(str(60 * 24 * 30), _('1 month')),

        ]

        c.lifetime_options = [(c.lifetime_values, _("Lifetime"))]

        c.user_api_keys = ApiKeyModel().get_api_keys(self.authuser.user_id,

                                                     show_expired=show_expired)

        return render('admin/my_account/my_account.html')

    def my_account_api_keys_add(self):

        lifetime = safe_int(request.POST.get('lifetime'), -1)

        description = request.POST.get('description')

        ApiKeyModel().create(self.authuser.user_id, description, lifetime)

        Session().commit()

        return redirect(url('my_account_api_keys'))

    def my_account_api_keys_delete(self):

        api_key = request.POST.get('del_api_key')

        user_id = self.authuser.user_id

        if request.POST.get('del_api_key_builtin'):

            user = User.get(user_id)

            if user:

                user.api_key = generate_api_key(user.username)

                Session().add(user)

                Session().commit()

        elif api_key:

            ApiKeyModel().delete(api_key, self.authuser.user_id)

            Session().commit()

        return redirect(url('my_account_api_keys'))

            force_defaults=False)

    def add_api_key(self, id):

        c.user = User.get_or_404(id)

        if c.user.username == User.DEFAULT_USER:

            h.flash(_("You can't edit this user"), category='warning')

            return redirect(url('users'))

        lifetime = safe_int(request.POST.get('lifetime'), -1)

        description = request.POST.get('description')

        ApiKeyModel().create(c.user.user_id, description, lifetime)

        Session().commit()

        return redirect(url('edit_user_api_keys', id=c.user.user_id))

    def delete_api_key(self, id):

        c.user = User.get_or_404(id)

        if c.user.username == User.DEFAULT_USER:

            h.flash(_("You can't edit this user"), category='warning')

            return redirect(url('users'))

        api_key = request.POST.get('del_api_key')

        if request.POST.get('del_api_key_builtin'):

            user = User.get(c.user.user_id)

            if user:

                user.api_key = generate_api_key(user.username)

                Session().add(user)

                Session().commit()

        elif api_key:

            ApiKeyModel().delete(api_key, c.user.user_id)

            Session().commit()

        return redirect(url('edit_user_api_keys', id=c.user.user_id))

    def update_account(self, id):

        pass

    def edit_perms(self, id):

        c.user = User.get_or_404(id)

        if c.user.username == User.DEFAULT_USER:

            h.flash(_("You can't edit this user"), category='warning')

            return redirect(url('users'))

                                 message="Content-Length is 0")

        raw_body = environ['wsgi.input'].read(length)

        try:

            json_body = json.loads(raw_body)

        except ValueError, e:

            # catch JSON errors Here

            return jsonrpc_error(retid=self._req_id,

                                 message="JSON parse error ERR:%s RAW:%r"

                                 % (e, raw_body))

        try:

            self._req_api_key = json_body['api_key']

            self._req_id = json_body['id']

            self._req_method = json_body['method']

            self._request_params = json_body['args']

            if not isinstance(self._request_params, dict):

                self._request_params = {}

            log.debug(

                'method: %s, params: %s' % (self._req_method,

                                            self._request_params)

            )

        except KeyError, e:

            return jsonrpc_error(retid=self._req_id,

                                 message='Incorrect JSON query missing %s' % e)

        # check if we can find this session using api_key

        try:

            u = User.get_by_api_key(self._req_api_key)

            if u is None:

                return jsonrpc_error(retid=self._req_id,

            #check if we are allowed to use this IP

            auth_u = AuthUser(u.user_id, self._req_api_key, ip_addr=ip_addr)

            if not auth_u.ip_allowed:

                return jsonrpc_error(retid=self._req_id,

                        message='request from IP:%s not allowed' % (ip_addr,))

            else:

                log.info('Access for IP:%s allowed' % (ip_addr,))

        except Exception, e:

            return jsonrpc_error(retid=self._req_id,

        self._error = None

        try:

            self._func = self._find_method()

        except AttributeError, e:

            return jsonrpc_error(retid=self._req_id,

                                 message=str(e))

        # now that we have a method, add self._req_params to

        # self.kargs and dispatch control to WGIController

        argspec = inspect.getargspec(self._func)

        arglist = argspec[0][1:]

        if USER_SESSION_ATTR not in arglist:

            return jsonrpc_error(

                retid=self._req_id,

                message='This method [%s] does not support '

