Added proxy conf variables for xwiki

web-app-xwiki: verify extensions via Groovy page + new filter
- Added new filter 'xwiki_extension_status' (strips HTML, handles  ) -> returns 200/404 - Introduced checker tasks (_check_extension_via_groovy.yml) instead of REST probe - Added early assert: superadmin login before extension installation - Collect and assert probe results in 04_extensions.yml - Set OIDC extension version to 'latest' (empty string) https://chatgpt.com/share/68ca36cb-ac38-800f-8281-8dea480b6676
2025-12-07 18:05:09 +00:00 · 2025-09-17 07:19:29 +02:00 · 2025-09-17 06:20:28 +02:00 · 2025-09-17 05:18:03 +02:00 · 2025-09-17 05:08:02 +02:00 · 2025-09-17 03:30:40 +02:00
16 changed files with 315 additions and 228 deletions
--- a/roles/docker-compose/handlers/main.yml
+++ b/roles/docker-compose/handlers/main.yml
@@ -41,7 +41,7 @@
    - docker compose up
    - docker compose restart

- name: Build docker compose 
+- name: Build docker compose
  shell: |
    set -euo pipefail
    docker compose build || { 
--- a/roles/docker-compose/tasks/04_files.yml
+++ b/roles/docker-compose/tasks/04_files.yml
@@ -6,8 +6,8 @@
    - "{{ application_id | abs_role_path_by_application_id }}/templates/Dockerfile.j2"
    - "{{ application_id | abs_role_path_by_application_id }}/files/Dockerfile"
  notify: 
-    - docker compose up
    - docker compose build
+    - docker compose up
  register: create_dockerfile_result
  failed_when:
    - create_dockerfile_result is failed
--- a/roles/web-app-xwiki/config/main.yml
+++ b/roles/web-app-xwiki/config/main.yml
@@ -24,8 +24,12 @@ features:
  ldap:             false # Just OIDC or LDAP can be enabled
 server:
  csp:
-    whitelist:      {}
+    whitelist:
+      worker-src:
+        - "blob:"
    flags:
+      script-src:
+        unsafe-eval:    true
      script-src-elem:
        unsafe-inline:  true
  domains:
@@ -35,3 +39,23 @@ rbac:
  roles: {}
 ldap:
  local_enabled: true # Allows local login if LDAP is down
+
+plugins:
+  oidc:
+    enabled: true
+    items:
+      - id: "org.xwiki.contrib.oidc:oidc-authenticator"
+        version: ""
+
+  ldap:
+    enabled: false
+    items:
+      - id: "org.xwiki.contrib.ldap:ldap-authenticator"
+        version: "9.15.7"
+
+  # Example for Matomo
+  matomo:
+    enabled: false
+    items:
+      - id: "org.xwiki.contrib:matomo"
+        version: "1.0"
--- a/roles/web-app-xwiki/files/extension_installer_b64.groovy
+++ b/roles/web-app-xwiki/files/extension_installer_b64.groovy
@@ -0,0 +1,43 @@
+// Reads Base64 JSON from placeholder and avoids any quoting issues.
+import groovy.json.JsonSlurper
+import java.util.Base64
+
+def ext = services.extension
+def ns  = "wiki:xwiki"
+
+def b64 = '__WANTED_B64__'
+def json = new String(Base64.decoder.decode(b64), 'UTF-8')
+def wanted = new JsonSlurper().parseText(json) as List<Map>
+
+if (!wanted || wanted.isEmpty()) {
+  println "SKIP: no extensions requested"
+  return
+}
+
+wanted.each { e ->
+  def id  = (e.id ?: "").toString()
+  def ver = (e.version ?: "").toString().trim()
+  if (!id) { println "ERROR::<missing-id>::Empty extension id in wanted list"; return }
+
+  def already = ext.getInstalledExtension(id, ns)
+  if (already) { println "ALREADY_INSTALLED::${id}::${already.id?.version}"; return }
+
+  println "INSTALL_START::${id}::${ver ? ver : 'latest'}"
+  def job
+  try {
+    job = ver ? ext.install(id, ver, ns) : ext.install(id, null, ns)
+    job?.join()
+  } catch (Throwable t) {
+    println "ERROR::${id}::${(t?.message ?: t?.toString())}"
+  }
+
+  def st = job?.status?.state?.name()
+  if (st) println "STATE=${st}::${id}"
+
+  def err = job?.status?.error  // singular!
+  if (err) println "ERROR::${id}::${(err?.message ?: err?.toString())}"
+
+  def now = ext.getInstalledExtension(id, ns)
+  if (now) println "INSTALLED_OK::${id}::${now.id?.version}"
+  else     println "INSTALLED_MISSING::${id}"
+}
--- a/roles/web-app-xwiki/filter_plugins/xwiki_filters.py
+++ b/roles/web-app-xwiki/filter_plugins/xwiki_filters.py
@@ -74,9 +74,35 @@ def xwiki_job_id(response: Any, default: Optional[str] = None, strict: bool = Fa
    return default


