Massive refactor. Merge forward_auth into App, remove references to unimplemented OIDC federation and SAML features. Add group and user custom claims. Groups now allocate which apps a user can use

app/models/application.rb

@@ -1,53 +1,48 @@
 class Application < ApplicationRecord
-  has_secure_password :client_secret
+  has_secure_password :client_secret, validations: false
 
   has_many :application_groups, dependent: :destroy
   has_many :allowed_groups, through: :application_groups, source: :group
   has_many :oidc_authorization_codes, dependent: :destroy
   has_many :oidc_access_tokens, dependent: :destroy
   has_many :oidc_user_consents, dependent: :destroy
-  has_many :application_roles, dependent: :destroy
-  has_many :user_role_assignments, through: :application_roles
 
   validates :name, presence: true
   validates :slug, presence: true, uniqueness: { case_sensitive: false },
                   format: { with: /\A[a-z0-9\-]+\z/, message: "only lowercase letters, numbers, and hyphens" }
   validates :app_type, presence: true,
-                      inclusion: { in: %w[oidc saml] }
+                      inclusion: { in: %w[oidc forward_auth] }
   validates :client_id, uniqueness: { allow_nil: true }
-  validates :role_mapping_mode, inclusion: { in: %w[disabled oidc_managed hybrid] }, allow_blank: true
+  validates :client_secret, presence: true, if: :oidc?
+  validates :domain_pattern, presence: true, uniqueness: { case_sensitive: false }, if: :forward_auth?
 
   normalizes :slug, with: ->(slug) { slug.strip.downcase }
+  normalizes :domain_pattern, with: ->(pattern) { pattern&.strip&.downcase }
 
   before_validation :generate_client_credentials, on: :create, if: :oidc?
 
+  # Default header configuration for ForwardAuth
+  DEFAULT_HEADERS = {
+    user: 'X-Remote-User',
+    email: 'X-Remote-Email',
+    name: 'X-Remote-Name',
+    groups: 'X-Remote-Groups',
+    admin: 'X-Remote-Admin'
+  }.freeze
+
   # Scopes
   scope :active, -> { where(active: true) }
   scope :oidc, -> { where(app_type: "oidc") }
-  scope :saml, -> { where(app_type: "saml") }
-  scope :oidc_managed_roles, -> { where(role_mapping_mode: "oidc_managed") }
-  scope :hybrid_roles, -> { where(role_mapping_mode: "hybrid") }
+  scope :forward_auth, -> { where(app_type: "forward_auth") }
+  scope :ordered, -> { order(domain_pattern: :asc) }
 
   # Type checks
   def oidc?
     app_type == "oidc"
   end
 
-  def saml?
-    app_type == "saml"
-  end
-
-  # Role mapping checks
-  def role_mapping_enabled?
-    role_mapping_mode.in?(['oidc_managed', 'hybrid'])
-  end
-
-  def oidc_managed_roles?
-    role_mapping_mode == 'oidc_managed'
-  end
-
-  def hybrid_roles?
-    role_mapping_mode == 'hybrid'
+  def forward_auth?
+    app_type == "forward_auth"
   end
 
   # Access control
@@ -77,49 +72,72 @@ class Application < ApplicationRecord
     {}
   end
 
-  def parsed_managed_permissions
-    return {} unless managed_permissions.present?
-    managed_permissions.is_a?(Hash) ? managed_permissions : JSON.parse(managed_permissions)
+  # ForwardAuth helpers
+  def parsed_headers_config
+    return {} unless headers_config.present?
+    headers_config.is_a?(Hash) ? headers_config : JSON.parse(headers_config)
   rescue JSON::ParserError
     {}
   end
 
-  # Role management methods
-  def user_roles(user)
-    application_roles.joins(:user_role_assignments)
-                    .where(user_role_assignments: { user: user })
-                    .active
+  # Check if a domain matches this application's pattern (for ForwardAuth)
+  def matches_domain?(domain)
+    return false if domain.blank? || !forward_auth?
+
+    pattern = domain_pattern.gsub('.', '\.')
+    pattern = pattern.gsub('*', '[^.]*')
+
+    regex = Regexp.new("^#{pattern}$", Regexp::IGNORECASE)
+    regex.match?(domain.downcase)
   end
 
