Merge with develop branch

scm-webapp/src/main/java/sonia/scm/api/v2/resources/ConfigDto.java

@@ -29,6 +29,7 @@ import de.otto.edison.hal.Links;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
 import lombok.Setter;
+import sonia.scm.security.AnonymousMode;
 
 import java.util.Set;
 
@@ -46,6 +47,7 @@ public class ConfigDto extends HalRepresentation {
   private boolean disableGroupingGrid;
   private String dateFormat;
   private boolean anonymousAccessEnabled;
+  private AnonymousMode anonymousMode;
   private String baseUrl;
   private boolean forceBaseUrl;
   private int loginAttemptLimit;

scm-webapp/src/main/java/sonia/scm/api/v2/resources/ConfigDtoToScmConfigurationMapper.java

@@ -21,11 +21,14 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-    
+
 package sonia.scm.api.v2.resources;
 
+import org.mapstruct.AfterMapping;
 import org.mapstruct.Mapper;
+import org.mapstruct.MappingTarget;
 import sonia.scm.config.ScmConfiguration;
+import sonia.scm.security.AnonymousMode;
 
 // Mapstruct does not support parameterized (i.e. non-default) constructors. Thus, we need to use field injection.
 @SuppressWarnings("squid:S3306")
@@ -33,4 +36,15 @@ import sonia.scm.config.ScmConfiguration;
 public abstract class ConfigDtoToScmConfigurationMapper {
 
   public abstract ScmConfiguration map(ConfigDto dto);
+
+  @AfterMapping // Should map anonymous mode from old flag if not send explicit
+  void mapAnonymousMode(@MappingTarget ScmConfiguration config, ConfigDto configDto) {
+    if (configDto.getAnonymousMode() == null) {
+      if (configDto.isAnonymousAccessEnabled()) {
+        config.setAnonymousMode(AnonymousMode.PROTOCOL_ONLY);
+      } else {
+        config.setAnonymousMode(AnonymousMode.OFF);
+      }
+    }
+  }
 }

scm-webapp/src/main/java/sonia/scm/api/v2/resources/GroupCollectionResource.java

@@ -21,7 +21,7 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-    
+
 package sonia.scm.api.v2.resources;
 
 import io.swagger.v3.oas.annotations.Operation;
@@ -31,6 +31,7 @@ import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import sonia.scm.group.Group;
 import sonia.scm.group.GroupManager;
+import sonia.scm.group.GroupPermissions;
 import sonia.scm.search.SearchRequest;
 import sonia.scm.search.SearchUtil;
 import sonia.scm.web.VndMediaType;
@@ -106,6 +107,7 @@ public class GroupCollectionResource {
                          @QueryParam("desc") boolean desc,
                          @DefaultValue("") @QueryParam("q") String search
   ) {
+    GroupPermissions.list().check();
     return adapter.getAll(page, pageSize, createSearchPredicate(search), sortBy, desc,
       pageResult -> groupCollectionToDtoMapper.map(page, pageSize, pageResult));
   }

scm-webapp/src/main/java/sonia/scm/api/v2/resources/IndexDtoGenerator.java

@@ -21,7 +21,7 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-    
+
 package sonia.scm.api.v2.resources;
 
 import com.google.common.base.Strings;
@@ -35,6 +35,7 @@ import sonia.scm.config.ConfigurationPermissions;
 import sonia.scm.config.ScmConfiguration;
 import sonia.scm.group.GroupPermissions;
 import sonia.scm.plugin.PluginPermissions;
+import sonia.scm.security.AnonymousMode;
 import sonia.scm.security.Authentications;
 import sonia.scm.security.PermissionPermissions;
 import sonia.scm.user.UserPermissions;
@@ -70,7 +71,7 @@ public class IndexDtoGenerator extends HalAppenderMapper {
       builder.single(link("loginInfo", loginInfoUrl));
     }
 