+def xwiki_extension_status(raw: str) -> int:
+    """
+    Parse the output of the Groovy CheckExtension page.
+
+    - Strips HTML tags and entities (&nbsp;)
+    - Returns 200 if extension is INSTALLED, otherwise 404
+
+    Args:
+        raw: Raw HTTP body from the checker page.
+
+    Returns:
+        200 if installed, 404 if missing/unknown.
+    """
+    if raw is None:
+        return 404
+
+    text = re.sub(r"<[^>]+>", "", str(raw))
+    text = text.replace("&nbsp;", " ").replace("\u00A0", " ")
+    text = text.strip()
+
+    if text.startswith("INSTALLED::"):
+        return 200
+    return 404
+
+
 class FilterModule(object):
    """Custom filters for XWiki helpers."""
    def filters(self):
        return {
            "xwiki_job_id": xwiki_job_id,
+            "xwiki_extension_status": xwiki_extension_status,
        }
--- a/roles/web-app-xwiki/tasks/01_core.yml
+++ b/roles/web-app-xwiki/tasks/01_core.yml
@@ -1,19 +1,35 @@
 - name: Validate XWiki variables
  include_tasks: 02_validation.yml

- name: "load docker, db and proxy for {{ application_id }}"
-  include_role: 
-    name: sys-stk-full-stateful
-  vars:
-    docker_compose_flush_handlers: false
+- block:
+    - name: "load docker, db and proxy for {{ application_id }}"
+      include_role: 
+        name: sys-stk-full-stateful
+      vars:
+        docker_compose_flush_handlers: false

- name: Deploy Bootstrap Config
-  include_tasks: _flush_config.yml
+    - name: Deploy Bootstrap Config
+      include_tasks: _flush_config.yml
  vars:
    xwiki_oidc_enabled_switch:        false
    xwiki_ldap_enabled_switch:        false
    xwiki_superadmin_enabled_switch:  true

+- name: "ASSERT | superadmin can authenticate (needed for installer)"
+  uri:
+    url: "{{ [XWIKI_REST_XWIKI, 'spaces'] | url_join }}"
+    method: GET
+    user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
+    password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
+    force_basic_auth: true
+    status_code: [200]
+  register: _super_check_ext
+
+- name: "FAIL | superadmin authentication failed (extensions phase)"
+  fail:
+    msg: "superadmin authentication failed (check xwiki.cfg in image / password / Dockerfile build)"
+  when: _super_check_ext.status != 200
+
 - name: Load setup procedures for admin
  include_tasks: 03_administrator.yml
  when: not (XWIKI_SSO_ENABLED | bool)
@@ -21,8 +37,15 @@
 - name: Load setup procedures for extensions
  include_tasks: 04_extensions.yml

- name: Deploy Final Config
-  include_tasks: _flush_config.yml
+- block:
+    - name:           "Create Final Docker Compose File"
+      template:
+        src:          "docker-compose.yml.j2"
+        dest:         "{{ docker_compose.files.docker_compose }}"
+      notify:         docker compose up
+    
+    - name: Deploy Final Config
+      include_tasks: _flush_config.yml
  vars:
    xwiki_oidc_enabled_switch:        "{{ XWIKI_OIDC_ENABLED | bool }}"
    xwiki_ldap_enabled_switch:        "{{ XWIKI_LDAP_ENABLED | bool }}"
--- a/roles/web-app-xwiki/tasks/04_extensions.yml
+++ b/roles/web-app-xwiki/tasks/04_extensions.yml
@@ -1,152 +1,102 @@
-# roles/web-app-xwiki/tasks/04_extensions.yml
+# Installs OIDC / LDAP using a temporary Groovy page that calls the
+# Extension Script Service (services.extension.install).
+# Avoids REST job API and any Namespace class import for portability.
 #
-# Canonical install flow for XWiki 16.10.x in this setup:
-# - PUT /rest/jobs with query params (install, async=false, media=json, namespaces, extensions)
-# - Pass lists via <rest><list>…</list></rest> in query parameters
-# - Minimal XML body (<jobRequest/>) just to satisfy the REST layer
-# - Restart once (handler: docker compose restart), then verify via the 'installed' repository
+# Flow:
+#  - Bootstrap config renders with both auth backends OFF (already in your role).
+#  - This file installs required extensions on the current wiki.
+#  - Final config later turns auth ON (already in your role).
 #
-# Requires in xwiki.properties:
-# extension.repositories=xwiki-public:maven:https://nexus.xwiki.org/nexus/content/groups/public/,central:maven:https://repo1.maven.org/maven2/
+# Notes:
+#  - We print machine-readable markers so Ansible can assert deterministically.
+#  - We protect XWiki's {{groovy}} wiki macro from Jinja by using {% raw %}…{% endraw %}.

