authentication and permission libraries

This file was forked by the Kallithea project in July 2014.

Original author and date, and relevant copyright and licensing information is below:

:created_on: Apr 4, 2010

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

from __future__ import with_statement

import time

import random

import logging

import traceback

import hashlib

import itertools

import collections

from tempfile import _RandomNameSequence

from decorator import decorator

from pylons import url, request

from pylons.controllers.util import abort, redirect

from pylons.i18n.translation import _

from sqlalchemy import or_

from sqlalchemy.orm.exc import ObjectDeletedError

from sqlalchemy.orm import joinedload

from kallithea import __platform__, is_windows, is_unix

from kallithea.lib.vcs.utils.lazy import LazyProperty

from kallithea.model import meta

from kallithea.model.meta import Session

from kallithea.model.user import UserModel

from kallithea.model.db import User, Repository, Permission, \

    UserToPerm, UserGroupRepoToPerm, UserGroupToPerm, UserGroupMember, \

    RepoGroup, UserGroupRepoGroupToPerm, UserIpMap, UserGroupUserGroupToPerm, \

    UserGroup, UserApiKeys

from kallithea.lib.utils2 import safe_unicode, aslist

from kallithea.lib.utils import get_repo_slug, get_repo_group_slug, \

    get_user_group_slug, conditional_cache

from kallithea.lib.caching_query import FromCache

log = logging.getLogger(__name__)

class PasswordGenerator(object):

        if not user.ip_allowed:

            from kallithea.lib import helpers as h

            h.flash(h.literal(_('IP %s not allowed' % (user.ip_addr))),

                    category='warning')

            ip_access_valid = False

        # check if we used an APIKEY and it's a valid one

        # defined whitelist of controllers which API access will be enabled

        _api_key = request.GET.get('api_key', '')

        api_access_valid = allowed_api_access(loc, api_key=_api_key)

        # explicit controller is enabled or API is in our whitelist

        if self.api_access or api_access_valid:

            log.debug('Checking API KEY access for %s' % cls)

            if _api_key and _api_key in user.api_keys:

                api_access_valid = True

                log.debug('API KEY ****%s is VALID' % _api_key[-4:])

            else:

                api_access_valid = False

                if not _api_key:

                    log.debug("API KEY *NOT* present in request")

                else:

                    log.warning("API KEY ****%s *NOT* valid" % _api_key[-4:])

        log.debug('Checking if %s is authenticated @ %s' % (user.username, loc))

        reason = 'RegularAuth' if user.is_authenticated else 'APIAuth'

        if ip_access_valid and (user.is_authenticated or api_access_valid):

            log.info('user %s authenticating with:%s IS authenticated on func %s '

                     % (user, reason, loc)

            )

            return func(*fargs, **fkwargs)

        else:

            log.warning('user %s authenticating with:%s NOT authenticated on func: %s: '

                     'IP_ACCESS:%s API_ACCESS:%s'

                     % (user, reason, loc, ip_access_valid, api_access_valid)

            )

            p = url.current()

            log.debug('redirecting to login page with %s' % p)

            return redirect(url('login_home', came_from=p))

class NotAnonymous(object):

    """

    Must be logged in to execute this function else

    redirect to login page"""