dkam/clinch
1
0
Fork 0
Code Issues 2 Pull Requests Actions 1 Packages Projects Releases Wiki Activity

First crack
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Dan Milne
2025-10-23 16:45:00 +11:00
parent 1ff0a95392
commit 56f7dd7b3c
54 changed files with 1249 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
app/models/application.rb Normal file
View File

@@ -0,0 +1,70 @@
class Application < ApplicationRecord
has_many :application_groups, dependent: :destroy
has_many :allowed_groups, through: :application_groups, source: :group
has_many :oidc_authorization_codes, dependent: :destroy
has_many :oidc_access_tokens, dependent: :destroy
validates :name, presence: true
validates :slug, presence: true, uniqueness: { case_sensitive: false },
format: { with: /\A[a-z0-9\-]+\z/, message: "only lowercase letters, numbers, and hyphens" }
validates :app_type, presence: true,
inclusion: { in: %w[oidc trusted_header saml] }
validates :client_id, uniqueness: { allow_nil: true }
normalizes :slug, with: ->(slug) { slug.strip.downcase }
before_validation :generate_client_credentials, on: :create, if: :oidc?
# Scopes
scope :active, -> { where(active: true) }
scope :oidc, -> { where(app_type: "oidc") }
scope :trusted_header, -> { where(app_type: "trusted_header") }
scope :saml, -> { where(app_type: "saml") }
# Type checks
def oidc?
app_type == "oidc"
end
def trusted_header?
app_type == "trusted_header"
end
def saml?
app_type == "saml"
end
# Access control
def user_allowed?(user)
return false unless active?
return false unless user.active?
# If no groups are specified, allow all active users
return true if allowed_groups.empty?
# Otherwise, user must be in at least one of the allowed groups
(user.groups & allowed_groups).any?
end
# OIDC helpers
def parsed_redirect_uris
return [] unless redirect_uris.present?
JSON.parse(redirect_uris)
rescue JSON::ParserError
redirect_uris.split("\n").map(&:strip).reject(&:blank?)
end
def parsed_metadata
return {} unless metadata.present?
JSON.parse(metadata)
rescue JSON::ParserError
{}
end
private
def generate_client_credentials
self.client_id ||= SecureRandom.urlsafe_base64(32)
self.client_secret ||= SecureRandom.urlsafe_base64(48)
end
end