feat: OIDC configuration in global Settings (ENV or DB)

- Add oidc_* attributes to Setting, migration and Config helpers - Secrets and OidcRoleSyncConfig read from Config (ENV overrides DB) - GlobalSettingsLive: OIDC section with disabled fields when ENV set - OIDC role sync tests use DataCase for DB access
2026-02-24 13:55:19 +01:00 · 2026-02-24 13:55:19 +01:00 · 8edbbac95f
commit 8edbbac95f
parent f29bbb02a2
8 changed files with 487 additions and 136 deletions
--- a/test/mv/oidc_role_sync_config_test.exs
+++ b/test/mv/oidc_role_sync_config_test.exs
@ -1,21 +1,22 @@
 defmodule Mv.OidcRoleSyncConfigTest do
  @moduledoc """
  Tests for OIDC role sync configuration (OIDC_ADMIN_GROUP_NAME, OIDC_GROUPS_CLAIM).
+  Reads via Mv.Config (ENV first, then Settings).
  """
-  use ExUnit.Case, async: false
+  use Mv.DataCase, async: false

  alias Mv.OidcRoleSyncConfig

  describe "oidc_admin_group_name/0" do
    test "returns nil when OIDC_ADMIN_GROUP_NAME is not configured" do
-      restore = put_config(admin_group_name: nil)
+      restore = clear_env("OIDC_ADMIN_GROUP_NAME")
      on_exit(restore)

      assert OidcRoleSyncConfig.oidc_admin_group_name() == nil
    end

-    test "returns configured admin group name when set" do
-      restore = put_config(admin_group_name: "mila-admin")
+    test "returns configured admin group name when set via ENV" do
+      restore = set_env("OIDC_ADMIN_GROUP_NAME", "mila-admin")
      on_exit(restore)

      assert OidcRoleSyncConfig.oidc_admin_group_name() == "mila-admin"
@ -24,26 +25,35 @@ defmodule Mv.OidcRoleSyncConfigTest do

  describe "oidc_groups_claim/0" do
    test "returns default \"groups\" when OIDC_GROUPS_CLAIM is not configured" do
-      restore = put_config(groups_claim: nil)
+      restore = clear_env("OIDC_GROUPS_CLAIM")
      on_exit(restore)

      assert OidcRoleSyncConfig.oidc_groups_claim() == "groups"
    end

-    test "returns configured claim name when OIDC_GROUPS_CLAIM is set" do
-      restore = put_config(groups_claim: "ak_groups")
+    test "returns configured claim name when OIDC_GROUPS_CLAIM is set via ENV" do
+      restore = set_env("OIDC_GROUPS_CLAIM", "ak_groups")
      on_exit(restore)

      assert OidcRoleSyncConfig.oidc_groups_claim() == "ak_groups"
    end
  end

-  defp put_config(opts) do
-    current = Application.get_env(:mv, :oidc_role_sync, [])
-    Application.put_env(:mv, :oidc_role_sync, Keyword.merge(current, opts))
+  defp set_env(key, value) do
+    previous = System.get_env(key)
+    System.put_env(key, value)

    fn ->
-      Application.put_env(:mv, :oidc_role_sync, current)
+      if previous, do: System.put_env(key, previous), else: System.delete_env(key)
+    end
+  end
+
+  defp clear_env(key) do
+    previous = System.get_env(key)
+    System.delete_env(key)
+
+    fn ->
+      if previous, do: System.put_env(key, previous)
    end
  end
 end