from pylons.controllers.util import Response

    return Response(

            body=json.dumps(dict(id=retid, result=None, error=message)),

            status=code,

            return jsonrpc_error(retid=self._req_id,

                                 message="JSON parse error ERR:%s RAW:%r" \

                                 % (e, urllib.unquote_plus(raw_body)))

        # check AUTH based on API KEY

        try:

            self._req_api_key = json_body['api_key']

            self._req_id = json_body['id']

            self._req_method = json_body['method']

            self._request_params = json_body['args']

            log.debug(

                'method: %s, params: %s' % (self._req_method,

                                            self._request_params)

            )

        except KeyError, e:

            return jsonrpc_error(retid=self._req_id,

                                 message='Incorrect JSON query missing %s' % e)

        # check if we can find this session using api_key

        try:

            u = User.get_by_api_key(self._req_api_key)

            if u is None:

                return jsonrpc_error(retid=self._req_id,

                                     message='Invalid API KEY')

            #check if we are allowed to use this IP

                return jsonrpc_error(retid=self._req_id,

                        message='request from IP:%s not allowed' % (ip_addr))

            else:

                log.info('Access for IP:%s allowed' % (ip_addr))

        except Exception, e:

            return jsonrpc_error(retid=self._req_id,

                                 message='Invalid API KEY')

        self._error = None

        try:

            self._func = self._find_method()

        except AttributeError, e:

            return jsonrpc_error(retid=self._req_id,

                                 message=str(e))

        # now that we have a method, add self._req_params to

        # self.kargs and dispatch control to WGIController

        argspec = inspect.getargspec(self._func)

        arglist = argspec[0][1:]

        defaults = map(type, argspec[3] or [])

        default_empty = types.NotImplementedType

        # kw arguments required by this method

        func_kwargs = dict(izip_longest(reversed(arglist), reversed(defaults),

                                        fillvalue=default_empty))

        # this is little trick to inject logged in user for

        # perms decorators to work they expect the controller class to have

from pylons.i18n.translation import _

from pylons.controllers.util import abort, redirect

from pylons import request, response, session, tmpl_context as c, url

import rhodecode.lib.helpers as h

from rhodecode.lib.auth import AuthUser, HasPermissionAnyDecorator

from rhodecode.lib.base import BaseController, render

from rhodecode.model.db import User

from rhodecode.model.forms import LoginForm, RegisterForm, PasswordResetForm

from rhodecode.model.user import UserModel

from rhodecode.model.meta import Session

log = logging.getLogger(__name__)

class LoginController(BaseController):

    def __before__(self):

        super(LoginController, self).__before__()

    def index(self):

        # redirect if already logged in

        c.came_from = request.GET.get('came_from')

            return redirect(url('home'))

        if request.POST:

            # import Login Form validator class

            login_form = LoginForm()

            try:

                session.invalidate()

                c.form_result = login_form.to_python(dict(request.POST))

                # form checks for username/password, now we're authenticated

                username = c.form_result['username']

                user = User.get_by_username(username, case_insensitive=True)

                auth_user = AuthUser(user.user_id)

                auth_user.set_authenticated()

                cs = auth_user.get_cookie_store()

                session['rhodecode_user'] = cs

                user.update_lastlogin()

                Session().commit()

                # If they want to be remembered, update the cookie

                if c.form_result['remember'] is not False:

                    _year = (datetime.datetime.now() +

                             datetime.timedelta(seconds=60 * 60 * 24 * 365))

                    session._set_cookie_expires(_year)

import random

import logging

import traceback

import hashlib

from tempfile import _RandomNameSequence

from decorator import decorator

from pylons import config, url, request

from pylons.controllers.util import abort, redirect

from pylons.i18n.translation import _

from rhodecode import __platform__, is_windows, is_unix

from rhodecode.model.meta import Session

from rhodecode.lib.utils2 import str2bool, safe_unicode

from rhodecode.lib.exceptions import LdapPasswordError, LdapUsernameError

from rhodecode.lib.utils import get_repo_slug, get_repos_group_slug

from rhodecode.lib.auth_ldap import AuthLdap

from rhodecode.model import meta

from rhodecode.model.user import UserModel

from rhodecode.model.db import Permission, RhodeCodeSetting, User, UserIpMap

log = logging.getLogger(__name__)

class PasswordGenerator(object):

    """

    This is a simple class for generating password from different sets of

    characters

    usage::

        passwd_gen = PasswordGenerator()

        #print 8-letter password containing only big and small letters

            of alphabet

        passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL)

    """

    ALPHABETS_NUM = r'''1234567890'''

    ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm'''

    ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM'''

    ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?'''

    ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \

        + ALPHABETS_NUM + ALPHABETS_SPECIAL

    ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM

    ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL

    ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM

class  AuthUser(object):

    """

    A simple object that handles all attributes of user in RhodeCode

    It does lookup based on API key,given user, or user present in session

    Then it fills all required information for such user. It also checks if

    anonymous access is enabled and if so, it returns default user as logged

    in

    """

    def __init__(self, user_id=None, api_key=None, username=None, ip_addr=None):

        self.user_id = user_id

        self.api_key = None

        self.username = username

        self.ip_addr = ip_addr

        self.name = ''

        self.lastname = ''

        self.email = ''

        self.is_authenticated = False

        self.admin = False

        self.inherit_default_permissions = False

        self.permissions = {}

        self._api_key = api_key

        self.propagate_data()

        self._instance = None

    def propagate_data(self):

        user_model = UserModel()

        self.anonymous_user = User.get_by_username('default', cache=True)

        is_user_loaded = False

        # try go get user by api key

        if self._api_key and self._api_key != self.anonymous_user.api_key:

            log.debug('Auth User lookup by API KEY %s' % self._api_key)

            is_user_loaded = user_model.fill_data(self, api_key=self._api_key)

        # lookup by userid

        elif (self.user_id is not None and

              self.user_id != self.anonymous_user.user_id):

            log.debug('Auth User lookup by USER ID %s' % self.user_id)

            is_user_loaded = user_model.fill_data(self, user_id=self.user_id)

        # lookup by username

        elif self.username and \

            str2bool(config.get('container_auth_enabled', False)):

            log.debug('Auth User lookup by USER NAME %s' % self.username)

            dbuser = login_container_auth(self.username)

                log.debug('filling all attributes to object')

                for k, v in dbuser.get_dict().items():

                    setattr(self, k, v)

                self.set_authenticated()

                is_user_loaded = True

        else:

            log.debug('No data in %s that could been used to log in' % self)

        if not is_user_loaded:

            # if we cannot authenticate user try anonymous

            if self.anonymous_user.active is True:

                user_model.fill_data(self, user_id=self.anonymous_user.user_id)

                # then we set this user is logged in

                self.is_authenticated = True

            else:

                self.user_id = None

                self.username = None

                self.is_authenticated = False

        if not self.username:

            self.username = 'None'

        log.debug('Auth User is now %s' % self)

        user_model.fill_perms(self)

    @property

    def is_admin(self):

        return self.admin

    def __repr__(self):

        return "<AuthUser('id:%s:%s|%s')>" % (self.user_id, self.username,

                                              self.is_authenticated)

    def set_authenticated(self, authenticated=True):

        if self.user_id != self.anonymous_user.user_id:

            self.is_authenticated = authenticated

    def get_cookie_store(self):

        return {'username': self.username,

                'user_id': self.user_id,

                'is_authenticated': self.is_authenticated}

    @classmethod

    def from_cookie_store(cls, cookie_store):

        """

        Creates AuthUser from a cookie store

        :param cls:

        :param cookie_store:

        """

        user_id = cookie_store.get('user_id')

        username = cookie_store.get('username')

        api_key = cookie_store.get('api_key')

        return AuthUser(user_id, api_key, username)

    @classmethod

        _set = set()

        for ip in user_ips:

            _set.add(ip.ip_addr)

        return _set or set(['0.0.0.0/0'])

def set_available_permissions(config):

    """

    This function will propagate pylons globals with all available defined

    permission given in db. We don't want to check each time from db for new

    permissions since adding a new permission also requires application restart

    ie. to decorate new views with the newly created permission

    :param config: current pylons config instance

    """

    log.info('getting information about all available permissions')

    try:

        sa = meta.Session

        all_perms = sa.query(Permission).all()

    except Exception:

        pass

    finally:

        meta.Session.remove()

    config['available_permissions'] = [x.permission_name for x in all_perms]

#==============================================================================

# CHECK DECORATORS

#==============================================================================

class LoginRequired(object):

    """

