OIDC app creation with encrypted secrets and application roles

2025-10-24 14:47:24 +11:00
parent 831bd083c2
commit 12e0ef66ed
32 changed files with 1983 additions and 72 deletions
--- a/db/migrate/20251024012201_add_role_mapping_to_applications.rb
+++ b/db/migrate/20251024012201_add_role_mapping_to_applications.rb
@@ -0,0 +1,32 @@
+class AddRoleMappingToApplications < ActiveRecord::Migration[8.1]
+  def change
+    add_column :applications, :role_mapping_mode, :string, default: 'disabled', null: false
+    add_column :applications, :role_prefix, :string
+    add_column :applications, :managed_permissions, :json, default: {}
+    add_column :applications, :role_claim_name, :string, default: 'roles'
+
+    create_table :application_roles do |t|
+      t.references :application, null: false, foreign_key: true
+      t.string :name, null: false
+      t.string :display_name
+      t.text :description
+      t.json :permissions, default: {}
+      t.boolean :active, default: true
+
+      t.timestamps
+    end
+
+    add_index :application_roles, [:application_id, :name], unique: true
+
+    create_table :user_role_assignments do |t|
+      t.references :user, null: false, foreign_key: true
+      t.references :application_role, null: false, foreign_key: true
+      t.string :source, default: 'oidc' # 'oidc', 'manual', 'group_sync'
+      t.json :metadata, default: {}
+
+      t.timestamps
+    end
+
+    add_index :user_role_assignments, [:user_id, :application_role_id], unique: true
+  end
+end
--- a/db/migrate/20251024022837_add_description_to_applications.rb
+++ b/db/migrate/20251024022837_add_description_to_applications.rb
@@ -0,0 +1,5 @@
+class AddDescriptionToApplications < ActiveRecord::Migration[8.1]
+  def change
+    add_column :applications, :description, :text
+  end
+end
--- a/db/migrate/20251024032255_add_client_secret_hash_to_applications.rb
+++ b/db/migrate/20251024032255_add_client_secret_hash_to_applications.rb
@@ -0,0 +1,6 @@
+class AddClientSecretHashToApplications < ActiveRecord::Migration[8.1]
+  def change
+    add_column :applications, :client_secret_hash, :string
+    remove_column :applications, :client_secret, :string
+  end
+end
--- a/db/migrate/20251024033007_rename_client_secret_hash_to_client_secret_digest.rb
+++ b/db/migrate/20251024033007_rename_client_secret_hash_to_client_secret_digest.rb
@@ -0,0 +1,5 @@
+class RenameClientSecretHashToClientSecretDigest < ActiveRecord::Migration[8.1]
+  def change
+    rename_column :applications, :client_secret_hash, :client_secret_digest
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema[8.1].define(version: 2025_10_23_234744) do
+ActiveRecord::Schema[8.1].define(version: 2025_10_24_033007) do
  create_table "application_groups", force: :cascade do |t|
    t.integer "application_id", null: false
    t.datetime "created_at", null: false
@@ -21,15 +21,33 @@ ActiveRecord::Schema[8.1].define(version: 2025_10_23_234744) do
    t.index ["group_id"], name: "index_application_groups_on_group_id"
  end

+  create_table "application_roles", force: :cascade do |t|
+    t.boolean "active", default: true
+    t.integer "application_id", null: false
+    t.datetime "created_at", null: false
+    t.text "description"
+    t.string "display_name"
+    t.string "name", null: false
+    t.json "permissions", default: {}
+    t.datetime "updated_at", null: false
+    t.index ["application_id", "name"], name: "index_application_roles_on_application_id_and_name", unique: true
+    t.index ["application_id"], name: "index_application_roles_on_application_id"
+  end
+
  create_table "applications", force: :cascade do |t|
    t.boolean "active", default: true, null: false
    t.string "app_type", null: false
    t.string "client_id"
-    t.string "client_secret"
+    t.string "client_secret_digest"
    t.datetime "created_at", null: false
+    t.text "description"
+    t.json "managed_permissions", default: {}
    t.text "metadata"
    t.string "name", null: false
    t.text "redirect_uris"
+    t.string "role_claim_name", default: "roles"
+    t.string "role_mapping_mode", default: "disabled", null: false
+    t.string "role_prefix"
    t.string "slug", null: false
    t.datetime "updated_at", null: false
    t.index ["active"], name: "index_applications_on_active"
@@ -119,6 +137,18 @@ ActiveRecord::Schema[8.1].define(version: 2025_10_23_234744) do
    t.index ["user_id"], name: "index_user_groups_on_user_id"
  end

+  create_table "user_role_assignments", force: :cascade do |t|
+    t.integer "application_role_id", null: false
+    t.datetime "created_at", null: false
+    t.json "metadata", default: {}
+    t.string "source", default: "oidc"
+    t.datetime "updated_at", null: false
+    t.integer "user_id", null: false
+    t.index ["application_role_id"], name: "index_user_role_assignments_on_application_role_id"
+    t.index ["user_id", "application_role_id"], name: "index_user_role_assignments_on_user_id_and_application_role_id", unique: true
+    t.index ["user_id"], name: "index_user_role_assignments_on_user_id"
+  end
+
  create_table "users", force: :cascade do |t|
    t.boolean "admin", default: false, null: false
    t.text "backup_codes"
@@ -135,6 +165,7 @@ ActiveRecord::Schema[8.1].define(version: 2025_10_23_234744) do

  add_foreign_key "application_groups", "applications"
  add_foreign_key "application_groups", "groups"
+  add_foreign_key "application_roles", "applications"
  add_foreign_key "forward_auth_rule_groups", "forward_auth_rules"
  add_foreign_key "forward_auth_rule_groups", "groups"
  add_foreign_key "oidc_access_tokens", "applications"
@@ -144,4 +175,6 @@ ActiveRecord::Schema[8.1].define(version: 2025_10_23_234744) do
  add_foreign_key "sessions", "users"
  add_foreign_key "user_groups", "groups"
  add_foreign_key "user_groups", "users"
+  add_foreign_key "user_role_assignments", "application_roles"
+  add_foreign_key "user_role_assignments", "users"
 end