"""

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import logging

import traceback

import formencode

from formencode import htmlfill

from pylons import request, session, tmpl_context as c, url, config

from pylons.controllers.util import abort, redirect

from pylons.i18n.translation import _

from rhodecode.lib import helpers as h

from rhodecode.lib.utils2 import safe_unicode, str2bool, safe_int

from rhodecode.lib.auth import LoginRequired, HasPermissionAllDecorator,\

    HasUserGroupPermissionAnyDecorator, HasPermissionAnyDecorator

from rhodecode.lib.base import BaseController, render

from rhodecode.model.scm import UserGroupList

from rhodecode.model.users_group import UserGroupModel

from rhodecode.model.repo import RepoModel

from rhodecode.model.db import User, UserGroup, UserGroupToPerm,\

    UserGroupRepoToPerm, UserGroupRepoGroupToPerm

from rhodecode.model.forms import UserGroupForm, UserGroupPermsForm,\

    CustomDefaultPermissionsForm

from rhodecode.model.meta import Session

from rhodecode.lib.utils import action_logger

from sqlalchemy.orm import joinedload

from webob.exc import HTTPInternalServerError

log = logging.getLogger(__name__)

class UsersGroupsController(BaseController):

    """REST Controller styled on the Atom Publishing Protocol"""

    # To properly map this controller, ensure your config/routing.py

    # file has a resource setup:

    #     map.resource('users_group', 'users_groups')

        for gr in ugroup_repo_perms:

            c.users_group.permissions['repositories'][gr.repository.repo_name]  \

                = gr.permission.permission_name

        ugroup_group_perms = UserGroupRepoGroupToPerm.query()\

            .options(joinedload(UserGroupRepoGroupToPerm.permission))\

            .options(joinedload(UserGroupRepoGroupToPerm.group))\

            .filter(UserGroupRepoGroupToPerm.users_group_id == user_group_id)\

            .all()

        for gr in ugroup_group_perms:

            c.users_group.permissions['repositories_groups'][gr.group.group_name] \

                = gr.permission.permission_name

        c.group_members_obj = sorted((x.user for x in c.users_group.members),

                                     key=lambda u: u.username.lower())

        c.group_members = [(x.user_id, x.username) for x in c.group_members_obj]

        c.available_members = sorted(((x.user_id, x.username) for x in

                                      User.query().all()),

                                     key=lambda u: u[1].lower())

        repo_model = RepoModel()

        c.users_array = repo_model.get_users_js()

        c.available_permissions = config['available_permissions']

    def __load_defaults(self, user_group_id):

        """

        Load defaults settings for edit, and update

        :param user_group_id:

        """

        user_group = UserGroup.get_or_404(user_group_id)

        data = user_group.get_dict()

        ug_model = UserGroupModel()

        data.update({

            'create_repo_perm': ug_model.has_perm(user_group,

                                                  'hg.create.repository'),

            'create_user_group_perm': ug_model.has_perm(user_group,

                                                  'hg.usergroup.create.true'),

            'fork_repo_perm': ug_model.has_perm(user_group,

                                                'hg.fork.repository'),

        })

        # fill user group users

        for p in user_group.user_user_group_to_perm:

            data.update({'u_perm_%s' % p.user.username:

                             p.permission.permission_name})

        return data

    def index(self, format='html'):

        """GET /users_groups: All items in the collection"""

        # url('users_groups')

        group_iter = UserGroupList(UserGroup().query().all(),

                                   perm_set=['usergroup.admin'])

        sk = lambda g: g.users_group_name

        c.users_groups_list = sorted(group_iter, key=sk)

        return render('admin/users_groups/users_groups.html')

    @HasPermissionAnyDecorator('hg.admin', 'hg.usergroup.create.true')

    def create(self):

        """POST /users_groups: Create a new item"""

        # url('users_groups')

        users_group_form = UserGroupForm()()

        try:

            form_result = users_group_form.to_python(dict(request.POST))

