class Authz(object):
    """Decide who can do what."""

    knownActions = [
    # If you add a new action here, be sure to also update the documentation
    # at docs/manual/cfg-statustargets.rst.

    def __init__(self,
        self.auth = auth
        if auth:
            assert IAuth.providedBy(auth)

        self.useHttpHeader = useHttpHeader
        self.httpLoginUrl = httpLoginUrl

        self.config = dict( (a, default_action) for a in self.knownActions )
        self.config['view'] = view
        for act in self.knownActions:
            if act in kwargs:
                self.config[act] = kwargs[act]
                del kwargs[act]

        self.sessions = SessionManager()
        if kwargs:
            raise ValueError("unknown authorization action(s) " + ", ".join(kwargs.keys()))

    def session(self, request):
        if COOKIE_KEY in request.received_cookies:
            cookie = request.received_cookies[COOKIE_KEY]
            return self.sessions.get(cookie)
        return None
    def authenticated(self, request):
        if self.useHttpHeader:
            return request.getUser() != ''
        return self.session(request) != None

    def getUserInfo(self, user):
        if self.useHttpHeader:
            return dict(userName=user, fullName=user, email=user, groups=[ user ])
        s = self.sessions.getUser(user)
        if s:
            return s.infos

    def getUsername(self, request):
        """Get the userid of the user"""
        if self.useHttpHeader:
            return request.getUser()
        s = self.session(request)
        if s:
            return s.user
        return request.args.get("username", ["<unknown>"])[0]

    def getUsernameHTML(self, request):
        """Get the user formatted in html (with possible link to email)"""
        if self.useHttpHeader:
            return request.getUser()
        s = self.session(request)
        if s:
            return s.userInfosHTML()
        return "not authenticated?!"

    def getUsernameFull(self, request):
        """Get the full username as fullname <email>"""
        if self.useHttpHeader:
            return request.getUser()
        s = self.session(request)
        if s:
            return "%(fullName)s <%(email)s>" % (s.infos)
            return request.args.get("username", ["<unknown>"])[0]

    def getPassword(self, request):
        if self.useHttpHeader:
            return request.getPassword()
        return request.args.get("passwd", ["<no-password>"])[0]

    def advertiseAction(self, action, request):
        """Should the web interface even show the form for ACTION?"""
        if action not in self.knownActions:
            raise KeyError("unknown action")
        cfg = self.config.get(action, False)
        if cfg:
            if cfg == 'auth' or callable(cfg):
                return self.authenticated(request)
        return cfg

    def actionAllowed(self, action, request, *args):
        """Is this ACTION allowed, given this http REQUEST?"""
        if action not in self.knownActions:
            raise KeyError("unknown action")
        cfg = self.config.get(action, False)
        if cfg:
            if cfg == 'auth' or callable(cfg):
                if not self.auth:
                    return defer.succeed(False)
                def check_authenticate(res):
                    if callable(cfg) and not cfg(self.getUsername(request), *args):
                        return False
                    return True
                # retain old behaviour, if people have scripts
                # without cookie support
                passwd = self.getPassword(request)
                if self.authenticated(request):
                    return defer.succeed(check_authenticate(None))
                elif passwd != "<no-password>":
                    def check_login(cookie):
                        ret = False
                        if type(cookie) is str:
                            ret = check_authenticate(None)
                        return ret
                    d = self.login(request)
                    return d
                    return defer.succeed(False)
        return defer.succeed(cfg)

    def login(self, request):
        """Login one user, and return session cookie"""
        if self.authenticated(request):
            return defer.succeed(False)

        user = request.args.get("username", ["<unknown>"])[0]
        passwd = request.args.get("passwd", ["<no-password>"])[0]
        if user == "<unknown>" or passwd == "<no-password>":
            return defer.succeed(False)
        if not self.auth:
            return defer.succeed(False)
        d = defer.maybeDeferred(self.auth.authenticate, user, passwd)
        def check_authenticate(res):
            if res:
                cookie, s = self.sessions.new(user, self.auth.getUserInfo(user))
                request.addCookie(COOKIE_KEY, cookie, expires=s.getExpiration(),path="/")
                request.received_cookies = {COOKIE_KEY:cookie}
                return cookie
                return False
        return d

    def logout(self, request):
        if COOKIE_KEY in request.received_cookies:
            cookie = request.received_cookies[COOKIE_KEY]
class GoogleOAuth2AuthZ(object):
    """Decide who can do what."""