    Must be logged in to execute this function else

    redirect to login page

    :param api_access: if enabled this checks only for valid auth token

        and grants access based on valid token

    """

    def __init__(self, api_access=False):

        self.api_access = api_access

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        cls = fargs[0]

        user = cls.rhodecode_user

        api_access_ok = False

        if self.api_access:

            log.debug('Checking API KEY access for %s' % cls)

            if user.api_key == request.GET.get('api_key'):

                api_access_ok = True

            else:

                log.debug("API KEY token not valid")

        log.debug('Checking if %s is authenticated @ %s' % (user.username, loc))

            reason = 'RegularAuth' if user.is_authenticated else 'APIAuth'

            log.info('user %s is authenticated and granted access to %s '

                     'using %s' % (user.username, loc, reason)

            )

            return func(*fargs, **fkwargs)

        else:

            log.warn('user %s NOT authenticated on func: %s' % (

                user, loc)

            )

            p = url.current()

            log.debug('redirecting to login page with %s' % p)

            return redirect(url('login_home', came_from=p))

class NotAnonymous(object):

    """

    Must be logged in to execute this function else

    redirect to login page"""

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

"""The base Controller API

Provides the BaseController class for subclassing.

"""

import logging

import time

import traceback

from paste.auth.basic import AuthBasicAuthenticator

from paste.httpexceptions import HTTPUnauthorized, HTTPForbidden

from paste.httpheaders import WWW_AUTHENTICATE, AUTHORIZATION

from pylons import config, tmpl_context as c, request, session, url

from pylons.controllers import WSGIController

from pylons.controllers.util import redirect

from pylons.templating import render_mako as render

from rhodecode import __version__, BACKENDS

from rhodecode.lib.utils2 import str2bool, safe_unicode, AttributeDict,\

    safe_str, safe_int

from rhodecode.lib.auth import AuthUser, get_container_username, authfunc,\

from rhodecode.lib.utils import get_repo_slug, invalidate_cache

from rhodecode.model import meta

from rhodecode.model.db import Repository, RhodeCodeUi, User, RhodeCodeSetting

from rhodecode.model.notification import NotificationModel

from rhodecode.model.scm import ScmModel

from rhodecode.model.meta import Session

log = logging.getLogger(__name__)

def _get_ip_addr(environ):

    proxy_key = 'HTTP_X_REAL_IP'

    proxy_key2 = 'HTTP_X_FORWARDED_FOR'

    def_key = 'REMOTE_ADDR'

    ip = environ.get(proxy_key2)

    if ip:

        return ip

    ip = environ.get(proxy_key)

    if ip:

        return ip

                      traceback.format_exc()

                      )

            )

        return '/'.join(data)

    def _invalidate_cache(self, repo_name):

        """

        Set's cache for this repository for invalidation on next access

        :param repo_name: full repo name, also a cache key

        """

        invalidate_cache('get_repo_cached_%s' % repo_name)

    def _check_permission(self, action, user, repo_name, ip_addr=None):

        """

        Checks permissions using action (push/pull) user and repository

        name

        :param action: push or pull action

        :param user: user instance

        :param repo_name: repository name

        """

        #check IP

            return False

        else:

            log.info('Access for IP:%s allowed' % (ip_addr))

        if action == 'push':

            if not HasPermissionAnyMiddleware('repository.write',

                                              'repository.admin')(user,

                                                                  repo_name):

                return False

        else:

            #any other action need at least read permission

            if not HasPermissionAnyMiddleware('repository.read',

                                              'repository.write',

                                              'repository.admin')(user,

                                                                  repo_name):

                return False

        return True

    def _get_ip_addr(self, environ):

        return _get_ip_addr(environ)

    def _check_ssl(self, environ, start_response):

        """

            raise AttributeError('email %s is present is user table' % email)

        return email

    @hybrid_property

    def email(self):

        return self._email

    @email.setter

    def email(self, val):

        self._email = val.lower() if val else None

class UserIpMap(Base, BaseModel):

    __tablename__ = 'user_ip_map'

    __table_args__ = (

        UniqueConstraint('user_id', 'ip_addr'),

        {'extend_existing': True, 'mysql_engine': 'InnoDB',

         'mysql_charset': 'utf8'}

    )

    __mapper_args__ = {}

    ip_id = Column("ip_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)

    user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)

    ip_addr = Column("ip_addr", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=False, default=None)

    user = relationship('User', lazy='joined')