            UserGroupModel().create(name=form_result['users_group_name'],

                                    owner=self.rhodecode_user.user_id,

                                    active=form_result['users_group_active'])

        usr_gr = UserGroup.get_or_404(id)

        try:

            UserGroupModel().delete(usr_gr)

            Session().commit()

            h.flash(_('Successfully deleted user group'), category='success')

        except UserGroupsAssignedException, e:

            h.flash(e, category='error')

        except Exception:

            log.error(traceback.format_exc())

            h.flash(_('An error occurred during deletion of user group'),

                    category='error')

        return redirect(url('users_groups'))

    @HasUserGroupPermissionAnyDecorator('usergroup.admin')

    def set_user_group_perm_member(self, id):

        """

        grant permission for given usergroup

        :param id:

        """

        user_group = UserGroup.get_or_404(id)

        form = UserGroupPermsForm()().to_python(request.POST)

        # set the permissions !

        #TODO: implement this

        #action_logger(self.rhodecode_user, 'admin_changed_repo_permissions',

        #              repo_name, self.ip_addr, self.sa)

        Session().commit()

        h.flash(_('User Group permissions updated'), category='success')

        return redirect(url('edit_users_group', id=id))

    @HasUserGroupPermissionAnyDecorator('usergroup.admin')

    def delete_user_group_perm_member(self, id):

        """

        DELETE an existing repository group permission user

        :param group_name:

        """

        try:

            obj_type = request.POST.get('obj_type')

            obj_id = None

            if obj_type == 'user':

                obj_id = safe_int(request.POST.get('user_id'))

            elif obj_type == 'user_group':

                obj_id = safe_int(request.POST.get('user_group_id'))

            if not c.rhodecode_user.is_admin:

                if obj_type == 'user' and c.rhodecode_user.user_id == obj_id:

                    msg = _('Cannot revoke permission for yourself as admin')

                    h.flash(msg, category='warning')

                    raise Exception('revoke admin permission on self')

            if obj_type == 'user':

                UserGroupModel().revoke_user_permission(user_group=id,

                                                        user=obj_id)

            elif obj_type == 'user_group':

            Session().commit()

        except Exception:

            log.error(traceback.format_exc())

            h.flash(_('An error occurred during revoking of permission'),

                    category='error')

            raise HTTPInternalServerError()

    def show(self, id, format='html'):

        """GET /users_groups/id: Show a specific item"""

        # url('users_group', id=ID)

    @HasUserGroupPermissionAnyDecorator('usergroup.admin')

    def edit(self, id, format='html'):

        """GET /users_groups/id/edit: Form to edit an existing item"""

        # url('edit_users_group', id=ID)

        c.users_group = UserGroup.get_or_404(id)

        self.__load_data(id)

        defaults = self.__load_defaults(id)

        return htmlfill.render(

            render('admin/users_groups/users_group_edit.html'),

            defaults=defaults,

class LdapImportError(Exception):

    pass

class DefaultUserException(Exception):

    pass

class UserOwnsReposException(Exception):

    pass

class UserGroupsAssignedException(Exception):

    pass

class StatusChangeOnClosedPullRequestError(Exception):

    pass

class AttachedForksError(Exception):

    pass

class HTTPLockedRC(HTTPClientError):

    """

    Special Exception For locked Repos in RhodeCode, the return code can

    be overwritten by _code keyword argument passed into constructors

    """

    code = 423

    title = explanation = 'Repository Locked'

    def __init__(self, reponame, username, *args, **kwargs):

        from rhodecode import CONFIG

        from rhodecode.lib.utils2 import safe_int

        _code = CONFIG.get('lock_ret_code')

        self.code = safe_int(_code, self.code)

        self.title = self.explanation = ('Repository `%s` locked by '

