TDD step 6: Rails engine + dummy app + OmniAuth wiring

Fivell · Fivell · commit 89788abd5560 · 2026-04-09T20:46:34.000+02:00
Registers the gem's OmniauthCallbacksController via a singleton_class
prepend on ActiveAdmin::Devise inside a to_prepare callback so the
patch applies after ActionDispatch has set up controller autoloading.
Adds a minimal dummy Rails app under spec/dummy for request specs.
diff --git a/Gemfile b/Gemfile
@@ -3,3 +3,8 @@
 source "https://rubygems.org"
 
 gemspec
+
+# Pin Rails for the dev/test environment. The gemspec allows >= 7.2 at
+# runtime, but the dummy app and specs are validated against 7.2.
+gem "rails", "~> 7.2.0"
+gem "activerecord", "~> 7.2.0"
diff --git a/activeadmin-oidc.gemspec b/activeadmin-oidc.gemspec
@@ -39,6 +39,8 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "webmock",      ">= 3.19"
   spec.add_development_dependency "jwt",          ">= 2.7"
   spec.add_development_dependency "sqlite3",      ">= 1.7"
+  spec.add_development_dependency "sprockets-rails", ">= 3.4"
+  spec.add_development_dependency "sassc-rails",     ">= 2.1"
   spec.add_development_dependency "rake",         ">= 13.0"
   spec.add_development_dependency "rubocop",      ">= 1.60"
   spec.add_development_dependency "rubocop-rails", ">= 2.20"
diff --git a/app/controllers/active_admin/oidc/devise/omniauth_callbacks_controller.rb b/app/controllers/active_admin/oidc/devise/omniauth_callbacks_controller.rb
@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require "devise"
+
+module ActiveAdmin
+  module Oidc
+    module Devise
+      # Handles the OAuth callback from the IdP. Wiring:
+      #
+      #   # config/routes.rb (or inside ActiveAdmin::Devise.config)
+      #   devise_for :admin_users, ActiveAdmin::Devise.config.merge(
+      #     controllers: {
+      #       omniauth_callbacks: "active_admin/oidc/devise/omniauth_callbacks"
+      #     }
+      #   )
+      #
+      # The action name matches the provider name registered with Devise
+      # (`:oidc`, from ActiveAdmin::Oidc::Engine::PROVIDER_NAME).
+      class OmniauthCallbacksController < ::Devise::OmniauthCallbacksController
+        def oidc
+          auth   = request.env["omniauth.auth"] || {}
+          info   = auth["info"] || {}
+          extra  = auth.dig("extra", "raw_info") || {}
+
+          claims = extra.to_h.transform_keys(&:to_s)
+          claims["sub"]   = auth["uid"] if claims["sub"].blank? && auth["uid"].present?
+          claims["email"] = info["email"] if claims["email"].blank? && info["email"].present?
+
+          admin_user = UserProvisioner.new(
+            ActiveAdmin::Oidc.config,
+            claims:   claims,
+            provider: ActiveAdmin::Oidc::Engine::PROVIDER_NAME.to_s
+          ).call
+
+          sign_in_and_redirect admin_user, event: :authentication
+          set_flash_message(:notice, :success, kind: "OIDC") if is_navigational_format?
+        rescue ActiveAdmin::Oidc::ProvisioningError => e
+          Rails.logger.warn("[activeadmin-oidc] denial: #{e.message}")
+          flash[:alert] = ActiveAdmin::Oidc.config.access_denied_message
+          redirect_to after_omniauth_failure_path_for(resource_name)
+        end
+
+        def failure
+          Rails.logger.warn("[activeadmin-oidc] omniauth failure: #{failure_message}")
+          flash[:alert] = ActiveAdmin::Oidc.config.access_denied_message
+          redirect_to after_omniauth_failure_path_for(resource_name)
+        end
+      end
+    end
+  end
+end
diff --git a/lib/activeadmin-oidc.rb b/lib/activeadmin-oidc.rb
@@ -30,3 +30,14 @@ def reset!