-  def user_has_role?(user, role_name)
-    user_roles(user).exists?(name: role_name)
+  # Policy determination based on user status (for ForwardAuth)
+  def policy_for_user(user)
+    return 'deny' unless active?
+    return 'deny' unless user.active?
+
+    # If no groups specified, bypass authentication
+    return 'bypass' if allowed_groups.empty?
+
+    # If user is in allowed groups, determine auth level
+    if user_allowed?(user)
+      # Require 2FA if user has TOTP configured, otherwise one factor
+      user.totp_enabled? ? 'two_factor' : 'one_factor'
+    else
+      'deny'
+    end
   end
 
-  def assign_role_to_user!(user, role_name, source: 'manual', metadata: {})
-    role = application_roles.active.find_by!(name: role_name)
-    role.assign_to_user!(user, source: source, metadata: metadata)
+  # Get effective header configuration (for ForwardAuth)
+  def effective_headers
+    DEFAULT_HEADERS.merge(parsed_headers_config.symbolize_keys)
   end
 
-  def remove_role_from_user!(user, role_name)
-    role = application_roles.find_by!(name: role_name)
-    role.remove_from_user!(user)
-  end
+  # Generate headers for a specific user (for ForwardAuth)
+  def headers_for_user(user)
+    headers = {}
+    effective = effective_headers
 
-  # Enhanced access control with roles
-  def user_allowed_with_roles?(user)
-    return user_allowed?(user) unless role_mapping_enabled?
+    # Only generate headers that are configured (not set to nil/false)
+    effective.each do |key, header_name|
+      next unless header_name.present?  # Skip disabled headers
 
-    # For OIDC managed roles, check if user has any roles assigned
-    if oidc_managed_roles?
-      return user_roles(user).exists?
+      case key
+      when :user, :email, :name
+        headers[header_name] = user.email_address
+      when :groups
+        headers[header_name] = user.groups.pluck(:name).join(",") if user.groups.any?
+      when :admin
+        headers[header_name] = user.admin? ? "true" : "false"
+      end
     end
 
-    # For hybrid mode, either group-based access or role-based access works
-    if hybrid_roles?
-      return user_allowed?(user) || user_roles(user).exists?
-    end
+    headers
+  end
 
-    user_allowed?(user)
+  # Check if all headers are disabled (for ForwardAuth)
+  def headers_disabled?
+    headers_config.present? && effective_headers.values.all?(&:blank?)
   end
 
   # Generate and return a new client secret

app/models/application_role.rb

@@ -1,26 +0,0 @@
-class ApplicationRole < ApplicationRecord
-  belongs_to :application
-  has_many :user_role_assignments, dependent: :destroy
-  has_many :users, through: :user_role_assignments
-
-  validates :name, presence: true, uniqueness: { scope: :application_id }
-  validates :display_name, presence: true
-
-  scope :active, -> { where(active: true) }
-
-  def user_has_role?(user)
-    user_role_assignments.exists?(user: user)
-  end
-
-  def assign_to_user!(user, source: 'oidc', metadata: {})
-    user_role_assignments.find_or_create_by!(user: user) do |assignment|
-      assignment.source = source
-      assignment.metadata = metadata
-    end
-  end
-
-  def remove_from_user!(user)
-    assignment = user_role_assignments.find_by(user: user)
-    assignment&.destroy
-  end
-end

