Programming exercises: Provide theia clone information on redirect

src/main/java/de/tum/cit/aet/artemis/core/config/websocket/WebsocketConfiguration.java

@@ -19,7 +19,6 @@
 import java.util.regex.Pattern;
 
 import jakarta.annotation.Nullable;
-import jakarta.servlet.http.Cookie;
 import jakarta.validation.constraints.NotNull;
 
 import org.slf4j.Logger;
@@ -52,7 +51,6 @@
 import org.springframework.web.socket.server.HandshakeInterceptor;
 import org.springframework.web.socket.server.support.DefaultHandshakeHandler;
 import org.springframework.web.socket.sockjs.transport.handler.WebSocketTransportHandler;
-import org.springframework.web.util.WebUtils;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.collect.Iterators;
@@ -202,8 +200,7 @@ public boolean beforeHandshake(@NotNull ServerHttpRequest request, @NotNull Serv
                     @NotNull Map<String, Object> attributes) {
                 if (request instanceof ServletServerHttpRequest servletRequest) {
                     attributes.put(IP_ADDRESS, servletRequest.getRemoteAddress());
-                    Cookie jwtCookie = WebUtils.getCookie(servletRequest.getServletRequest(), JWTFilter.JWT_COOKIE_NAME);
-                    return JWTFilter.isJwtCookieValid(tokenProvider, jwtCookie);
+                    return JWTFilter.extractValidJwt(servletRequest.getServletRequest(), tokenProvider) != null;
                 }
                 return false;
             }

src/main/java/de/tum/cit/aet/artemis/core/security/jwt/JWTCookieService.java

@@ -41,6 +41,17 @@ public ResponseCookie buildLoginCookie(boolean rememberMe) {
         return buildJWTCookie(jwt, duration);
     }
 
+    /**
+     * Builds the cookie with Theia flag
+     *
+     * @param duration the duration of the cookie and the jwt
+     * @return the login ResponseCookie containing the JWT
+     */
+    public ResponseCookie buildTheiaCookie(long duration) {
+        String jwt = tokenProvider.createToken(SecurityContextHolder.getContext().getAuthentication(), duration, "THEIA");
+        return buildJWTCookie(jwt, Duration.of(duration, ChronoUnit.MILLIS));
+    }
+
     /**
      * Builds the cookie containing the jwt for a logout and sets it in the response
      *

src/main/java/de/tum/cit/aet/artemis/core/security/jwt/JWTFilter.java

@@ -2,6 +2,7 @@
 
 import java.io.IOException;
 
+import jakarta.annotation.Nullable;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.ServletRequest;
@@ -31,26 +32,70 @@ public JWTFilter(TokenProvider tokenProvider) {
     @Override
     public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
         HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
-        Cookie jwtCookie = WebUtils.getCookie(httpServletRequest, JWT_COOKIE_NAME);
-        if (isJwtCookieValid(this.tokenProvider, jwtCookie)) {
-            Authentication authentication = this.tokenProvider.getAuthentication(jwtCookie.getValue());
+
+        String jwtToken = extractValidJwt(httpServletRequest, this.tokenProvider);
+        if (jwtToken != null) {
+            Authentication authentication = this.tokenProvider.getAuthentication(jwtToken);
             SecurityContextHolder.getContext().setAuthentication(authentication);
         }
+
         filterChain.doFilter(servletRequest, servletResponse);
     }
 