    def __init__(self, url, client_id, client_secret, root_uri, **kwargs):
        unknown = []
        self.permissions = {}
        for group in kwargs:
            self.permissions[group] = []
            for perm in kwargs[group]:
                if perm in Authz.knownActions:

        self.url = url
        self.client_id = client_id
        self.client_secret = client_secret
        self.root_uri = root_uri
        self.sessions = SessionManager()
        self.init_childs = False
        # This makes us get self.master as per baseweb.py:472
        self.auth = self
        # This makes the login form be a link
        self.useHttpHeader = True
        self.httpLoginUrl = "/_google_oauth2_handler"

        if unknown != []:
            raise ValueError("Unknown authorization action(s) " + ", ".join(unknown))

    def session(self, request):
        if COOKIE_KEY in request.received_cookies:
            cookie = request.received_cookies[COOKIE_KEY]
            return self.sessions.get(cookie)
        return None

    def authenticated(self, request):
        return self.session(request) is not None

    def getUserInfo(self, user):
        s = self.sessions.getUser(user)
        if s:
            return s.infos
        return None

    def getUsername(self, request):
        """Get the userid of the user"""
        s = self.session(request)
        if s:
            return s.user
        return "<unknown>"

    def getUsernameHTML(self, request):
        """Get the user formatted in html (with possible link to email)"""
        s = self.session(request)
        if s:
            return s.userInfosHTML()
        return "not authenticated?!"

    def getUsernameFull(self, request):
        """Get the full username as fullname <email>"""
        s = self.session(request)
        if s:
            return "%(fullName)s <%(email)s>" % (s.infos)
            return request.args.get("username", ["<unknown>"])[0]

    def create_childs(self, request):
        # We need to create the childs with this workaround
        #  because we won't get the site information prior
        #  to handling the very first request
        if not self.init_childs:
            self.init_childs = True
            request.site.resource.putChild("_google_oauth2_handler", GoogleOAuth2Handler(self))

    def shouldAllowAction(self, action, request):
        if action in self.permissions.get("all", []):
            return True

        s = self.getUsername(request)
        if s and not s == "<unknown>":
            if action in self.permissions.get("authenticated", []):
                return True
        return False

    def advertiseAction(self, action, request):
        """Should the web interface even show the form for ACTION?"""
        if action not in Authz.knownActions:
            raise KeyError("unknown action")
        return self.shouldAllowAction(action, request)

    def actionAllowed(self, action, request, *_):
        """Is this ACTION allowed, given this http REQUEST?"""
        if action not in Authz.knownActions:
            raise KeyError("unknown action")
        return defer.succeed(self.shouldAllowAction(action, request))

    def logout(self, request):
        if COOKIE_KEY in request.received_cookies:
            cookie = request.received_cookies[COOKIE_KEY]

    def getLoginURL(self):
        oauth_params = {
            "redirect_uri": self.root_uri + "_google_oauth2_handler",
            "client_id": self.client_id,
            "response_type": "code",
            "scope": INFOSCOPE,
            "access_type": "offline",

        return "%s?%s" % (AUTHURI, urlencode(oauth_params))
class GithubOAuth2AuthZ(object):
    """Decide who can do what."""
    def __init__(self, url, client_id, client_secret, root_uri, **kwargs):
        unknown = []
        self.permissions = {}
        for group in kwargs:
            self.permissions[group] = []
            for perm in kwargs[group]:
                if perm in Authz.knownActions:

        self.url = url
        self.client_id = client_id
        self.client_secret = client_secret
        self.root_uri = root_uri
        self.sessions = SessionManager()
        self.init_childs = False
        # This makes us get self.master as per baseweb.py:472
        self.auth = self
        # This makes the login form be a link
        self.useHttpHeader = True
        self.httpLoginUrl = '/_github_oauth2_handler'

        if unknown != []:
            raise ValueError('Unknown authorization action(s) ' +
                             ', '.join(unknown))

