ls1intum · krusche · Aug 12, 2024 · Jun 23, 2024 · Jun 26, 2024 · Jun 28, 2024
@@ -0,0 +1,59 @@
+package de.tum.in.www1.artemis.domain.participation;
+
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.ManyToOne;
+import jakarta.persistence.Table;
+import jakarta.persistence.UniqueConstraint;
+
+import org.hibernate.annotations.Cache;
+import org.hibernate.annotations.CacheConcurrencyStrategy;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+
+import de.tum.in.www1.artemis.domain.DomainObject;
+import de.tum.in.www1.artemis.domain.User;
+
+/**
+ * A Participation.
+ */
+@Entity
+@Table(name = "participation_vcs_access_token", uniqueConstraints = { @UniqueConstraint(columnNames = { "user_id", "participation_id" }) })
+@Cache(usage = CacheConcurrencyStrategy.NONSTRICT_READ_WRITE)
+
+@JsonInclude(JsonInclude.Include.NON_EMPTY)
+public class ParticipationVCSAccessToken extends DomainObject {
+
+    @ManyToOne
+    private User user;
+
+    @ManyToOne
+    private Participation participation;
+
+    @Column(name = "vcs_access_token", length = 50)
+    private String vcsAccessToken;
+
+    public void setUser(User user) {
+        this.user = user;
+    }
+
+    public User getUser() {
+        return user;
+    }
+
+    public void setParticipation(Participation participation) {
+        this.participation = participation;
+    }
+
+    public Participation getParticipation() {
+        return participation;
+    }
+
+    public String getVcsAccessToken() {
+        return vcsAccessToken;
+    }
+
+    public void setVcsAccessToken(String vcsAccessToken) {
+        this.vcsAccessToken = vcsAccessToken;
+    }
+}
@@ -0,0 +1,51 @@
+package de.tum.in.www1.artemis.repository;
+
+import static de.tum.in.www1.artemis.config.Constants.PROFILE_CORE;
+
+import java.util.List;
+import java.util.Optional;
+
+import org.springframework.context.annotation.Profile;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.data.repository.query.Param;
+import org.springframework.stereotype.Repository;
+
+import de.tum.in.www1.artemis.domain.participation.ParticipationVCSAccessToken;
+import de.tum.in.www1.artemis.repository.base.ArtemisJpaRepository;
+
+@Profile(PROFILE_CORE)
+@Repository
+public interface ParticipationVCSAccessTokenRepository extends ArtemisJpaRepository<ParticipationVCSAccessToken, Long> {
+
+    @Query("""
+            SELECT DISTINCT p
+            FROM ParticipationVCSAccessToken p
+                LEFT JOIN FETCH p.participation
+                LEFT JOIN FETCH p.user
+            WHERE p.id = :participationVCSAccessTokenId
+            """)
+    Optional<ParticipationVCSAccessToken> findByIdWithParticipationAndUser(@Param("participationVCSAccessTokenId") long participationVCSAccessTokenId);
+
+    @Query("""
+            SELECT DISTINCT p
+            FROM ParticipationVCSAccessToken p
+                LEFT JOIN FETCH p.participation
+                Left JOIN FETCH p.user
+            WHERE p.user.id = :userId
+            """)
+    List<ParticipationVCSAccessToken> findByUserIdWithEagerParticipation(@Param("userId") Long userId);
+
+    @Query("""
+                   SELECT p
+                   FROM ParticipationVCSAccessToken p
+                   WHERE p.user.id = :userId AND p.participation.id = :participationId
+            """)
+    Optional<ParticipationVCSAccessToken> findByUserIdAndParticipationId(@Param("userId") Long userId, @Param("participationId") Long participationId);
+
+    @Query("""
+            SELECT DISTINCT p
+            FROM ParticipationVCSAccessToken p
+            WHERE p.user.id = :userId
+            """)
+    List<ParticipationVCSAccessToken> findByUserId(@Param("userId") Long userId);
+}
@@ -31,6 +31,7 @@
 import de.tum.in.www1.artemis.domain.enumeration.InitializationState;
 import de.tum.in.www1.artemis.domain.enumeration.SubmissionType;
 import de.tum.in.www1.artemis.domain.participation.Participant;
+import de.tum.in.www1.artemis.domain.participation.ParticipationVCSAccessToken;
 import de.tum.in.www1.artemis.domain.participation.ProgrammingExerciseStudentParticipation;
 import de.tum.in.www1.artemis.domain.participation.StudentParticipation;
 import de.tum.in.www1.artemis.domain.quiz.QuizExercise;
@@ -39,17 +40,20 @@
 import de.tum.in.www1.artemis.repository.BuildLogStatisticsEntryRepository;
 import de.tum.in.www1.artemis.repository.ParticipantScoreRepository;
 import de.tum.in.www1.artemis.repository.ParticipationRepository;
+import de.tum.in.www1.artemis.repository.ParticipationVCSAccessTokenRepository;
 import de.tum.in.www1.artemis.repository.ProgrammingExerciseRepository;
 import de.tum.in.www1.artemis.repository.ProgrammingExerciseStudentParticipationRepository;
 import de.tum.in.www1.artemis.repository.StudentParticipationRepository;
 import de.tum.in.www1.artemis.repository.StudentScoreRepository;
 import de.tum.in.www1.artemis.repository.SubmissionRepository;
 import de.tum.in.www1.artemis.repository.TeamRepository;
 import de.tum.in.www1.artemis.repository.TeamScoreRepository;
+import de.tum.in.www1.artemis.repository.UserRepository;
 import de.tum.in.www1.artemis.repository.hestia.CoverageReportRepository;
 import de.tum.in.www1.artemis.service.connectors.GitService;
 import de.tum.in.www1.artemis.service.connectors.ci.ContinuousIntegrationService;
 import de.tum.in.www1.artemis.service.connectors.localci.SharedQueueManagementService;
+import de.tum.in.www1.artemis.service.connectors.localvc.LocalVCPersonalAccessTokenManagementService;
 import de.tum.in.www1.artemis.service.connectors.vcs.VersionControlService;
 import de.tum.in.www1.artemis.web.rest.errors.EntityNotFoundException;
 
