Skip to content

Add granular RBAC SSO support#7733

Open
hardillb wants to merge 9 commits into
mainfrom
sso-granular-rbac
Open

Add granular RBAC SSO support#7733
hardillb wants to merge 9 commits into
mainfrom
sso-granular-rbac

Conversation

@hardillb

@hardillb hardillb commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

fixes #7396

Description

Includes both SMAL and LDAP

Also includes a fix for the direct SSO login buttons on login page

Related Issue(s)

#7396

Checklist

  • I have read the contribution guidelines
  • Suitable unit/system level tests have been added and they pass
  • Documentation has been updated
    • Upgrade instructions
    • Configuration details
    • Concepts
  • Changes flowforge.yml?
    • Issue/PR raised on FlowFuse/helm to update ConfigMap Template
    • Issue/PR raised on FlowFuse/CloudProject to update values for Staging/Production
  • Link to Changelog Entry PR, or note why one is not needed.

Labels

  • Includes a DB migration? -> add the area:migration label

fixes #7396

Includes both SMAL and LDAP

Also includes a fix for the direct SSO login buttons on login page
@hardillb hardillb requested a review from knolleary July 6, 2026 12:06
@hardillb hardillb self-assigned this Jul 6, 2026
@codecov

codecov Bot commented Jul 6, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 51.11111% with 44 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.96%. Comparing base (cababe3) to head (3d80889).
⚠️ Report is 8 commits behind head on main.

Files with missing lines Patch % Lines
forge/ee/lib/sso/index.js 48.83% 44 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7733      +/-   ##
==========================================
- Coverage   75.39%   74.96%   -0.44%     
==========================================
  Files         428      429       +1     
  Lines       22540    22790     +250     
  Branches     5945     6032      +87     
==========================================
+ Hits        16994    17084      +90     
- Misses       5546     5706     +160     
Flag Coverage Δ
backend 74.96% <51.11%> (-0.44%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@knolleary knolleary left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've done a first pass and spotted a couple things.

It would be helpful to have some more inline comments (similar to the existing code) to help make the logic more explicit.

I need to spend some more time testing it to verify the behaviour.

Comment thread forge/db/models/Team.js
hasApplication: async function (nameOrId) {
const applicationId = M.Application.decodeHashid(nameOrId)
const application = await app.db.models.Application.findOne({
where: {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing a where clause to ensure its an Application in this team.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

will fix

Comment thread forge/ee/lib/sso/index.js
if (application) {
if (providerOpts.groupAllTeams || (providerOpts.groupTeams || []).includes(teamSlug)) {
if (desiredTeamApplicationroles[team.hashid]) {
desiredTeamApplicationroles[team.hashid][application.hashid] = Math.max(desiredTeamApplicationroles[teamSlug][application.hashid] || 0, applicationRole)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is a mix of team.hashid and teamSlug when keying into desiredTeamApplicationroles to read from it, but its only written to via team.hashid. Need to verify if that's intentional.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, they probably should all be teamSlug

Given it's at the team level and we only ever use slugs for team ids in group names it should be OK. But I didn't test with 2 groups for the same application (one name, one hash id) with different role values, I will do that and push needed changes.

@knolleary fixed things based on first pass comments
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

SSO: enable SAML group management of granular RBAC

2 participants