admin = True

            repos_list = Session().query(Repository) \

                         .filter(Repository.owner_id ==

                                 request.authuser.user_id).all()

        return RepoModel().get_repos_as_dict(repos_list, admin=admin)

    def my_account(self):

        c.active = 'profile'

        self.__load_data()

        c.perm_user = AuthUser(user_id=request.authuser.user_id)

        managed_fields = auth_modules.get_managed_fields(c.user)

        if 'hg.register.none' in def_user_perms:

            managed_fields.extend(['username', 'firstname', 'lastname', 'email'])

        c.readonly = lambda n: 'readonly' if n in managed_fields else None

        defaults = c.user.get_dict()

        update = False

        if request.POST:

            _form = UserForm(edit=True,

                             old_data={'user_id': request.authuser.user_id,

                                       'email': request.authuser.email})()

            form_result = {}

                h.flash(_('Authentication failed.'), 'error')

        else:

            # redirect if already logged in

            if not request.authuser.is_anonymous:

                raise HTTPFound(location=c.came_from)

            # continue to show login to default user

        return render('/login.html')

    @HasPermissionAnyDecorator('hg.admin', 'hg.register.auto_activate',

                               'hg.register.manual_activate')

    def register(self):

        c.auto_active = 'hg.register.auto_activate' in def_user_perms

        settings = Setting.get_app_settings()

        captcha_private_key = settings.get('captcha_private_key')

        c.captcha_active = bool(captcha_private_key)

        c.captcha_public_key = settings.get('captcha_public_key')

        if request.POST:

            register_form = RegisterForm()()

            try:

                form_result = register_form.to_python(dict(request.POST))

                form_result['active'] = c.auto_active

import ipaddr

from decorator import decorator

from sqlalchemy.orm import joinedload

from sqlalchemy.orm.exc import ObjectDeletedError

from tg import request

from tg.i18n import ugettext as _

from webob.exc import HTTPForbidden, HTTPFound

import kallithea

from kallithea.config.routing import url

from kallithea.lib.utils import get_repo_group_slug, get_repo_slug, get_user_group_slug

from kallithea.lib.utils2 import ascii_bytes, ascii_str, safe_bytes

from kallithea.model.db import (Permission, UserApiKeys, UserGroup, UserGroupMember, UserGroupRepoGroupToPerm, UserGroupRepoToPerm, UserGroupToPerm,

                                UserGroupUserGroupToPerm, UserIpMap, UserToPerm)

from kallithea.model.meta import Session

from kallithea.model.user import UserModel

log = logging.getLogger(__name__)

class PasswordGenerator(object):

    """

    This is a simple class for generating password from different sets of

    if len(hashed) == 64 and all(x in string.hexdigits for x in hashed):

        return hashlib.sha256(password).hexdigest() == hashed

    try:

        return bcrypt.checkpw(safe_bytes(password), ascii_bytes(hashed))

    except ValueError as e:

        # bcrypt will throw ValueError 'Invalid hashed_password salt' on all password errors

        log.error('error from bcrypt checking password: %s', e)

        return False

    log.error('check_password failed - no method found for hash length %s', len(hashed))

    return False

    PERM_WEIGHTS = Permission.PERM_WEIGHTS

        Assuming the permissions are comparable, set the new permission if it

        has higher weight, else drop it and keep the old permission.

        """

        new_perm_val = PERM_WEIGHTS[new_perm]

        cur_perm_val = PERM_WEIGHTS[cur_perm]

        if new_perm_val > cur_perm_val:

    #======================================================================

    # fetch default permissions

    #======================================================================

    default_repo_perms = Permission.get_default_perms(kallithea.DEFAULT_USER_ID)

    default_repo_groups_perms = Permission.get_default_group_perms(kallithea.DEFAULT_USER_ID)

    default_user_group_perms = Permission.get_default_user_group_perms(kallithea.DEFAULT_USER_ID)

    if user_is_admin:

        #==================================================================

        # admin users have all rights;

        # based on default permissions, just set everything to admin

        #==================================================================

        # repositories

        for perm in default_repo_perms:

            r_k = perm.repository.repo_name

            p = 'repository.admin'

        # repository groups

        for perm in default_repo_groups_perms:

            rg_k = perm.group.group_name

            p = 'group.admin'

        # user groups

        for perm in default_user_group_perms:

            u_k = perm.user_group.users_group_name

            p = 'usergroup.admin'

    #==================================================================

    # SET DEFAULTS GLOBAL, REPOS, REPOSITORY GROUPS

    #==================================================================

    # default global permissions taken from the default user

    default_global_perms = UserToPerm.query() \

        .filter(UserToPerm.user_id == kallithea.DEFAULT_USER_ID) \

        .options(joinedload(UserToPerm.permission))

    for perm in default_global_perms:

