Merge branch 'release/v9.9.1-4'

cloudogu · Jun 5, 2023 · e59094e · e59094e
2 parents 12eab9c + 107db63
commit e59094e
Show file tree

Hide file tree

Showing 15 changed files with 345 additions and 702 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v9.9.1-4] - 2023-06-05
+### Fixed
+- Temporary user creation during dogu start (#88)
+- Permissions of the temporary admin user used to import quality profiles (#88)
+- Add admin group to default permission template if it exists (#88)
+
+### Changed
+- Blocked updates from versions prior to 8.x
+
+### Added
+- German translations for permission docs
+
 ## [v9.9.1-3] - 2023-05-15
 ### Changed
 - Update CAS plugin to version v5.0.2 (#86)

diff --git a/Dockerfile b/Dockerfile
@@ -27,7 +27,7 @@ RUN echo "${CAS_PLUGIN_JAR_SHA256} *${BUILDER_HOME}/sonar-cas-plugin-${CAS_PLUGI
 FROM BASE
 
 LABEL NAME="official/sonar" \
-    VERSION="9.9.1-3" \
+    VERSION="9.9.1-4" \
     maintainer="[email protected]"
 
 RUN set -eux \

diff --git a/docs/operations/global_permission_de.md b/docs/operations/global_permission_de.md
@@ -0,0 +1,10 @@
+# Globale Berechtigungen
+
+Neben den projektbezogenen Berechtigungen (siehe [permission_template](permission_template_de.md)) existieren die
+globalen Berechtigungen, welche zum Start des Dogus eingerichtet werden. 
+
+Die Admin-Gruppe des Cloudogu EcoSystems erhält dabei generell die folgenden Berechtigungen:
+- admin
+- profileadmin
+- gateadmin
+- provisioning
diff --git a/docs/operations/permission_template_de.md b/docs/operations/permission_template_de.md
@@ -0,0 +1,31 @@
+# Permission template
+
+„Permission Templates“ sind ein Mechanismus von SonarQube, um Vorlagen für Projektberechtigungen zu erstellen. Die
+Admin-Gruppe des Cloudogu EcoSystems wird der Standardvorlage („Default Template“) beim Start des Dogus automatisch 
+hinzugefügt, um sicherzustellen, dass Nutzer mit der Admin-Gruppe die nötigen Berechtigungen auf allen Projekten besitzen.
+
+Die Admin-Gruppe des Cloudogu EcoSystems wird dabei mit folgenden Berechtigungen hinzugefügt:
+- admin
+- codeviewer
+- issueadmin
+- securityhotspotadmin
+- scan
+- user
+
+Die Einstellungen können unter `Administration -> Security -> Permisssion Templates` überprüft werden.
+*siehe setup.json für weitere Informationen*
+
+# Korrektur von falsch konfigurierten Projekten
+
+Neue Projekte, die mit der Standardvorlage angelegt wurden, mit der die Admin-Gruppe nicht verknüpft war, können 
+nachträglich korrigiert werden.
+
+Dazu sind folgende Schritte durchzuführen:
+- Konfigurationsschlüssel `/config/sonar/amend_projects_with_ces_admin_permissions` auf den Wert `all` setzen
+- Dogu neu starten z.B. mittels `cesapp restart sonar`
+- Dies sorgt dafür, dass die Admin-Gruppe allen Projekten mit den nötigen Berechtigungen hinzugefügt wird.
+- Nach erfolgreicher Korrektur der Berechtigungen wird der Konfigurationsschlüssel auf den Wert `none` gesetzt.
+
+*siehe Beschreibung `configuration` in der Datei `dogu.json` für weitere Informationen*
+
+Die Gruppe wird mittels API-Endpunkt `permissions/add_group` hinzugefügt.
diff --git a/docs/operations/permission_template_en.md b/docs/operations/permission_template_en.md
@@ -1,12 +1,13 @@
 # Permission template
 
-The permission template is a mechanism in SonarQube to setup *project permissions*. The default template will be changed
+The permission template is a mechanism in SonarQube to set up *project permissions*. The default template will be changed
 during the dogu startup to ensure that the CES_ADMIN group has access to administer new created projects. The following
 permissions will be set (admin codeviewer issueadmin securityhotspotadmin scan user ) this setup can be verified
 (`Administration -> Security -> Permisssion Templates`). *see setup.json for further details*
 