                                         'user `%s`' % (reponame, username))

        super(HTTPLockedRC, self).__init__(*args, **kwargs)

class NodeAlreadyChangedError(CommitError):

    pass

class NodeDoesNotExistError(CommitError):

    pass

class NodeNotChangedError(CommitError):

    pass

class NodeAlreadyAddedError(CommitError):

    pass

class NodeAlreadyRemovedError(CommitError):

    pass

class ImproperArchiveTypeError(VCSError):

    pass

class CommandError(VCSError):

    pass

        return datetime.date(*self.action_date.timetuple()[:3])

    user = relationship('User')

    repository = relationship('Repository', cascade='')

class UserGroup(Base, BaseModel):

    __tablename__ = 'users_groups'

    __table_args__ = (

        {'extend_existing': True, 'mysql_engine': 'InnoDB',

         'mysql_charset': 'utf8'},

    )

    users_group_id = Column("users_group_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)

    users_group_name = Column("users_group_name", String(255, convert_unicode=False, assert_unicode=None), nullable=False, unique=True, default=None)

    users_group_active = Column("users_group_active", Boolean(), nullable=True, unique=None, default=None)

    inherit_default_permissions = Column("users_group_inherit_default_permissions", Boolean(), nullable=False, unique=None, default=True)

    user_id = Column("user_id", Integer(), ForeignKey('users.user_id'), nullable=False, unique=False, default=None)

    members = relationship('UserGroupMember', cascade="all, delete, delete-orphan", lazy="joined")

    users_group_to_perm = relationship('UserGroupToPerm', cascade='all')

    users_group_repo_to_perm = relationship('UserGroupRepoToPerm', cascade='all')

    users_group_repo_group_to_perm = relationship('UserGroupRepoGroupToPerm', cascade='all')

    user_user_group_to_perm = relationship('UserUserGroupToPerm ', cascade='all')

    user = relationship('User')

    def __unicode__(self):

        return u"<%s('id:%s:%s')>" % (self.__class__.__name__,

                                      self.users_group_id,

                                      self.users_group_name)

    @classmethod

    def get_by_group_name(cls, group_name, cache=False,

                          case_insensitive=False):

        if case_insensitive:

            q = cls.query().filter(cls.users_group_name.ilike(group_name))

        else:

            q = cls.query().filter(cls.users_group_name == group_name)

        if cache:

            q = q.options(FromCache(

                            "sql_cache_short",

                            "get_user_%s" % _hash_key(group_name)

                          )

            )

        return q.scalar()

    @classmethod

    def get(cls, users_group_id, cache=False):

    __table_args__ = (

        UniqueConstraint('repository_id', 'users_group_id', 'permission_id'),

        {'extend_existing': True, 'mysql_engine': 'InnoDB',

         'mysql_charset': 'utf8'}

    )

    users_group_to_perm_id = Column("users_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)

    users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)

    permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)

    repository_id = Column("repository_id", Integer(), ForeignKey('repositories.repo_id'), nullable=False, unique=None, default=None)

    users_group = relationship('UserGroup')

    permission = relationship('Permission')

    repository = relationship('Repository')

    @classmethod

    def create(cls, users_group, repository, permission):

        n = cls()

        n.users_group = users_group

        n.repository = repository

        n.permission = permission

        Session().add(n)

        return n

    def __unicode__(self):

class UserGroupUserGroupToPerm(Base, BaseModel):

    __tablename__ = 'user_group_user_group_to_perm'

    __table_args__ = (

        {'extend_existing': True, 'mysql_engine': 'InnoDB',

         'mysql_charset': 'utf8'}

    )

    permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)

    user_group_id = Column("user_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)

    permission = relationship('Permission')

    @classmethod

    def create(cls, target_user_group, user_group, permission):

        n = cls()

        n.target_user_group = target_user_group

        n.user_group = user_group

        n.permission = permission

        Session().add(n)

        return n

    def __unicode__(self):

class UserGroupToPerm(Base, BaseModel):

