feat(enterprise): support bearer tokens in SCIM authentication (#15233)

coadler · web-flow · commit 487b37b228b8 · 2024-10-25T11:52:57.000-05:00
diff --git a/enterprise/coderd/scim.go b/enterprise/coderd/scim.go
@@ -35,8 +35,13 @@ func (api *API) scimEnabledMW(next http.Handler) http.Handler {
 }
 
 func (api *API) scimVerifyAuthHeader(r *http.Request) bool {
+	bearer := []byte("Bearer ")
 	hdr := []byte(r.Header.Get("Authorization"))
 
+	if len(hdr) >= len(bearer) && subtle.ConstantTimeCompare(hdr[:len(bearer)], bearer) == 1 {
+		hdr = hdr[len(bearer):]
+	}
+
 	return len(api.SCIMAPIKey) != 0 && subtle.ConstantTimeCompare(hdr, api.SCIMAPIKey) == 1
 }
 
diff --git a/enterprise/coderd/scim_test.go b/enterprise/coderd/scim_test.go
@@ -56,6 +56,12 @@ func setScimAuth(key []byte) func(*http.Request) {
 	}
 }
 
+func setScimAuthBearer(key []byte) func(*http.Request) {
+	return func(r *http.Request) {
+		r.Header.Set("Authorization", "Bearer "+string(key))
+	}
+}
+
 //nolint:gocritic // SCIM authenticates via a special header and bypasses internal RBAC.
 func TestScim(t *testing.T) {
 	t.Parallel()
@@ -163,6 +169,62 @@ func TestScim(t *testing.T) {
 			require.Empty(t, notifyEnq.Sent)
 		})
 
+		t.Run("OK_Bearer", func(t *testing.T) {
+			t.Parallel()
+
+			ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+			defer cancel()
+
+			// given
+			scimAPIKey := []byte("hi")
+			mockAudit := audit.NewMock()
+			notifyEnq := &testutil.FakeNotificationsEnqueuer{}
+			client, _ := coderdenttest.New(t, &coderdenttest.Options{
+				Options: &coderdtest.Options{
+					Auditor:               mockAudit,
+					NotificationsEnqueuer: notifyEnq,
+				},
+				SCIMAPIKey:   scimAPIKey,
+				AuditLogging: true,
+				LicenseOptions: &coderdenttest.LicenseOptions{
+					AccountID: "coolin",
+					Features: license.Features{
+						codersdk.FeatureSCIM:     1,
+						codersdk.FeatureAuditLog: 1,
+					},
+				},
+			})
+			mockAudit.ResetLogs()
+
+			// when
+			sUser := makeScimUser(t)
+			res, err := client.Request(ctx, "POST", "/scim/v2/Users", sUser, setScimAuthBearer(scimAPIKey))
+			require.NoError(t, err)
+			defer res.Body.Close()
+			require.Equal(t, http.StatusOK, res.StatusCode)
+
+			// then
+			// Expect audit logs
+			aLogs := mockAudit.AuditLogs()
+			require.Len(t, aLogs, 1)
+			af := map[string]string{}
+			err = json.Unmarshal([]byte(aLogs[0].AdditionalFields), &af)
+			require.NoError(t, err)
+			assert.Equal(t, coderd.SCIMAuditAdditionalFields, af)
+			assert.Equal(t, database.AuditActionCreate, aLogs[0].Action)
+
+			// Expect users exposed over API
+			userRes, err := client.Users(ctx, codersdk.UsersRequest{Search: sUser.Emails[0].Value})
+			require.NoError(t, err)
+			require.Len(t, userRes.Users, 1)
+			assert.Equal(t, sUser.Emails[0].Value, userRes.Users[0].Email)
+			assert.Equal(t, sUser.UserName, userRes.Users[0].Username)
+			assert.Len(t, userRes.Users[0].OrganizationIDs, 1)
+
+			// Expect zero notifications (SkipNotifications = true)
+			require.Empty(t, notifyEnq.Sent)
+		})
+
 		t.Run("OKNoDefault", func(t *testing.T) {
 			t.Parallel()
 

Original file line number	Diff line number	Diff line change
`@@ -35,8 +35,13 @@ func (api *API) scimEnabledMW(next http.Handler) http.Handler {`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`func (api API) scimVerifyAuthHeader(r http.Request) bool {`
	`38`	`+ bearer := []byte("Bearer ")`
`38`	`39`	`hdr := []byte(r.Header.Get("Authorization"))`
`39`	`40`
	`41`	`+ if len(hdr) >= len(bearer) && subtle.ConstantTimeCompare(hdr[:len(bearer)], bearer) == 1 {`
	`42`	`+ hdr = hdr[len(bearer):]`
	`43`	`+ }`
	`44`	`+`
`40`	`45`	`return len(api.SCIMAPIKey) != 0 && subtle.ConstantTimeCompare(hdr, api.SCIMAPIKey) == 1`
`41`	`46`	`}`
`42`	`47`