    # defaults for repositories, taken from default user

    for perm in default_repo_perms:

        r_k = perm.repository.repo_name

        if perm.repository.owner_id == user_id:

            p = 'repository.admin'

        elif perm.repository.private:

            p = 'repository.none'

        else:

            p = perm.permission.permission_name

    # defaults for repository groups taken from default user permission

    # on given group

    for perm in default_repo_groups_perms:

        rg_k = perm.group.group_name

        p = perm.permission.permission_name

    # defaults for user groups taken from default user permission

    # on given user group

    for perm in default_user_group_perms:

        u_k = perm.user_group.users_group_name

        p = perm.permission.permission_name

    #======================================================================

    # !! Augment GLOBALS with user permissions if any found !!

    #======================================================================

    # USER GROUPS comes first

    # user group global permissions

    user_perms_from_users_groups = Session().query(UserGroupToPerm) \

        .options(joinedload(UserGroupToPerm.permission)) \

        .join((UserGroupMember, UserGroupToPerm.users_group_id ==

               UserGroupMember.users_group_id)) \

        .filter(UserGroupMember.user_id == user_id) \

        .join((UserGroup, UserGroupMember.users_group_id ==

               UserGroup.users_group_id)) \

        .filter(UserGroup.users_group_active == True) \

        .order_by(UserGroupToPerm.users_group_id) \

        .all()

    # need to group here by groups since user can be in more than

    # one group

    _grouped = [[x, list(y)] for x, y in

                itertools.groupby(user_perms_from_users_groups,

                                  lambda x:x.users_group)]

    for gr, perms in _grouped:

        for perm in perms:

    # user specific global permissions

    user_perms = Session().query(UserToPerm) \

            .options(joinedload(UserToPerm.permission)) \

            .filter(UserToPerm.user_id == user_id).all()

    for perm in user_perms:

    # for each kind of global permissions, only keep the one with heighest weight

    kind_max_perm = {}

        kind = perm.rsplit('.', 1)[0]

        kind_max_perm[kind] = perm

    ## END GLOBAL PERMISSIONS

    #======================================================================

    # !! PERMISSIONS FOR REPOSITORIES !!

    #======================================================================

    #======================================================================

    # check if user is part of user groups for this repository and

    # fill in his permission from it.

    #======================================================================

    # user group for repositories permissions

    user_repo_perms_from_users_groups = \

     Session().query(UserGroupRepoToPerm) \

        .join((UserGroup, UserGroupRepoToPerm.users_group_id ==

               UserGroup.users_group_id)) \

        .filter(UserGroup.users_group_active == True) \

        .join((UserGroupMember, UserGroupRepoToPerm.users_group_id ==

               UserGroupMember.users_group_id)) \

        .filter(UserGroupMember.user_id == user_id) \

        .options(joinedload(UserGroupRepoToPerm.repository)) \

        .options(joinedload(UserGroupRepoToPerm.permission)) \

        .all()

    for perm in user_repo_perms_from_users_groups:

            perm.repository.repo_name,

            perm.permission.permission_name)

    # user permissions for repositories

    user_repo_perms = Permission.get_default_perms(user_id)

    for perm in user_repo_perms:

            perm.repository.repo_name,

            perm.permission.permission_name)

    #======================================================================

    # !! PERMISSIONS FOR REPOSITORY GROUPS !!

    #======================================================================

    #======================================================================

    # check if user is part of user groups for this repository groups and

    # fill in his permission from it.

    #======================================================================

    # user group for repo groups permissions

    user_repo_group_perms_from_users_groups = \

     Session().query(UserGroupRepoGroupToPerm) \

     .join((UserGroup, UserGroupRepoGroupToPerm.users_group_id ==

            UserGroup.users_group_id)) \

     .filter(UserGroup.users_group_active == True) \

     .join((UserGroupMember, UserGroupRepoGroupToPerm.users_group_id

            == UserGroupMember.users_group_id)) \

     .filter(UserGroupMember.user_id == user_id) \

     .options(joinedload(UserGroupRepoGroupToPerm.permission)) \

     .all()

    for perm in user_repo_group_perms_from_users_groups:

            perm.group.group_name,

            perm.permission.permission_name)

    # user explicit permissions for repository groups

    user_repo_groups_perms = Permission.get_default_group_perms(user_id)

    for perm in user_repo_groups_perms:

            perm.group.group_name,

            perm.permission.permission_name)

