Merge pull request opf#18436 from opf/jwt-client-credentials

JWT: Allow authentication through client credentials

Author: NobodysNightmare

Diff for: app/models/service_account.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
+class ServiceAccount < User
+  alias_attribute(:name, :lastname)
+  validates :name, presence: true
+  validates :name, length: { maximum: 256 }
+
+  has_one :service_account_association, dependent: :destroy
+
+  def to_s
+    name
+  end
+
+  def available_custom_fields = []
+
+  def logged? = false
+
+  def builtin? = true
+
+  def mail = ""
+
+  def time_zone
+    ActiveSupport::TimeZone[Setting.user_default_timezone.presence || "Etc/UTC"]
+  end
+
+  def rss_key = nil
+end

Diff for: app/models/service_account_association.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
+class ServiceAccountAssociation < ApplicationRecord
+  belongs_to :service_account
+  belongs_to :service, polymorphic: true
+end

Diff for: db/migrate/20250324133701_create_service_account_associations.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
+class CreateServiceAccountAssociations < ActiveRecord::Migration[7.1]
+  def change
+    create_table :service_account_associations do |t|
+      t.belongs_to :service_account, null: false, index: { unique: true }
+      t.belongs_to :service, null: false, index: false # necessary index covered by composite
+      t.string :service_type, null: false
+
+      t.timestamps null: false
+
+      t.index %i[service_type service_id], unique: true
+    end
+  end
+end

Diff for: lib_static/open_project/authentication/strategies/warden/jwt_oidc.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module OpenProject
   module Authentication
     module Strategies
@@ -24,7 +26,11 @@ def authenticate!
               ->(payload_and_provider) do
                 payload, provider = payload_and_provider
                 user = User.find_by(identity_url: "#{provider.slug}:#{payload['sub']}")
-                success!(user) if user
+                if user
+                  success!(user)
+                else
+                  fail_with_header!(error: "invalid_token", error_description: "The user identified by the token is not known")
+                end
               end,
               ->(error) { fail_with_header!(error: "invalid_token", error_description: error) }
             )

Diff for: spec/factories/service_account_factory.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
+FactoryBot.define do
+  factory :service_account, parent: :user, class: "ServiceAccount" do
+    transient do
+      service { nil }
+    end
+
+    after(:create) do |instance, evaluator|
+      if evaluator.service.present?
+        instance.create_service_account_association!(service: evaluator.service)
+      end
+    end
+  end
+end

Diff for: spec/requests/api/v3/authentication_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 #-- copyright
 # OpenProject is an open source project management software.
 # Copyright (C) the OpenProject GmbH
@@ -421,10 +423,11 @@ def set_basic_auth_header(user, password)
         .to_return(status: 200, body: JWT::JWK::Set.new(jwk_response).export.to_json, headers: {})
     end
     let(:jwk_response) { jwk }
+    let(:user) { create(:user, identity_url: "keycloak:#{token_sub}") }
 
     before do
       create(:oidc_provider, slug: "keycloak")
-      create(:user, identity_url: "keycloak:#{token_sub}")
+      user.save!
       keys_request_stub
 
       header "Authorization", "Bearer #{token}"
@@ -511,5 +514,18 @@ def set_basic_auth_header(user, password)
           .to eq(%{Bearer realm="OpenProject API", error="invalid_token", error_description="#{error}"})
       end
     end
+
+    context "when user identified by token is not known" do
+      let(:user) { create(:user, identity_url: "keycloak:not-the-token-sub") }
+
+      it "fails with HTTP 401 Unauthorized" do
+        get resource
+        expect(last_response).to have_http_status :unauthorized
+        expect(JSON.parse(last_response.body)).to eq(error_response_body)
+        error = "The user identified by the token is not known"
+        expect(last_response.header["WWW-Authenticate"])
+          .to eq(%{Bearer realm="OpenProject API", error="invalid_token", error_description="#{error}"})
+      end
+    end
   end
 end

Diff for: spec/workers/principals/delete_job_integration_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 #-- copyright
 # OpenProject is an open source project management software.
 # Copyright (C) the OpenProject GmbH
@@ -516,6 +518,25 @@
       end
     end
 
+    context "with a service account" do
+      describe "service account association" do
+        let(:principal) { create(:service_account, service:) }
+        let(:service) { create(:oauth_application) }
+
+        before do
+          principal.save!
+        end
+
+        it "deletes the service account association" do
+          expect { job }.to change(ServiceAccountAssociation, :count).from(1).to(0)
+        end
+
+        it "does not delete the service associated to the service account" do
+          expect { job }.not_to change(Doorkeeper::Application, :count)
+        end
+      end
+    end
+
     context "with a placeholder user" do
       let(:principal) { create(:placeholder_user) }