 ![default template overview](figures/default_template_ces_admin_permissions.png)
 
+# Fix wrong project permissions
 
 The permissions for projects created without correct CES_ADMIN group permissions can be changed later using a specific config-key.
 (set `amend_projects_with_ces_admin_permissions` to `all` -> restart sonar -> CES_ADMIN group will be added to all projects).

diff --git a/dogu.json b/dogu.json
@@ -1,6 +1,6 @@
 {
   "Name": "official/sonar",
-  "Version": "9.9.1-3",
+  "Version": "9.9.1-4",
   "DisplayName": "SonarQube",
   "Description": "SonarQube is an open source quality management platform, dedicated to continuously analyze and measure source code quality",
   "Category": "Development Apps",
@@ -133,7 +133,7 @@
     },
     {
       "Name": "amend_projects_with_ces_admin_permissions",
-      "Description": "If set to 'all', the ces-admin group will be enabled to administer all project. This key will automatically reset to 'none' afterwards.",
+      "Description": "If set to 'all', the ces-admin group will be enabled to administer all projects. This key will automatically reset to 'none' afterwards.",
       "Optional": true
     },
     {

diff --git a/resources/PasswordHasher.java b/resources/PasswordHasher.java
@@ -0,0 +1,30 @@
+import java.util.Base64;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+
+public class PasswordHasher {
+    private static final int KEY_LEN = 512;
+    private static final int HASH_ITERATIONS = 100_000;
+    private static final int PARAM_SALT_INDEX = 0;
+    private static final int PARAM_PASSWORD_INDEX = 1;
+
+    public static void main(String[] args) {
+        var saltStr = args[PARAM_SALT_INDEX];
+        var password = args[PARAM_PASSWORD_INDEX];
+        byte[] salt = Base64.getDecoder().decode(saltStr);
+        var hashedPassword = hash(salt, password, HASH_ITERATIONS);
+        hashedPassword = String.format("%d$%s", HASH_ITERATIONS, hashedPassword);
+        System.out.print(hashedPassword);
+    }
+
+    private static String hash(byte[] salt, String password, int iterations) {
+        try {
+            SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512");
+            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, KEY_LEN);
+            byte[] hash = skf.generateSecret(spec).getEncoded();
+            return Base64.getEncoder().encodeToString(hash);
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+}
diff --git a/resources/post-upgrade.sh b/resources/post-upgrade.sh
@@ -4,17 +4,13 @@ set -o nounset
 set -o pipefail
 
 # import util functions:
-# execute_sql_statement_on_database()
-# getSHA1PW()
-# remove_temporary_admin_user functions()
+# functions()
 # wait_for_sonar_status_endpoint()
 # wait_for_sonar_to_get_up()
 # wait_for_sonar_to_get_healthy()
-# set_successful_first_start_flag()
-# remove_temporary_admin_user()
-# remove_temporary_admin_group()
+# remove_user()
+# remove_group()
 # add_temporary_admin_group()
-# create_temporary_admin_user_with_temporary_admin_group()
 # shellcheck disable=SC1091
 source "${STARTUP_DIR}/util.sh"
 
