Development: Theia integration test

[janthoXO]

THIS PR SHOULD NOT BE MERGED AND IS ONLY FOR TESTING PURPOSES

Testserver States

Note

These badges show the state of the test servers.
Green = Currently available, Red = Currently locked
Click on the badges to get to the test servers.

Summary by CodeRabbit

Release Notes

• New Features

  • Introduced AllowedTools annotation for method-level access control based on tool permissions.
  • Added ToolTokenType enumeration to represent different tool types.
  • Implemented ToolsInterceptor to manage access control using JWT tokens.
  • Enhanced JWT handling with new methods for token extraction and validation.
  • New endpoint to retrieve programming exercises by project key with access restrictions.
  • Added getToolToken method for generating tool-specific bearer tokens in AccountService.
  • Introduced getBuildConfig method in ProgrammingExerciseService to retrieve build configurations.

• Enhancements

  • Improved error handling and validation in various resource methods.
  • Detailed logging added to course-related methods for better performance tracking.
  • Enhanced participation management logic with stricter adherence to exercise rules and user permissions.
  • Simplified button rendering logic for programming exercises by removing the online IDE button.
  • Updated the authorize method to return an access token in a more structured format.

• Tests

  • Expanded test coverage for JWT filter functionality with additional test cases.
  • Updated tests to validate the visibility of buttons based on the new access control logic.
  • Enhanced test suite for CodeButtonComponent to include scenarios for Theia integration and button visibility.

@coderabbitai pause

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between ae35975 and 0bc0474.

📒 Files selected for processing (4)

• src/main/java/de/tum/cit/aet/artemis/core/web/CourseResource.java (3 hunks)
• src/main/webapp/app/overview/exercise-details/exercise-details-student-actions.component.html (0 hunks)
• src/main/webapp/app/shared/components/code-button/code-button.component.html (1 hunks)
• src/main/webapp/app/shared/components/code-button/code-button.component.ts (6 hunks)

💤 Files with no reviewable changes (1)

• src/main/webapp/app/overview/exercise-details/exercise-details-student-actions.component.html

🚧 Files skipped from review as they are similar to previous changes (1)

• src/main/webapp/app/shared/components/code-button/code-button.component.html

🧰 Additional context used

📓 Path-based instructions (2)

src/main/java/de/tum/cit/aet/artemis/core/web/CourseResource.java (1)

Pattern src/main/java/**/*.java: naming:CamelCase; principles:{single_responsibility,small_methods,no_duplication}; db:{perf_queries,datetime_not_timestamp}; rest:{stateless,singleton,delegate_logic,http_only,minimal_dtos}; dtos:{java_records,no_entities,min_data,single_resp}; di:constructor_injection; kiss:simple_code; file_handling:os_indep_paths; practices:{least_access,avoid_transactions,code_reuse,static_member_ref,prefer_primitives}; sql:{param_annotation,uppercase,avoid_subqueries};java:avoid_star_imports

src/main/webapp/app/shared/components/code-button/code-button.component.ts (1)

Pattern src/main/webapp/**/*.ts: angular_style:https://angular.io/guide/styleguide;methods_in_html:false;lazy_loading:true;code_reuse:true;tests:meaningful;types:PascalCase;enums:PascalCase;funcs:camelCase;props:camelCase;no_priv_prefix:true;strings:single_quotes;localize:true;btns:functionality;links:navigation;icons_text:newline;labels:associate;code_style:arrow_funcs,curly_braces,open_braces_same_line,indent_4;memory_leak_prevention:true;routes:naming_schema;chart_framework:ngx-charts;responsive_layout:true

🔇 Additional comments (4)

src/main/webapp/app/shared/components/code-button/code-button.component.ts (1)

275-276: Skip review due to existing comment

src/main/java/de/tum/cit/aet/artemis/core/web/CourseResource.java (3)

96-97: Imports are appropriate and follow guidelines

The added imports are necessary for the usage of the @AllowedTools annotation and ToolTokenType enum. They comply with the project's coding standards.

---

654-654: ⚠️ Potential issue

Potential unintended access restriction due to @AllowedTools annotation

Adding @AllowedTools(ToolTokenType.SCORPIO) to the getCoursesForDashboard method may unintentionally restrict access to this endpoint. Previously, all users with at least the role of student could access this method, but now only users with a token of type SCORPIO will have access.

Please confirm if it is intended to limit access exclusively to tools with the SCORPIO token. If not, consider adjusting the access control annotations to ensure legitimate users are not blocked.

Run the following script to identify all methods annotated with @AllowedTools and review their access control:

#!/bin/bash
# Description: List methods with @AllowedTools and their other security annotations to analyze access control.

# Search for methods annotated with @AllowedTools and display surrounding annotations
rg --multiline --heading --field-match-separator "@" '@AllowedTools' -A 5 --glob 'src/main/java/**/*.java'

---

589-589: ⚠️ Potential issue

Potential unintended access restriction due to @AllowedTools annotation

Adding @AllowedTools(ToolTokenType.SCORPIO) to the getCourseForDashboard method may unintentionally restrict access to this endpoint. Previously, all users with at least the role of student could access this method, but now only users with a token of type SCORPIO will have access.

