QT/sure
1
0
Fork 0
mirror of https://github.com/we-promise/sure.git synced 2026-04-08 06:44:52 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
03e59c8b3c03d2adaec74190403ac030d6794966
sure/config/initializers/flipper.rb
Josh Waldrep 14993d871c feat: comprehensive SSO/OIDC upgrade with enterprise features 
Multi-provider SSO support:
   - Database-backed SSO provider management with admin UI
   - Support for OpenID Connect, Google OAuth2, GitHub, and SAML 2.0
   - Flipper feature flag (db_sso_providers) for dynamic provider loading
   - ProviderLoader service for YAML or database configuration

   Admin functionality:
   - Admin::SsoProvidersController for CRUD operations
   - Admin::UsersController for super_admin role management
   - Pundit policies for authorization
   - Test connection endpoint for validating provider config

   User provisioning improvements:
   - JIT (just-in-time) account creation with configurable default role
   - Changed default JIT role from admin to member (security)
   - User attribute sync on each SSO login
   - Group/role mapping from IdP claims

   SSO identity management:
   - Settings::SsoIdentitiesController for users to manage connected accounts
   - Issuer validation for OIDC identities
   - Unlink protection when no password set

   Audit logging:
   - SsoAuditLog model tracking login, logout, link, unlink, JIT creation
   - Captures IP address, user agent, and metadata

   Advanced OIDC features:
   - Custom scopes per provider
   - Configurable prompt parameter (login, consent, select_account, none)
   - RP-initiated logout (federated logout to IdP)
   - id_token storage for logout

   SAML 2.0 support:
   - omniauth-saml gem integration
   - IdP metadata URL or manual configuration
   - Certificate and fingerprint validation
   - NameID format configuration
2026-01-03 17:56:42 -05:00

46 lines
1.6 KiB
Ruby
Raw Blame History

# frozen_string_literal: true
require "flipper"
require "flipper/adapters/active_record"
require "flipper/adapters/memory"
# Configure Flipper with ActiveRecord adapter for database-backed feature flags
# Falls back to memory adapter if tables don't exist yet (during migrations)
Flipper.configure do |config|
config.adapter do
begin
Flipper::Adapters::ActiveRecord.new
rescue ActiveRecord::NoDatabaseError, ActiveRecord::StatementInvalid, NameError
# Tables don't exist yet, use memory adapter as fallback
Flipper::Adapters::Memory.new
end
end
end
# Initialize feature flags IMMEDIATELY (not in after_initialize)
# This must happen before OmniAuth initializer runs
unless Rails.env.test?
begin
# Feature flag to control SSO provider source (YAML vs DB)
# ENV: AUTH_PROVIDERS_SOURCE=db|yaml
# Default: "db" for self-hosted, "yaml" for managed
auth_source = ENV.fetch("AUTH_PROVIDERS_SOURCE") do
Rails.configuration.app_mode.self_hosted? ? "db" : "yaml"
end.downcase
# Ensure feature exists before enabling/disabling
Flipper.add(:db_sso_providers) unless Flipper.exist?(:db_sso_providers)
if auth_source == "db"
Flipper.enable(:db_sso_providers)
else
Flipper.disable(:db_sso_providers)
end
rescue ActiveRecord::NoDatabaseError, ActiveRecord::StatementInvalid
# Database not ready yet (e.g., during initial setup or migrations)
# This is expected during db:create or initial setup
rescue StandardError => e
Rails.logger.warn("[Flipper] Error initializing feature flags: #{e.message}")
end
end
Reference in New Issue View Git Blame Copy Permalink