    @classmethod

    def _get_ip_range(cls, ip_addr):

        from rhodecode.lib import ipaddr

        net = ipaddr.IPv4Network(ip_addr)

        return [str(net.network), str(net.broadcast)]

    def __json__(self):

        return dict(

          ip_addr=self.ip_addr,

          ip_range=self._get_ip_range(self.ip_addr)

        )

class UserLog(Base, BaseModel):

    __tablename__ = 'user_logs'

    __table_args__ = (

        {'extend_existing': True, 'mysql_engine': 'InnoDB',

         'mysql_charset': 'utf8'},

    )

    user_log_id = Column("user_log_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)

    user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=True, unique=None, default=None)

    username = Column("username", String(255, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)

    users model for RhodeCode

    :created_on: Apr 9, 2010

    :author: marcink

    :copyright: (C) 2010-2012 Marcin Kuzminski <marcin@python-works.com>

    :license: GPLv3, see COPYING for more details.

"""

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import logging

import traceback

import itertools

import collections

from pylons import url

from pylons.i18n.translation import _

from sqlalchemy.exc import DatabaseError

from sqlalchemy.orm import joinedload

from rhodecode.lib.utils2 import safe_unicode, generate_api_key

from rhodecode.lib.caching_query import FromCache

from rhodecode.model import BaseModel

from rhodecode.model.db import User, UserRepoToPerm, Repository, Permission, \

    UserToPerm, UsersGroupRepoToPerm, UsersGroupToPerm, UsersGroupMember, \

    Notification, RepoGroup, UserRepoGroupToPerm, UsersGroupRepoGroupToPerm, \

    UserEmailMap, UserIpMap

from rhodecode.lib.exceptions import DefaultUserException, \

    UserOwnsReposException

log = logging.getLogger(__name__)

PERM_WEIGHTS = Permission.PERM_WEIGHTS

class UserModel(BaseModel):

    cls = User

	box-shadow: 0 2px 2px rgba(0, 0, 0, 0.6);

	-webkit-border-radius: 4px 4px 4px 4px;

	-khtml-border-radius: 4px 4px 4px 4px;

	-moz-border-radius: 4px 4px 4px 4px;

	border-radius: 4px 4px 4px 4px;

}

#footer div#footer-inner p {

	padding: 15px 25px 15px 0;

	color: #FFF;

	font-weight: 700;

}

#footer div#footer-inner .footer-link {

	float: left;

	padding-left: 10px;

}

#footer div#footer-inner .footer-link a,#footer div#footer-inner .footer-link-right a

	{

	color: #FFF;

}

#login div.title {

	clear: both;

	overflow: hidden;

	position: relative;

	background-color: #003B76; 

	background-repeat : repeat-x;

	background-image : -khtml-gradient( linear, left top, left bottom, from(#003B76), to(#00376E)); 

	background-image : -moz-linear-gradient( top, #003b76, #00376e); 

	background-image : -ms-linear-gradient( top, #003b76, #00376e);

	background-image : -webkit-gradient( linear, left top, left bottom, color-stop( 0%, #003b76), color-stop( 100%, #00376e));

	background-image : -webkit-linear-gradient( top, #003b76, #00376e));

	background-image : -o-linear-gradient( top, #003b76, #00376e));

	background-image : linear-gradient( top, #003b76, #00376e); 

	filter : progid : DXImageTransform.Microsoft.gradient ( startColorstr = '#003b76', endColorstr = '#00376e', GradientType = 0);

	margin: 0 auto;

	padding: 0;

}

#login div.inner {

	background: #FFF url("../images/login.png") no-repeat top left;

	border-top: none;

	border-bottom: none;

	margin: 0 auto;

	padding: 20px;

}

#login div.form div.fields div.field div.label {

	width: 173px;

	float: left;

	text-align: right;

	margin: 2px 10px 0 0;

	padding: 5px 0 0 5px;

}

#login div.form div.fields div.field div.input input {

	background: #FFF;

	border-top: 1px solid #b3b3b3;

	border-left: 1px solid #b3b3b3;

	border-right: 1px solid #eaeaea;

	border-bottom: 1px solid #eaeaea;

	color: #000;

	font-size: 11px;

	margin: 0;

	padding: 7px 7px 6px;

}

#login div.form div.fields div.buttons {

	clear: both;

	overflow: hidden;

	border-top: 1px solid #DDD;

	text-align: right;

	margin: 0;

	padding: 10px 0 0;

}

#login div.form div.links {

	clear: both;

	overflow: hidden;

	margin: 10px 0 0;