Get rid of the redundant multiuser module

Signed-off-by: ivinokur <[email protected]>
Signed-off-by: Ihor Vinokut <[email protected]>

Author: vinokurig

assembly/assembly-wsmaster-war/pom.xml

@@ -35,10 +35,6 @@
             <groupId>ch.qos.logback</groupId>
             <artifactId>logback-classic</artifactId>
         </dependency>
-        <dependency>
-            <groupId>com.auth0</groupId>
-            <artifactId>jwks-rsa</artifactId>
-        </dependency>
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
@@ -67,10 +63,6 @@
             <groupId>io.jaegertracing</groupId>
             <artifactId>jaeger-tracerresolver</artifactId>
         </dependency>
-        <dependency>
-            <groupId>io.jsonwebtoken</groupId>
-            <artifactId>jjwt-api</artifactId>
-        </dependency>
         <dependency>
             <groupId>io.jsonwebtoken</groupId>
             <artifactId>jjwt-impl</artifactId>
@@ -235,82 +227,6 @@
             <groupId>org.eclipse.che.infrastructure</groupId>
             <artifactId>infrastructure-openshift</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.infrastructure</groupId>
-            <artifactId>infrastructure-permission</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-api-authentication-commons</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-api-authorization</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-api-authorization-impl</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-api-permission</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-api-workspace-activity</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-keycloak-server</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-keycloak-token-provider</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-machine-authentication</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-oidc</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-permission-devfile</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-permission-logger</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-permission-resource</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-permission-system</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-permission-user</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-permission-workspace</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-permission-workspace-activity</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-personal-account</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.multiuser</groupId>
-            <artifactId>che-multiuser-sql-schema</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.eclipse.persistence</groupId>
             <artifactId>org.eclipse.persistence.core</artifactId>

assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterModule.java

@@ -13,17 +13,13 @@
 
 import static com.google.inject.matcher.Matchers.subclassesOf;
 import static org.eclipse.che.inject.Matchers.names;
-import static org.eclipse.che.multiuser.api.permission.server.SystemDomain.SYSTEM_DOMAIN_ACTIONS;
 
