QT/sure
1
0
Fork 0
mirror of https://github.com/we-promise/sure.git synced 2026-04-10 15:54:48 +00:00
Code Issues Packages Projects Releases Wiki Activity
2,128 Commits 84 Branches 48 Tags
e573896efe6dee2ee71fa187a869b4e593603565
Commit Graph

4 Commits

Author SHA1 Message Date
Juan José Mata
19aeac3a84 Normalize legacy SSO icon values before validation (#955) 2026-02-10 23:14:58 +01:00
soky srm
696ff0966b Initial security fixes (#461) 
* Initial sec

* Update PII fields

* FIX add tests

* FIX safely read plaintext data on rake backfill

* Update user.rb

* FIX tests

* encryption_ready? block

* Test conditional to encryption on

---------

Signed-off-by: Juan José Mata <juanjo.mata@gmail.com>
Co-authored-by: Juan José Mata <juanjo.mata@gmail.com>
 2026-01-23 22:05:28 +01:00
Josh Waldrep
b2ecc6bc67 refactor: improve SSO provider management and logging 
- Simplified `name_id_format` selection logic in SSO provider form.
- Switched raw database query to sanitized SQL in client secret tests.
- Added condition to log JIT account creation only when identity persists.
- Sanitized failure reasons in SSO login failure handling.
- Added SSO provider connection test policy tests for super admin and regular users.
 2026-01-03 21:13:24 -05:00
Josh Waldrep
14993d871c feat: comprehensive SSO/OIDC upgrade with enterprise features 
Multi-provider SSO support:
   - Database-backed SSO provider management with admin UI
   - Support for OpenID Connect, Google OAuth2, GitHub, and SAML 2.0
   - Flipper feature flag (db_sso_providers) for dynamic provider loading
   - ProviderLoader service for YAML or database configuration

   Admin functionality:
   - Admin::SsoProvidersController for CRUD operations
   - Admin::UsersController for super_admin role management
   - Pundit policies for authorization
   - Test connection endpoint for validating provider config

   User provisioning improvements:
   - JIT (just-in-time) account creation with configurable default role
   - Changed default JIT role from admin to member (security)
   - User attribute sync on each SSO login
   - Group/role mapping from IdP claims

   SSO identity management:
   - Settings::SsoIdentitiesController for users to manage connected accounts
   - Issuer validation for OIDC identities
   - Unlink protection when no password set

   Audit logging:
   - SsoAuditLog model tracking login, logout, link, unlink, JIT creation
   - Captures IP address, user agent, and metadata

   Advanced OIDC features:
   - Custom scopes per provider
   - Configurable prompt parameter (login, consent, select_account, none)
   - RP-initiated logout (federated logout to IdP)
   - id_token storage for logout

   SAML 2.0 support:
   - omniauth-saml gem integration
   - IdP metadata URL or manual configuration
   - Certificate and fingerprint validation
   - NameID format configuration
 2026-01-03 17:56:42 -05:00