@@ -100,13 +104,18 @@ public class ParticipationService {
 
     private final ProfileService profileService;
 
+    private final UserRepository userRepository;
+
+    private final ParticipationVCSAccessTokenRepository participationVCSAccessTokenRepository;
+
     public ParticipationService(GitService gitService, Optional<ContinuousIntegrationService> continuousIntegrationService, Optional<VersionControlService> versionControlService,
             BuildLogEntryService buildLogEntryService, ParticipationRepository participationRepository, StudentParticipationRepository studentParticipationRepository,
             ProgrammingExerciseStudentParticipationRepository programmingExerciseStudentParticipationRepository, ProgrammingExerciseRepository programmingExerciseRepository,
             SubmissionRepository submissionRepository, TeamRepository teamRepository, UriService uriService, ResultService resultService,
             CoverageReportRepository coverageReportRepository, BuildLogStatisticsEntryRepository buildLogStatisticsEntryRepository,
             ParticipantScoreRepository participantScoreRepository, StudentScoreRepository studentScoreRepository, TeamScoreRepository teamScoreRepository,
-            Optional<SharedQueueManagementService> localCISharedBuildJobQueueService, ProfileService profileService) {
+            Optional<SharedQueueManagementService> localCISharedBuildJobQueueService, ProfileService profileService, UserRepository userRepository,
+            ParticipationVCSAccessTokenRepository participationVCSAccessTokenRepository) {
         this.gitService = gitService;
         this.continuousIntegrationService = continuousIntegrationService;
         this.versionControlService = versionControlService;
@@ -126,6 +135,8 @@ public ParticipationService(GitService gitService, Optional<ContinuousIntegratio
         this.teamScoreRepository = teamScoreRepository;
         this.localCISharedBuildJobQueueService = localCISharedBuildJobQueueService;
         this.profileService = profileService;
+        this.userRepository = userRepository;
+        this.participationVCSAccessTokenRepository = participationVCSAccessTokenRepository;
     }
 
