mirror of
https://github.com/we-promise/sure.git
synced 2026-04-10 15:54:48 +00:00
14993d871c
Multi-provider SSO support: - Database-backed SSO provider management with admin UI - Support for OpenID Connect, Google OAuth2, GitHub, and SAML 2.0 - Flipper feature flag (db_sso_providers) for dynamic provider loading - ProviderLoader service for YAML or database configuration Admin functionality: - Admin::SsoProvidersController for CRUD operations - Admin::UsersController for super_admin role management - Pundit policies for authorization - Test connection endpoint for validating provider config User provisioning improvements: - JIT (just-in-time) account creation with configurable default role - Changed default JIT role from admin to member (security) - User attribute sync on each SSO login - Group/role mapping from IdP claims SSO identity management: - Settings::SsoIdentitiesController for users to manage connected accounts - Issuer validation for OIDC identities - Unlink protection when no password set Audit logging: - SsoAuditLog model tracking login, logout, link, unlink, JIT creation - Captures IP address, user agent, and metadata Advanced OIDC features: - Custom scopes per provider - Configurable prompt parameter (login, consent, select_account, none) - RP-initiated logout (federated logout to IdP) - id_token storage for logout SAML 2.0 support: - omniauth-saml gem integration - IdP metadata URL or manual configuration - Certificate and fingerprint validation - NameID format configuration
195 lines
5.5 KiB
Ruby
195 lines
5.5 KiB
Ruby
require "test_helper"
|
|
|
|
class OidcAccountsControllerTest < ActionController::TestCase
|
|
setup do
|
|
@user = users(:family_admin)
|
|
end
|
|
|
|
def pending_auth
|
|
{
|
|
"provider" => "openid_connect",
|
|
"uid" => "new-uid-12345",
|
|
"email" => @user.email,
|
|
"name" => "Bob Dylan",
|
|
"first_name" => "Bob",
|
|
"last_name" => "Dylan"
|
|
}
|
|
end
|
|
|
|
test "should show link page when pending auth exists" do
|
|
session[:pending_oidc_auth] = pending_auth
|
|
get :link
|
|
assert_response :success
|
|
end
|
|
|
|
test "should redirect to login when no pending auth" do
|
|
get :link
|
|
assert_redirected_to new_session_path
|
|
assert_equal "No pending OIDC authentication found", flash[:alert]
|
|
end
|
|
|
|
test "should create OIDC identity with valid password" do
|
|
session[:pending_oidc_auth] = pending_auth
|
|
|
|
assert_difference "OidcIdentity.count", 1 do
|
|
post :create_link,
|
|
params: {
|
|
email: @user.email,
|
|
password: user_password_test
|
|
}
|
|
end
|
|
|
|
assert_redirected_to root_path
|
|
assert_not_nil @user.oidc_identities.find_by(
|
|
provider: pending_auth["provider"],
|
|
uid: pending_auth["uid"]
|
|
)
|
|
end
|
|
|
|
test "should reject linking with invalid password" do
|
|
session[:pending_oidc_auth] = pending_auth
|
|
|
|
assert_no_difference "OidcIdentity.count" do
|
|
post :create_link,
|
|
params: {
|
|
email: @user.email,
|
|
password: "wrongpassword"
|
|
}
|
|
end
|
|
|
|
assert_response :unprocessable_entity
|
|
assert_equal "Invalid email or password", flash[:alert]
|
|
end
|
|
|
|
test "should redirect to MFA when user has MFA enabled" do
|
|
@user.setup_mfa!
|
|
@user.enable_mfa!
