Add configurable multi-provider SSO, SSO-only mode, and JIT controls via auth.yml (#441)

* Add configuration and logic for dynamic SSO provider support and stricter JIT account creation

- Introduced `config/auth.yml` for centralized auth configuration and documentation.
- Added support for multiple SSO providers, including Google, GitHub, and OpenID Connect.
- Implemented stricter JIT SSO account creation modes (`create_and_link` vs `link_only`).
- Enabled optional restriction of JIT creation by allowed email domains.
- Enhanced OmniAuth initializer for dynamic provider setup and better configurability.
- Refined login UI to handle local login disabling and emergency super-admin override.
- Updated account creation flow to respect JIT mode and domain checks.
- Added tests for SSO account creation, login form visibility, and emergency overrides.

# Conflicts:
#	app/controllers/sessions_controller.rb

* remove non-translation

* Refactor authentication views to use translation keys and update locale files

- Extracted hardcoded strings in `oidc_accounts/link.html.erb` and `sessions/new.html.erb` into translation keys for better localization support.
- Added missing translations for English and Spanish in `sessions` and `oidc_accounts` locale files.

* Enhance OmniAuth provider configuration and refine local login override logic

- Updated OmniAuth initializer to support dynamic provider configuration with `name` and scoped parameters for Google and GitHub.
- Improved local login logic to enforce stricter handling of super-admin override when local login is disabled.
- Added test for invalid super-admin override credentials.

* Document Google sign-in configuration for local development and self-hosted environments

---------

Co-authored-by: Josh Waldrep <joshua.waldrep5+github@gmail.com>

test/controllers/oidc_accounts_controller_test.rb

@@ -107,6 +107,50 @@ class OidcAccountsControllerTest < ActionController::TestCase
     assert_select "strong", text: new_user_auth["email"]
   end
 
+  test "does not show create account button when JIT link-only mode" do
+    session[:pending_oidc_auth] = new_user_auth
+
+    AuthConfig.stubs(:jit_link_only?).returns(true)
+    AuthConfig.stubs(:allowed_oidc_domain?).returns(true)
+
+    get :link
+    assert_response :success
+
+    assert_select "h3", text: "Create New Account"
+    # No create account button rendered
+    assert_select "button", text: "Create Account", count: 0
+    assert_select "p", text: /New account creation via single sign-on is disabled/
+  end
+
+  test "create_user redirects when JIT link-only mode" do
+    session[:pending_oidc_auth] = new_user_auth
+
+    AuthConfig.stubs(:jit_link_only?).returns(true)
+    AuthConfig.stubs(:allowed_oidc_domain?).returns(true)
+
+    assert_no_difference [ "User.count", "OidcIdentity.count", "Family.count" ] do
+      post :create_user
+    end
+
+    assert_redirected_to new_session_path
+    assert_equal "SSO account creation is disabled. Please contact an administrator.", flash[:alert]
+  end
+
+  test "create_user redirects when email domain not allowed" do
+    disallowed_auth = new_user_auth.merge("email" => "newuser@notallowed.com")
+    session[:pending_oidc_auth] = disallowed_auth
+
+    AuthConfig.stubs(:jit_link_only?).returns(false)
+    AuthConfig.stubs(:allowed_oidc_domain?).with(disallowed_auth["email"]).returns(false)
+
+    assert_no_difference [ "User.count", "OidcIdentity.count", "Family.count" ] do
+      post :create_user
+    end
+
+    assert_redirected_to new_session_path
+    assert_equal "SSO account creation is disabled. Please contact an administrator.", flash[:alert]
+  end
+
   test "should create new user account via OIDC" do
     session[:pending_oidc_auth] = new_user_auth
 