-import com.auth0.jwk.JwkProvider;
 import com.google.inject.AbstractModule;
 import com.google.inject.TypeLiteral;
 import com.google.inject.assistedinject.FactoryModuleBuilder;
 import com.google.inject.multibindings.MapBinder;
 import com.google.inject.multibindings.Multibinder;
 import com.google.inject.name.Names;
-import io.jsonwebtoken.JwtParser;
-import io.jsonwebtoken.SigningKeyResolver;
 import java.util.HashMap;
 import java.util.Map;
 import org.eclipse.che.api.core.notification.RemoteSubscriptionStorage;
@@ -67,6 +63,7 @@
 import org.eclipse.che.api.workspace.server.WorkspaceStatusCache;
 import org.eclipse.che.api.workspace.server.devfile.DevfileModule;
 import org.eclipse.che.api.workspace.server.hc.ServersCheckerFactory;
+import org.eclipse.che.api.workspace.server.jpa.WorkspaceJpaModule;
 import org.eclipse.che.api.workspace.server.spi.provision.InternalEnvironmentProvisioner;
 import org.eclipse.che.api.workspace.server.spi.provision.MachineNameProvisioner;
 import org.eclipse.che.api.workspace.server.spi.provision.env.AgentAuthEnableEnvVarProvider;
@@ -82,22 +79,11 @@
 import org.eclipse.che.api.workspace.server.spi.provision.env.WorkspaceIdEnvVarProvider;
 import org.eclipse.che.api.workspace.server.spi.provision.env.WorkspaceNameEnvVarProvider;
 import org.eclipse.che.api.workspace.server.spi.provision.env.WorkspaceNamespaceNameEnvVarProvider;
+import org.eclipse.che.api.workspace.server.token.MachineTokenProvider;
 import org.eclipse.che.api.workspace.server.wsplugins.ChePluginsApplier;
 import org.eclipse.che.commons.observability.deploy.ExecutorWrapperModule;
 import org.eclipse.che.core.tracing.metrics.TracingMetricsModule;
 import org.eclipse.che.inject.DynaModule;
-import org.eclipse.che.multiuser.api.authentication.commons.token.HeaderRequestTokenExtractor;
-import org.eclipse.che.multiuser.api.authentication.commons.token.RequestTokenExtractor;
-import org.eclipse.che.multiuser.api.permission.server.PermissionChecker;
-import org.eclipse.che.multiuser.api.permission.server.PermissionCheckerImpl;
-import org.eclipse.che.multiuser.api.workspace.activity.MultiUserWorkspaceActivityModule;
-import org.eclipse.che.multiuser.machine.authentication.server.MachineAuthModule;
-import org.eclipse.che.multiuser.oidc.OIDCInfo;
-import org.eclipse.che.multiuser.oidc.OIDCInfoProvider;
-import org.eclipse.che.multiuser.oidc.OIDCJwkProvider;
-import org.eclipse.che.multiuser.oidc.OIDCJwtParserProvider;
-import org.eclipse.che.multiuser.oidc.OIDCSigningKeyResolver;
-import org.eclipse.che.multiuser.permission.user.UserServicePermissionsFilter;
 import org.eclipse.che.security.PBKDF2PasswordEncryptor;
 import org.eclipse.che.security.PasswordEncryptor;
 import org.eclipse.che.security.oauth.EmbeddedOAuthAPI;
@@ -108,6 +94,7 @@
 import org.eclipse.che.workspace.infrastructure.kubernetes.KubernetesInfrastructure;
 import org.eclipse.che.workspace.infrastructure.kubernetes.environment.KubernetesEnvironment;
 import org.eclipse.che.workspace.infrastructure.kubernetes.multiuser.oauth.KubernetesOidcProviderConfigFactory;
+import org.eclipse.che.workspace.infrastructure.kubernetes.multiuser.oauth.RequestTokenExtractor;
 import org.eclipse.che.workspace.infrastructure.kubernetes.server.secure.SecureServerExposer;
 import org.eclipse.che.workspace.infrastructure.kubernetes.server.secure.SecureServerExposerFactory;
 import org.eclipse.che.workspace.infrastructure.kubernetes.server.secure.jwtproxy.PassThroughProxySecureServerExposer;
@@ -120,7 +107,7 @@
 import org.eclipse.che.workspace.infrastructure.openshift.OpenShiftInfraModule;
 import org.eclipse.che.workspace.infrastructure.openshift.OpenShiftInfrastructure;
 import org.eclipse.che.workspace.infrastructure.openshift.environment.OpenShiftEnvironment;
-import org.eclipse.che.workspace.infrastructure.openshift.multiuser.oauth.KeycloakProviderConfigFactory;
+import org.eclipse.che.workspace.infrastructure.openshift.multiuser.oauth.HeaderRequestTokenExtractor;
 import org.eclipse.persistence.config.PersistenceUnitProperties;
 
 /** @author andrew00x */
@@ -324,9 +311,6 @@ private void configureMultiUserMode(
     if (OpenShiftInfrastructure.NAME.equals(infrastructure)
         || KubernetesInfrastructure.NAME.equals(infrastructure)) {
       install(new ReplicationModule(persistenceProperties));
-      bind(
-          org.eclipse.che.multiuser.permission.workspace.infra.kubernetes
-              .BrokerServicePermissionFilter.class);
       configureJwtProxySecureProvisioner(infrastructure);
     } else {
       bind(RemoteSubscriptionStorage.class)
@@ -337,70 +321,24 @@ private void configureMultiUserMode(
           .to(org.eclipse.che.api.workspace.server.DefaultWorkspaceStatusCache.class);
     }
 