-# 1) Probe what is already installed
- name: "Probe OIDC extension"
-  include_tasks: _probe_extension.yml
+- name: "XWIKI | Build Groovy installer code from static file (base64 payload)"
  vars:
-    ext_id: "{{ XWIKI_EXT_OIDC_ID }}"
-    ext_version: "{{ XWIKI_EXT_OIDC_VERSION }}"
-    ext_enabled: "{{ XWIKI_OIDC_ENABLED }}"
-    result_var: "xwiki_oidc_ext"
-
- name: "Probe LDAP extension"
-  include_tasks: _probe_extension.yml
-  vars:
-    ext_id: "{{ XWIKI_EXT_LDAP_ID }}"
-    ext_version: "{{ XWIKI_EXT_LDAP_VERSION }}"
-    ext_enabled: "{{ XWIKI_LDAP_ENABLED }}"
-    result_var: "xwiki_ldap_ext"
-
-# 2) Build the list of extensions to install (enabled + missing)
- name: "Initialize extension install list"
+    _wanted_b64: "{{ XWIKI_PLUGINS | to_json | b64encode }}"
  set_fact:
-    extensions_to_install: []
+    _install_code: >-
+      {{ lookup('file', 'roles/web-app-xwiki/files/extension_installer_b64.groovy')
+         | regex_replace('__WANTED_B64__', _wanted_b64) }}

- name: "Queue OIDC extension for install"
-  when:
-    - XWIKI_OIDC_ENABLED | bool
-    - xwiki_oidc_ext.status | int != 200
-  set_fact:
-    extensions_to_install: "{{ extensions_to_install + [ {'id': XWIKI_EXT_OIDC_ID, 'version': XWIKI_EXT_OIDC_VERSION} ] }}"
-
- name: "Queue LDAP extension for install"
-  when:
-    - XWIKI_LDAP_ENABLED | bool
-    - xwiki_ldap_ext is defined
-    - xwiki_ldap_ext.status | int != 200
-  set_fact:
-    extensions_to_install: "{{ extensions_to_install + [ {'id': XWIKI_EXT_LDAP_ID, 'version': XWIKI_EXT_LDAP_VERSION} ] }}"
-
-# 3) Build XML payloads for the request BODY (not query params)
- name: "Build XML payloads for job body"
-  when: extensions_to_install | length > 0
-  set_fact:
-    namespaces_xml_rest: "<rest><list><string>wiki:xwiki</string></list></rest>"
-    extensions_xml_rest: >-
-      <rest><list>{% for ext in extensions_to_install -%}
-      <extension><id>{{ ext.id }}</id><version>{{ ext.version }}</version><namespace>wiki:xwiki</namespace></extension>
-      {%- endfor %}</list></rest>
-
-# 4) Install extensions synchronously using BODY properties
- name: "Install extensions via PUT (body properties, sync)"
-  when: extensions_to_install | length > 0
+- name: "XWIKI | PUT installer page Main.InstallExtensions"
  uri:
-    url: "{{ XWIKI_REST_EXTENSION_INSTALL }}?jobType=install&async=false&media=json"
+    url: "{{ [XWIKI_REST_XWIKI_PAGES, 'InstallExtensions'] | url_join }}"
    method: PUT
    user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
    password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
    force_basic_auth: true
+    status_code: [200, 201, 202, 204]
    headers:
-      Accept: "application/json"
      Content-Type: "application/xml"
+      Accept: "application/xml"
    body: |
-      <jobRequest xmlns="http://www.xwiki.org">
-        <request>
-          <properties>
-            <property>
-              <key>namespaces</key>
-              <value><![CDATA[{{ namespaces_xml_rest }}]]></value>
-            </property>
-            <property>
-              <key>extensions</key>
-              <value><![CDATA[{{ extensions_xml_rest }}]]></value>
-            </property>
-            <property>
-              <key>interactive</key>
-              <value><rest><boolean>false</boolean></rest></value>
-            </property>
-          </properties>
-        </request>
-      </jobRequest>
-    status_code: [200, 201, 202]
-    return_content: yes
-  register: xwiki_install_job
-  notify: docker compose restart
-  changed_when: xwiki_install_job.json.state == 'FINISHED'
+      <page xmlns="http://www.xwiki.org">
+        <title>InstallExtensions</title>
+        <content><![CDATA[
+        {% raw %}{{groovy}}{% endraw %}
+        {{ _install_code | indent(8, False) }}
+        {% raw %}{{/groovy}}{% endraw %}
+        ]]></content>
+        <syntax>xwiki/2.1</syntax>
+      </page>
+  register: _put_page

