# -*- coding: utf-8 -*-

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""

kallithea.controllers.changelog

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

changelog controller for Kallithea

This file was forked by the Kallithea project in July 2014.

Original author and date, and relevant copyright and licensing information is below:

:created_on: Apr 21, 2010

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import logging

import traceback

from tg import request, session, tmpl_context as c

from tg.i18n import ugettext as _

from webob.exc import HTTPFound, HTTPNotFound, HTTPBadRequest

import kallithea.lib.helpers as h

from kallithea.config.routing import url

from kallithea.lib.auth import LoginRequired, HasRepoPermissionLevelDecorator

from kallithea.lib.base import BaseRepoController, render

from kallithea.lib.graphmod import graph_data

from kallithea.lib.page import RepoPage

from kallithea.lib.vcs.exceptions import RepositoryError, ChangesetDoesNotExistError, \

    ChangesetError, NodeDoesNotExistError, EmptyRepositoryError

from kallithea.lib.utils2 import safe_int, safe_str

log = logging.getLogger(__name__)

class ChangelogController(BaseRepoController):

    def _before(self, *args, **kwargs):

        super(ChangelogController, self)._before(*args, **kwargs)

        c.affected_files_cut_off = 60

    @staticmethod

    def __get_cs(rev, repo):

        """

        Safe way to get changeset. If error occur fail with error message.

        :param rev: revision to fetch

        :param repo: repo instance

        """

        try:

            return c.db_repo_scm_instance.get_changeset(rev)

        except EmptyRepositoryError as e:

        except RepositoryError as e:

            log.error(traceback.format_exc())

            h.flash(safe_str(e), category='error')

        raise HTTPBadRequest()

    @LoginRequired(allow_default_user=True)

    @HasRepoPermissionLevelDecorator('read')

    def index(self, repo_name, revision=None, f_path=None):

        limit = 2000

        default = 100

        if request.GET.get('size'):

            c.size = max(min(safe_int(request.GET.get('size')), limit), 1)

            session['changelog_size'] = c.size

            session.save()

        else:

            c.size = int(session.get('changelog_size', default))

        # min size must be 1

        c.size = max(c.size, 1)

        p = safe_int(request.GET.get('page'), 1)

        branch_name = request.GET.get('branch', None)

        if (branch_name and

            branch_name not in c.db_repo_scm_instance.branches and

            branch_name not in c.db_repo_scm_instance.closed_branches and

            not revision):

            raise HTTPFound(location=url('changelog_file_home', repo_name=c.repo_name,

                                    revision=branch_name, f_path=f_path or ''))

        if revision == 'tip':

            revision = None

        c.changelog_for_path = f_path

        try:

            if f_path:

                log.debug('generating changelog for path %s', f_path)

                # get the history for the file !

                tip_cs = c.db_repo_scm_instance.get_changeset()

                try:

                    collection = tip_cs.get_file_history(f_path)

                except (NodeDoesNotExistError, ChangesetError):

                    # this node is not present at tip !

                    try:

                        cs = self.__get_cs(revision, repo_name)

                        collection = cs.get_file_history(f_path)

                    except RepositoryError as e:

                        h.flash(safe_str(e), category='warning')

                        raise HTTPFound(location=h.url('changelog_home', repo_name=repo_name))

                collection = list(reversed(collection))

            else:

                collection = c.db_repo_scm_instance.get_changesets(start=0, end=revision,

                                                        branch_name=branch_name)

            c.total_cs = len(collection)

            c.cs_pagination = RepoPage(collection, page=p, item_count=c.total_cs,

                                    items_per_page=c.size, branch=branch_name,)

            page_revisions = [x.raw_id for x in c.cs_pagination]

            c.cs_comments = c.db_repo.get_comments(page_revisions)

            c.cs_statuses = c.db_repo.statuses(page_revisions)

        except EmptyRepositoryError as e:

            h.flash(safe_str(e), category='warning')

            raise HTTPFound(location=url('summary_home', repo_name=c.repo_name))

        except (RepositoryError, ChangesetDoesNotExistError, Exception) as e:

            log.error(traceback.format_exc())

            h.flash(safe_str(e), category='error')

            raise HTTPFound(location=url('changelog_home', repo_name=c.repo_name))