@@ -39,47 +35,15 @@ function reinstall_plugins() {
   fi
 }
 
-function migrate_cas_identity_provider_in_db() {
-  echo "Migrating DB: Update accounts associated with identity provider CAS to SonarQube..."
-  execute_sql_statement_on_database "update users set external_identity_provider='sonarqube' where external_identity_provider='cas';"
-}
-
-function add_temporary_admin_user_sonar_7() {
-  # temporarily create admin user and add to admin groups
-  TEMPORARY_ADMIN_USER=${1}
-  TEMPORARY_ADMIN_PASSWORD=${2}
-  SALT=$(doguctl random)
-  HASHED_PW=$(getSHA1PW "${TEMPORARY_ADMIN_PASSWORD}" "${SALT}")
-  execute_sql_statement_on_database "INSERT INTO users (login, name, crypted_password, salt, hash_method, active, external_login, external_identity_provider, user_local, is_root, onboarded, uuid, external_id)
-  VALUES ('${TEMPORARY_ADMIN_USER}', 'Temporary Administrator', '${HASHED_PW}', '${SALT}', 'SHA1', true, '${TEMPORARY_ADMIN_USER}', 'sonarqube', true, true, true, '${TEMPORARY_ADMIN_USER}', '${TEMPORARY_ADMIN_USER}');"
-
-  ADMIN_ID_PSQL_OUTPUT=$(PGPASSWORD="${DATABASE_USER_PASSWORD}" psql --host "${DATABASE_IP}" --username "${DATABASE_USER}" --dbname "${DATABASE_DB}" -1 -c "SELECT uuid FROM users WHERE login='${TEMPORARY_ADMIN_USER}';")
-  ADMIN_ID=$(echo "${ADMIN_ID_PSQL_OUTPUT}" | awk 'NR==3' | cut -d " " -f 2)
-  if [[ -z ${ADMIN_ID} ]]; then
-    # id has only one digit
-    ADMIN_ID=$(echo "${ADMIN_ID_PSQL_OUTPUT}" | awk 'NR==3' | cut -d " " -f 3)
-  fi
-  execute_sql_statement_on_database "INSERT INTO groups_users (user_uuid, group_uuid) VALUES (${ADMIN_ID}, 1);"
-  execute_sql_statement_on_database "INSERT INTO groups_users (user_uuid, group_uuid) VALUES (${ADMIN_ID}, 2);"
-}
-
 function run_post_upgrade() {
   FROM_VERSION="${1}"
   TO_VERSION="${2}"
-  TO_MAJOR_VERSION=$(echo "${TO_VERSION}" | cut -d '.' -f1)
   WAIT_TIMEOUT=600
   CURL_LOG_LEVEL="--silent"
   FAILED_PLUGIN_NAMES=""
 
   echo "Running post-upgrade script..."
 
-  # Migrate saved extensions folder to its own volume
-  if [[ ${FROM_VERSION} == "6.7.6-1" ]]; then
-    mkdir -p /opt/sonar/extensions
-    cp -R /opt/sonar/data/extensions/* /opt/sonar/extensions/
-    rm -rf /opt/sonar/data/extensions
-  fi
-
   echo "Waiting for SonarQube status endpoint to be available (max. ${WAIT_TIMEOUT} seconds)..."
   wait_for_sonar_status_endpoint ${WAIT_TIMEOUT}
 
@@ -106,51 +70,6 @@ function run_post_upgrade() {
     echo "No db migration is needed"
   fi
 
