Merge pull request #1698 from internetee/add-tara-to-registrant

Expand TARA auth logic to registrant portal

app/controllers/registrant/sessions_controller.rb

@@ -1,81 +1,6 @@
 class Registrant::SessionsController < Devise::SessionsController
   layout 'registrant/application'
 
-  def login_mid
-    @user = User.new
-  end
-
-  def mid
-    phone = params[:user][:phone]
-    endpoint = "#{ENV['sk_digi_doc_service_endpoint']}"
-    client = Digidoc::Client.new(endpoint)
-    client.logger = Rails.application.config.logger unless Rails.env.test?
-
-    # country_codes = {'+372' => 'EST'}
-    response = client.authenticate(
-      phone: "+372#{phone}",
-      message_to_display: 'Authenticating',
-      service_name: ENV['sk_digi_doc_service_name'] || 'Testing'
-    )
-
-    if response.faultcode
-      render json: { message: response.detail.message }, status: :unauthorized
-      return
-    end
-
-    @user = RegistrantUser.find_or_create_by_mid_data(response)
-
-    if @user.persisted?
-      session[:user_country] = response.user_country
-      session[:user_id_code] = response.user_id_code
-      session[:mid_session_code] = client.session_code
-
-      render json: {
-        message: t(:confirmation_sms_was_sent_to_your_phone_verification_code_is, { code: response.challenge_id })
-      }, status: :ok
-    else
-      render json: { message: t(:no_such_user) }, status: :unauthorized
-    end
-  end
-
-  def mid_status
-    endpoint = "#{ENV['sk_digi_doc_service_endpoint']}"
-    client = Digidoc::Client.new(endpoint)
-    client.logger = Rails.application.config.logger unless Rails.env.test?
-    client.session_code = session[:mid_session_code]
-    auth_status = client.authentication_status
-
-    case auth_status.status
-    when 'OUTSTANDING_TRANSACTION'
-      render json: { message: t(:check_your_phone_for_confirmation_code) }, status: :ok
-    when 'USER_AUTHENTICATED'
-      @user = RegistrantUser.find_by(registrant_ident: "#{session[:user_country]}-#{session[:user_id_code]}")
-
-      sign_in(:registrant_user, @user)
-      flash[:notice] = t(:welcome)
-      flash.keep(:notice)
-      render js: "window.location = '#{registrant_root_path}'"
-    when 'NOT_VALID'
-      render json: { message: t(:user_signature_is_invalid) }, status: :bad_request
-    when 'EXPIRED_TRANSACTION'
-      render json: { message: t(:session_timeout) }, status: :bad_request
-    when 'USER_CANCEL'
-      render json: { message: t(:user_cancelled) }, status: :bad_request
-    when 'MID_NOT_READY'
-      render json: { message: t(:mid_not_ready) }, status: :bad_request
-    when 'PHONE_ABSENT'
-      render json: { message: t(:phone_absent) }, status: :bad_request
-    when 'SENDING_ERROR'
-      render json: { message: t(:sending_error) }, status: :bad_request
-    when 'SIM_ERROR'
-      render json: { message: t(:sim_error) }, status: :bad_request
-    when 'INTERNAL_ERROR'
-      render json: { message: t(:internal_error) }, status: :bad_request
-    else
-      render json: { message: t(:internal_error) }, status: :bad_request
-    end
-  end
-
   private
 
   def after_sign_in_path_for(_resource_or_scope)

app/controllers/sso/tara_controller.rb

@@ -0,0 +1,40 @@
+module Sso
+  class TaraController < ApplicationController
+    skip_authorization_check
+
+    def registrant_callback
+      user = RegistrantUser.find_or_create_by_omniauth_data(user_hash)
+      callback(user, registrar: false)
+    end
+
+    def registrar_callback
+      user = ApiUser.from_omniauth(user_hash)
+      callback(user, registrar: true)
+    end
+
+    # rubocop:disable Style/AndOr
+    def callback(user, registrar: true)
+      session[:omniauth_hash] = user_hash
+      (show_error(registrar: registrar) and return) unless user
+
+      flash[:notice] = t(:signed_in_successfully)
+      sign_in_and_redirect(registrar ? :registrar_user : :registrant_user, user)
+    end
+    # rubocop:enable Style/AndOr
+
+    def cancel
+      redirect_to root_path, notice: t(:sign_in_cancelled)
+    end
+
+    def show_error(registrar: true)
+      path = registrar ? new_registrar_user_session_url : new_registrant_user_session_url
+      redirect_to path, alert: t(:no_such_user)
+    end
+
+    private
+
+    def user_hash
+      request.env['omniauth.auth']
+    end
+  end
+end

app/models/api_user.rb

@@ -47,12 +47,6 @@ def set_defaults
     self.active = true unless saved_change_to_active?
   end
 
-  class << self
-    def find_by_id_card(id_card)
-      find_by(identity_code: id_card.personal_code)
-    end
-  end
-
   def to_s
     username
   end

app/models/registrant_user.rb

@@ -1,7 +1,7 @@
 class RegistrantUser < User
   attr_accessor :idc_data
 
-  devise :trackable, :timeoutable, :id_card_authenticatable
+  devise :trackable, :timeoutable
 
   def ability
     @ability ||= Ability.new(self)
@@ -66,21 +66,17 @@ def find_or_create_by_api_data(user_data = {})
       find_or_create_by_user_data(user_data)
     end
 
