Fix OKTA authentication issues and add OIDC logout discovery

## What This PR Does

This PR fixes critical OKTA authentication issues and improves the CI/CD workflow:

### OKTA Authentication Fixes
1. **Fixed existing user login**: Users with existing accounts can now log in via OKTA by updating their provider/uid on first OKTA login
2. **Implemented proper OKTA logout**: Added custom sessions controller that redirects to OKTA's logout endpoint and clears both local and OKTA sessions
3. **Added ID token storage**: Stores the OIDC ID token in session for proper logout functionality
4. **Added prompt parameter support**: Enables forcing 2FA authentication when configured
5. **Comprehensive logging**: Added Rails.logger calls throughout authentication flow for better debugging

### LDAP Authentication Fixes
1. **Fixed email extraction**: Added fallback logic to extract email from various LDAP response formats
2. **Fixed CI configuration**: Corrected LDAP container port mapping (10389:10389)
3. **Added comprehensive unit tests**: 6 new tests covering various LDAP email scenarios

### CI/CD Improvements
1. **Workflow optimization**: Reordered to run linting before tests (fail fast approach)
2. **PostgreSQL security**: Fixed authentication from trust to password-based
3. **Fixed Rubocop warnings**: Added inline disables for test constants

Fixes #663

## Test Coverage
- Added 7 new OKTA unit tests (all passing)
- Added 6 new LDAP unit tests (all passing)
- Total test count: 107 examples, 0 failures
- All linting checks pass

## Related Issues
- Fixes #663 - Improve Okta OIDC authentication
- Related to #667 - Future enhancement for OIDC auto-discovery
- Related to #664 - Future enhancement for multiple OIDC providers

Co-Authored-By: Aaron Lippold <lippold@gmail.com>

Author: aaronlippold

.github/workflows/run-tests.yml

@@ -19,7 +19,9 @@ jobs:
       db:
         image: postgres:12
         env:
-          POSTGRES_HOST_AUTH_METHOD: trust
+          POSTGRES_PASSWORD: postgres
+          POSTGRES_USER: postgres
+          POSTGRES_DB: test
         ports:
           - 5432:5432
         # needed because the postgres container does not provide a healthcheck
@@ -31,7 +33,7 @@ jobs:
       ldap:
         image: rroemhild/test-openldap
         ports:
-          - 389:10389
+          - 10389:10389
 
     steps:
       - uses: actions/checkout@v4
@@ -47,28 +49,34 @@ jobs:
           key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}
           restore-keys: |
             ${{ runner.os }}-gems-
-      - name: Build and run tests
+      - name: Install dependencies
+        run: |
+          sudo apt-get -yqq install libpq-dev
+          echo "gem: --no-document" > ~/.gemrc
+          gem install bundler --conservative
+          bundle config path vendor/bundle
+          bundle install --jobs 4 --retry 3
+          yarn install --frozen-lockfile
+      - name: Run Rubocop
+        run: bundle exec rubocop
+      - name: Run eslint
+        run: yarn lint:ci
+      - name: Setup database and run tests
         env:
-          DATABASE_URL: postgres://postgres:@localhost:5432/test
+          DATABASE_URL: postgres://postgres:postgres@localhost:5432/test
           RAILS_ENV: test
           # Options below this line are so we can test LDAP
           VULCAN_ENABLE_LDAP: true
+          VULCAN_LDAP_HOST: localhost
           VULCAN_LDAP_ATTRIBUTE: mail
           VULCAN_LDAP_BIND_DN: cn=admin,dc=planetexpress,dc=com
           VULCAN_LDAP_BASE: ou=people,dc=planetexpress,dc=com
-          VULCAN_LDAP_PORT: 389
+          VULCAN_LDAP_PORT: 10389
           VULCAN_LDAP_ADMIN_PASS: GoodNewsEveryone
         run: |
-          sudo apt-get -yqq install libpq-dev
-          echo "gem: --no-document" > ~/.gemrc
-          gem install bundler --conservative
-          bundle config path vendor/bundle
-          bin/setup
+          bundle exec rails db:create
+          bundle exec rails db:schema:load
           bundle exec rails spec
-      - name: Run Rubocop
-        run: bundle exec rubocop
-      - name: Run eslint
-        run: yarn lint:ci
       - name: Upload coverage results
         uses: actions/upload-artifact@v4
         if: always()

