Improve hyrax/seed/setup.json user creation (no hardcoded passwords, added Shibboleth support)

Creating users via hyrax/seed/setup.json currently requires putting hardcoded credentials into setup.json. Since this is a potential security issue, we have decided to remove the support for setting passwords at all through this file. Since User objects don't support a nil password, we will now simply generate a random 32 byte / 256 bit "password" (which may contain non-printable characters).

These passwords are not meant to be used/entered anyway, since login for all users (including admins) is supposed to use either Shibboleth or ORCID. However, since RDMS/Hyrax requires at least one admin user to exist at the first startup in order to create the CRC_1280_COLLECTION and the corresponding crc_1280_manager and crc_1280_member roles, this commit also adds support for pre-seeding Shibboleth accounts via hyrax/seed/setup.json.

Note that these users are primarily identified through their uid attribute, which contains their Pairwise ID obtained from the Shibboleth IDP, and not their email address. In fact, if the user's name or email address changes on the IDP, the corresponding values in RDMS's user database will be updated/replaced automatically with the new values obtained from the IDP.

Closes #33 (closed)

hyrax/app/models/user.rb

@@ -78,7 +78,7 @@ class User < ApplicationRecord
     if ENV.fetch('ORCID_RESTRICT_AUTHORIZATION', 'true') == 'false'
       user.display_name = auth.info.name
       user.email = auth.info.email || "#{auth.uid}@#{auth.provider.to_s}"
-      user.password = Devise.friendly_token[0,20]
+      user.password = SecureRandom.random_bytes(32)
     end
     user.save!
     user
@@ -108,7 +108,7 @@ class User < ApplicationRecord
     user.uid = attributes[:uid]
     user.display_name = attributes[:name]
     user.email = attributes[:email]
-    user.password = Devise.friendly_token[0,20]
+    user.password = SecureRandom.random_bytes(32)
 
     user.save!
     user