Require authentication for SCIM requests

Handling authentication through our regular warden strategies.

Permissions-wise the only thing we can check for is whether the authenticated
user is an admin. Though this will require us to grant admin privileges to
all SCIM clients, which might be more than we want to do.

Author: NobodysNightmare

app/controllers/scim_v2/scim_controller_mixins.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
+module ScimV2
+  module ScimControllerMixins
+    def self.included(base)
+      base.prepend(Overwrites)
+    end
+
+    module Overwrites
+      # Completely overwriting authenticate method of Scimitar
+      def authenticate
+        return handle_scim_error(Scimitar::AuthenticationError.new) unless OpenProject::FeatureDecisions.scim_api_active?
+
+        warden = request.env["warden"]
+        User.current = warden.authenticate! scope: :scim_v2
+
+        # Only admins are able to manage users, so that's the only permission we can check for it
+        handle_scim_error(Scimitar::AuthenticationError.new) unless User.current.admin?
+      end
+    end
+  end
+end

app/models/user.rb

@@ -764,3 +764,7 @@ def self.default_admin_account_changed?
     !User.active.find_by_login("admin").try(:current_password).try(:matches_plaintext?, "admin")
   end
 end
+
+# Fix for development (and non eagerloaded environments), where User.find(...) would not return service accounts before
+# they've been autoloaded.
+require "service_account"

config/initializers/scimitar.rb

@@ -33,8 +33,6 @@
     patch:  Scimitar::Supportable.unsupported
   })
   Scimitar.engine_configuration = Scimitar::EngineConfiguration.new(
-    token_authenticator: Proc.new do |_token, _options|
-      OpenProject::FeatureDecisions.scim_api_active?
-    end
+    application_controller_mixin: ScimV2::ScimControllerMixins
   )
 end

config/initializers/warden.rb

@@ -26,6 +26,17 @@
      anonymous_fallback]
 end
 
+OpenProject::Authentication.update_strategies(OpenProject::Authentication::Scope::SCIM_V2, { store: false }) do |_|
+  # TODO: reduce?
+  %i[global_basic_auth
+     user_basic_auth
+     basic_auth_failure
+     oauth
+     jwt_oidc
+     session
+     anonymous_fallback]
+end
+
 Rails.application.configure do |app|
   app.config.middleware.use OpenProject::Authentication::Manager
 end