-    if (SecurityUtils.getSubject().isAuthenticated()) {
+    if (shouldAppendSubjectRelatedLinks()) {
       builder.single(link("me", resourceLinks.me().self()));
 
       if (Authentications.isAuthenticatedSubjectAnonymous()) {
@@ -120,4 +121,19 @@ public class IndexDtoGenerator extends HalAppenderMapper {
 
     return new IndexDto(builder.build(), embeddedBuilder.build(), scmContextProvider.getVersion());
   }
+
+  private boolean shouldAppendSubjectRelatedLinks() {
+    return isAuthenticatedSubjectNotAnonymous()
+      || isAuthenticatedSubjectAllowedToBeAnonymous();
+  }
+
+  private boolean isAuthenticatedSubjectAllowedToBeAnonymous() {
+    return Authentications.isAuthenticatedSubjectAnonymous()
+      && configuration.getAnonymousMode() == AnonymousMode.FULL;
+  }
+
+  private boolean isAuthenticatedSubjectNotAnonymous() {
+    return SecurityUtils.getSubject().isAuthenticated()
+      && !Authentications.isAuthenticatedSubjectAnonymous();
+  }
 }

scm-webapp/src/main/java/sonia/scm/api/v2/resources/MeDtoFactory.java

@@ -21,7 +21,7 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-    
+
 package sonia.scm.api.v2.resources;
 
 import de.otto.edison.hal.Embedded;
@@ -30,7 +30,6 @@ import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.subject.PrincipalCollection;
 import org.apache.shiro.subject.Subject;
 import sonia.scm.group.GroupCollector;
-import sonia.scm.security.Authentications;
 import sonia.scm.user.User;
 import sonia.scm.user.UserManager;
 import sonia.scm.user.UserPermissions;
@@ -92,7 +91,7 @@ public class MeDtoFactory extends HalAppenderMapper {
     if (UserPermissions.changePublicKeys(user).isPermitted()) {
       linksBuilder.single(link("publicKeys", resourceLinks.user().publicKeys(user.getName())));
     }
-    if (userManager.isTypeDefault(user) && UserPermissions.changePassword(user).isPermitted() && !Authentications.isSubjectAnonymous(user.getName())) {
+    if (userManager.isTypeDefault(user) && UserPermissions.changePassword(user).isPermitted()) {
       linksBuilder.single(link("password", resourceLinks.me().passwordChange()));
     }
 
@@ -101,5 +100,4 @@ public class MeDtoFactory extends HalAppenderMapper {
 
     return new MeDto(linksBuilder.build(), embeddedBuilder.build());
   }
-
 }

scm-webapp/src/main/java/sonia/scm/api/v2/resources/ScmConfigurationToConfigDtoMapper.java

@@ -27,9 +27,12 @@ package sonia.scm.api.v2.resources;
 import de.otto.edison.hal.Links;
 import org.mapstruct.AfterMapping;
 import org.mapstruct.Mapper;
+import org.mapstruct.Mapping;
 import org.mapstruct.MappingTarget;
+import org.mapstruct.Named;
 import sonia.scm.config.ConfigurationPermissions;
 import sonia.scm.config.ScmConfiguration;
+import sonia.scm.security.AnonymousMode;
 
 import javax.inject.Inject;
 
@@ -44,6 +47,15 @@ public abstract class ScmConfigurationToConfigDtoMapper extends BaseMapper<ScmCo
   @Inject
   private ResourceLinks resourceLinks;
 
+  @Mapping(target = "anonymousAccessEnabled", source = "anonymousMode", qualifiedByName = "mapAnonymousAccess")
+  @Mapping(target = "attributes", ignore = true)
+  public abstract ConfigDto map(ScmConfiguration scmConfiguration);
+
+  @Named("mapAnonymousAccess")
+  boolean mapAnonymousAccess(AnonymousMode anonymousMode) {
+    return anonymousMode != AnonymousMode.OFF;
+  }
+
   @AfterMapping
   void appendLinks(ScmConfiguration config, @MappingTarget ConfigDto target) {
     Links.Builder linksBuilder = linkingTo().self(resourceLinks.config().self());

scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserCollectionResource.java

@@ -21,7 +21,7 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-    
+
 package sonia.scm.api.v2.resources;
 
 import io.swagger.v3.oas.annotations.Operation;
@@ -34,6 +34,7 @@ import sonia.scm.search.SearchRequest;
 import sonia.scm.search.SearchUtil;
 import sonia.scm.user.User;
 import sonia.scm.user.UserManager;
+import sonia.scm.user.UserPermissions;
 import sonia.scm.web.VndMediaType;
 
 import javax.inject.Inject;
@@ -108,6 +109,7 @@ public class UserCollectionResource {
                          @DefaultValue("false") @QueryParam("desc") boolean desc,
                          @DefaultValue("") @QueryParam("q") String search
   ) {
+    UserPermissions.list().check();
     return adapter.getAll(page, pageSize, createSearchPredicate(search), sortBy, desc,
       pageResult -> userCollectionToDtoMapper.map(page, pageSize, pageResult));
   }

scm-webapp/src/main/java/sonia/scm/filter/PropagatePrincipleFilter.java

@@ -33,6 +33,7 @@ import org.apache.shiro.subject.Subject;
 import sonia.scm.Priority;
 import sonia.scm.SCMContext;
 import sonia.scm.config.ScmConfiguration;
+import sonia.scm.security.AnonymousMode;
 import sonia.scm.web.filter.HttpFilter;
 import sonia.scm.web.filter.PropagatePrincipleServletRequestWrapper;
 