app/models/forward_auth_rule.rb

@@ -1,94 +0,0 @@
-class ForwardAuthRule < ApplicationRecord
-  has_many :forward_auth_rule_groups, dependent: :destroy
-  has_many :allowed_groups, through: :forward_auth_rule_groups, source: :group
-
-  validates :domain_pattern, presence: true, uniqueness: { case_sensitive: false }
-  validates :active, inclusion: { in: [true, false] }
-
-  normalizes :domain_pattern, with: ->(pattern) { pattern.strip.downcase }
-
-  # Default header configuration
-  DEFAULT_HEADERS = {
-    user: 'X-Remote-User',
-    email: 'X-Remote-Email',
-    name: 'X-Remote-Name',
-    groups: 'X-Remote-Groups',
-    admin: 'X-Remote-Admin'
-  }.freeze
-
-  # Scopes
-  scope :active, -> { where(active: true) }
-  scope :ordered, -> { order(domain_pattern: :asc) }
-
-  # Check if a domain matches this rule
-  def matches_domain?(domain)
-    return false if domain.blank?
-
-    pattern = domain_pattern.gsub('.', '\.')
-    pattern = pattern.gsub('*', '[^.]*')
-
-    regex = Regexp.new("^#{pattern}$", Regexp::IGNORECASE)
-    regex.match?(domain.downcase)
-  end
-
-  # Access control for forward auth
-  def user_allowed?(user)
-    return false unless active?
-    return false unless user.active?
-
-    # If no groups are specified, allow all active users (bypass)
-    return true if allowed_groups.empty?
-
-    # Otherwise, user must be in at least one of the allowed groups
-    (user.groups & allowed_groups).any?
-  end
-
-  # Policy determination based on user status and rule configuration
-  def policy_for_user(user)
-    return 'deny' unless active?
-    return 'deny' unless user.active?
-
-    # If no groups specified, bypass authentication
-    return 'bypass' if allowed_groups.empty?
-
-    # If user is in allowed groups, determine auth level
-    if user_allowed?(user)
-      # Require 2FA if user has TOTP configured, otherwise one factor
-      user.totp_enabled? ? 'two_factor' : 'one_factor'
-    else
-      'deny'
-    end
-  end
-
-  # Get effective header configuration (rule-specific + defaults)
-  def effective_headers
-    DEFAULT_HEADERS.merge((headers_config || {}).symbolize_keys)
-  end
-
-  # Generate headers for a specific user
-  def headers_for_user(user)
-    headers = {}
-    effective = effective_headers
-
-    # Only generate headers that are configured (not set to nil/false)
-    effective.each do |key, header_name|
-      next unless header_name.present?  # Skip disabled headers
-
-      case key
-      when :user, :email, :name
-        headers[header_name] = user.email_address
-      when :groups
-        headers[header_name] = user.groups.pluck(:name).join(",") if user.groups.any?
-      when :admin
-        headers[header_name] = user.admin? ? "true" : "false"
-      end
-    end
-
-    headers
-  end
-
-  # Check if all headers are disabled
-  def headers_disabled?
-    headers_config.present? && effective_headers.values.all?(&:blank?)
-  end
-end

app/models/forward_auth_rule_group.rb

@@ -1,6 +0,0 @@
-class ForwardAuthRuleGroup < ApplicationRecord
-  belongs_to :forward_auth_rule
-  belongs_to :group
-
-  validates :forward_auth_rule_id, uniqueness: { scope: :group_id }
-end

app/models/group.rb

@@ -6,4 +6,9 @@ class Group < ApplicationRecord
 
   validates :name, presence: true, uniqueness: { case_sensitive: false }
   normalizes :name, with: ->(name) { name.strip.downcase }
+
+  # Parse custom_claims JSON field
+  def parsed_custom_claims
+    custom_claims || {}
+  end
 end

app/models/user.rb

@@ -3,8 +3,6 @@ class User < ApplicationRecord
   has_many :sessions, dependent: :destroy
   has_many :user_groups, dependent: :destroy
   has_many :groups, through: :user_groups
-  has_many :user_role_assignments, dependent: :destroy
-  has_many :application_roles, through: :user_role_assignments
   has_many :oidc_user_consents, dependent: :destroy
 
   # Token generation for passwordless flows
@@ -97,6 +95,11 @@ class User < ApplicationRecord
     oidc_user_consents.destroy_all
   end
 
+  # Parse custom_claims JSON field
+  def parsed_custom_claims
+    custom_claims || {}
+  end
+
   private
 
   def generate_backup_codes

app/models/user_role_assignment.rb

@@ -1,15 +0,0 @@
-class UserRoleAssignment < ApplicationRecord
-  belongs_to :user
-  belongs_to :application_role
-
-  validates :user, uniqueness: { scope: :application_role }
-  validates :source, inclusion: { in: %w[oidc manual group_sync] }
-
-  scope :oidc_managed, -> { where(source: 'oidc') }
-  scope :manually_assigned, -> { where(source: 'manual') }
-  scope :group_synced, -> { where(source: 'group_sync') }
-
-  def sync_from_oidc?
-    source == 'oidc'
-  end
-end