Add plugin wizard initialization step (#2045)

Adds a new initialization step after setting up the initial administration account that allows administrators to initialize the instance with a selection of plugin sets. Co-authored-by: René Pfeuffer <rene.pfeuffer@cloudogu.com> Co-authored-by: Eduard Heimbuch <eduard.heimbuch@cloudogu.com> Co-authored-by: Matthias Thieroff <matthias.thieroff@cloudogu.com>
2025-12-22 08:19:47 +01:00 · 2022-05-31 15:14:52 +02:00
parent 6216945f0d
commit 1b18191c57
63 changed files with 2294 additions and 135 deletions
--- a/scm-webapp/src/main/java/sonia/scm/initialization/InitializationAuthenticationService.java
+++ b/scm-webapp/src/main/java/sonia/scm/initialization/InitializationAuthenticationService.java
@@ -0,0 +1,89 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.initialization;
+
+import org.apache.shiro.authc.AuthenticationException;
+import sonia.scm.security.AccessToken;
+import sonia.scm.security.AccessTokenBuilderFactory;
+import sonia.scm.security.AccessTokenCookieIssuer;
+import sonia.scm.security.PermissionAssigner;
+import sonia.scm.security.PermissionDescriptor;
+import sonia.scm.web.security.AdministrationContext;
+
+import javax.inject.Inject;
+import javax.inject.Singleton;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.util.Set;
+import java.util.concurrent.TimeUnit;
+
+@Singleton
+public class InitializationAuthenticationService {
+
+  private static final String INITIALIZATION_SUBJECT = "SCM-INIT";
+
+  private final AccessTokenBuilderFactory tokenBuilderFactory;
+  private final PermissionAssigner permissionAssigner;
+  private final AccessTokenCookieIssuer cookieIssuer;
+  private final InitializationCookieIssuer initializationCookieIssuer;
+
+  private final AdministrationContext administrationContext;
+
+  @Inject
+  public InitializationAuthenticationService(AccessTokenBuilderFactory tokenBuilderFactory, PermissionAssigner permissionAssigner, AccessTokenCookieIssuer cookieIssuer, InitializationCookieIssuer initializationCookieIssuer, AdministrationContext administrationContext) {
+    this.tokenBuilderFactory = tokenBuilderFactory;
+    this.permissionAssigner = permissionAssigner;
+    this.cookieIssuer = cookieIssuer;
+    this.initializationCookieIssuer = initializationCookieIssuer;
+    this.administrationContext = administrationContext;
+  }
+
+  public void validateToken(AccessToken token) {
+    if (token == null || !INITIALIZATION_SUBJECT.equals(token.getSubject())) {
+      throw new AuthenticationException("Could not authenticate to initialization realm because of missing or invalid token.");
+    }
+  }
+
+  public void setPermissions() {
+    administrationContext.runAsAdmin(() -> permissionAssigner.setPermissionsForUser(
+      InitializationRealm.INIT_PRINCIPAL,
+      Set.of(new PermissionDescriptor("plugin:read,write"))
+    ));
+  }
+
+  public void authenticate(HttpServletRequest request, HttpServletResponse response) {
+    AccessToken initToken =
+      tokenBuilderFactory.create()
+        .subject(INITIALIZATION_SUBJECT)
+        .expiresIn(365, TimeUnit.DAYS)
+        .refreshableFor(0, TimeUnit.SECONDS)
+        .build();
+    initializationCookieIssuer.authenticateForInitialization(request, response, initToken);
+  }
+
+  public void invalidateCookies(HttpServletRequest request, HttpServletResponse response) {
+    cookieIssuer.invalidate(request, response);
+  }
+}