test/controllers/password_resets_controller_test.rb

@@ -27,4 +27,25 @@ class PasswordResetsControllerTest < ActionDispatch::IntegrationTest
       params: { user: { password: "password", password_confirmation: "password" } }
     assert_redirected_to new_session_url
   end
+
+  test "all actions redirect when password features are disabled" do
+    AuthConfig.stubs(:password_features_enabled?).returns(false)
+
+    get new_password_reset_path
+    assert_redirected_to new_session_path
+    assert_equal "Password reset via Sure is disabled. Please reset your password through your identity provider.", flash[:alert]
+
+    post password_reset_path, params: { email: @user.email }
+    assert_redirected_to new_session_path
+    assert_equal "Password reset via Sure is disabled. Please reset your password through your identity provider.", flash[:alert]
+
+    get edit_password_reset_path(token: @user.generate_token_for(:password_reset))
+    assert_redirected_to new_session_path
+    assert_equal "Password reset via Sure is disabled. Please reset your password through your identity provider.", flash[:alert]
+
+    patch password_reset_path(token: @user.generate_token_for(:password_reset)),
+      params: { user: { password: "password", password_confirmation: "password" } }
+    assert_redirected_to new_session_path
+    assert_equal "Password reset via Sure is disabled. Please reset your password through your identity provider.", flash[:alert]
+  end
 end

test/controllers/sessions_controller_test.rb

@@ -43,6 +43,71 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
     assert_equal "Invalid email or password.", flash[:alert]
   end
 
+  test "redirects when local login is disabled" do
+    AuthConfig.stubs(:local_login_enabled?).returns(false)
+    AuthConfig.stubs(:local_admin_override_enabled?).returns(false)
+
+    post sessions_url, params: { email: @user.email, password: user_password_test }
+
+    assert_redirected_to new_session_path
+    assert_equal "Local password login is disabled. Please use single sign-on.", flash[:alert]
+  end
+
+  test "allows super admin local login when override enabled" do
+    super_admin = users(:sure_support_staff)
+
+    AuthConfig.stubs(:local_login_enabled?).returns(false)
+    AuthConfig.stubs(:local_admin_override_enabled?).returns(true)
+
+    post sessions_url, params: { email: super_admin.email, password: user_password_test }
+
+    assert_redirected_to root_path
+    assert Session.exists?(user_id: super_admin.id)
+  end
+
+  test "shows invalid credentials for super admin when override enabled but password is wrong" do
+    super_admin = users(:sure_support_staff)
+
+    AuthConfig.stubs(:local_login_enabled?).returns(false)
+    AuthConfig.stubs(:local_admin_override_enabled?).returns(true)
+
+    post sessions_url, params: { email: super_admin.email, password: "bad" }
+
+    assert_response :unprocessable_entity
+    assert_equal "Invalid email or password.", flash[:alert]
+  end
+
+  test "blocks non-super-admin local login when override enabled" do
+    AuthConfig.stubs(:local_login_enabled?).returns(false)
+    AuthConfig.stubs(:local_admin_override_enabled?).returns(true)
+
+    post sessions_url, params: { email: @user.email, password: user_password_test }
+
+    assert_redirected_to new_session_path
+    assert_equal "Local password login is disabled. Please use single sign-on.", flash[:alert]
+  end
+
+  test "renders multiple SSO provider buttons" do
+    AuthConfig.stubs(:local_login_form_visible?).returns(true)
+    AuthConfig.stubs(:password_features_enabled?).returns(true)
+    AuthConfig.stubs(:sso_providers).returns([
+      { id: "oidc", strategy: "openid_connect", name: "openid_connect", label: "Sign in with Keycloak", icon: "key" },
+      { id: "google", strategy: "google_oauth2", name: "google_oauth2", label: "Sign in with Google", icon: "google" }
+    ])
+
+    get new_session_path
+    assert_response :success
+
+    # Generic OIDC button
+    assert_match %r{/auth/openid_connect}, @response.body
+    assert_match /Sign in with Keycloak/, @response.body
+
+    # Google-branded button
+    assert_match %r{/auth/google_oauth2}, @response.body
+    assert_match /gsi-material-button/, @response.body
+    assert_match /Sign in with Google/, @response.body
+  end
+
   test "can sign out" do
     sign_in @user
     session_record = @user.sessions.last