 require "activeadmin/oidc/discovery"
 require "activeadmin/oidc/presets/zitadel"
 require "activeadmin/oidc/user_provisioner"
+require "rails/engine"
+require "activeadmin/oidc/engine"
+require "activeadmin/oidc/omniauth_options"
+
+module ActiveAdmin
+  module Oidc
+    def self.omniauth_options
+      OmniauthOptions.build(config)
+    end
+  end
+end
diff --git a/lib/activeadmin/oidc/engine.rb b/lib/activeadmin/oidc/engine.rb
@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require "rails/engine"
+
+module ActiveAdmin
+  module Oidc
+    # Mountable Rails engine. Ships the OmniauthCallbacksController the host
+    # app's Devise setup routes to, and exposes the hardcoded callback path
+    # all hosts share.
+    class Engine < ::Rails::Engine
+      # OmniAuth strategy name. The callback URL in the host app is
+      #   <host>/admin/auth/oidc/callback
+      # (ActiveAdmin mounts Devise under /admin by default.) Zitadel and
+      # other IdPs support multiple redirect URIs per app, so hardcoding
+      # this path keeps config surface small with no real downside.
+      PROVIDER_NAME = :oidc
+
+      # Prepended into ActiveAdmin::Devise's singleton class so that
+      # `ActiveAdmin::Devise.controllers` includes the gem's omniauth
+      # callbacks controller without any host-app wiring.
+      ControllersPatch = Module.new do
+        def controllers
+          super.merge(
+            omniauth_callbacks: "active_admin/oidc/devise/omniauth_callbacks"
+          )
+        end
+      end
+
+      # Apply the patch once ActiveAdmin::Devise is loadable. We use
+      # `to_prepare` rather than a regular initializer because
+      # `active_admin/devise` references `::Devise::SessionsController`
+      # at file load, and that constant isn't autoloadable until
+      # ActionDispatch has set up controller autoload paths — which
+      # only happens after the initializer phase.
+      initializer "activeadmin_oidc.register_controllers" do |app|
+        app.config.to_prepare do
+          require "active_admin/devise"
+          unless ::ActiveAdmin::Devise.singleton_class < ControllersPatch
+            ::ActiveAdmin::Devise.singleton_class.prepend(ControllersPatch)
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/lib/activeadmin/oidc/omniauth_options.rb b/lib/activeadmin/oidc/omniauth_options.rb
@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module ActiveAdmin
+  module Oidc
+    # Builds the options hash the host app passes to
+    # `Devise.setup { |c| c.omniauth :openid_connect, ... }`. Shape is
+    # determined by the upstream `omniauth_openid_connect` gem.
+    module OmniauthOptions
+      module_function
+
+      def build(config = ActiveAdmin::Oidc.config)
+        config.validate!
+
+        {
+          name:          Engine::PROVIDER_NAME,
+          issuer:        config.issuer,
+          discovery:     true,
+          scope:         config.scope.to_s.split(/\s+/).map(&:to_sym),
+          response_type: :code,
+          pkce:          config.pkce,
+          client_options: {
+            identifier:   config.issuer && config.client_id,
+            secret:       config.client_secret,
+            port:         nil,
+            scheme:       nil,
+            host:         nil
+          }.compact
+        }
+      end
+    end
+  end
+end
diff --git a/spec/dummy/Rakefile b/spec/dummy/Rakefile
@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require_relative "config/application"
+Rails.application.load_tasks
diff --git a/spec/dummy/app/admin/dashboard.rb b/spec/dummy/app/admin/dashboard.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+ActiveAdmin.register_page "Dashboard" do
+  menu priority: 1, label: proc { I18n.t("active_admin.dashboard") }
+
+  content title: proc { I18n.t("active_admin.dashboard") } do
+    para "Dummy dashboard."
