# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""

Authentication modules

"""

import logging

import traceback

import importlib

from kallithea.lib.utils2 import str2bool

from kallithea.lib.compat import formatted_json, hybrid_property

from kallithea.lib.auth import PasswordGenerator

from kallithea.model.user import UserModel

from kallithea.model.db import Setting, User

from kallithea.model.meta import Session

from kallithea.model.user_group import UserGroupModel

log = logging.getLogger(__name__)

class LazyFormencode(object):

    def __init__(self, formencode_obj, *args, **kwargs):

        self.formencode_obj = formencode_obj

        self.args = args

        self.kwargs = kwargs

    def __call__(self, *args, **kwargs):

        from inspect import isfunction

        formencode_obj = self.formencode_obj

        if isfunction(formencode_obj):

            # case we wrap validators into functions

            formencode_obj = self.formencode_obj(*args, **kwargs)

        return formencode_obj(*self.args, **self.kwargs)

class KallitheaAuthPluginBase(object):

    auth_func_attrs = {

        "username": "unique username",

        "firstname": "first name",

        "lastname": "last name",

        "email": "email address",

        "groups": '["list", "of", "groups"]',

        "extern_name": "name in external source of record",

        "admin": 'True|False defines if user should be Kallithea admin',

        "active": 'True|False defines active state of user in Kallithea',

    }

    @property

    def validators(self):

        """

        Exposes Kallithea validators modules

        """

        # this is a hack to overcome issues with pylons threadlocals and

        # translator object _() not being registered properly.

        class LazyCaller(object):

            def __init__(self, name):

                self.validator_name = name

            def __call__(self, *args, **kwargs):

                from kallithea.model import validators as v

                obj = getattr(v, self.validator_name)

                #log.debug('Initializing lazy formencode object: %s', obj)

                return LazyFormencode(obj, *args, **kwargs)

        class ProxyGet(object):

            def __getattribute__(self, name):

                return LazyCaller(name)

        return ProxyGet()

    @hybrid_property

    def name(self):

        """

        Returns the name of this authentication plugin.

        :returns: string

        """

        raise NotImplementedError("Not implemented in base class")

    @hybrid_property

    def is_container_auth(self):

        """

        Returns bool if this module uses container auth.

        This property will trigger an automatic call to authenticate on

        a visit to the website or during a push/pull.

        :returns: bool

        """

        return False

    def accepts(self, user, accepts_empty=True):

        """

        and a settings object (containing all the keys needed as listed in settings()),

        authenticate this user's login attempt.

        Return None on failure. On success, return a dictionary with keys from

        KallitheaAuthPluginBase.auth_func_attrs.

        This is later validated for correctness.

        """

        raise NotImplementedError("not implemented in base class")

    def _authenticate(self, userobj, username, passwd, settings, **kwargs):

        """

        Wrapper to call self.auth() that validates call on it

        :param userobj: userobj

        :param username: username

        :param passwd: plaintext password

        :param settings: plugin settings

        """

        user_data = self.auth(userobj, username, passwd, settings, **kwargs)

        if user_data is not None:

            return self._validate_auth_return(user_data)

        return None

    def _validate_auth_return(self, user_data):

        if not isinstance(user_data, dict):

            raise Exception('returned value from auth must be a dict')

        for k in self.auth_func_attrs:

            if k not in user_data:

                raise Exception('Missing %s attribute from returned data' % k)

        return user_data

class KallitheaExternalAuthPlugin(KallitheaAuthPluginBase):

    def use_fake_password(self):

        """

        Return a boolean that indicates whether or not we should set the user's

        password to a random value when it is authenticated by this plugin.

        If your plugin provides authentication, then you will generally want this.

        :returns: boolean

        """

        raise NotImplementedError("Not implemented in base class")

    def _authenticate(self, userobj, username, passwd, settings, **kwargs):

        user_data = super(KallitheaExternalAuthPlugin, self)._authenticate(

            userobj, username, passwd, settings, **kwargs)

        if user_data is not None:

            if self.use_fake_password():

                # Randomize the PW because we don't need it, but don't want

                # them blank either

                passwd = PasswordGenerator().gen_password(length=8)

            log.debug('Updating or creating user info from %s plugin',

                      self.name)

            user = UserModel().create_or_update(

                password=passwd,

                email=user_data["email"],

                firstname=user_data["firstname"],

                lastname=user_data["lastname"],

                active=user_data["active"],

                admin=user_data["admin"],

                extern_name=user_data["extern_name"],

                extern_type=self.name

            )

