Baffle-WAF/baffle-hub
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
85252a1a070883e0da08105c19581bf596a828f0
baffle-hub/app/models/user.rb
Dan Milne 85252a1a07 Much work.
2025-11-04 10:32:05 +11:00

65 lines
1.7 KiB
Ruby
Raw Blame History

class User < ApplicationRecord
has_secure_password
has_many :sessions, dependent: :destroy
normalizes :email_address, with: ->(e) { e.strip.downcase }
enum :role, { admin: 0, user: 1, viewer: 2 }, default: :user
validates :email_address, presence: true, uniqueness: true, format: { with: URI::MailTo::EMAIL_REGEXP }
validates :role, presence: true
before_validation :set_first_user_as_admin, on: :create
def self.from_oidc(auth_hash)
# Extract user info from OIDC auth hash
email = auth_hash.dig('info', 'email')
return nil unless email
user = find_or_initialize_by(email_address: email)
# Map OIDC groups to role
if auth_hash.dig('extra', 'raw_info', 'groups')
user.role = map_oidc_groups_to_role(auth_hash.dig('extra', 'raw_info', 'groups'))
end
# Don't override password for OIDC users
user.save!(validate: false) if user.new_record?
user
end
def admin?
role == 'admin'
end
def viewer?
role == 'viewer'
end
private
def set_first_user_as_admin
return if User.any?
self.role = 'admin'
end
def self.map_oidc_groups_to_role(groups)
groups = Array(groups)
# Check admin groups first
admin_groups = ENV['OIDC_ADMIN_GROUPS']&.split(',')&.map(&:strip)
return 'admin' if admin_groups && (admin_groups & groups).any?
# Check user groups
user_groups = ENV['OIDC_USER_GROUPS']&.split(',')&.map(&:strip)
return 'user' if user_groups && (user_groups & groups).any?
# Check viewer groups
viewer_groups = ENV['OIDC_VIEWER_GROUPS']&.split(',')&.map(&:strip)
return 'viewer' if viewer_groups && (viewer_groups & groups).any?
# Default to user if no group matches
'user'
end
end
Reference in New Issue View Git Blame Copy Permalink