+  end
+end
diff --git a/spec/dummy/app/assets/config/manifest.js b/spec/dummy/app/assets/config/manifest.js
@@ -0,0 +1 @@
+// no assets needed for the dummy app
diff --git a/spec/dummy/app/controllers/application_controller.rb b/spec/dummy/app/controllers/application_controller.rb
@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+class ApplicationController < ActionController::Base
+end
diff --git a/spec/dummy/app/models/admin_user.rb b/spec/dummy/app/models/admin_user.rb
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+class AdminUser < ApplicationRecord
+  devise :database_authenticatable, :omniauthable,
+         omniauth_providers: [:oidc]
+
+  validates :email, presence: true
+
+  serialize :oidc_raw_info, coder: JSON
+end
diff --git a/spec/dummy/app/models/application_record.rb b/spec/dummy/app/models/application_record.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class ApplicationRecord < ActiveRecord::Base
+  self.abstract_class = true
+end
diff --git a/spec/dummy/config.ru b/spec/dummy/config.ru
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+require_relative "config/environment"
+run Rails.application
+Rails.application.load_server
diff --git a/spec/dummy/config/application.rb b/spec/dummy/config/application.rb
@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require_relative "boot"
+
+require "rails"
+require "active_record/railtie"
+require "action_controller/railtie"
+require "action_view/railtie"
+require "action_mailer/railtie"
+begin
+  require "sprockets/railtie"
+rescue LoadError
+  # sprockets-rails is optional; dummy app uses ActiveAdmin's cssbundling/importmap defaults
+end
+
+Bundler.require(*Rails.groups)
+
+require "devise"
+require "activeadmin"
+
+# Load the gem under test.
+require "activeadmin-oidc"
+
+module Dummy
+  class Application < Rails::Application
+    config.load_defaults 7.2
+    config.eager_load = false
+    config.root = File.expand_path("..", __dir__)
+
+    config.secret_key_base = "test-secret-key-base-#{"x" * 64}"
+    config.hosts.clear
+
+    config.action_controller.allow_forgery_protection = false
+    config.session_store :cookie_store, key: "_dummy_session"
+    config.middleware.use ActionDispatch::Cookies
+    config.middleware.use config.session_store, config.session_options
+
+    config.action_dispatch.show_exceptions = :none
+    config.consider_all_requests_local = true
+    config.active_support.to_time_preserves_timezone = :zone if config.active_support.respond_to?(:to_time_preserves_timezone=)
+
+    config.logger = Logger.new($stdout)
+    config.log_level = ENV.fetch("DUMMY_LOG_LEVEL", "fatal").to_sym
+  end
+end
diff --git a/spec/dummy/config/boot.rb b/spec/dummy/config/boot.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../../Gemfile", __dir__)
+
+require "bundler/setup"
diff --git a/spec/dummy/config/environment.rb b/spec/dummy/config/environment.rb
@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require_relative "application"
+Dummy::Application.initialize!
diff --git a/spec/dummy/config/environments/test.rb b/spec/dummy/config/environments/test.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+Rails.application.configure do
+  config.cache_classes = true
+  config.eager_load = false
+  config.public_file_server.enabled = true
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+  config.action_dispatch.show_exceptions = :none
+  config.action_controller.allow_forgery_protection = false
+  config.active_support.deprecation = :stderr
+  config.active_support.disallowed_deprecation = :raise
+  config.action_mailer.delivery_method = :test
+  config.action_mailer.default_url_options = { host: "www.example.com" }
+  config.i18n.raise_on_missing_translations = false
+  config.log_level = :fatal
+end
diff --git a/spec/dummy/config/initializers/active_admin.rb b/spec/dummy/config/initializers/active_admin.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+ActiveAdmin.setup do |config|
+  config.site_title = "Dummy"
+  config.authentication_method = :authenticate_admin_user!