            # enforce user is just in given groups, all of them has to be ones

            # created from plugins. We store this info in _group_data JSON field

            groups = user_data['groups'] or []

            UserGroupModel().enforce_groups(user, groups, self.name)

            Session().commit()

        return user_data

def loadplugin(plugin):

    """

    Imports, instantiates, and returns the authentication plugin in the module named by plugin

    (e.g., plugin='kallithea.lib.auth_modules.auth_internal'). Returns an instance of the

    KallitheaAuthPluginBase subclass on success, raises exceptions on failure.

    raises:

        AttributeError -- no KallitheaAuthPlugin class in the module

        TypeError -- if the KallitheaAuthPlugin is not a subclass of ours KallitheaAuthPluginBase

        ImportError -- if we couldn't import the plugin at all

    """

    log.debug("Importing %s", plugin)

    if not plugin.startswith(u'kallithea.lib.auth_modules.auth_'):

        parts = plugin.split(u'.lib.auth_modules.auth_', 1)

        if len(parts) == 2:

            _module, pn = parts

            plugin = u'kallithea.lib.auth_modules.auth_' + pn

    PLUGIN_CLASS_NAME = "KallitheaAuthPlugin"

    try:

        module = importlib.import_module(plugin)

    except (ImportError, TypeError):

        log.error(traceback.format_exc())

        # TODO: make this more error prone, if by some accident we screw up

        # the plugin name, the crash is pretty bad and hard to recover

        raise

    log.debug("Loaded auth plugin from %s (module:%s, file:%s)",

              plugin, module.__name__, module.__file__)

    pluginclass = getattr(module, PLUGIN_CLASS_NAME)

    if not issubclass(pluginclass, KallitheaAuthPluginBase):

        Return None on failure. On success, return a dictionary of the form:

            see: KallitheaAuthPluginBase.auth_func_attrs

        :param userobj:

        :param username:

        :param password:

        :param settings:

        :param kwargs:

        """

        environ = kwargs.get('environ')

        if not environ:

            log.debug('Empty environ data skipping...')

            return None

        if not userobj:

            userobj = self.get_user('', environ=environ, settings=settings)

        # we don't care passed username/password for container auth plugins.

        # only way to log in is using environ

        username = None

        if userobj:

            username = safe_str(getattr(userobj, 'username'))

        if not username:

            # we don't have any objects in DB, user doesn't exist, extract

            # username from environ based on the settings

            username = self._get_username(environ, settings)

        # if cannot fetch username, it's a no-go for this plugin to proceed

        if not username:

            return None

        # old attrs fetched from Kallithea database

        admin = getattr(userobj, 'admin', False)

        active = getattr(userobj, 'active', True)

        email = environ.get(settings.get('email_header'), getattr(userobj, 'email', ''))

        firstname = environ.get(settings.get('firstname_header'), getattr(userobj, 'firstname', ''))

        lastname = environ.get(settings.get('lastname_header'), getattr(userobj, 'lastname', ''))

        user_data = {

            'username': username,

            'firstname': safe_unicode(firstname or username),

            'lastname': safe_unicode(lastname or ''),

            'groups': [],

            'email': email or '',

            'admin': admin or False,

            'active': active,

            'extern_name': username,

        }

        log.info('user `%s` authenticated correctly', user_data['username'])

        return user_data

    def get_managed_fields(self):

        fields = ['username', 'password']

        if(Setting.get_by_name('auth_container_email_header').app_settings_value):

            fields.append('email')

        if(Setting.get_by_name('auth_container_firstname_header').app_settings_value):

            fields.append('firstname')

        if(Setting.get_by_name('auth_container_lastname_header').app_settings_value):

            fields.append('lastname')

        return fields

                "formname": "Application Name"

            },

            {

                "name": "app_password",

                "validator": self.validators.UnicodeString(strip=True),

                "type": "string",

                "description": "The password to authenticate to CROWD",

                "default": "",

                "formname": "Application Password"

            },

            {

                "name": "admin_groups",

                "validator": self.validators.UnicodeString(strip=True),

                "type": "string",

                "description": "A comma separated list of group names that identify users as Kallithea Administrators",

                "formname": "Admin Groups"

            }

        ]

        return settings

    def use_fake_password(self):

        return True

    def user_activation_state(self):

        def_user_perms = User.get_default_user().AuthUser.permissions['global']

        return 'hg.extern_activate.auto' in def_user_perms

    def auth(self, userobj, username, password, settings, **kwargs):

        """

        Given a user object (which may be null), username, a plaintext password,

        and a settings object (containing all the keys needed as listed in settings()),

        authenticate this user's login attempt.

