mirror of
https://github.com/we-promise/sure.git
synced 2026-04-09 07:14:47 +00:00
14993d871c
Multi-provider SSO support: - Database-backed SSO provider management with admin UI - Support for OpenID Connect, Google OAuth2, GitHub, and SAML 2.0 - Flipper feature flag (db_sso_providers) for dynamic provider loading - ProviderLoader service for YAML or database configuration Admin functionality: - Admin::SsoProvidersController for CRUD operations - Admin::UsersController for super_admin role management - Pundit policies for authorization - Test connection endpoint for validating provider config User provisioning improvements: - JIT (just-in-time) account creation with configurable default role - Changed default JIT role from admin to member (security) - User attribute sync on each SSO login - Group/role mapping from IdP claims SSO identity management: - Settings::SsoIdentitiesController for users to manage connected accounts - Issuer validation for OIDC identities - Unlink protection when no password set Audit logging: - SsoAuditLog model tracking login, logout, link, unlink, JIT creation - Captures IP address, user agent, and metadata Advanced OIDC features: - Custom scopes per provider - Configurable prompt parameter (login, consent, select_account, none) - RP-initiated logout (federated logout to IdP) - id_token storage for logout SAML 2.0 support: - omniauth-saml gem integration - IdP metadata URL or manual configuration - Certificate and fingerprint validation - NameID format configuration
60 lines
1.6 KiB
Ruby
60 lines
1.6 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require "test_helper"
|
|
|
|
class UserPolicyTest < ActiveSupport::TestCase
|
|
def setup
|
|
@super_admin = users(:family_admin)
|
|
@super_admin.update!(role: :super_admin)
|
|
|
|
@regular_user = users(:family_member)
|
|
@regular_user.update!(role: :member)
|
|
|
|
@other_user = users(:sure_support_staff)
|
|
@other_user.update!(role: :member)
|
|
end
|
|
|
|
test "super admin can view index" do
|
|
assert UserPolicy.new(@super_admin, User).index?
|
|
end
|
|
|
|
test "regular user cannot view index" do
|
|
assert_not UserPolicy.new(@regular_user, User).index?
|
|
end
|
|
|
|
test "nil user cannot view index" do
|
|
assert_not UserPolicy.new(nil, User).index?
|
|
end
|
|
|
|
test "super admin can update another user" do
|
|
assert UserPolicy.new(@super_admin, @regular_user).update?
|
|
end
|
|
|
|
test "super admin cannot update themselves" do
|
|
assert_not UserPolicy.new(@super_admin, @super_admin).update?
|
|
end
|
|
|
|
test "regular user cannot update anyone" do
|
|
assert_not UserPolicy.new(@regular_user, @other_user).update?
|
|
end
|
|
|
|
test "nil user cannot update anyone" do
|
|
assert_not UserPolicy.new(nil, @regular_user).update?
|
|
end
|
|
|
|
test "scope returns all users for super admin" do
|
|
scope = UserPolicy::Scope.new(@super_admin, User).resolve
|
|
assert_equal User.count, scope.count
|
|
end
|
|
|
|
test "scope returns no users for regular user" do
|
|
scope = UserPolicy::Scope.new(@regular_user, User).resolve
|
|
assert_equal 0, scope.count
|
|
end
|
|
|
|
test "scope returns no users for nil user" do
|
|
scope = UserPolicy::Scope.new(nil, User).resolve
|
|
assert_equal 0, scope.count
|
|
end
|
|
end
|