|
|
|
|
session[:pending_oidc_auth] = pending_auth
|
|
|
|
post :create_link,
|
|
params: {
|
|
email: @user.email,
|
|
password: user_password_test
|
|
}
|
|
|
|
assert_redirected_to verify_mfa_path
|
|
end
|
|
|
|
test "should reject create_link when no pending auth" do
|
|
post :create_link, params: {
|
|
email: @user.email,
|
|
password: user_password_test
|
|
}
|
|
|
|
assert_redirected_to new_session_path
|
|
assert_equal "No pending OIDC authentication found", flash[:alert]
|
|
end
|
|
|
|
# New user registration tests
|
|
def new_user_auth
|
|
{
|
|
"provider" => "openid_connect",
|
|
"uid" => "new-uid-99999",
|
|
"email" => "newuser@example.com",
|
|
"name" => "New User",
|
|
"first_name" => "New",
|
|
"last_name" => "User"
|
|
}
|
|
end
|
|
|
|
test "should show create account option for new user" do
|
|
session[:pending_oidc_auth] = new_user_auth
|
|
|
|
get :link
|
|
assert_response :success
|
|
assert_select "h3", text: "Create New Account"
|
|
assert_select "strong", text: new_user_auth["email"]
|
|
end
|
|
|
|
test "does not show create account button when JIT link-only mode" do
|
|
session[:pending_oidc_auth] = new_user_auth
|
|
|
|
AuthConfig.stubs(:jit_link_only?).returns(true)
|
|
AuthConfig.stubs(:allowed_oidc_domain?).returns(true)
|
|
|
|
get :link
|
|
assert_response :success
|
|
|
|
assert_select "h3", text: "Create New Account"
|
|
# No create account button rendered
|
|
assert_select "button", text: "Create Account", count: 0
|
|
assert_select "p", text: /New account creation via single sign-on is disabled/
|
|
end
|
|
|
|
test "create_user redirects when JIT link-only mode" do
|
|
session[:pending_oidc_auth] = new_user_auth
|
|
|
|
AuthConfig.stubs(:jit_link_only?).returns(true)
|
|
AuthConfig.stubs(:allowed_oidc_domain?).returns(true)
|
|
|
|
assert_no_difference [ "User.count", "OidcIdentity.count", "Family.count" ] do
|
|
post :create_user
|
|
end
|
|
|
|
assert_redirected_to new_session_path
|
|
assert_equal "SSO account creation is disabled. Please contact an administrator.", flash[:alert]
|
|
end
|
|
|
|
test "create_user redirects when email domain not allowed" do
|
|
disallowed_auth = new_user_auth.merge("email" => "newuser@notallowed.com")
|
|
session[:pending_oidc_auth] = disallowed_auth
|
|
|
|
AuthConfig.stubs(:jit_link_only?).returns(false)
|
|
AuthConfig.stubs(:allowed_oidc_domain?).with(disallowed_auth["email"]).returns(false)
|
|
|
|
assert_no_difference [ "User.count", "OidcIdentity.count", "Family.count" ] do
|
|
post :create_user
|
|
end
|
|
|
|
assert_redirected_to new_session_path
|
|
assert_equal "SSO account creation is disabled. Please contact an administrator.", flash[:alert]
|
|
end
|
|
|
|
test "should create new user account via OIDC" do
|
|
session[:pending_oidc_auth] = new_user_auth
|
|
|
|
assert_difference [ "User.count", "OidcIdentity.count", "Family.count" ], 1 do
|
|
post :create_user
|
|
end
|
|
|
|
assert_redirected_to root_path
|
|
assert_equal "Welcome! Your account has been created.", flash[:notice]
|
|
|
|
# Verify user was created with correct details
|
|
new_user = User.find_by(email: new_user_auth["email"])
|
|
assert_not_nil new_user
|
|
assert_equal new_user_auth["first_name"], new_user.first_name
|
|
assert_equal new_user_auth["last_name"], new_user.last_name
|
|
assert_equal "member", new_user.role
|
|
|
|
# Verify OIDC identity was created
|
|
oidc_identity = new_user.oidc_identities.first
|
|
assert_not_nil oidc_identity
|
|
assert_equal new_user_auth["provider"], oidc_identity.provider
|
|
assert_equal new_user_auth["uid"], oidc_identity.uid
|
|
end
|
|
|
|
test "should create session after OIDC registration" do
|
|
session[:pending_oidc_auth] = new_user_auth
|
|
|
|
post :create_user
|
|
|
|
# Verify session was created
|
|
new_user = User.find_by(email: new_user_auth["email"])
|
|
assert Session.exists?(user_id: new_user.id)
|
|
end
|
|
|
|
test "should reject create_user when no pending auth" do
|
|
post :create_user
|
|
|
|
assert_redirected_to new_session_path
|
|
assert_equal "No pending OIDC authentication found", flash[:alert]
|
|
end
|
|
end
|