-# 5) Restart once so new classes are loaded
- name: "Restart XWiki after install"
-  when: extensions_to_install | length > 0
-  meta: flush_handlers
-
-# 6) Wait for REST to be ready again
- name: "Wait until XWiki REST is ready after restart"
+- name: "XWIKI | Execute installer page"
  uri:
-    url: "{{ XWIKI_REST_BASE }}"
-    status_code: [200, 401]
-    follow_redirects: none
-    return_content: no
-  register: xwiki_rest_up_after
+    url: "http://127.0.0.1:{{ XWIKI_HOST_PORT }}/bin/view/XWiki/InstallExtensions?xpage=plain"
+    method: GET
+    user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
+    password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
+    force_basic_auth: true
+    status_code: [200]
+    return_content: yes
+    timeout: 300
+  register: _exec_page
+  retries: 20
+  delay: 15
+  until: _exec_page is succeeded
+
+- name: "XWIKI | Verify requested extensions via Groovy checker"
+  include_tasks: _check_extension_via_groovy.yml
+  loop: "{{ XWIKI_PLUGINS }}"
+  loop_control:
+    loop_var: plugin
+    label: "{{ plugin.id }}"
+  vars:
+    ext_id: "{{ plugin.id }}"
+    result_var: "probe_{{ plugin.id | regex_replace('[^A-Za-z0-9_]', '_') }}"
+
+- name: "XWIKI | Collect probe results"
+  set_fact:
+    _xwiki_probe_results: "{{ _xwiki_probe_results | default([]) + [ {
+      'id': plugin.id,
+      'status': (
+        (hostvars[inventory_hostname]['probe_' ~ (plugin.id | regex_replace('[^A-Za-z0-9_]', '_'))]
+         | default({})).status
+        | default(404) | int
+      )
+      } ] }}"
+  loop: "{{ XWIKI_PLUGINS }}"
+  loop_control:
+    loop_var: plugin
  changed_when: false
-  retries: 60
-  delay: 5
-  until:
-    - xwiki_rest_up_after is succeeded
-    - (xwiki_rest_up_after.redirected is not defined) or (not xwiki_rest_up_after.redirected)

-# 7) Re-probe from 'installed' repository
- name: "Re-probe OIDC extension (installed repo)"
-  include_tasks: _probe_extension.yml
+# Fail if any extension is missing
+- name: "XWIKI | Assert all requested extensions are installed"
  vars:
-    ext_id: "{{ XWIKI_EXT_OIDC_ID }}"
-    ext_version: "{{ XWIKI_EXT_OIDC_VERSION }}"
-    ext_enabled: "{{ XWIKI_OIDC_ENABLED }}"
-    result_var: "xwiki_oidc_ext_after"
-
- name: "Re-probe LDAP extension (installed repo)"
-  include_tasks: _probe_extension.yml
-  vars:
-    ext_id: "{{ XWIKI_EXT_LDAP_ID }}"
-    ext_version: "{{ XWIKI_EXT_LDAP_VERSION }}"
-    ext_enabled: "{{ XWIKI_LDAP_ENABLED }}"
-    result_var: "xwiki_ldap_ext_after"
-
-# 8) Fail fast if something requested is still missing
- name: "FAIL: OIDC missing after install"
+    missing: "{{ _xwiki_probe_results | selectattr('status','equalto',404) | map(attribute='id') | list }}"
  fail:
-    msg: >-
-      OIDC extension ({{ XWIKI_EXT_OIDC_ID }} {{ XWIKI_EXT_OIDC_VERSION }}) is NOT detected
-      after install (HTTP {{ xwiki_oidc_ext_after.status | default('n/a') }}).
-      Check 'extension.repositories' in xwiki.properties and network/DNS.
-  when:
-    - XWIKI_OIDC_ENABLED | bool
-    - xwiki_oidc_ext_after.status | int != 200
+    msg: "Missing extensions: {{ missing | join(', ') }}"
+  when: missing | length > 0

