auto-register OmniAuth strategy, active_for_authentication guard, test helpers

Fivell · Fivell · commit 3e90441b95eb · 2026-04-10T11:08:20.000+02:00
- Engine auto-registers config.omniauth :openid_connect from gem config,
  eliminating ~20 lines of boilerplate from host app's devise.rb
- Engine auto-sets omniauth_path_prefix to /admin/auth
- Callback controller checks active_for_authentication? after provisioning,
  so disabled/locked users are rejected on initial OmniAuth sign-in
  (Devise only checks on session deserialization, not initial sign-in)
- Engine only prepends gem views if host app has no own login view override
- Add redirect_uri to Configuration for custom callback URLs
- Ship ActiveAdmin::Oidc::TestHelpers and RSpecSupport for host apps
  (stub_oidc_sign_in, stub_oidc_failure, oidc_mode tag filtering)
diff --git a/app/controllers/active_admin/oidc/devise/omniauth_callbacks_controller.rb b/app/controllers/active_admin/oidc/devise/omniauth_callbacks_controller.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require "devise"
+require 'devise'
 
 module ActiveAdmin
   module Oidc
@@ -18,28 +18,38 @@ module Devise
       # (`:oidc`, from ActiveAdmin::Oidc::Engine::PROVIDER_NAME).
       class OmniauthCallbacksController < ::Devise::OmniauthCallbacksController
         def oidc
-          auth  = request.env["omniauth.auth"] || {}
-          info  = auth["info"] || {}
+          auth  = request.env['omniauth.auth'] || {}
+          info  = auth['info'] || {}
           # Defensive: an OIDC strategy is supposed to put a Hash at
           # extra.raw_info, but a misbehaving/custom strategy could
           # set something else (String, nil, Array). We only trust a
           # Hash-shaped value; anything else collapses to {} and we
           # rebuild `sub`/`email` from the top-level auth hash below.
-          extra = auth.dig("extra", "raw_info")
+          extra = auth.dig('extra', 'raw_info')
           extra = {} unless extra.is_a?(Hash)
 
           claims = extra.to_h.transform_keys(&:to_s)
-          claims["sub"]   = auth["uid"] if claims["sub"].blank? && auth["uid"].present?
-          claims["email"] = info["email"] if claims["email"].blank? && info["email"].present?
+          claims['sub']   = auth['uid'] if claims['sub'].blank? && auth['uid'].present?
+          claims['email'] = info['email'] if claims['email'].blank? && info['email'].present?
 
           admin_user = UserProvisioner.new(
             ActiveAdmin::Oidc.config,
-            claims:   claims,
+            claims: claims,
             provider: ActiveAdmin::Oidc::Engine::PROVIDER_NAME.to_s
           ).call
 
+          # Devise checks active_for_authentication? on session
+          # deserialization but NOT on initial OmniAuth sign-in.
+          # Guard here so disabled/locked users are rejected immediately.
+          unless admin_user.active_for_authentication?
+            message = admin_user.inactive_message
+            flash[:alert] = I18n.t("devise.failure.#{message}", default: message.to_s)
+            redirect_to after_omniauth_failure_path_for(resource_name)
+            return
+          end
+
           sign_in_and_redirect admin_user, event: :authentication
-          set_flash_message(:notice, :success, kind: "OIDC") if is_navigational_format?
+          set_flash_message(:notice, :success, kind: 'OIDC') if is_navigational_format?
         rescue ActiveAdmin::Oidc::ProvisioningError => e
           Rails.logger.warn("[activeadmin-oidc] denial: #{e.message}")
           flash[:alert] = ActiveAdmin::Oidc.config.access_denied_message
@@ -61,7 +71,7 @@ def failure
         # it's rarely what an admin user wants to see. ActiveAdmin
         # always mounts at `/admin`, so we go there directly.
         def after_sign_in_path_for(resource)
-          stored_location_for(resource) || "/admin"
+          stored_location_for(resource) || '/admin'
         end
       end
     end
diff --git a/lib/activeadmin/oidc/configuration.rb b/lib/activeadmin/oidc/configuration.rb
@@ -3,16 +3,17 @@
 module ActiveAdmin
   module Oidc
     class Configuration
-      DEFAULT_SCOPE               = "openid email profile"
+      DEFAULT_SCOPE               = 'openid email profile'
       DEFAULT_TIMEOUT             = 5
       DEFAULT_IDENTITY_ATTRIBUTE  = :email
       DEFAULT_IDENTITY_CLAIM      = :email
-      DEFAULT_LOGIN_BUTTON_LABEL  = "Sign in with SSO"
-      DEFAULT_ADMIN_USER_CLASS    = "AdminUser"
+      DEFAULT_LOGIN_BUTTON_LABEL  = 'Sign in with SSO'
+      DEFAULT_ADMIN_USER_CLASS    = 'AdminUser'
       DEFAULT_ACCESS_DENIED_MESSAGE =
-        "Your account has no permission to access this admin panel."
+        'Your account has no permission to access this admin panel.'
 