.gitignore

@@ -28,7 +28,8 @@
 
 # Do not commit Docker environment files
 /.env
-/.env-prod
+/.env.*
+.env.*
 
 # Do not commit coverage
 /coverage
@@ -39,3 +40,24 @@
 /yarn-error.log
 yarn-debug.log*
 .yarn-integrity
+
+# Ignore generated assets
+/app/assets/builds/
+
+# Ignore development logs
+*.log
+foreman.log
+rails_*.log
+dev_output.log
+
+# Ignore local development files
+CLAUDE.md
+OKTA_SESSION_RECOVERY.md
+PR_MESSAGE.md
+*.backup
+*_backup/
+benchmark-tmp/
+vulcan-wiki-local/
+
+# Ruby version management
+.ruby-gemset

.nvmrc

@@ -0,0 +1 @@
+16

ENVIRONMENT_VARIABLES.md

@@ -0,0 +1,154 @@
+# Vulcan Environment Variables
+
+This document lists all environment variables that can be used to configure Vulcan.
+
+## System Configuration
+
+| Variable | Description | Default | Example |
+|----------|-------------|---------|---------|
+| `VULCAN_CONFIG` | Override path to vulcan.yml config file | `config/vulcan.yml` | `/etc/vulcan/config.yml` |
+| `VULCAN_ENV` | Override Rails environment | Uses `RAILS_ENV` | `production` |
+
+## Database Configuration
+
+| Variable | Description | Default | Example |
+|----------|-------------|---------|---------|
+| `DATABASE_URL` | PostgreSQL connection string | - | `postgres://user:pass@localhost:5432/vulcan_development` |
+| `VULCAN_VUE_DATABASE_PASSWORD` | PostgreSQL password (production only) | - | `postgres_password` |
+
+## General Application Settings
+
+| Variable | Description | Default | Example |
+|----------|-------------|---------|---------|
+| `VULCAN_APP_URL` | Application URL | `http://localhost:3000` | `https://vulcan.example.com` |
+| `VULCAN_WELCOME_TEXT` | Welcome message on login page | `Welcome to Vulcan` | `Welcome to MITRE Vulcan` |
+| `VULCAN_CONTACT_EMAIL` | Contact email for notifications | `do_not_reply@vulcan` | `admin@example.com` |
+
+## Authentication Settings
+
+### Local Login
+| Variable | Description | Default | Example |
+|----------|-------------|---------|---------|
+| `VULCAN_ENABLE_LOCAL_LOGIN` | Enable local username/password login | `true` | `true` or `false` |
+| `VULCAN_ENABLE_EMAIL_CONFIRMATION` | Require email confirmation for new users | `false` | `true` or `false` |
+| `VULCAN_SESSION_TIMEOUT` | Session timeout in minutes | `60` | `120` |
+
+### User Registration
+| Variable | Description | Default | Example |
+|----------|-------------|---------|---------|
+| `VULCAN_ENABLE_USER_REGISTRATION` | Allow new users to register | `true` | `true` or `false` |
+
+### OIDC/OAuth (e.g., Okta)
+| Variable | Description | Default | Example |
+|----------|-------------|---------|---------|
+| `VULCAN_ENABLE_OIDC` | Enable OIDC authentication | `false` | `true` or `false` |
+| `VULCAN_OIDC_PROVIDER_TITLE` | Display name for OIDC provider | `OIDC Provider` | `Okta` |