        c.branch_name = branch_name

        c.branch_filters = [('', _('None'))] + \

            [(k, k) for k in c.db_repo_scm_instance.branches.keys()]

        if c.db_repo_scm_instance.closed_branches:

            prefix = _('(closed)') + ' '

            c.branch_filters += [('-', '-')] + \

                [(k, prefix + k) for k in c.db_repo_scm_instance.closed_branches.keys()]

        revs = []

        if not f_path:

            revs = [x.revision for x in c.cs_pagination]

        c.jsdata = graph_data(c.db_repo_scm_instance, revs)

        c.revision = revision # requested revision ref

        c.first_revision = c.cs_pagination[0] # pagination is never empty here!

        return render('changelog/changelog.html')

    @LoginRequired(allow_default_user=True)

    @HasRepoPermissionLevelDecorator('read')

    def changelog_details(self, cs):

        if request.environ.get('HTTP_X_PARTIAL_XHR'):

            c.cs = c.db_repo_scm_instance.get_changeset(cs)

            return render('changelog/changelog_details.html')

        raise HTTPNotFound()

log = logging.getLogger(__name__)

def _get_reviewer(user_id):

    """Look up user by ID and validate it as a potential reviewer."""

    try:

        user = User.get(int(user_id))

    except ValueError:

        user = None

    if user is None or user.is_default_user:

        h.flash(_('Invalid reviewer "%s" specified') % user_id, category='error')

        raise HTTPBadRequest()

    return user

class PullrequestsController(BaseRepoController):

    def _get_repo_refs(self, repo, rev=None, branch=None, branch_rev=None):

        """return a structure with repo's interesting changesets, suitable for

        the selectors in pullrequest.html

        rev: a revision that must be in the list somehow and selected by default

        branch: a branch that must be in the list and selected by default - even if closed

        branch_rev: a revision of which peers should be preferred and available."""

        # list named branches that has been merged to this named branch - it should probably merge back

        peers = []

        if rev:

            rev = safe_str(rev)

        if branch:

            branch = safe_str(branch)

        if branch_rev:

            branch_rev = safe_str(branch_rev)

            # a revset not restricting to merge() would be better

            # (especially because it would get the branch point)

            # ... but is currently too expensive

            # including branches of children could be nice too

            peerbranches = set()

            for i in repo._repo.revs(

                "sort(parents(branch(id(%s)) and merge()) - branch(id(%s)), -rev)",

                branch_rev, branch_rev):

                for abranch in repo.get_changeset(i).branches:

                    if abranch not in peerbranches:

                        n = 'branch:%s:%s' % (abranch, repo.get_changeset(abranch).raw_id)

                        peers.append((n, abranch))

                        peerbranches.add(abranch)

        selected = None

        tiprev = repo.tags.get('tip')

        tipbranch = None

        branches = []

        for abranch, branchrev in repo.branches.iteritems():

            n = 'branch:%s:%s' % (abranch, branchrev)

            desc = abranch

            if branchrev == tiprev:

                tipbranch = abranch

                desc = '%s (current tip)' % desc

            branches.append((n, desc))

            if rev == branchrev:

                selected = n

            if branch == abranch:

                if not rev:

                    selected = n

                branch = None

        if branch:  # branch not in list - it is probably closed

            branchrev = repo.closed_branches.get(branch)

            if branchrev:

                n = 'branch:%s:%s' % (branch, branchrev)

                branches.append((n, _('%s (closed)') % branch))

                selected = n

                branch = None

            if branch:

                log.debug('branch %r not found in %s', branch, repo)

        bookmarks = []

        for bookmark, bookmarkrev in repo.bookmarks.iteritems():

            n = 'book:%s:%s' % (bookmark, bookmarkrev)

            bookmarks.append((n, bookmark))

            if rev == bookmarkrev:

                selected = n

        tags = []

        for tag, tagrev in repo.tags.iteritems():

            if tag == 'tip':

                continue

            n = 'tag:%s:%s' % (tag, tagrev)

            tags.append((n, tag))

