Add support for customizable user authentication

Gemfile.lock

@@ -225,6 +225,7 @@ GEM
 PLATFORMS
   arm64-darwin-21
   arm64-darwin-22
+  arm64-darwin-23
   x86_64-linux
 
 DEPENDENCIES

README.md

@@ -149,7 +149,8 @@ These config options are namespaced in `config.console1984`:
 | `protected_urls`                            | The list of URLs corresponding with external systems to protect.                                                                                                                                                       |
 | `session_logger`                            | The system used to record session data. The default logger is `Console1984::SessionsLogger::Database`.                                                                                                                 |
 | `username_resolver`                         | Configure how the current user is determined for a given console session. The default is `Console1984::Username::EnvResolver.new("CONSOLE_USER")`, which returns the value of the environment variable `CONSOLE_USER`. |
- | `ask_for_username_if_empty`                 | If `true`, the console will ask for a username if it is empty. If `false`, it will raise an error if no username is set. Defaults to `false`.                                                                          |
+| `ask_for_username_if_empty`                 | If `true`, the console will ask for a username if it is empty. If `false`, it will raise an error if no username is set. Defaults to `false`.                                                                          |
+| `user_authentication`                       | Can be set to a proc or other callable object that will receive the username as its sole argument. Can be used to implement user authentication and should raise an exception if authentication fails. Defaults to `nil`. |
 | `production_data_warning`                   | The text to show when a console session starts.                                                                                                                                                                        |
 | `enter_unprotected_encryption_mode_warning` | The text to show when user enters into unprotected mode.                                                                                                                                                               |
 | `enter_protected_mode_warning`              | The text to show when user go backs to protected mode.                                                                                                                                                                 |

lib/console1984/config.rb

@@ -13,6 +13,7 @@ class Console1984::Config
     incinerate incinerate_after incineration_queue
     protections_config
     base_record_class
+    user_authentication
     debug test_mode
   ]
 
@@ -56,6 +57,7 @@ def set_defaults
       self.incinerate_after = 30.days
       self.incineration_queue = "console1984_incineration"
       self.ask_for_username_if_empty = false
+      self.user_authentication = nil
 
       self.base_record_class = "::ApplicationRecord"
 

lib/console1984/supervisor.rb

@@ -58,7 +58,9 @@ def require_dependencies
     end
 
     def start_session
-      session_logger.start_session current_username, ask_for_session_reason
+      username = current_username
+      Console1984.config.user_authentication&.call username
+      session_logger.start_session username, ask_for_session_reason
     end
 
     def stop_session

test/supervisor_test.rb

@@ -26,4 +26,29 @@ class IncinerationTest < ActiveSupport::TestCase
   ensure
     Console1984.config.ask_for_username_if_empty = original
   end
+
+  test "can start a session if user_authentication is callable" do
+    original, Console1984.config.user_authentication = Console1984.config.user_authentication, ->(username) { true }
+    Console1984.username_resolver.username = "jorge"
+
+    assert_nothing_raised do
+      type_when_prompted "No reason" do
+        @supervisor.start
+      end
+    end
+  ensure
+    Console1984.config.user_authentication = original
+  end
+
+  test "cannot start a session if user_authentication is callable and raises an exception" do
+    original, Console1984.config.user_authentication = Console1984.config.user_authentication, ->(username) { raise "Authentication failed!" }
+    Console1984.username_resolver.username = "jorge"
+
+    e = assert_raises RuntimeError do
+      @supervisor.start
+    end
+    assert_equal "Authentication failed!", e.message
+  ensure
+    Console1984.config.user_authentication = original
+  end
 end