Move SSO clients from config to database

- Add sso_clients table (migration 000010) with client_id, redirect_uri, tags (JSON), enabled flag, and audit timestamps - Add SSOClient model struct and audit events - Implement DB CRUD with 10 unit tests - Add REST API: GET/POST/PATCH/DELETE /v1/sso/clients (policy-gated) - Add gRPC SSOClientService with 5 RPCs (admin-only) - Add mciasctl sso list/create/get/update/delete commands - Add web UI admin page at /sso-clients with HTMX create/toggle/delete - Migrate handleSSOAuthorize and handleSSOTokenExchange to use DB - Remove SSOConfig, SSOClient struct, lookup methods from config - Simplify: client_id = service_name for policy evaluation Security: - SSO client CRUD is admin-only (policy-gated REST, requireAdmin gRPC) - redirect_uri must use https:// (validated at DB layer) - Disabled clients are rejected at both authorize and token exchange - All mutations write audit events Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 23:47:53 -07:00
parent 4430ce38a4
commit df7773229c
24 changed files with 2284 additions and 217 deletions
--- a/web/templates/fragments/sso_client_row.html
+++ b/web/templates/fragments/sso_client_row.html
@@ -0,0 +1,31 @@
+{{define "sso_client_row"}}
+<tr id="sso-client-row-{{.ClientID}}">
+  <td><strong>{{.ClientID}}</strong></td>
+  <td><code style="font-size:0.85em">{{.RedirectURI}}</code></td>
+  <td>{{range .Tags}}<span class="badge">{{.}}</span> {{end}}</td>
+  <td>
+    {{if .Enabled}}<span class="badge badge-active">enabled</span>
+    {{else}}<span class="badge badge-inactive">disabled</span>{{end}}
+  </td>
+  <td class="d-flex gap-1">
+    {{if .Enabled}}
+    <button class="btn btn-sm btn-secondary"
+            hx-patch="/sso-clients/{{.ClientID}}/toggle"
+            hx-vals='{"enabled":"false"}'
+            hx-target="#sso-client-row-{{.ClientID}}"
+            hx-swap="outerHTML">Disable</button>
+    {{else}}
+    <button class="btn btn-sm btn-primary"
+            hx-patch="/sso-clients/{{.ClientID}}/toggle"
+            hx-vals='{"enabled":"true"}'
+            hx-target="#sso-client-row-{{.ClientID}}"
+            hx-swap="outerHTML">Enable</button>
+    {{end}}
+    <button class="btn btn-sm btn-danger"
+            hx-delete="/sso-clients/{{.ClientID}}"
+            hx-target="#sso-client-row-{{.ClientID}}"
+            hx-swap="outerHTML"
+            hx-confirm="Delete SSO client '{{.ClientID}}'? This cannot be undone.">Delete</button>
+  </td>
+</tr>
+{{end}}