    __tablename__ = 'users_group_to_perm'

    __table_args__ = (

        UniqueConstraint('users_group_id', 'permission_id',),

        {'extend_existing': True, 'mysql_engine': 'InnoDB',

         'mysql_charset': 'utf8'}

    )

    users_group_to_perm_id = Column("users_group_to_perm_id", Integer(), nullable=False, unique=True, default=None, primary_key=True)

    users_group_id = Column("users_group_id", Integer(), ForeignKey('users_groups.users_group_id'), nullable=False, unique=None, default=None)

    permission_id = Column("permission_id", Integer(), ForeignKey('permissions.permission_id'), nullable=False, unique=None, default=None)

    users_group = relationship('UserGroup')

    permission = relationship('Permission')

class UserRepoGroupToPerm(Base, BaseModel):

    __tablename__ = 'user_repo_group_to_perm'

    __table_args__ = (

        UniqueConstraint('user_id', 'group_id', 'permission_id'),

        {'extend_existing': True, 'mysql_engine': 'InnoDB',

         'mysql_charset': 'utf8'}

    )

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import logging

import traceback

import itertools

import collections

from pylons import url

from pylons.i18n.translation import _

from sqlalchemy.exc import DatabaseError

from sqlalchemy.orm import joinedload

from rhodecode.lib.utils2 import safe_unicode, generate_api_key

from rhodecode.lib.caching_query import FromCache

from rhodecode.model import BaseModel

from rhodecode.model.db import User, UserRepoToPerm, Repository, Permission, \

    UserToPerm, UserGroupRepoToPerm, UserGroupToPerm, UserGroupMember, \

    Notification, RepoGroup, UserRepoGroupToPerm, UserGroupRepoGroupToPerm, \

from rhodecode.lib.exceptions import DefaultUserException, \

    UserOwnsReposException

from rhodecode.model.meta import Session

log = logging.getLogger(__name__)

PERM_WEIGHTS = Permission.PERM_WEIGHTS

class UserModel(BaseModel):

    cls = User

    def get(self, user_id, cache=False):

        user = self.sa.query(User)

        if cache:

            user = user.options(FromCache("sql_cache_short",

                                          "get_user_%s" % user_id))

        return user.get(user_id)

    def get_user(self, user):

        return self._get_user(user)

    def get_by_username(self, username, cache=False, case_insensitive=False):

            ##TODO: do this^^

            if not gr.inherit_default_permissions:

                # NEED TO IGNORE all configurable permissions and

                # replace them with explicitly set

                user.permissions[GLOBAL] = user.permissions[GLOBAL]\

                                                .difference(_configurable)

            for perm in perms:

                user.permissions[GLOBAL].add(perm.permission.permission_name)

        # user specific global permissions

        user_perms = self.sa.query(UserToPerm)\

                .options(joinedload(UserToPerm.permission))\

                .filter(UserToPerm.user_id == uid).all()

        if not user.inherit_default_permissions:

            # NEED TO IGNORE all configurable permissions and

            # replace them with explicitly set

            user.permissions[GLOBAL] = user.permissions[GLOBAL]\

                                            .difference(_configurable)

            for perm in user_perms:

                user.permissions[GLOBAL].add(perm.permission.permission_name)

        ## END GLOBAL PERMISSIONS

        #======================================================================

        # !! PERMISSIONS FOR REPOSITORIES !!

        #======================================================================

        #======================================================================

        # check if user is part of user groups for this repository and

        # fill in his permission from it. _choose_perm decides of which

        # permission should be selected based on selected method

        #======================================================================

        # user group for repositories permissions

        user_repo_perms_from_users_groups = \

         self.sa.query(UserGroupRepoToPerm, Permission, Repository,)\

            .join((Repository, UserGroupRepoToPerm.repository_id ==

                   Repository.repo_id))\

            .join((Permission, UserGroupRepoToPerm.permission_id ==

                   Permission.permission_id))\

            .join((UserGroupMember, UserGroupRepoToPerm.users_group_id ==

                   UserGroupMember.users_group_id))\

            .filter(UserGroupMember.user_id == uid)\

            .all()