        Return None on failure. On success, return a dictionary of the form:

            see: KallitheaAuthPluginBase.auth_func_attrs

        This is later validated for correctness

        """

        if not username or not password:

            log.debug('Empty username or password skipping...')

            return None

        log.debug("Crowd settings: \n%s", formatted_json(settings))

        server = CrowdServer(**settings)

        server.set_credentials(settings["app_name"], settings["app_password"])

        crowd_user = server.user_auth(username, password)

        log.debug("Crowd returned: \n%s", formatted_json(crowd_user))

        if not crowd_user["status"]:

            return None

        res = server.user_groups(crowd_user["name"])

        log.debug("Crowd groups: \n%s", formatted_json(res))

        crowd_user["groups"] = [x["name"] for x in res["groups"]]

        # old attrs fetched from Kallithea database

        admin = getattr(userobj, 'admin', False)

        active = getattr(userobj, 'active', True)

        email = getattr(userobj, 'email', '')

        firstname = getattr(userobj, 'firstname', '')

        lastname = getattr(userobj, 'lastname', '')

        user_data = {

            'username': crowd_user["name"] or username,

            'firstname': crowd_user["first-name"] or firstname,

            'lastname': crowd_user["last-name"] or lastname,

            'groups': crowd_user["groups"],

            'email': crowd_user["email"] or email,

            'admin': admin,

            'active': active,

            'extern_name': crowd_user["name"],

        }

        # set an admin if we're in admin_groups of crowd

        for group in settings["admin_groups"].split(","):

            if group in user_data["groups"]:

                user_data["admin"] = True

        log.debug("Final crowd user object: \n%s", formatted_json(user_data))

        log.info('user %s authenticated correctly', user_data['username'])

        return user_data

    def get_managed_fields(self):

        return ['username', 'firstname', 'lastname', 'email', 'password']

log = logging.getLogger(__name__)

class KallitheaAuthPlugin(auth_modules.KallitheaAuthPluginBase):

    def __init__(self):

        pass

    @hybrid_property

    def name(self):

        # Also found as kallithea.lib.model.db.User.DEFAULT_AUTH_TYPE

        return 'internal'

    def settings(self):

        return []

    def user_activation_state(self):

        def_user_perms = User.get_default_user().AuthUser.permissions['global']

        return 'hg.register.auto_activate' in def_user_perms

    def accepts(self, user, accepts_empty=True):

        """

        Custom accepts for this auth that doesn't accept empty users. We

        know that user exists in database.

        """

        return super(KallitheaAuthPlugin, self).accepts(user,

                                                        accepts_empty=False)

    def auth(self, userobj, username, password, settings, **kwargs):

        if not userobj:

            log.debug('userobj was:%s skipping', userobj)

            return None

        if userobj.extern_type != self.name:

            log.warning("userobj:%s extern_type mismatch got:`%s` expected:`%s`",

                     userobj, userobj.extern_type, self.name)

            return None

        if not username:

            log.debug('Empty username - skipping...')

            return None

        user_data = {

            "username": userobj.username,

            "firstname": userobj.firstname,

            "lastname": userobj.lastname,

            "groups": [],

            "email": userobj.email,

            "admin": userobj.admin,

            "active": userobj.active,

            "extern_name": userobj.user_id,

        }

        log.debug(formatted_json(user_data))

        if userobj.active:

            from kallithea.lib import auth

            password_match = auth.check_password(password, userobj.password)

            if userobj.is_default_user and userobj.active:

                log.info('user %s authenticated correctly as anonymous user',

                         username)

                return user_data

            elif userobj.username == username and password_match:

                log.info('user %s authenticated correctly', user_data['username'])

                return user_data

            log.error("user %s had a bad password", username)

            return None

        else:

            log.warning('user %s tried auth but is disabled', username)

            return None

    def get_managed_fields(self):

        # Note: 'username' should only be editable (at least for user) if self registration is enabled

        return []

        if not username or not password:

            log.debug('Empty username or password skipping...')