-    def find_or_create_by_mid_data(response)
-      user_data = { first_name: response.user_givenname, last_name: response.user_surname,
-                    ident: response.user_id_code, country_code: response.user_country }
+    def find_or_create_by_omniauth_data(omniauth_hash)
+      uid = omniauth_hash['uid']
+      identity_code = uid.slice(2..-1)
+      country_code = uid.slice(0..1)
+      first_name = omniauth_hash.dig('info', 'first_name')
+      last_name = omniauth_hash.dig('info', 'last_name')
 
-      find_or_create_by_user_data(user_data)
-    end
-
-    def find_by_id_card(id_card)
-      registrant_ident = "#{id_card.country_code}-#{id_card.personal_code}"
-      username = [id_card.first_name, id_card.last_name].join("\s")
+      user_data = { first_name: first_name, last_name: last_name,
+                    ident: identity_code, country_code: country_code }
 
-      user = find_or_initialize_by(registrant_ident: registrant_ident)
-      user.username = username
-      user.save!
-      user
+      find_or_create_by_user_data(user_data)
     end
 
     private

app/views/registrant/sessions/new.html.erb

@@ -8,11 +8,6 @@
             <%= t '.hint' %>
         </div>
         <br/>
-        <%= link_to '/registrant/login/mid' do %>
-            <%= image_tag 'mid.gif' %>
-        <% end %>
-        <%= link_to registrant_id_card_sign_in_path, method: :post do %>
-            <%= image_tag 'id_card.gif' %>
-        <% end %>
+        <%= link_to t(:sign_in), "/auth/rant_tara", method: :post, class: 'btn btn-lg btn-primary btn-block' %>
     </div>
-</div>
+</div>

config/application.yml.sample

@@ -163,9 +163,13 @@ tara_secret: 'secret'
 tara_redirect_uri: 'redirect_url'
 tara_keys: "{\"kty\":\"RSA\",\"kid\":\"de6cc4\",\"n\":\"jWwAjT_03ypme9ZWeSe7c-jY26NO50Wo5I1LBnPW2JLc0dPMj8v7y4ehiRpClYNTaSWcLd4DJmlKXDXXudEUWwXa7TtjBFJfzlZ-1u0tDvJ-H9zv9MzO7UhUFytztUEMTrtStdhGbzkzdEZZCgFYeo2i33eXxzIR1nGvI05d9Y-e_LHnNE2ZKTa89BC7ZiCXq5nfAaCgQna_knh4kFAX-KgiPRAtsiDHcAWKcBY3qUVcb-5XAX8p668MlGLukzsh5tFkQCbJVyNtmlbIHdbGvVHPb8C0H3oLYciv1Fjy_tS1lO7OT_cb3GVp6Ql-CG0uED_8pkpVtfsGRviub4_ElQ\",\"e\":\"AQAB\"}"
 
-# Email validation setting for Truemail gem. Possible values: 'regex', 'mx', 'smtp'
+tara_rant_identifier: 'identifier'
+tara_rant_secret: 'secret'
+tara_rant_redirect_uri: 'redirect_uri'
+
 default_email_validation_type: 'regex'
 
+
 # Since the keys for staging are absent from the repo, we need to supply them separate for testing.
 test:
   payments_seb_bank_certificate: 'test/fixtures/files/seb_bank_cert.pem'

config/initializers/devise.rb

@@ -280,10 +280,4 @@
   # When using OmniAuth, Devise cannot automatically set OmniAuth path,
   # so you need to do it manually. For the users scope, it would be:
   # config.omniauth_path_prefix = '/my_engine/users/auth'
-
-  require 'devise/models/id_card_authenticatable'
-  require 'devise/strategies/id_card_authenticatable'
-
-  routes = [nil, :new, :destroy]
-  config.add_module :id_card_authenticatable, strategy: true, route: { session: routes }
 end

config/initializers/omniauth.rb

@@ -16,6 +16,10 @@
 secret = ENV['tara_secret']
 redirect_uri = ENV['tara_redirect_uri']
 
+registrant_identifier = ENV['tara_rant_identifier']
+registrant_secret = ENV['tara_rant_secret']
+registrant_redirect_uri = ENV['tara_rant_redirect_uri']
+
 Rails.application.config.middleware.use OmniAuth::Builder do
   provider "tara", {
       callback_path: '/registrar/open_id/callback',
@@ -43,4 +47,30 @@
           redirect_uri: redirect_uri,
       },
   }
+
+  provider "tara", {
+      callback_path: '/registrant/open_id/callback',
+      name: 'rant_tara',
+      scope: ['openid'],
+      client_signing_alg: :RS256,
+      client_jwk_signing_key: signing_keys,
+      send_scope_to_token_endpoint: false,
+      send_nonce: true,
+      issuer: issuer,
+
+      client_options: {
+          scheme: 'https',
+          host: host,
+
+          authorization_endpoint: '/oidc/authorize',
+          token_endpoint: '/oidc/token',
+          userinfo_endpoint: nil, # Not implemented
+          jwks_uri: '/oidc/jwks',
+
+          # Registry
+          identifier: registrant_identifier,
+          secret: registrant_secret,
+          redirect_uri: registrant_redirect_uri,
+      },
+  }
 end

config/locales/registrant/sessions.en.yml

@@ -2,11 +2,7 @@ en:
   registrant:
     sessions:
       new:
-        header: Log in
+        header: Sign in with identity document
         hint:  >-
-          Access currently available only to Estonian citizens and e-residents with Estonian ID-card
-          or Mobile-ID.
-
-      login_mid:
-        header: Log in with mobile-id
-        submit_btn: Login
+          Sign in using Estonian (incl. e-residents) ID card, mobile ID,
+          Bank link or other EU citizen's electronic ID supported by EIDAS.