[EC-261] SCIM (#2105)

* scim project stub

* some scim models and v2 controllers

* implement some v2 scim endpoints

* fix spacing

* api key auth

* EC-261 - SCIM Org API Key and connection type config

* EC-261 - Fix lint errors/formatting

* updates for okta implementation testing

* fix var ref

* updates from testing with Okta

* implement scim context via provider parsing

* support single and list of ids for add/remove groups

* log ops not handled

* touch up scim context

* group list filtering

* EC-261 - Additional SCIM provider types

* EC-265 - UseScim flag and license update

* EC-265 - SCIM provider type of default (0)

* EC-265 - Add Scim URL and update connection validation

* EC-265 - Model validation and cleanup for SCIM keys

* implement scim org connection

* EC-265 - Ensure ServiceUrl is not persisted to DB

* EC-265 - Exclude provider type from DB if not configured

* EC-261 - EF Migrations for SCIM

* add docker builds for scim

* EC-261 - Fix failing permissions tests

* EC-261 - Fix unit tests and pgsql migrations

* Formatting fixes from linter

* EC-265 - Remove service URL from scim config

* EC-265 - Fix unit tests, removed wayward validation

* EC-265 - Require self-hosted for billing sync org conn

* EC-265 - Fix formatting issues - whitespace

* EC-261 - PR feedback and cleanup

* scim constants rename

* no scim settings right now

* update project name

* delete package lock

* update appsettings configs for scim

* use default scim provider for context

Co-authored-by: Kyle Spearrin <kyle.spearrin@gmail.com>

bitwarden_license/src/Scim/Utilities/ApiKeyAuthenticationHandler.cs

@@ -0,0 +1,83 @@
+using System.Security.Claims;
+using System.Text.Encodings.Web;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using Bit.Scim.Context;
+using IdentityModel;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.Extensions.Options;
+
+namespace Bit.Scim.Utilities
+{
+    public class ApiKeyAuthenticationHandler : AuthenticationHandler<ApiKeyAuthenticationOptions>
+    {
+        private readonly IOrganizationRepository _organizationRepository;
+        private readonly IOrganizationApiKeyRepository _organizationApiKeyRepository;
+        private readonly IScimContext _scimContext;
+
+        public ApiKeyAuthenticationHandler(
+            IOptionsMonitor<ApiKeyAuthenticationOptions> options,
+            ILoggerFactory logger,
+            UrlEncoder encoder,
+            ISystemClock clock,
+            IOrganizationRepository organizationRepository,
+            IOrganizationApiKeyRepository organizationApiKeyRepository,
+            IScimContext scimContext) :
+            base(options, logger, encoder, clock)
+        {
+            _organizationRepository = organizationRepository;
+            _organizationApiKeyRepository = organizationApiKeyRepository;
+            _scimContext = scimContext;
+        }
+
+        protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
+        {
+            if (!_scimContext.OrganizationId.HasValue || _scimContext.Organization == null)
+            {
+                Logger.LogWarning("No organization.");
+                return AuthenticateResult.Fail("Invalid parameters");
+            }
+
+            if (!Request.Headers.TryGetValue("Authorization", out var authHeader) || authHeader.Count != 1)
+            {
+                Logger.LogWarning("An API request was received without the Authorization header");
+                return AuthenticateResult.Fail("Invalid parameters");
+            }
+            var apiKey = authHeader.ToString();
+            if (apiKey.StartsWith("Bearer "))
+            {
+                apiKey = apiKey.Substring(7);
+            }
+
+            if (!_scimContext.Organization.Enabled || !_scimContext.Organization.UseScim ||
+                _scimContext.ScimConfiguration == null || !_scimContext.ScimConfiguration.Enabled)
+            {
+                Logger.LogInformation("Org {organizationId} not able to use Scim.", _scimContext.OrganizationId);
+                return AuthenticateResult.Fail("Invalid parameters");
+            }
+
+            var orgApiKey = (await _organizationApiKeyRepository
+                .GetManyByOrganizationIdTypeAsync(_scimContext.Organization.Id, OrganizationApiKeyType.Scim))
+                .FirstOrDefault();
+            if (orgApiKey?.ApiKey != apiKey)
+            {
+                Logger.LogWarning("An API request was received with an invalid API key: {apiKey}", apiKey);
+                return AuthenticateResult.Fail("Invalid parameters");
+            }
+
+            Logger.LogInformation("Org {organizationId} authenticated", _scimContext.OrganizationId);
+
+            var claims = new[]
+            {
+                new Claim(JwtClaimTypes.ClientId, $"organization.{_scimContext.OrganizationId.Value}"),
+                new Claim("client_sub", _scimContext.OrganizationId.Value.ToString()),
+                new Claim(JwtClaimTypes.Scope, "api.scim"),
+            };
+            var identity = new ClaimsIdentity(claims, nameof(ApiKeyAuthenticationHandler));
+            var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity),
+                ApiKeyAuthenticationOptions.DefaultScheme);
+
+            return AuthenticateResult.Success(ticket);
+        }
+    }
+}