-    if (Boolean.parseBoolean(System.getenv("CHE_AUTH_NATIVEUSER"))) {
-      bind(KubernetesClientConfigFactory.class).to(KubernetesOidcProviderConfigFactory.class);
-    } else if (OpenShiftInfrastructure.NAME.equals(infrastructure)) {
-      bind(KubernetesClientConfigFactory.class).to(KeycloakProviderConfigFactory.class);
-    }
+    bind(KubernetesClientConfigFactory.class).to(KubernetesOidcProviderConfigFactory.class);
 
     persistenceProperties.put(
         PersistenceUnitProperties.EXCEPTION_HANDLER_CLASS,
         "org.eclipse.che.core.db.postgresql.jpa.eclipselink.PostgreSqlExceptionHandler");
 
-    install(
-        new org.eclipse.che.multiuser.permission.workspace.server.WorkspaceApiPermissionsModule());
-    install(
-        new org.eclipse.che.multiuser.permission.workspace.server.jpa
-            .MultiuserWorkspaceJpaModule());
-    install(new MultiUserWorkspaceActivityModule());
-    install(
-        new org.eclipse.che.multiuser.permission.devfile.server.jpa
-            .MultiuserUserDevfileJpaModule());
-    install(
-        new org.eclipse.che.multiuser.permission.devfile.server.UserDevfileApiPermissionsModule());
-
-    // Permission filters
-    bind(org.eclipse.che.multiuser.permission.system.SystemServicePermissionsFilter.class);
-    bind(org.eclipse.che.multiuser.permission.system.JvmServicePermissionsFilter.class);
-    bind(
-        org.eclipse.che.multiuser.permission.system.SystemEventsSubscriptionPermissionsCheck.class);
-
-    Multibinder<String> binder =
-        Multibinder.newSetBinder(binder(), String.class, Names.named(SYSTEM_DOMAIN_ACTIONS));
-    binder.addBinding().toInstance(UserServicePermissionsFilter.MANAGE_USERS_ACTION);
-    bind(org.eclipse.che.multiuser.permission.user.UserProfileServicePermissionsFilter.class);
-    bind(org.eclipse.che.multiuser.permission.user.UserServicePermissionsFilter.class);
-    bind(org.eclipse.che.multiuser.permission.logger.LoggerServicePermissionsFilter.class);
-
-    bind(org.eclipse.che.multiuser.permission.workspace.activity.ActivityPermissionsFilter.class);
-
-    bind(
-        org.eclipse.che.multiuser.permission.resource.filters.ResourceServicePermissionsFilter
-            .class);
-    bind(
-        org.eclipse.che.multiuser.permission.resource.filters
-            .FreeResourcesLimitServicePermissionsFilter.class);
-
-    if (Boolean.parseBoolean(System.getenv("CHE_AUTH_NATIVEUSER"))) {
-      bind(RequestTokenExtractor.class).to(HeaderRequestTokenExtractor.class);
-      if (KubernetesInfrastructure.NAME.equals(infrastructure)) {
-        bind(OIDCInfo.class).toProvider(OIDCInfoProvider.class).asEagerSingleton();
-        bind(SigningKeyResolver.class).to(OIDCSigningKeyResolver.class);
-        bind(JwtParser.class).toProvider(OIDCJwtParserProvider.class);
-        bind(JwkProvider.class).toProvider(OIDCJwkProvider.class);
-      }
-      bind(TokenValidator.class).to(NotImplementedTokenValidator.class);
-      bind(ProfileDao.class).to(JpaProfileDao.class);
-      bind(OAuthAPI.class).to(EmbeddedOAuthAPI.class).asEagerSingleton();
-    }
+    bind(RequestTokenExtractor.class).to(HeaderRequestTokenExtractor.class);
+    bind(ProfileDao.class).to(JpaProfileDao.class);
+    bind(OAuthAPI.class).to(EmbeddedOAuthAPI.class).asEagerSingleton();
 
