Fix Broken SCIM integration (#171)

* Fix several bugs

Author: jastBytes

build/package/helm/gateway/files/policies/policies.rego

@@ -13,7 +13,11 @@ allowed_paths := [
 	"/domain.ClusterAccess/GetClusterAccess",
 ]
 
-scoped_paths := [{"path": "/scim/", "scope": "WRITE_SCIM"}]
+scoped_paths := [{"scope": "WRITE_SCIM", "paths": [
+	"/scim/",
+	"/eventsourcing.CommandHandler/Execute",
+	"/domain.User/",
+]}]
 
 command_path := "/eventsourcing.CommandHandler/Execute"
 
@@ -25,6 +29,7 @@ role_admin = "admin"
 
 # check if system admin
 is_system_admin {
+	print("entering is_system_admin")
 	some role in input.User.Roles
 	role.Scope == scope_system
 	role.Name == role_admin
@@ -33,6 +38,8 @@ is_system_admin {
 
 # check if user is tenant admin and adjusts rolebindings of other users of the tenant
 tenant_admin_rolebindings {
+	print("entering tenant_admin_rolebindings")
+
 	# check that it is a command
 	startswith(input.Path, command_path)
 	req := json.unmarshal(input.Request)
@@ -50,7 +57,7 @@ tenant_admin_rolebindings {
 	role.Name == role_admin
 	role.Resource == req.data.resource
 
-	print(input.User.Name, "is tenant admin and allowed to execute", req.type)
+	print(input.User.Name, "is tenant admin and allowed to execute", req.type, "for tenant", req.data.resource)
 }
 
 # authorized because system admin
@@ -65,16 +72,19 @@ authorized {
 
 # authorized via allowed_paths
 authorized {
+	print("entering allowed_paths")
 	some path in allowed_paths
 	startswith(input.Path, path)
 	print(path, "is allowed to everyone")
 }
 
 # authorized via scope
 authorized {
+	print("entering scoped_paths")
 	some scoped_path in scoped_paths
-	startswith(input.Path, scoped_path.path)
 	some scope in input.Authentication.Scopes
 	scope == scoped_path.scope
-	print("scope", scope, "allows access to path", scoped_path.path)
+	some path in scoped_path.paths
+	startswith(input.Path, path)
+	print("scope", scope, "allows access to path", path)
 }

build/package/helm/gateway/files/policies/policies_test.rego

@@ -3,6 +3,7 @@ package m8.authz
 alice_admin = {"User": {
 	"Id": "1234", "Name": "alice",
 	"Roles": [{"Name": "admin", "Scope": "system"}, {"Name": "admin", "Scope": "tenant", "Resource": "1234"}],
+	"Path": "/domain.User/GetAll",
 }}
 
 bob_tenant_admin = {

internal/gateway/auth/auth_token_test.go

@@ -17,6 +17,7 @@ package auth
 import (
 	"time"
 
+	"github.com/finleap-connect/monoskope/pkg/api/gateway"
 	"github.com/finleap-connect/monoskope/pkg/jwt"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
@@ -32,4 +33,11 @@ var _ = Describe("internal/gateway/auth/token", func() {
 		t.Expiry = jose_jwt.NewNumericDate(time.Now().UTC().Add(time.Hour * -12))
 		Expect(t.Validate(expectedIssuer)).To(HaveOccurred())
 	})
+
+	It("validate api token", func() {
+		t := NewApiToken(&jwt.StandardClaims{}, expectedIssuer, "me", expectedValidity, []gateway.AuthorizationScope{gateway.AuthorizationScope_WRITE_SCIM})
+		t.Expiry = jose_jwt.NewNumericDate(time.Now().UTC().Add(time.Hour * 1))
+		Expect(t.Validate(expectedIssuer)).ToNot(HaveOccurred())
+		Expect(t.Scope).To(Equal(gateway.AuthorizationScope_WRITE_SCIM.String()))
+	})
 })

internal/gateway/auth_server.go

@@ -92,7 +92,7 @@ func NewInsecureAuthServerClient(ctx context.Context, gatewayAddr string) (*grpc
 }
 
 func (s *authServer) Print(_ print.Context, msg string) error {
-	s.log.V(logger.DebugLevel).Info(msg)
+	s.log.V(logger.DebugLevel).WithValues("source", "rego").Info(msg)
 	return nil
 }
 
@@ -180,11 +180,6 @@ func (s *authServer) Check(ctx context.Context, req *gateway.CheckRequest) (*gat
 
 // validatePolicies validates the configured policies using OPA
 func (s *authServer) validatePolicies(ctx context.Context, req *gateway.CheckRequest, authToken *jwt.AuthToken) (bool, error) {
-	userId, err := uuid.Parse(authToken.Subject)
-	if err != nil {
-		return false, fmt.Errorf("failed to parse user id from token: %w", err)
-	}
-
 	input := policyInput{
 		User: policyUser{
 			Id:   authToken.Subject,
@@ -198,18 +193,21 @@ func (s *authServer) validatePolicies(ctx context.Context, req *gateway.CheckReq
 		CommandTypes: commands.CommandTypes,
 	}
 