+| `VULCAN_OIDC_ISSUER_URL` | OIDC issuer URL | - | `https://dev-12345.okta.com` |
+| `VULCAN_OIDC_HOST` | OIDC provider hostname | - | `dev-12345.okta.com` |
+| `VULCAN_OIDC_CLIENT_ID` | OIDC client ID | - | `0oa1b2c3d4e5f6g7h8i9j` |
+| `VULCAN_OIDC_CLIENT_SECRET` | OIDC client secret | - | `secret_key_here` |
+| `VULCAN_OIDC_REDIRECT_URI` | OIDC redirect URI | - | `https://vulcan.example.com/users/auth/oidc/callback` |
+| `VULCAN_OIDC_AUTHORIZATION_URL` | OIDC authorization endpoint | - | `https://dev-12345.okta.com/oauth2/default/v1/authorize` |
+| `VULCAN_OIDC_TOKEN_URL` | OIDC token endpoint | - | `https://dev-12345.okta.com/oauth2/default/v1/token` |
+| `VULCAN_OIDC_USERINFO_URL` | OIDC userinfo endpoint | - | `https://dev-12345.okta.com/oauth2/default/v1/userinfo` |
+| `VULCAN_OIDC_JWKS_URI` | OIDC JWKS endpoint | - | `https://dev-12345.okta.com/oauth2/default/v1/keys` |
+| `VULCAN_OIDC_PORT` | OIDC provider port | `443` | `443` |
+| `VULCAN_OIDC_SCHEME` | OIDC provider scheme | `https` | `https` |
+| `VULCAN_OIDC_CLIENT_SIGNING_ALG` | OIDC signing algorithm | `RS256` | `RS256` |
+| `VULCAN_OIDC_PROMPT` | OIDC prompt parameter | - | `login` (forces re-authentication) |
+
+### LDAP
+| Variable | Description | Default | Example |
+|----------|-------------|---------|---------|
+| `VULCAN_ENABLE_LDAP` | Enable LDAP authentication | `false` | `true` or `false` |
+| `VULCAN_LDAP_HOST` | LDAP server hostname | `localhost` | `ldap.example.com` |
+| `VULCAN_LDAP_PORT` | LDAP server port | `389` | `636` |
+| `VULCAN_LDAP_TITLE` | Display name for LDAP | `LDAP` | `Corporate LDAP` |
+| `VULCAN_LDAP_ATTRIBUTE` | LDAP attribute for user lookup | `uid` | `sAMAccountName` |
+| `VULCAN_LDAP_ENCRYPTION` | LDAP encryption method | `plain` | `simple_tls` or `start_tls` |
+| `VULCAN_LDAP_BIND_DN` | LDAP bind DN | - | `cn=admin,dc=example,dc=com` |
+| `VULCAN_LDAP_ADMIN_PASS` | LDAP bind password | - | `ldap_password` |
+| `VULCAN_LDAP_BASE` | LDAP search base | - | `dc=example,dc=com` |
+
+## Email/SMTP Settings
+
+| Variable | Description | Default | Example |
+|----------|-------------|---------|---------|
+| `VULCAN_ENABLE_SMTP` | Enable SMTP for sending emails | `false` | `true` or `false` |
+| `VULCAN_SMTP_ADDRESS` | SMTP server address | - | `smtp.gmail.com` |
+| `VULCAN_SMTP_PORT` | SMTP server port | - | `587` |
+| `VULCAN_SMTP_DOMAIN` | SMTP domain | - | `example.com` |
+| `VULCAN_SMTP_SERVER_USERNAME` | SMTP username | - | `notifications@example.com` |
+| `VULCAN_SMTP_SERVER_PASSWORD` | SMTP password | - | `smtp_password` |
+| `VULCAN_SMTP_AUTHENTICATION` | SMTP authentication method | - | `plain` |
+| `VULCAN_SMTP_OPENSSL_VERIFY_MODE` | OpenSSL verify mode for SMTP | - | `none` |