@@ -89,7 +90,7 @@ public class PropagatePrincipleFilter extends HttpFilter
   private boolean hasPermission(Subject subject)
   {
     return ((configuration != null)
-      && configuration.isAnonymousAccessEnabled()) || subject.isAuthenticated()
+      && configuration.getAnonymousMode() != AnonymousMode.OFF) || subject.isAuthenticated()
         || subject.isRemembered();
   }
 

scm-webapp/src/main/java/sonia/scm/lifecycle/SetupContextListener.java

@@ -31,6 +31,7 @@ import org.slf4j.LoggerFactory;
 import sonia.scm.SCMContext;
 import sonia.scm.config.ScmConfiguration;
 import sonia.scm.plugin.Extension;
+import sonia.scm.security.AnonymousMode;
 import sonia.scm.security.PermissionAssigner;
 import sonia.scm.security.PermissionDescriptor;
 import sonia.scm.user.User;
@@ -94,7 +95,7 @@ public class SetupContextListener implements ServletContextListener {
     }
 
     private boolean anonymousUserRequiredButNotExists() {
-      return scmConfiguration.isAnonymousAccessEnabled() && !userManager.contains(SCMContext.USER_ANONYMOUS);
+      return scmConfiguration.getAnonymousMode() != AnonymousMode.OFF && !userManager.contains(SCMContext.USER_ANONYMOUS);
     }
 
     private boolean shouldCreateAdminAccount() {

scm-webapp/src/main/java/sonia/scm/security/BearerRealm.java

@@ -92,6 +92,7 @@ public class BearerRealm extends AuthenticatingRealm
     checkArgument(token instanceof BearerToken, "%s is required", BearerToken.class);
 
     BearerToken bt = (BearerToken) token;
+
     AccessToken accessToken = tokenResolver.resolve(bt);
 
     return helper.authenticationInfoBuilder(accessToken.getSubject())

scm-webapp/src/main/java/sonia/scm/security/JwtAccessTokenResolver.java

@@ -21,22 +21,24 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-    
+
 package sonia.scm.security;
 
 import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.ExpiredJwtException;
 import io.jsonwebtoken.JwtException;
 import io.jsonwebtoken.Jwts;
-import java.util.Set;
-import javax.inject.Inject;
 import org.apache.shiro.authc.AuthenticationException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import sonia.scm.plugin.Extension;
 
+import javax.inject.Inject;
+import java.util.Set;
+
 /**
  * Jwt implementation of {@link AccessTokenResolver}.
- * 
+ *
  * @author Sebastian Sdorra
  * @since 2.0.0
  */
@@ -47,7 +49,7 @@ public final class JwtAccessTokenResolver implements AccessTokenResolver {
    * the logger for JwtAccessTokenResolver
    */
   private static final Logger LOG = LoggerFactory.getLogger(JwtAccessTokenResolver.class);
-  
+
   private final SecureKeyResolver keyResolver;
   private final Set<AccessTokenValidator> validators;
 
@@ -56,7 +58,7 @@ public final class JwtAccessTokenResolver implements AccessTokenResolver {
     this.keyResolver = keyResolver;
     this.validators = validators;
   }
-  
+
   @Override
   public JwtAccessToken resolve(BearerToken bearerToken) {
     try {
@@ -71,6 +73,8 @@ public final class JwtAccessTokenResolver implements AccessTokenResolver {
       validate(token);
 
       return token;
+    } catch (ExpiredJwtException ex) {
+      throw new TokenExpiredException("The jwt token has been expired", ex);
     } catch (JwtException ex) {
       throw new AuthenticationException("signature is invalid", ex);
     }
@@ -92,5 +96,5 @@ public final class JwtAccessTokenResolver implements AccessTokenResolver {
   private String createValidationFailedMessage(AccessTokenValidator validator, AccessToken accessToken) {
     return String.format("token %s is invalid, marked by validator %s", accessToken.getId(), validator.getClass());
   }
-  
+
 }

scm-webapp/src/main/java/sonia/scm/update/repository/AnonymousModeUpdateStep.java

