Add configurable multi-provider SSO, SSO-only mode, and JIT controls via auth.yml (#441)

* Add configuration and logic for dynamic SSO provider support and stricter JIT account creation - Introduced `config/auth.yml` for centralized auth configuration and documentation. - Added support for multiple SSO providers, including Google, GitHub, and OpenID Connect. - Implemented stricter JIT SSO account creation modes (`create_and_link` vs `link_only`). - Enabled optional restriction of JIT creation by allowed email domains. - Enhanced OmniAuth initializer for dynamic provider setup and better configurability. - Refined login UI to handle local login disabling and emergency super-admin override. - Updated account creation flow to respect JIT mode and domain checks. - Added tests for SSO account creation, login form visibility, and emergency overrides. # Conflicts: # app/controllers/sessions_controller.rb * remove non-translation * Refactor authentication views to use translation keys and update locale files - Extracted hardcoded strings in `oidc_accounts/link.html.erb` and `sessions/new.html.erb` into translation keys for better localization support. - Added missing translations for English and Spanish in `sessions` and `oidc_accounts` locale files. * Enhance OmniAuth provider configuration and refine local login override logic - Updated OmniAuth initializer to support dynamic provider configuration with `name` and scoped parameters for Google and GitHub. - Improved local login logic to enforce stricter handling of super-admin override when local login is disabled. - Added test for invalid super-admin override credentials. * Document Google sign-in configuration for local development and self-hosted environments --------- Co-authored-by: Josh Waldrep <joshua.waldrep5+github@gmail.com>
2026-04-12 16:47:22 +00:00 · 2025-12-23 18:15:53 -05:00
parent 8972cb59f0
commit b23711ae0d
19 changed files with 788 additions and 97 deletions
--- a/test/controllers/sessions_controller_test.rb
+++ b/test/controllers/sessions_controller_test.rb
@@ -43,6 +43,71 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
    assert_equal "Invalid email or password.", flash[:alert]
  end

+  test "redirects when local login is disabled" do
+    AuthConfig.stubs(:local_login_enabled?).returns(false)
+    AuthConfig.stubs(:local_admin_override_enabled?).returns(false)
+
+    post sessions_url, params: { email: @user.email, password: user_password_test }
+
+    assert_redirected_to new_session_path
+    assert_equal "Local password login is disabled. Please use single sign-on.", flash[:alert]
+  end
+
+  test "allows super admin local login when override enabled" do
+    super_admin = users(:sure_support_staff)
+
+    AuthConfig.stubs(:local_login_enabled?).returns(false)
+    AuthConfig.stubs(:local_admin_override_enabled?).returns(true)
+
+    post sessions_url, params: { email: super_admin.email, password: user_password_test }
+
+    assert_redirected_to root_path
+    assert Session.exists?(user_id: super_admin.id)
+  end
+
+  test "shows invalid credentials for super admin when override enabled but password is wrong" do
+    super_admin = users(:sure_support_staff)
+
+    AuthConfig.stubs(:local_login_enabled?).returns(false)
+    AuthConfig.stubs(:local_admin_override_enabled?).returns(true)
+
+    post sessions_url, params: { email: super_admin.email, password: "bad" }
+
+    assert_response :unprocessable_entity
+    assert_equal "Invalid email or password.", flash[:alert]
+  end
+
+  test "blocks non-super-admin local login when override enabled" do
+    AuthConfig.stubs(:local_login_enabled?).returns(false)
+    AuthConfig.stubs(:local_admin_override_enabled?).returns(true)
+
+    post sessions_url, params: { email: @user.email, password: user_password_test }
+
+    assert_redirected_to new_session_path
+    assert_equal "Local password login is disabled. Please use single sign-on.", flash[:alert]
+  end
+
+  test "renders multiple SSO provider buttons" do
+    AuthConfig.stubs(:local_login_form_visible?).returns(true)
+    AuthConfig.stubs(:password_features_enabled?).returns(true)
+    AuthConfig.stubs(:sso_providers).returns([
+      { id: "oidc", strategy: "openid_connect", name: "openid_connect", label: "Sign in with Keycloak", icon: "key" },
+      { id: "google", strategy: "google_oauth2", name: "google_oauth2", label: "Sign in with Google", icon: "google" }
+    ])
+
+    get new_session_path
+    assert_response :success
+
+    # Generic OIDC button
+    assert_match %r{/auth/openid_connect}, @response.body
+    assert_match /Sign in with Keycloak/, @response.body
+
+    # Google-branded button
+    assert_match %r{/auth/google_oauth2}, @response.body
+    assert_match /gsi-material-button/, @response.body
+    assert_match /Sign in with Google/, @response.body
+  end
+
  test "can sign out" do
    sign_in @user
    session_record = @user.sessions.last