diff --git a/roles/web-app-xwiki/config/main.yml b/roles/web-app-xwiki/config/main.yml index e5f66a1f..5eb0303f 100644 --- a/roles/web-app-xwiki/config/main.yml +++ b/roles/web-app-xwiki/config/main.yml @@ -25,7 +25,9 @@ features: server: csp: whitelist: {} - flags: {} + flags: + script-src-elem: + unsafe-inline: true domains: canonical: - "x.wiki.{{ PRIMARY_DOMAIN }}" diff --git a/roles/web-app-xwiki/schema/main.yml b/roles/web-app-xwiki/schema/main.yml index e69de29b..a048fd05 100644 --- a/roles/web-app-xwiki/schema/main.yml +++ b/roles/web-app-xwiki/schema/main.yml @@ -0,0 +1,6 @@ +credentials: + superadminpassword: + description: "Password for the xwiki superadmin" + algorithm: "alphanumeric" + validation: + min_length: 50 \ No newline at end of file diff --git a/roles/web-app-xwiki/tasks/01_core.yml b/roles/web-app-xwiki/tasks/01_core.yml index 33caa3ea..8865b009 100644 --- a/roles/web-app-xwiki/tasks/01_core.yml +++ b/roles/web-app-xwiki/tasks/01_core.yml @@ -29,9 +29,11 @@ delay: 5 until: xwiki_rest_up is succeeded +- include_tasks: 02_bootstrap_admin.yml + - name: "Check if OIDC extension installed" uri: - url: "http://127.0.0.1:{{ XWIKI_HOST_PORT }}/xwiki/rest/wikis/xwiki/extensions/{{ XWIKI_EXT_OIDC_ID | urlencode }}" + url: "{{ XWIKI_REST_GENERAL }}/extensions/{{ XWIKI_EXT_OIDC_ID | urlencode }}" method: GET user: "{{ XWIKI_ADMIN_USER }}" password: "{{ XWIKI_ADMIN_PASS }}" @@ -42,7 +44,7 @@ - name: "Check if LDAP extension installed" uri: - url: "http://127.0.0.1:{{ XWIKI_HOST_PORT }}/xwiki/rest/wikis/xwiki/extensions/{{ XWIKI_EXT_LDAP_ID | urlencode }}" + url: "{{ XWIKI_REST_GENERAL }}/extensions/{{ XWIKI_EXT_LDAP_ID | urlencode }}" method: GET user: "{{ XWIKI_ADMIN_USER }}" password: "{{ XWIKI_ADMIN_PASS }}" diff --git a/roles/web-app-xwiki/tasks/02_bootstrap_admin.yml b/roles/web-app-xwiki/tasks/02_bootstrap_admin.yml new file mode 100644 index 00000000..e3259aad --- /dev/null +++ b/roles/web-app-xwiki/tasks/02_bootstrap_admin.yml @@ -0,0 +1,42 @@ +--- +# Wait until REST endpoint is available (01_core usually ensures this, but we add safety) +- name: "XWIKI | Wait until REST answers" + uri: + url: "http://127.0.0.1:{{ XWIKI_HOST_PORT }}/xwiki/rest/" + status_code: [200,401] + register: _rest_ping + retries: 60 + delay: 5 + until: _rest_ping is succeeded + +# Check if the target admin already exists (404 = missing) +- name: "XWIKI | Check if target admin user exists" + uri: + url: "{{ XWIKI_REST_GENERAL }}/users/{{ XWIKI_ADMIN_USER | urlencode }}" + method: GET + user: "{{ XWIKI_SUPERADMIN_USERNAME }}" + password: "{{ XWIKI_SUPERADMIN_PASSWORD }}" + force_basic_auth: true + status_code: [200,404] + register: _admin_exists + +# Create admin user if not existing +- name: "XWIKI | Create admin user via REST" + uri: + url: "{{ XWIKI_REST_GENERAL }}/users" + method: POST + user: "{{ XWIKI_SUPERADMIN_USERNAME }}" + password: "{{ XWIKI_SUPERADMIN_PASSWORD }}" + force_basic_auth: true + status_code: 201 + headers: + Content-Type: "application/xml" + body: | + + {{ users.administrator.firstname | default('Admin') }} + {{ users.administrator.lastname | default('User') }} + {{ users.administrator.email }} + {{ XWIKI_ADMIN_USER }} + {{ XWIKI_ADMIN_PASS }} + + when: _admin_exists.status == 404 diff --git a/roles/web-app-xwiki/templates/xwiki.properties.j2 b/roles/web-app-xwiki/templates/xwiki.properties.j2 index 8d00a159..faaba1e4 100644 --- a/roles/web-app-xwiki/templates/xwiki.properties.j2 +++ b/roles/web-app-xwiki/templates/xwiki.properties.j2 @@ -14,3 +14,4 @@ oidc.userinfoclaims={{ XWIKI_OIDC_GROUPS_CLAIM }} oidc.groups.claim={{ XWIKI_OIDC_GROUPS_CLAIM }} oidc.groups.mapping=XWiki.XWikiAdminGroup={{ XWIKI_OIDC_ADMIN_PROVIDER_GROUP }} {% endif %} +xwiki.superadminpassword={{ XWIKI_SUPERADMIN_PASSWORD }} diff --git a/roles/web-app-xwiki/vars/main.yml b/roles/web-app-xwiki/vars/main.yml index 4439e772..b96470fc 100644 --- a/roles/web-app-xwiki/vars/main.yml +++ b/roles/web-app-xwiki/vars/main.yml @@ -32,8 +32,13 @@ XWIKI_ADMIN_USER: "{{ users.administrator.username }}" XWIKI_ADMIN_PASS: "{{ users.administrator.password }}" XWIKI_ADMIN_GROUP: "{{ application_id }}-administrator" +# Superadministrator +XWIKI_SUPERADMIN_PASSWORD: "{{ applications | get_app_conf(application_id, 'credentials.superadminpassword') }}" +XWIKI_SUPERADMIN_USERNAME: "superadmin" + # REST endpoint (local inside container) XWIKI_REST_BASE: "http://127.0.0.1:{{ XWIKI_HOST_PORT }}/xwiki/rest/jobs?jobType=install&async=false" +XWIKI_REST_GENERAL: "http://127.0.0.1:{{ XWIKI_HOST_PORT }}/xwiki/rest/wikis/xwiki" # Extension IDs + Versions (pin versions explicitly) XWIKI_EXT_LDAP_ID: "org.xwiki.contrib.ldap:ldap-authenticator"