Address outstanding issues: XStream deserialzation from existing

installs would have had altered behavior with the FullControl auth
strategy, erroneous return while creating the default user, added help
file, added ability to skip first user or cancel the wizard altogether.

core/src/main/java/hudson/security/FullControlOnceLoggedInAuthorizationStrategy.java

@@ -43,10 +43,10 @@ import java.util.List;
  */
 public class FullControlOnceLoggedInAuthorizationStrategy extends AuthorizationStrategy {
     /**
-     * Whether to allow read access, default behavior
-     * previously was true
+     * Whether to allow anonymouos read access, default behavior
+     * previously was to do so
      */
-    private boolean allowAnonymousRead = true;
+    private boolean authenticatedReadOnly = false;
     
     @DataBoundConstructor
     public FullControlOnceLoggedInAuthorizationStrategy() {
@@ -54,7 +54,7 @@ public class FullControlOnceLoggedInAuthorizationStrategy extends AuthorizationS
 
     @Override
     public ACL getRootACL() {
-        return allowAnonymousRead ? ANONYMOUS_READ : AUTHENTICATED_READ;
+        return !authenticatedReadOnly ? ANONYMOUS_READ : AUTHENTICATED_READ;
     }
 
     public List<String> getGroups() {
@@ -65,12 +65,12 @@ public class FullControlOnceLoggedInAuthorizationStrategy extends AuthorizationS
      * If true, anonymous read access will be allowed
      */
     public boolean isAllowAnonymousRead() {
-        return allowAnonymousRead;
+        return !authenticatedReadOnly;
     }
     
     @DataBoundSetter
     public void setAllowAnonymousRead(boolean allowAnonymousRead) {
-        this.allowAnonymousRead = allowAnonymousRead;
+        this.authenticatedReadOnly = !allowAnonymousRead;
     }
 
     private static final SparseACL AUTHENTICATED_READ = new SparseACL(null);
@@ -83,7 +83,6 @@ public class FullControlOnceLoggedInAuthorizationStrategy extends AuthorizationS
         
         AUTHENTICATED_READ.add(ACL.EVERYONE, Jenkins.ADMINISTER, true);
         AUTHENTICATED_READ.add(ACL.ANONYMOUS, Jenkins.ADMINISTER, false);
-        AUTHENTICATED_READ.add(ACL.ANONYMOUS, Permission.READ, false);
     }
 
     /**

core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java

@@ -286,20 +286,31 @@ public class HudsonPrivateSecurityRealm extends AbstractPasswordBasedSecurityRea
             rsp.sendError(SC_UNAUTHORIZED,"First user was already created");
             return;
         }
-        String view = "firstUser.jelly";
+        
         User admin = null;
-        if(inSetup) {
-            admin = getUser(SetupWizard.initialSetupAdminUserName);
-            view = "setupWizardFirstUser.jelly";
-        }
-        User u = createAccount(req, rsp, false, view);
-        if (u!=null) {
-            tryToMakeAdmin(u);
+        try {
+            String view = "firstUser.jelly";
+            if(inSetup) {
+                admin = getUser(SetupWizard.initialSetupAdminUserName);
+                if(admin != null) {
+                    admin.delete(); // assume the new user may well be 'admin'
+                }
+                view = "setupWizardFirstUser.jelly";
+            }
+            
+            User u = createAccount(req, rsp, false, view);
+            if (u!=null) {
+                tryToMakeAdmin(u);
+                if(admin != null) {
+                    admin = null;
+                }
+                Jenkins.getInstance().setInstallState(InstallState.CREATE_ADMIN_USER.getNextState());
+                loginAndTakeBack(req, rsp, u);
+            }
+        } finally {
             if(admin != null) {
-                admin.delete();
+                admin.save(); // recreate this initial user if something failed
             }
-            Jenkins.getInstance().setInstallState(InstallState.CREATE_ADMIN_USER.getNextState());
-            loginAndTakeBack(req, rsp, u);
         }
     }
 

core/src/main/java/jenkins/install/SetupWizard.java

@@ -14,16 +14,20 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletRequestWrapper;
 