        multiple_counter = collections.defaultdict(int)

        for perm in user_repo_perms_from_users_groups:

            r_k = perm.UserGroupRepoToPerm.repository.repo_name

        multiple_counter = collections.defaultdict(int)

        for perm in user_repo_group_perms_from_users_groups:

            g_k = perm.UserGroupRepoGroupToPerm.group.group_name

            multiple_counter[g_k] += 1

            p = perm.Permission.permission_name

            cur_perm = user.permissions[GK][g_k]

            if multiple_counter[g_k] > 1:

                p = _choose_perm(p, cur_perm)

            user.permissions[GK][g_k] = p

        # user explicit permissions for repository groups

        user_repo_groups_perms = Permission.get_default_group_perms(uid)

        for perm in user_repo_groups_perms:

            rg_k = perm.UserRepoGroupToPerm.group.group_name

            p = perm.Permission.permission_name

            cur_perm = user.permissions[GK][rg_k]

            if not explicit:

                p = _choose_perm(p, cur_perm)

            user.permissions[GK][rg_k] = p

        #======================================================================

        # !! PERMISSIONS FOR USER GROUPS !!

        #======================================================================

        #user explicit permission for user groups

        user_user_groups_perms = Permission.get_default_user_group_perms(uid)

        for perm in user_user_groups_perms:

            u_k = perm.UserUserGroupToPerm.user_group.users_group_name

            p = perm.Permission.permission_name

            cur_perm = user.permissions[UK][u_k]

            if not explicit:

                p = _choose_perm(p, cur_perm)

            user.permissions[UK][u_k] = p

        return user

    def has_perm(self, user, perm):

        perm = self._get_perm(perm)

        user = self._get_user(user)

        return UserToPerm.query().filter(UserToPerm.user == user)\

            .filter(UserToPerm.permission == perm).scalar() is not None

    def grant_perm(self, user, perm):

        """

        Grant user global permissions

        :param user:

    :created_on: Oct 1, 2011

    :author: nvinot

    :copyright: (C) 2011-2011 Nicolas Vinot <aeris@imirhil.fr>

    :copyright: (C) 2010-2012 Marcin Kuzminski <marcin@python-works.com>

    :license: GPLv3, see COPYING for more details.

"""

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import logging

import traceback

from rhodecode.model import BaseModel

from rhodecode.model.db import UserGroupMember, UserGroup,\

log = logging.getLogger(__name__)

class UserGroupModel(BaseModel):

    cls = UserGroup

    def _get_user_group(self, users_group):

        return self._get_instance(UserGroup, users_group,

                                  callback=UserGroup.get_by_group_name)

    def _create_default_perms(self, user_group):

        # create default permission

        default_perm = 'usergroup.read'

        def_user = User.get_default_user()

        for p in def_user.user_perms:

            if p.permission.permission_name.startswith('usergroup.'):

                default_perm = p.permission.permission_name

                break

        user_group_to_perm = UserUserGroupToPerm()

        user_group_to_perm.permission = Permission.get_by_key(default_perm)

        user_group_to_perm.user_group = user_group

        user_group_to_perm.user_id = def_user.user_id

        return user_group_to_perm

    def _update_permissions(self, user_group, perms_new=None,

                            perms_updates=None):

        if not perms_new:

            perms_new = []

        if not perms_updates:

            perms_updates = []

        # update permissions

        for member, perm, member_type in perms_updates:

            if member_type == 'user':

                # this updates existing one

                self.grant_user_permission(

                    user_group=user_group, user=member, perm=perm

                )

            else:

                self.grant_users_group_permission(

                )

