external controller tests + rubocop fixes

app/controllers/external_controller.rb

@@ -41,6 +41,8 @@ def create_user
       return redirect_to root_path(error: Rails.configuration.custom_error_msgs[:invite_token_invalid])
     end
 
+    return render_error status: :forbidden unless valid_domain?(user_info[:email])
+
     # Create the user if they dont exist
     if new_user
       user = UserCreator.new(user_params: user_info, provider: current_provider, role: default_role).call
@@ -164,4 +166,15 @@ def build_user_info(credentials)
       verified: true
     }
   end
+
+  def valid_domain?(email)
+    specific_domain_emails = SettingGetter.new(setting_name: 'SpecificEmailDomainSignUp', provider: current_provider).call
+    return true if specific_domain_emails.blank?
+
+    domains = specific_domain_emails.split(',')
+    domains.each do |domain|
+      return true if email.end_with?(domain)
+    end
+    false
+  end
 end

db/data/20240806205559_add_domain_specific_email_signup_to_site_settings.rb

@@ -6,13 +6,13 @@ def up
 
     SiteSetting.create!(setting:, value: '', provider: 'greenlight') unless SiteSetting.exists?(setting:, provider: 'greenlight')
 
-    Tenant.all.each do |tenant|
+    Tenant.find_each do |tenant|
       SiteSetting.create!(setting:, value: '', provider: tenant.name) unless SiteSetting.exists?(setting:, provider: tenant.name)
     end
   end
 
   def down
-    Tenant.all.each do |tenant|
+    Tenant.find_each do |tenant|
       SiteSetting.find_by(setting: Setting.find_by(name: 'Maintenance'), provider: tenant.name)&.destroy
     end
 

spec/controllers/external_controller_spec.rb

@@ -18,7 +18,7 @@
 
 require 'rails_helper'
 
-RSpec.describe ExternalController, type: :controller do
+RSpec.describe ExternalController do
   let(:fake_setting_getter) { instance_double(SettingGetter) }
 
   describe '#create_user' do
@@ -80,7 +80,7 @@
 
       expect do
         get :create_user, params: { provider: 'openid_connect' }
-      end.to change(User, :count).by(0)
+      end.not_to change(User, :count)
     end
 
     it 'looks the user up based on email' do
@@ -90,7 +90,7 @@
 
       expect do
         get :create_user, params: { provider: 'openid_connect' }
-      end.to change(User, :count).by(0)
+      end.not_to change(User, :count)
     end
 
     context 'redirect' do
@@ -325,6 +325,79 @@
       end
     end
 
+    context 'Specific Email Domain Signup' do
+      context 'restricted domain not set' do
+        before do
+          site_settings = instance_double(SettingGetter)
+          allow(SettingGetter).to receive(:new).with(setting_name: 'SpecificEmailDomainSignUp', provider: 'greenlight').and_return(site_settings)
+          allow(site_settings).to receive(:call).and_return('')
+        end
+
+        it 'creates the user' do
+          request.env['omniauth.auth'] = OmniAuth.config.mock_auth[:openid_connect]
+
+          expect { get :create_user, params: { provider: 'openid_connect' } }.to change(User, :count).from(0).to(1)
+        end
+      end
+
+      context 'restricted domain set to 1 domain' do
+        before do
+          site_settings = instance_double(SettingGetter)
+          allow(SettingGetter).to receive(:new).with(setting_name: 'SpecificEmailDomainSignUp', provider: 'greenlight').and_return(site_settings)
+          allow(site_settings).to receive(:call).and_return('@domain.com')
+        end
+
+        it 'creates the user if the domain is allowed' do
+          request.env['omniauth.auth'] = OmniAuth.config.mock_auth[:openid_connect]
+          request.env['omniauth.auth'][:info][:email] = '[email protected]'
+
+          expect { get :create_user, params: { provider: 'openid_connect' } }.to change(User, :count).from(0).to(1)
+        end
+
+        it 'does not create if the domain is not allowed' do
+          request.env['omniauth.auth'] = OmniAuth.config.mock_auth[:openid_connect]
+
+          expect { get :create_user, params: { provider: 'openid_connect' } }.not_to change(User, :count)
+        end
+      end
+
+      context 'restricted domain set to multiple domain' do
+        before do
+          site_settings = instance_double(SettingGetter)
+          allow(SettingGetter).to receive(:new).with(setting_name: 'SpecificEmailDomainSignUp', provider: 'greenlight').and_return(site_settings)
+          allow(site_settings).to receive(:call).and_return('@example.com,@test.com,@domain.com')
+        end
+
+        it 'creates the user if the domain is allowed 1' do
+          request.env['omniauth.auth'] = OmniAuth.config.mock_auth[:openid_connect]
+          request.env['omniauth.auth'][:info][:email] = '[email protected]'
+
+          expect { get :create_user, params: { provider: 'openid_connect' } }.to change(User, :count).from(0).to(1)
+        end
+
+        it 'creates the user if the domain is allowed 2' do
+          request.env['omniauth.auth'] = OmniAuth.config.mock_auth[:openid_connect]
+          request.env['omniauth.auth'][:info][:email] = '[email protected]'
+
+          expect { get :create_user, params: { provider: 'openid_connect' } }.to change(User, :count).from(0).to(1)
+        end
+
+        it 'creates the user if the domain is allowed 3' do
+          request.env['omniauth.auth'] = OmniAuth.config.mock_auth[:openid_connect]
+          request.env['omniauth.auth'][:info][:email] = '[email protected]'
+
+          expect { get :create_user, params: { provider: 'openid_connect' } }.to change(User, :count).from(0).to(1)
+        end
+
+        it 'does not create if the domain is not allowed' do
+          request.env['omniauth.auth'] = OmniAuth.config.mock_auth[:openid_connect]
+          request.env['omniauth.auth'][:info][:email] = '[email protected]'
+
+          expect { get :create_user, params: { provider: 'openid_connect' } }.not_to change(User, :count)
+        end
+      end
+    end
+
     context 'Role mapping' do
       let!(:role1) { create(:role, name: 'role1') }