# -*- coding: utf-8 -*-

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""

kallithea.controllers.api.api

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

API controller for Kallithea

This file was forked by the Kallithea project in July 2014.

Original author and date, and relevant copyright and licensing information is below:

:created_on: Aug 20, 2011

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import time

import traceback

import logging

from sqlalchemy import or_

from kallithea import EXTERN_TYPE_INTERNAL

from kallithea.controllers.api import JSONRPCController, JSONRPCError

from kallithea.lib.auth import (

    PasswordGenerator, AuthUser, HasPermissionAllDecorator,

    HasPermissionAnyDecorator, HasPermissionAnyApi, HasRepoPermissionAnyApi,

    HasRepoGroupPermissionAnyApi, HasUserGroupPermissionAny)

from kallithea.lib.utils import map_groups, repo2db_mapper

from kallithea.lib.utils2 import (

    str2bool, time_to_datetime, safe_int, Optional, OAttr)

from kallithea.model.meta import Session

from kallithea.model.repo_group import RepoGroupModel

from kallithea.model.scm import ScmModel, UserGroupList

from kallithea.model.repo import RepoModel

from kallithea.model.user import UserModel

from kallithea.model.user_group import UserGroupModel

from kallithea.model.gist import GistModel

from kallithea.model.db import (

    Repository, Setting, UserIpMap, Permission, User, Gist,

    RepoGroup)

from kallithea.lib.compat import json

from kallithea.lib.exceptions import (

    DefaultUserException, UserGroupsAssignedException)

log = logging.getLogger(__name__)

def store_update(updates, attr, name):

    """

    Stores param in updates dict if it's not instance of Optional

    allows easy updates of passed in params

    """

    if not isinstance(attr, Optional):

        updates[name] = attr

def get_user_or_error(userid):

    """

    Get user by id or name or return JsonRPCError if not found

    :param userid:

    """

    user = UserModel().get_user(userid)

    if user is None:

        raise JSONRPCError("user `%s` does not exist" % (userid,))

    return user

def get_repo_or_error(repoid):

    """

    Get repo by id or name or return JsonRPCError if not found

    :param repoid:

    """

    repo = RepoModel().get_repo(repoid)

    if repo is None:

        raise JSONRPCError('repository `%s` does not exist' % (repoid,))

    return repo

def get_repo_group_or_error(repogroupid):

    """

    Get repo group by id or name or return JsonRPCError if not found

    :param repogroupid:

    """

    repo_group = RepoGroupModel()._get_repo_group(repogroupid)

    if repo_group is None:

        raise JSONRPCError(

            'repository group `%s` does not exist' % (repogroupid,))

    return repo_group

def get_user_group_or_error(usergroupid):

    """

    Get user group by id or name or return JsonRPCError if not found

    :param usergroupid:

    """

    user_group = UserGroupModel().get_group(usergroupid)

    if user_group is None:

        raise JSONRPCError('user group `%s` does not exist' % (usergroupid,))

    return user_group

def get_perm_or_error(permid, prefix=None):

    """

    Get permission by id or name or return JsonRPCError if not found

    :param permid:

    """

    perm = Permission.get_by_key(permid)

            .all()

        for user in users_list:

            result.append(user.get_api_data())

        return result

    @HasPermissionAllDecorator('hg.admin')

    def create_user(self, apiuser, username, email, password=Optional(''),

                    firstname=Optional(''), lastname=Optional(''),

                    active=Optional(True), admin=Optional(False),

                    extern_name=Optional(EXTERN_TYPE_INTERNAL),

                    extern_type=Optional(EXTERN_TYPE_INTERNAL)):

        """

        Creates new user. Returns new user object. This command can

        be executed only using api_key belonging to user with admin rights.

        :param apiuser: filled automatically from apikey

        :type apiuser: AuthUser

        :param username: new username

        :type username: str or int

        :param email: email

        :type email: str

        :param password: password

        :type password: Optional(str)

        :param firstname: firstname

        :type firstname: Optional(str)

        :param lastname: lastname

        :type lastname: Optional(str)

        :param active: active

        :type active: Optional(bool)

        :param admin: admin

        :type admin: Optional(bool)

        :param extern_name: name of extern

        :type extern_name: Optional(str)

        :param extern_type: extern_type

        :type extern_type: Optional(str)

        OUTPUT::

            id : <id_given_in_input>

            result: {

                      "msg" : "created new user `<username>`",

                      "user": <user_obj>

                    }

            error:  null

        ERROR OUTPUT::

          id : <id_given_in_input>

          result : null

          error :  {

            "user `<username>` already exist"

            or

            "email `<email>` already exist"

            or

            "failed to create user `<username>`"

          }

        """

        if User.get_by_username(username):

            raise JSONRPCError("user `%s` already exist" % (username,))

        if User.get_by_email(email, case_insensitive=True):

            raise JSONRPCError("email `%s` already exist" % (email,))

        if Optional.extract(extern_name):

