XWiki: add diagnostic and modern AuthService handling

- Added 05_set_authservice.yml to set XWikiPreferences.authenticationService to modern component hints (standard, oidc, ldap). - Added _auth_diag.yml to introspect registered AuthService components and verify the active preference. - Updated docker-compose.yml.j2 to use -Dxwiki.authentication.authservice instead of deprecated authclass syntax. - Temporarily included AuthDiag task in 01_core.yml for runtime verification. Context: https://chatgpt.com/share/69005d88-6bf8-800f-af41-73b0e5dc9c13
2025-11-01 18:59:19 +00:00 · 2025-10-28 07:07:42 +01:00
parent 295ae7e477
commit 2f46b99e4e
4 changed files with 151 additions and 4 deletions
--- a/roles/web-app-xwiki/tasks/01_core.yml
+++ b/roles/web-app-xwiki/tasks/01_core.yml
@@ -36,6 +36,12 @@
 - name: Load setup procedures for extensions
  include_tasks: 04_extensions.yml

+- name: "Set authentication service according to feature toggles"
+  include_tasks: 05_set_authservice.yml
+
+- name: "Run AuthDiag (temporary)"
+  include_tasks: _auth_diag.yml
+
 - block:
    - name:           "Create Final Docker Compose File"
      template:
--- a/roles/web-app-xwiki/tasks/05_set_authservice.yml
+++ b/roles/web-app-xwiki/tasks/05_set_authservice.yml
@@ -0,0 +1,73 @@
+---
+# Sets XWikiPreferences.authenticationService to modern component hint (standard, oidc, ldap)
+
+- name: "XWIKI | Compute target authservice hint"
+  set_fact:
+    _target_authservice: >-
+      {{
+        'oidc' if (XWIKI_OIDC_ENABLED | bool)
+        else ('ldap' if (XWIKI_LDAP_ENABLED | bool)
+        else 'standard')
+      }}
+
+- name: "XWIKI | PUT Groovy page SetAuthService"
+  uri:
+    url: "{{ [XWIKI_REST_XWIKI_PAGES, 'SetAuthService'] | url_join }}"
+    method: PUT
+    user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
+    password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
+    force_basic_auth: true
+    status_code: [200,201,202,204]
+    headers:
+      Content-Type: "application/xml"
+      Accept: "application/xml"
+    body: |
+      <page xmlns="http://www.xwiki.org">
+        <title>SetAuthService</title>
+        <content><![CDATA[
+        {% raw %}{{groovy}}{% endraw %}
+        try {
+          def doc = xwiki.getDocument('XWiki.XWikiPreferences')
+          def obj = doc.getObject('XWiki.XWikiPreferences', true)
+          obj.set('authenticationService', '{{ _target_authservice }}')
+          def engine = xcontext.context.getWiki()
+          engine.saveDocument(doc.getDocument(), "Set authentication service to {{ _target_authservice }}", true, xcontext.context)
+          print "OK::{{ _target_authservice }}"
+        } catch (Throwable t) {
+          print "ERROR::" + (t?.message ?: t?.toString())
+        }
+        {% raw %}{{/groovy}}{% endraw %}
+        ]]></content>
+        <syntax>xwiki/2.1</syntax>
+      </page>
+  register: _put_auth_page
+
+- name: "XWIKI | Execute SetAuthService"
+  uri:
+    url: "http://127.0.0.1:{{ XWIKI_HOST_PORT }}/bin/view/XWiki/SetAuthService?xpage=plain"
+    method: GET
+    user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
+    password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
+    force_basic_auth: true
+    status_code: [200]
+    return_content: yes
+  register: _exec_auth_page
+  retries: 10
+  delay: 3
+  until: _exec_auth_page is succeeded
+
+- name: "ASSERT | Auth service set"
+  assert:
+    that:
+      - _exec_auth_page.content is search("OK::")
+    fail_msg: "Failed to set XWikiPreferences.authenticationService: {{ _exec_auth_page.content | default('no content') }}"
+
+- name: "XWIKI | Delete SetAuthService page"
+  uri:
+    url: "{{ [XWIKI_REST_XWIKI_PAGES, 'SetAuthService'] | url_join }}"
+    method: DELETE
+    user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
+    password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
+    force_basic_auth: true