                         'authentication (missing %s param)' % (

                                    self._func.__name__, USER_SESSION_ATTR)

            )

        # get our arglist and check if we provided them as args

        for arg, default in func_kwargs.iteritems():

            if arg == USER_SESSION_ATTR:

                # this is checked before so we don't need validate it

                continue

            # skip the required param check if it's default value is

            # NotImplementedType (default_empty)

            if default == default_empty and arg not in self._request_params:

                return jsonrpc_error(

                    retid=self._req_id,

                    message=(

                        'Missing non optional `%s` arg in JSON DATA' % arg

                    )

                )

        :param apiuser: filled automatically from apikey

        :type apiuser: AuthUser

        :param userid: user to get data for

        :type userid: Optional(str or int)

        OUTPUT::

            id : <id_given_in_input>

            result: None if user does not exist or

                    {

                        "user_id" :     "<user_id>",

                        "api_key" :     "<api_key>",

                        "username" :    "<username>",

                        "firstname":    "<firstname>",

                        "lastname" :    "<lastname>",

                        "email" :       "<email>",

                        "emails":       "[<list of all emails including additional ones>]",

                        "ip_addresses": "[<ip_address_for_user>,...]",

                        "active" :      "<bool: user active>",

                        "admin" :       "<bool: user is admin>",

                        "extern_name" : "<extern_name>",

                        "extern_type" : "<extern type>

                        "last_login":   "<last_login>",

                        "permissions": {

def get_crypt_password(password):

    return KallitheaCrypto.hash_string(password)

def check_password(password, hashed):

    return KallitheaCrypto.hash_check(password, hashed)

def generate_api_key(str_, salt=None):

    """

    :param str_:

    :param salt:

    """

    if salt is None:

        salt = _RandomNameSequence().next()

    return hashlib.sha1(str_ + salt).hexdigest()

class CookieStoreWrapper(object):

        return self.get_api_keys()

    def propagate_data(self):

        user_model = UserModel()

        self.anonymous_user = User.get_default_user(cache=True)

        is_user_loaded = False

        # lookup by userid

        if self.user_id is not None and self.user_id != self.anonymous_user.user_id:

            log.debug('Auth User lookup by USER ID %s' % self.user_id)

            is_user_loaded = user_model.fill_data(self, user_id=self.user_id)

        elif self._api_key and self._api_key != self.anonymous_user.api_key:

            is_user_loaded = user_model.fill_data(self, api_key=self._api_key)

        # lookup by username

        elif self.username:

            log.debug('Auth User lookup by USER NAME %s' % self.username)

            is_user_loaded = user_model.fill_data(self, username=self.username)

        else:

            log.debug('No data in %s that could been used to log in' % self)

        if not is_user_loaded:

            # if we cannot authenticate user try anonymous

            if self.anonymous_user.active:

    repo_to_perm = relationship('UserRepoToPerm', primaryjoin='UserRepoToPerm.user_id==User.user_id', cascade='all')

    repo_group_to_perm = relationship('UserRepoGroupToPerm', primaryjoin='UserRepoGroupToPerm.user_id==User.user_id', cascade='all')

    group_member = relationship('UserGroupMember', cascade='all')

    notifications = relationship('UserNotification', cascade='all')

    # notifications assigned to this user

    user_created_notifications = relationship('Notification', cascade='all')

    # comments created by this user

    user_comments = relationship('ChangesetComment', cascade='all')

    #extra emails for this user

    user_emails = relationship('UserEmailMap', cascade='all')

    user_api_keys = relationship('UserApiKeys', cascade='all')

    @hybrid_property

    def email(self):

        return self._email

    @email.setter

    def email(self, val):

        self._email = val.lower() if val else None

    @property

    repo_to_perm = relationship('UserRepoToPerm', primaryjoin='UserRepoToPerm.user_id==User.user_id', cascade='all')

    repo_group_to_perm = relationship('UserRepoGroupToPerm', primaryjoin='UserRepoGroupToPerm.user_id==User.user_id', cascade='all')

    group_member = relationship('UserGroupMember', cascade='all')

    notifications = relationship('UserNotification', cascade='all')

    # notifications assigned to this user

    user_created_notifications = relationship('Notification', cascade='all')

    # comments created by this user

    user_comments = relationship('ChangesetComment', cascade='all')

