OIDC app creation with encrypted secrets and application roles

2025-10-24 14:47:24 +11:00
parent 831bd083c2
commit 12e0ef66ed
32 changed files with 1983 additions and 72 deletions
--- a/app/services/oidc_jwt_service.rb
+++ b/app/services/oidc_jwt_service.rb
@@ -27,6 +27,11 @@ class OidcJwtService
      # Add admin claim if user is admin
      payload[:admin] = true if user.admin?

+      # Add role-based claims if role mapping is enabled
+      if application.role_mapping_enabled?
+        add_role_claims!(payload, user, application)
+      end
+
      JWT.encode(payload, private_key, "RS256", { kid: key_id, typ: "JWT" })
    end

@@ -88,5 +93,50 @@ class OidcJwtService
    def key_id
      @key_id ||= Digest::SHA256.hexdigest(public_key.to_pem)[0..15]
    end
+
+    # Add role-based claims to the JWT payload
+    def add_role_claims!(payload, user, application)
+      user_roles = application.user_roles(user)
+      return if user_roles.empty?
+
+      role_names = user_roles.pluck(:name)
+
+      # Filter roles by prefix if configured
+      if application.role_prefix.present?
+        role_names = role_names.select { |role| role.start_with?(application.role_prefix) }
+      end
+
+      return if role_names.empty?
+
+      # Add roles using the configured claim name
+      claim_name = application.role_claim_name.presence || 'roles'
+      payload[claim_name] = role_names
+
+      # Add role permissions if configured
+      managed_permissions = application.parsed_managed_permissions
+      if managed_permissions['include_permissions'] == true
+        role_permissions = user_roles.map do |role|
+          {
+            name: role.name,
+            display_name: role.display_name,
+            permissions: role.permissions
+          }
+        end
+        payload['role_permissions'] = role_permissions
+      end
+
+      # Add role metadata if configured
+      if managed_permissions['include_metadata'] == true
+        role_metadata = user_roles.map do |role|
+          assignment = role.user_role_assignments.find_by(user: user)
+          {
+            name: role.name,
+            source: assignment&.source,
+            assigned_at: assignment&.created_at
+          }
+        end
+        payload['role_metadata'] = role_metadata
+      end
+    end
  end
 end
--- a/app/services/role_mapping_engine.rb
+++ b/app/services/role_mapping_engine.rb
@@ -0,0 +1,127 @@
+class RoleMappingEngine
+  class << self
+    # Sync user roles from OIDC claims
+    def sync_user_roles!(user, application, claims)
+      return unless application.role_mapping_enabled?
+
+      # Extract roles from claims
+      external_roles = extract_roles_from_claims(application, claims)
+
+      case application.role_mapping_mode
+      when 'oidc_managed'
+        sync_oidc_managed_roles!(user, application, external_roles)
+      when 'hybrid'
+        sync_hybrid_roles!(user, application, external_roles)
+      end
+    end
+
+    # Check if user is allowed based on roles
+    def user_allowed_with_roles?(user, application, claims = nil)
+      return application.user_allowed_with_roles?(user) unless claims
+
+      if application.oidc_managed_roles?
+        external_roles = extract_roles_from_claims(application, claims)
+        return false if external_roles.empty?
+
+        # Check if any external role matches configured application roles
+        application.application_roles.active.exists?(name: external_roles)
+      elsif application.hybrid_roles?
+        # Allow access if either group-based or role-based access works
+        application.user_allowed?(user) ||
+        (external_roles.present? &&
+         application.application_roles.active.exists?(name: external_roles))
+      else
+        application.user_allowed?(user)
+      end
+    end
+
+    # Get available roles for a user in an application
+    def user_available_roles(user, application)
+      return [] unless application.role_mapping_enabled?
+
+      application.application_roles.active
+    end
+
+    # Map external roles to internal roles
+    def map_external_to_internal_roles(application, external_roles)
+      return [] if external_roles.empty?
+
+      configured_roles = application.application_roles.active.pluck(:name)
+
+      # Apply role prefix filtering
+      if application.role_prefix.present?
+        external_roles = external_roles.select { |role| role.start_with?(application.role_prefix) }
+      end
+
+      # Find matching internal roles
+      external_roles & configured_roles
+    end
+
+    private
+
+    # Extract roles from various claim sources
+    def extract_roles_from_claims(application, claims)
+      claim_name = application.role_claim_name.presence || 'roles'
+
+      # Try the configured claim name first
+      roles = claims[claim_name]
+
+      # Fallback to common claim names if not found
+      roles ||= claims['roles']
+      roles ||= claims['groups']
+      roles ||= claims['http://schemas.microsoft.com/ws/2008/06/identity/claims/role']
+
+      # Ensure roles is an array
+      case roles
+      when String
+        [roles]
+      when Array
+        roles
+      else
+        []
+      end
+    end
+
+    # Sync roles for OIDC managed mode (replace existing roles)
+    def sync_oidc_managed_roles!(user, application, external_roles)
+      # Map external roles to internal roles
+      internal_roles = map_external_to_internal_roles(application, external_roles)
+
+      # Get current OIDC-managed roles
+      current_assignments = user.user_role_assignments
+                           .joins(:application_role)
+                           .where(application_role: { application: application })
+                           .oidc_managed
+                           .includes(:application_role)
+
+      current_role_names = current_assignments.map { |assignment| assignment.application_role.name }
+
+      # Remove roles that are no longer in external roles
+      roles_to_remove = current_role_names - internal_roles
+      roles_to_remove.each do |role_name|
+        application.remove_role_from_user!(user, role_name)
+      end
+
+      # Add new roles
+      roles_to_add = internal_roles - current_role_names
+      roles_to_add.each do |role_name|
+        application.assign_role_to_user!(user, role_name, source: 'oidc',
+                                       metadata: { synced_at: Time.current })
+      end
+    end
+
+    # Sync roles for hybrid mode (merge with existing roles)
+    def sync_hybrid_roles!(user, application, external_roles)
+      # Map external roles to internal roles
+      internal_roles = map_external_to_internal_roles(application, external_roles)
+
+      # Only add new roles, don't remove manually assigned ones
+      internal_roles.each do |role_name|
+        next if application.user_has_role?(user, role_name)
+
+        application.assign_role_to_user!(user, role_name, source: 'oidc',
+                                       metadata: { synced_at: Time.current })
+      end
+    end
+  end
+end