+import org.kohsuke.stapler.HttpResponse;
+import org.kohsuke.stapler.StaplerRequest;
+import org.kohsuke.stapler.StaplerResponse;
+
 import hudson.BulkChange;
 import hudson.ExtensionList;
 import hudson.model.User;
 import hudson.model.UserProperty;
-import hudson.security.AuthorizationStrategy;
 import hudson.security.FullControlOnceLoggedInAuthorizationStrategy;
 import hudson.security.HudsonPrivateSecurityRealm;
 import hudson.security.PermissionAdder;
 import hudson.security.SecurityRealm;
 import hudson.security.csrf.DefaultCrumbIssuer;
+import hudson.util.HttpResponses;
 import hudson.util.PluginServletFilter;
 import jenkins.model.Jenkins;
 import jenkins.security.s2m.AdminWhitelistRule;
@@ -36,7 +40,7 @@ public class SetupWizard {
     /**
      * The security token parameter name
      */
-    public static String initialSetupAdminUserName = "initial-setup-admin-user";
+    public static String initialSetupAdminUserName = "admin";
 
     private final Logger LOGGER = Logger.getLogger(SetupWizard.class.getName());
 
@@ -52,18 +56,16 @@ public class SetupWizard {
             String randomUUID = UUID.randomUUID().toString().replace("-", "").toLowerCase(Locale.ENGLISH);
             admin = securityRealm.createAccount(SetupWizard.initialSetupAdminUserName, randomUUID);
             admin.addProperty(new SetupWizard.AuthenticationKey(randomUUID));
-
-            AuthorizationStrategy as = Jenkins.getInstance().getAuthorizationStrategy();
-            for (PermissionAdder adder : ExtensionList.lookup(PermissionAdder.class)) {
-                if (adder.add(as, admin, Jenkins.ADMINISTER)) {
-                    return;
-                }
-            }
             
             // Lock Jenkins down:
             FullControlOnceLoggedInAuthorizationStrategy authStrategy = new FullControlOnceLoggedInAuthorizationStrategy();
             authStrategy.setAllowAnonymousRead(false);
             j.setAuthorizationStrategy(authStrategy);
+
+            // there probably aren't any implementors yet, but just in case
+            for (PermissionAdder adder : ExtensionList.lookup(PermissionAdder.class)) {
+                adder.add(authStrategy, admin, Jenkins.ADMINISTER);
+            }
             
             // Shut down all the ports we can by default:
             j.setSlaveAgentPort(-1); // -1 to disable
@@ -114,13 +116,14 @@ public class SetupWizard {
     /**
      * Remove the setupWizard filter, ensure all updates are written to disk, etc
      */
-    public void doCompleteSetupWizard() {
+    public HttpResponse doCompleteInstall(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
+        Jenkins j = Jenkins.getActiveInstance();
+        j.setInstallState(InstallState.INITIAL_SETUP_COMPLETED);
         InstallUtil.saveLastExecVersion();
-        try {
-            PluginServletFilter.removeFilter(FORCE_SETUP_WIZARD_FILTER);
-        } catch (ServletException e) {
-            throw new AssertionError(e); // never happen because our Filter.init is no-op
-        }
+        PluginServletFilter.removeFilter(FORCE_SETUP_WIZARD_FILTER);
+        // Also, clean up the setup wizard if it's completed
+        j.setSetupWizard(null);
+        return HttpResponses.okJSON();
     }
 
     // Stores a user property for the authentication key, which is really the auto-generated user's password

core/src/main/java/jenkins/model/Jenkins.java

@@ -936,12 +936,7 @@ public class Jenkins extends AbstractCIBase implements DirectlyModifiableTopLeve
      */
     @Restricted(NoExternalUse.class)
     public void setInstallState(@Nonnull InstallState newState) {
-        InstallState prior = installState;
         installState = newState;
-        if(setupWizard != null && !newState.equals(prior) && newState.isSetupComplete()) {
-            setupWizard.doCompleteSetupWizard();
-            setupWizard = null;
-        }
     }
 
     /**
@@ -3916,6 +3911,13 @@ public class Jenkins extends AbstractCIBase implements DirectlyModifiableTopLeve
     public SetupWizard getSetupWizard() {
         return setupWizard;
     }
+    
+    /**
+     * Sets the setup wizard
+     */
+    public void setSetupWizard(SetupWizard setupWizard) {
+        this.setupWizard = setupWizard;
+    }
 
     /**
      * Exposes the current user to <tt>/me</tt> URL.