       attr_accessor :issuer, :client_id, :client_secret, :scope,
+                    :redirect_uri,
                     :login_button_label, :timeout,
                     :identity_attribute, :identity_claim,
                     :access_denied_message, :on_login, :admin_user_class
@@ -26,6 +27,7 @@ def reset!
         @client_id             = nil
         @client_secret         = nil
         @scope                 = DEFAULT_SCOPE
+        @redirect_uri          = nil
         @login_button_label    = DEFAULT_LOGIN_BUTTON_LABEL
         @timeout               = DEFAULT_TIMEOUT
         @identity_attribute    = DEFAULT_IDENTITY_ATTRIBUTE
@@ -48,12 +50,10 @@ def pkce=(value)
       end
 
       def validate!
-        raise ConfigurationError, "issuer is required"    if issuer.blank?
-        raise ConfigurationError, "client_id is required" if client_id.blank?
-        raise ConfigurationError, "on_login is required"  if on_login.nil?
-        unless on_login.respond_to?(:call)
-          raise ConfigurationError, "on_login must be callable (respond to #call)"
-        end
+        raise ConfigurationError, 'issuer is required'    if issuer.blank?
+        raise ConfigurationError, 'client_id is required' if client_id.blank?
+        raise ConfigurationError, 'on_login is required'  if on_login.nil?
+        raise ConfigurationError, 'on_login must be callable (respond to #call)' unless on_login.respond_to?(:call)
 
         true
       end
diff --git a/lib/activeadmin/oidc/engine.rb b/lib/activeadmin/oidc/engine.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require "rails/engine"
+require 'rails/engine'
 
 module ActiveAdmin
   module Oidc
@@ -13,41 +13,83 @@ class Engine < ::Rails::Engine
       def self.oidc_enabled?
         admin_class = ActiveAdmin::Oidc.config.admin_user_class
         klass = admin_class.is_a?(String) ? admin_class.safe_constantize : admin_class
-        klass&.respond_to?(:devise_modules) && klass.devise_modules.include?(:omniauthable)
+        klass.respond_to?(:devise_modules) && klass.devise_modules.include?(:omniauthable)
       end
 
       ControllersPatch = Module.new do
         def controllers
           result = super
           if Engine.oidc_enabled?
             result = result.merge(
-              omniauth_callbacks: "active_admin/oidc/devise/omniauth_callbacks"
+              omniauth_callbacks: 'active_admin/oidc/devise/omniauth_callbacks'
             )
           end
           result
         end
       end
 
-      initializer "activeadmin_oidc.register_controllers" do |app|
+      initializer 'activeadmin_oidc.register_controllers' do |app|
         app.config.to_prepare do
-          require "active_admin/devise"
+          require 'active_admin/devise'
           unless ::ActiveAdmin::Devise.singleton_class < ControllersPatch
             ::ActiveAdmin::Devise.singleton_class.prepend(ControllersPatch)
           end
         end
       end
 