     /**
@@ -222,14 +233,24 @@ private StudentParticipation createNewParticipationWithInitializationDate(Exerci
         else {
             participation = new StudentParticipation();
         }
+        User user = userRepository.getUser();
         participation.setInitializationState(InitializationState.UNINITIALIZED);
         participation.setExercise(exercise);
         participation.setParticipant(participant);
+
         // StartedDate is used to link a Participation to a test exam exercise
         if (initializationDate != null) {
             participation.setInitializationDate(initializationDate);
         }
-        return studentParticipationRepository.saveAndFlush(participation);
+        participation = studentParticipationRepository.saveAndFlush(participation);
+
+        ParticipationVCSAccessToken participationVCSAccessToken = new ParticipationVCSAccessToken();
+        participationVCSAccessToken.setUser(user);
+        participationVCSAccessToken.setParticipation(participation);
+        participationVCSAccessToken.setVcsAccessToken(LocalVCPersonalAccessTokenManagementService.generateSecureVCSAccessToken());
+        participationVCSAccessTokenRepository.save(participationVCSAccessToken);
+
+        return participation;
     }
 
     /**

@@ -54,8 +54,8 @@ public class GitLabPersonalAccessTokenManagementService extends VcsTokenManageme
     /**
      * The config parameter for enabling VCS access tokens.
      */
-    @Value("${artemis.version-control.version-control-access-token:#{false}}")
-    private Boolean versionControlAccessToken;
+    @Value("${artemis.version-control.version-control-access-token:#{true}}")
+    private Boolean useVersionControlAccessToken;
 
     public GitLabPersonalAccessTokenManagementService(UserRepository userRepository, GitLabApi gitlabApi, @Qualifier("gitlabRestTemplate") RestTemplate restTemplate) {
         this.userRepository = userRepository;
@@ -72,7 +72,7 @@ public GitLabPersonalAccessTokenManagementService(UserRepository userRepository,
      */
     @Override
     public void createAccessToken(User user, Duration lifetime) {
-        if (versionControlAccessToken) {
+        if (useVersionControlAccessToken) {
             if (user.getVcsAccessToken() != null) {
                 throw new IllegalArgumentException("User already has an access token");
             }
@@ -115,7 +115,7 @@ private void savePersonalAccessTokenOfUser(ImpersonationToken token, User user)
      */
     @Override
     public void renewAccessToken(User user, Duration newLifetime) {
-        if (versionControlAccessToken) {
+        if (useVersionControlAccessToken) {
             if (user.getVcsAccessToken() == null) {
                 throw new IllegalArgumentException("User has no VCS access token to be renewed");
             }

@@ -43,7 +43,7 @@ public void contribute(Info.Builder builder) {
         // TODO: only activate this when access tokens are available and make sure this does not lead to issues
         // TODO: If activated, reflect this in LocalVCInfoContributorTest
         // with the account.service.ts and its check if the access token is required
-        builder.withDetail(Constants.INFO_VERSION_CONTROL_ACCESS_TOKEN_DETAIL, false);
+        builder.withDetail(Constants.INFO_VERSION_CONTROL_ACCESS_TOKEN_DETAIL, true);
 
