change auth strategy from warden to Azure AD UMGs

[Sarah Smulligan (Smullz622)]

Fixes #228

I wasn't quite able to wrap this up, but it's mostly there. Everything works locally, new authorized users and admin umg groups have been created, & the feature specs are fixed.

To be completed:

• fix failing request specs
• add azure tests
• add remainder of authorized users (currently just has dev team, Binky, & Justin, I was waiting for everything to be wrapped up before adding remaining users) Moved here: Release tasks #266

[Alex Kiessling (ajkiessl)]

Jesse LE (@jlandiseigsti)
Sarah Smulligan (@Smullz622)

This is done and ready for review. Some of the things I did:

• Removed GET from list of omniauth request methods. This protects from CSRF attacks.
• Changed GUIAuthController to require auto_login before each action. This redirects to a page that automatically "clicks" a hidden login button, forcing a POST to the omniauth endpoint and passing along CSRF tokens.
• Fixed up the feature and request specs that had not yet implemented login_gui_user
• Use ClimateControl to set ENV variables in mock authentication for tests
• Replace gui_auth_spec.rb with sessions_controller_spec.rb to test the sessions controller actions and the auto_login before_action.

[Jesse LE (jlandiseigsti)]

Every thing looks good to me.

Are we going to implement logout separately?

[Jesse LE (jlandiseigsti)]

Is this connected to anything at the moment?

[Alex Kiessling (ajkiessl)]

The RailsAdmin UI actually has a link in the top right to log out. That hooks into this route. I think that's just a default for RailsAdmin, though. We could implement a logout button in the future, but I think we'd need a neutral landing page for that. Everything is behind auth, so you'd just get logged back in after logging out.

[Alex Kiessling (ajkiessl)]

It would be pretty simple to remove the auto login stuff, and replace it with login and log out buttons, though. Most of our other apps do that. But I'm curious to see how the auto login works.