    #extra emails for this user

    user_emails = relationship('UserEmailMap', cascade='all')

    user_api_keys = relationship('UserApiKeys', cascade='all')

    @hybrid_property

    def email(self):

        return self._email

    @email.setter

    def email(self, val):

        self._email = val.lower() if val else None

    @property

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""

kallithea.model.api_key

~~~~~~~~~~~~~~~~~~~~~~~

This file was forked by the Kallithea project in July 2014.

Original author and date, and relevant copyright and licensing information is below:

:created_on: Sep 8, 2013

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

from __future__ import with_statement

import time

import logging

    repo_to_perm = relationship('UserRepoToPerm', primaryjoin='UserRepoToPerm.user_id==User.user_id', cascade='all')

    repo_group_to_perm = relationship('UserRepoGroupToPerm', primaryjoin='UserRepoGroupToPerm.user_id==User.user_id', cascade='all')

    group_member = relationship('UserGroupMember', cascade='all')

    notifications = relationship('UserNotification', cascade='all')

    # notifications assigned to this user

    user_created_notifications = relationship('Notification', cascade='all')

    # comments created by this user

    user_comments = relationship('ChangesetComment', cascade='all')

    #extra emails for this user

    user_emails = relationship('UserEmailMap', cascade='all')

    user_api_keys = relationship('UserApiKeys', cascade='all')

    @hybrid_property

    def email(self):

        return self._email

    @email.setter

    def email(self, val):

        self._email = val.lower() if val else None

    @property

        return True

    def fill_data(self, auth_user, user_id=None, api_key=None, username=None):

        """

        Fetches auth_user by user_id,or api_key if present.

        Fills auth_user attributes with those taken from database.

        Additionally sets is_authenticated if lookup fails

        present in database

        :param auth_user: instance of user to set attributes

        :param user_id: user id to fetch by

        :param username: username to fetch by

        """

        if user_id is None and api_key is None and username is None:

            raise Exception('You need to pass user_id, api_key or username')

        dbuser = None

        if user_id is not None:

            dbuser = self.get(user_id)

        elif api_key is not None:

            dbuser = self.get_by_api_key(api_key)

        elif username is not None:

            dbuser = self.get_by_username(username)

  <table class="noborder">

    <tr>

        <td style="width: 450px"><div class="truncate autoexpand" style="width:120px;font-size:16px;font-family: monospace">${c.user.api_key}</div></td>

        <td>

            <span class="btn btn-mini btn-success disabled">${_('Built-in')}</span>

        </td>

        <td>${_('expires')}: ${_('never')}</td>

        <td>

            ${h.form(url('my_account_api_keys'),method='delete')}

                ${h.hidden('del_api_key',c.user.api_key)}

                ${h.hidden('del_api_key_builtin',1)}

                <button class="btn btn-mini btn-danger" type="submit"

                    ${_('reset')}

                </button>

            ${h.end_form()}

        </td>

    </tr>

    %if c.user_api_keys:

        %for api_key in c.user_api_keys:

          <tr class="${'expired' if api_key.expired else ''}">

            <td style="width: 450px"><div class="truncate autoexpand" style="width:120px;font-size:16px;font-family: monospace">${api_key.api_key}</div></td>

            <td>${api_key.description}</td>

            <td style="min-width: 80px">

                 %if api_key.expires == -1:

                 %else:

                    %if api_key.expired:

                        ${_('expired')}: ${h.age(h.time_to_datetime(api_key.expires))}

                    %else:

                        ${_('expires')}: ${h.age(h.time_to_datetime(api_key.expires))}

                    %endif

                 %endif

            </td>

            <td>

                ${h.form(url('my_account_api_keys'),method='delete')}

                    ${h.hidden('del_api_key',api_key.api_key)}

                    <button class="btn btn-mini btn-danger" type="submit"

                        <i class="icon-minus-circled"></i>

                        ${_('remove')}

                    </button>

                ${h.end_form()}

            </td>

          </tr>

        %endfor

    %else:

    %endif

  </table>

</div>

<div>

    ${h.form(url('my_account_api_keys'), method='post')}

    <div class="form">

        <!-- fields -->

        <div class="fields">

             <div class="field">

                <div class="label">

                </div>

                <div class="input">