         // Store ssh url template
         try {

@@ -0,0 +1,43 @@
+package de.tum.in.www1.artemis.service.connectors.localvc;
+
+import static de.tum.in.www1.artemis.config.Constants.PROFILE_LOCALVC;
+
+import java.security.SecureRandom;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Profile;
+import org.springframework.stereotype.Service;
+
+import de.tum.in.www1.artemis.web.rest.UserResource;
+
+@Service
+@Profile(PROFILE_LOCALVC)
+public class LocalVCPersonalAccessTokenManagementService {
+
+    private static final Logger log = LoggerFactory.getLogger(UserResource.class);
+
+    @Value("${artemis.version-control.version-control-access-token:#{false}}")
+    private boolean versionControlAccessToken;
+
+    @Value("${artemis.version-control.vc-access-token-max-lifetime-in-days:365}")
+    private int vcMaxLifetimeInDays;
+
+    private static final String TOKEN_PREFIX = "vcpat-";
+
+    private static final int RANDOM_STRING_LENGTH = 40;
+
+    private static final String CHARACTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+
+    public static String generateSecureVCSAccessToken() {
+        SecureRandom secureRandom = new SecureRandom();
+        StringBuilder randomString = new StringBuilder(RANDOM_STRING_LENGTH);
+
+        for (int i = 0; i < RANDOM_STRING_LENGTH; i++) {
+            int randomIndex = secureRandom.nextInt(CHARACTERS.length());
+            randomString.append(CHARACTERS.charAt(randomIndex));
+        }
+        return TOKEN_PREFIX + randomString.toString();
+    }
+}
@@ -14,7 +14,6 @@
 
 import jakarta.servlet.http.HttpServletRequest;
 
-import org.apache.commons.lang3.StringUtils;
 import org.eclipse.jgit.api.Git;
 import org.eclipse.jgit.api.errors.GitAPIException;
 import org.eclipse.jgit.errors.RepositoryNotFoundException;
@@ -44,6 +43,7 @@
 import de.tum.in.www1.artemis.exception.localvc.LocalVCAuthException;
 import de.tum.in.www1.artemis.exception.localvc.LocalVCForbiddenException;
 import de.tum.in.www1.artemis.exception.localvc.LocalVCInternalException;
+import de.tum.in.www1.artemis.repository.ParticipationVCSAccessTokenRepository;
 import de.tum.in.www1.artemis.repository.ProgrammingExerciseRepository;
 import de.tum.in.www1.artemis.repository.UserRepository;
 import de.tum.in.www1.artemis.security.SecurityUtils;
@@ -95,6 +95,8 @@ public class LocalVCServletService {
 
     private static URL localVCBaseUrl;
 
+    private final ParticipationVCSAccessTokenRepository participationVCSAccessTokenRepository;
+
     @Value("${artemis.version-control.url}")
     public void setLocalVCBaseUrl(URL localVCBaseUrl) {
         LocalVCServletService.localVCBaseUrl = localVCBaseUrl;
@@ -122,7 +124,8 @@ public LocalVCServletService(AuthenticationManager authenticationManager, UserRe
             RepositoryAccessService repositoryAccessService, AuthorizationCheckService authorizationCheckService,
             ProgrammingExerciseParticipationService programmingExerciseParticipationService, AuxiliaryRepositoryService auxiliaryRepositoryService,
             ContinuousIntegrationTriggerService ciTriggerService, ProgrammingSubmissionService programmingSubmissionService,
-            ProgrammingMessagingService programmingMessagingService, ProgrammingTriggerService programmingTriggerService) {
+            ProgrammingMessagingService programmingMessagingService, ProgrammingTriggerService programmingTriggerService,
+            ParticipationVCSAccessTokenRepository participationVCSAccessTokenRepository) {
         this.authenticationManager = authenticationManager;
         this.userRepository = userRepository;
         this.programmingExerciseRepository = programmingExerciseRepository;
@@ -134,6 +137,7 @@ public LocalVCServletService(AuthenticationManager authenticationManager, UserRe
         this.programmingSubmissionService = programmingSubmissionService;
         this.programmingMessagingService = programmingMessagingService;
         this.programmingTriggerService = programmingTriggerService;
+        this.participationVCSAccessTokenRepository = participationVCSAccessTokenRepository;
     }
 
     /**
@@ -205,8 +209,6 @@ public void authenticateAndAuthorizeGitRequest(HttpServletRequest request, Repos
             }
         }
 
-        User user = authenticateUser(authorizationHeader);
-
         // Optimization.
         // For each git command (i.e. 'git fetch' or 'git push'), the git client sends three requests.
         // The URLs of the first two requests end on '[repository URI]/info/refs'. The third one ends on '[repository URI]/git-receive-pack' (for push) and '[repository
@@ -223,6 +225,8 @@ public void authenticateAndAuthorizeGitRequest(HttpServletRequest request, Repos
 