core/src/main/resources/hudson/security/FullControlOnceLoggedInAuthorizationStrategy/help-allowAnonymousRead.html

+<div>
+  If checked, this will allow users who are not authenticated to access Jenkins in a read-only mode.
+</div>

core/src/main/resources/jenkins/install/pluginSetupWizard.properties

@@ -38,6 +38,11 @@ installWizard_installIncomplete_banner=Resume Installation
 installWizard_installIncomplete_message=Jenknins was restarted during installation and some plugins didn't seem to get installed.
 installWizard_installIncomplete_resumeInstallationButtonLabel=Resume
 installWizard_saveFirstUser=Save and Finish
+installWizard_skipFirstUser=Skip
+installWizard_firstUserSkippedMessage=<div class="alert alert-warning fade in">\
+You've skipped creating an admin user. To log in, use the username: 'admin' and \
+the security token you used to access the setup wizard.\
+</div>
 installWizard_addFirstUser_title=Create an Admin User
 installWizard_configureProxy_label=Configure Proxy
 installWizard_configureProxy_save=Save and Continue

war/src/main/js/api/pluginManager.js

@@ -149,7 +149,7 @@ exports.incompleteInstallStatus = function(handler, correlationId) {
  * Call this to complete the installation without installing anything
  */
 exports.completeInstall = function(handler) {
-	jenkins.get('/updateCenter/completeInstall', function() {
+	jenkins.get('/setupWizard/completeInstall', function() {
 		handler.call({ isError: false });
 	}, {
 		timeout: pluginManagerErrorTimeoutMillis,

war/src/main/js/pluginSetupWizardGui.js

@@ -193,6 +193,12 @@ var createPluginSetupWizard = function(appendTarget) {
 				currentPanel = panel;
 				$container.append(html);
 				decorate($container);
+				
+				var $modalHeader = $container.find('.modal-header');
+				if($modalHeader.length > 0) {
+					$modalHeader.prepend(
+						'<button type="button" class="close" aria-label="Close"><span aria-hidden="true">&times;</span></button>');
+				}
 
 				if(oncomplete) {
 					oncomplete();
@@ -396,7 +402,7 @@ var createPluginSetupWizard = function(appendTarget) {
 
 	// Called to complete the installation
 	var finishInstallation = function() {
-		jenkins.goTo('/');
+		closeInstaller();
 	};
 
 	// load the plugin data, callback
@@ -667,6 +673,11 @@ var createPluginSetupWizard = function(appendTarget) {
 		securityConfig.saveFirstUser($('iframe[src]').contents().find('form:not(.no-json)'), handleSubmit, handleSubmit);
 	};
 	
+	var skipFirstUser = function() {
+		$('button').prop({disabled:true});
+		setPanel(setupCompletePanel, {message: translations.installWizard_firstUserSkippedMessage});
+	};
+	
 	// call to setup the proxy
 	var setupProxy = function() {
 		setPanel(proxyConfigPanel, {}, enableButtonsAfterFrameLoad);
@@ -749,6 +760,7 @@ var createPluginSetupWizard = function(appendTarget) {
 		'.resume-installation': resumeInstallation,
 		'.install-done-restart': restartJenkins,
 		'.save-first-user:not([disabled])': saveFirstUser,
+		'.skip-first-user': skipFirstUser,
 		'.show-proxy-config': setupProxy,
 		'.save-proxy-config': saveProxyConfig,
 		'.skip-plugin-installs': function() { installPlugins([]); }

war/src/main/js/templates/firstUserPanel.hbs

@@ -7,6 +7,9 @@
 	</div>
 </div>
 <div class="modal-footer">
+    <button type="button" class="btn btn-link skip-first-user" disabled>
+        {{translations.installWizard_skipFirstUser}}
+    </button>
 	<button type="button" class="btn btn-primary save-first-user" disabled>
 		{{translations.installWizard_saveFirstUser}}
 	</button>

war/src/main/js/templates/setupCompletePanel.hbs

@@ -4,6 +4,8 @@
 <div class="modal-body">
 	<div class="jumbotron welcome-panel success-panel">
 		<h1>{{translations.installWizard_installComplete_banner}}</h1>
+		
+		{{{message}}}
 
 		{{#if restartRequired}}
 		<p>{{translations.installWizard_installComplete_message}} {{translations.installWizard_installComplete_restartRequiredMessage}}</p>