From be55bf3e11a1a0095c8559f4e248b02303ae753e Mon Sep 17 00:00:00 2001
From: Matt Jankowski
Date: Tue, 11 Jun 2024 10:45:08 -0400
Subject: [PATCH] Move omniauth feature enabled checks to `config_for` yml
---
 app/controllers/application_controller.rb | 4 +--
 .../concerns/web_app_controller_concern.rb | 2 +-
 app/helpers/application_helper.rb | 2 +-
 app/helpers/registration_helper.rb | 2 +-
 app/serializers/initial_state_serializer.rb | 2 +-
 config/application.rb | 3 +++
 config/initializers/3_omniauth.rb | 6 ++---
 .../initializers/content_security_policy.rb | 2 +-
 config/omniauth.yml | 6 +++++
 spec/helpers/application_helper_spec.rb | 25 +++++++++++--------
 spec/requests/omniauth_callbacks_spec.rb | 6 ++---
 11 files changed, 36 insertions(+), 24 deletions(-)
 create mode 100644 config/omniauth.yml
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 66e0f7e305..8041d4eb3d 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -80,7 +80,7 @@ class ApplicationController < ActionController::Base
 end
 
 def after_sign_out_path_for(_resource_or_scope)
- if ENV['OMNIAUTH_ONLY'] == 'true' && ENV['OIDC_ENABLED'] == 'true'
+ if Rails.configuration.x.omniauth.only && Rails.configuration.x.omniauth.oidc_enabled
 '/auth/auth/openid_connect/logout'
 else
 new_user_session_path
@@ -138,7 +138,7 @@ class ApplicationController < ActionController::Base
 end
 
 def omniauth_only?
- ENV['OMNIAUTH_ONLY'] == 'true'
+ Rails.configuration.x.omniauth.only
 end
 
 def sso_account_settings
diff --git a/app/controllers/concerns/web_app_controller_concern.rb b/app/controllers/concerns/web_app_controller_concern.rb
index b8c909877b..3ef9521de0 100644
--- a/app/controllers/concerns/web_app_controller_concern.rb
+++ b/app/controllers/concerns/web_app_controller_concern.rb
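Review bot: In app/controllers/application_controller.rb, `after_sign_out_path_for` spells out `Rails.configuration.x.omniauth.only` although the same class defines `omniauth_only?` (second hunk), which returns exactly that value. `if omniauth_only? && Rails.configuration.x.omniauth.oidc_enabled` would leave one reading of the flag per class. The identical `omniauth_only?` body is also repeated in ApplicationHelper and RegistrationHelper, and since this flag selects the sign-out destination here, a single shared definition would make it harder for the copies to drift apart. Both methods sit in a class that continues outside the hunks.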
@@ -11,7 +11,7 @@ module WebAppControllerConcern
 end
 
 def skip_csrf_meta_tags?
- !(ENV['ONE_CLICK_SSO_LOGIN'] == 'true' && ENV['OMNIAUTH_ONLY'] == 'true' && Devise.omniauth_providers.length == 1) && current_user.nil?
+ !(ENV['ONE_CLICK_SSO_LOGIN'] == 'true' && Rails.configuration.x.omniauth.only && Devise.omniauth_providers.length == 1) && current_user.nil?
 end
 
 def set_app_body_class
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 7563ae6105..00ea936982 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -49,7 +49,7 @@ module ApplicationHelper
 end
 
 def omniauth_only?
- ENV['OMNIAUTH_ONLY'] == 'true'
+ Rails.configuration.x.omniauth.only
 end
 
 def link_to_login(name = nil, html_options = nil, &block)
diff --git a/app/helpers/registration_helper.rb b/app/helpers/registration_helper.rb
index ef5462ac88..685c8b62e4 100644
--- a/app/helpers/registration_helper.rb
+++ b/app/helpers/registration_helper.rb
@@ -12,7 +12,7 @@ module RegistrationHelper
 end
 
 def omniauth_only?
- ENV['OMNIAUTH_ONLY'] == 'true'
+ Rails.configuration.x.omniauth.only
 end
 
 def ip_blocked?(remote_ip)
diff --git a/app/serializers/initial_state_serializer.rb b/app/serializers/initial_state_serializer.rb
index 72aaabcfcb..4258ae4e34 100644
--- a/app/serializers/initial_state_serializer.rb
+++ b/app/serializers/initial_state_serializer.rb
@@ -124,6 +124,6 @@ class InitialStateSerializer < ActiveModel::Serializer
 end
 
 def sso_redirect
- "/auth/auth/#{Devise.omniauth_providers[0]}" if ENV['ONE_CLICK_SSO_LOGIN'] == 'true' && ENV['OMNIAUTH_ONLY'] == 'true' && Devise.omniauth_providers.length == 1
+ "/auth/auth/#{Devise.omniauth_providers[0]}" if ENV['ONE_CLICK_SSO_LOGIN'] == 'true' && Rails.configuration.x.omniauth.only && Devise.omniauth_providers.length == 1
 end
 end
diff --git a/config/application.rb b/config/application.rb
index 65407da05c..cd4dd7512b 100644
--- a/config/application.rb
+++ b/config/application.rb
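Review bot: `skip_csrf_meta_tags?` in web_app_controller_concern.rb now takes one decision from two sources: `ENV['ONE_CLICK_SSO_LOGIN'] == 'true'` is still read from the environment on each call, while `omniauth.only` is the boot-time `config_for` value. The same three-part condition is repeated in `InitialStateSerializer#sso_redirect` and in `sso_host` in config/initializers/content_security_policy.rb. Because this predicate decides whether CSRF meta tags are emitted for signed-out visitors, it is worth defining once. For example add `one_click_sso_login: <%= ENV.fetch('ONE_CLICK_SSO_LOGIN', 'false') == 'true' %>` to config/omniauth.yml and read that key in all three places. A comment such as `# keep CSRF meta tags for signed-out users only when the one-click SSO flow is active` would also help, though that intent is inferred from the condition and should be confirmed.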
@@ -111,6 +111,9 @@ module Mastodon
 end
 end
 
+ # Load config/omniauth.yml settings
+ config.x.omniauth = config_for(:omniauth)
+
 config.to_prepare do
 Doorkeeper::AuthorizationsController.layout 'modal'
 Doorkeeper::AuthorizedApplicationsController.layout 'admin'
diff --git a/config/initializers/3_omniauth.rb b/config/initializers/3_omniauth.rb
index aa8ba1a056..e5e24e056e 100644
--- a/config/initializers/3_omniauth.rb
+++ b/config/initializers/3_omniauth.rb
@@ -10,7 +10,7 @@ end
 
 Devise.setup do |config|
 # CAS strategy
- if ENV['CAS_ENABLED'] == 'true'
+ if Rails.configuration.x.omniauth.cas_enabled
 cas_options = {}
 cas_options[:display_name] = ENV['CAS_DISPLAY_NAME']
 cas_options[:url] = ENV['CAS_URL'] if ENV['CAS_URL']
@@ -39,7 +39,7 @@ Devise.setup do |config|
 end
 
 # SAML strategy
- if ENV['SAML_ENABLED'] == 'true'
+ if Rails.configuration.x.omniauth.saml_enabled
 saml_options = {}
 saml_options[:display_name] = ENV['SAML_DISPLAY_NAME']
 saml_options[:assertion_consumer_service_url] = ENV['SAML_ACS_URL'] if ENV['SAML_ACS_URL']
@@ -71,7 +71,7 @@ Devise.setup do |config|
 end
 
 # OpenID Connect Strategy
- if ENV['OIDC_ENABLED'] == 'true'
+ if Rails.configuration.x.omniauth.oidc_enabled
 oidc_options = {}
 oidc_options[:display_name] = ENV['OIDC_DISPLAY_NAME'] # OPTIONAL
 oidc_options[:issuer] = ENV['OIDC_ISSUER'] if ENV['OIDC_ISSUER'] # NEED
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index e43e38786c..b225694c68 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -14,7 +14,7 @@ media_hosts = policy.media_hosts
 
 def sso_host
 return unless ENV['ONE_CLICK_SSO_LOGIN'] == 'true'
- return unless ENV['OMNIAUTH_ONLY'] == 'true'
+ return unless Rails.configuration.omniauth.only
 return unless Devise.omniauth_providers.length == 1
 
 provider = Devise.omniauth_configs[Devise.omniauth_providers[0]]
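Review bot: The new guard in `sso_host` (config/initializers/content_security_policy.rb) reads `Rails.configuration.omniauth.only`, without the `.x` namespace that every other call site in this patch uses. config/application.rb only assigns `config.x.omniauth`, so this lookup presumably raises `NoMethodError` once `ONE_CLICK_SSO_LOGIN` is `'true'` and the first guard passes. The line should be `return unless Rails.configuration.x.omniauth.only`. Since this initializer feeds the Content Security Policy, a failure here would affect whatever evaluates the policy rather than only the SSO feature, and none of the specs touched by this patch exercise the path. The rest of `sso_host` lies outside the hunk.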
diff --git a/config/omniauth.yml b/config/omniauth.yml
new file mode 100644
index 0000000000..9ff5fd5397
--- /dev/null
+++ b/config/omniauth.yml
@@ -0,0 +1,6 @@
+---
+shared:
+ only: <%= ENV.fetch('OMNIAUTH_ONLY', 'false') == 'true' %>
+ cas_enabled: <%= ENV.fetch('CAS_ENABLED', 'false') == 'true' %>
+ oidc_enabled: <%= ENV.fetch('OIDC_ENABLED', 'false') == 'true' %>
+ saml_enabled: <%= ENV.fetch('SAML_ENABLED', 'false') == 'true' %>
diff --git a/spec/helpers/application_helper_spec.rb b/spec/helpers/application_helper_spec.rb
index 56974513be..0b897c012d 100644
--- a/spec/helpers/application_helper_spec.rb
+++ b/spec/helpers/application_helper_spec.rb
@@ -88,9 +88,10 @@ describe ApplicationHelper do
 
 context 'when in omniauth only mode' do
 around do |example|
- ClimateControl.modify OMNIAUTH_ONLY: 'true' do
- example.run
- end
+ original = Rails.configuration.x.omniauth.only
+ Rails.configuration.x.omniauth.only = true
+ example.run
+ Rails.configuration.x.omniauth.only = original
 end
 
 it 'redirects to joinmastodon site' do
@@ -106,11 +107,12 @@ describe ApplicationHelper do
 end
 
 describe 'omniauth_only?' do
- context 'when env var is set to true' do
+ context 'when configuration is set to true' do
 around do |example|
- ClimateControl.modify OMNIAUTH_ONLY: 'true' do
- example.run
- end
+ original = Rails.configuration.x.omniauth.only
+ Rails.configuration.x.omniauth.only = true
+ example.run
+ Rails.configuration.x.omniauth.only = original
 end
 
 it 'returns true' do
@@ -118,11 +120,12 @@ describe ApplicationHelper do
 end
 end
 
- context 'when env var is not set' do
+ context 'when configuration is false' do
 around do |example|
- ClimateControl.modify OMNIAUTH_ONLY: nil do
- example.run
- end
+ original = Rails.configuration.x.omniauth.only
+ Rails.configuration.x.omniauth.only = false
+ example.run
+ Rails.configuration.x.omniauth.only = original
 end
 
 it 'returns false' do
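Review bot: The three `around` hooks in spec/helpers/application_helper_spec.rb (hunks at -88, -106 and -118) each mutate the process-wide `Rails.configuration.x.omniauth.only` and restore it on the line after `example.run`, with no `ensure`. If a hook is ever left early, the altered value leaks into later examples, and the same four lines are copied three times. Moving the restore under an `ensure` (`begin; example.run; ensure; Rails.configuration.x.omniauth.only = original; end`) in one shared helper would scope the change to the example. A stub such as `before { allow(Rails.configuration.x.omniauth).to receive(:only).and_return(true) }` is an alternative, provided the options object can be partially doubled in this suite, which should be checked.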
diff --git a/spec/requests/omniauth_callbacks_spec.rb b/spec/requests/omniauth_callbacks_spec.rb
index 095535e485..3550bb0516 100644
--- a/spec/requests/omniauth_callbacks_spec.rb
+++ b/spec/requests/omniauth_callbacks_spec.rb
@@ -129,15 +129,15 @@ describe 'OmniAuth callbacks' do
 end
 end
 
- describe '#openid_connect', if: ENV['OIDC_ENABLED'] == 'true' && ENV['OIDC_SCOPE'].present? do
+ describe '#openid_connect', if: Rails.configuration.x.omniauth.oidc_enabled && ENV['OIDC_SCOPE'].present? do
 include_examples 'omniauth provider callbacks', :openid_connect
 end
 
- describe '#cas', if: ENV['CAS_ENABLED'] == 'true' do
+ describe '#cas', if: Rails.configuration.x.omniauth.cas_enabled do
 include_examples 'omniauth provider callbacks', :cas
 end
 
- describe '#saml', if: ENV['SAML_ENABLED'] == 'true' do
+ describe '#saml', if: Rails.configuration.x.omniauth.saml_enabled do
 include_examples 'omniauth provider callbacks', :saml
 end
 end