     /**
-     * Checks if the cookie containing the jwt is valid
+     * Extracts the first valid jwt found in the cookie or the Authorization header
      *
-     * @param tokenProvider the artemis token provider used to generate and validate jwt's
-     * @param jwtCookie     the cookie containing the jwt
-     * @return true if the jwt is valid, false if missing or invalid
+     * @param httpServletRequest the http request
+     * @param tokenProvider      the Artemis token provider used to generate and validate jwt's
+     * @return the valid jwt or null if not found or invalid
+     */
+    public static @Nullable String extractValidJwt(HttpServletRequest httpServletRequest, TokenProvider tokenProvider) {
+        String jwtToken = getJwtFromCookie(WebUtils.getCookie(httpServletRequest, JWT_COOKIE_NAME));
+        if (isJwtValid(tokenProvider, jwtToken)) {
+            return jwtToken;
+        }
+        jwtToken = getJwtFromBearer(httpServletRequest.getHeader("Authorization"));
+        if (isJwtValid(tokenProvider, jwtToken)) {
+            return jwtToken;
+        }
+        return null;
+    }
+
+    /**
+     * Extracts the jwt from the cookie
+     *
+     * @param jwtCookie the cookie with Key "jwt"
+     * @return the jwt or null if not found
      */
-    public static boolean isJwtCookieValid(TokenProvider tokenProvider, Cookie jwtCookie) {
+    private static @Nullable String getJwtFromCookie(Cookie jwtCookie) {
         if (jwtCookie == null) {
-            return false;
+            return null;
         }
-        String jwt = jwtCookie.getValue();
-        return StringUtils.hasText(jwt) && tokenProvider.validateTokenForAuthority(jwt);
+        return jwtCookie.getValue();
+    }
+
+    /**
+     * Extracts the jwt from the Authorization header
+     *
+     * @param jwtBearer the content of the Authorization header
+     * @return the jwt or null if not found
+     */
+    private static @Nullable String getJwtFromBearer(String jwtBearer) {
+        if (!StringUtils.hasText(jwtBearer) || !jwtBearer.startsWith("Bearer ")) {
+            return null;
+        }
+
+        return jwtBearer.substring(7).trim();
+    }
+
+    /**
+     * Checks if the jwt is valid
+     *
+     * @param tokenProvider the Artemis token provider used to generate and validate jwt's
+     * @param jwtToken      the jwt
+     * @return true if the jwt is valid, false if missing or invalid
+     */
+    private static boolean isJwtValid(TokenProvider tokenProvider, String jwtToken) {
+        return StringUtils.hasText(jwtToken) && tokenProvider.validateTokenForAuthority(jwtToken);
     }
 }

src/main/java/de/tum/cit/aet/artemis/core/security/jwt/TokenProvider.java

@@ -95,11 +95,26 @@ public long getTokenValidity(boolean rememberMe) {
      * @return JWT Token
      */
     public String createToken(Authentication authentication, boolean rememberMe) {
+        return createToken(authentication, getTokenValidity(rememberMe));
+    }
+
+    /**
+     * Create JWT Token a fully populated <code>Authentication</code> object.
+     *
+     * @param authentication Authentication Object
+     * @param duration       the Token lifetime
+     * @param tools          tools this token is used for
+     * @return JWT Token
+     */
+    public String createToken(Authentication authentication, long duration, String... tools) {
         String authorities = authentication.getAuthorities().stream().map(GrantedAuthority::getAuthority).collect(Collectors.joining(","));
 
+        String toolClaims = String.join(",", tools);
+
         long now = (new Date()).getTime();
-        Date validity = new Date(now + getTokenValidity(rememberMe));
-        return Jwts.builder().subject(authentication.getName()).claim(AUTHORITIES_KEY, authorities).signWith(key, Jwts.SIG.HS512).expiration(validity).compact();
+        Date validity = new Date(now + duration);
+        return Jwts.builder().subject(authentication.getName()).claim(AUTHORITIES_KEY, authorities).claim("tools", toolClaims).signWith(key, Jwts.SIG.HS512).expiration(validity)
+                .compact();
     }
 
     /**

src/main/java/de/tum/cit/aet/artemis/core/web/open/PublicUserJwtResource.java

@@ -2,6 +2,9 @@
 
 import static de.tum.cit.aet.artemis.core.config.Constants.PROFILE_CORE;
 
+import java.time.Duration;
+import java.util.Date;
+import java.util.Map;
 import java.util.Optional;
 
 import jakarta.servlet.ServletException;
@@ -27,14 +30,18 @@
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 
 import de.tum.cit.aet.artemis.core.dto.vm.LoginVM;
 import de.tum.cit.aet.artemis.core.exception.AccessForbiddenException;
 import de.tum.cit.aet.artemis.core.security.SecurityUtils;
 import de.tum.cit.aet.artemis.core.security.UserNotActivatedException;
+import de.tum.cit.aet.artemis.core.security.annotations.EnforceAtLeastStudent;
 import de.tum.cit.aet.artemis.core.security.annotations.EnforceNothing;
 import de.tum.cit.aet.artemis.core.security.jwt.JWTCookieService;
+import de.tum.cit.aet.artemis.core.security.jwt.JWTFilter;
+import de.tum.cit.aet.artemis.core.security.jwt.TokenProvider;
 import de.tum.cit.aet.artemis.core.service.connectors.SAML2Service;
 