+| `VULCAN_SMTP_TLS` | Use TLS for SMTP | - | `true` or `false` |
+| `VULCAN_SMTP_ENABLE_STARTTLS_AUTO` | Enable STARTTLS auto | - | `true` or `false` |
+
+## Slack Integration
+
+| Variable | Description | Default | Example |
+|----------|-------------|---------|---------|
+| `VULCAN_ENABLE_SLACK_COMMS` | Enable Slack notifications | `false` | `true` or `false` |
+| `VULCAN_SLACK_API_TOKEN` | Slack API token | - | `xoxb-your-token` |
+| `VULCAN_SLACK_CHANNEL_ID` | Slack channel ID | - | `C1234567890` |
+
+## Project Settings
+
+| Variable | Description | Default | Example |
+|----------|-------------|---------|---------|
+| `VULCAN_PROJECT_CREATE_PERMISSION_ENABLED` | Require permission to create projects | `true` | `true` or `false` |
+
+## Development Environment
+
+For local development, create a `.env` file in the project root with your settings:
+
+```bash
+# Database
+DATABASE_URL=postgres://postgres:postgres@127.0.0.1:5432/vulcan_vue_development
+
+# Enable OIDC (example for Okta)
+VULCAN_ENABLE_OIDC=true
+VULCAN_OIDC_PROVIDER_TITLE=Okta
+VULCAN_OIDC_ISSUER_URL=https://dev-12345.okta.com
+VULCAN_OIDC_HOST=dev-12345.okta.com
+VULCAN_OIDC_CLIENT_ID=your_client_id
+VULCAN_OIDC_CLIENT_SECRET=your_client_secret
+
+# Disable local login when using OIDC
+VULCAN_ENABLE_LOCAL_LOGIN=false
+```
+
+## Production Environment
+
+In production, set these as actual environment variables through your deployment platform (Docker, Kubernetes, etc.) rather than using `.env` files.
+
+## Docker Deployment
+
+When using Docker, you can set environment variables in:
+- `docker-compose.yml` using the `environment:` section
+- `.env-prod` file referenced in docker-compose.yml
+- Container runtime with `-e` flags
+
+## Rails/Framework Settings
+
+| Variable | Description | Default | Example |
+|----------|-------------|---------|---------|
+| `RAILS_MASTER_KEY` | Rails master key for credentials | - | Generated by Rails |
+| `RAILS_LOG_TO_STDOUT` | Log to stdout instead of files | - | `true` |
+| `RAILS_SERVE_STATIC_FILES` | Serve static files in production | - | `true` |
+| `FORCE_SSL` | Force SSL connections | - | `true` |
+
+## GitHub OAuth (Optional)
+
+| Variable | Description | Default | Example |
+|----------|-------------|---------|---------|
+| `GITHUB_APP_ID` | GitHub OAuth app ID | - | `your_github_app_id` |
+| `GITHUB_APP_SECRET` | GitHub OAuth app secret | - | `your_github_app_secret` |
+
+## Notes
+
+- Boolean values: Use `true` or `false` (case-insensitive)
+- All boolean environment variables default to `false` unless otherwise specified
+- Variables marked with `-` in the Default column are required when the feature is enabled
+- Sensitive values (passwords, secrets) should never be committed to version control