Please confirm if it is intended to limit access exclusively to tools with the SCORPIO token. If not, consider adjusting the access control annotations to ensure legitimate users are not blocked.

Run the following script to identify all methods annotated with @AllowedTools and review their access control:

✅ Verification successful

Access restriction with @AllowedTools(ToolTokenType.SCORPIO) is intentional and consistent across the codebase.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: List methods with @AllowedTools and their other security annotations to analyze access control.

# Search for methods annotated with @AllowedTools and display surrounding annotations
rg --multiline --heading --field-match-separator "@" '@AllowedTools' -A 5 --glob 'src/main/java/**/*.java'

Length of output: 3806

[coderabbitai]

Actionable comments posted: 3

🧹 Outside diff range and nitpick comments (1)

src/main/webapp/app/shared/components/code-button/code-button.component.ts (1)

386-389: Improve popup blocker handling

Add user feedback when the popup is blocked by the browser.

Apply this diff:

 const newWindow = window.open('', '_blank');
 if (!newWindow) {
+    console.error('Popup blocked! Please allow popups for this site to use the online IDE.');
+    // Consider showing a user-friendly notification here
     return;
 }

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 0bc0474 and 3c596ac.

📒 Files selected for processing (1)

• src/main/webapp/app/shared/components/code-button/code-button.component.ts (6 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

src/main/webapp/app/shared/components/code-button/code-button.component.ts (1)

Pattern src/main/webapp/**/*.ts: angular_style:https://angular.io/guide/styleguide;methods_in_html:false;lazy_loading:true;code_reuse:true;tests:meaningful;types:PascalCase;enums:PascalCase;funcs:camelCase;props:camelCase;no_priv_prefix:true;strings:single_quotes;localize:true;btns:functionality;links:navigation;icons_text:newline;labels:associate;code_style:arrow_funcs,curly_braces,open_braces_same_line,indent_4;memory_leak_prevention:true;routes:naming_schema;chart_framework:ngx-charts;responsive_layout:true

🔇 Additional comments (3)

src/main/webapp/app/shared/components/code-button/code-button.component.ts (3)

13-13: LGTM: Clean import additions and property declarations

The new imports and property declarations are well-organized and follow Angular conventions.

Also applies to: 16-16, 19-20, 70-72, 76-76

---

87-87: LGTM: Proper dependency injection

The ProgrammingExerciseService is correctly injected following Angular's dependency injection pattern.

---

275-276: Existing security concern is still valid

A previous review has already raised concerns about including credentials in URLs.

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (1)

src/main/webapp/app/shared/components/code-button/code-button.component.ts (1)

374-380: Simplify artemisUrl construction using window.location.origin

The current URL construction is verbose and potentially error-prone. Using window.location.origin would be more concise and reliable.

-let artemisUrl: string = '';
-if (window.location.protocol) {
-    artemisUrl += window.location.protocol + '//';
-}
-if (window.location.host) {
-    artemisUrl += window.location.host;
-}
+const artemisUrl: string = window.location.origin;

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 3c596ac and 590fde4.

📒 Files selected for processing (1)

• src/main/webapp/app/shared/components/code-button/code-button.component.ts (6 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

src/main/webapp/app/shared/components/code-button/code-button.component.ts (1)

Pattern src/main/webapp/**/*.ts: angular_style:https://angular.io/guide/styleguide;methods_in_html:false;lazy_loading:true;code_reuse:true;tests:meaningful;types:PascalCase;enums:PascalCase;funcs:camelCase;props:camelCase;no_priv_prefix:true;strings:single_quotes;localize:true;btns:functionality;links:navigation;icons_text:newline;labels:associate;code_style:arrow_funcs,curly_braces,open_braces_same_line,indent_4;memory_leak_prevention:true;routes:naming_schema;chart_framework:ngx-charts;responsive_layout:true

🔇 Additional comments (3)

src/main/webapp/app/shared/components/code-button/code-button.component.ts (3)

13-13: LGTM: Clean import additions and property declarations

The new imports and property declarations are well-organized and follow Angular naming conventions.

Also applies to: 16-16, 19-20, 70-72, 76-76

---

87-87: LGTM: Proper dependency injection

The ProgrammingExerciseService is correctly injected following Angular's dependency injection pattern.

---

353-368: Consider potential race condition in Theia initialization

The initialization of Theia settings depends on both the profile info and the build config. If the exercise changes after the build config is retrieved but before the settings are applied, it could lead to inconsistent state.

Consider wrapping the initialization in a check:

 initTheia(profileInfo: ProfileInfo) {
     if (profileInfo.activeProfiles?.includes(PROFILE_THEIA) && this.exercise) {
         this.programmingExerciseService.getBuildConfig(this.exercise.id!).subscribe((buildConfig) => {
+            // Verify exercise hasn't changed during async operation
+            if (this.exercise?.id !== buildConfig.exerciseId) {
+                return;
+            }
             if (this.exercise) {
                 this.exercise.buildConfig = buildConfig;
                 // Rest of the code...
             }
         });
     }
 }

[iyannsch]

@coderabbitai pause