- name: "FAIL: LDAP missing after install"
-  fail:
-    msg: >-
-      LDAP extension ({{ XWIKI_EXT_LDAP_ID }} {{ XWIKI_EXT_LDAP_VERSION }}) is NOT detected
-      after install (HTTP {{ xwiki_ldap_ext_after.status | default('n/a') }}).
-      Check 'extension.repositories' in xwiki.properties and network/DNS.
-  when:
-    - XWIKI_LDAP_ENABLED | bool
-    - xwiki_ldap_ext_after.status | int != 200
+- name: "XWIKI | Delete installer page"
+  uri:
+    url: "{{ [XWIKI_REST_XWIKI_PAGES, 'InstallExtensions'] | url_join }}"
+    method: DELETE
+    user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
+    password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
+    force_basic_auth: true
+    status_code: [204, 200, 202, 404]
+  register: _delete_page
+  changed_when: _delete_page.status != 404
--- a/roles/web-app-xwiki/tasks/_check_extension_via_groovy.yml
+++ b/roles/web-app-xwiki/tasks/_check_extension_via_groovy.yml
@@ -0,0 +1,63 @@
+# PUT a temporary Groovy page that checks installed extensions
+- name: "XWIKI | PUT checker page XWiki.CheckExtension"
+  uri:
+    url: "{{ [XWIKI_REST_XWIKI_PAGES, 'CheckExtension'] | url_join }}"
+    method: PUT
+    user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
+    password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
+    force_basic_auth: true
+    status_code: [200, 201, 202, 204]
+    headers:
+      Content-Type: "application/xml"
+      Accept: "application/xml"
+    body: |
+      <page xmlns="http://www.xwiki.org">
+        <title>CheckExtension</title>
+        <content><![CDATA[
+        {% raw %}{{groovy}}{% endraw %}
+        def ns = "wiki:xwiki"
+        def id = (request.getParameter("id") ?: "").toString()
+        if (!id) { print "ERROR::missing-id"; return }
+        def ext = services.extension.getInstalledExtension(id, ns)
+        if (ext) {
+          print "INSTALLED::${ext.id?.id}::${ext.id?.version}"
+        } else {
+          print "MISSING::${id}"
+        }
+        {% raw %}{{/groovy}}{% endraw %}
+        ]]></content>
+        <syntax>xwiki/2.1</syntax>
+      </page>
+  register: _put_checker
+  changed_when: false
+
+# Call the page to check a single extension
+- name: "XWIKI | Check installed via Groovy for {{ ext_id }}"
+  uri:
+    url: "http://127.0.0.1:{{ XWIKI_HOST_PORT }}/bin/view/XWiki/CheckExtension?xpage=plain&id={{ ext_id | urlencode }}"
+    method: GET
+    user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
+    password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
+    force_basic_auth: true
+    status_code: [200]
+    return_content: yes
+  register: _check_output
+  changed_when: false
+
+- name: "XWIKI | Save Groovy check result for {{ ext_id }}"
+  set_fact:
+    "{{ result_var }}":
+      status: "{{ _check_output.content | xwiki_extension_status }}"
+      raw: "{{ _check_output.content }}"
+
+# Cleanup (optional; you can leave the page, but we remove it to keep things tidy)
+- name: "XWIKI | Delete checker page"
+  uri:
+    url: "{{ [XWIKI_REST_XWIKI_PAGES, 'CheckExtension'] | url_join }}"
+    method: DELETE
+    user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
+    password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
+    force_basic_auth: true
+    status_code: [204, 200, 202, 404]
+  register: _delete_checker
+  changed_when: _delete_checker.status != 404
--- a/roles/web-app-xwiki/tasks/_flush_config.yml
+++ b/roles/web-app-xwiki/tasks/_flush_config.yml