-      initializer "activeadmin_oidc.prepend_view_paths" do |app|
+      initializer 'activeadmin_oidc.prepend_view_paths' do |app|
         app.config.to_prepare do
           if Engine.oidc_enabled?
-            require "active_admin/devise"
-            view_path = File.expand_path("../../../app/views", __dir__)
-            ::ActiveAdmin::Devise::SessionsController.prepend_view_path(view_path)
+            require 'active_admin/devise'
+            # Only prepend the gem's SSO-only login view if the host app
+            # doesn't ship its own override. This avoids the need for hosts
+            # to re-prepend their views after the gem.
+            host_view = ::Rails.root.join(
+              'app/views/active_admin/devise/sessions/new.html.erb'
+            )
+            unless host_view.exist?
+              view_path = File.expand_path('../../../app/views', __dir__)
+              ::ActiveAdmin::Devise::SessionsController.prepend_view_path(view_path)
+            end
           end
         end
       end
 
-      initializer "activeadmin_oidc.filter_parameters" do |app|
+      # Automatically register the OmniAuth :openid_connect strategy with
+      # Devise when the gem is configured, so host apps don't have to
+      # duplicate the config.omniauth boilerplate in devise.rb.
+      # Runs before Devise's own initializer so the strategy is available
+      # when the model calls `devise :omniauthable`.
+      initializer 'activeadmin_oidc.register_omniauth_strategy', before: 'devise.omniauth' do
+        cfg = ActiveAdmin::Oidc.config
+        next if cfg.issuer.blank? || cfg.client_id.blank?
+
+        require 'omniauth_openid_connect'
+
+        ::Devise.setup do |devise|
+          # ActiveAdmin mounts Devise under /admin, so OmniAuth middleware
+          # must intercept /admin/auth/:provider.
+          devise.omniauth_path_prefix ||= '/admin/auth'
+
+          devise.omniauth :openid_connect,
+                          name: PROVIDER_NAME,
+                          scope: (cfg.scope || 'openid email profile').split,
+                          response_type: :code,
+                          issuer: cfg.issuer,
+                          discovery: true,
+                          pkce: cfg.pkce,
+                          client_options: {
+                            identifier: cfg.client_id,
+                            secret: cfg.client_secret.presence,
+                            redirect_uri: cfg.redirect_uri,
+                            port: nil,
+                            scheme: nil,
+                            host: nil
+                          }.compact
+        end
+      end
+
+      initializer 'activeadmin_oidc.filter_parameters' do |app|
         app.config.filter_parameters |= %i[code id_token access_token refresh_token state nonce]
       end
     end
diff --git a/lib/activeadmin/oidc/test_helpers.rb b/lib/activeadmin/oidc/test_helpers.rb
@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+require 'omniauth'
+
+module ActiveAdmin
+  module Oidc
+    # Test helpers for host apps. Include in your RSpec config:
+    #
+    #   require "activeadmin/oidc/test_helpers"
+    #
+    #   RSpec.configure do |config|
+    #     config.include ActiveAdmin::Oidc::TestHelpers, oidc_mode: true
+    #     config.after(:each, :oidc_mode) { reset_oidc_stubs }
+    #   end
+    #
+    # Then in specs tagged `oidc_mode: true`:
+    #
+    #   before { stub_oidc_sign_in(sub: "alice-sub", claims: { "email" => "a@b" }) }
+    #
+    module TestHelpers
+      DEFAULT_CLAIMS = {
+        'preferred_username' => 'alice',
+        'email' => 'alice@test',
+        'roles' => ['admin']
+      }.freeze
+
+      # Stubs OmniAuth to return a successful OIDC auth hash.
+      # Merges the given claims with DEFAULT_CLAIMS.
+      def stub_oidc_sign_in(sub: 'alice-sub', claims: {})
+        merged = DEFAULT_CLAIMS.merge(claims.transform_keys(&:to_s))
+        OmniAuth.config.test_mode = true
+        OmniAuth.config.mock_auth[:oidc] = OmniAuth::AuthHash.new(
+          provider: 'oidc',
+          uid: sub,
+          info: {
+            email: merged['email'],
+            name: merged['name'],
+            nickname: merged['preferred_username']
+          },
+          credentials: {},
+          extra: { raw_info: merged.merge('sub' => sub) }
+        )
+      end
+
+      # Stubs OmniAuth to simulate a strategy failure.
+      def stub_oidc_failure(message_key = :invalid_credentials)
+        OmniAuth.config.test_mode = true
+        OmniAuth.config.mock_auth[:oidc] = message_key
+      end
+
+      # Resets OmniAuth test mode. Call in an `after` hook.
+      def reset_oidc_stubs
+        OmniAuth.config.mock_auth[:oidc] = nil
+        OmniAuth.config.test_mode = false
+      end
+    end
+
+    # RSpec support for oidc_mode tag filtering.
+    # Require this file in spec_helper or rails_helper to auto-configure:
+    #
+    #   require "activeadmin/oidc/test_helpers"
+    #
+    # Specs tagged `oidc_mode: true` will be skipped unless the AdminUser
+    # model has :omniauthable loaded. Set CI_RUN_OIDC=true in your CI job
+    # to run only OIDC-tagged specs.
+    module RSpecSupport
+      def self.install!
+        return unless defined?(RSpec)
+
+        RSpec.configure do |config|
+          config.include TestHelpers, oidc_mode: true
+          config.after(:each, :oidc_mode) { reset_oidc_stubs }
+
+          config.before(:each, :oidc_mode) do
+            admin_class = ActiveAdmin::Oidc.config.admin_user_class
+            klass = admin_class.is_a?(String) ? admin_class.safe_constantize : admin_class
+            unless klass.respond_to?(:devise_modules) && klass.devise_modules.include?(:omniauthable)
+              skip 'requires OIDC mode (run with config/oidc.yml in place and CI_RUN_OIDC=true)'
+            end
+          end
+
+          if ENV['CI_RUN_OIDC'].present?
+            config.filter_run_including oidc_mode: true
+          else
+            config.filter_run_excluding oidc_mode: true
+          end
+        end
+      end
+    end
+  end
+end
+
+# Auto-install RSpec support when required during a test run.
+ActiveAdmin::Oidc::RSpecSupport.install!
diff --git a/spec/dummy/app/models/admin_user.rb b/spec/dummy/app/models/admin_user.rb
@@ -7,4 +7,8 @@ class AdminUser < ApplicationRecord
   validates :email, presence: true
 
