user_user_groups_perms = Permission.get_default_user_group_perms(user_id)

    for perm in user_user_groups_perms:

        bump_permission(UK,

            perm.UserUserGroupToPerm.user_group.users_group_name,

            perm.Permission.permission_name)

    return permissions

class AuthUser(object):

    """

    Represents a Kallithea user, including various authentication and

    authorization information. Typically used to store the current user,

    but is also used as a generic user information data structure in

    parts of the code, e.g. user management.

    Constructed from a database `User` object, a user ID or cookie dict,

    it looks up the user (if needed) and copies all attributes to itself,

    adding various non-persistent data. If lookup fails but anonymous

    access to Kallithea is enabled, the default user is loaded instead.

    `AuthUser` does not by itself authenticate users. It's up to other parts of

    the code to check e.g. if a supplied password is correct, and if so, trust

    the AuthUser object as an authenticated user.

    However, `AuthUser` does refuse to load a user that is not `active`.

    Note that Kallithea distinguishes between the default user (an actual

    user in the database with username "default") and "no user" (no actual

    User object, AuthUser filled with blank values and username "None").

    If the default user is active, that will always be used instead of

    "no user". On the other hand, if the default user is disabled (and

    there is no login information), we instead get "no user"; this should

    only happen on the login page (as all other requests are redirected).

    `is_default_user` specifically checks if the AuthUser is the user named

    "default". Use `is_anonymous` to check for both "default" and "no user".

    """

    @classmethod

    def make(cls, dbuser=None, is_external_auth=False, ip_addr=None):

        """Create an AuthUser to be authenticated ... or return None if user for some reason can't be authenticated.

        Checks that a non-None dbuser is provided, is active, and that the IP address is ok.

        """

        assert ip_addr is not None

        if dbuser is None:

            log.info('No db user for authentication')

            return None

        if not dbuser.active:

            log.info('Db user %s not active', dbuser.username)

            return None

        allowed_ips = AuthUser.get_allowed_ips(dbuser.user_id, cache=True)

        if not check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):

            log.info('Access for %s from %s forbidden - not in %s', dbuser.username, ip_addr, allowed_ips)

            return None

        return cls(dbuser=dbuser, is_external_auth=is_external_auth)

    def __init__(self, user_id=None, dbuser=None, is_external_auth=False):

        self.is_external_auth = is_external_auth # container auth - don't show logout option

        # These attributes will be overridden by fill_data, below, unless the

        # requested user cannot be found and the default anonymous user is

        # not enabled.

        self.user_id = None

        self.username = None

        self.api_key = None

        self.name = ''

        self.lastname = ''

        self.email = ''

        self.admin = False

        # Look up database user, if necessary.

        if user_id is not None:

            assert dbuser is None

            log.debug('Auth User lookup by USER ID %s', user_id)

            dbuser = UserModel().get(user_id)

            assert dbuser is not None

        else:

            assert dbuser is not None

            log.debug('Auth User lookup by database user %s', dbuser)

        log.debug('filling %s data', dbuser)

        self.is_anonymous = dbuser.is_default_user

        if dbuser.is_default_user and not dbuser.active:

            self.username = 'None'

            self.is_default_user = False

        else:

            # copy non-confidential database fields from a `db.User` to this `AuthUser`.

            for k, v in dbuser.get_dict().iteritems():

                assert k not in ['api_keys', 'permissions']

                setattr(self, k, v)

            self.is_default_user = dbuser.is_default_user

        log.debug('Auth User is now %s', self)