    def session(self, request):
        if COOKIE_KEY in request.received_cookies:
            cookie = request.received_cookies[COOKIE_KEY]
            return self.sessions.get(cookie)
        return None

    def authenticated(self, request):
        return self.session(request) is not None

    def getUserInfo(self, user):
        s = self.sessions.getUser(user)
        if s:
            return s.infos
        return None

    def getUsername(self, request):
        """Get the userid of the user"""
        s = self.session(request)
        if s:
            return s.user
        return '<unknown>'

    def getUsernameHTML(self, request):
        """Get the user formatted in html (with possible link to email)"""
        s = self.session(request)
        if s:
            return s.userInfosHTML()
        return "not authenticated?!"

    def getUsernameFull(self, request):
        """Get the full username as fullname <email>"""
        s = self.session(request)
        if s:
            return "%(fullName)s <%(email)s>" % (s.infos)
            return request.args.get("username", ["<unknown>"])[0]

    def create_childs(self, request):
        # We need to create the childs with this workaround
        #  because we won't get the site information prior
        #  to handling the very first request
        if not self.init_childs:
            self.init_childs = True
            request.site.resource.putChild('_github_oauth2_handler', GithubOAuth2Handler(self))

    def shouldAllowAction(self, action, request):
        if action in self.permissions.get('all', []):
            return True

        s = self.getUsername(request)
        if s and not s == '<unknown>':
            if action in self.permissions.get('authenticated', []):
                return True
        return False

    def advertiseAction(self, action, request):
        """Should the web interface even show the form for ACTION?"""
        if action not in Authz.knownActions:
            raise KeyError("unknown action")
        return self.shouldAllowAction(action, request)

    def actionAllowed(self, action, request, *_):
        """Is this ACTION allowed, given this http REQUEST?"""
        if action not in Authz.knownActions:
            raise KeyError("unknown action")
        return defer.succeed(self.shouldAllowAction(action, request))

    def logout(self, request):
        if COOKIE_KEY in request.received_cookies:
            cookie = request.received_cookies[COOKIE_KEY]

    def getLoginURL(self):
        oauth_params = {'redirect_uri': self.root_uri + '_github_oauth2_handler',
                        'client_id': self.client_id,
                        'response_type': 'code',
                        'access_type': 'offline'

        return "%s?%s" % (AUTHURI, urlencode(oauth_params))
class Authz(object):
    """Decide who can do what."""

    knownActions = [
        # If you add a new action here, be sure to also update the documentation
        # at docs/cfg-statustargets.texinfo

    def __init__(self,
        self.auth = auth
        if auth:
            assert IAuth.providedBy(auth)

        self.useHttpHeader = useHttpHeader
        self.httpLoginUrl = httpLoginUrl

        self.config = dict((a, default_action) for a in self.knownActions)
        for act in self.knownActions:
            if act in kwargs:
                self.config[act] = kwargs[act]
                del kwargs[act]

        self.sessions = SessionManager()
        if kwargs:
            raise ValueError("unknown authorization action(s) " +
                             ", ".join(kwargs.keys()))

    def session(self, request):
        if COOKIE_KEY in request.received_cookies:
            cookie = request.received_cookies[COOKIE_KEY]
            return self.sessions.get(cookie)
        return None

    def authenticated(self, request):
        if self.useHttpHeader:
            return request.getUser() != ''
        return self.session(request) != None

    def getUserInfo(self, user):
        if self.useHttpHeader:
            return dict(userName=user,
        s = self.sessions.getUser(user)
        if s:
            return s.infos

    def getUsername(self, request):
        """Get the userid of the user"""
        if self.useHttpHeader:
            return request.getUser()
        s = self.session(request)
        if s:
            return s.user
        return request.args.get("username", ["<unknown>"])[0]

    def getUsernameHTML(self, request):
        """Get the user formatated in html (with possible link to email)"""
        if self.useHttpHeader:
            return request.getUser()
        s = self.session(request)
        if s:
            return s.userInfosHTML()
        return "not authenticated?!"

