web-app-xwiki: add SuperAdmin bootstrap support

- Added schema entry for superadminpassword - Added vars for XWIKI_SUPERADMIN_USERNAME/PASSWORD - Extended xwiki.properties.j2 to configure superadminpassword - Added 02_bootstrap_admin.yml to create XWiki admin via REST using SuperAdmin - Updated REST URLs to use XWIKI_REST_GENERAL - Enabled CSP flag unsafe-inline Conversation: https://chatgpt.com/share/68c39ddb-e9cc-800f-b32f-9d4c1e09e43e
2025-11-03 19:58:14 +00:00 · 2025-09-12 06:13:34 +02:00
parent 07b7c6484f
commit 2d71c461de
6 changed files with 61 additions and 3 deletions
--- a/roles/web-app-xwiki/config/main.yml
+++ b/roles/web-app-xwiki/config/main.yml
@@ -25,7 +25,9 @@ features:
 server:
  csp:
    whitelist:      {}
-    flags:          {}
+    flags:
+      script-src-elem:
+        unsafe-inline:  true
  domains:
    canonical:
      - "x.wiki.{{ PRIMARY_DOMAIN }}"
--- a/roles/web-app-xwiki/schema/main.yml
+++ b/roles/web-app-xwiki/schema/main.yml
@@ -0,0 +1,6 @@
+credentials:
+  superadminpassword:
+    description: "Password for the xwiki superadmin"
+    algorithm: "alphanumeric"
+    validation:
+      min_length: 50
--- a/roles/web-app-xwiki/tasks/01_core.yml
+++ b/roles/web-app-xwiki/tasks/01_core.yml
@@ -29,9 +29,11 @@
  delay: 5
  until: xwiki_rest_up is succeeded

+- include_tasks: 02_bootstrap_admin.yml
+
 - name: "Check if OIDC extension installed"
  uri:
-    url: "http://127.0.0.1:{{ XWIKI_HOST_PORT }}/xwiki/rest/wikis/xwiki/extensions/{{ XWIKI_EXT_OIDC_ID | urlencode }}"
+    url: "{{ XWIKI_REST_GENERAL }}/extensions/{{ XWIKI_EXT_OIDC_ID | urlencode }}"
    method: GET
    user: "{{ XWIKI_ADMIN_USER }}"
    password: "{{ XWIKI_ADMIN_PASS }}"
@@ -42,7 +44,7 @@

 - name: "Check if LDAP extension installed"
  uri:
-    url: "http://127.0.0.1:{{ XWIKI_HOST_PORT }}/xwiki/rest/wikis/xwiki/extensions/{{ XWIKI_EXT_LDAP_ID | urlencode }}"
+    url: "{{ XWIKI_REST_GENERAL }}/extensions/{{ XWIKI_EXT_LDAP_ID | urlencode }}"
    method: GET
    user: "{{ XWIKI_ADMIN_USER }}"
    password: "{{ XWIKI_ADMIN_PASS }}"
--- a/roles/web-app-xwiki/tasks/02_bootstrap_admin.yml
+++ b/roles/web-app-xwiki/tasks/02_bootstrap_admin.yml
@@ -0,0 +1,42 @@
+---
+# Wait until REST endpoint is available (01_core usually ensures this, but we add safety)
+- name: "XWIKI | Wait until REST answers"
+  uri:
+    url: "http://127.0.0.1:{{ XWIKI_HOST_PORT }}/xwiki/rest/"
+    status_code: [200,401]
+  register: _rest_ping
+  retries: 60
+  delay: 5
+  until: _rest_ping is succeeded
+
+# Check if the target admin already exists (404 = missing)
+- name: "XWIKI | Check if target admin user exists"
+  uri:
+    url: "{{ XWIKI_REST_GENERAL }}/users/{{ XWIKI_ADMIN_USER | urlencode }}"
+    method: GET
+    user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
+    password: "{{ XWIKI_SUPERADMIN_PASSWORD  }}"
+    force_basic_auth: true
+    status_code: [200,404]
+  register: _admin_exists
+
+# Create admin user if not existing
+- name: "XWIKI | Create admin user via REST"
+  uri:
+    url: "{{ XWIKI_REST_GENERAL }}/users"
+    method: POST
+    user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
+    password: "{{ XWIKI_SUPERADMIN_PASSWORD  }}"
+    force_basic_auth: true
+    status_code: 201
+    headers:
+      Content-Type: "application/xml"
+    body: |
+      <user>
+        <firstName>{{ users.administrator.firstname | default('Admin') }}</firstName>
+        <lastName>{{ users.administrator.lastname  | default('User') }}</lastName>
+        <email>{{ users.administrator.email }}</email>
+        <username>{{ XWIKI_ADMIN_USER }}</username>
+        <password>{{ XWIKI_ADMIN_PASS }}</password>
+      </user>
+  when: _admin_exists.status == 404
--- a/roles/web-app-xwiki/templates/xwiki.properties.j2
+++ b/roles/web-app-xwiki/templates/xwiki.properties.j2
@@ -14,3 +14,4 @@ oidc.userinfoclaims={{ XWIKI_OIDC_GROUPS_CLAIM }}
 oidc.groups.claim={{ XWIKI_OIDC_GROUPS_CLAIM }}
 oidc.groups.mapping=XWiki.XWikiAdminGroup={{ XWIKI_OIDC_ADMIN_PROVIDER_GROUP }}
 {% endif %}
+xwiki.superadminpassword={{ XWIKI_SUPERADMIN_PASSWORD }}
--- a/roles/web-app-xwiki/vars/main.yml
+++ b/roles/web-app-xwiki/vars/main.yml
@@ -32,8 +32,13 @@ XWIKI_ADMIN_USER:                     "{{ users.administrator.username }}"
 XWIKI_ADMIN_PASS:                     "{{ users.administrator.password }}"
 XWIKI_ADMIN_GROUP:                    "{{ application_id }}-administrator"

+# Superadministrator
+XWIKI_SUPERADMIN_PASSWORD:            "{{ applications | get_app_conf(application_id, 'credentials.superadminpassword') }}"
+XWIKI_SUPERADMIN_USERNAME:            "superadmin"
+
 # REST endpoint (local inside container)
 XWIKI_REST_BASE:                      "http://127.0.0.1:{{ XWIKI_HOST_PORT }}/xwiki/rest/jobs?jobType=install&async=false"
+XWIKI_REST_GENERAL:                   "http://127.0.0.1:{{ XWIKI_HOST_PORT }}/xwiki/rest/wikis/xwiki"

 # Extension IDs + Versions (pin versions explicitly)
 XWIKI_EXT_LDAP_ID:                    "org.xwiki.contrib.ldap:ldap-authenticator"