    @LazyProperty

    def permissions(self):

        return self.__get_perms(user=self, cache=False)

    def has_repository_permission_level(self, repo_name, level, purpose=None):

        required_perms = {

            'read': ['repository.read', 'repository.write', 'repository.admin'],

            'write': ['repository.write', 'repository.admin'],

            'admin': ['repository.admin'],

        }[level]

        actual_perm = self.permissions['repositories'].get(repo_name)

        ok = actual_perm in required_perms

        log.debug('Checking if user %r can %r repo %r (%s): %s (has %r)',

            self.username, level, repo_name, purpose, ok, actual_perm)

        return ok

    def has_repository_group_permission_level(self, repo_group_name, level, purpose=None):

        required_perms = {

            'read': ['group.read', 'group.write', 'group.admin'],

            'write': ['group.write', 'group.admin'],

            'admin': ['group.admin'],

        }[level]

        actual_perm = self.permissions['repositories_groups'].get(repo_group_name)

        ok = actual_perm in required_perms

        log.debug('Checking if user %r can %r repo group %r (%s): %s (has %r)',

            self.username, level, repo_group_name, purpose, ok, actual_perm)

        return ok

    def has_user_group_permission_level(self, user_group_name, level, purpose=None):

        required_perms = {

            'read': ['usergroup.read', 'usergroup.write', 'usergroup.admin'],

            'write': ['usergroup.write', 'usergroup.admin'],

            'admin': ['usergroup.admin'],

        }[level]

        actual_perm = self.permissions['user_groups'].get(user_group_name)

        ok = actual_perm in required_perms

        log.debug('Checking if user %r can %r user group %r (%s): %s (has %r)',

            self.username, level, user_group_name, purpose, ok, actual_perm)

        return ok

    @property

    def api_keys(self):

        return self._get_api_keys()

    def __get_perms(self, user, cache=False):

        """

        Fills user permission attribute with permissions taken from database

        works for permissions given for repositories, and for permissions that

        are granted to groups

        :param user: `AuthUser` instance

        """

        user_id = user.user_id

        user_is_admin = user.is_admin

        log.debug('Getting PERMISSION tree')

        compute = conditional_cache('short_term', 'cache_desc',

                                    condition=cache, func=_cached_perms_data)

        return compute(user_id, user_is_admin)

    def _get_api_keys(self):

        api_keys = [self.api_key]

        for api_key in UserApiKeys.query() \

                .filter_by(user_id=self.user_id, is_expired=False):

            api_keys.append(api_key.api_key)

        return api_keys

    @property

    def is_admin(self):

        return self.admin

    @property

    def repositories_admin(self):

        """

        Returns list of repositories you're an admin of

        """

        return [x[0] for x in self.permissions['repositories'].iteritems()

                if x[1] == 'repository.admin']

    @property

    def repository_groups_admin(self):

        """

        Returns list of repository groups you're an admin of

        """

        return [x[0] for x in self.permissions['repositories_groups'].iteritems()

                if x[1] == 'group.admin']

    @property

    def user_groups_admin(self):

        """

        Returns list of user groups you're an admin of

        """

        return [x[0] for x in self.permissions['user_groups'].iteritems()

                if x[1] == 'usergroup.admin']

    def __repr__(self):

    def to_cookie(self):

        """ Serializes this login session to a cookie `dict`. """

        return {

            'user_id': self.user_id,

            'is_external_auth': self.is_external_auth,

        }

    @staticmethod

    def from_cookie(cookie, ip_addr):

        """

        Deserializes an `AuthUser` from a cookie `dict` ... or return None.

        """

        return AuthUser.make(

            dbuser=UserModel().get(cookie.get('user_id')),

            is_external_auth=cookie.get('is_external_auth', False),

            ip_addr=ip_addr,

        )

    @classmethod

    def get_allowed_ips(cls, user_id, cache=False):

        _set = set()

        default_ips = UserIpMap.query().filter(UserIpMap.user_id ==

                                        User.get_default_user(cache=True).user_id)

        if cache:

            default_ips = default_ips.options(FromCache("sql_cache_short",

                                              "get_user_ips_default"))

        for ip in default_ips:

            try:

                _set.add(ip.ip_addr)

            except ObjectDeletedError:

                # since we use heavy caching sometimes it happens that we get

                # deleted objects here, we just skip them

                pass

        user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)

        if cache:

            user_ips = user_ips.options(FromCache("sql_cache_short",

                                                  "get_user_ips_%s" % user_id))

        for ip in user_ips:

            try:

                _set.add(ip.ip_addr)

            except ObjectDeletedError:

                # since we use heavy caching sometimes it happens that we get

                # deleted objects here, we just skip them

                pass

        return _set or set(['0.0.0.0/0', '::/0'])

#==============================================================================

# CHECK DECORATORS

#==============================================================================

def _redirect_to_login(message=None):

    """Return an exception that must be raised. It will redirect to the login

    page which will redirect back to the current URL after authentication.

    The optional message will be shown in a flash message."""

    from kallithea.lib import helpers as h

    if message:

        h.flash(message, category='warning')

    p = request.path_qs

    log.debug('Redirecting to login page, origin: %s', p)

    return HTTPFound(location=url('login_home', came_from=p))

# Use as decorator

class LoginRequired(object):

    """Client must be logged in as a valid User, or we'll redirect to the login

    page.

    If the "default" user is enabled and allow_default_user is true, that is

    considered valid too.

    Also checks that IP address is allowed.

    """

    def __init__(self, allow_default_user=False):

        self.allow_default_user = allow_default_user

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        controller = fargs[0]

        user = request.authuser

        loc = "%s:%s" % (controller.__class__.__name__, func.__name__)

        log.debug('Checking access for user %s @ %s', user, loc)

        # regular user authentication

        if user.is_default_user:

            if self.allow_default_user:

                log.info('default user @ %s', loc)

                return func(*fargs, **fkwargs)

            log.info('default user is not accepted here @ %s', loc)

        elif user.is_anonymous: # default user is disabled and no proper authentication

            log.warning('user is anonymous and NOT authenticated with regular auth @ %s', loc)

        else: # regular authentication

            log.info('user %s authenticated with regular auth @ %s', user, loc)

            return func(*fargs, **fkwargs)

        raise _redirect_to_login()

# Use as decorator

class NotAnonymous(object):

    """Ensures that client is not logged in as the "default" user, and

    redirects to the login page otherwise. Must be used together with

    LoginRequired."""

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        cls = fargs[0]

        user = request.authuser

        log.debug('Checking that user %s is not anonymous @%s', user.username, cls)

        if user.is_default_user:

            raise _redirect_to_login(_('You need to be a registered user to '

                                       'perform this action'))

        else:

            return func(*fargs, **fkwargs)

class _PermsDecorator(object):

    """Base class for controller decorators with multiple permissions"""

    def __init__(self, *required_perms):

        self.required_perms = required_perms # usually very short - a list is thus fine

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        cls = fargs[0]

        user = request.authuser

        log.debug('checking %s permissions %s for %s %s',

          self.__class__.__name__, self.required_perms, cls, user)

        if self.check_permissions(user):

            log.debug('Permission granted for %s %s', cls, user)

            return func(*fargs, **fkwargs)

        else:

            log.info('Permission denied for %s %s', cls, user)

            if user.is_default_user:

                raise _redirect_to_login(_('You need to be signed in to view this page'))

            else:

                raise HTTPForbidden()

    def check_permissions(self, user):

        raise NotImplementedError()

class HasPermissionAnyDecorator(_PermsDecorator):

    """

    Checks the user has any of the given global permissions.

    """

    def check_permissions(self, user):

        global_permissions = user.permissions['global'] # usually very short

        return any(p in global_permissions for p in self.required_perms)

class _PermDecorator(_PermsDecorator):

    """Base class for controller decorators with a single permission"""

    def __init__(self, required_perm):

        _PermsDecorator.__init__(self, [required_perm])

        self.required_perm = required_perm

class HasRepoPermissionLevelDecorator(_PermDecorator):

    """

    Checks the user has at least the specified permission level for the requested repository.

