eclipse-che · vinokurig · Jun 7, 2024
@@ -35,10 +35,6 @@
             <groupId>ch.qos.logback</groupId>
             <artifactId>logback-classic</artifactId>
         </dependency>
-        <dependency>
-            <groupId>com.auth0</groupId>
-            <artifactId>jwks-rsa</artifactId>
-        </dependency>
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
@@ -67,10 +63,6 @@
             <groupId>io.jaegertracing</groupId>
             <artifactId>jaeger-tracerresolver</artifactId>
         </dependency>
-        <dependency>
-            <groupId>io.jsonwebtoken</groupId>
-            <artifactId>jjwt-api</artifactId>
-        </dependency>
         <dependency>
             <groupId>io.jsonwebtoken</groupId>
             <artifactId>jjwt-impl</artifactId>
@@ -239,78 +231,6 @@
             <groupId>org.eclipse.che.infrastructure</groupId>
             <artifactId>infrastructure-permission</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-api-authentication-commons</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-api-authorization</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-api-authorization-impl</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-api-permission</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-api-workspace-activity</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-keycloak-server</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-keycloak-token-provider</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-machine-authentication</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-oidc</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-permission-devfile</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-permission-logger</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-permission-resource</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-permission-system</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-permission-user</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-permission-workspace</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-permission-workspace-activity</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-personal-account</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-sql-schema</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.eclipse.persistence</groupId>
             <artifactId>org.eclipse.persistence.core</artifactId>

@@ -13,17 +13,14 @@
 
 import static com.google.inject.matcher.Matchers.subclassesOf;
 import static org.eclipse.che.inject.Matchers.names;
-import static org.eclipse.che.multiuser.api.permission.server.SystemDomain.SYSTEM_DOMAIN_ACTIONS;
+// import static org.eclipse.che.multiuser.api.permission.server.SystemDomain.SYSTEM_DOMAIN_ACTIONS;
 
-import com.auth0.jwk.JwkProvider;
 import com.google.inject.AbstractModule;
 import com.google.inject.TypeLiteral;
 import com.google.inject.assistedinject.FactoryModuleBuilder;
 import com.google.inject.multibindings.MapBinder;
 import com.google.inject.multibindings.Multibinder;
 import com.google.inject.name.Names;
-import io.jsonwebtoken.JwtParser;
-import io.jsonwebtoken.SigningKeyResolver;
 import java.util.HashMap;
 import java.util.Map;
 import org.eclipse.che.api.core.notification.RemoteSubscriptionStorage;
@@ -67,6 +64,7 @@
 import org.eclipse.che.api.workspace.server.WorkspaceStatusCache;
 import org.eclipse.che.api.workspace.server.devfile.DevfileModule;
 import org.eclipse.che.api.workspace.server.hc.ServersCheckerFactory;
+import org.eclipse.che.api.workspace.server.jpa.WorkspaceJpaModule;
 import org.eclipse.che.api.workspace.server.spi.provision.InternalEnvironmentProvisioner;
 import org.eclipse.che.api.workspace.server.spi.provision.MachineNameProvisioner;
 import org.eclipse.che.api.workspace.server.spi.provision.env.AgentAuthEnableEnvVarProvider;
@@ -82,22 +80,11 @@
 import org.eclipse.che.api.workspace.server.spi.provision.env.WorkspaceIdEnvVarProvider;
 import org.eclipse.che.api.workspace.server.spi.provision.env.WorkspaceNameEnvVarProvider;
 import org.eclipse.che.api.workspace.server.spi.provision.env.WorkspaceNamespaceNameEnvVarProvider;
+import org.eclipse.che.api.workspace.server.token.MachineTokenProvider;
 import org.eclipse.che.api.workspace.server.wsplugins.ChePluginsApplier;
 import org.eclipse.che.commons.observability.deploy.ExecutorWrapperModule;
 import org.eclipse.che.core.tracing.metrics.TracingMetricsModule;
 import org.eclipse.che.inject.DynaModule;
-import org.eclipse.che.multiuser.api.authentication.commons.token.HeaderRequestTokenExtractor;
-import org.eclipse.che.multiuser.api.authentication.commons.token.RequestTokenExtractor;
-import org.eclipse.che.multiuser.api.permission.server.PermissionChecker;
-import org.eclipse.che.multiuser.api.permission.server.PermissionCheckerImpl;
-import org.eclipse.che.multiuser.api.workspace.activity.MultiUserWorkspaceActivityModule;
-import org.eclipse.che.multiuser.machine.authentication.server.MachineAuthModule;
-import org.eclipse.che.multiuser.oidc.OIDCInfo;
-import org.eclipse.che.multiuser.oidc.OIDCInfoProvider;
-import org.eclipse.che.multiuser.oidc.OIDCJwkProvider;
-import org.eclipse.che.multiuser.oidc.OIDCJwtParserProvider;
-import org.eclipse.che.multiuser.oidc.OIDCSigningKeyResolver;
-import org.eclipse.che.multiuser.permission.user.UserServicePermissionsFilter;
 import org.eclipse.che.security.PBKDF2PasswordEncryptor;
 import org.eclipse.che.security.PasswordEncryptor;
 import org.eclipse.che.security.oauth.EmbeddedOAuthAPI;
@@ -108,6 +95,7 @@
 import org.eclipse.che.workspace.infrastructure.kubernetes.KubernetesInfrastructure;
 import org.eclipse.che.workspace.infrastructure.kubernetes.environment.KubernetesEnvironment;
 import org.eclipse.che.workspace.infrastructure.kubernetes.multiuser.oauth.KubernetesOidcProviderConfigFactory;
+import org.eclipse.che.workspace.infrastructure.kubernetes.multiuser.oauth.RequestTokenExtractor;
 import org.eclipse.che.workspace.infrastructure.kubernetes.server.secure.SecureServerExposer;
 import org.eclipse.che.workspace.infrastructure.kubernetes.server.secure.SecureServerExposerFactory;
 import org.eclipse.che.workspace.infrastructure.kubernetes.server.secure.jwtproxy.PassThroughProxySecureServerExposer;
@@ -120,6 +108,7 @@
 import org.eclipse.che.workspace.infrastructure.openshift.OpenShiftInfraModule;
 import org.eclipse.che.workspace.infrastructure.openshift.OpenShiftInfrastructure;
 import org.eclipse.che.workspace.infrastructure.openshift.environment.OpenShiftEnvironment;
+import org.eclipse.che.workspace.infrastructure.openshift.multiuser.oauth.HeaderRequestTokenExtractor;
 import org.eclipse.che.workspace.infrastructure.openshift.multiuser.oauth.KeycloakProviderConfigFactory;
 import org.eclipse.persistence.config.PersistenceUnitProperties;
 