+    status_code: [204,200,202,404]
+  changed_when: false
--- a/roles/web-app-xwiki/tasks/_auth_diag.yml
+++ b/roles/web-app-xwiki/tasks/_auth_diag.yml
@@ -0,0 +1,68 @@
+# roles/web-app-xwiki/tasks/_auth_diag.yml
+- name: "XWIKI | PUT page XWiki.AuthDiag (Groovy)"
+  uri:
+    url: "{{ [XWIKI_REST_XWIKI_PAGES, 'AuthDiag'] | url_join }}"
+    method: PUT
+    user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
+    password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
+    force_basic_auth: true
+    status_code: [200,201,202,204]
+    headers:
+      Content-Type: "application/xml"
+      Accept: "application/xml"
+    body: |
+      <page xmlns="http://www.xwiki.org">
+        <title>AuthDiag</title>
+        <content><![CDATA[
+        {% raw %}{{groovy}}{% endraw %}
+        import org.xwiki.security.authservice.AuthService
+        try {
+          def cm = services.component.componentManager
+          def hints = cm.getComponentDescriptorList(AuthService).collect{ it.roleHint }.sort()
+
+          def doc = xwiki.getDocument('XWiki.XWikiPreferences')
+          def obj = doc.getObject('XWiki.XWikiPreferences', true)
+          def pref = (obj.get('authenticationService') ?: 'unset')
+
+          println "HINTS::" + hints
+          println "PREF::" + pref
+
+          def chosenHint = (pref ?: 'standard')
+          def hasChosen = hints.contains(chosenHint)
+          println "HAS_CHOSEN::" + hasChosen + "::" + chosenHint
+        } catch (Throwable t) {
+          println "ERROR::" + (t?.message ?: t?.toString())
+        }
+        {% raw %}{{/groovy}}{% endraw %}
+        ]]></content>
+        <syntax>xwiki/2.1</syntax>
+      </page>
+  register: _put_authdiag
+  changed_when: false
+
+- name: "XWIKI | Run AuthDiag"
+  uri:
+    url: "http://127.0.0.1:{{ XWIKI_HOST_PORT }}/bin/view/XWiki/AuthDiag?xpage=plain"
+    method: GET
+    user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
+    password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
+    force_basic_auth: true
+    status_code: [200]
+    return_content: yes
+  register: _authdiag_run
+  changed_when: false
+
+- name: "DEBUG | AuthDiag output"
+  debug:
+    msg: "{{ _authdiag_run.content | regex_replace('<[^>]+>', '') | trim }}"
+
+# Optional sauber machen:
+- name: "XWIKI | DELETE AuthDiag page"
+  uri:
+    url: "{{ [XWIKI_REST_XWIKI_PAGES, 'AuthDiag'] | url_join }}"
+    method: DELETE
+    user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
+    password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
+    force_basic_auth: true
+    status_code: [204,200,202,404]
+  changed_when: false
--- a/roles/web-app-xwiki/templates/docker-compose.yml.j2
+++ b/roles/web-app-xwiki/templates/docker-compose.yml.j2
@@ -8,10 +8,10 @@
      - "127.0.0.1:{{ XWIKI_HOST_PORT }}:{{ container_port }}"
    environment:
      JAVA_OPTS: >-
-{% if xwiki_oidc_enabled_switch| bool %}
-        -Dxwiki.authentication.authclass=org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl
+{% if xwiki_oidc_enabled_switch | bool %}
+        -Dxwiki.authentication.authservice=oidc
 {% elif xwiki_ldap_enabled_switch | bool %}
-        -Dxwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
+        -Dxwiki.authentication.authservice=ldap
        -Dxwiki.authentication.ldap=1
        -Dxwiki.authentication.ldap.trylocal={{ (XWIKI_LDAP_TRYLOCAL | bool) | ternary(1, 0) }}
        -Dxwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup={{ XWIKI_LDAP_ADMIN_GROUP_DN }}
@@ -24,7 +24,7 @@
        -Dxwiki.authentication.ldap.fields_mapping={{ XWIKI_LDAP_FIELDS_MAPPING }}
        -Dxwiki.authentication.ldap.update_user=1
 {% else %}
-        -Dxwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl
+        -Dxwiki.authentication.authservice=standard
 {% endif %}
    volumes:
      - "{{ XWIKI_HOST_PROPERTIES_PATH }}:/usr/local/tomcat/webapps/ROOT/WEB-INF/xwiki.properties"