    """

    def check_permissions(self, user):

        repo_name = get_repo_slug(request)

        return user.has_repository_permission_level(repo_name, self.required_perm)

class HasRepoGroupPermissionLevelDecorator(_PermDecorator):

    """

    Checks the user has any of given permissions for the requested repository group.

    """

    def check_permissions(self, user):

        repo_group_name = get_repo_group_slug(request)

        return user.has_repository_group_permission_level(repo_group_name, self.required_perm)

    def count(self):

        return len(self.revisions)

    def tag(self, name, user, revision=None, message=None, date=None, **opts):

        """

        Creates and returns a tag for the given ``revision``.

        :param name: name for new tag

        :param user: full username, i.e.: "Joe Doe <joe.doe@example.com>"

        :param revision: changeset id for which new tag would be created

        :param message: message of the tag's commit

        :param date: date of tag's commit

        :raises TagAlreadyExistError: if tag with same name already exists

        """

        raise NotImplementedError

    def remove_tag(self, name, user, message=None, date=None):

        """

        Removes tag with the given ``name``.

        :param name: name of the tag to be removed

        :param user: full username, i.e.: "Joe Doe <joe.doe@example.com>"

        :param message: message of the tag's removal commit

        :param date: date of tag's removal commit

        :raises TagDoesNotExistError: if tag with given name does not exists

        """

        raise NotImplementedError

    def get_diff(self, rev1, rev2, path=None, ignore_whitespace=False,

            context=3):

        """

        Returns (git like) *diff*, as plain text. Shows changes introduced by

        ``rev2`` since ``rev1``.

        :param rev1: Entry point from which diff is shown. Can be

          ``self.EMPTY_CHANGESET`` - in this case, patch showing all

          the changes since empty state of the repository until ``rev2``

        :param rev2: Until which revision changes should be shown.

        :param ignore_whitespace: If set to ``True``, would not show whitespace

          changes. Defaults to ``False``.

        :param context: How many lines before/after changed lines should be

          shown. Defaults to ``3``.

        """

        raise NotImplementedError

    # ========== #

    # COMMIT API #

    # ========== #

    @LazyProperty

    def in_memory_changeset(self):

        """

        Returns ``InMemoryChangeset`` object for this repository.

        """

        raise NotImplementedError

    def add(self, filenode, **kwargs):

        """

        Commit api function that will add given ``FileNode`` into this

        repository.

        :raises ``NodeAlreadyExistsError``: if there is a file with same path

          already in repository

        :raises ``NodeAlreadyAddedError``: if given node is already marked as

          *added*

        """

        raise NotImplementedError

    def remove(self, filenode, **kwargs):

        """

        Commit api function that will remove given ``FileNode`` into this

        repository.

        :raises ``EmptyRepositoryError``: if there are no changesets yet

        :raises ``NodeDoesNotExistError``: if there is no file with given path

        """

        raise NotImplementedError

    def commit(self, message, **kwargs):

        """

        Persists current changes made on this repository and returns newly

        created changeset.

        :raises ``NothingChangedError``: if no changes has been made

        """

        raise NotImplementedError

    def get_state(self):

        """

        Returns dictionary with ``added``, ``changed`` and ``removed`` lists

        containing ``FileNode`` objects.

        """

        raise NotImplementedError

    def get_config_value(self, section, name, config_file=None):

        """

        Returns configuration value for a given [``section``] and ``name``.

        :param section: Section we want to retrieve value from

        :param name: Name of configuration we want to retrieve

        :param config_file: A path to file which should be used to retrieve

          configuration from (might also be a list of file paths)

        """

        raise NotImplementedError

    def get_user_name(self, config_file=None):

        """

        Returns user's name from global configuration file.

        :param config_file: A path to file which should be used to retrieve

          configuration from (might also be a list of file paths)

        """

        raise NotImplementedError

    def get_user_email(self, config_file=None):

        """

        Returns user's email from global configuration file.