            # note: even if rev == tagrev, don't select the static tag - it must be chosen explicitly

        # prio 1: rev was selected as existing entry above

        # prio 2: create special entry for rev; rev _must_ be used

        specials = []

        if rev and selected is None:

            selected = 'rev:%s:%s' % (rev, rev)

            specials = [(selected, '%s: %s' % (_("Changeset"), rev[:12]))]

        # prio 3: most recent peer branch

        if peers and not selected:

            selected = peers[0][0]

        # prio 4: tip revision

        if not selected:

            if h.is_hg(repo):

                if tipbranch:

                    selected = 'branch:%s:%s' % (tipbranch, tiprev)

                else:

                    selected = 'tag:null:' + repo.EMPTY_CHANGESET

                    tags.append((selected, 'null'))

            else:

                if 'master' in repo.branches:

                    selected = 'branch:master:%s' % repo.branches['master']

                else:

                    k, v = repo.branches.items()[0]

                    selected = 'branch:%s:%s' % (k, v)

        groups = [(specials, _("Special")),

                  (peers, _("Peer branches")),

                  (bookmarks, _("Bookmarks")),

                  (branches, _("Branches")),

                  (tags, _("Tags")),

                  ]

        return [g for g in groups if g[0]], selected

    def _is_allowed_to_change_status(self, pull_request):

        if pull_request.is_closed():

            return False

        owner = request.authuser.user_id == pull_request.owner_id

        reviewer = PullRequestReviewer.query() \

            .filter(PullRequestReviewer.pull_request == pull_request) \

            .filter(PullRequestReviewer.user_id == request.authuser.user_id) \

            .count() != 0

        return request.authuser.admin or owner or reviewer

    @LoginRequired(allow_default_user=True)

    @HasRepoPermissionLevelDecorator('read')

    def show_all(self, repo_name):

        c.from_ = request.GET.get('from_') or ''

        c.closed = request.GET.get('closed') or ''

        p = safe_int(request.GET.get('page'), 1)

        q = PullRequest.query(include_closed=c.closed, sorted=True)

        if c.from_:

            q = q.filter_by(org_repo=c.db_repo)

        else:

            q = q.filter_by(other_repo=c.db_repo)

        c.pull_requests = q.all()

        c.pullrequests_pager = Page(c.pull_requests, page=p, items_per_page=100)

        return render('/pullrequests/pullrequest_show_all.html')

    @LoginRequired()

    def show_my(self):

        c.closed = request.GET.get('closed') or ''

        c.my_pull_requests = PullRequest.query(

            include_closed=c.closed,

            sorted=True,

        ).filter_by(owner_id=request.authuser.user_id).all()

        c.participate_in_pull_requests = []

        c.participate_in_pull_requests_todo = []

        done_status = set([ChangesetStatus.STATUS_APPROVED, ChangesetStatus.STATUS_REJECTED])

        for pr in PullRequest.query(

            include_closed=c.closed,

            reviewer_id=request.authuser.user_id,

            sorted=True,

        ):

            status = pr.user_review_status(request.authuser.user_id) # very inefficient!!!

            if status in done_status:

                c.participate_in_pull_requests.append(pr)

            else:

                c.participate_in_pull_requests_todo.append(pr)

        return render('/pullrequests/pullrequest_show_my.html')

    @LoginRequired()

    @HasRepoPermissionLevelDecorator('read')

    def index(self):

        org_repo = c.db_repo

        org_scm_instance = org_repo.scm_instance

        try:

            org_scm_instance.get_changeset()

        except EmptyRepositoryError as e:

                    category='warning')

            raise HTTPFound(location=url('summary_home', repo_name=org_repo.repo_name))

        org_rev = request.GET.get('rev_end')

        # rev_start is not directly useful - its parent could however be used

        # as default for other and thus give a simple compare view

        rev_start = request.GET.get('rev_start')

        other_rev = None

        if rev_start:

            starters = org_repo.get_changeset(rev_start).parents

            if starters:

                other_rev = starters[0].raw_id

            else:

                other_rev = org_repo.scm_instance.EMPTY_CHANGESET

        branch = request.GET.get('branch')

        c.cs_repos = [(org_repo.repo_name, org_repo.repo_name)]

        c.default_cs_repo = org_repo.repo_name

        c.cs_refs, c.default_cs_ref = self._get_repo_refs(org_scm_instance, rev=org_rev, branch=branch)

        default_cs_ref_type, default_cs_branch, default_cs_rev = c.default_cs_ref.split(':')

        if default_cs_ref_type != 'branch':

            default_cs_branch = org_repo.get_changeset(default_cs_rev).branch

        # add org repo to other so we can open pull request against peer branches on itself

        c.a_repos = [(org_repo.repo_name, '%s (self)' % org_repo.repo_name)]

        if org_repo.parent:

            # add parent of this fork also and select it.

            # use the same branch on destination as on source, if available.

            c.a_repos.append((org_repo.parent.repo_name, '%s (parent)' % org_repo.parent.repo_name))

            c.a_repo = org_repo.parent

            c.a_refs, c.default_a_ref = self._get_repo_refs(

                    org_repo.parent.scm_instance, branch=default_cs_branch, rev=other_rev)

        else:

            c.a_repo = org_repo

            c.a_refs, c.default_a_ref = self._get_repo_refs(org_scm_instance, rev=other_rev)

        # gather forks and add to this list ... even though it is rare to

        # request forks to pull from their parent

        for fork in org_repo.forks:

            c.a_repos.append((fork.repo_name, fork.repo_name))

        return render('/pullrequests/pullrequest.html')

    @LoginRequired()

    @HasRepoPermissionLevelDecorator('read')

    @jsonify

    def repo_info(self, repo_name):

        repo = c.db_repo

        refs, selected_ref = self._get_repo_refs(repo.scm_instance)

        return {

            'description': repo.description.split('\n', 1)[0],

            'selected_ref': selected_ref,

            'refs': refs,

            }

    @LoginRequired()

    @HasRepoPermissionLevelDecorator('read')

    def create(self, repo_name):

        repo = c.db_repo

        try:

            _form = PullRequestForm(repo.repo_id)().to_python(request.POST)

        except formencode.Invalid as errors:

            log.error(traceback.format_exc())

            log.error(str(errors))

            msg = _('Error creating pull request: %s') % errors.msg

            h.flash(msg, 'error')

            raise HTTPBadRequest

        # heads up: org and other might seem backward here ...

        org_ref = _form['org_ref'] # will have merge_rev as rev but symbolic name

        org_repo = Repository.guess_instance(_form['org_repo'])

        other_ref = _form['other_ref'] # will have symbolic name and head revision

        other_repo = Repository.guess_instance(_form['other_repo'])

        reviewers = []

        title = _form['pullrequest_title']

        description = _form['pullrequest_desc'].strip()

        owner = User.get(request.authuser.user_id)

        try:

            cmd = CreatePullRequestAction(org_repo, other_repo, org_ref, other_ref, title, description, owner, reviewers)

        except CreatePullRequestAction.ValidationError as e:

            h.flash(str(e), category='error', logf=log.error)

            raise HTTPNotFound

        try:

            pull_request = cmd.execute()

            Session().commit()

        except Exception:

            h.flash(_('Error occurred while creating pull request'),

                    category='error')

            log.error(traceback.format_exc())

            raise HTTPFound(location=url('pullrequest_home', repo_name=repo_name))

        h.flash(_('Successfully opened new pull request'),

                category='success')

        raise HTTPFound(location=pull_request.url())

    def create_new_iteration(self, old_pull_request, new_rev, title, description, reviewers):

        owner = User.get(request.authuser.user_id)

        new_org_rev = self._get_ref_rev(old_pull_request.org_repo, 'rev', new_rev)

        new_other_rev = self._get_ref_rev(old_pull_request.other_repo, old_pull_request.other_ref_parts[0], old_pull_request.other_ref_parts[1])

        try:

            cmd = CreatePullRequestIterationAction(old_pull_request, new_org_rev, new_other_rev, title, description, owner, reviewers)

        except CreatePullRequestAction.ValidationError as e:

            h.flash(str(e), category='error', logf=log.error)

            raise HTTPNotFound

        try:

            pull_request = cmd.execute()

            Session().commit()

        except Exception:

            h.flash(_('Error occurred while creating pull request'),

                    category='error')

            log.error(traceback.format_exc())

            raise HTTPFound(location=old_pull_request.url())

        h.flash(_('New pull request iteration created'),

                category='success')

        raise HTTPFound(location=pull_request.url())