@@ -1,9 +1,3 @@
- name: "Render xwiki.cfg"
-  template:
-    src: "xwiki.cfg.j2"
-    dest: "{{ XWIKI_HOST_CONF_PATH }}"
-  notify: docker compose up
-
 - name: "Deploy xwiki.properties"
  template:
    src: "xwiki.properties.j2"
--- a/roles/web-app-xwiki/tasks/_probe_extension.yml
+++ b/roles/web-app-xwiki/tasks/_probe_extension.yml
@@ -1,44 +0,0 @@
-# roles/web-app-xwiki/tasks/_probe_extension.yml
-# Probes the 'installed' extension repository to check if a given extension is present.
-# Uses the wiki-namespaced REST base (/rest/wikis/xwiki) and falls back to /{id}/{version} if needed.
-
- name: "XWIKI | Probe extension {{ ext_id }} (installed repo)"
-  when: ext_enabled | bool
-  uri:
-    url: "{{ [XWIKI_REST_XWIKI, 'repositories/installed/extensions', ext_id | urlencode] | url_join }}?namespace={{ 'wiki:xwiki' | urlencode }}"
-    method: GET
-    user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
-    password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
-    force_basic_auth: true
-    follow_redirects: none
-    return_content: no
-    headers:
-      Accept: "application/xml"
-    status_code: [200, 401, 404]
-  register: _probe
-  changed_when: false
-
-# Some XWiki builds/versions answer on /{id}/{version}. Try that if plain /{id} returned 404.
- name: "XWIKI | Probe extension {{ ext_id }} with version (fallback)"
-  when:
-    - ext_enabled | bool
-    - (_probe.status | default(404)) | int == 404
-    - ext_version is defined
-  uri:
-    url: "{{ [XWIKI_REST_XWIKI, 'repositories/installed/extensions', ext_id | urlencode, ext_version] | url_join }}?namespace={{ 'wiki:xwiki' | urlencode }}"
-    method: GET
-    user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
-    password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
-    force_basic_auth: true
-    follow_redirects: none
-    return_content: no
-    headers:
-      Accept: "application/xml"
-    status_code: [200, 401, 404]
-  register: _probe_v
-  changed_when: false
-
- name: "XWIKI | Save probe result for {{ ext_id }}"
-  when: ext_enabled | bool
-  set_fact:
-    "{{ result_var }}": "{{ (_probe_v if (_probe_v is defined) else _probe) }}"
--- a/roles/web-app-xwiki/templates/Dockerfile.j2
+++ b/roles/web-app-xwiki/templates/Dockerfile.j2
@@ -1 +1,5 @@
 FROM {{ XWIKI_IMAGE }}:{{ XWIKI_VERSION }}
+RUN cat >> /usr/local/tomcat/webapps/ROOT/WEB-INF/xwiki.cfg <<EOF
+xwiki.superadmin=1
+xwiki.superadminpassword={{ XWIKI_SUPERADMIN_PASSWORD }}
+EOF
--- a/roles/web-app-xwiki/templates/docker-compose.yml.j2
+++ b/roles/web-app-xwiki/templates/docker-compose.yml.j2
@@ -8,11 +8,28 @@
    hostname: '{{ XWIKI_HOSTNAME}}'
    ports:
      - "127.0.0.1:{{ XWIKI_HOST_PORT }}:{{ container_port }}"
+    environment:
+      JAVA_OPTS: >-
+{% if xwiki_oidc_enabled_switch| bool %}
+        -Dxwiki.authentication.authclass=org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl
+{% elif xwiki_ldap_enabled_switch | bool %}
+        -Dxwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
+        -Dxwiki.authentication.ldap=1
+        -Dxwiki.authentication.ldap.trylocal={{ (XWIKI_LDAP_TRYLOCAL | bool) | ternary(1, 0) }}
+        -Dxwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup={{ XWIKI_LDAP_ADMIN_GROUP_DN }}
+        -Dxwiki.authentication.ldap.mode_group_sync=always
+        -Dxwiki.authentication.ldap.server={{ XWIKI_LDAP_SERVER }}
+        -Dxwiki.authentication.ldap.port={{ XWIKI_LDAP_PORT }}
+        -Dxwiki.authentication.ldap.base_DN={{ XWIKI_LDAP_BASE_DN }}
