# -*- coding: utf-8 -*-

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""

kallithea.lib.auth

~~~~~~~~~~~~~~~~~~

authentication and permission libraries

This file was forked by the Kallithea project in July 2014.

Original author and date, and relevant copyright and licensing information is below:

:created_on: Apr 4, 2010

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import time

import os

import logging

import traceback

import hashlib

import itertools

import collections

from decorator import decorator

from pylons.controllers.util import abort, redirect

from pylons.i18n.translation import _

from webhelpers.pylonslib import secure_form

from sqlalchemy import or_

from sqlalchemy.orm.exc import ObjectDeletedError

from sqlalchemy.orm import joinedload

from kallithea import __platform__, is_windows, is_unix

from kallithea.lib.vcs.utils.lazy import LazyProperty

from kallithea.model import meta

from kallithea.model.meta import Session

from kallithea.model.user import UserModel

from kallithea.model.db import User, Repository, Permission, \

    UserToPerm, UserGroupRepoToPerm, UserGroupToPerm, UserGroupMember, \

    RepoGroup, UserGroupRepoGroupToPerm, UserIpMap, UserGroupUserGroupToPerm, \

    UserGroup, UserApiKeys

from kallithea.lib.utils2 import safe_unicode, aslist

from kallithea.lib.utils import get_repo_slug, get_repo_group_slug, \

    get_user_group_slug, conditional_cache

from kallithea.lib.caching_query import FromCache

log = logging.getLogger(__name__)

class PasswordGenerator(object):

    """

    This is a simple class for generating password from different sets of

    characters

    usage::

        passwd_gen = PasswordGenerator()

        #print 8-letter password containing only big and small letters

            of alphabet

        passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL)

    """

    ALPHABETS_NUM = r'''1234567890'''

    ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm'''

    ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM'''

    ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?'''

    ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \

        + ALPHABETS_NUM + ALPHABETS_SPECIAL

    ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM

    ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL

    ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM

    ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM

    def gen_password(self, length, alphabet=ALPHABETS_FULL):

        assert len(alphabet) <= 256, alphabet

        l = []

        while len(l) < length:

            i = ord(os.urandom(1))

            if i < len(alphabet):

                l.append(alphabet[i])

        return ''.join(l)

class KallitheaCrypto(object):

    @classmethod

    def hash_string(cls, str_):

        """

        Cryptographic function used for password hashing based on pybcrypt

        or Python's own OpenSSL wrapper on windows

        :param password: password to hash

        """

        if is_windows:

            return hashlib.sha256(str_).hexdigest()

        elif is_unix:

            import bcrypt

            return bcrypt.hashpw(str_, bcrypt.gensalt(10))

        else:

            raise Exception('Unknown or unsupported platform %s' \

                            % __platform__)

    @classmethod

    def hash_check(cls, password, hashed):

        """

        Checks matching password with it's hashed value, runs different

        implementation based on platform it runs on

        :param password: password

        :param hashed: password in hashed form

        """

        if is_windows:

            return hashlib.sha256(password).hexdigest() == hashed

        elif is_unix:

            import bcrypt

            return bcrypt.hashpw(password, hashed) == hashed

        else:

            raise Exception('Unknown or unsupported platform %s' \

                            % __platform__)

                    pass

        user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)

        if cache:

            user_ips = user_ips.options(FromCache("sql_cache_short",

                                                  "get_user_ips_%s" % user_id))

        for ip in user_ips:

            try:

                _set.add(ip.ip_addr)

            except ObjectDeletedError:

                # since we use heavy caching sometimes it happens that we get

                # deleted objects here, we just skip them

                pass

        return _set or set(['0.0.0.0/0', '::/0'])

def set_available_permissions(config):

    """

    This function will propagate pylons globals with all available defined

    permission given in db. We don't want to check each time from db for new

    permissions since adding a new permission also requires application restart

    ie. to decorate new views with the newly created permission

    :param config: current pylons config instance

    """

    log.info('getting information about all available permissions')

    try:

        sa = meta.Session

        all_perms = sa.query(Permission).all()

        config['available_permissions'] = [x.permission_name for x in all_perms]

    finally:

        meta.Session.remove()

#==============================================================================

# CHECK DECORATORS

#==============================================================================

def redirect_to_login(message=None):

    from kallithea.lib import helpers as h

    p = request.path_qs

    if message:

        h.flash(h.literal(message), category='warning')

