Add OpenID-Connect authentication support

[jvlcek]

https://www.pivotaltracker.com/n/projects/1610127/stories/121849185

The changes introduced by this PR will provide support for enabling OpenID-Connect
authentication.

This PR depends on PR16495

Steps for Testing/QA [Optional]

1. Install and configure Identity and Access Management server, such as Keycloak, for the OpenID-Connect provider type
2. Install and configure the Apache module: mod_auth_openidc on the ManageIQ appliance to point to the Identity and Access Management server configured in step 1
3. Log into the appliance as admin and configure authentication for OpenId-Connect by checking the Provider Type: button Enable OpenID-Connect
4. Log out and back in by selecting the Log In to Corporate System button on the log in screen specifying valid credentials, as configured on the Identity and Access Management server

[jvlcek]

@miq-bot add_labels authentication, enhancement, gaprindashvili/no

[miq-bot]

@jvlcek Cannot apply the following label because they are not recognized: authentication

[jvlcek]

@miq-bot add_label wip

[abellotti]

probably left over from debugging all this fun stuff

[jvlcek]

Good. Catch. 👍

[miq-bot]

This pull request is not mergeable. Please rebase and repush.

[miq-bot]

This pull request is not mergeable. Please rebase and repush.

[miq-bot]

@jvlcek Cannot apply the following label because they are not recognized: authentication

[jvlcek]

@miq-bot remove_label wip

[jvlcek]

@eclarizio and @himdel Please review.

[eclarizio]

I'm not super well versed in this area, but is there any way we can add specs to cover primarily the code that was moved into the #identity_provider_login method? Maybe even extracting all of that logic out into a service so that it can be unit tested without having to set up a bunch of variables for the dashboard_controller?

This is a similar approach to the PrivilegeCheckerService that I remember we were looking at while debugging this problem before, but again, not sure if you think that is a good strategy to employ here or not.

[jvlcek]

@eclarizio Thank you for the feedback. I'll take a look at PrivilegeCHeckerService .

JoeV

[jvlcek]

@eclarizio As we discussed extracting logic in the new #identity_provider_login method into a service does not seem like a good solution.

I believe I have addressed your fundamental concern of having spec tests to exercise the logic in the new #identity_provider_login method by adding a context "OIDC support" do test to the dashboard_controller_spec.rb.

The existing context "SAML support" do test was already exercising some of the logic in the new #identity_provider_login method.

Please let me know if this addresses your fundamental concern.

Thank you! JoeV

[eclarizio]

@jvlcek Yeah, sounds good to me! 👍

[miq-bot]

Some comments on commits jvlcek/manageiq-ui-classic@fd09be0~...ab0960a

spec/controllers/dashboard_controller_spec.rb

• ⚠️ - 127 - Detected allow_any_instance_of. This RSpec method is highly discouraged, please only use when absolutely necessary.

[miq-bot]

Checked commits jvlcek/manageiq-ui-classic@fd09be0~...ab0960a with ruby 2.3.3, rubocop 0.52.1, haml-lint 0.20.0, and yamllint 1.10.0
8 files checked, 1 offense detected

**

• 💣 💥 🔥 🚒 - Linter/Haml - Linter::Haml STDERR:

warning: parser/current is loading parser/ruby23, which recognizes
warning: 2.3.6-compliant syntax, but you are running 2.3.3.
warning: please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.