+        -Dxwiki.authentication.ldap.bind_DN={{ XWIKI_LDAP_BIND_DN }}
+        -Dxwiki.authentication.ldap.bind_pass={{ XWIKI_LDAP_BIND_PASS }}
+        -Dxwiki.authentication.ldap.fields_mapping={{ XWIKI_LDAP_FIELDS_MAPPING }}
+        -Dxwiki.authentication.ldap.update_user=1
+{% else %}
+        -Dxwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl
+{% endif %}
    volumes:
-      - "{{ XWIKI_HOST_CONF_PATH }}:/usr/local/tomcat/webapps/ROOT/WEB-INF/xwiki.cfg"
      - "{{ XWIKI_HOST_PROPERTIES_PATH }}:/usr/local/tomcat/webapps/ROOT/WEB-INF/xwiki.properties"
-      - "{{ XWIKI_HOST_CONF_PATH }}:{{ [XWIKI_DOCK_DATA_DIR, 'xwiki.cfg'] | path_join }}"
-      - "{{ XWIKI_HOST_PROPERTIES_PATH }}:{{ [XWIKI_DOCK_DATA_DIR, 'xwiki.properties'] | path_join }}"
      - 'data:{{ XWIKI_DOCK_DATA_DIR }}'
 {% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
 {% include 'roles/docker-container/templates/base.yml.j2' %}
--- a/roles/web-app-xwiki/templates/env.j2
+++ b/roles/web-app-xwiki/templates/env.j2
@@ -4,3 +4,4 @@ DB_HOST="{{ database_host }}"
 DB_PORT="{{ database_port }}"
 DB_DATABASE="{{ database_name }}"
 DB_TYPE="{{ 'mariadb' if database_type == 'mariadb' else 'postgresql' }}"
+XWIKI_SUPERADMIN_PASSWORD="{{ XWIKI_SUPERADMIN_PASSWORD }}"
--- a/roles/web-app-xwiki/templates/xwiki.cfg.j2
+++ b/roles/web-app-xwiki/templates/xwiki.cfg.j2
@@ -1,25 +0,0 @@
-# ---- Authentication selection
-{% if xwiki_oidc_enabled_switch | bool %}
-xwiki.authentication.authclass=org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl
-{% elif xwiki_ldap_enabled_switch | bool %}
-xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
-xwiki.authentication.ldap=1
-xwiki.authentication.ldap.trylocal={{ (XWIKI_LDAP_TRYLOCAL | bool) | ternary(1, 0) }}
-xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup={{ XWIKI_LDAP_ADMIN_GROUP_DN }}
-xwiki.authentication.ldap.mode_group_sync=always
-xwiki.authentication.ldap.server={{ XWIKI_LDAP_SERVER }}
-xwiki.authentication.ldap.port={{ XWIKI_LDAP_PORT }}
-xwiki.authentication.ldap.base_DN={{ XWIKI_LDAP_BASE_DN }}
-xwiki.authentication.ldap.bind_DN={{ XWIKI_LDAP_BIND_DN }}
-xwiki.authentication.ldap.bind_pass={{ XWIKI_LDAP_BIND_PASS }}
-xwiki.authentication.ldap.fields_mapping={{ XWIKI_LDAP_FIELDS_MAPPING }}
-xwiki.authentication.ldap.update_user=1
-{% else %}
-xwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl
-{% endif %}
-
-{% if xwiki_superadmin_enabled_switch | bool %}
-# ---- Superadmin must live in xwiki.cfg (not in xwiki.properties)
-xwiki.superadminpassword={{ XWIKI_SUPERADMIN_PASSWORD }}
-xwiki.superadmin=1
-{% endif %}
--- a/roles/web-app-xwiki/templates/xwiki.properties.j2
+++ b/roles/web-app-xwiki/templates/xwiki.properties.j2
@@ -1,8 +1,14 @@
+# Proxy
+xwiki.url.protocol={{ WEB_PROTOCOL }}
+xwiki.url.host={{ domain }}
+xwiki.url.port={{ WEB_PORT }}
+
 ############################################
 # OIDC
 # Render this block only while the OIDC switch is ON in _flush_config.yml.
 # During bootstrap we keep it OFF to avoid ClassNotFoundException before the extension is installed.
 {% if xwiki_oidc_enabled_switch | bool %}
+oidc.showLoginButton=true
 oidc.provider={{ XWIKI_OIDC_PROVIDER }}
 oidc.endpoint.authorization={{ XWIKI_OIDC_AUTHORIZATION }}
 oidc.endpoint.token={{ XWIKI_OIDC_TOKEN }}
@@ -26,6 +32,8 @@ distribution.defaultUI=org.xwiki.platform:xwiki-platform-distribution-flavor-mai
 distribution.skip=false
 distribution.wizard.enabled=true