@@ -0,0 +1,104 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.update.repository;
+
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import sonia.scm.SCMContextProvider;
+import sonia.scm.config.ScmConfiguration;
+import sonia.scm.migration.UpdateStep;
+import sonia.scm.plugin.Extension;
+import sonia.scm.security.AnonymousMode;
+import sonia.scm.store.ConfigurationStore;
+import sonia.scm.store.ConfigurationStoreFactory;
+import sonia.scm.store.StoreConstants;
+import sonia.scm.version.Version;
+
+import javax.inject.Inject;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBException;
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlRootElement;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+
+import static sonia.scm.version.Version.parse;
+
+@Extension
+public class AnonymousModeUpdateStep implements UpdateStep {
+
+  private final SCMContextProvider contextProvider;
+  private final ConfigurationStore<ScmConfiguration> configStore;
+
+  @Inject
+  public AnonymousModeUpdateStep(SCMContextProvider contextProvider, ConfigurationStoreFactory configurationStoreFactory) {
+    this.contextProvider = contextProvider;
+    this.configStore = configurationStoreFactory.withType(ScmConfiguration.class).withName("config").build();
+  }
+
+  @Override
+  public void doUpdate() throws JAXBException {
+    Path configFile = determineConfigDirectory().resolve("config" + StoreConstants.FILE_EXTENSION);
+
+    if (configFile.toFile().exists()) {
+      PreUpdateScmConfiguration oldConfig = getPreUpdateScmConfigurationFromOldConfig(configFile);
+      ScmConfiguration config = configStore.get();
+      if (oldConfig.isAnonymousAccessEnabled()) {
+        config.setAnonymousMode(AnonymousMode.PROTOCOL_ONLY);
+      } else {
+        config.setAnonymousMode(AnonymousMode.OFF);
+      }
+      configStore.set(config);
+    }
+  }
+
+  @Override
+  public Version getTargetVersion() {
+    return parse("2.4.0");
+  }
+
+  @Override
+  public String getAffectedDataType() {
+    return "config.xml";
+  }
+
+  private PreUpdateScmConfiguration getPreUpdateScmConfigurationFromOldConfig(Path configFile) throws JAXBException {
+    JAXBContext jaxbContext = JAXBContext.newInstance(AnonymousModeUpdateStep.PreUpdateScmConfiguration.class);
+    return (AnonymousModeUpdateStep.PreUpdateScmConfiguration) jaxbContext.createUnmarshaller().unmarshal(configFile.toFile());
+  }
+
+  private Path determineConfigDirectory() {
+    return contextProvider.resolve(Paths.get(StoreConstants.CONFIG_DIRECTORY_NAME));
+  }
+
+  @XmlRootElement(name = "scm-config")
+  @XmlAccessorType(XmlAccessType.FIELD)
+  @NoArgsConstructor
+  @Getter
+  static class PreUpdateScmConfiguration {
+    private boolean anonymousAccessEnabled;
+  }
+}

scm-webapp/src/main/java/sonia/scm/user/AnonymousUserDeletionEventHandler.java

@@ -31,6 +31,7 @@ import sonia.scm.HandlerEventType;
 import sonia.scm.SCMContext;
 import sonia.scm.config.ScmConfiguration;
 import sonia.scm.plugin.Extension;
+import sonia.scm.security.AnonymousMode;
 
 import javax.inject.Inject;
 
@@ -38,7 +39,7 @@ import javax.inject.Inject;
 @Extension
 public class AnonymousUserDeletionEventHandler {
 
-  private ScmConfiguration scmConfiguration;
+  private final ScmConfiguration scmConfiguration;
 
   @Inject
   public AnonymousUserDeletionEventHandler(ScmConfiguration scmConfiguration) {
@@ -55,6 +56,6 @@ public class AnonymousUserDeletionEventHandler {
   private boolean isAnonymousUserDeletionNotAllowed(UserEvent event) {
     return event.getEventType() == HandlerEventType.BEFORE_DELETE
       && event.getItem().getName().equals(SCMContext.USER_ANONYMOUS)
-      && scmConfiguration.isAnonymousAccessEnabled();
+      && scmConfiguration.getAnonymousMode() != AnonymousMode.OFF;
   }
 }