   serialize :oidc_raw_info, coder: JSON
+
+  def active_for_authentication?
+    super && enabled?
+  end
 end
diff --git a/spec/dummy/db/schema.rb b/spec/dummy/db/schema.rb
@@ -9,6 +9,7 @@
     t.string   :uid
     t.text     :oidc_raw_info
     t.string   :department
+    t.boolean  :enabled, default: true
     t.timestamps
   end
 
diff --git a/spec/requests/omniauth_callback_spec.rb b/spec/requests/omniauth_callback_spec.rb
@@ -149,6 +149,23 @@ def trigger_callback
     end
   end
 
+  context "disabled user (active_for_authentication? returns false)" do
+    it "does not sign in the user and redirects to login" do
+      AdminUser.create!(
+        email:    "disabled@example.com",
+        provider: "oidc",
+        uid:      "sub-disabled",
+        enabled:  false
+      )
+
+      OmniAuth.config.mock_auth[:oidc] =
+        build_auth_hash(uid: "sub-disabled", email: "disabled@example.com")
+
+      trigger_callback
+      expect(response).to redirect_to("/admin/login")
+    end
+  end
+
   context "OmniAuth strategy failure (e.g. invalid_credentials)" do
     before do
       OmniAuth.config.mock_auth[:oidc] = :invalid_credentials
