Require authentication for SCIM requests

app/controllers/scim_v2/scim_controller_mixins.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
+module ScimV2
+  module ScimControllerMixins
+    def self.included(base)
+      base.prepend(Overwrites)
+    end
+
+    module Overwrites
+      # Completely overwriting authenticate method of Scimitar
+      def authenticate
+        return handle_scim_error(Scimitar::AuthenticationError.new) unless OpenProject::FeatureDecisions.scim_api_active?
+
+        warden = request.env["warden"]
+        User.current = warden.authenticate! scope: :scim_v2
+
+        # Only admins are able to manage users, so that's the only permission we can check for it
+        handle_scim_error(Scimitar::AuthenticationError.new) unless User.current.admin?
+      end
+    end
+  end
+end

app/models/user.rb

@@ -764,3 +764,7 @@ def self.default_admin_account_changed?
     !User.active.find_by_login("admin").try(:current_password).try(:matches_plaintext?, "admin")
   end
 end
+
+# Fix for development (and non eagerloaded environments), where User.find(...) would not return service accounts before
+# they've been autoloaded.
+require "service_account"

config/initializers/scimitar.rb

@@ -33,8 +33,6 @@
     patch:  Scimitar::Supportable.unsupported
   })
   Scimitar.engine_configuration = Scimitar::EngineConfiguration.new(
-    token_authenticator: Proc.new do |_token, _options|
-      OpenProject::FeatureDecisions.scim_api_active?
-    end
+    application_controller_mixin: ScimV2::ScimControllerMixins
   )
 end

config/initializers/warden.rb

@@ -1,27 +1,35 @@
-Rails.application.config.after_initialize do
-  namespace = OpenProject::Authentication::Strategies::Warden
+# frozen_string_literal: true
 
-  strategies = [
-    [:basic_auth_failure, namespace::BasicAuthFailure,  "Basic"],
-    [:global_basic_auth,  namespace::GlobalBasicAuth,   "Basic"],
-    [:user_basic_auth,    namespace::UserBasicAuth,     "Basic"],
-    [:oauth,              namespace::DoorkeeperOAuth,   "Bearer"],
-    [:anonymous_fallback, namespace::AnonymousFallback, "Basic"],
-    [:jwt_oidc,           namespace::JwtOidc,           "Bearer"],
-    [:session,            namespace::Session,           "Session"]
-  ]
+namespace = OpenProject::Authentication::Strategies::Warden
 
-  strategies.each do |name, clazz, auth_scheme|
-    OpenProject::Authentication.add_strategy(name, clazz, auth_scheme)
-  end
+strategies = [
+  [:basic_auth_failure, namespace::BasicAuthFailure,  "Basic"],
+  [:global_basic_auth,  namespace::GlobalBasicAuth,   "Basic"],
+  [:user_basic_auth,    namespace::UserBasicAuth,     "Basic"],
+  [:oauth,              namespace::DoorkeeperOAuth,   "Bearer"],
+  [:anonymous_fallback, namespace::AnonymousFallback, "Basic"],
+  [:jwt_oidc,           namespace::JwtOidc,           "Bearer"],
+  [:session,            namespace::Session,           "Session"]
+]
 
-  OpenProject::Authentication.update_strategies(OpenProject::Authentication::Scope::API_V3, { store: false }) do |_|
-    %i[global_basic_auth
-       user_basic_auth
-       basic_auth_failure
-       oauth
-       jwt_oidc
-       session
-       anonymous_fallback]
-  end
+strategies.each do |name, clazz, auth_scheme|
+  OpenProject::Authentication.add_strategy(name, clazz, auth_scheme)
+end
+
+OpenProject::Authentication.update_strategies(OpenProject::Authentication::Scope::API_V3, { store: false }) do |_|
+  %i[global_basic_auth
+     user_basic_auth
+     basic_auth_failure
+     oauth
+     jwt_oidc
+     session
+     anonymous_fallback]
+end
+
+OpenProject::Authentication.update_strategies(OpenProject::Authentication::Scope::SCIM_V2, { store: false }) do |_|
+  %i[oauth jwt_oidc session]
+end
+
+Rails.application.configure do |app|
+  app.config.middleware.use OpenProject::Authentication::Manager, intercept_401: false
 end

lib/api/root_api.rb

@@ -44,8 +44,6 @@ class RootAPI < Grape::API
 
     content_type :json, "application/json; charset=utf-8"
 
-    use OpenProject::Authentication::Manager
-
     helpers API::Caching::Helpers
     module Helpers
       include ::API::Helpers::RaiseQueryErrors