-	roleBindings, err := s.roleBindingRepo.ByUserId(ctx, userId)
-	if err != nil {
-		return false, fmt.Errorf("failed get rolebindings for user: %w", err)
-	}
+	userId, err := uuid.Parse(authToken.Subject)
+	if err == nil {
+		roleBindings, err := s.roleBindingRepo.ByUserId(ctx, userId)
+		if err != nil {
+			return false, fmt.Errorf("failed get rolebindings for user: %w", err)
+		}
 
-	input.User.Roles = make([]policyRoles, 0)
-	for _, role := range roleBindings {
-		input.User.Roles = append(input.User.Roles, policyRoles{
-			Name:     role.Role,
-			Scope:    role.Scope,
-			Resource: role.Resource,
-		})
+		input.User.Roles = make([]policyRoles, 0)
+		for _, role := range roleBindings {
+			input.User.Roles = append(input.User.Roles, policyRoles{
+				Name:     role.Role,
+				Scope:    role.Scope,
+				Resource: role.Resource,
+			})
+		}
 	}
 
 	scopes := strings.Split(authToken.Scope, " ")

internal/gateway/testenv.go

@@ -238,7 +238,7 @@ func NewTestEnvWithParent(testeEnv *test.TestEnv) (*TestEnv, error) {
 
 	gatewayAuthServer, errAuthServer := NewAuthServer(context.Background(), localAddrAPIServer, authServer, env.PoliciesPath, userRoleBindingRepo)
 	if errAuthServer != nil {
-		return nil, err
+		return nil, errAuthServer
 	}
 
 	// Create gRPC server and register implementation

internal/scimserver/auth_handler.go

@@ -15,7 +15,6 @@
 package scimserver
 
 import (
-	"fmt"
 	"net/http"
 
 	"github.com/elimity-com/scim"
@@ -46,7 +45,7 @@ func (h *authHandler) withAuthContext(r *http.Request) (*http.Request, error) {
 			Detail: "Request unauthenticated with " + auth.AuthScheme,
 		}
 	}
-	md := metadata.Pairs(auth.HeaderAuthorization, fmt.Sprintf("%s %v", auth.AuthScheme, token))
+	md := metadata.Pairs(auth.HeaderAuthorization, token)
 	nCtx := metautils.NiceMD(md).ToIncoming(r.Context())
 	return r.WithContext(nCtx), nil
 }

internal/scimserver/server_test.go

@@ -26,6 +26,7 @@ import (
 
 	"github.com/cenkalti/backoff"
 	"github.com/finleap-connect/monoskope/internal/gateway/auth"
+	"github.com/finleap-connect/monoskope/pkg/api/gateway"
 	"github.com/finleap-connect/monoskope/pkg/domain/constants/roles"
 	"github.com/finleap-connect/monoskope/pkg/jwt"
 	"github.com/google/uuid"
@@ -36,17 +37,24 @@ import (
 var _ = Describe("internal/scimserver/Server", func() {
 	var userId uuid.UUID
 
-	getAdminAuthToken := func() string {
+	getAuthToken := func() string {
 		signer := testEnv.gatewayTestEnv.JwtTestEnv.CreateSigner()
-		token := auth.NewAuthToken(&jwt.StandardClaims{Name: testEnv.gatewayTestEnv.AdminUser.Name, Email: testEnv.gatewayTestEnv.AdminUser.Email}, testEnv.gatewayTestEnv.GetApiAddr(), testEnv.gatewayTestEnv.AdminUser.ID().String(), time.Minute*10)
+		token := auth.NewApiToken(
+			&jwt.StandardClaims{Name: testEnv.gatewayTestEnv.AdminUser.Name,
+				Email: testEnv.gatewayTestEnv.AdminUser.Email},
+			testEnv.gatewayTestEnv.GetApiAddr(),
+			"test",
+			time.Minute*10,
+			[]gateway.AuthorizationScope{gateway.AuthorizationScope_WRITE_SCIM},
+		)
 		authToken, err := signer.GenerateSignedToken(token)
 		Expect(err).ToNot(HaveOccurred())
 		return authToken
 	}
 
 	getRequest := func(method string, target string, body io.Reader) *http.Request {
 		req := httptest.NewRequest(method, target, body)
-		req.Header.Add("authorization", getAdminAuthToken())
+		req.Header.Add("authorization", auth.AuthScheme+" "+getAuthToken())
 		return req
 	}
 

internal/scimserver/suite_test.go

@@ -18,6 +18,7 @@ import (
 	"testing"
 
 	"github.com/finleap-connect/monoskope/internal/test"
+	"github.com/onsi/ginkgo"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 )
@@ -36,6 +37,7 @@ var _ = BeforeSuite(func() {
 	done := make(chan interface{})
 
 	go func() {
+		defer ginkgo.GinkgoRecover()
 		var err error
 		By("bootstrapping test env")
 		baseTestEnv = test.NewTestEnv("scimserver-testenv")