 /**
@@ -49,12 +56,15 @@ public class PublicUserJwtResource {
 
     private final JWTCookieService jwtCookieService;
 
+    private final TokenProvider tokenProvider;
+
     private final AuthenticationManager authenticationManager;
 
     private final Optional<SAML2Service> saml2Service;
 
-    public PublicUserJwtResource(JWTCookieService jwtCookieService, AuthenticationManager authenticationManager, Optional<SAML2Service> saml2Service) {
+    public PublicUserJwtResource(JWTCookieService jwtCookieService, TokenProvider tokenProvider, AuthenticationManager authenticationManager, Optional<SAML2Service> saml2Service) {
         this.jwtCookieService = jwtCookieService;
+        this.tokenProvider = tokenProvider;
         this.authenticationManager = authenticationManager;
         this.saml2Service = saml2Service;
     }
@@ -69,7 +79,7 @@ public PublicUserJwtResource(JWTCookieService jwtCookieService, AuthenticationMa
      */
     @PostMapping("authenticate")
     @EnforceNothing
-    public ResponseEntity<Void> authorize(@Valid @RequestBody LoginVM loginVM, @RequestHeader("User-Agent") String userAgent, HttpServletResponse response) {
+    public ResponseEntity<Map<String, String>> authorize(@Valid @RequestBody LoginVM loginVM, @RequestHeader("User-Agent") String userAgent, HttpServletResponse response) {
 
         var username = loginVM.getUsername();
         var password = loginVM.getPassword();
@@ -86,14 +96,44 @@ public ResponseEntity<Void> authorize(@Valid @RequestBody LoginVM loginVM, @Requ
             ResponseCookie responseCookie = jwtCookieService.buildLoginCookie(rememberMe);
             response.addHeader(HttpHeaders.SET_COOKIE, responseCookie.toString());
 
-            return ResponseEntity.ok().build();
+            return ResponseEntity.ok(Map.of("access_token", responseCookie.getValue()));
         }
         catch (BadCredentialsException ex) {
             log.warn("Wrong credentials during login for user {}", loginVM.getUsername());
             return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
         }
     }
 
+    /**
+     * Sends a theia token back as cookie and bearer token
+     *
+     * @param request  HTTP request
+     * @param response HTTP response
+     * @return the ResponseEntity with status 200 (ok), 401 (unauthorized)
+     */
+    @PostMapping("theia-token")
+    @EnforceAtLeastStudent
+    public ResponseEntity<String> getTheiaToken(@RequestParam(name = "as-cookie", defaultValue = "false") boolean asCookie, HttpServletRequest request,
+            HttpServletResponse response) {
+        // remaining time in milliseconds
+        var jwtToken = JWTFilter.extractValidJwt(request, tokenProvider);
+        if (jwtToken == null) {
+            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
+        }
+
+        // get validity of the token
+        long tokenRemainingTime = tokenProvider.getExpirationDate(jwtToken).getTime() - new Date().getTime();
+
+        // 1 day validity
+        long maxDuration = Duration.ofDays(1).toMillis();
+        ResponseCookie responseCookie = jwtCookieService.buildTheiaCookie(Math.min(tokenRemainingTime, maxDuration));
+
+        if (asCookie) {
+            response.addHeader(HttpHeaders.SET_COOKIE, responseCookie.toString());
+        }
+        return ResponseEntity.ok(responseCookie.getValue());
+    }
+
     /**
      * Authorizes a User logged in with SAML2
      *

src/main/java/de/tum/cit/aet/artemis/programming/domain/ProgrammingExerciseBuildConfig.java

@@ -25,6 +25,7 @@
 @Entity
 @Table(name = "programming_exercise_build_config")
 @JsonInclude(JsonInclude.Include.NON_EMPTY)
+@JsonIgnoreProperties(value = { "programmingExercise" })
 public class ProgrammingExerciseBuildConfig extends DomainObject {
 
     private static final Logger log = LoggerFactory.getLogger(ProgrammingExerciseBuildConfig.class);
@@ -64,7 +65,6 @@ public class ProgrammingExerciseBuildConfig extends DomainObject {
     private String dockerFlags;
 
