Forbid manual updates to email, handle, display for SCIM-managed users

[smatting]

Implements https://wearezeta.atlassian.net/browse/SQSERVICES-171

[fisx]

I think we're using property as a technical term for something else. What about managed-by-scim? Or user-managed-by-scim?

[smatting]

Renamed to managed-by-scim

[fisx]

move to update section below line 401?

[fisx]

Suggested change

	when
	( userManagedBy u == ManagedByScim
	&& allowScim == ForbidSCIMUpdates
	)
	unless
	( userManagedBy u /= ManagedByScim
	|| old handle == new handle -- pseudo-code
	|| allowScim /= ForbidSCIMUpdates
	)

[smatting]

done

[fisx]

like above, you could change this to unless ....

[smatting]

done

[fisx]

Failures:

  test-integration/Test/Spar/Scim/UserSpec.hs:1594:23: 
  1) Spar.Scim.User, email validation, enabled in team, gives user email
       uncaught exception: ErrorCall
       Assertions failed:
        1: 201 =/= 500
       
       Response was:
       
       Response {responseStatus = Status {statusCode = 500, statusMessage = "Internal Server Error"}, responseVersion = HTTP/1.1, responseHeaders = [("Transfer-Encoding","chunked"),("Date","Fri, 08 Jan 2021 11:26:14 GMT"),("Server","Warp/3.3.13"),("Content-Type","application/json")], responseBody = Just "{\"code\":500,\"message\":\"{\\\"status\\\":\\\"500\\\",\\\"schemas\\\":[\\\"urn:ietf:params:scim:api:messages:2.0:Error\\\"],\\\"detail\\\":\\\"{\\\\\\\"code\\\\\\\":403,\\\\\\\"message\\\\\\\":\\\\\\\"Updating \\\\\\\\\\\\\\\"email\\\\\\\\\\\\\\\" is not allowed, because it is managed by SCIM\\\\\\\",\\\\\\\"label\\\\\\\":\\\\\\\"property-managed-by-scim\\\\\\\"}\\\"}\",\"label\":\"server-error\"}", responseCookieJar = CJ {expose = []}, responseClose' = ResponseClose}
       CallStack (from HasCallStack):
         error, called at src/Bilge/Assert.hs:88:5 in bilge-0.22.0-LWSwcj5o3J5utdi7oQriS:Bilge.Assert
         <!!, called at test-integration/Util/Scim.hs:191:5 in main:Util.Scim
         createUser, called at test-integration/Test/Spar/Scim/UserSpec.hs:1579:29 in main:Test.Spar.Scim.UserSpec
         setup, called at test-integration/Test/Spar/Scim/UserSpec.hs:1594:23 in main:Test.Spar.Scim.UserSpec

  To rerun use: --match "/Spar.Scim.User/email validation/enabled in team/gives user email/"

Randomized with seed 1959313722

I think when spar is calling an internal brig end-point here to trigger email validation, and that end-point needs to call changeEmail of changeSelfEmail with AllowSCIMUpdates, not ForbidSCIMUpdates.

You should check if there are any other calls to this end-point and make sure that it's always AllowSCIMUpdates, or else make it a query parameter (mandatory if you want to be more certain the integration tests capture anything you've missed).

[smatting]

Fixed the failing test by allow scim updates on the internal endpoint /i/self/email (I failed to see this before).
I think this is a safe choice, because only public endpoints change their behaviour now.