import formencode

import logging

import traceback

log = logging.getLogger(__name__)

class PermissionsController(BaseController):

    """REST Controller styled on the Atom Publishing Protocol"""

    # To properly map this controller, ensure your config/routing.py

    # file has a resource setup:

    #     map.resource('permission', 'permissions')

    @LoginRequired()

    @HasPermissionAllDecorator('hg.admin')

    def __before__(self):

        c.admin_user = session.get('admin_user')

        c.admin_username = session.get('admin_username')

        super(PermissionsController, self).__before__()

        self.perms_choices = [('repository.none', _('None'),),

                              ('repository.read', _('Read'),),

                              ('repository.write', _('Write'),),

                              ('repository.admin', _('Admin'),)]

        self.register_choices = [

            ('hg.register.manual_activate',

                            _('allowed with manual account activation')),

            ('hg.register.auto_activate',

                            _('allowed with automatic account activation')), ]

        self.create_choices = [('hg.create.none', _('Disabled')),

                               ('hg.create.repository', _('Enabled'))]

    def index(self, format='html'):

        """GET /permissions: All items in the collection"""

        # url('permissions')

    def create(self):

        """POST /permissions: Create a new item"""

        # url('permissions')

    def new(self, format='html'):

        """GET /permissions/new: Form to create a new item"""

        # url('new_permission')

    def update(self, id):

        """PUT /permissions/id: Update an existing item"""

        # Forms posted to this method should contain a hidden field:

    def delete(self, id):

        """DELETE /permissions/id: Delete an existing item"""

        # Forms posted to this method should contain a hidden field:

        #    <input type="hidden" name="_method" value="DELETE" />

        # Or using helpers:

        #    h.form(url('permission', id=ID),

        #           method='delete')

        # url('permission', id=ID)

    def show(self, id, format='html'):

        """GET /permissions/id: Show a specific item"""

        # url('permission', id=ID)

    def edit(self, id, format='html'):

        """GET /permissions/id/edit: Form to edit an existing item"""

        #url('edit_permission', id=ID)

        c.perms_choices = self.perms_choices

        c.register_choices = self.register_choices

        c.create_choices = self.create_choices

        if id == 'default':

                if p.permission.permission_name.startswith('repository.'):

                    defaults['default_perm'] = p.permission.permission_name

                if p.permission.permission_name.startswith('hg.register.'):

                    defaults['default_register'] = p.permission.permission_name

                if p.permission.permission_name.startswith('hg.create.'):

                    defaults['default_create'] = p.permission.permission_name

            return htmlfill.render(

                        render('admin/permissions/permissions.html'),

                        defaults=defaults,

                        encoding="UTF-8",

                        force_defaults=True,)

        else:

            return redirect(url('admin_home'))

            log.debug('Rescanning directories with destroy=%s', rm_obsolete)

            initial = HgModel().repo_scan(g.paths[0][1], g.baseui)

            for repo_name in initial.keys():

                invalidate_cache('get_repo_cached_%s' % repo_name)

            repo2db_mapper(initial, rm_obsolete)

            h.flash(_('Repositories successfully rescanned'), category='success')

        if setting_id == 'whoosh':

            repo_location = get_hg_ui_settings()['paths_root_path']

            full_index = request.POST.get('full_index', False)

            task = run_task(tasks.whoosh_index, repo_location, full_index)

            h.flash(_('Whoosh reindex task scheduled'), category='success')

        if setting_id == 'global':

            application_form = ApplicationSettingsForm()()

            try:

                form_result = application_form.to_python(dict(request.POST))

                try:

                    hgsettings1 = self.sa.query(RhodeCodeSettings)\

                    hgsettings1.app_settings_value = form_result['rhodecode_title']

                    hgsettings2 = self.sa.query(RhodeCodeSettings)\

                    hgsettings2.app_settings_value = form_result['rhodecode_realm']

                    self.sa.add(hgsettings1)

                    self.sa.add(hgsettings2)

                    self.sa.commit()