                    ${h.text('description', class_='medium', placeholder=_('Description'))}

                    ${h.select('lifetime', '', c.lifetime_options)}

                </div>

             </div>

            <div class="buttons">

              ${h.submit('save',_('Add'),class_="btn")}

              ${h.reset('reset',_('Reset'),class_="btn")}

            </div>

        </div>

    </div>

  <table class="noborder">

    <tr>

        <td style="width: 450px"><div class="truncate autoexpand" style="width:120px;font-size:16px;font-family: monospace">${c.user.api_key}</div></td>

        <td>

            <span class="btn btn-mini btn-success disabled">${_('Built-in')}</span>

        </td>

        <td>${_('expires')}: ${_('never')}</td>

        <td>

            ${h.form(url('edit_user_api_keys', id=c.user.user_id),method='delete')}

                ${h.hidden('del_api_key',c.user.api_key)}

                ${h.hidden('del_api_key_builtin',1)}

                <button class="btn btn-mini btn-danger" type="submit"

                    ${_('reset')}

                </button>

            ${h.end_form()}

        </td>

    </tr>

    %if c.user_api_keys:

        %for api_key in c.user_api_keys:

          <tr class="${'expired' if api_key.expired else ''}">

            <td style="width: 450px"><div class="truncate autoexpand" style="width:120px;font-size:16px;font-family: monospace">${api_key.api_key}</div></td>

            <td>${api_key.description}</td>

            <td style="min-width: 80px">

                 %if api_key.expires == -1:

                 %else:

                    %if api_key.expired:

                        ${_('expired')}: ${h.age(h.time_to_datetime(api_key.expires))}

                    %else:

                        ${_('expires')}: ${h.age(h.time_to_datetime(api_key.expires))}

                    %endif

                 %endif

            </td>

            <td>

                ${h.form(url('edit_user_api_keys', id=c.user.user_id),method='delete')}

                    ${h.hidden('del_api_key',api_key.api_key)}

                    <button class="btn btn-mini btn-danger" type="submit"

                        <i class="icon-minus-circled"></i>

                        ${_('remove')}

                    </button>

                ${h.end_form()}

            </td>

          </tr>

        %endfor

    %else:

    %endif

  </table>

</div>

<div>

    ${h.form(url('edit_user_api_keys', id=c.user.user_id), method='put')}

    <div class="form">

        <!-- fields -->

        <div class="fields">

             <div class="field">

                <div class="label">

                </div>

                <div class="input">

                    ${h.text('description', class_='medium', placeholder=_('Description'))}

                    ${h.select('lifetime', '', c.lifetime_options)}

                </div>

             </div>

            <div class="buttons">

              ${h.submit('save',_('Add'),class_="btn")}

              ${h.reset('reset',_('Reset'),class_="btn")}

            </div>

        </div>

    </div>

    def test_OAttr_object(self):

        from kallithea.controllers.api.api import OAttr

        oattr1 = OAttr('apiuser')

        self.assertEqual('<OptionalAttr:apiuser>', repr(oattr1))

        self.assertEqual(oattr1(), oattr1)

    def test_api_wrong_key(self):

        id_, params = _build_data('trololo', 'get_user')

        response = api_call(self, params)

        self._compare_error(id_, expected, given=response.body)

    def test_api_missing_non_optional_param(self):

        id_, params = _build_data(self.apikey, 'get_repo')

        response = api_call(self, params)

        expected = 'Missing non optional `repoid` arg in JSON DATA'

        self._compare_error(id_, expected, given=response.body)

    def test_api_missing_non_optional_param_args_null(self):

        id_, params = _build_data(self.apikey, 'get_repo')

        params = params.replace('"args": {}', '"args": null')

    @parameterized.expand([

        ('forever', -1),

        ('5mins', 60*5),

        ('30days', 60*60*24*30),

    ])

    def test_add_api_keys(self, desc, lifetime):

        self.log_user()

        user = User.get_by_username(TEST_USER_REGULAR_LOGIN)

        user_id = user.user_id

        response = self.app.post(url('edit_user_api_keys', id=user_id),

                 {'_method': 'put', 'description': desc, 'lifetime': lifetime, '_authentication_token': self.authentication_token()})

        try:

            response = response.follow()

            user = User.get(user_id)

            for api_key in user.api_keys:

                response.mustcontain(api_key)

        finally:

            for api_key in UserApiKeys.query().filter(UserApiKeys.user_id == user_id).all():

