Implements the Authentication Configuration Checks (opf#18377)

* Implements SSO tests
* Implements some rudimentary OAuth2 tests
* Incorporates feedback
* Adds a user bound request on SSO

Author: mereghost

modules/storages/app/common/storages/peripherals/connection_validators/check_result.rb

@@ -45,8 +45,14 @@ def self.success(key)
           new(key:, state: :success, message: nil, timestamp: Time.zone.now)
         end
 
+        def self.warning(key, message)
+          new(key:, state: :warning, message: message, timestamp: Time.zone.now)
+        end
+
         def success? = state == :success
         def failure? = state == :failure
+        def warning? = state == :warning
+        def skipped? = state == :skipped
       end
     end
   end

modules/storages/app/common/storages/peripherals/connection_validators/nextcloud/authentication_validator.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
+module Storages
+  module Peripherals
+    module ConnectionValidators
+      module Nextcloud
+        class AuthenticationValidator < BaseValidator
+          def initialize(storage)
+            super
+            @user = User.current
+          end
+
+          private
+
+          def validate
+            @storage.authenticate_via_idp? ? validate_sso : validate_oauth
+          end
+
+          def validate_oauth
+            register_checks(:existing_token, :user_bound_request)
+
+            oauth_token
+            user_bound_request
+          end
+
+          def oauth_token
+            if OAuthClientToken.where(user: @user, oauth_client: @storage.oauth_client).any?
+              pass_check(:existing_token)
+            else
+              warn_check(:existing_token, message(:oauth_token_missing), halt_validation: true)
+            end
+          end
+
+          def user_bound_request
+            Registry["nextcloud.queries.user"].call(storage: @storage, auth_strategy:).on_failure do
+              fail_check(:user_bound_request, message("oauth_request_#{it.result}"))
+            end
+
+            pass_check(:user_bound_request)
+          end
+
+          def auth_strategy = Registry["nextcloud.authentication.user_bound"].call(storage: @storage, user: @user)
+
+          def validate_sso
+            register_checks(:non_provisioned_user, :provisioned_user_provider, :token_negotiable, :user_bound_request)
+
+            non_provisioned_user
+            non_oidc_provisioned_user
+            token_negotiable
+            user_bound_request
+          end
+
+          def non_provisioned_user
+            if @user.identity_url.present?
+              pass_check(:non_provisioned_user)
+            else
+              warn_check(:non_provisioned_user, message(:oidc_non_provisioned_user), halt_validation: true)
+            end
+          end
+
+          def non_oidc_provisioned_user
+            if @user.authentication_provider.is_a?(OpenIDConnect::Provider)
+              pass_check(:provisioned_user_provider)
+            else
+              warn_check(:provisioned_user_provider, message(:oidc_non_oidc_user), halt_validation: true)
+            end
+          end
+
+          def token_negotiable
+            service = OpenIDConnect::UserTokens::FetchService.new(user: @user)
+
+            result = service.access_token_for(audience: @storage.audience)
+            return pass_check(:token_negotiable) if result.success?
+
+            error_code = case result.failure
+                         in { code: /token_exchange/ | :unable_to_exchange_token }
+                           :oidc_cant_exchange_token
+                         in { code: /token_refresh/ }
+                           :oidc_cant_refresh_token
+                         in { code: :no_token_for_audience }
+                           :oidc_cant_acquire_token
+                         else
+                           :unknown_error
+                         end
+
+            fail_check(:token_negotiable, message(error_code))
+          end
+        end
+      end
+    end
+  end
+end

modules/storages/app/common/storages/peripherals/connection_validators/nextcloud/base_configuration_validator.rb

@@ -32,30 +32,23 @@ module Storages
   module Peripherals
     module ConnectionValidators
       module Nextcloud
-        class BaseConfigurationValidator
-          def initialize(storage)
-            @storage = storage
-            @results = build_result_list
-          end
+        class BaseConfigurationValidator < BaseValidator
+          private
 
-          def call
-            catch :interrupted do
-              capabilities_request_failed
-              host_url_not_found
-              missing_dependencies
-              version_mismatch
-            end
+          def validate
+            register_checks(:capabilities_request, :host_url_accessible, :dependencies_check, :dependencies_versions)
 
-            @results
+            capabilities_request_status
+            host_url_not_found
+            missing_dependencies
+            version_mismatch
           end
 
-          private
-
-          def capabilities_request_failed
+          def capabilities_request_status
             if capabilities.failure? && capabilities.result != :not_found
-              fail_check(__method__, message(:error))
+              fail_check(:capabilities_request, message(:error))
             else
-              pass_check(__method__)
+              pass_check(:capabilities_request)
             end
           end
 