        :param config_file: A path to file which should be used to retrieve

          configuration from (might also be a list of file paths)

        """

        raise NotImplementedError

    # =========== #

    # WORKDIR API #

    # =========== #

    @LazyProperty

    def workdir(self):

        """

        Returns ``Workdir`` instance for this repository.

        """

        raise NotImplementedError

class BaseChangeset(object):

    """

    Each backend should implement it's changeset representation.

    **Attributes**

        ``repository``

            repository object within which changeset exists

        ``id``

            may be ``raw_id`` or i.e. for mercurial's tip just ``tip``

        ``raw_id``

            raw changeset representation (i.e. full 40 length sha for git

            backend)

        ``short_id``

            shortened (if apply) version of ``raw_id``; it would be simple

            shortcut for ``raw_id[:12]`` for git/mercurial backends or same

            as ``raw_id`` for subversion

        ``revision``

            revision number as integer

        ``files``

            list of ``FileNode`` (``Node`` with NodeKind.FILE) objects

        ``dirs``

            list of ``DirNode`` (``Node`` with NodeKind.DIR) objects

        ``nodes``

            combined list of ``Node`` objects

        ``author``

            author of the changeset, as unicode

        ``message``

            message of the changeset, as unicode

        ``parents``

            list of parent changesets

        ``last``

            ``True`` if this is last changeset in repository, ``False``

            otherwise; trying to access this attribute while there is no

            changesets would raise ``EmptyRepositoryError``

    """

    def __str__(self):

        return '<%s at %s:%s>' % (self.__class__.__name__, self.revision,

            self.short_id)

    def __repr__(self):

        return self.__str__()

    def __eq__(self, other):

        if type(self) is not type(other):

            return False

        return self.raw_id == other.raw_id

    def __json__(self, with_file_list=False):

        if with_file_list:

            return dict(

                short_id=self.short_id,

                raw_id=self.raw_id,

                revision=self.revision,

                message=self.message,

                date=self.date,

                author=self.author,

                added=[safe_unicode(el.path) for el in self.added],

                changed=[safe_unicode(el.path) for el in self.changed],

                removed=[safe_unicode(el.path) for el in self.removed],

            )

        else:

            return dict(

                short_id=self.short_id,

                raw_id=self.raw_id,

                revision=self.revision,

                message=self.message,

                date=self.date,

                author=self.author,

            )

    @LazyProperty

    def last(self):

        if self.repository is None:

            raise ChangesetError("Cannot check if it's most recent revision")

        return self.raw_id == self.repository.revisions[-1]

    @LazyProperty

    def parents(self):

        """

        Returns list of parents changesets.

        """

        raise NotImplementedError

    @LazyProperty

    def children(self):

        """

        Returns list of children changesets.

        """

        raise NotImplementedError

    @LazyProperty

    def id(self):

        """

        Returns string identifying this changeset.

        """

        raise NotImplementedError

    @LazyProperty

    def raw_id(self):

        """

        Returns raw string identifying this changeset.

        """

        raise NotImplementedError

    @LazyProperty

    def short_id(self):

        """

        Returns shortened version of ``raw_id`` attribute, as string,

        identifying this changeset, useful for web representation.

        """

        raise NotImplementedError

    @LazyProperty

    def revision(self):

        """

        Returns integer identifying this changeset.

        """

        raise NotImplementedError

    @LazyProperty

    def committer(self):

        """

        Returns Committer for given commit

        """

        raise NotImplementedError

    @LazyProperty

    def committer_name(self):

        """

        Returns Author name for given commit

        """

        return author_name(self.committer)

    @LazyProperty

    def committer_email(self):

        """

        Returns Author email address for given commit

        """

        return author_email(self.committer)

    @LazyProperty

    def author(self):

        """

        Returns Author for given commit

        """

        raise NotImplementedError

    @LazyProperty

    def author_name(self):

        """

        Returns Author name for given commit

        """

        return author_name(self.author)

    @LazyProperty

    def author_email(self):

        """

        Returns Author email address for given commit

        """

        return author_email(self.author)

    def get_file_mode(self, path):

        """

        Returns stat mode of the file at the given ``path``.