            # generate temporary password if user is external

            password = PasswordGenerator().gen_password(length=8)

        try:

            user = UserModel().create_or_update(

                username=Optional.extract(username),

                password=Optional.extract(password),

                email=Optional.extract(email),

                firstname=Optional.extract(firstname),

                lastname=Optional.extract(lastname),

                active=Optional.extract(active),

                admin=Optional.extract(admin),

                extern_type=Optional.extract(extern_type),

                extern_name=Optional.extract(extern_name)

            )

            Session().commit()

            return dict(

                msg='created new user `%s`' % username,

                user=user.get_api_data()

            )

        except Exception:

            log.error(traceback.format_exc())

            raise JSONRPCError('failed to create user `%s`' % (username,))

    @HasPermissionAllDecorator('hg.admin')

    def update_user(self, apiuser, userid, username=Optional(None),

                    email=Optional(None),password=Optional(None),

                    firstname=Optional(None), lastname=Optional(None),

                    active=Optional(None), admin=Optional(None),

        """

        updates given user if such user exists. This command can

        be executed only using api_key belonging to user with admin rights.

        :param apiuser: filled automatically from apikey

        :type apiuser: AuthUser

        :param userid: userid to update

        :type userid: str or int

        :param username: new username

        :type username: str or int

        :param email: email

        :type email: str

        :param password: password

        :type password: Optional(str)

        :param firstname: firstname

        :type firstname: Optional(str)

        :param lastname: lastname

        :type lastname: Optional(str)

        :param active: active

        :type active: Optional(bool)

        :param admin: admin

        :type admin: Optional(bool)

        :param extern_name:

        :type extern_name: Optional(str)

        :param extern_type:

        :type extern_type: Optional(str)

        OUTPUT::

            id : <id_given_in_input>

            result: {

                      "msg" : "updated user ID:<userid> <username>",

                      "user": <user_object>,

                    }

            error:  null

        ERROR OUTPUT::

          id : <id_given_in_input>

          result : null

          error :  {

            "failed to update user `<username>`"

          }

        """

        user = get_user_or_error(userid)

        # only non optional arguments will be stored in updates

        updates = {}

        try:

            store_update(updates, username, 'username')

            store_update(updates, password, 'password')

            store_update(updates, email, 'email')

            store_update(updates, firstname, 'name')

            store_update(updates, lastname, 'lastname')

            store_update(updates, active, 'active')

            store_update(updates, admin, 'admin')

            store_update(updates, extern_name, 'extern_name')

            store_update(updates, extern_type, 'extern_type')

            user = UserModel().update_user(user, **updates)

            Session().commit()

            return dict(

                msg='updated user ID:%s %s' % (user.user_id, user.username),

                user=user.get_api_data()

            )

        except DefaultUserException:

            log.error(traceback.format_exc())

            raise JSONRPCError('editing default user is forbidden')

        except Exception:

            log.error(traceback.format_exc())

            raise JSONRPCError('failed to update user `%s`' % (userid,))

    @HasPermissionAllDecorator('hg.admin')

    def delete_user(self, apiuser, userid):

        """

        deletes given user if such user exists. This command can

        be executed only using api_key belonging to user with admin rights.

        :param apiuser: filled automatically from apikey

        :type apiuser: AuthUser

        :param userid: user to delete

        :type userid: str or int

        OUTPUT::

            id : <id_given_in_input>

            result: {

                      "msg" : "deleted user ID:<userid> <username>",

                      "user": null

                    }

            error:  null

            if not HasRepoGroupPermissionAnyApi('group.admin')(user=apiuser,

                                                               group_name=repo_group.group_name):

                raise JSONRPCError('repository group `%s` does not exist' % (repogroupid,))

        user = get_user_or_error(userid)

        perm = get_perm_or_error(perm, prefix='group.')

        apply_to_children = Optional.extract(apply_to_children)

        try:

            RepoGroupModel().add_permission(repo_group=repo_group,

                                            obj=user,

                                            obj_type="user",

                                            perm=perm,

                                            recursive=apply_to_children)

            Session().commit()

            return dict(

                msg='Granted perm: `%s` (recursive:%s) for user: `%s` in repo group: `%s`' % (

                    perm.permission_name, apply_to_children, user.username, repo_group.name

                ),

                success=True

            )

        except Exception:

            log.error(traceback.format_exc())

            raise JSONRPCError(

                'failed to edit permission for user: `%s` in repo group: `%s`' % (

                    userid, repo_group.name))

    # permission check inside

    def revoke_user_permission_from_repo_group(self, apiuser, repogroupid, userid,

                                               apply_to_children=Optional('none')):

        """

        Revoke permission for user on given repository group. This command can

        be executed only using api_key belonging to user with admin rights, or

        user who has admin right to given repository group.