        # set new permissions

        for member, perm, member_type in perms_new:

            if member_type == 'user':

                self.grant_user_permission(

                    user_group=user_group, user=member, perm=perm

                )

            else:

                self.grant_users_group_permission(

                )

    def get(self, users_group_id, cache=False):

        return UserGroup.get(users_group_id)

    def get_group(self, users_group):

        return self._get_user_group(users_group)

    def get_by_name(self, name, cache=False, case_insensitive=False):

        return UserGroup.get_by_group_name(name, cache, case_insensitive)

    def create(self, name, owner, active=True):

        try:

            new_user_group = UserGroup()

            new_user_group.user = self._get_user(owner)

            new_user_group.users_group_name = name

            new_user_group.users_group_active = active

            self.sa.add(new_user_group)

            perm_obj = self._create_default_perms(new_user_group)

            self.sa.add(perm_obj)

            self.grant_user_permission(user_group=new_user_group,

                                       user=owner, perm='usergroup.admin')

        obj.permission = permission

        self.sa.add(obj)

        log.debug('Granted perm %s to %s on %s' % (perm, user, user_group))

    def revoke_user_permission(self, user_group, user):

        """

        Revoke permission for user on given repository group

        :param user_group: Instance of ReposGroup, repositories_group_id,

            or repositories_group name

        :param user: Instance of User, user_id or username

        """

        user_group = self._get_user_group(user_group)

        user = self._get_user(user)

        obj = self.sa.query(UserUserGroupToPerm)\

            .filter(UserUserGroupToPerm.user == user)\

            .filter(UserUserGroupToPerm.user_group == user_group)\

            .scalar()

        if obj:

            self.sa.delete(obj)

            log.debug('Revoked perm on %s on %s' % (user_group, user))

            </td>

            <td>

            </td>

            %endif

        </tr>

    %endfor

    ## USER GROUPS

    %for g2p in c.repos_group.users_group_to_perm:

        <tr id="id${id(g2p.users_group.users_group_name)}">

            <td>${h.radio('g_perm_%s' % g2p.users_group.users_group_name,'group.none')}</td>

            <td>${h.radio('g_perm_%s' % g2p.users_group.users_group_name,'group.read')}</td>

            <td>${h.radio('g_perm_%s' % g2p.users_group.users_group_name,'group.write')}</td>

            <td>${h.radio('g_perm_%s' % g2p.users_group.users_group_name,'group.admin')}</td>

            <td style="white-space: nowrap;">

                <img class="perm-gravatar" src="${h.url('/images/icons/group.png')}"/>${g2p.users_group.users_group_name}

            </td>

            <td>

                <span class="delete_icon action_button" onclick="ajaxActionRevoke(${g2p.users_group.users_group_id}, 'user_group', '${'id%s'%id(g2p.users_group.users_group_name)}')">

                ${_('revoke')}

                </span>

            </td>

        </tr>

    %endfor

    _tmpl = h.literal("""' \

        <td><input type="radio" value="group.none" name="perm_new_member_{0}" id="perm_new_member_{0}"></td> \

        <td><input type="radio" value="group.read" name="perm_new_member_{0}" id="perm_new_member_{0}"></td> \

        <td><input type="radio" value="group.write" name="perm_new_member_{0}" id="perm_new_member_{0}"></td> \

        <td><input type="radio" value="group.admin" name="perm_new_member_{0}" id="perm_new_member_{0}"></td> \

        <td class="ac"> \

            <div class="perm_ac" id="perm_ac_{0}"> \

                <input class="yui-ac-input" id="perm_new_member_name_{0}" name="perm_new_member_name_{0}" value="" type="text"> \

                <input id="perm_new_member_type_{0}" name="perm_new_member_type_{0}" value="" type="hidden">  \

                <div id="perm_container_{0}"></div> \

            </div> \

        </td> \

        <td></td>'""")

    %>

    ## ADD HERE DYNAMICALLY NEW INPUTS FROM THE '_tmpl'

    <tr class="new_members last_new_member" id="add_perm_input"></tr>

    <tr>

        <td colspan="6">

            <span id="add_perm" class="add_icon" style="cursor: pointer;">

            ${_('Add another member')}

            </span>

        </td>

    </tr>

    <tr>