        """

        raise NotImplementedError

    def get_file_content(self, path):

        """

        Returns content of the file at the given ``path``.

        """

        raise NotImplementedError

    def get_file_size(self, path):

        """

        Returns size of the file at the given ``path``.

        """

        raise NotImplementedError

    def get_file_changeset(self, path):

        """

        Returns last commit of the file at the given ``path``.

        """

        raise NotImplementedError

    def get_file_history(self, path):

        """

        Returns history of file as reversed list of ``Changeset`` objects for

        which file at given ``path`` has been modified.

        """

        raise NotImplementedError

    def get_nodes(self, path):

        """

        Returns combined ``DirNode`` and ``FileNode`` objects list representing

        state of changeset at the given ``path``.

        :raises ``ChangesetError``: if node at the given ``path`` is not

          instance of ``DirNode``

        """

        raise NotImplementedError

    def get_node(self, path):

        """

        Returns ``Node`` object from the given ``path``.

        :raises ``NodeDoesNotExistError``: if there is no node at the given

          ``path``

        """

        raise NotImplementedError

    def fill_archive(self, stream=None, kind='tgz', prefix=None):

        """

        Fills up given stream.

        :param stream: file like object.

        :param kind: one of following: ``zip``, ``tar``, ``tgz``

            or ``tbz2``. Default: ``tgz``.

        :param prefix: name of root directory in archive.

            Default is repository name and changeset's raw_id joined with dash.

            repo-tip.<kind>

        """

        raise NotImplementedError

    def get_chunked_archive(self, **kwargs):

# -*- coding: utf-8 -*-

"""

    vcs.nodes

    ~~~~~~~~~

    Module holding everything related to vcs nodes.

    :created_on: Apr 8, 2010

    :copyright: (c) 2010-2011 by Marcin Kuzminski, Lukasz Balcerzak.

"""

import functools

import mimetypes

import posixpath

import stat

from kallithea.lib.vcs.backends.base import EmptyChangeset

from kallithea.lib.vcs.exceptions import NodeError, RemovedFileNodeError

from kallithea.lib.vcs.utils import safe_bytes, safe_str, safe_unicode

from kallithea.lib.vcs.utils.lazy import LazyProperty

class NodeKind:

    SUBMODULE = -1

    DIR = 1

    FILE = 2

class NodeState:

    ADDED = u'added'

    CHANGED = u'changed'

    NOT_CHANGED = u'not changed'

    REMOVED = u'removed'

class NodeGeneratorBase(object):

    """

    Base class for removed added and changed filenodes, it's a lazy generator

    class that will create filenodes only on iteration or call

    The len method doesn't need to create filenodes at all

    """

    def __init__(self, current_paths, cs):

        self.cs = cs

        self.current_paths = current_paths

    def __call__(self):

        return [n for n in self]

    def __getitem__(self, key):

        assert isinstance(key, slice), key

        for p in self.current_paths[key]:

            yield self.cs.get_node(p)

    def __len__(self):

        return len(self.current_paths)

    def __iter__(self):

        for p in self.current_paths:

            yield self.cs.get_node(p)

class AddedFileNodesGenerator(NodeGeneratorBase):

    """

    Class holding Added files for current changeset

    """

    pass

class ChangedFileNodesGenerator(NodeGeneratorBase):

    """

    Class holding Changed files for current changeset

    """

    pass

class RemovedFileNodesGenerator(NodeGeneratorBase):

    """

    Class holding removed files for current changeset

    """

    def __iter__(self):

        for p in self.current_paths:

            yield RemovedFileNode(path=p)

    def __getitem__(self, key):

        assert isinstance(key, slice), key

        for p in self.current_paths[key]:

            yield RemovedFileNode(path=p)

@functools.total_ordering

class Node(object):