def log_in_user(user, remember, is_external_auth):

    """

    Log a `User` in and update session and cookies. If `remember` is True,

    the session cookie is set to expire in a year; otherwise, it expires at

    the end of the browser session.

    Returns populated `AuthUser` object.

    """

    user.update_lastlogin()

    meta.Session().commit()

    auth_user = AuthUser(dbuser=user,

                         is_external_auth=is_external_auth)

    # It should not be possible to explicitly log in as the default user.

    assert not auth_user.is_default_user

    auth_user.is_authenticated = True

    # Start new session to prevent session fixation attacks.

    session.invalidate()

    session['authuser'] = cookie = auth_user.to_cookie()

    # If they want to be remembered, update the cookie.

    # NOTE: Assumes that beaker defaults to browser session cookie.

    if remember:

        t = datetime.datetime.now() + datetime.timedelta(days=365)

        session._set_cookie_expires(t)

    session.save()

    log.info('user %s is now authenticated and stored in '

             'session, session attrs %s', user.username, cookie)

    # dumps session attrs back to cookie

    session._update_cookie_out()

    return auth_user

class BasicAuth(paste.auth.basic.AuthBasicAuthenticator):

    def __init__(self, realm, authfunc, auth_http_code=None):

        self.realm = realm

        self.authfunc = authfunc

        self._rc_auth_http_code = auth_http_code

    def build_authentication(self):

        head = paste.httpheaders.WWW_AUTHENTICATE.tuples('Basic realm="%s"' % self.realm)

        if self._rc_auth_http_code and self._rc_auth_http_code == '403':

            # return 403 if alternative http return code is specified in

            # Kallithea config

            return paste.httpexceptions.HTTPForbidden(headers=head)

        return paste.httpexceptions.HTTPUnauthorized(headers=head)

    def authenticate(self, environ):

        authorization = paste.httpheaders.AUTHORIZATION(environ)

        if not authorization:

            return self.build_authentication()

        (authmeth, auth) = authorization.split(' ', 1)

        if 'basic' != authmeth.lower():

            return self.build_authentication()

        auth = auth.strip().decode('base64')

        _parts = auth.split(':', 1)

        if len(_parts) == 2:

            username, password = _parts

            if self.authfunc(username, password, environ) is not None:

                return username

        return self.build_authentication()

    __call__ = authenticate

class BaseVCSController(object):

    """Base controller for handling Mercurial/Git protocol requests

    (coming from a VCS client, and not a browser).

    """

    def __init__(self, application, config):

        self.application = application

        self.config = config

        # base path of repo locations

        self.basepath = self.config['base_path']

        # authenticate this VCS request using the authentication modules

        self.authenticate = BasicAuth('', auth_modules.authenticate,

                                      config.get('auth_ret_code'))

    def _authorize(self, environ, start_response, action, repo_name, ip_addr):

        """Authenticate and authorize user.

        Since we're dealing with a VCS client and not a browser, we only

        support HTTP basic authentication, either directly via raw header

        inspection, or by using container authentication to delegate the

        authentication to the web server.

        Returns (user, None) on successful authentication and authorization.

        Returns (None, wsgi_app) to send the wsgi_app response to the client.

        """

        else:

                          'repository as anonymous user')

            username = None

            #==============================================================

            # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE

            # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS

            #==============================================================

            # try to auth based on environ, container auth methods

            log.debug('Running PRE-AUTH for container based authentication')

            pre_auth = auth_modules.authenticate('', '', environ)

            if pre_auth is not None and pre_auth.get('username'):

                username = pre_auth['username']

            log.debug('PRE-AUTH got %s as username', username)

            # If not authenticated by the container, running basic auth

            if not username:

                result = self.authenticate(environ)

                if isinstance(result, str):

                    paste.httpheaders.AUTH_TYPE.update(environ, 'basic')

                    paste.httpheaders.REMOTE_USER.update(environ, result)

                    username = result

                else:

                    return None, result.wsgi_application

            #==============================================================

            # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME

            #==============================================================

            try:

                user = User.get_by_username_or_email(username)

                if user is None or not user.active:

                    return None, webob.exc.HTTPForbidden()

            except Exception:

                log.error(traceback.format_exc())

                return None, webob.exc.HTTPInternalServerError()

            #check permissions for this repository

            perm = self._check_permission(action, user, repo_name, ip_addr)

            if not perm:

                return None, webob.exc.HTTPForbidden()

        return user, None

    def _handle_request(self, environ, start_response):

        raise NotImplementedError()

    def _get_by_id(self, repo_name):

        """

        Gets a special pattern _<ID> from clone url and tries to replace it

        with a repository_name for support of _<ID> permanent URLs

        :param repo_name:

        """

        data = repo_name.split('/')

        if len(data) >= 2:

            from kallithea.lib.utils import get_repo_by_id

            by_id_match = get_repo_by_id(repo_name)

            if by_id_match:

                data[1] = safe_str(by_id_match)

        return '/'.join(data)

    def _invalidate_cache(self, repo_name):

        """

        Sets cache for this repository for invalidation on next access

        :param repo_name: full repo name, also a cache key

        """

        ScmModel().mark_for_invalidation(repo_name)

    def _check_permission(self, action, user, repo_name, ip_addr=None):

        """

        Checks permissions using action (push/pull) user and repository

        name

        :param action: push or pull action

        :param user: `User` instance

        :param repo_name: repository name

        """

        # check IP

        ip_allowed = AuthUser.check_ip_allowed(user, ip_addr)

        if ip_allowed:

            log.info('Access for IP:%s allowed', ip_addr)

        else:

            return False

        if action == 'push':

            if not HasPermissionAnyMiddleware('repository.write',

                                              'repository.admin')(user,

                                                                  repo_name):

                return False

        else:

            #any other action need at least read permission

            if not HasPermissionAnyMiddleware('repository.read',

                                              'repository.write',

                                              'repository.admin')(user,

                                                                  repo_name):

                return False

        return True

    def _get_ip_addr(self, environ):

        return _get_ip_addr(environ)

    def _check_locking_state(self, environ, action, repo, user_id):

        """

        Checks locking on this repository, if locking is enabled and lock is

        present returns a tuple of make_lock, locked, locked_by.

        make_lock can have 3 states None (do nothing) True, make lock

        False release lock, This value is later propagated to hooks, which

        do the locking. Think about this as signals passed to hooks what to do.