[SCIM 3/4]: SCIM client token CRUD + Bearer auth

[jmpesp]

Implement the CRUD routines for the tokens that will be used to authenticate SCIM clients for SamlScim Silos. Also implement the Bearer based authentication for SCIM clients.

Fill in the skeleton of CrdbScimProviderStore, which when implemented will complete the SCIM implementation in Nexus.

[david-crespo]

Why is this needed?

[david-crespo]

Yeah, I can't find a spot where the external-scim opctx needs to do this. Is it intended for the unimplemented list users operation etc?

[david-crespo]

I think it would be good for this name to make clearer that it handles token authentication. scim_idp_get_provider sounds like a lookup. It might even make sense to split it into two pieces, one that is the authn and one that gets the provider based on the token. But that's silly if they're always called together, and you don't really want to return the token back to the call site either. scim_token_auth_and_get_provider is a bit much I guess.

[david-crespo]

This might be more relevant in the next PR, when you implement the actual SCIM operations, but it could make sense to mirror op_context_for_external_api and wrap up the authentication and the creation of the op context into one operation. Right now it looks like the unimplemented SCIM things don't take and OpContext but they will need to in order to do DB operations. Or at least, that's how I think it should work: op context created at top level at authn time and then passed into the provider methods.

omicron/nexus/src/context.rs

Lines 335 to 359 in ef318b3

	/// Authenticates an incoming request to the external API and produces a new
	/// operation context for it
	pub(crate) async fn op_context_for_external_api(
	rqctx: &dropshot::RequestContext<ApiContext>,
	) -> Result<OpContext, dropshot::HttpError> {
	let apictx = rqctx.context();
	OpContext::new_async(
	&rqctx.log,
	async {
	let authn = Arc::new(
	apictx.context.external_authn.authn_request(rqctx).await?,
	);
	let datastore = Arc::clone(apictx.context.nexus.datastore());
	let authz = authz::Context::new(
	Arc::clone(&authn),
	Arc::clone(&apictx.context.authz),
	datastore,
	);
	Ok((authn, authz))
	},
	|metadata| OpContext::load_request_metadata(rqctx, metadata),
	OpKind::ExternalApiRequest,
	)
	.await
	}

[david-crespo]

I had a good conversation with the Codex CLI about the choice to effectively bypass the existing authn schemes setup here, treating these calls as "unauthed" from the point of view of the main authn system. The robot was pretty persuasive but I think the choice is worth pointing out and documenting in comments, probably on the scim_idp_get_provider.

https://gist.github.com/david-crespo/14d25cb770f9e10195f6d0ea45286874

[david-crespo]

This seems to me too lenient of a check. Any silo viewer has ListChildren on the silo. Maybe that's fine considering the list of tokens doesn't actually tell you anything. But it's something to think about.

omicron/nexus/db-queries/tests/output/authz-roles.out

Lines 183 to 195 in ef318b3

	resource: Silo "silo1"
	USER Q R LC RP M MP CC D
	fleet-admin ✘ ✔ ✘ ✔ ✔ ✔ ✘ ✔
	fleet-collaborator ✘ ✔ ✘ ✔ ✔ ✔ ✘ ✔
	fleet-viewer ✘ ✔ ✘ ✔ ✘ ✘ ✘ ✘
	silo1-admin ✘ ✔ ✔ ✔ ✔ ✔ ✔ ✔
	silo1-collaborator ✘ ✔ ✔ ✔ ✘ ✘ ✔ ✘
	silo1-viewer ✘ ✔ ✔ ✔ ✘ ✘ ✘ ✘
	silo1-proj1-admin ✘ ✔ ✘ ✔ ✘ ✘ ✘ ✘
	silo1-proj1-collaborator ✘ ✔ ✘ ✔ ✘ ✘ ✘ ✘
	silo1-proj1-viewer ✘ ✔ ✘ ✔ ✘ ✘ ✘ ✘
	unauthenticated ! ! ! ! ! ! ! !

The only way I know of to make this more restrictive is to create a "synthetic" authz resource representing the list of scim tokens for a given silo and then do the authz checks against that. Here's an example of a synthetic authz list resource with its own permissions distinct from silo ListChildren:

omicron/nexus/auth/src/authz/api_resources.rs

Lines 672 to 695 in ef318b3

	/// Synthetic resource describing the list of Identity Providers associated with
	/// a Silo
	#[derive(Clone, Debug, Eq, PartialEq)]
	pub struct SiloIdentityProviderList(Silo);
	impl SiloIdentityProviderList {
	pub fn new(silo: Silo) -> SiloIdentityProviderList {
	SiloIdentityProviderList(silo)
	}
	pub fn silo(&self) -> &Silo {
	&self.0
	}
	}
	impl oso::PolarClass for SiloIdentityProviderList {
	fn get_polar_class_builder() -> oso::ClassBuilder<Self> {
	oso::Class::builder()
	.with_equality_check()
	.add_attribute_getter("silo", |list: &SiloIdentityProviderList| {
	list.0.clone()
	})
	}
	}

[david-crespo]

I don't think you need to specify ListChildren here, you can just do .fetch() and let the datastore method handle the permission relevant on the token list.

[papertigers]

Do you mind filing a follow up ticket for this and noting it in the comment

[papertigers]

do we need filters for where we are not past the expired time here and other places?

[papertigers]

Suggested change

	let token = match header.to_str() {
	Ok(v) => v,
	Err(_) => {
	return Err(Error::Unauthenticated {
	internal_message: "Invalid bearer token".to_string(),
	});
	}
	};
	let Ok(token) = header.to_str() else {
	return Err(Error::Unauthenticated {
	internal_message: "Invalid bearer token".to_string(),
	});
	};

[papertigers]

I don't remember where we landed on this but assuming this logic is correct we are going to require operators to use Bearer xxx-xxx-xxx-xxx on the IdP side rather than just a raw header value?

Also the logic could simply become:

        let Some(token) = token.strip_prefix(BEARER) else {
            return Err(Error::Unauthenticated {
                internal_message: "Invalid bearer token".to_string(),
            });
        };

Then that could be passed to scim_idp_lookup_token_by_bearer() directly.

[papertigers]

Just going off of the comment here, but can we add a test that a non fleet admin cannot create a SCIM client token?