                    set_rhodecode_config(config)

                    h.flash(_('Updated application settings'),

                            category='success')

                except:

                    log.error(traceback.format_exc())

                    h.flash(_('error occurred during updating application settings'),

                            category='error')

                    self.sa.rollback()

            except formencode.Invalid, errors:

                return htmlfill.render(

                     render('admin/settings/settings.html'),

                     defaults=errors.value,

                     errors=errors.error_dict or {},

                     prefix_error=False,

        # url('user', id=ID)

        user_model = UserModel()

        try:

            user_model.delete(id)

            h.flash(_('sucessfully deleted user'), category='success')

        except DefaultUserException, e:

            h.flash(str(e), category='warning')

        except Exception:

            h.flash(_('An error occured during deletion of user'),

                    category='error')            

        return redirect(url('users'))

    def show(self, id, format='html'):

        """GET /users/id: Show a specific item"""

        # url('user', id=ID)

    def edit(self, id, format='html'):

        """GET /users/id/edit: Form to edit an existing item"""

        # url('edit_user', id=ID)

        c.user = self.sa.query(User).get(id)

        if not c.user:

            return redirect(url('users'))

        if c.user.username == 'default':

            return redirect(url('users'))

        defaults = c.user.__dict__

        return htmlfill.render(

            render('admin/users/user_edit.html'),

            defaults=defaults,

            encoding="UTF-8",

            force_defaults=False

        )    

"""

from formencode import htmlfill

from pylons import request, response, session, tmpl_context as c, url

from pylons.controllers.util import abort, redirect

from rhodecode.lib.auth import AuthUser, HasPermissionAnyDecorator

from rhodecode.lib.base import BaseController, render

import rhodecode.lib.helpers as h

from pylons.i18n.translation import _

from rhodecode.model.forms import LoginForm, RegisterForm, PasswordResetForm

from rhodecode.model.user import UserModel

import formencode

import logging

log = logging.getLogger(__name__)

class LoginController(BaseController):

    def __before__(self):

        super(LoginController, self).__before__()

    def index(self):

        #redirect if already logged in

        c.came_from = request.GET.get('came_from', None)

            return redirect(url('home'))

        if request.POST:

            #import Login Form validator class

            login_form = LoginForm()

            try:

                c.form_result = login_form.to_python(dict(request.POST))

                username = c.form_result['username']

                user = UserModel().get_by_username(username)

                auth_user = AuthUser()

                auth_user.username = user.username

                auth_user.is_authenticated = True

                auth_user.is_admin = user.admin

                auth_user.user_id = user.user_id

                auth_user.name = user.name

                auth_user.lastname = user.lastname

                session['rhodecode_user'] = auth_user

                session.save()

                log.info('user %s is now authenticated', username)

                user.update_lastlogin()

                if c.came_from:

                    return redirect(c.came_from)

#

# This program is free software; you can redistribute it and/or

# modify it under the terms of the GNU General Public License

# as published by the Free Software Foundation; version 2

# of the License or (at your opinion) any later version of the license.

# 

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

# 

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,

# MA  02110-1301, USA.

"""

Created on April 4, 2010

@author: marcink

"""

from pylons import config, session, url, request

from pylons.controllers.util import abort, redirect

from rhodecode.lib.utils import get_repo_slug

from rhodecode.model import meta

from rhodecode.model.caching_query import FromCache

from rhodecode.model.db import User, RepoToPerm, Repository, Permission, \

    UserToPerm    

import bcrypt

from decorator import decorator

import logging

import random

log = logging.getLogger(__name__) 

class PasswordGenerator(object):

    """This is a simple class for generating password from

        different sets of characters

        usage:

        passwd_gen = PasswordGenerator()

        #print 8-letter password containing only big and small letters of alphabet

        print passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL)        

    """

    ALPHABETS_NUM = r'''1234567890'''#[0]

    ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm'''#[1]

    ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM'''#[2]

    ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?'''    #[3]

    ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM + ALPHABETS_SPECIAL#[4]

    ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM#[5]

    ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL

    ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM#[6]

    ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM#[7]

    def __init__(self, passwd=''):

        self.passwd = passwd

    def gen_password(self, len, type):

        self.passwd = ''.join([random.choice(type) for _ in xrange(len)])

        return self.passwd

def get_crypt_password(password):

    """Cryptographic function used for password hashing based on sha1

    :param password: password to hash

    """    

    return bcrypt.hashpw(password, bcrypt.gensalt(10))

def check_password(password, hashed):

    return bcrypt.hashpw(password, hashed) == hashed

def authfunc(environ, username, password):

    user = UserModel().get_by_username(username, cache=False)

    if user:

        if user.active:

            if user.username == username and check_password(password, user.password):

                log.info('user %s authenticated correctly', username)

                return True

        else:

            log.error('user %s is disabled', username)

    return False

class  AuthUser(object):

    """

    A simple object that handles a mercurial username for authentication

    """

    def __init__(self):

        self.username = 'None'

        self.name = ''

        self.lastname = ''

        self.email = ''

        self.user_id = None

        self.is_authenticated = False

        self.is_admin = False

        self.permissions = {}

def set_available_permissions(config):

    """

    This function will propagate pylons globals with all available defined

    permission given in db. We don't wannt to check each time from db for new 

    permissions since adding a new permission also requires application restart

    ie. to decorate new views with the newly created permission

    :param config:

    """

    log.info('getting information about all available permissions')

    try:

        sa = meta.Session()

        all_perms = sa.query(Permission).all()

    except:

        pass

    finally:

        meta.Session.remove()

    config['available_permissions'] = [x.permission_name for x in all_perms]

def set_base_path(config):

    config['base_path'] = config['pylons.app_globals'].base_path

def fill_perms(user):

    """

    Fills user permission attribute with permissions taken from database

    :param user:

    """

    sa = meta.Session()

    user.permissions['repositories'] = {}

    user.permissions['global'] = set()

    #===========================================================================

    # fetch default permissions

    #===========================================================================

    default_perms = sa.query(RepoToPerm, Repository, Permission)\

        .join((Repository, RepoToPerm.repository_id == Repository.repo_id))\

        .join((Permission, RepoToPerm.permission_id == Permission.permission_id))\

        .filter(RepoToPerm.user == default_user).all()

    if user.is_admin:

        #=======================================================================

        # #admin have all default rights set to admin        

        #=======================================================================

        user.permissions['global'].add('hg.admin')

        for perm in default_perms:

            p = 'repository.admin'

            user.permissions['repositories'][perm.RepoToPerm.repository.repo_name] = p

    else:

        #=======================================================================

        # set default permissions

        #=======================================================================

        #default global

        default_global_perms = sa.query(UserToPerm)\

            .filter(UserToPerm.user == sa.query(User).filter(User.username == 

        #=======================================================================

        # #overwrite default with user permissions if any

        #=======================================================================

        user_perms = sa.query(RepoToPerm, Permission, Repository)\

            .join((Repository, RepoToPerm.repository_id == Repository.repo_id))\

            .join((Permission, RepoToPerm.permission_id == Permission.permission_id))\

            .filter(RepoToPerm.user_id == user.user_id).all()

        for perm in user_perms:

            if perm.Repository.user_id == user.user_id:#set admin if owner

                p = 'repository.admin'

            else:

                p = perm.Permission.permission_name

            user.permissions['repositories'][perm.RepoToPerm.repository.repo_name] = p

    meta.Session.remove()         

    return user

def get_user(session):

    """

    Gets user from session, and wraps permissions into user

    :param session:

    """

    user = session.get('rhodecode_user', AuthUser())

    if user.is_authenticated:

    user = fill_perms(user)

    session['rhodecode_user'] = user

    session.save()

    return user

#===============================================================================

# CHECK DECORATORS

#===============================================================================

class LoginRequired(object):

    """Must be logged in to execute this function else redirect to login page"""