    def getUsernameFull(self, request):
        """Get the full username as fullname <email>"""
        if self.useHttpHeader:
            return request.getUser()
        s = self.session(request)
        if s:
            return "%(fullName)s <%(email)s>" % (s.infos)
            return request.args.get("username", ["<unknown>"])[0]

    def getPassword(self, request):
        if self.useHttpHeader:
            return request.getPassword()
        return request.args.get("passwd", ["<no-password>"])[0]

    def advertiseAction(self, action, request):
        """Should the web interface even show the form for ACTION?"""
        if action not in self.knownActions:
            raise KeyError("unknown action")
        cfg = self.config.get(action, False)
        if cfg:
            if cfg == 'auth' or callable(cfg):
                return self.authenticated(request)
        return cfg

    def actionAllowed(self, action, request, *args):
        """Is this ACTION allowed, given this http REQUEST?"""
        if action not in self.knownActions:
            raise KeyError("unknown action")
        cfg = self.config.get(action, False)
        if cfg:
            if cfg == 'auth' or callable(cfg):
                if not self.auth:
                    return defer.succeed(False)

                def check_authenticate(res):
                    if callable(cfg) and not cfg(self.getUsername(request), *
                        return False
                    return True

                # retain old behaviour, if people have scripts
                # without cookie support
                passwd = self.getPassword(request)
                if self.authenticated(request):
                    return defer.succeed(check_authenticate(None))
                elif passwd != "<no-password>":

                    def check_login(cookie):
                        ret = False
                        if type(cookie) is str:
                            ret = check_authenticate(None)
                        return ret

                    d = self.login(request)
                    return d
                    return defer.succeed(False)
        return defer.succeed(cfg)

    def login(self, request):
        """Login one user, and return session cookie"""
        if self.authenticated(request):
            return defer.succeed(False)

        user = request.args.get("username", ["<unknown>"])[0]
        passwd = request.args.get("passwd", ["<no-password>"])[0]
        if user == "<unknown>" or passwd == "<no-password>":
            return defer.succeed(False)
        if not self.auth:
            return defer.succeed(False)
        d = defer.maybeDeferred(self.auth.authenticate, user, passwd)

        def check_authenticate(res):
            if res:
                cookie, s = self.sessions.new(user,
                request.received_cookies = {COOKIE_KEY: cookie}
                return cookie
                return False

        return d

    def logout(self, request):
        if COOKIE_KEY in request.received_cookies:
            cookie = request.received_cookies[COOKIE_KEY]
class OpenIDAuthz(object):

    """Decide who can do what."""

    def __init__(self,
        unknown = []
        self.permissions = {}
        for group in kwargs:
            # Work around the limitations of python identifiers:
            # python identifiers don't support dashes, while unix group names do
            # This is admittedly a hack, but if you have a better way: a PR is welcome
            group = group.replace('_DASH_', '-')

            self.permissions[group] = []
            for perm in kwargs[group]:
                if perm in Authz.knownActions:

        self.openid_provider = openid_provider
        self.sessions = SessionManager()
        self.init_childs = False
        if not check_certificate:
        # This makes us get self.master as per baseweb.py:472
        self.auth = self
        # This makes the login form be a link
        self.useHttpHeader = True

        if unknown != []:
            raise ValueError('Unknown authorization action(s) ' +
                             ', '.join(unknown))

    def session(self, request):
        if COOKIE_KEY in request.received_cookies:
            cookie = request.received_cookies[COOKIE_KEY]
            return self.sessions.get(cookie)
        return None

    def authenticated(self, request):
        return self.session(request) is not None

    def getUserInfo(self, user):
        s = self.sessions.getUser(user)
        if s:
            return s.infos
        return None

    def getUsername(self, request):
        """Get the userid of the user"""
        s = self.session(request)
        if s:
            return s.user
        return '<unknown>'

    def getUsernameHTML(self, request):
        """Get the user formatted in html (with possible link to email)"""
        s = self.session(request)
        if s:
            return s.userInfosHTML().decode('UTF-8')
        return "not authenticated?!"

