log = logging.getLogger(__name__)

@cli_base.register_command(config_file_initialize_app=True, hidden=True)

@click.argument('user-id', type=click.INT, required=True)

@click.argument('key-id', type=click.INT, required=True)

def ssh_serve(user_id, key_id):

    """Serve SSH repository protocol access.

    The trusted command that is invoked from .ssh/authorized_keys to serve SSH

    protocol access. The access will be granted as the specified user ID, and

    logged as using the specified key ID.

    """

    ssh_enabled = kallithea.CONFIG.get('ssh_enabled', False)

    if not str2bool(ssh_enabled):

        sys.stderr.write("SSH access is disabled.\n")

        return sys.exit(1)

    ssh_locale = kallithea.CONFIG.get('ssh_locale')

    if ssh_locale:

        os.environ['LC_ALL'] = ssh_locale # trumps everything, including LANG, except LANGUAGE

        os.environ['LANGUAGE'] = ssh_locale # trumps LC_ALL for GNU gettext message handling

    ssh_original_command = os.environ.get('SSH_ORIGINAL_COMMAND', '')

    client_ip = connection.group(1) if connection else '0.0.0.0'

    log.debug('ssh-serve was invoked for SSH command %r from %s', ssh_original_command, client_ip)

    if not ssh_original_command:

        if os.environ.get('SSH_CONNECTION'):

            sys.stderr.write("'kallithea-cli ssh-serve' can only provide protocol access over SSH. Interactive SSH login for this user is disabled.\n")

        else:

            sys.stderr.write("'kallithea-cli ssh-serve' cannot be called directly. It must be specified as command in an SSH authorized_keys file.\n")

        return sys.exit(1)

    try:

        ssh_command_parts = shlex.split(ssh_original_command)

    except ValueError as e:

        sys.stderr.write('Error parsing SSH command %r: %s\n' % (ssh_original_command, e))

        sys.exit(1)

    for VcsHandler in [MercurialSshHandler, GitSshHandler]:

        vcs_handler = VcsHandler.make(ssh_command_parts)

        if vcs_handler is not None:

            vcs_handler.serve(user_id, key_id, client_ip)

            assert False # serve is written so it never will terminate

    sys.stderr.write("This account can only be used for repository access. SSH command %r is not supported.\n" % ssh_original_command)

    sys.exit(1)

        m.connect("gist_delete", "/gists/{gist_id}/delete",

                  action="delete", conditions=dict(method=["POST"]))

        m.connect("edit_gist", "/gists/{gist_id}/edit",

                  action="edit", conditions=dict(method=["GET", "POST"]))

        m.connect("edit_gist_check_revision", "/gists/{gist_id}/edit/check_revision",

                  action="check_revision", conditions=dict(method=["POST"]))

        m.connect("gist", "/gists/{gist_id}",

                  action="show", conditions=dict(method=["GET"]))

        m.connect("gist_rev", "/gists/{gist_id}/{revision}",

                  revision="tip",

                  action="show", conditions=dict(method=["GET"]))

        m.connect("formatted_gist", "/gists/{gist_id}/{revision}/{format}",

                  revision="tip",

                  action="show", conditions=dict(method=["GET"]))

        m.connect("formatted_gist_file", "/gists/{gist_id}/{revision}/{format}/{f_path:.*}",

                  revision='tip',

                  action="show", conditions=dict(method=["GET"]))

    # ADMIN MAIN PAGES

    with rmap.submapper(path_prefix=ADMIN_PREFIX,

                        controller='admin/admin') as m:

        m.connect('admin_home', '', action='index')

                  action='add_repo')

    #==========================================================================

    # API V2

    #==========================================================================

    with rmap.submapper(path_prefix=ADMIN_PREFIX, controller='api/api',

                        action='_dispatch') as m:

        m.connect('api', '/api')