     @OneToOne(mappedBy = "buildConfig")
-    @JsonIgnoreProperties("buildConfig")
     private ProgrammingExercise programmingExercise;
 
     @Column(name = "testwise_coverage_enabled")

src/main/java/de/tum/cit/aet/artemis/programming/repository/ProgrammingExerciseBuildConfigRepository.java

@@ -35,4 +35,14 @@ default void generateBuildPlanAccessSecretIfNotExists(ProgrammingExerciseBuildCo
     default void loadAndSetBuildConfig(ProgrammingExercise programmingExercise) {
         programmingExercise.setBuildConfig(getProgrammingExerciseBuildConfigElseThrow(programmingExercise));
     }
+
+    /**
+     * Find a build config by its programming exercise's id and throw an Exception if it cannot be found
+     *
+     * @param programmingExerciseId of the programming exercise.
+     * @return The programming exercise related to the given id
+     */
+    default ProgrammingExerciseBuildConfig findByExerciseIdElseThrow(long programmingExerciseId) {
+        return getValueElseThrow(findByProgrammingExerciseId(programmingExerciseId));
+    }
 }

src/main/java/de/tum/cit/aet/artemis/programming/web/ProgrammingExerciseResource.java

@@ -58,6 +58,7 @@
 import de.tum.cit.aet.artemis.core.security.annotations.EnforceAtLeastEditor;
 import de.tum.cit.aet.artemis.core.security.annotations.EnforceAtLeastInstructor;
 import de.tum.cit.aet.artemis.core.security.annotations.EnforceAtLeastTutor;
+import de.tum.cit.aet.artemis.core.security.annotations.enforceRoleInExercise.EnforceAtLeastStudentInExercise;
 import de.tum.cit.aet.artemis.core.security.annotations.enforceRoleInExercise.EnforceAtLeastTutorInExercise;
 import de.tum.cit.aet.artemis.core.service.AuthorizationCheckService;
 import de.tum.cit.aet.artemis.core.service.CourseService;
@@ -71,13 +72,15 @@
 import de.tum.cit.aet.artemis.plagiarism.service.PlagiarismDetectionConfigHelper;
 import de.tum.cit.aet.artemis.programming.domain.AuxiliaryRepository;
 import de.tum.cit.aet.artemis.programming.domain.ProgrammingExercise;
+import de.tum.cit.aet.artemis.programming.domain.ProgrammingExerciseBuildConfig;
 import de.tum.cit.aet.artemis.programming.domain.ProgrammingExerciseTestCase;
 import de.tum.cit.aet.artemis.programming.domain.ProgrammingLanguage;
 import de.tum.cit.aet.artemis.programming.dto.BuildLogStatisticsDTO;
 import de.tum.cit.aet.artemis.programming.dto.CheckoutDirectoriesDTO;
 import de.tum.cit.aet.artemis.programming.dto.ProgrammingExerciseResetOptionsDTO;
 import de.tum.cit.aet.artemis.programming.dto.ProgrammingExerciseTestCaseStateDTO;
 import de.tum.cit.aet.artemis.programming.repository.BuildLogStatisticsEntryRepository;
+import de.tum.cit.aet.artemis.programming.repository.ProgrammingExerciseBuildConfigRepository;
 import de.tum.cit.aet.artemis.programming.repository.ProgrammingExerciseRepository;
 import de.tum.cit.aet.artemis.programming.repository.ProgrammingExerciseTestCaseRepository;
 import de.tum.cit.aet.artemis.programming.repository.SolutionProgrammingExerciseParticipationRepository;
@@ -114,6 +117,8 @@ public class ProgrammingExerciseResource {
 
     private final ProgrammingExerciseTestCaseRepository programmingExerciseTestCaseRepository;
 