    def getUsernameFull(self, request):
        """Get the full username as fullname <email>"""
        s = self.session(request)
        if s:
            return "%(fullName)s <%(email)s>" % (s.infos)
            return request.args.get("username", ["<unknown>"])[0]

    def getPassword(self, request):
        return '<no-password>'

    def create_childs(self, request):
        # We need to create the childs with this workaround
        #  because we won't get the site information prior
        #  to handling the very first request
        if not self.init_childs:
            self.init_childs = True
            status = request.site.buildbot_service.master.status
            root = status.getBuildbotURL()
            self.httpLoginUrl = '%s/_openid_start/' % root

    def shouldAllowAction(self, action, request):

        if action in self.permissions.get('_all_', []):
            return True
        s = self.sessions.getUser(request)
        if s:
            if action in self.permissions.get('_authenticated_', []):
                return True
            for group in s.infos['groups']:
                if action in self.permissions.get(group, []):
                    return True
        return False

    def advertiseAction(self, action, request):
        """Should the web interface even show the form for ACTION?"""
        if action not in Authz.knownActions:
            raise KeyError("unknown action")
        return self.shouldAllowAction(action, request)

    def actionAllowed(self, action, request, *args):
        """Is this ACTION allowed, given this http REQUEST?"""
        if action not in Authz.knownActions:
            raise KeyError("unknown action")
        return defer.succeed(self.shouldAllowAction(action, request))

    def logout(self, request):
        if COOKIE_KEY in request.received_cookies:
            cookie = request.received_cookies[COOKIE_KEY]
class OpenIDAuthz(object):

    """Decide who can do what."""

    def __init__(self,
        unknown = []
        self.permissions = {}
        for group in kwargs:
            self.permissions[group] = []
            for perm in kwargs[group]:
                if perm in Authz.knownActions:

        self.openid_provider = openid_provider
        self.sessions = SessionManager()
        self.init_childs = False
        if not check_certificate:
        # This makes us get self.master as per baseweb.py:472
        self.auth = self
        # This makes the login form be a link
        self.useHttpHeader = True
        self.httpLoginUrl = '/_openid_start/'

        if unknown != []:
            raise ValueError('Unknown authorization action(s) ' +
                             ', '.join(unknown))

    def session(self, request):
        if COOKIE_KEY in request.received_cookies:
            cookie = request.received_cookies[COOKIE_KEY]
            return self.sessions.get(cookie)
        return None

    def authenticated(self, request):
        return self.session(request) is not None

    def getUserInfo(self, user):
        s = self.sessions.getUser(user)
        if s:
            return s.infos
        return None

    def getUsername(self, request):
        """Get the userid of the user"""
        s = self.session(request)
        if s:
            return s.user
        return '<unknown>'

    def getUsernameHTML(self, request):
        """Get the user formatted in html (with possible link to email)"""
        s = self.session(request)
        if s:
            return s.userInfosHTML()
        return "not authenticated?!"

    def getUsernameFull(self, request):
        """Get the full username as fullname <email>"""
        s = self.session(request)
        if s:
            return "%(fullName)s <%(email)s>" % (s.infos)
            return request.args.get("username", ["<unknown>"])[0]

    def getPassword(self, request):
        return '<no-password>'

    def create_childs(self, request):
        # We need to create the childs with this workaround
        #  because we won't get the site information prior
        #  to handling the very first request
        if not self.init_childs:
            self.init_childs = True
            status = request.site.buildbot_service.master.status
            root = status.getBuildbotURL()

    def shouldAllowAction(self, action, request):

        if action in self.permissions.get('_all_', []):
            return True
        s = self.sessions.getUser(request)
        if s:
            if action in self.permissions.get('_authenticated_', []):
                return True
            for group in s.infos['groups']:
                if action in self.permissions.get(group, []):
                    return True
        return False

    def advertiseAction(self, action, request):
        """Should the web interface even show the form for ACTION?"""
        if action not in Authz.knownActions:
            raise KeyError("unknown action")
        return self.shouldAllowAction(action, request)

    def actionAllowed(self, action, request, *args):
        """Is this ACTION allowed, given this http REQUEST?"""
        if action not in Authz.knownActions:
            raise KeyError("unknown action")
        return defer.succeed(self.shouldAllowAction(action, request))

    def logout(self, request):
        if COOKIE_KEY in request.received_cookies:
            cookie = request.received_cookies[COOKIE_KEY]