    # USER JOURNAL

    rmap.connect('journal', '%s/journal' % ADMIN_PREFIX,

                 controller='journal', action='index')

    rmap.connect('journal_rss', '%s/journal/rss' % ADMIN_PREFIX,

                 controller='journal', action='journal_rss')

    rmap.connect('journal_atom', '%s/journal/atom' % ADMIN_PREFIX,

                 controller='journal', action='journal_atom')

    rmap.connect('public_journal', '%s/public_journal' % ADMIN_PREFIX,

                 controller='journal', action="public_journal")

    rmap.connect('public_journal_rss', '%s/public_journal/rss' % ADMIN_PREFIX,

                 controller='journal', action="public_journal_rss")

    rmap.connect('public_journal_rss_old', '%s/public_journal_rss' % ADMIN_PREFIX,

                 controller='journal', action="public_journal_rss")

            [(k, v) for (k, v) in _auth_cache.items() if

             (v + KallitheaAuthPlugin.AUTH_CACHE_TTL > ts)])

        _auth_cache = cleared_cache

    @hybrid_property

    def name(self):

        return "pam"

    def settings(self):

        settings = [

            {

                "name": "service",

                "validator": self.validators.UnicodeString(strip=True),

                "type": "string",

                "description": "PAM service name to use for authentication",

                "default": "login",

                "formname": "PAM service name"

            },

            {

                "name": "gecos",

                "validator": self.validators.UnicodeString(strip=True),

                "type": "string",

                "description": "Regex for extracting user name/email etc "

                               "from Unix userinfo",

                "formname": "Gecos Regex"

            }

        ]

        return settings

    def use_fake_password(self):

        return True

    def auth(self, userobj, username, password, settings, **kwargs):

        if not username:

            log.debug('Empty username - skipping...')

            return None

        if username not in _auth_cache:

            # Need lock here, as PAM authentication is not thread safe

            _pam_lock.acquire()

            try:

                auth_result = pam_authenticate(username, password,

                                               settings["service"])

                # cache result only if we properly authenticated

                if auth_result:

                    _auth_cache[username] = time.time()

            finally:

                _pam_lock.release()

This file was forked by the Kallithea project in July 2014.

Original author and date, and relevant copyright and licensing information is below:

:created_on: Dec 4, 2011

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import difflib

import logging

import re

from tg.i18n import ugettext as _

from kallithea.lib import helpers as h

from kallithea.lib.utils2 import safe_unicode

from kallithea.lib.vcs.backends.base import EmptyChangeset

from kallithea.lib.vcs.exceptions import VCSError

from kallithea.lib.vcs.nodes import FileNode, SubModuleNode

log = logging.getLogger(__name__)

def _safe_id(idstring):

    The HTML spec says that id attributes 'must begin with

    a letter ([A-Za-z]) and may be followed by any number

    of letters, digits ([0-9]), hyphens ("-"), underscores

    ("_"), colons (":"), and periods (".")'. These regexps

    are slightly over-zealous, in that they remove colons

    and periods unnecessarily.

    Whitespace is transformed into underscores, and then

    anything which is not a hyphen or a character that

    matches \w (alphanumerics and underscore) is removed.

    """

    # Transform all whitespace to underscore

    idstring = re.sub(r'\s', "_", idstring)

    # Remove everything that is not a hyphen or a member of \w

    idstring = re.sub(r'(?!-)\W', "", idstring).lower()

    return idstring

def as_html(table_class='code-difftable', line_class='line',

            old_lineno_class='lineno old', new_lineno_class='lineno new',

            no_lineno_class='lineno',

            code_class='code', enable_comments=False, parsed_lines=None):

    def _replace(match_obj):

        url = match_obj.group('url')

        if url is not None:

            return '<a href="%(url)s">%(url)s</a>' % {'url': url}

        mention = match_obj.group('mention')

        if mention is not None:

            return '<b>%s</b>' % mention

        hash_ = match_obj.group('hash')

        if hash_ is not None and repo_name is not None:

            from kallithea.config.routing import url  # doh, we need to re-import url to mock it later