            return None

        kwargs = {

            'server': settings.get('host', ''),

            'base_dn': settings.get('base_dn', ''),

            'port': settings.get('port'),

            'bind_dn': settings.get('dn_user'),

            'bind_pass': settings.get('dn_pass'),

            'tls_kind': settings.get('tls_kind'),

            'tls_reqcert': settings.get('tls_reqcert'),

            'cacertdir': settings.get('cacertdir'),

            'ldap_filter': settings.get('filter'),

            'search_scope': settings.get('search_scope'),

            'attr_login': settings.get('attr_login'),

            'ldap_version': 3,

        }

        if kwargs['bind_dn'] and not kwargs['bind_pass']:

            log.debug('Using dynamic binding.')

            kwargs['bind_dn'] = kwargs['bind_dn'].replace('$login', username)

            kwargs['bind_pass'] = password

        log.debug('Checking for ldap authentication')

        try:

            aldap = AuthLdap(**kwargs)

            (user_dn, ldap_attrs) = aldap.authenticate_ldap(username, password)

            log.debug('Got ldap DN response %s', user_dn)

            get_ldap_attr = lambda k: ldap_attrs.get(settings.get(k), [''])[0]

            # old attrs fetched from Kallithea database

            admin = getattr(userobj, 'admin', False)

            active = getattr(userobj, 'active', self.user_activation_state())

            email = getattr(userobj, 'email', '')

            firstname = getattr(userobj, 'firstname', '')

            lastname = getattr(userobj, 'lastname', '')

            user_data = {

                'username': username,

                'firstname': safe_unicode(get_ldap_attr('attr_firstname') or firstname),

                'lastname': safe_unicode(get_ldap_attr('attr_lastname') or lastname),

                'groups': [],

                'email': get_ldap_attr('attr_email') or email,

                'admin': admin,

                'active': active,

                'extern_name': user_dn,

            }

            log.info('user %s authenticated correctly', user_data['username'])

            return user_data

        except LdapUsernameError:

            log.info('Error authenticating %s with LDAP: User not found', username)

        except LdapPasswordError:

            log.info('Error authenticating %s with LDAP: Password error', username)

        except LdapImportError:

            log.error('Error authenticating %s with LDAP: LDAP not available', username)

        return None

    def get_managed_fields(self):

        return ['username', 'firstname', 'lastname', 'email', 'password']

                "description": "Regex for extracting user name/email etc "

                               "from Unix userinfo",

                "default": "(?P<last_name>.+),\s*(?P<first_name>\w+)",

                "formname": "Gecos Regex"

            }

        ]

        return settings

    def use_fake_password(self):

        return True

    def auth(self, userobj, username, password, settings, **kwargs):

        if not username:

            log.debug('Empty username - skipping...')

            return None

        if username not in _auth_cache:

            # Need lock here, as PAM authentication is not thread safe

            _pam_lock.acquire()

            try:

                auth_result = pam_authenticate(username, password,

                                               settings["service"])

                # cache result only if we properly authenticated

                if auth_result:

                    _auth_cache[username] = time.time()

            finally:

                _pam_lock.release()

            if not auth_result:

                log.error("PAM was unable to authenticate user: %s", username)

                return None

        else:

            log.debug("Using cached auth for user: %s", username)

        # old attrs fetched from Kallithea database

        admin = getattr(userobj, 'admin', False)

        active = getattr(userobj, 'active', True)

        email = getattr(userobj, 'email', '') or "%s@%s" % (username, socket.gethostname())

        firstname = getattr(userobj, 'firstname', '')

        lastname = getattr(userobj, 'lastname', '')

        user_data = {

            'username': username,

            'firstname': firstname,

            'lastname': lastname,

            'groups': [g.gr_name for g in grp.getgrall() if username in g.gr_mem],

            'email': email,

            'admin': admin,

            'active': active,

            'extern_name': username,

        }

        try:

            user_pw_data = pwd.getpwnam(username)

            regex = settings["gecos"]

            match = re.search(regex, user_pw_data.pw_gecos)

            if match:

                user_data["firstname"] = match.group('first_name')

                user_data["lastname"] = match.group('last_name')

        except Exception:

            log.warning("Cannot extract additional info for PAM user %s", username)

            pass

        log.debug("pamuser: \n%s", formatted_json(user_data))

        log.info('user %s authenticated correctly', user_data['username'])

        return user_data

    def get_managed_fields(self):

        return ['username', 'password']