@@ -349,60 +338,19 @@ private void configureMultiUserMode(
         PersistenceUnitProperties.EXCEPTION_HANDLER_CLASS,
         "org.eclipse.che.core.db.postgresql.jpa.eclipselink.PostgreSqlExceptionHandler");
 
-    install(
-        new org.eclipse.che.multiuser.permission.workspace.server.WorkspaceApiPermissionsModule());
-    install(
-        new org.eclipse.che.multiuser.permission.workspace.server.jpa
-            .MultiuserWorkspaceJpaModule());
-    install(new MultiUserWorkspaceActivityModule());
-    install(
-        new org.eclipse.che.multiuser.permission.devfile.server.jpa
-            .MultiuserUserDevfileJpaModule());
-    install(
-        new org.eclipse.che.multiuser.permission.devfile.server.UserDevfileApiPermissionsModule());
-
-    // Permission filters
-    bind(org.eclipse.che.multiuser.permission.system.SystemServicePermissionsFilter.class);
-    bind(org.eclipse.che.multiuser.permission.system.JvmServicePermissionsFilter.class);
-    bind(
-        org.eclipse.che.multiuser.permission.system.SystemEventsSubscriptionPermissionsCheck.class);
-
-    Multibinder<String> binder =
-        Multibinder.newSetBinder(binder(), String.class, Names.named(SYSTEM_DOMAIN_ACTIONS));
-    binder.addBinding().toInstance(UserServicePermissionsFilter.MANAGE_USERS_ACTION);
-    bind(org.eclipse.che.multiuser.permission.user.UserProfileServicePermissionsFilter.class);
-    bind(org.eclipse.che.multiuser.permission.user.UserServicePermissionsFilter.class);
-    bind(org.eclipse.che.multiuser.permission.logger.LoggerServicePermissionsFilter.class);
-
-    bind(org.eclipse.che.multiuser.permission.workspace.activity.ActivityPermissionsFilter.class);
-
-    bind(
-        org.eclipse.che.multiuser.permission.resource.filters.ResourceServicePermissionsFilter
-            .class);
-    bind(
-        org.eclipse.che.multiuser.permission.resource.filters
-            .FreeResourcesLimitServicePermissionsFilter.class);
-
-    if (Boolean.parseBoolean(System.getenv("CHE_AUTH_NATIVEUSER"))) {
-      bind(RequestTokenExtractor.class).to(HeaderRequestTokenExtractor.class);
-      if (KubernetesInfrastructure.NAME.equals(infrastructure)) {
-        bind(OIDCInfo.class).toProvider(OIDCInfoProvider.class).asEagerSingleton();
-        bind(SigningKeyResolver.class).to(OIDCSigningKeyResolver.class);
-        bind(JwtParser.class).toProvider(OIDCJwtParserProvider.class);
-        bind(JwkProvider.class).toProvider(OIDCJwkProvider.class);
-      }
-      bind(TokenValidator.class).to(NotImplementedTokenValidator.class);
-      bind(ProfileDao.class).to(JpaProfileDao.class);
-      bind(OAuthAPI.class).to(EmbeddedOAuthAPI.class).asEagerSingleton();
-    }
+    bind(RequestTokenExtractor.class).to(HeaderRequestTokenExtractor.class);
+    bind(ProfileDao.class).to(JpaProfileDao.class);
+    bind(OAuthAPI.class).to(EmbeddedOAuthAPI.class).asEagerSingleton();
 