+logging.rootLogger=DEBUG, console
+
 # Persist data in the Docker volume
 environment.permanentDirectory={{ XWIKI_DOCK_DATA_DIR }}

--- a/roles/web-app-xwiki/vars/main.yml
+++ b/roles/web-app-xwiki/vars/main.yml
@@ -1,9 +1,10 @@
 # General
 application_id:                       "web-app-xwiki"
 database_type:                        "{{ applications | get_app_conf(application_id, 'docker.services.database.type') }}"
+domain:                               "{{ domains | get_domain(application_id) }}"

 container_port:                       8080
-container_hostname:                   "{{ domains | get_domain(application_id) }}"
+container_hostname:                   "{{ domain }}"

 # XWiki

@@ -44,12 +45,6 @@ XWIKI_REST_XWIKI:                     "{{ [XWIKI_REST_BASE, 'wikis/xwiki'] | url
 XWIKI_REST_XWIKI_PAGES:               "{{ [XWIKI_REST_BASE, 'wikis/xwiki/spaces/XWiki/pages'] | url_join }}"
 XWIKI_REST_EXTENSION_INSTALL:         "{{ [XWIKI_REST_BASE, 'jobs'] | url_join }}"

-# Extension IDs + Versions (pin versions explicitly)
-XWIKI_EXT_LDAP_ID:                    "org.xwiki.contrib.ldap:ldap-authenticator"
-XWIKI_EXT_LDAP_VERSION:               "9.15.7"
-XWIKI_EXT_OIDC_ID:                    "org.xwiki.contrib.oidc:oidc-authenticator"
-XWIKI_EXT_OIDC_VERSION:               "2.19.2"
-
 # LDAP configuration (mapped to LDAP.* context)
 XWIKI_LDAP_SERVER:                    "{{ LDAP.SERVER.DOMAIN }}"
 XWIKI_LDAP_PORT:                      "{{ LDAP.SERVER.PORT }}"
@@ -71,3 +66,11 @@ XWIKI_OIDC_CLIENT_SECRET:             "{{ OIDC.CLIENT.SECRET }}"
 XWIKI_OIDC_SCOPES:                    "openid email profile {{ RBAC.GROUP.CLAIM }}"
 XWIKI_OIDC_GROUPS_CLAIM:              "{{ RBAC.GROUP.CLAIM }}"
 XWIKI_OIDC_ADMIN_PROVIDER_GROUP:      "{{ [RBAC.GROUP.NAME, XWIKI_ADMIN_GROUP] | path_join }}"
+
+# Collect enabled plugin items from config/main.yml
+XWIKI_PLUGINS: >-
+  {{
+    (applications | get_app_conf(application_id, 'plugins'))
+    | dict2items | selectattr('value.enabled','equalto', true)
+    | map(attribute='value.items') | list | sum(start=[])
+  }}
Author	SHA1	Message	Date
Kevin Veen-Birkenbach	1dceabfd46	Added proxy conf variables for xwiki	2025-09-17 07:19:29 +02:00
Kevin Veen-Birkenbach	c64ac0b4dc	web-app-xwiki: verify extensions via Groovy page + new filter - Added new filter 'xwiki_extension_status' (strips HTML, handles  ) -> returns 200/404 - Introduced checker tasks (_check_extension_via_groovy.yml) instead of REST probe - Added early assert: superadmin login before extension installation - Collect and assert probe results in 04_extensions.yml - Set OIDC extension version to 'latest' (empty string) https://chatgpt.com/share/68ca36cb-ac38-800f-8281-8dea480b6676	2025-09-17 06:20:28 +02:00
Kevin Veen-Birkenbach	e94aac1d78	Removed non existing plugin	2025-09-17 05:18:03 +02:00
Kevin Veen-Birkenbach	c274c1a5d4	refactor(xwiki): move extension installer logic into static Groovy file and switch to plugins dict - Added 'plugins' section in config/main.yml to declare enabled extensions in a structured way - Introduced new static file 'files/extension_installer_b64.groovy' that decodes Base64 JSON of requested plugins - Simplified 04_extensions.yml: now builds installer code from static file and removed hardcoded OIDC/LDAP checks - Dropped redundant XWIKI_EXT_* variables in vars/main.yml - Added XWIKI_PLUGINS fact to collect enabled plugin items from config/main.yml This refactor makes extension installation more generic, easier to unit test, and extendable beyond OIDC/LDAP. See: https://chatgpt.com/share/68ca25e3-cbc4-800f-a45e-2b152369811a	2025-09-17 05:08:02 +02:00
Kevin Veen-Birkenbach	62493ac5a9	XWiki: increase installer execution timeout and add retries The task 'XWIKI \| Execute installer page' now uses: - timeout: 300 (allow up to 5 min per request) - retries: 20 - delay: 15 - until: condition This prevents early failures during the first Distribution Wizard bootstrap when hundreds of extensions are still being installed. Context: https://chatgpt.com/share/68ca0f18-2124-800f-a70d-df1811966107	2025-09-17 03:30:40 +02:00
Kevin Veen-Birkenbach	cc2b9d476f	Added blob csp rule for xwiki	2025-09-17 02:47:01 +02:00
Kevin Veen-Birkenbach	d9c527e2e2	Changed handler order	2025-09-17 02:36:17 +02:00
Kevin Veen-Birkenbach	eafdacc378	Optimized CSP for XWIKI	2025-09-17 02:33:28 +02:00
Kevin Veen-Birkenbach	c93ec6d43a	feat(web-app-xwiki): install OIDC/LDAP via temporary Groovy page (PUT→execute→verify→delete) Replace REST jobs flow with services.extension.install executed from a transient XWiki.InstallExtensions page. - Build wishlist from Ansible vars; print machine-readable markers; assert success. - Execute from XWiki space; delete page afterwards; fix delete changed_when. - Use Jinja raw + indent for clean macro embedding. https://chatgpt.com/share/68c9ebf5-f5e0-800f-9b80-372b4b31e772	2025-09-17 01:00:25 +02:00
Kevin Veen-Birkenbach	0839b8e37f	fix(xwiki): enable superadmin flag in xwiki.cfg and always force Distribution Wizard - Added 'xwiki.superadmin=1' alongside the password in 'xwiki.cfg' to properly activate the superadmin account during bootstrap. - Simplified 'xwiki.properties': Distribution Wizard config is now always present instead of conditional on the superadmin switch. - Ensures that the Distribution Wizard ('distribution.wizard.enabled=true') and flavor bootstrap run automatically on first startup. - This fixes the issue where REST endpoints (/rest/jobs, /repositories) stayed at 404 because the DW never executed. Ref: https://chat.openai.com/share/7a5d58d2-8e91-4e34-8fa0-8b7d62494e4a	2025-09-16 23:53:14 +02:00