+    private final ProgrammingExerciseBuildConfigRepository programmingExerciseBuildConfigRepository;
+
     private final UserRepository userRepository;
 
     private final CourseService courseService;
@@ -157,9 +162,9 @@ public class ProgrammingExerciseResource {
     private final Environment environment;
 
     public ProgrammingExerciseResource(ProgrammingExerciseRepository programmingExerciseRepository, ProgrammingExerciseTestCaseRepository programmingExerciseTestCaseRepository,
-            UserRepository userRepository, AuthorizationCheckService authCheckService, CourseService courseService,
-            Optional<ContinuousIntegrationService> continuousIntegrationService, Optional<VersionControlService> versionControlService, ExerciseService exerciseService,
-            ExerciseDeletionService exerciseDeletionService, ProgrammingExerciseService programmingExerciseService,
+            ProgrammingExerciseBuildConfigRepository programmingExerciseBuildConfigRepository, UserRepository userRepository, AuthorizationCheckService authCheckService,
+            CourseService courseService, Optional<ContinuousIntegrationService> continuousIntegrationService, Optional<VersionControlService> versionControlService,
+            ExerciseService exerciseService, ExerciseDeletionService exerciseDeletionService, ProgrammingExerciseService programmingExerciseService,
             ProgrammingExerciseRepositoryService programmingExerciseRepositoryService, ProgrammingExerciseTaskService programmingExerciseTaskService,
             StudentParticipationRepository studentParticipationRepository, StaticCodeAnalysisService staticCodeAnalysisService,
             GradingCriterionRepository gradingCriterionRepository, CourseRepository courseRepository, GitService gitService, AuxiliaryRepositoryService auxiliaryRepositoryService,
@@ -170,6 +175,7 @@ public ProgrammingExerciseResource(ProgrammingExerciseRepository programmingExer
         this.programmingExerciseTaskService = programmingExerciseTaskService;
         this.programmingExerciseRepository = programmingExerciseRepository;
         this.programmingExerciseTestCaseRepository = programmingExerciseTestCaseRepository;
+        this.programmingExerciseBuildConfigRepository = programmingExerciseBuildConfigRepository;
         this.userRepository = userRepository;
         this.courseService = courseService;
         this.authCheckService = authCheckService;
@@ -494,6 +500,21 @@ public ResponseEntity<ProgrammingExercise> getProgrammingExercise(@PathVariable
         return ResponseEntity.ok().body(programmingExercise);
     }
 
+    /**
+     * GET /programming-exercises/:exerciseId/build-config : get the build config of "exerciseId" programmingExercise.
+     *
+     * @param exerciseId the id of the programmingExercise to retrieve the config for
+     * @return the ResponseEntity with status 200 (OK) and with body the programmingExerciseBuildConfig, or with status 404 (Not Found)
+     */
+    @GetMapping("programming-exercises/{exerciseId}/build-config")
+    @EnforceAtLeastStudentInExercise
+    public ResponseEntity<ProgrammingExerciseBuildConfig> getBuildConfig(@PathVariable long exerciseId) {
+        log.debug("REST request to get build config of ProgrammingExercise : {}", exerciseId);
+        var buildConfig = programmingExerciseBuildConfigRepository.findByExerciseIdElseThrow(exerciseId);
+
+        return ResponseEntity.ok().body(buildConfig);
+    }
+
     /**
      * GET /programming-exercises/:exerciseId/with-participations/ : get the "exerciseId" programmingExercise.
      *

src/main/resources/config/application-theia.yml

@@ -6,7 +6,7 @@ theia:
         # Upper level key is the language category (must match the language key in the programming-exercise configuration)
         java:
             # Lower level key can be multiple flavors of the image, e.g. version, tag, or additional dependencies
-            Java-17: "my-registry/my-image:my-tag"
+            java17: "my-registry/my-image:my-tag"
             # Add more flavors here (e.g. Java-11, Java-8, etc.)
         # Add more languages here (e.g. c, python, etc.)
         c:

src/main/webapp/app/core/auth/account.service.ts

@@ -385,4 +385,12 @@ export class AccountService implements IAccountService {
         const params = new HttpParams().set('participationId', participationId);
         return this.http.put<string>('api/account/participation-vcs-access-token', null, { observe: 'response', params, responseType: 'text' as 'json' });
     }
+
+    /**
+     * Trades the current cookie for a new bearer token which is also able to authenticate the user.
+     * The Cookie stays valid, a new bearer token is generated on every call.
+     */
+    rekeyCookieToBearerToken() {
+        return this.http.post<string>('api/public/theia-token', null, { responseType: 'text' as 'json' });
+    }
 }