mirror of
https://github.com/we-promise/sure.git
synced 2026-04-07 14:31:25 +00:00
14993d871c
Multi-provider SSO support: - Database-backed SSO provider management with admin UI - Support for OpenID Connect, Google OAuth2, GitHub, and SAML 2.0 - Flipper feature flag (db_sso_providers) for dynamic provider loading - ProviderLoader service for YAML or database configuration Admin functionality: - Admin::SsoProvidersController for CRUD operations - Admin::UsersController for super_admin role management - Pundit policies for authorization - Test connection endpoint for validating provider config User provisioning improvements: - JIT (just-in-time) account creation with configurable default role - Changed default JIT role from admin to member (security) - User attribute sync on each SSO login - Group/role mapping from IdP claims SSO identity management: - Settings::SsoIdentitiesController for users to manage connected accounts - Issuer validation for OIDC identities - Unlink protection when no password set Audit logging: - SsoAuditLog model tracking login, logout, link, unlink, JIT creation - Captures IP address, user agent, and metadata Advanced OIDC features: - Custom scopes per provider - Configurable prompt parameter (login, consent, select_account, none) - RP-initiated logout (federated logout to IdP) - id_token storage for logout SAML 2.0 support: - omniauth-saml gem integration - IdP metadata URL or manual configuration - Certificate and fingerprint validation - NameID format configuration
109 lines
2.9 KiB
Ruby
109 lines
2.9 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
class SsoAuditLog < ApplicationRecord
|
|
belongs_to :user, optional: true
|
|
|
|
# Event types for SSO audit logging
|
|
EVENT_TYPES = %w[
|
|
login
|
|
login_failed
|
|
logout
|
|
logout_idp
|
|
link
|
|
unlink
|
|
jit_account_created
|
|
].freeze
|
|
|
|
validates :event_type, presence: true, inclusion: { in: EVENT_TYPES }
|
|
|
|
scope :recent, -> { order(created_at: :desc) }
|
|
scope :for_user, ->(user) { where(user: user) }
|
|
scope :by_event, ->(event) { where(event_type: event) }
|
|
|
|
class << self
|
|
# Log a successful SSO login
|
|
def log_login!(user:, provider:, request:, metadata: {})
|
|
create!(
|
|
user: user,
|
|
event_type: "login",
|
|
provider: provider,
|
|
ip_address: request.remote_ip,
|
|
user_agent: request.user_agent&.truncate(500),
|
|
metadata: metadata
|
|
)
|
|
end
|
|
|
|
# Log a failed SSO login attempt
|
|
def log_login_failed!(provider:, request:, reason:, metadata: {})
|
|
create!(
|
|
user: nil,
|
|
event_type: "login_failed",
|
|
provider: provider,
|
|
ip_address: request.remote_ip,
|
|
user_agent: request.user_agent&.truncate(500),
|
|
metadata: metadata.merge(reason: reason)
|
|
)
|
|
end
|
|
|
|
# Log a logout (local only)
|
|
def log_logout!(user:, request:, metadata: {})
|
|
create!(
|
|
user: user,
|
|
event_type: "logout",
|
|
provider: nil,
|
|
ip_address: request.remote_ip,
|
|
user_agent: request.user_agent&.truncate(500),
|
|
metadata: metadata
|
|
)
|
|
end
|
|
|
|
# Log a federated logout (to IdP)
|
|
def log_logout_idp!(user:, provider:, request:, metadata: {})
|
|
create!(
|
|
user: user,
|
|
event_type: "logout_idp",
|
|
provider: provider,
|
|
ip_address: request.remote_ip,
|
|
user_agent: request.user_agent&.truncate(500),
|
|
metadata: metadata
|
|
)
|
|
end
|
|
|
|
# Log an account link (existing user links SSO identity)
|
|
def log_link!(user:, provider:, request:, metadata: {})
|
|
create!(
|
|
user: user,
|
|
event_type: "link",
|
|
provider: provider,
|
|
ip_address: request.remote_ip,
|
|
user_agent: request.user_agent&.truncate(500),
|
|
metadata: metadata
|
|
)
|
|
end
|
|
|
|
# Log an account unlink (user disconnects SSO identity)
|
|
def log_unlink!(user:, provider:, request:, metadata: {})
|
|
create!(
|
|
user: user,
|
|
event_type: "unlink",
|
|
provider: provider,
|
|
ip_address: request.remote_ip,
|
|
user_agent: request.user_agent&.truncate(500),
|
|
metadata: metadata
|
|
)
|
|
end
|
|
|
|
# Log JIT account creation via SSO
|
|
def log_jit_account_created!(user:, provider:, request:, metadata: {})
|
|
create!(
|
|
user: user,
|
|
event_type: "jit_account_created",
|
|
provider: provider,
|
|
ip_address: request.remote_ip,
|
|
user_agent: request.user_agent&.truncate(500),
|
|
metadata: metadata
|
|
)
|
|
end
|
|
end
|
|
end
|