-    install(new MachineAuthModule());
+    install(new WorkspaceJpaModule());
+    bind(TokenValidator.class).to(NotImplementedTokenValidator.class);
+    bind(MachineTokenProvider.class).to(MachineTokenProvider.EmptyMachineTokenProvider.class);
 
     // User and profile - use profile from keycloak and other stuff is JPA
     bind(PasswordEncryptor.class).to(PBKDF2PasswordEncryptor.class);
     bind(UserDao.class).to(JpaUserDao.class);
     bind(PreferenceDao.class).to(JpaPreferenceDao.class);
-    bind(PermissionChecker.class).to(PermissionCheckerImpl.class);
+    //    bind(PermissionChecker.class).to(PermissionCheckerImpl.class);
 
     bindConstant().annotatedWith(Names.named("che.agents.auth_enabled")).to(true);
   }

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2021 Red Hat, Inc.
+ * Copyright (c) 2012-2024 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -17,10 +17,8 @@
 import org.eclipse.che.commons.logback.filter.RequestIdLoggerFilter;
 import org.eclipse.che.inject.ConfigurationException;
 import org.eclipse.che.inject.DynaModule;
-import org.eclipse.che.multiuser.keycloak.server.deploy.KeycloakServletModule;
-import org.eclipse.che.multiuser.machine.authentication.server.MachineLoginFilter;
-import org.eclipse.che.multiuser.oidc.filter.OidcTokenInitializationFilter;
 import org.eclipse.che.workspace.infrastructure.kubernetes.KubernetesInfrastructure;
+import org.eclipse.che.workspace.infrastructure.kubernetes.multiuser.oauth.OidcTokenInitializationFilter;
 import org.eclipse.che.workspace.infrastructure.openshift.OpenShiftInfrastructure;
 import org.eclipse.che.workspace.infrastructure.openshift.multiuser.oauth.OpenshiftTokenInitializationFilter;
 import org.everrest.guice.servlet.GuiceEverrestServlet;
@@ -53,7 +51,7 @@ protected void configureServlets() {
       configureNativeUserMode();
     } else {
       LOG.info("Running in classic multi-user mode ...");
-      configureMultiUserMode();
+      //      configureMultiUserMode();
     }
 
     if (Boolean.valueOf(System.getenv("CHE_METRICS_ENABLED"))) {
@@ -71,10 +69,10 @@ private boolean isCheCorsEnabled() {
     }
   }
 
-  private void configureMultiUserMode() {
-    filterRegex(".*").through(MachineLoginFilter.class);
-    install(new KeycloakServletModule());
-  }
+  //  private void configureMultiUserMode() {
+  //    filterRegex(".*").through(MachineLoginFilter.class);
+  //    install(new KeycloakServletModule());
+  //  }
 
   private void configureNativeUserMode() {
     final String infrastructure = System.getenv("CHE_INFRASTRUCTURE_ACTIVE");