    #======================================================================

    # !! PERMISSIONS FOR USER GROUPS !!

    #======================================================================

    # user group for user group permissions

    user_group_user_groups_perms = \

     Session().query(UserGroupUserGroupToPerm) \

     .join((UserGroup, UserGroupUserGroupToPerm.target_user_group_id

            == UserGroup.users_group_id)) \

     .join((UserGroupMember, UserGroupUserGroupToPerm.user_group_id

            == UserGroupMember.users_group_id)) \

     .filter(UserGroupMember.user_id == user_id) \

     .join((UserGroup, UserGroupMember.users_group_id ==

            UserGroup.users_group_id), aliased=True, from_joinpoint=True) \

     .filter(UserGroup.users_group_active == True) \

     .options(joinedload(UserGroupUserGroupToPerm.permission)) \

     .all()

    for perm in user_group_user_groups_perms:

            perm.target_user_group.users_group_name,

            perm.permission.permission_name)

    # user explicit permission for user groups

    user_user_groups_perms = Permission.get_default_user_group_perms(user_id)

    for perm in user_user_groups_perms:

            perm.user_group.users_group_name,

            perm.permission.permission_name)

class AuthUser(object):

    """

    Represents a Kallithea user, including various authentication and

    authorization information. Typically used to store the current user,

    but is also used as a generic user information data structure in

    parts of the code, e.g. user management.

    Constructed from a database `User` object, a user ID or cookie dict,

    it looks up the user (if needed) and copies all attributes to itself,

    adding various non-persistent data. If lookup fails but anonymous

        self.is_anonymous = dbuser.is_default_user

        if dbuser.is_default_user and not dbuser.active:

            self.username = 'None'

            self.is_default_user = False

        else:

            # copy non-confidential database fields from a `db.User` to this `AuthUser`.

            for k, v in dbuser.get_dict().items():

                assert k not in ['api_keys', 'permissions']

                setattr(self, k, v)

            self.is_default_user = dbuser.is_default_user

        log.debug('Auth User is now %s', self)

        log.debug('Getting PERMISSION tree for %s', self)

    def has_repository_permission_level(self, repo_name, level, purpose=None):

        required_perms = {

            'read': ['repository.read', 'repository.write', 'repository.admin'],

            'write': ['repository.write', 'repository.admin'],

            'admin': ['repository.admin'],

        }[level]

        ok = actual_perm in required_perms

        log.debug('Checking if user %r can %r repo %r (%s): %s (has %r)',

            self.username, level, repo_name, purpose, ok, actual_perm)

        return ok

    def has_repository_group_permission_level(self, repo_group_name, level, purpose=None):

        required_perms = {

            'read': ['group.read', 'group.write', 'group.admin'],

            'write': ['group.write', 'group.admin'],

            'admin': ['group.admin'],

        }[level]

        ok = actual_perm in required_perms

        log.debug('Checking if user %r can %r repo group %r (%s): %s (has %r)',

            self.username, level, repo_group_name, purpose, ok, actual_perm)

        return ok

    def has_user_group_permission_level(self, user_group_name, level, purpose=None):

        required_perms = {

            'read': ['usergroup.read', 'usergroup.write', 'usergroup.admin'],

            'write': ['usergroup.write', 'usergroup.admin'],

            'admin': ['usergroup.admin'],

        }[level]

        ok = actual_perm in required_perms

        log.debug('Checking if user %r can %r user group %r (%s): %s (has %r)',

            self.username, level, user_group_name, purpose, ok, actual_perm)

        return ok

    @property

    def api_keys(self):

        return self._get_api_keys()

    def _get_api_keys(self):

        api_keys = [self.api_key]

        for api_key in UserApiKeys.query() \

        return api_keys

    @property

    def is_admin(self):

        return self.admin

    @property

    def repositories_admin(self):

        """

        Returns list of repositories you're an admin of

        """

                if x[1] == 'repository.admin']

    @property

    def repository_groups_admin(self):

        """

        Returns list of repository groups you're an admin of

        """

                if x[1] == 'group.admin']

    @property

    def user_groups_admin(self):

        """

        Returns list of user groups you're an admin of

        """

                if x[1] == 'usergroup.admin']

    def __repr__(self):

        return "<%s %s: %r>" % (self.__class__.__name__, self.user_id, self.username)

    def to_cookie(self):

        """ Serializes this login session to a cookie `dict`. """

        return {

            'user_id': self.user_id,

            'is_external_auth': self.is_external_auth,

        }

                raise HTTPForbidden()

    def check_permissions(self, user):

        raise NotImplementedError()

class HasPermissionAnyDecorator(_PermsDecorator):

    """

    Checks the user has any of the given global permissions.

