Massive refactor. Merge forward_auth into App, remove references to unimplemented OIDC federation and SAML features. Add group and user custom claims. Groups now allocate which apps a user can use

2025-11-04 13:21:55 +11:00
parent 4d1bc1ab66
commit ef15db77f9
46 changed files with 341 additions and 2917 deletions
--- a/app/services/oidc_jwt_service.rb
+++ b/app/services/oidc_jwt_service.rb
@@ -27,11 +27,14 @@ class OidcJwtService
      # Add admin claim if user is admin
      payload[:admin] = true if user.admin?

-      # Add role-based claims if role mapping is enabled
-      if application.role_mapping_enabled?
-        add_role_claims!(payload, user, application)
+      # Merge custom claims from groups
+      user.groups.each do |group|
+        payload.merge!(group.parsed_custom_claims)
      end

+      # Merge custom claims from user (overrides group claims)
+      payload.merge!(user.parsed_custom_claims)
+
      JWT.encode(payload, private_key, "RS256", { kid: key_id, typ: "JWT" })
    end

@@ -93,50 +96,5 @@ class OidcJwtService
    def key_id
      @key_id ||= Digest::SHA256.hexdigest(public_key.to_pem)[0..15]
    end
-
-    # Add role-based claims to the JWT payload
-    def add_role_claims!(payload, user, application)
-      user_roles = application.user_roles(user)
-      return if user_roles.empty?
-
-      role_names = user_roles.pluck(:name)
-
-      # Filter roles by prefix if configured
-      if application.role_prefix.present?
-        role_names = role_names.select { |role| role.start_with?(application.role_prefix) }
-      end
-
-      return if role_names.empty?
-
-      # Add roles using the configured claim name
-      claim_name = application.role_claim_name.presence || 'roles'
-      payload[claim_name] = role_names
-
-      # Add role permissions if configured
-      managed_permissions = application.parsed_managed_permissions
-      if managed_permissions['include_permissions'] == true
-        role_permissions = user_roles.map do |role|
-          {
-            name: role.name,
-            display_name: role.display_name,
-            permissions: role.permissions
-          }
-        end
-        payload['role_permissions'] = role_permissions
-      end
-
-      # Add role metadata if configured
-      if managed_permissions['include_metadata'] == true
-        role_metadata = user_roles.map do |role|
-          assignment = role.user_role_assignments.find_by(user: user)
-          {
-            name: role.name,
-            source: assignment&.source,
-            assigned_at: assignment&.created_at
-          }
-        end
-        payload['role_metadata'] = role_metadata
-      end
-    end
  end
 end
--- a/app/services/role_mapping_engine.rb
+++ b/app/services/role_mapping_engine.rb
@@ -1,127 +0,0 @@
-class RoleMappingEngine
-  class << self
-    # Sync user roles from OIDC claims
-    def sync_user_roles!(user, application, claims)
-      return unless application.role_mapping_enabled?
-
-      # Extract roles from claims
-      external_roles = extract_roles_from_claims(application, claims)
-
-      case application.role_mapping_mode
-      when 'oidc_managed'
-        sync_oidc_managed_roles!(user, application, external_roles)
-      when 'hybrid'
-        sync_hybrid_roles!(user, application, external_roles)
-      end
-    end
-
-    # Check if user is allowed based on roles
-    def user_allowed_with_roles?(user, application, claims = nil)
-      return application.user_allowed_with_roles?(user) unless claims
-
-      if application.oidc_managed_roles?
-        external_roles = extract_roles_from_claims(application, claims)
-        return false if external_roles.empty?
-
-        # Check if any external role matches configured application roles
-        application.application_roles.active.exists?(name: external_roles)
-      elsif application.hybrid_roles?
-        # Allow access if either group-based or role-based access works
-        application.user_allowed?(user) ||
-        (external_roles.present? &&
-         application.application_roles.active.exists?(name: external_roles))
-      else
-        application.user_allowed?(user)
-      end
-    end
-
-    # Get available roles for a user in an application
-    def user_available_roles(user, application)
-      return [] unless application.role_mapping_enabled?
-
-      application.application_roles.active
-    end
-
-    # Map external roles to internal roles
-    def map_external_to_internal_roles(application, external_roles)
-      return [] if external_roles.empty?
-
-      configured_roles = application.application_roles.active.pluck(:name)
-
-      # Apply role prefix filtering
-      if application.role_prefix.present?
-        external_roles = external_roles.select { |role| role.start_with?(application.role_prefix) }
-      end
-
-      # Find matching internal roles
-      external_roles & configured_roles
-    end
-
-    private
-
-    # Extract roles from various claim sources
-    def extract_roles_from_claims(application, claims)
-      claim_name = application.role_claim_name.presence || 'roles'
-
-      # Try the configured claim name first
-      roles = claims[claim_name]
-
-      # Fallback to common claim names if not found
-      roles ||= claims['roles']
-      roles ||= claims['groups']
-      roles ||= claims['http://schemas.microsoft.com/ws/2008/06/identity/claims/role']
-
-      # Ensure roles is an array
-      case roles
-      when String
-        [roles]
-      when Array
-        roles
-      else
-        []
-      end
-    end
-
-    # Sync roles for OIDC managed mode (replace existing roles)
-    def sync_oidc_managed_roles!(user, application, external_roles)
-      # Map external roles to internal roles
-      internal_roles = map_external_to_internal_roles(application, external_roles)
-
-      # Get current OIDC-managed roles
-      current_assignments = user.user_role_assignments
-                           .joins(:application_role)
-                           .where(application_role: { application: application })
-                           .oidc_managed
-                           .includes(:application_role)
-
-      current_role_names = current_assignments.map { |assignment| assignment.application_role.name }
-
-      # Remove roles that are no longer in external roles
-      roles_to_remove = current_role_names - internal_roles
-      roles_to_remove.each do |role_name|
-        application.remove_role_from_user!(user, role_name)
-      end
-
-      # Add new roles
-      roles_to_add = internal_roles - current_role_names
-      roles_to_add.each do |role_name|
-        application.assign_role_to_user!(user, role_name, source: 'oidc',
-                                       metadata: { synced_at: Time.current })
-      end
-    end
-
-    # Sync roles for hybrid mode (merge with existing roles)
-    def sync_hybrid_roles!(user, application, external_roles)
-      # Map external roles to internal roles
-      internal_roles = map_external_to_internal_roles(application, external_roles)
-
-      # Only add new roles, don't remove manually assigned ones
-      internal_roles.each do |role_name|
-        next if application.user_has_role?(user, role_name)
-
-        application.assign_role_to_user!(user, role_name, source: 'oidc',
-                                       metadata: { synced_at: Time.current })
-      end
-    end
-  end
-end