    log.debug('Redirecting to login page, origin: %s', p)

    return redirect(url('login_home', came_from=p))

class LoginRequired(object):

    """

    Must be logged in to execute this function else

    redirect to login page

    :param api_access: if enabled this checks only for valid auth token

        and grants access based on valid token

    """

    def __init__(self, api_access=False):

        self.api_access = api_access

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        controller = fargs[0]

        user = controller.authuser

        loc = "%s:%s" % (controller.__class__.__name__, func.__name__)

        log.debug('Checking access for user %s @ %s', user, loc)

        if not AuthUser.check_ip_allowed(user, controller.ip_addr):

            return redirect_to_login(_('IP %s not allowed') % controller.ip_addr)

        # check if we used an API key and it's a valid one

        api_key = request.GET.get('api_key')

        if api_key is not None:

            # explicit controller is enabled or API is in our whitelist

            if self.api_access or allowed_api_access(loc, api_key=api_key):

                if api_key in user.api_keys:

                    log.info('user %s authenticated with API key ****%s @ %s',

                             user, api_key[-4:], loc)

                    return func(*fargs, **fkwargs)

                else:

                    log.warning('API key ****%s is NOT valid', api_key[-4:])

                    return redirect_to_login(_('Invalid API key'))

            else:

                # controller does not allow API access

                log.warning('API access to %s is not allowed', loc)

                return abort(403)

        # Only allow the following HTTP request methods. (We sometimes use POST

        # requests with a '_method' set to 'PUT' or 'DELETE'; but that is only

        # used for the route lookup, and does not affect request.method.)

        if request.method not in ['GET', 'HEAD', 'POST', 'PUT']:

            return abort(405)

        # CSRF protection: Whenever a request has ambient authority (whether

        # through a session cookie or its origin IP address), it must include

        # the correct token, unless the HTTP method is GET or HEAD (and thus

        # guaranteed to be side effect free. In practice, the only situation

        # where we allow side effects without ambient authority is when the

        # authority comes from an API key; and that is handled above.

        if request.method not in ['GET', 'HEAD']:

            token = request.POST.get(secure_form.token_key)

            if not token or token != secure_form.authentication_token():

                log.error('CSRF check failed')

                return abort(403)

        # WebOb already ignores request payload parameters for anything other

        # than POST/PUT, but double-check since other Kallithea code relies on

        # this assumption.

        if request.method not in ['POST', 'PUT'] and request.POST:

            log.error('%r request with payload parameters; WebOb should have stopped this', request.method)

            return abort(400)

        # regular user authentication

        if user.is_authenticated:

            log.info('user %s authenticated with regular auth @ %s', user, loc)

            return func(*fargs, **fkwargs)

        else:

            log.warning('user %s NOT authenticated with regular auth @ %s', user, loc)

            return redirect_to_login()

class NotAnonymous(object):

    """

    Must be logged in to execute this function else

    redirect to login page"""

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        cls = fargs[0]

        self.user = cls.authuser

        log.debug('Checking if user is not anonymous @%s', cls)

        anonymous = self.user.username == User.DEFAULT_USER

        if anonymous:

            return redirect_to_login(_('You need to be a registered user to '

                    'perform this action'))

        else:

            return func(*fargs, **fkwargs)

class PermsDecorator(object):

    """Base class for controller decorators"""

    def __init__(self, *required_perms):

        self.required_perms = set(required_perms)

        self.user_perms = None

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        cls = fargs[0]

        self.user = cls.authuser

        self.user_perms = self.user.permissions

        log.debug('checking %s permissions %s for %s %s',

          self.__class__.__name__, self.required_perms, cls, self.user)

        if self.check_permissions():

            log.debug('Permission granted for %s %s', cls, self.user)

            return func(*fargs, **fkwargs)

        else:

            log.debug('Permission denied for %s %s', cls, self.user)

            anonymous = self.user.username == User.DEFAULT_USER

            if anonymous:

                return redirect_to_login(_('You need to be signed in to view this page'))

            else:

                # redirect with forbidden ret code

                return abort(403)

    def check_permissions(self):

        """Dummy function for overriding"""

        raise Exception('You have to write this function in child class')

class HasPermissionAllDecorator(PermsDecorator):

    """

    Checks for access permission for all given predicates. All of them

    have to be meet in order to fulfill the request

    """

    def check_permissions(self):

        if self.required_perms.issubset(self.user_perms.get('global')):

            return True

        return False