+  config.current_user_method   = :current_admin_user
+  config.logout_link_path = :destroy_admin_user_session_path
+
+  config.root_to = "dashboard#index"
+  config.comments = false
+
+  config.default_namespace = :admin
+
+  config.namespace :admin do |admin|
+    admin.build_menu :default do |menu|
+      menu.add label: "Dashboard", priority: 1, url: "/admin"
+    end
+  end
+end
diff --git a/spec/dummy/config/initializers/activeadmin_oidc.rb b/spec/dummy/config/initializers/activeadmin_oidc.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+ActiveAdmin::Oidc.configure do |c|
+  c.issuer    = "https://idp.example.com"
+  c.client_id = "client-abc"
+  # client_secret intentionally blank so PKCE auto-enables in specs.
+  c.on_login = ->(admin_user, claims) {
+    # Default dummy on_login: accept, set department if provided.
+    admin_user.department = claims["department"] if claims.key?("department")
+    true
+  }
+end
diff --git a/spec/dummy/config/initializers/devise.rb b/spec/dummy/config/initializers/devise.rb
@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+Devise.setup do |config|
+  config.mailer_sender = "please-change-me@example.com"
+  require "devise/orm/active_record"
+
+  config.case_insensitive_keys = [:email]
+  config.strip_whitespace_keys = [:email]
+  config.skip_session_storage = [:http_auth]
+  config.stretches = Rails.env.test? ? 1 : 11
+  config.reconfirmable = true
+  config.expire_all_remember_me_on_sign_out = true
+  config.password_length = 6..128
+  config.email_regexp = /\A[^@\s]+@[^@\s]+\z/
+  config.reset_password_within = 6.hours
+  config.sign_out_via = :delete
+
+  # Wire omniauth_openid_connect via the gem. Deliberately lazy so that
+  # specs that `reset!` the config mid-test work without warnings — we
+  # register a minimal fake provider up front and rely on the test suite
+  # to mock omniauth.auth.
+  require "omniauth_openid_connect"
+
+  config.omniauth :openid_connect,
+                  name:          :oidc,
+                  issuer:        "https://idp.example.com",
+                  discovery:     false,
+                  scope:         %i[openid email profile],
+                  response_type: :code,
+                  client_options: {
+                    identifier: "client-abc",
+                    secret:     "client-secret",
+                    port:       443,
+                    scheme:     "https",
+                    host:       "idp.example.com",
+                    authorization_endpoint: "/oauth/authorize",
+                    token_endpoint:         "/oauth/token",
+                    userinfo_endpoint:      "/oauth/userinfo",
+                    jwks_uri:               "/oauth/keys"
+                  }
+end
diff --git a/spec/dummy/config/routes.rb b/spec/dummy/config/routes.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+Rails.application.routes.draw do
+  devise_for :admin_users, ActiveAdmin::Devise.config
+  ActiveAdmin.routes(self)
+  root to: redirect("/admin")
+end
diff --git a/spec/dummy/db/schema.rb b/spec/dummy/db/schema.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+ActiveRecord::Schema[7.2].define(version: 0) do
+  create_table :admin_users, force: :cascade do |t|
+    t.string   :email
+    t.string   :username
+    t.string   :encrypted_password, default: "", null: false
+    t.string   :provider
+    t.string   :uid
+    t.text     :oidc_raw_info
+    t.string   :department
+    t.timestamps
+  end
+
+  add_index :admin_users, :email, unique: true
+  add_index :admin_users, %i[provider uid], unique: true,
+                                            where: "provider IS NOT NULL AND uid IS NOT NULL",
+                                            name: "index_admin_users_on_provider_and_uid"
+end
diff --git a/spec/rails_helper.rb b/spec/rails_helper.rb
diff --git a/spec/requests/boot_spec.rb b/spec/requests/boot_spec.rb
diff --git a/spec/support/active_record_setup.rb b/spec/support/active_record_setup.rb
diff --git a/spec/unit/_active_record_setup.rb b/spec/unit/_active_record_setup.rb
diff --git a/spec/unit/user_provisioner_spec.rb b/spec/unit/user_provisioner_spec.rb

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +# frozen_string_literal: true
++
 +class ApplicationController < ActionController::Base
 +end