Improve hyrax/seed/setup.json user creation (no hardcoded passwords, added Shibboleth support)
Creating users via `hyrax/seed/setup.json` currently requires putting hardcoded credentials into `setup.json`. Since this is a potential security issue, we have decided to remove the support for setting passwords at all through this file. Since `User` objects don't support a `nil` password, we will now simply generate a random 32 byte / 256 bit "password" (which may contain non-printable characters). These passwords are not meant to be used/entered anyway, since login for all users (including admins) is supposed to use either Shibboleth or ORCID.

However, since RDMS/Hyrax requires at least one admin user to exist at the first startup in order to create the `CRC_1280_COLLECTION` and the corresponding `crc_1280_manager` and `crc_1280_member` roles, this commit also adds support for pre-seeding Shibboleth accounts via `hyrax/seed/setup.json`.

Note that these users are primarily identified through their `uid` attribute, which contains their Pairwise ID obtained from the Shibboleth IDP, and *not* their email address. In fact, if the user's name or email address changes on the IDP, the corresponding values in RDMS's user database will be updated/replaced automatically with the new values obtained from the IDP.
parent
237a70bd
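The seeding behaviour the commit message describes, as an added sketch that is not code from this commit or from RDMS/Hyrax. The `UserStore` class, the JSON keys (`users`, `provider`, `uid`, `name`, `email`, `role`) and the sample values are assumptions, since the page does not show the real `setup.json` schema; raising on a `password` key is likewise this example's choice for "no passwords through this file".

```ruby
require "json"
require "securerandom"

# Constructed sample input; the real setup.json schema is not shown on the page.
SAMPLE_SETUP_JSON = <<~JSON
  {
    "users": [
      { "provider": "shibboleth", "uid": "EXAMPLE-PAIRWISE-ID@idp.example.org",
        "name": "Ada Admin", "email": "ada@example.org", "role": "admin" }
    ]
  }
JSON

# Hypothetical stand-in for the User model: in-memory, keyed by [provider, uid].
class UserStore
  def initialize
    @users = {}
  end

  def find(provider, uid)
    @users[[provider, uid]]
  end

  # Seed accounts from setup.json text. A credential in the file is an error,
  # and re-running the seed never replaces an existing account.
  def seed(json_text)
    JSON.parse(json_text).fetch("users").map do |entry|
      raise ArgumentError, "password is not allowed in setup.json" if entry.key?("password")
      key = [entry.fetch("provider"), entry.fetch("uid")]
      @users[key] ||= entry.slice("name", "email", "role").merge(
        # 32 random bytes (256 bits) from the CSPRNG; binary, never shown or logged.
        "password" => SecureRandom.random_bytes(32)
      )
    end
  end

  # Login matches on uid only, then refreshes name/email from the IdP attributes.
  # Other attributes (for example role) are deliberately not taken from the IdP.
  def login(provider, uid, idp_attrs)
    user = find(provider, uid) or return nil
    user.merge!(idp_attrs.slice("name", "email"))
  end
end
```

Because the lookup key is the `uid`, an IdP account that merely shares a seeded admin's email address does not match the seeded record.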