-  if [[ ${FROM_VERSION} == "6"* ]] && [[ ${TO_VERSION} == "7.9"* ]]; then
-    TEMPORARY_ADMIN_USER=$(doguctl random)
-    PW=$(doguctl random)
-    SALT=$(doguctl random)
-    HASH=$(getSHA1PW "${PW}" "${SALT}")
-    add_temporary_admin_user_sonar_7 "${TEMPORARY_ADMIN_USER}" "${HASH}" "${SALT}"
-    # reinstall missing plugins if there are any
-    if doguctl config install_plugins >/dev/null; then
-
-      echo "Waiting for SonarQube to get up (max ${WAIT_TIMEOUT} seconds)..."
-      wait_for_sonar_to_get_up ${WAIT_TIMEOUT}
-
-      echo "Waiting for SonarQube to get healthy (max. ${WAIT_TIMEOUT} seconds)..."
-      # default admin credentials (admin, admin) are used
-      wait_for_sonar_to_get_healthy ${WAIT_TIMEOUT} "${TEMPORARY_ADMIN_USER}" "${PW}" ${CURL_LOG_LEVEL}
-
-      reinstall_plugins "${TEMPORARY_ADMIN_USER}" "${PW}"
-
-      doguctl config --remove install_plugins
-    fi
-
-    remove_temporary_admin_user "${TEMPORARY_ADMIN_USER}"
-  fi
-
-  if [[ ${FROM_VERSION} == "6.7.6-1" ]]; then
-    # grant further permissions to CES admin group via API
-    # TODO: Extract grant_permission_to_group_via_rest_api function from startup.sh into util.sh and use it instead
-    CES_ADMIN_GROUP=$(doguctl config --global admin_group)
-    DOGU_ADMIN_PASSWORD=$(doguctl config -e dogu_admin_password)
-    echo "Waiting for SonarQube to get up (max. ${WAIT_TIMEOUT} seconds)..."
-    wait_for_sonar_to_get_up "${WAIT_TIMEOUT}"
-    echo "Waiting for SonarQube to get healthy (max. ${WAIT_TIMEOUT} seconds)..."
-    wait_for_sonar_to_get_healthy ${WAIT_TIMEOUT} "${DOGU_ADMIN}" "${DOGU_ADMIN_PASSWORD}" ${CURL_LOG_LEVEL}
-    # grant profileadmin permission
-    curl ${CURL_LOG_LEVEL} --fail -u "${DOGU_ADMIN}":"${DOGU_ADMIN_PASSWORD}" -X POST "http://localhost:9000/sonar/api/permissions/add_group?permission=profileadmin&groupName=${CES_ADMIN_GROUP}"
-    # grant gateadmin permission
-    curl ${CURL_LOG_LEVEL} --fail -u "${DOGU_ADMIN}":"${DOGU_ADMIN_PASSWORD}" -X POST "http://localhost:9000/sonar/api/permissions/add_group?permission=gateadmin&groupName=${CES_ADMIN_GROUP}"
-    # grant provisioning permission
-    curl ${CURL_LOG_LEVEL} --fail -u "${DOGU_ADMIN}":"${DOGU_ADMIN_PASSWORD}" -X POST "http://localhost:9000/sonar/api/permissions/add_group?permission=provisioning&groupName=${CES_ADMIN_GROUP}"
-  fi
-
-  if [[ "${TO_MAJOR_VERSION}" -eq 8 ]]; then
-    migrate_cas_identity_provider_in_db
-  fi
-
   if [[ ${FROM_VERSION} == "8"* ]] && [[ ${TO_VERSION} == "9.9"* ]]; then
     # reinstall missing plugins if there are any
     if doguctl config install_plugins >/dev/null; then
@@ -159,15 +78,16 @@ function run_post_upgrade() {
       TEMPORARY_ADMIN_PASSWORD=$(doguctl random)
 
       # remove user in case it already exists
-      remove_temporary_admin_user "${TEMPORARY_ADMIN_USER}"
-      remove_temporary_admin_group "${TEMPORARY_ADMIN_GROUP}"
+      remove_user "${TEMPORARY_ADMIN_USER}"
+      remove_group "${TEMPORARY_ADMIN_GROUP}"
 
       echo "Waiting for SonarQube to get up (max ${WAIT_TIMEOUT} seconds)..."
       wait_for_sonar_to_get_up ${WAIT_TIMEOUT}
 
       echo "Creating temporary user \"${TEMPORARY_ADMIN_USER}\"..."
       add_temporary_admin_group "${TEMPORARY_ADMIN_GROUP}"
-      create_temporary_admin_user_with_temporary_admin_group "${TEMPORARY_ADMIN_USER}" "${TEMPORARY_ADMIN_PASSWORD}" "${TEMPORARY_ADMIN_GROUP}" ${CURL_LOG_LEVEL}
+      add_user "${TEMPORARY_ADMIN_USER}" "${TEMPORARY_ADMIN_PASSWORD}"
+      assign_group "${TEMPORARY_ADMIN_USER}" "${TEMPORARY_ADMIN_GROUP}"
 
       echo "Waiting for SonarQube to get healthy (max. ${WAIT_TIMEOUT} seconds)..."
       # default admin credentials (admin, admin) are used
@@ -176,8 +96,8 @@ function run_post_upgrade() {
       reinstall_plugins "${TEMPORARY_ADMIN_USER}" "${TEMPORARY_ADMIN_PASSWORD}"
 
       echo "Remove temporary admin user"
-      remove_temporary_admin_user "${TEMPORARY_ADMIN_USER}"
-      remove_temporary_admin_group "${TEMPORARY_ADMIN_GROUP}"
+      remove_user "${TEMPORARY_ADMIN_USER}"
+      remove_group "${TEMPORARY_ADMIN_GROUP}"
 
       doguctl config --remove install_plugins
     fi