            return '<a class="changeset_hash" href="%(url)s">%(hash)s</a>' % {

                 'url': url('changeset_home', repo_name=repo_name, revision=hash_),

                 'hash': hash_,

                }

        bold = match_obj.group('bold')

        if bold is not None:

            return '<b>*%s*</b>' % _urlify(bold[1:-1])

        if stylize:

            seen = match_obj.group('seen')

            if seen:

                return '<div class="label label-meta" data-tag="see">see =&gt; %s</div>' % seen

            license = match_obj.group('license')

            if license:

            tagtype = match_obj.group('tagtype')

            if tagtype:

                tagvalue = match_obj.group('tagvalue')

                return '<div class="label label-meta" data-tag="%s">%s =&gt; <a href="/%s">%s</a></div>' % (tagtype, tagtype, tagvalue, tagvalue)

            lang = match_obj.group('lang')

            if lang:

                return '<div class="label label-meta" data-tag="lang">%s</div>' % lang

            tag = match_obj.group('tag')

            if tag:

                return '<div class="label label-meta" data-tag="%s">%s</div>' % (tag, tag)

        return match_obj.group(0)

    def _urlify(s):

        """

        Extract urls from text and make html links out of them

        """

        return _URLIFY_RE.sub(_replace, s)

    if truncate is None:

        s = s.rstrip()

    else:

        s = truncatef(s, truncate, whole_word=True)

    s = html_escape(s)

    s = _urlify(s)

    @classmethod

    def _flavored_markdown(cls, text):

        """

        Github style flavored markdown

        :param text:

        """

        from hashlib import md5

        # Extract pre blocks.

        extractions = {}

        def pre_extraction_callback(matchobj):

            digest = md5(matchobj.group(0)).hexdigest()

            extractions[digest] = matchobj.group(0)

            return "{gfm-extraction-%s}" % digest

        pattern = re.compile(r'<pre>.*?</pre>', re.MULTILINE | re.DOTALL)

        text = re.sub(pattern, pre_extraction_callback, text)

        # Prevent foo_bar_baz from ending up with an italic word in the middle.

        def italic_callback(matchobj):

            s = matchobj.group(0)

            if list(s).count('_') >= 2:

            return s

        text = re.sub(r'^(?! {4}|\t)\w+_\w+_\w[\w_]*', italic_callback, text)

        # In very clear cases, let newlines become <br /> tags.

        def newline_callback(matchobj):

            if len(matchobj.group(1)) == 1:

                return matchobj.group(0).rstrip() + '  \n'

            else:

                return matchobj.group(0)

        pattern = re.compile(r'^[\w\<][^\n]*(\n+)', re.MULTILINE)

        text = re.sub(pattern, newline_callback, text)

        # Insert pre block extractions.

        def pre_insert_callback(matchobj):

            return '\n\n' + extractions[matchobj.group(1)]

        text = re.sub(r'{gfm-extraction-([0-9a-f]{32})\}',

                      pre_insert_callback, text)

        return text

    @classmethod

    def render(cls, source, filename=None):

        """

        Renders a given filename using detected renderer

            for k, v in docutils_settings.iteritems():

                directives.register_directive(k, v)

            parts = publish_parts(source=source,

                                  writer_name="html4css1",

                                  settings_overrides=docutils_settings)

            return parts['html_title'] + parts["fragment"]

        except ImportError:

            log.warning('Install docutils to use this function')

            return cls.plain(source)

        except Exception:

            log.error(traceback.format_exc())

            if safe:

                log.debug('Falling back to render in plain mode')

                return cls.plain(source)

            else:

                raise

    @classmethod

    def rst_with_mentions(cls, source):

        def wrapp(match_obj):

            uname = match_obj.groups()[0]

        mention_hl = MENTIONS_REGEX.sub(wrapp, source).strip()

        return cls.rst(mention_hl)