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        user = session.get('rhodecode_user', AuthUser())

        log.debug('Checking login required for user:%s', user.username)

        if user.is_authenticated:

            log.debug('user %s is authenticated', user.username)

            return func(*fargs, **fkwargs)

        else:

            log.warn('user %s not authenticated', user.username)

            p = ''

                p += '?' + request.environ.get('QUERY_STRING')

            log.debug('redirecting to login page with %s', p)                

            return redirect(url('login_home', came_from=p))

class PermsDecorator(object):

    """Base class for decorators"""

    def __init__(self, *required_perms):

        available_perms = config['available_permissions']

        for perm in required_perms:

            if perm not in available_perms:

                raise Exception("'%s' permission is not defined" % perm)

        self.required_perms = set(required_perms)

        self.user_perms = None

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

#        _wrapper.__name__ = func.__name__

#        _wrapper.__dict__.update(func.__dict__)

#        _wrapper.__doc__ = func.__doc__

        if self.check_permissions():

            return func(*fargs, **fkwargs)

        else:

            #redirect with forbidden ret code

            return abort(403)

    def check_permissions(self):

        """Dummy function for overriding"""

        raise Exception('You have to write this function in child class')

class HasPermissionAllDecorator(PermsDecorator):

    """Checks for access permission for all given predicates. All of them 

    have to be meet in order to fulfill the request

    """

    def check_permissions(self):

        if self.required_perms.issubset(self.user_perms.get('global')):

            return True

        return False

class HasPermissionAnyDecorator(PermsDecorator):

    """Checks for access permission for any of given predicates. In order to 

    fulfill the request any of predicates must be meet

    """

#===============================================================================

# CHECK FUNCTIONS

#===============================================================================

class PermsFunction(object):

    """Base function for other check functions"""

    def __init__(self, *perms):

        available_perms = config['available_permissions']

        for perm in perms:

            if perm not in available_perms:

                raise Exception("'%s' permission in not defined" % perm)

        self.required_perms = set(perms)

        self.user_perms = None

        self.granted_for = ''

        self.repo_name = None

    def __call__(self, check_Location=''):

        user = session.get('rhodecode_user', False)

        if not user:

            return False

        self.user_perms = user.permissions

        self.granted_for = user.username        

        if self.check_permissions():

            return True

        else:

            return False 

    def check_permissions(self):

        """Dummy function for overriding"""

        raise Exception('You have to write this function in child class')

class HasPermissionAll(PermsFunction):

    def check_permissions(self):

        if self.required_perms.issubset(self.user_perms.get('global')):

            return True

        return False

class HasPermissionAny(PermsFunction):

    def check_permissions(self):

        if self.required_perms.intersection(self.user_perms.get('global')):

            return True

        return False

class HasRepoPermissionAll(PermsFunction):

    def __call__(self, repo_name=None, check_Location=''):

        self.repo_name = repo_name

        return super(HasRepoPermissionAll, self).__call__(check_Location)

    def create_user(self, username, password, email='', admin=False):

        log.info('creating administrator user %s', username)

        new_user = User()

        new_user.username = username

        new_user.password = get_crypt_password(password)

        new_user.name = 'RhodeCode'

        new_user.lastname = 'Admin'

        new_user.email = email

        new_user.admin = admin

        new_user.active = True

        try:

            self.sa.add(new_user)

            self.sa.commit()

        except:

            self.sa.rollback()

            raise

    def create_default_user(self):

        log.info('creating default user')

        #create default user for handling default permissions.

        def_user = User()

        def_user.username = 'default'

        def_user.password = get_crypt_password(str(uuid.uuid1())[:8])

        def_user.admin = False

        def_user.active = False

        try:

            self.sa.add(def_user)

            self.sa.commit()

        except:

            self.sa.rollback()

            raise

    def create_permissions(self):

        #module.(access|create|change|delete)_[name]