-    install(new MachineAuthModule());
+    install(new WorkspaceJpaModule());
+    bind(TokenValidator.class).to(NotImplementedTokenValidator.class);
+    bind(MachineTokenProvider.class).to(MachineTokenProvider.EmptyMachineTokenProvider.class);
 
     // User and profile - use profile from keycloak and other stuff is JPA
     bind(PasswordEncryptor.class).to(PBKDF2PasswordEncryptor.class);
     bind(UserDao.class).to(JpaUserDao.class);
     bind(PreferenceDao.class).to(JpaPreferenceDao.class);
-    bind(PermissionChecker.class).to(PermissionCheckerImpl.class);
 
     bindConstant().annotatedWith(Names.named("che.agents.auth_enabled")).to(true);
   }

assembly/assembly-wsmaster-war/src/main/java/org/eclipse/che/api/deploy/WsMasterServletModule.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2021 Red Hat, Inc.
+ * Copyright (c) 2012-2025 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -17,10 +17,8 @@
 import org.eclipse.che.commons.logback.filter.RequestIdLoggerFilter;
 import org.eclipse.che.inject.ConfigurationException;
 import org.eclipse.che.inject.DynaModule;
-import org.eclipse.che.multiuser.keycloak.server.deploy.KeycloakServletModule;
-import org.eclipse.che.multiuser.machine.authentication.server.MachineLoginFilter;
-import org.eclipse.che.multiuser.oidc.filter.OidcTokenInitializationFilter;
 import org.eclipse.che.workspace.infrastructure.kubernetes.KubernetesInfrastructure;
+import org.eclipse.che.workspace.infrastructure.kubernetes.multiuser.oauth.OidcTokenInitializationFilter;
 import org.eclipse.che.workspace.infrastructure.openshift.OpenShiftInfrastructure;
 import org.eclipse.che.workspace.infrastructure.openshift.multiuser.oauth.OpenshiftTokenInitializationFilter;
 import org.everrest.guice.servlet.GuiceEverrestServlet;
@@ -47,14 +45,7 @@ protected void configureServlets() {
     // Matching group SHOULD contain forward slash.
     serveRegex("^(?!/websocket.?)(.*)")
         .with(GuiceEverrestServlet.class, ImmutableMap.of("openapi.context.id", "org.eclipse.che"));
-
-    if (Boolean.parseBoolean(System.getenv("CHE_AUTH_NATIVEUSER"))) {
-      LOG.info("Running in native-user mode ...");
-      configureNativeUserMode();
-    } else {
-      LOG.info("Running in classic multi-user mode ...");
-      configureMultiUserMode();
-    }
+    configureNativeUserMode();
 
     if (Boolean.valueOf(System.getenv("CHE_METRICS_ENABLED"))) {
       install(new org.eclipse.che.core.metrics.MetricsServletModule());
@@ -71,11 +62,6 @@ private boolean isCheCorsEnabled() {
     }
   }
 
-  private void configureMultiUserMode() {
-    filterRegex(".*").through(MachineLoginFilter.class);
-    install(new KeycloakServletModule());
-  }
-
   private void configureNativeUserMode() {
     final String infrastructure = System.getenv("CHE_INFRASTRUCTURE_ACTIVE");
     if (OpenShiftInfrastructure.NAME.equals(infrastructure)) {

assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/web.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-    Copyright (c) 2012-2021 Red Hat, Inc.
+    Copyright (c) 2012-2025 Red Hat, Inc.
     This program and the accompanying materials are made
     available under the terms of the Eclipse Public License 2.0
     which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -36,8 +36,4 @@
         <resource-env-ref-type>javax.sql.DataSource</resource-env-ref-type>
     </resource-env-ref>
 
-    <listener>
-        <listener-class>org.eclipse.che.multiuser.api.authentication.commons.DestroySessionListener</listener-class>
-    </listener>
-
 </web-app>