                Session().delete(api_key)

                Session().commit()

    def test_remove_api_key(self):

        self.log_user()

        user = User.get_by_username(TEST_USER_REGULAR_LOGIN)

        user_id = user.user_id

        response = self.app.post(url('edit_user_api_keys', id=user_id),

                {'_method': 'put', 'description': 'desc', 'lifetime': -1, '_authentication_token': self.authentication_token()})

        response = response.follow()

        #now delete our key

        keys = UserApiKeys.query().filter(UserApiKeys.user_id == user_id).all()

        self.assertEqual(1, len(keys))

        response = self.app.post(url('edit_user_api_keys', id=user_id),

                 {'_method': 'delete', 'del_api_key': keys[0].api_key, '_authentication_token': self.authentication_token()})

        keys = UserApiKeys.query().filter(UserApiKeys.user_id == user_id).all()

        self.assertEqual(0, len(keys))

    def test_reset_main_api_key(self):

        self.log_user()

        user = User.get_by_username(TEST_USER_REGULAR_LOGIN)

        user_id = user.user_id

        api_key = user.api_key

        response = self.app.get(url('edit_user_api_keys', id=user_id))

        response.mustcontain(api_key)

        response.mustcontain('expires: never')

        response = self.app.post(url('edit_user_api_keys', id=user_id),

                 {'_method': 'delete', 'del_api_key_builtin': api_key, '_authentication_token': self.authentication_token()})

        response = response.follow()

        response.mustcontain(no=[api_key])

                                 action='changeset_raw',

                                 repo_name=HG_REPO, revision='tip', api_key=new_api_key.api_key),

                             status=200)

    def test_access_page_via_expired_api_key(self):

        whitelist = self._get_api_whitelist(['ChangesetController:changeset_raw'])

        with mock.patch('kallithea.CONFIG', whitelist):

            self.assertEqual(['ChangesetController:changeset_raw'],

                             whitelist['api_access_controllers_whitelist'])

            new_api_key = ApiKeyModel().create(TEST_USER_ADMIN_LOGIN, u'test')

            Session().commit()

            new_api_key.expires = 0

            Session().add(new_api_key)

            Session().commit()

            with fixture.anon_access(False):

                self.app.get(url(controller='changeset',

                                 action='changeset_raw',

                                 repo_name=HG_REPO, revision='tip',

                                 api_key=new_api_key.api_key),

                             status=302)

        response.mustcontain('expires: never')

    @parameterized.expand([

        ('forever', -1),

        ('5mins', 60*5),

        ('30days', 60*60*24*30),

    ])

    def test_my_account_add_api_keys(self, desc, lifetime):

        usr = self.log_user('test_regular2', 'test12')

        user = User.get(usr['user_id'])

        response = self.app.post(url('my_account_api_keys'),

                                 {'description': desc, 'lifetime': lifetime, '_authentication_token': self.authentication_token()})

        try:

            response = response.follow()

            user = User.get(usr['user_id'])

            for api_key in user.api_keys:

                response.mustcontain(api_key)

        finally:

            for api_key in UserApiKeys.query().all():

                Session().delete(api_key)

                Session().commit()

    def test_my_account_remove_api_key(self):

        usr = self.log_user('test_regular2', 'test12')

        user = User.get(usr['user_id'])

        response = self.app.post(url('my_account_api_keys'),

                                 {'description': 'desc', 'lifetime': -1, '_authentication_token': self.authentication_token()})

        response = response.follow()

        #now delete our key

        keys = UserApiKeys.query().all()

        self.assertEqual(1, len(keys))

        response = self.app.post(url('my_account_api_keys'),

                 {'_method': 'delete', 'del_api_key': keys[0].api_key, '_authentication_token': self.authentication_token()})

        keys = UserApiKeys.query().all()

        self.assertEqual(0, len(keys))

    def test_my_account_reset_main_api_key(self):

        usr = self.log_user('test_regular2', 'test12')

        user = User.get(usr['user_id'])

        api_key = user.api_key

        response = self.app.get(url('my_account_api_keys'))

        response.mustcontain(api_key)

        response.mustcontain('expires: never')

        response = self.app.post(url('my_account_api_keys'),

                 {'_method': 'delete', 'del_api_key_builtin': api_key, '_authentication_token': self.authentication_token()})

        response = response.follow()

        response.mustcontain(no=[api_key])