Gemfile

@@ -76,6 +76,8 @@ group :development do
   gem 'letter_opener'
   gem 'spring'
   gem 'spring-watcher-listen', '~> 2.0.0'
+  # Process manager for Procfile-based applications (development only)
+  gem 'foreman'
 end
 
 group :test do
@@ -98,6 +100,8 @@ group :development, :test do
   gem 'factory_bot_rails', '~> 5.2.0'
   gem 'rspec-mocks'
   gem 'rspec-rails', '~> 4.0.0'
+  # Load environment variables from .env files in development and test
+  gem 'dotenv-rails'
 end
 
 # Windows and Mac do not include zoneinfo files, so bundle the tzinfo-data gem

Gemfile.lock

@@ -118,6 +118,10 @@ GEM
     docile (1.4.0)
     domain_name (0.5.20190701)
       unf (>= 0.0.5, < 1.0.0)
+    dotenv (2.8.1)
+    dotenv-rails (2.8.1)
+      dotenv (= 2.8.1)
+      railties (>= 3.2)
     erubi (1.12.0)
     erubis (2.7.0)
     factory_bot (5.2.0)
@@ -136,6 +140,7 @@ GEM
       ffi (> 1.9, < 2)
     ffaker (2.20.0)
     ffi (1.15.5)
+    foreman (0.88.1)
     fuzzyurl (0.9.0)
     gitlab_omniauth-ldap (2.2.0)
       net-ldap (~> 0.16)
@@ -544,9 +549,11 @@ DEPENDENCIES
   capybara (>= 2.15)
   database_cleaner-active_record
   devise
+  dotenv-rails
   factory_bot_rails (~> 5.2.0)
   fast_excel
   ffaker (~> 2.10)
+  foreman
   gitlab_omniauth-ldap (~> 2.2.0)
   haml-rails (~> 2.0)
   highline (~> 2.0)

README.md

@@ -16,7 +16,7 @@ Vulcan models the STIG intent form and the process of aligning security controls
 * Enable looking up related controls (controls using the same SRG ID) in published STIGs while auhtoring or reviewing a control.
 * View DISA published STIG Contents.
 * Confidential data in the database is encrypted using symmetric encryption
-* Authenticate via the local server, through GitHub, and through configuring an LDAP server.
+* Authenticate via the local server, through GitHub, LDAP, or OKTA/OIDC providers
 * Email and Slack notification enabled
 
 ## Latest Release: [v2.1.8](https://github.com/mitre/vulcan/releases/tag/v2.1.8)
@@ -82,8 +82,43 @@ For testing purposes in the development environment, you can use the following c
 
 See `docker-compose.yml` for container configuration options.
 
+For a complete list of environment variables that can be used to configure Vulcan, see [ENVIRONMENT_VARIABLES.md](ENVIRONMENT_VARIABLES.md).
+
 Documentation on how to configure additional Vulcan settings such as SMTP, LDAP, etc, are available on the [Vulcan website](https://vulcan.mitre.org/docs/config.html).
 
+### OKTA/OIDC Authentication
+
+Vulcan supports authentication via OKTA or any OpenID Connect (OIDC) provider. To enable OKTA authentication:
+
+1. **Create an OKTA Application**:
+   - Log into your OKTA admin dashboard
+   - Create a new "Web" application
+   - Set the Sign-in redirect URI to: `http://your-domain/users/auth/oidc/callback`
+   - Set the Sign-out redirect URI to: `http://your-domain`
+   - Note your Client ID and Client Secret
+
+2. **Configure Vulcan Environment Variables**:
+   ```bash
+   # Enable OIDC authentication
+   VULCAN_ENABLE_OIDC=true
+   
+   # OKTA configuration
+   VULCAN_OIDC_ISSUER_URL=https://your-domain.okta.com
+   VULCAN_OIDC_CLIENT_ID=your-client-id-from-okta
+   VULCAN_OIDC_CLIENT_SECRET=your-client-secret-from-okta
+   VULCAN_OIDC_REDIRECT_URI=http://your-domain/users/auth/oidc/callback
+   
+   # Optional: Force re-authentication on each login
+   VULCAN_OIDC_PROMPT=login
+   
+   # Optional: Custom provider display name (defaults to "OIDC")
+   VULCAN_OIDC_PROVIDER_TITLE=Okta
+   ```
+
+3. **Restart Vulcan** to apply the configuration changes
+
+Users will now see a "Login with Okta" button on the sign-in page. First-time users will have accounts automatically created upon successful OKTA authentication.
+
 ## Tasks
 
 ### STIG/SRG Puller Task