Massive refactor. Merge forward_auth into App, remove references to unimplemented OIDC federation and SAML features. Add group and user custom claims. Groups now allocate which apps a user can use

db/migrate/20251104014854_add_custom_claims_to_groups_and_users.rb

@@ -0,0 +1,6 @@
+class AddCustomClaimsToGroupsAndUsers < ActiveRecord::Migration[8.1]
+  def change
+    add_column :groups, :custom_claims, :json, default: {}, null: false
+    add_column :users, :custom_claims, :json, default: {}, null: false
+  end
+end

db/migrate/20251104014928_add_forward_auth_fields_to_applications.rb

@@ -0,0 +1,10 @@
+class AddForwardAuthFieldsToApplications < ActiveRecord::Migration[8.1]
+  def change
+    # Add ForwardAuth-specific fields
+    add_column :applications, :domain_pattern, :string
+    add_column :applications, :headers_config, :json, default: {}, null: false
+
+    # Add index on domain_pattern for lookup performance
+    add_index :applications, :domain_pattern, unique: true, where: "domain_pattern IS NOT NULL"
+  end
+end

db/migrate/20251104014955_migrate_forward_auth_rules_to_applications.rb

@@ -0,0 +1,71 @@
+class MigrateForwardAuthRulesToApplications < ActiveRecord::Migration[8.1]
+  def up
+    # Temporarily define models for migration
+    forward_auth_rule_class = Class.new(ActiveRecord::Base) do
+      self.table_name = "forward_auth_rules"
+      has_many :forward_auth_rule_groups, foreign_key: :forward_auth_rule_id, dependent: :destroy
+      has_many :allowed_groups, through: :forward_auth_rule_groups, source: :group, class_name: "MigrateForwardAuthRulesToApplications::Group"
+    end
+
+    forward_auth_rule_group_class = Class.new(ActiveRecord::Base) do
+      self.table_name = "forward_auth_rule_groups"
+      belongs_to :forward_auth_rule, class_name: "MigrateForwardAuthRulesToApplications::ForwardAuthRule"
+      belongs_to :group, class_name: "MigrateForwardAuthRulesToApplications::Group"
+    end
+
+    group_class = Class.new(ActiveRecord::Base) do
+      self.table_name = "groups"
+    end
+
+    application_class = Class.new(ActiveRecord::Base) do
+      self.table_name = "applications"
+      has_many :application_groups, foreign_key: :application_id, dependent: :destroy
+    end
+
+    application_group_class = Class.new(ActiveRecord::Base) do
+      self.table_name = "application_groups"
+      belongs_to :application, class_name: "MigrateForwardAuthRulesToApplications::Application"
+      belongs_to :group, class_name: "MigrateForwardAuthRulesToApplications::Group"
+    end
+
+    # Assign to constants so we can reference them
+    stub_const("MigrateForwardAuthRulesToApplications::ForwardAuthRule", forward_auth_rule_class)
+    stub_const("MigrateForwardAuthRulesToApplications::ForwardAuthRuleGroup", forward_auth_rule_group_class)
+    stub_const("MigrateForwardAuthRulesToApplications::Group", group_class)
+    stub_const("MigrateForwardAuthRulesToApplications::Application", application_class)
+    stub_const("MigrateForwardAuthRulesToApplications::ApplicationGroup", application_group_class)
+
+    # Migrate each ForwardAuthRule to an Application
+    forward_auth_rule_class.find_each do |rule|
+      # Create Application from ForwardAuthRule
+      app = application_class.create!(
+        name: rule.domain_pattern.titleize,
+        slug: rule.domain_pattern.parameterize.presence || "forward-auth-#{rule.id}",
+        app_type: 'forward_auth',
+        domain_pattern: rule.domain_pattern,
+        headers_config: rule.headers_config || {},
+        active: rule.active
+      )
+
+      # Migrate group associations
+      forward_auth_rule_group_class.where(forward_auth_rule_id: rule.id).find_each do |far_group|
+        application_group_class.create!(
+          application_id: app.id,
+          group_id: far_group.group_id
+        )
+      end
+    end
+  end
+
+  def down
+    # Remove all forward_auth applications created by this migration
+    Application.where(app_type: 'forward_auth').destroy_all
+  end
+
+  private
+
+  def stub_const(name, value)
+    parts = name.split("::")
+    parts[0..-2].inject(Object) { |mod, part| mod.const_get(part) }.const_set(parts.last, value)
+  end
+end

db/migrate/20251104015034_remove_role_related_tables_and_columns.rb

@@ -0,0 +1,15 @@
+class RemoveRoleRelatedTablesAndColumns < ActiveRecord::Migration[8.1]
+  def change
+    # Remove join table first (due to foreign keys)
+    drop_table :user_role_assignments if table_exists?(:user_role_assignments)
+
+    # Remove application_roles table
+    drop_table :application_roles if table_exists?(:application_roles)
+
+    # Remove role-related columns from applications
+    remove_column :applications, :role_mapping_mode, :string if column_exists?(:applications, :role_mapping_mode)
+    remove_column :applications, :role_prefix, :string if column_exists?(:applications, :role_prefix)
+    remove_column :applications, :role_claim_name, :string if column_exists?(:applications, :role_claim_name)
+    remove_column :applications, :managed_permissions, :json if column_exists?(:applications, :managed_permissions)
+  end
+end

db/migrate/20251104015104_remove_forward_auth_tables.rb

@@ -0,0 +1,9 @@
+class RemoveForwardAuthTables < ActiveRecord::Migration[8.1]
+  def change
+    # Remove join table first (due to foreign keys)
+    drop_table :forward_auth_rule_groups if table_exists?(:forward_auth_rule_groups)
+
+    # Remove forward_auth_rules table
+    drop_table :forward_auth_rules if table_exists?(:forward_auth_rules)
+  end
+end