    # pullrequest_post for PR editing

    @LoginRequired()

    @HasRepoPermissionLevelDecorator('read')

    def post(self, repo_name, pull_request_id):

        pull_request = PullRequest.get_or_404(pull_request_id)

        if pull_request.is_closed():

            raise HTTPForbidden()

        assert pull_request.other_repo.repo_name == repo_name

        # only owner or admin can update it

        owner = pull_request.owner_id == request.authuser.user_id

        repo_admin = h.HasRepoPermissionLevel('admin')(c.repo_name)

        if not (h.HasPermissionAny('hg.admin')() or repo_admin or owner):

            raise HTTPForbidden()

        _form = PullRequestPostForm()().to_python(request.POST)

        cur_reviewers = set(pull_request.get_reviewer_users())

        new_reviewers = set(_get_reviewer(s) for s in _form['review_members'])

        old_reviewers = set(_get_reviewer(s) for s in _form['org_review_members'])

        other_added = cur_reviewers - old_reviewers

        other_removed = old_reviewers - cur_reviewers

        if other_added:

            h.flash(_('Meanwhile, the following reviewers have been added: %s') %

                    (', '.join(u.username for u in other_added)),

                    category='warning')

        if other_removed:

            h.flash(_('Meanwhile, the following reviewers have been removed: %s') %

                    (', '.join(u.username for u in other_removed)),

                    category='warning')

        if _form['updaterev']:

            return self.create_new_iteration(pull_request,

                                      _form['updaterev'],

                                      _form['pullrequest_title'],

                                      _form['pullrequest_desc'],

                                      new_reviewers)

        added_reviewers = new_reviewers - old_reviewers - cur_reviewers

        removed_reviewers = (old_reviewers - new_reviewers) & cur_reviewers

        old_description = pull_request.description

        pull_request.title = _form['pullrequest_title']

        pull_request.description = _form['pullrequest_desc'].strip() or _('No description')

        pull_request.owner = User.get_by_username(_form['owner'])

        user = User.get(request.authuser.user_id)

        PullRequestModel().mention_from_description(user, pull_request, old_description)

        PullRequestModel().add_reviewers(user, pull_request, added_reviewers)

        PullRequestModel().remove_reviewers(user, pull_request, removed_reviewers)

        Session().commit()

        h.flash(_('Pull request updated'), category='success')

        raise HTTPFound(location=pull_request.url())

    @LoginRequired()

    @HasRepoPermissionLevelDecorator('read')

    @jsonify

    def delete(self, repo_name, pull_request_id):

        pull_request = PullRequest.get_or_404(pull_request_id)

        # only owner can delete it !

        if pull_request.owner_id == request.authuser.user_id:

            PullRequestModel().delete(pull_request)

            Session().commit()

            self.username, level, repo_name, purpose, ok, actual_perm)

        return ok

    def has_repository_group_permission_level(self, repo_group_name, level, purpose=None):

        required_perms = {

            'read': ['group.read', 'group.write', 'group.admin'],

            'write': ['group.write', 'group.admin'],

            'admin': ['group.admin'],

        }[level]

        actual_perm = self.permissions['repositories_groups'].get(repo_group_name)

        ok = actual_perm in required_perms

        log.debug('Checking if user %r can %r repo group %r (%s): %s (has %r)',

            self.username, level, repo_group_name, purpose, ok, actual_perm)

        return ok

    def has_user_group_permission_level(self, user_group_name, level, purpose=None):

        required_perms = {

            'read': ['usergroup.read', 'usergroup.write', 'usergroup.admin'],

            'write': ['usergroup.write', 'usergroup.admin'],

            'admin': ['usergroup.admin'],

        }[level]

        actual_perm = self.permissions['user_groups'].get(user_group_name)

        ok = actual_perm in required_perms

        log.debug('Checking if user %r can %r user group %r (%s): %s (has %r)',

            self.username, level, user_group_name, purpose, ok, actual_perm)

        return ok

    @property

    def api_keys(self):

        return self._get_api_keys()

    def __get_perms(self, user, explicit=True, cache=False):

        """