    """

    def check_permissions(self, user):

class _PermDecorator(_PermsDecorator):

    """Base class for controller decorators with a single permission"""

    def __init__(self, required_perm):

        _PermsDecorator.__init__(self, [required_perm])

        self.required_perm = required_perm

class HasRepoPermissionLevelDecorator(_PermDecorator):

    """

            and instead evaluating it directly in a boolean context,

            which could have security implications.

        """

        raise AssertionError(self.__class__.__name__ + ' is not a bool and must be called!')

    def __call__(self, *a, **b):

        raise NotImplementedError()

class HasPermissionAny(_PermsFunction):

    def __call__(self, purpose=None):

        log.debug('Check %s for global %s (%s): %s',

            request.authuser.username, self.required_perms, purpose, ok)

        return ok

class _PermFunction(_PermsFunction):

    """Base function for other check functions with a single permission"""

    def __init__(self, required_perm):

        _PermsFunction.__init__(self, [required_perm])

        self.required_perm = required_perm

#==============================================================================

# SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH

#==============================================================================

class HasPermissionAnyMiddleware(object):

    def __init__(self, *perms):

        self.required_perms = set(perms)

    def __call__(self, authuser, repo_name, purpose=None):

        try:

        except KeyError:

            ok = False

        log.debug('Middleware check %s for %s for repo %s (%s): %s', authuser.username, self.required_perms, repo_name, purpose, ok)

        return ok

def check_ip_access(source_ip, allowed_ips=None):

    """

    Checks if source_ip is a subnet of any of allowed_ips.

    :param source_ip:

        password to a random value when it is authenticated by this plugin.

        If your plugin provides authentication, then you will generally want this.

        :returns: boolean

        """

        raise NotImplementedError("Not implemented in base class")

    def _authenticate(self, userobj, username, passwd, settings, **kwargs):

        user_data = super(KallitheaExternalAuthPlugin, self)._authenticate(

            userobj, username, passwd, settings, **kwargs)

        if user_data is not None:

            if userobj is None: # external authentication of unknown user that will be created soon

                active = 'hg.extern_activate.auto' in def_user_perms

            else:

                active = userobj.active

            if self.use_fake_password():

                # Randomize the PW because we don't need it, but don't want

                # them blank either

                passwd = PasswordGenerator().gen_password(length=8)

            log.debug('Updating or creating user info from %s plugin',

                      self.name)

            user = UserModel().create_or_update(

            .filter(Repository.repo_name == repo_name)

        return repo.scalar()

    def get_all_user_repos(self, user):

        """

        Gets all repositories that user have at least read access

        :param user:

        """

        from kallithea.lib.auth import AuthUser

        auth_user = AuthUser(dbuser=User.guess_instance(user))

        repos = [repo_name

            if perm in ['repository.read', 'repository.write', 'repository.admin']

            ]

        return Repository.query().filter(Repository.repo_name.in_(repos))

    @classmethod

    def _render_datatable(cls, tmpl, *args, **kwargs):

        from tg import app_globals, request

        from tg import tmpl_context as c

        from tg.i18n import ugettext as _

        _tmpl_lookup = app_globals.mako_lookup

        template = _tmpl_lookup.get_template('data_table/_dt_elements.html')

        if hasattr(self, 'g2'):

            RepoGroupModel().delete(self.g2.group_id)

        if hasattr(self, 'ug2'):

            UserGroupModel().delete(self.ug2, force=True)

        if hasattr(self, 'ug1'):

            UserGroupModel().delete(self.ug1, force=True)

        Session().commit()

    def test_default_perms_set(self):

        u1_auth = AuthUser(user_id=self.u1.user_id)

        new_perm = 'repository.write'

        RepoModel().grant_user_permission(repo=base.HG_REPO, user=self.u1,

                                          perm=new_perm)

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

    def test_default_admin_perms_set(self):

        a1_auth = AuthUser(user_id=self.a1.user_id)

        new_perm = 'repository.write'

        RepoModel().grant_user_permission(repo=base.HG_REPO, user=self.a1,

                                          perm=new_perm)

        Session().commit()

        # cannot really downgrade admins permissions !? they still gets set as

        # admin !

        u1_auth = AuthUser(user_id=self.a1.user_id)

    def test_default_group_perms(self):

        self.g1 = fixture.create_repo_group('test1', skip_if_exists=True)

        self.g2 = fixture.create_repo_group('test2', skip_if_exists=True)

        u1_auth = AuthUser(user_id=self.u1.user_id)

    def test_default_admin_group_perms(self):

        self.g1 = fixture.create_repo_group('test1', skip_if_exists=True)

        self.g2 = fixture.create_repo_group('test2', skip_if_exists=True)

        a1_auth = AuthUser(user_id=self.a1.user_id)

    def test_propagated_permission_from_users_group_by_explicit_perms_exist(self):