@@ -64,9 +57,9 @@ def version_mismatch
             capabilities_result = capabilities.result
 
             if capabilities_result.app_version < min_app_version
-              fail_check(__method__, message(:app_version_mismatch))
+              fail_check(:dependencies_versions, message(:app_version_mismatch))
             else
-              pass_check(__method__)
+              pass_check(:dependencies_versions)
             end
           end
 
@@ -75,24 +68,20 @@ def missing_dependencies
             app_name = I18n.t("storages.dependencies.nextcloud.integration_app")
 
             if capabilities_result.app_disabled?
-              fail_check(__method__, message(:missing_dependencies, dependency: app_name))
+              fail_check(:dependencies_check, message(:missing_dependencies, dependency: app_name))
             else
-              pass_check(__method__)
+              pass_check(:dependencies_check)
             end
           end
 
           def host_url_not_found
             if capabilities.result == :not_found
-              fail_check(__method__, message(:host_not_found))
+              fail_check(:host_url_accessible, message(:host_not_found))
             else
-              pass_check(__method__)
+              pass_check(:host_url_accessible)
             end
           end
 
-          def message(key, context = {})
-            I18n.t("storages.health.connection_validation.#{key}", **context)
-          end
-
           def noop = StorageInteraction::AuthenticationStrategies::Noop.strategy
 
           def capabilities
@@ -105,28 +94,6 @@ def nextcloud_dependencies
           end
 
           def path_to_config = Rails.root.join("modules/storages/config/nextcloud_dependencies.yml")
-
-          def fail_check(key, message)
-            update_result(key, CheckResult.failure(key, message))
-            throw :interrupted
-          end
-
-          def pass_check(key)
-            update_result(key, CheckResult.success(key))
-          end
-
-          def update_result(method, value)
-            @results[method.to_sym] = value
-          end
-
-          def build_result_list
-            {
-              capabilities_request_failed: CheckResult.skipped(:capabilities_request_failed),
-              host_url_not_found: CheckResult.skipped(:host_url_not_found),
-              missing_dependencies: CheckResult.skipped(:missing_dependencies),
-              version_mismatch: CheckResult.skipped(:version_mismatch)
-            }
-          end
         end
       end
     end

modules/storages/app/common/storages/peripherals/connection_validators/nextcloud/base_validator.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
+module Storages
+  module Peripherals
+    module ConnectionValidators
+      module Nextcloud
+        class BaseValidator
+          def initialize(storage)
+            @storage = storage
+          end
+
+          def call
+            catch :interrupted do
+              validate
+            end
+
+            @results
+          end
+
+          private
+
+          def validate = raise Errors::SubclassResponsibility
+
+          def register_checks(*keys)
+            @results = keys.to_h { [it, CheckResult.skipped(it)] }
+          end
+
+          def update_result(key, value)
+            if @results&.has_key?(key)
+              @results[key] = value
+            else
+              raise ArgumentError, "Check #{key} not registered."
+            end
+          end
+
+          def pass_check(key)
+            update_result(key, CheckResult.success(key))
+          end
+
+          def fail_check(key, message)
+            update_result(key, CheckResult.failure(key, message))
+            throw :interrupted
+          end
+
+          def warn_check(key, message, halt_validation: false)
+            update_result(key, CheckResult.warning(key, message))
+            throw :interrupted if halt_validation
+          end
+
+          def message(key, context = {})
+            I18n.t("storages.health.connection_validation.#{key}", **context)
+          end
+        end
+      end
+    end
+  end
+end

modules/storages/config/locales/en.yml

@@ -243,6 +243,9 @@ en:
         host_not_found: No Nextcloud server found at the configured host url. Please check the configuration.
         missing_dependencies: 'A required dependency is missing on the file storage. Please add the following dependency: %{dependency}.'
         not_configured: The connection could not be validated. Please finish configuration first.
+        oauth_request_not_found: OpenProject couldn't find the root folder of Nextcloud using the current logged-in user. Please check the server logs for further information.
+        oauth_request_unauthorized: The current user isn't authorized to see the main folder of Nextcloud or we couldn't acquire a token. Please check the server logs for further information.
+        oauth_token_missing: OpenProject cannot test the user level communication with Nextcloud as there's no token for the current user.
         oidc_cant_acquire_token: Your OpenID Connect setup doesn't provide the necessary audience, nor provides token exchange capabilities. Please check out our documentation for more information.
         oidc_cant_exchange_token: There seems to be a problem with the Token Exchange setup on your OpenID Connect Provider. Please check its configuration and try again.
         oidc_cant_refresh_token: There was an error while trying to check your access to the storage. Please check the server logs for further information.