        Fills user permission attribute with permissions taken from database

        works for permissions given for repositories, and for permissions that

        are granted to groups

        :param user: `AuthUser` instance

        :param explicit: In case there are permissions both for user and a group

            that user is part of, explicit flag will define if user will

            explicitly override permissions from group, if it's False it will

            compute the decision

        """

        user_id = user.user_id

        user_is_admin = user.is_admin

        user_inherit_default_permissions = user.inherit_default_permissions

        log.debug('Getting PERMISSION tree')

        compute = conditional_cache('short_term', 'cache_desc',

                                    condition=cache, func=_cached_perms_data)

        return compute(user_id, user_is_admin,

                       user_inherit_default_permissions, explicit)

    def _get_api_keys(self):

        api_keys = [self.api_key]

        for api_key in UserApiKeys.query() \

                .filter_by(user_id=self.user_id, is_expired=False):

            api_keys.append(api_key.api_key)

        return api_keys

    @property

    def is_admin(self):

        return self.admin

    @property

    def repositories_admin(self):

        """

        Returns list of repositories you're an admin of

        """

        return [x[0] for x in self.permissions['repositories'].iteritems()

                if x[1] == 'repository.admin']

    @property

    def repository_groups_admin(self):

        """

        Returns list of repository groups you're an admin of

        """

        return [x[0] for x in self.permissions['repositories_groups'].iteritems()

                if x[1] == 'group.admin']

    @property

    def user_groups_admin(self):

        """

        Returns list of user groups you're an admin of

        """

        return [x[0] for x in self.permissions['user_groups'].iteritems()

                if x[1] == 'usergroup.admin']

    @staticmethod

    def check_ip_allowed(user, ip_addr):

        """

        Check if the given IP address (a `str`) is allowed for the given

        user (an `AuthUser` or `db.User`).

        """

        allowed_ips = AuthUser.get_allowed_ips(user.user_id, cache=True,

            inherit_from_default=user.inherit_default_permissions)

        if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):

            log.debug('IP:%s is in range of %s', ip_addr, allowed_ips)

            return True

        else:

            log.info('Access for IP:%s forbidden, '

                     'not in %s' % (ip_addr, allowed_ips))

            return False

    def __repr__(self):

        return "<AuthUser('id:%s[%s] auth:%s')>" \

            % (self.user_id, self.username, (self.is_authenticated or self.is_default_user))

    def to_cookie(self):

        """ Serializes this login session to a cookie `dict`. """

        return {

            'user_id': self.user_id,

            'is_external_auth': self.is_external_auth,

        }

    @staticmethod

    def from_cookie(cookie):

        """

        Deserializes an `AuthUser` from a cookie `dict`.

        """

        au = AuthUser(

            user_id=cookie.get('user_id'),

            is_external_auth=cookie.get('is_external_auth', False),

        )

        au.is_authenticated = True

        return au

    @classmethod

    def get_allowed_ips(cls, user_id, cache=False, inherit_from_default=False):

        _set = set()

        if inherit_from_default:

            default_ips = UserIpMap.query().filter(UserIpMap.user_id ==

                                            User.get_default_user(cache=True).user_id)

            if cache:

                default_ips = default_ips.options(FromCache("sql_cache_short",

                                                  "get_user_ips_default"))

            # populate from default user

            for ip in default_ips:

                try:

                    _set.add(ip.ip_addr)

                except ObjectDeletedError:

                    # since we use heavy caching sometimes it happens that we get

                    # deleted objects here, we just skip them

                    pass

        user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)

        if cache:

            user_ips = user_ips.options(FromCache("sql_cache_short",

                                                  "get_user_ips_%s" % user_id))

        for ip in user_ips:

            try:

                _set.add(ip.ip_addr)

            except ObjectDeletedError:

                # since we use heavy caching sometimes it happens that we get

                # deleted objects here, we just skip them

                pass

        return _set or set(['0.0.0.0/0', '::/0'])

def set_available_permissions(config):

    """

    This function will propagate globals with all available defined

    permission given in db. We don't want to check each time from db for new

    permissions since adding a new permission also requires application restart

    ie. to decorate new views with the newly created permission

    :param config: current config instance

    """

    log.info('getting information about all available permissions')

    try:

        all_perms = Session().query(Permission).all()

        config['available_permissions'] = [x.permission_name for x in all_perms]

    finally:

        Session.remove()

#==============================================================================

# CHECK DECORATORS

#==============================================================================

def _redirect_to_login(message=None):

    """Return an exception that must be raised. It will redirect to the login

    page which will redirect back to the current URL after authentication.