        # make group

        self.ug1 = fixture.create_user_group('G1')

        UserGroupModel().add_user_to_group(self.ug1, self.u1)

        # set user permission none

        RepoModel().grant_user_permission(repo=base.HG_REPO, user=self.u1, perm='repository.none')

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        # grant perm for group this should override permission from user

        RepoModel().grant_user_group_permission(repo=base.HG_REPO,

                                                 group_name=self.ug1,

                                                 perm='repository.write')

        # verify that user group permissions win

        u1_auth = AuthUser(user_id=self.u1.user_id)

    def test_propagated_permission_from_users_group(self):

        # make group

        self.ug1 = fixture.create_user_group('G1')

        UserGroupModel().add_user_to_group(self.ug1, self.u3)

        # grant perm for group this should override default permission from user

        new_perm_gr = 'repository.write'

        RepoModel().grant_user_group_permission(repo=base.HG_REPO,

                                                 group_name=self.ug1,

                                                 perm=new_perm_gr)

        # check perms

        u3_auth = AuthUser(user_id=self.u3.user_id)

    def test_propagated_permission_from_users_group_lower_weight(self):

        # make group

        self.ug1 = fixture.create_user_group('G1')

        # add user to group

        UserGroupModel().add_user_to_group(self.ug1, self.u1)

        # set permission to lower

        new_perm_h = 'repository.write'

        RepoModel().grant_user_permission(repo=base.HG_REPO, user=self.u1,

                                          perm=new_perm_h)

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        # grant perm for group this should NOT override permission from user

        # since it's lower than granted

        new_perm_l = 'repository.read'

        RepoModel().grant_user_group_permission(repo=base.HG_REPO,

                                                 group_name=self.ug1,

                                                 perm=new_perm_l)

        # check perms

        u1_auth = AuthUser(user_id=self.u1.user_id)

    def test_repo_in_group_permissions(self):

        self.g1 = fixture.create_repo_group('group1', skip_if_exists=True)

        self.g2 = fixture.create_repo_group('group2', skip_if_exists=True)

        # both perms should be read !

        u1_auth = AuthUser(user_id=self.u1.user_id)

        a1_auth = AuthUser(user_id=self.anon.user_id)

        # Change perms to none for both groups

        RepoGroupModel().grant_user_permission(repo_group=self.g1,

                                               user=self.anon,

                                               perm='group.none')

        RepoGroupModel().grant_user_permission(repo_group=self.g2,

                                               user=self.anon,

                                               perm='group.none')

        u1_auth = AuthUser(user_id=self.u1.user_id)

        a1_auth = AuthUser(user_id=self.anon.user_id)

        # add repo to group

        name = db.URL_SEP.join([self.g1.group_name, 'test_perm'])

        self.test_repo = fixture.create_repo(name=name,

                                             repo_type='hg',

                                             repo_group=self.g1,

                                             cur_user=self.u1,)

        u1_auth = AuthUser(user_id=self.u1.user_id)

        a1_auth = AuthUser(user_id=self.anon.user_id)

        # grant permission for u2 !

        RepoGroupModel().grant_user_permission(repo_group=self.g1, user=self.u2,

                                               perm='group.read')

        RepoGroupModel().grant_user_permission(repo_group=self.g2, user=self.u2,

                                               perm='group.read')

        Session().commit()

        assert self.u1 != self.u2

        # u1 and anon should have not change perms while u2 should !

        u1_auth = AuthUser(user_id=self.u1.user_id)

        u2_auth = AuthUser(user_id=self.u2.user_id)

        a1_auth = AuthUser(user_id=self.anon.user_id)

    def test_repo_group_user_as_user_group_member(self):

        # create Group1

        self.g1 = fixture.create_repo_group('group1', skip_if_exists=True)

        a1_auth = AuthUser(user_id=self.anon.user_id)

        # set default permission to none

        RepoGroupModel().grant_user_permission(repo_group=self.g1,

                                               user=self.anon,

                                               perm='group.none')

        # make group

        self.ug1 = fixture.create_user_group('G1')

        # add user to group

        UserGroupModel().add_user_to_group(self.ug1, self.u1)

        Session().commit()

        # check if user is in the group

        members = [x.user_id for x in UserGroupModel().get(self.ug1.users_group_id).members]

        assert members == [self.u1.user_id]

        # add some user to that group

        # check his permissions

        a1_auth = AuthUser(user_id=self.anon.user_id)