        :param apiuser: filled automatically from apikey

        :type apiuser: AuthUser

        :param repogroupid: name or id of repository group

        :type repogroupid: str or int

        :param userid:

        :type userid:

        :param apply_to_children: 'none', 'repos', 'groups', 'all'

        :type apply_to_children: str

        OUTPUT::

            id : <id_given_in_input>

            result: {

                      "msg" : "Revoked perm (recursive:<apply_to_children>) for user: `<username>` in repo group: `<repo_group_name>`",

                      "success": true

                    }

            error:  null

        ERROR OUTPUT::

          id : <id_given_in_input>

          result : null

          error :  {

            "failed to edit permission for user: `<userid>` in repo group: `<repo_group_name>`"

          }

        """

        repo_group = get_repo_group_or_error(repogroupid)

        if not HasPermissionAnyApi('hg.admin')(user=apiuser):

            # check if we have admin permission for this repo group !

            if not HasRepoGroupPermissionAnyApi('group.admin')(user=apiuser,

                                                               group_name=repo_group.group_name):

                raise JSONRPCError('repository group `%s` does not exist' % (repogroupid,))

        user = get_user_or_error(userid)

        apply_to_children = Optional.extract(apply_to_children)

        try:

            RepoGroupModel().delete_permission(repo_group=repo_group,

                                               obj=user,

                                               obj_type="user",

                                               recursive=apply_to_children)

            Session().commit()

            return dict(

                msg='Revoked perm (recursive:%s) for user: `%s` in repo group: `%s`' % (

                    apply_to_children, user.username, repo_group.name

                ),

                success=True

            )

        except Exception:

            log.error(traceback.format_exc())

            raise JSONRPCError(

                'failed to edit permission for user: `%s` in repo group: `%s`' % (

                    userid, repo_group.name))

    # permission check inside

    def grant_user_group_permission_to_repo_group(

            self, apiuser, repogroupid, usergroupid, perm,

        """

        Grant permission for user group on given repository group, or update

        existing one if found. This command can be executed only using

        api_key belonging to user with admin rights, or user who has admin

        right to given repository group.

        :param apiuser: filled automatically from apikey

        :type apiuser: AuthUser

        :param repogroupid: name or id of repository group

        :type repogroupid: str or int

        :param usergroupid: id of usergroup

        :type usergroupid: str or int

        :param perm: (group.(none|read|write|admin))

        :type perm: str

        :param apply_to_children: 'none', 'repos', 'groups', 'all'

        :type apply_to_children: str

        OUTPUT::

          id : <id_given_in_input>

          result : {

            "msg" : "Granted perm: `<perm>` (recursive:<apply_to_children>) for user group: `<usersgroupname>` in repo group: `<repo_group_name>`",

            "success": true

          }

          error :  null

        ERROR OUTPUT::

          id : <id_given_in_input>

          result : null

          error :  {

            "failed to edit permission for user group: `<usergroup>` in repo group: `<repo_group_name>`"

          }

        """

        repo_group = get_repo_group_or_error(repogroupid)

        perm = get_perm_or_error(perm, prefix='group.')

        user_group = get_user_group_or_error(usergroupid)

        if not HasPermissionAnyApi('hg.admin')(user=apiuser):

            # check if we have admin permission for this repo group !

            _perms = ('group.admin',)

            if not HasRepoGroupPermissionAnyApi(*_perms)(

                    user=apiuser, group_name=repo_group.group_name):

                raise JSONRPCError(

                    'repository group `%s` does not exist' % (repogroupid,))

            # check if we have at least read permission for this user group !

            _perms = ('usergroup.read', 'usergroup.write', 'usergroup.admin',)

            if not HasUserGroupPermissionAny(*_perms)(

                    user=apiuser, user_group_name=user_group.users_group_name):

                raise JSONRPCError(

                    'user group `%s` does not exist' % (usergroupid,))

        apply_to_children = Optional.extract(apply_to_children)

        try:

            RepoGroupModel().add_permission(repo_group=repo_group,

                                            obj=user_group,

                                            obj_type="user_group",

                                            perm=perm,

                                            recursive=apply_to_children)

            Session().commit()

            return dict(

                msg='Granted perm: `%s` (recursive:%s) for user group: `%s` in repo group: `%s`' % (

                        perm.permission_name, apply_to_children,

                        user_group.users_group_name, repo_group.name

                    ),

                success=True

            )

        except Exception:

            log.error(traceback.format_exc())

            raise JSONRPCError(

                'failed to edit permission for user group: `%s` in '

                'repo group: `%s`' % (

                    usergroupid, repo_group.name

                )

            )

    # permission check inside

    def revoke_user_group_permission_from_repo_group(

            self, apiuser, repogroupid, usergroupid,

            apply_to_children=Optional('none')):

        """

        Revoke permission for user group on given repository. This command can be

        executed only using api_key belonging to user with admin rights, or

        user who has admin right to given repository group.

        :param apiuser: filled automatically from apikey

        :type apiuser: AuthUser

        :param repogroupid: name or id of repository group

        :type repogroupid: str or int

        :param usergroupid:

        :param apply_to_children: 'none', 'repos', 'groups', 'all'

        :type apply_to_children: str