The name of this setting was pretty outdated by now.
It might have disabled the entire API in the past, but that time
is long gone. By now the APIv3 can't be disabled at all and OpenProject
would fall apart if it was disabled.
The only thing that this setting changes is whether users can create
an access token in their account settings and whether tokens created
this way are accepted by OpenProject. So naming and description have
been adapted accordingly.
Previously we'd be hiding the "change password" dialog on the
basis of an external authentication method existing. However, that's
not enough, because (at least with user remapping enabled) it's possible
that a user that logged in via password once gained the ability to log in
through SSO afterwards. Such a user then can use both means to authenticate,
thus they also need to be able to change a potentially compromised password.
Much more work is needed here: Users need to be aware that their password still
works, they need to be able to delete a password if they only want to use SSO and
maybe there's also a use case for deleting an SSO association and going back to
password-based logins. However, all of these things require more UI changes and
some proper product development first.
This change is a first step to improve the situation.
* Re-creates the Registry and Errors under the Adapters namespace.
* Bring Authentication and Strategies to Adapters
* Make Strategies work with Result and clean up a bit of the code
* Set up SetPermissions Command and tests
* Moves create folder, need to add the input value
* Adds the create folder input
* RenameFile migrated
* Files Query and some Result Objects
* Gets the sync service working with the new commands/query
* UploadLinkQuery ported
* FileInfoQuery ported
* FilePathToIdMap moved
* Cleanup unused files and warnings
* Moves DeleteFolder. Updates tests of OneDriveSyncService
* Add some tests for the inputs
* Start moving the bare minimum for the NextcloudSync
* Moves nextcloud FilePathToIdMap
* Create and Delete Folder nextcloud commands
* Port Nextcloud FileInfo and RenameFile
* Implements the changes necessary for create folder on the file picker
* Moves the CreateFolderService to the Adapters
* Move Nextcloud SetPermissions
* AuthCheck moved. Missing tests. Slowly moving the API to Adapters
* Adds note to figure out the open queries
* Move the user and group manipulation to adapters
* Moves Nextcloud FilesQuery
* Makes NextcloudSync run on top of the new Adapter namespace
* Disable Peripherals::Registry
* Update CopyTemplateFolderService
* Makes services green again. Moves the new Nextcloud contract to Adapters
* Moves the new nextcloud contracts and fixes some of the now broken tests
* Reintroduces the Internal namespace in OneDrive. Updates the contracts for Strategy to optionally take a storage (OIDC issues)
* Moves User and DownloadLink Queries and supporting code.
* Start to move the API over the new commands/queries
* Migrates the StorgeFilesAPI to the adapters
* FileLinksAPI cleared
* Updates the Storages API specs and implementations
* OpenStorage API done
* Update capabilities query
* Move connection validators and fix some broken tests
* Delete old code, update hidden dependencies.
* Adds missing handling for sso tokens
- Fix some Rubocop complaints.
- Does not set user.firstname and user.lastname to stupid values,
  to avoid confusion.
- Add inverse_of option to user_auth_provider_links -- provider association.
- Extract ScimitarSchemaExtension module to a dedicated file.
- Fix users/delete_service_spec.rb
- Disable Rails/HttpPositionalArguments completely.
It is often not relevant and breaks specs when rubocop -a is used.
- Support excludedAttributes for all endpoints in SCIM Server API
- Fix excludedAttributes to handle nested attributes correctly, e.g. name.givenName
- Respond with 403 when User can't be deleted due to lack of permissions.
- Refactor scim related code by removing duplication where possible.
- Remove BasicAuth from supported auth schemes.
- Add specific specs to test SCIM authentication.
- Extend specs.
- Use ServiceAccount associated with ScimClient for making user changes
- Remove scoping by scim_client.auth_provider_id
So, SCIM Client has access to any not_builtin User.
- Associate user with AuthProvider configured in ScimModel
instead of choosing the first one.
- Use authenticated ServiceAccount in requests
- Scope User and Group requests by ScimClient related auth_provider_id
- Include ServiceAccount search to doorkeeper_oauth strategy
- Fix SCIM Server API specs.
- Implement excludedAttributes for GET requests.
- Handle uniqueness violations for group creation.
- Make sure PATCH works with adding/replacing/removing group members.
- Pick one user email from a list: primary => work => first alphabetical.
- Mark group as inactive before DeleteJob is scheduled.
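The email precedence named above (primary, then work, then first alphabetical), as an added example in Ruby that is not OpenProject's own code. It assumes the input is the SCIM "emails" multi-valued attribute (an array of hashes with "value", optional "type" and optional "primary"); the sample list is constructed for the demonstration.

```ruby
# Added example, not OpenProject code: choose the address to store in user.mail
# from a SCIM "emails" list. Precedence: primary => work => first alphabetical.
# Input shape assumed: [{ "value" => "...", "type" => "work", "primary" => true }, ...]

def pick_user_email(emails)
  # Ignore malformed entries and blank values so a bad client payload
  # can never select an empty address.
  entries = Array(emails).select do |e|
    e.is_a?(Hash) && e["value"].to_s.strip != ""
  end
  return nil if entries.empty?

  # 1. An entry explicitly flagged as primary (SCIM allows at most one).
  primary = entries.find { |e| e["primary"] == true }
  return primary["value"] if primary

  # 2. Otherwise the first entry typed "work" (type is matched case-insensitively).
  work = entries.find { |e| e["type"].to_s.casecmp("work").zero? }
  return work["value"] if work

  # 3. Otherwise the alphabetically first address, compared case-insensitively.
  entries.map { |e| e["value"] }.min_by(&:downcase)
end

# Constructed sample payloads
SAMPLE_TYPED = [
  { "value" => "zed@example.com", "type" => "home" },
  { "value" => "anna@example.com", "type" => "Work" },
].freeze

SAMPLE_PRIMARY = [
  { "value" => "zed@example.com", "type" => "home", "primary" => true },
  { "value" => "anna@example.com", "type" => "work" },
].freeze

SAMPLE_UNTYPED = [
  { "value" => "Zed@example.com" },
  { "value" => "bob@example.com" },
  { "value" => "" },
].freeze

if __FILE__ == $PROGRAM_NAME
  puts pick_user_email(SAMPLE_TYPED)    # anna@example.com
  puts pick_user_email(SAMPLE_PRIMARY)  # zed@example.com
  puts pick_user_email(SAMPLE_UNTYPED)  # bob@example.com
end
```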
Handling authentication through our regular warden strategies.
Permissions-wise the only thing we can check for is whether the authenticated
user is an admin. Though this will require us to grant admin privileges to
all SCIM clients, which might be more than we want to do.
- Enable SCIM Patch.
- Use user_auth_provider_links instead of users.identity_url.
- Extend SCIM ActiveRecord base scopes to join and preload appropriate associations.
- Set a stub for user.firstname and user.lastname if they are not provided by SCIM client.
- Handle user unique constraint violation according to SCIM spec.
- Move user_auth_provider_links association to principal as group needs it as well.
- Set user.mail dynamically from the list of emails provided by SCIM client.
- Change BaseServices::Create contract to accept model instance as a constructor parameter.
It gives an option to build associations before model creation.
- Extend SCIM server API schema to include externalId.
- Adjust specs.
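The excludedAttributes handling mentioned in these notes, including the nested case (name.givenName) and multi-valued attributes (emails.type), as an added Ruby example that is not OpenProject's SCIM server code. It assumes the resource is a plain Hash as it would be serialized to JSON, that attribute names are matched case-insensitively as the SCIM core schema (RFC 7643) specifies, and that "id" and "schemas" are always returned regardless of the parameter; the sample user is constructed.

```ruby
# Added example, not OpenProject code: apply a SCIM "excludedAttributes"
# query parameter to a resource hash before it is rendered.
# Assumptions: resource is a Hash with string keys; nested paths use "."
# and multi-valued attributes are Arrays of Hashes; matching is case-insensitive.

# Attributes whose returnability is "always" cannot be excluded by the client.
ALWAYS_RETURNED = %w[id schemas].freeze

# "name.givenName, emails.type" => ["name.givenName", "emails.type"]
def parse_excluded_attributes(param)
  param.to_s.split(",").map(&:strip).reject(&:empty?)
end

# Returns a new hash; the input resource is left untouched.
def apply_excluded_attributes(resource, excluded)
  copy = Marshal.load(Marshal.dump(resource))
  excluded
    .reject { |path| ALWAYS_RETURNED.include?(path.downcase) }
    .each { |path| remove_path(copy, path.split(".")) }
  copy
end

# Walk one dotted path into the node and delete the leaf, descending into
# every element of a multi-valued attribute along the way.
def remove_path(node, segments)
  case node
  when Array
    node.each { |element| remove_path(element, segments) }
  when Hash
    head, *rest = segments
    key = node.keys.find { |k| k.to_s.casecmp(head).zero? }
    return node if key.nil?
    if rest.empty?
      node.delete(key)
    else
      remove_path(node[key], rest)
      # Drop a complex attribute that has become empty rather than render {}.
      node.delete(key) if node[key].respond_to?(:empty?) && node[key].empty?
    end
  end
  node
end

def scim_response(resource, excluded_param)
  apply_excluded_attributes(resource, parse_excluded_attributes(excluded_param))
end

# Constructed sample user (id is a placeholder, not a real record)
SAMPLE_USER = {
  "schemas" => ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id" => "placeholder-id",
  "userName" => "bjensen",
  "name" => { "givenName" => "Barbara", "familyName" => "Jensen" },
  "emails" => [{ "value" => "bjensen@example.com", "type" => "work", "primary" => true }],
}.freeze

if __FILE__ == $PROGRAM_NAME
  require "json"
  puts JSON.pretty_generate(scim_response(SAMPLE_USER, "name.givenName,emails.type,id"))
end
```

Filtering the always-returned names out of the parsed list, instead of checking them inside the recursive walk, keeps the walk agnostic of depth: "id" at the top level stays, while a nested attribute that happens to be called "id" would still be removable.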
ServiceProviderConfig endpoint will communicate that PATCH is not supported.
PATCH is optional according to the specification.
Main reason for disabling it:
it requires special treatment of adding/removing group members,
because in OpenProject it should be done through a service (Groups::UpdateService, which
uses Groups::AddUsersService underneath), not the model association.
Important changes:
1. Use ignored_columns to try to avoid downtime.
2. Add unique constraint for auth_provider_id+external_id.
Co-authored-by: Jan Sandbrink <453584+username@users.noreply.github.com>
Previously we only got the slug name of the provider
as a string, which doesn't allow to further use the provider.
Converting it back into its AR representation allows to call
further methods on it, e.g. checking support for certain capabilities.
https://community.openproject.org/work_packages/57835
Let's assume we have two OpenProject threads that sent a request to Nextcloud and received Unauthorized. Then each does the following:
A. Send refresh token request on Nextcloud side.
B. Send original request but with new token received in A.
C. If B is successful then update token in OpenProject DB.
There are problems with above:
1. Before this commit the three operations above are not synchronized, which leads to an inconsistent state when the
token has been updated on Nextcloud side, but it is not saved in OpenProject DB.
2. The logic of steps B and C is wrong. The original request can be unsuccessful even with an updated token. That's no reason to skip
updating the token in OpenProject DB.
What has changed in this commit?
The logic has been changed to the following:
1. Try to acquire a lock. Acquired?
   A. Yes.
      1. Send refresh token request on Nextcloud side.
      2. Update token in OpenProject DB.
      3. Release the lock.
      4. Send original request but with new token received in 1.
   B. No. Then respond with error.
There are two main points introduced:
1. Advisory lock around refresh token request to Nextcloud and update token data in OpenProject DB.
2. Removal of the wrong condition (when updating the token data in OpenProject DB depends on successful repetition of the
original request to Nextcloud but with the newly received token)
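The corrected flow described above (try the lock; if acquired, refresh, persist, release, then retry; otherwise respond with an error), as an added Ruby example that is not OpenProject's code. It assumes an in-process Mutex standing in for the database advisory lock, a constructed fake Nextcloud whose token endpoint rotates the access token, and a constructed in-memory token row; the token values are placeholders. It also covers the second point: the refreshed token is persisted before the retry, so a retry that fails for an unrelated reason no longer discards it.

```ruby
# Added example, not OpenProject code. A Mutex stands in for the DB advisory
# lock; FakeNextcloud and TokenStore are constructed stand-ins for the real
# remote and the real token row.

# Constructed stand-in for the OAuth token row in OpenProject's DB.
class TokenStore
  attr_reader :refresh_lock, :save_count
  def initialize(access_token:, refresh_token:)
    @row = { access_token: access_token, refresh_token: refresh_token }
    @refresh_lock = Mutex.new # stands in for the advisory lock
    @save_count = 0
  end
  def current; @row.dup; end
  def save!(access_token:, refresh_token:)
    @row = { access_token: access_token, refresh_token: refresh_token }
    @save_count += 1
  end
end

# Constructed fake Nextcloud: only the current access token is accepted;
# every refresh rotates it. retry_status lets a test make the retried
# request fail for a reason unrelated to the token (e.g. 500).
class FakeNextcloud
  attr_reader :refresh_calls
  def initialize(valid_token:, retry_status: 200)
    @valid, @retry_status, @counter, @refresh_calls = valid_token, retry_status, 0, 0
  end
  def request(token)
    return { status: 401 } unless token == @valid
    @retry_status == 200 ? { status: 200, body: "ok" } : { status: @retry_status }
  end
  def refresh(_refresh_token)
    @refresh_calls += 1
    @counter += 1
    @valid = "access-#{@counter}"
    { access_token: @valid, refresh_token: "refresh-#{@counter}" }
  end
end

# The flow from the commit: on 401, try the lock; refresh and persist under
# the lock; release; then retry. Without the lock, answer with an error.
def with_token_refresh(store, nextcloud)
  response = nextcloud.request(store.current[:access_token])
  return response unless response[:status] == 401

  return { status: :error, reason: :refresh_in_progress } unless store.refresh_lock.try_lock
  begin
    fresh = nextcloud.refresh(store.current[:refresh_token])
    store.save!(**fresh) # persisted regardless of how the retry turns out
  ensure
    store.refresh_lock.unlock
  end
  nextcloud.request(store.current[:access_token])
end

# Stale token, lock free: one refresh, one save, retry succeeds; a second
# call needs no refresh at all. retry_status shows the save still happens
# when the retried request fails.
def demo_sequential(retry_status: 200)
  nc = FakeNextcloud.new(valid_token: "access-0", retry_status: retry_status)
  store = TokenStore.new(access_token: "stale", refresh_token: "refresh-0")
  first = with_token_refresh(store, nc)
  second = with_token_refresh(store, nc)
  { first: first, second: second, refresh_calls: nc.refresh_calls,
    saved: store.save_count, token: store.current[:access_token] }
end

# Another worker holds the lock: no refresh is attempted, caller gets an error.
def demo_lock_held
  nc = FakeNextcloud.new(valid_token: "access-0")
  store = TokenStore.new(access_token: "stale", refresh_token: "refresh-0")
  release = Queue.new
  holder = Thread.new { store.refresh_lock.synchronize { release.pop } }
  sleep 0.001 until store.refresh_lock.locked?
  result = with_token_refresh(store, nc)
  release << :go
  holder.join
  { result: result, refresh_calls: nc.refresh_calls, saved: store.save_count }
end

if __FILE__ == $PROGRAM_NAME
  p demo_sequential
  p demo_sequential(retry_status: 500)
  p demo_lock_held
end
```

Answering with an error instead of blocking on the lock keeps the request threads from queueing behind a slow token endpoint; a caller that gets :refresh_in_progress can simply re-issue the request once the refresh has been persisted.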