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-    Copyright (c) 2012-2021 Red Hat, Inc.
+    Copyright (c) 2012-2024 Red Hat, Inc.
     This program and the accompanying materials are made
     available under the terms of the Eclipse Public License 2.0
     which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -36,8 +36,8 @@
         <resource-env-ref-type>javax.sql.DataSource</resource-env-ref-type>
     </resource-env-ref>
 
-    <listener>
-        <listener-class>org.eclipse.che.multiuser.api.authentication.commons.DestroySessionListener</listener-class>
-    </listener>
+<!--    <listener>-->
+<!--        <listener-class>org.eclipse.che.multiuser.api.authentication.commons.DestroySessionListener</listener-class>-->
+<!--    </listener>-->
 
 </web-app>
@@ -38,14 +38,6 @@
             <groupId>org.eclipse.che.infrastructure</groupId>
             <artifactId>infrastructure-kubernetes</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-api-permission</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-permission-workspace</artifactId>
-        </dependency>
         <dependency>
             <groupId>ch.qos.logback</groupId>
             <artifactId>logback-classic</artifactId>

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2021 Red Hat, Inc.
+ * Copyright (c) 2012-2024 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -14,16 +14,14 @@
 import static org.eclipse.che.workspace.infrastructure.kubernetes.wsplugins.events.BrokerService.BROKER_RESULT_METHOD;
 import static org.eclipse.che.workspace.infrastructure.kubernetes.wsplugins.events.BrokerService.BROKER_STATUS_CHANGED_METHOD;
 
-import javax.inject.Inject;
 import javax.inject.Singleton;
 import org.eclipse.che.api.core.ForbiddenException;
-import org.eclipse.che.api.core.jsonrpc.commons.RequestHandlerManager;
 import org.eclipse.che.api.workspace.shared.dto.RuntimeIdentityDto;
 import org.eclipse.che.api.workspace.shared.dto.event.BrokerStatusChangedEvent;
 import org.eclipse.che.commons.env.EnvironmentContext;
 import org.eclipse.che.commons.subject.Subject;
-import org.eclipse.che.multiuser.api.permission.server.jsonrpc.JsonRpcPermissionsFilterAdapter;
-import org.eclipse.che.multiuser.permission.workspace.server.WorkspaceDomain;
+// import org.eclipse.che.multiuser.api.permission.server.jsonrpc.JsonRpcPermissionsFilterAdapter;
+// import org.eclipse.che.multiuser.permission.workspace.server.WorkspaceDomain;
 import org.eclipse.che.workspace.infrastructure.kubernetes.wsplugins.events.BrokerService;
 
 /**
@@ -32,14 +30,13 @@
  * @author Sergii Leshchenko
  */
 @Singleton
-public class BrokerServicePermissionFilter extends JsonRpcPermissionsFilterAdapter {
-  @Inject
-  public void register(RequestHandlerManager requestHandlerManager) {
-    requestHandlerManager.registerMethodInvokerFilter(
-        this, BROKER_STATUS_CHANGED_METHOD, BROKER_RESULT_METHOD);
-  }
+public class BrokerServicePermissionFilter {
+  //  @Inject
+  //  public void register(RequestHandlerManager requestHandlerManager) {
+  //    requestHandlerManager.registerMethodInvokerFilter(
+  //        this, BROKER_STATUS_CHANGED_METHOD, BROKER_RESULT_METHOD);
+  //  }
 
-  @Override
   public void doAccept(String method, Object... params) throws ForbiddenException {
     String workspaceId;
     switch (method) {
@@ -56,10 +53,10 @@ public void doAccept(String method, Object... params) throws ForbiddenException
     }
 
     Subject currentSubject = EnvironmentContext.getCurrent().getSubject();
-    if (!currentSubject.hasPermission(
-        WorkspaceDomain.DOMAIN_ID, workspaceId, WorkspaceDomain.RUN)) {
-      throw new ForbiddenException(
-          "User doesn't have the required permissions to the specified workspace");
-    }
+    //    if (!currentSubject.hasPermission(
+    //        WorkspaceDomain.DOMAIN_ID, workspaceId, WorkspaceDomain.RUN)) {
+    //      throw new ForbiddenException(
+    //          "User doesn't have the required permissions to the specified workspace");
+    //    }
   }
 }