         ProgrammingExercise exercise = getProgrammingExerciseOrThrow(projectKey);
 
+        User user = authenticateUser(authorizationHeader, exercise);
+
         // Check that offline IDE usage is allowed.
         if (Boolean.FALSE.equals(exercise.isAllowOfflineIde()) && authorizationCheckService.isOnlyStudentInCourse(exercise.getCourseViaExerciseGroupOrCourseMember(), user)) {
             throw new LocalVCForbiddenException();
@@ -235,7 +239,7 @@ public void authenticateAndAuthorizeGitRequest(HttpServletRequest request, Repos
         log.debug("Authorizing user {} for repository {} took {}", user.getLogin(), localVCRepositoryUri, TimeLogUtil.formatDurationFrom(timeNanoStart));
     }
 
-    private User authenticateUser(String authorizationHeader) throws LocalVCAuthException {
+    private User authenticateUser(String authorizationHeader, ProgrammingExercise exercise) throws LocalVCAuthException {
 
         UsernameAndPassword usernameAndPassword = extractUsernameAndPassword(authorizationHeader);
 
@@ -249,9 +253,20 @@ private User authenticateUser(String authorizationHeader) throws LocalVCAuthExce
 
             // Note: we first check if the user has used a vcs access token instead of a password
 
-            if (user.isPresent() && !StringUtils.isEmpty(user.get().getVcsAccessToken()) && Objects.equals(user.get().getVcsAccessToken(), password)) {
+            if (user.isPresent()) { // !StringUtils.isEmpty(user.get().getVcsAccessToken()) && Objects.equals(user.get().getVcsAccessToken(), password)) {
                 // user is authenticated by using the correct access token
-                return user.get();
+                // var studentParticipation = programmingExerciseParticipationService.findStudentParticipationByExerciseAndStudentId(exercise, user.get().getLogin());
+                var participationVCSAccessToken = participationVCSAccessTokenRepository.findByUserId(user.get().getId()).getFirst();
+
+                // todo dont get first but the correct one for the participation
+                // todo entholzer - get token corresponding to only the participation
+                if (Objects.equals(participationVCSAccessToken.getVcsAccessToken(), password)) {
+                    User suser = user.get();
+                    suser.setVcsAccessToken(participationVCSAccessToken.getVcsAccessToken());
+                    return suser;
+                }
+                // suser.setVcsAccessToken();
+                throw new LocalVCAuthException(new AccessForbiddenException());
             }
 
             // if the user does not have an access token or has used a password, we try to authenticate the user with it

@@ -42,12 +42,12 @@ public class VcsTokenRenewalService {
     /**
      * The config parameter for enabling VCS access tokens.
      */
-    private final boolean versionControlAccessToken;
+    private final boolean useVersionControlAccessToken;
 
     // note: we inject the configuration value here to easily test with different ones
     public VcsTokenRenewalService(@Value("${artemis.version-control.version-control-access-token:#{false}}") boolean versionControlAccessToken,
             Optional<VcsTokenManagementService> vcsTokenManagementService, UserRepository userRepository) {
-        this.versionControlAccessToken = versionControlAccessToken;
+        this.useVersionControlAccessToken = versionControlAccessToken;
         this.vcsTokenManagementService = vcsTokenManagementService;
         this.userRepository = userRepository;
     }
@@ -59,7 +59,7 @@ public VcsTokenRenewalService(@Value("${artemis.version-control.version-control-
      */
     @Scheduled(cron = "0 0 4 * * SUN") // Every sunday at 4 am
     public void renewAllVcsAccessTokens() {
-        if (versionControlAccessToken && vcsTokenManagementService.isPresent()) {
+        if (useVersionControlAccessToken && vcsTokenManagementService.isPresent()) {
             log.info("Started scheduled access token renewal");
             int renewedAccessTokenCount = renewExpiringAccessTokens();
             int createdAccessTokenCount = createMissingAccessTokens();