        #module.(read|write|owner)

        perms = [('repository.none', 'Repository no access'),

                 ('repository.read', 'Repository read access'),

                 ('repository.write', 'Repository write access'),

                 ('repository.admin', 'Repository admin access'),

                 ('hg.admin', 'Hg Administrator'),

                 ('hg.create.repository', 'Repository create'),

                 ('hg.create.none', 'Repository creation disabled'),

                 ('hg.register.none', 'Register disabled'),

                 ('hg.register.manual_activate', 'Register new user with rhodecode without manual activation'),

                 ('hg.register.auto_activate', 'Register new user with rhodecode without auto activation'),

                ]

        filter_extra_fields = False

        rhodecode_title = UnicodeString(strip=True, min=1, not_empty=True)

        rhodecode_realm = UnicodeString(strip=True, min=1, not_empty=True)

    return _ApplicationSettingsForm

def ApplicationUiSettingsForm():

    class _ApplicationUiSettingsForm(formencode.Schema):

        allow_extra_fields = True

        filter_extra_fields = False

        web_push_ssl = OneOf(['true', 'false'], if_missing='false')

        paths_root_path = All(ValidPath(), UnicodeString(strip=True, min=1, not_empty=True))

        hooks_changegroup_update = OneOf(['True', 'False'], if_missing=False)

        hooks_changegroup_repo_size = OneOf(['True', 'False'], if_missing=False)

        hooks_pretxnchangegroup_push_logger = OneOf(['True', 'False'], if_missing=False)

        hooks_preoutgoing_pull_logger = OneOf(['True', 'False'], if_missing=False)

    return _ApplicationUiSettingsForm

def DefaultPermissionsForm(perms_choices, register_choices, create_choices):

    class _DefaultPermissionsForm(formencode.Schema):

        allow_extra_fields = True

        filter_extra_fields = True

        overwrite_default = OneOf(['true', 'false'], if_missing='false')

        default_perm = OneOf(perms_choices)

        default_register = OneOf(register_choices)

        default_create = OneOf(create_choices)

    return _DefaultPermissionsForm

            self.sa = Session()

        else:

            self.sa = sa

    def get_permission(self, permission_id, cache=False):

        perm = self.sa.query(Permission)

        if cache:

            perm = perm.options(FromCache("sql_cache_short",

                                          "get_permission_%s" % permission_id))

        return perm.get(permission_id)

    def get_permission_by_name(self, name, cache=False):

        perm = self.sa.query(Permission)\

            .filter(Permission.permission_name == name)

        if cache:

            perm = perm.options(FromCache("sql_cache_short",

                                          "get_permission_%s" % name))

        return perm.scalar()

    def update(self, form_result):

        perm_user = self.sa.query(User)\

                .filter(User.username == form_result['perm_user_name']).scalar()

        u2p = self.sa.query(UserToPerm).filter(UserToPerm.user == perm_user).all()

        if len(u2p) != 3:

        try:

            #stage 1 change defaults    

            for p in u2p:

                if p.permission.permission_name.startswith('repository.'):

                    self.sa.add(p)

                if p.permission.permission_name.startswith('hg.register.'):

                    self.sa.add(p)

                if p.permission.permission_name.startswith('hg.create.'):

                    self.sa.add(p)

            #stage 2 update all default permissions for repos if checked

            if form_result['overwrite_default'] == 'true':

                    self.sa.add(r2p)

            self.sa.commit()

        except:

            log.error(traceback.format_exc())

            self.sa.rollback()

            raise

            self.sa.add(new_user)

            self.sa.commit()

        except:

            log.error(traceback.format_exc())

            self.sa.rollback()

            raise

    def delete(self, user_id):

        try:

            user = self.get(user_id, cache=False)

            if user.username == 'default':

                raise DefaultUserException(

                                _("You can't remove this user since it's"

                                  " crucial for entire application"))

            self.sa.delete(user)

            self.sa.commit()

        except:

            log.error(traceback.format_exc())

            self.sa.rollback()

            raise

    def reset_password(self, data):

        from rhodecode.lib.celerylib import tasks, run_task

        run_task(tasks.reset_user_password, data['email'])