    :param config: kallithea.CONFIG

    """

    from kallithea.lib.vcs import conf

    from kallithea.lib.utils2 import aslist

    conf.settings.BACKENDS = {

        'hg': 'kallithea.lib.vcs.backends.hg.MercurialRepository',

        'git': 'kallithea.lib.vcs.backends.git.GitRepository',

    }

    conf.settings.GIT_EXECUTABLE_PATH = config.get('git_path', 'git')

    conf.settings.GIT_REV_FILTER = config.get('git_rev_filter', '--all').strip()

    conf.settings.DEFAULT_ENCODINGS = aslist(config.get('default_encoding',

                                                        'utf-8'), sep=',')

def set_indexer_config(config):

    """

    Update Whoosh index mapping

    :param config: kallithea.CONFIG

    """

    from kallithea.config import conf

    log.debug('adding extra into INDEX_EXTENSIONS')

    log.debug('adding extra into INDEX_FILENAMES')

def map_groups(path):

    """

    Given a full path to a repository, create all nested groups that this

    repo is inside. This function creates parent-child relationships between

    groups and creates default perms for all new groups.

    :param paths: full path to repository

    """

    sa = meta.Session()

    groups = path.split(Repository.url_sep())

    parent = None

    group = None

    # last element is repo in nested groups structure

    groups = groups[:-1]

    rgm = RepoGroupModel()

    owner = User.get_first_admin()

    for lvl, group_name in enumerate(groups):

        group_name = u'/'.join(groups[:lvl] + [group_name])

        group = RepoGroup.get_by_group_name(group_name)

        desc = '%s group' % group_name

        #    if not k.startswith('_') and not hasattr(EXT, k):

        #        setattr(EXT, k, getattr(rcextensions, k))

#==============================================================================

# MISC

#==============================================================================

def check_git_version():

    """

    Checks what version of git is installed in system, and issues a warning

    if it's too old for Kallithea to work properly.

    """

    from kallithea import BACKENDS

    from kallithea.lib.vcs.backends.git.repository import GitRepository

    from kallithea.lib.vcs.conf import settings

    from distutils.version import StrictVersion

    if 'git' not in BACKENDS:

        return None

    stdout, stderr = GitRepository._run_git_command(['--version'], _bare=True,

                                                    _safe=True)

    if m:

        ver = StrictVersion(m.group(0))

    else:

        ver = StrictVersion('0.0.0')

    req_ver = StrictVersion('1.7.4')

    log.debug('Git executable: "%s" version %s detected: %s',

              settings.GIT_EXECUTABLE_PATH, ver, stdout)

    if stderr:

        log.warning('Error detecting git version: %r', stderr)

    elif ver < req_ver:

        log.warning('Kallithea detected git version %s, which is too old '

                    'for the system to function properly. '

                    'Please upgrade to version %s or later.' % (ver, req_ver))

    return ver

#===============================================================================

# CACHE RELATED METHODS

#===============================================================================

# set cache regions for beaker so celery can utilise it

def setup_cache_regions(settings):

    :param replace: char to find and replace multiple instances

    Examples::

    >>> recursive_replace("Mighty---Mighty-Bo--sstones",'-')

    'Mighty-Mighty-Bo-sstones'

    """

    if str_.find(replace * 2) == -1:

        return str_

    else:

        str_ = str_.replace(replace * 2, replace)

        return recursive_replace(str_, replace)

def repo_name_slug(value):

    """

    Return slug of name of repository

    This function is called on each creation/modification

    of repository to prevent bad names in repo

    """

    slug = remove_formatting(value)

    slug = strip_tags(slug)

        slug = slug.replace(c, '-')

    slug = recursive_replace(slug, '-')

    slug = collapse(slug, '-')

    return slug

def ask_ok(prompt, retries=4, complaint='Yes or no please!'):

    while True:

        ok = raw_input(prompt)

        if ok in ('y', 'ye', 'yes'):

            return True

        if ok in ('n', 'no', 'nop', 'nope'):

            return False

        retries = retries - 1

        if retries < 0:

            raise IOError

        print complaint