    The optional message will be shown in a flash message."""

    from kallithea.lib import helpers as h

    if message:

    p = request.path_qs

    log.debug('Redirecting to login page, origin: %s', p)

    return HTTPFound(location=url('login_home', came_from=p))

# Use as decorator

class LoginRequired(object):

    """Client must be logged in as a valid User, or we'll redirect to the login

    page.

    If the "default" user is enabled and allow_default_user is true, that is

    considered valid too.

    Also checks that IP address is allowed, and if using API key instead

    of regular cookie authentication, checks that API key access is allowed

    (based on `api_access` parameter and the API view whitelist).

    """

    def __init__(self, api_access=False, allow_default_user=False):

        self.api_access = api_access

        self.allow_default_user = allow_default_user

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        controller = fargs[0]

        user = request.authuser

        loc = "%s:%s" % (controller.__class__.__name__, func.__name__)

        log.debug('Checking access for user %s @ %s', user, loc)

        # Check if we used an API key to authenticate.

        api_key = user.authenticating_api_key

        if api_key is not None:

            # Check that controller is enabled for API key usage.

            if not self.api_access and not allowed_api_access(loc, api_key=api_key):

                # controller does not allow API access

                log.warning('API access to %s is not allowed', loc)

                raise HTTPForbidden()

            log.info('user %s authenticated with API key ****%s @ %s',

                     user, api_key[-4:], loc)

            return func(*fargs, **fkwargs)

        # CSRF protection: Whenever a request has ambient authority (whether

        # through a session cookie or its origin IP address), it must include

        # the correct token, unless the HTTP method is GET or HEAD (and thus

        # guaranteed to be side effect free. In practice, the only situation

        # where we allow side effects without ambient authority is when the

        # authority comes from an API key; and that is handled above.

        if request.method not in ['GET', 'HEAD']:

            token = request.POST.get(secure_form.token_key)

            if not token or token != secure_form.authentication_token():

                log.error('CSRF check failed')

                raise HTTPForbidden()

        # regular user authentication

        if user.is_authenticated:

            log.info('user %s authenticated with regular auth @ %s', user, loc)

            return func(*fargs, **fkwargs)

        elif user.is_default_user:

            if self.allow_default_user:

                log.info('default user @ %s', loc)

                return func(*fargs, **fkwargs)

            log.info('default user is not accepted here @ %s', loc)

        else:

            log.warning('user %s NOT authenticated with regular auth @ %s', user, loc)

        raise _redirect_to_login()

# Use as decorator

class NotAnonymous(object):

    """Ensures that client is not logged in as the "default" user, and

    redirects to the login page otherwise. Must be used together with

    LoginRequired."""

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        cls = fargs[0]

        user = request.authuser

        log.debug('Checking that user %s is not anonymous @%s', user.username, cls)

        if user.is_default_user:

            raise _redirect_to_login(_('You need to be a registered user to '

                                       'perform this action'))

        else:

            return func(*fargs, **fkwargs)

class _PermsDecorator(object):

    """Base class for controller decorators with multiple permissions"""

    def __init__(self, *required_perms):

        self.required_perms = required_perms # usually very short - a list is thus fine

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        cls = fargs[0]

        user = request.authuser

        log.debug('checking %s permissions %s for %s %s',

          self.__class__.__name__, self.required_perms, cls, user)

        if self.check_permissions(user):

            log.debug('Permission granted for %s %s', cls, user)

            return func(*fargs, **fkwargs)

        else:

            log.info('Permission denied for %s %s', cls, user)

            if user.is_default_user:

                raise _redirect_to_login(_('You need to be signed in to view this page'))

            else:

                raise HTTPForbidden()

    def check_permissions(self, user):

        raise NotImplementedError()

class HasPermissionAnyDecorator(_PermsDecorator):

    """

    Checks the user has any of the given global permissions.