updated-auth

.rubocop.yml

@@ -1,3 +1,6 @@
 AllCops:
   Exclude:
     - 'spec/**/*'
+    - 'config/**/*'
+Style/Documentation:
+  Enabled: false

Gemfile.lock

@@ -18,12 +18,11 @@ GIT
 
 GIT
   remote: https://github.com/internetee/omniauth-tara.git
-  revision: 215f5e91b8c1a51b2fe9a72755585096252a2f93
+  revision: d7babe56fe666739a0aca4bc94ddc8629641d220
   specs:
-    omniauth-tara (0.4.0)
-      addressable (~> 2.5)
+    omniauth-tara (0.7.1)
       omniauth (>= 1.9, < 3)
-      openid_connect (~> 1.1)
+      openid_connect (~> 2.2)
 
 GEM
   remote: https://rubygems.org/
@@ -93,7 +92,7 @@ GEM
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
       tzinfo (~> 2.0)
-    addressable (2.8.1)
+    addressable (2.8.5)
       public_suffix (>= 2.0.2, < 6.0)
     aes_key_wrap (1.1.0)
     annotate (3.2.0)
@@ -165,7 +164,7 @@ GEM
       railties (>= 5.0.0)
     faker (3.1.1)
       i18n (>= 1.8.11, < 2)
-    faraday (2.7.4)
+    faraday (2.7.10)
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
     faraday-follow_redirects (0.3.0)
@@ -181,7 +180,6 @@ GEM
       rails (>= 5.2)
     highline (2.1.0)
     hpricot (0.8.6)
-    httpclient (2.8.3)
     i18n (1.14.1)
       concurrent-ruby (~> 1.0)
     i18n-debug (1.2.0)
@@ -224,10 +222,10 @@ GEM
     marcel (1.0.2)
     matrix (0.4.2)
     method_source (1.0.0)
-    mini_mime (1.1.2)
-    minitest (5.18.1)
+    mini_mime (1.1.5)
+    minitest (5.19.0)
     msgpack (1.6.1)
-    net-imap (0.3.6)
+    net-imap (0.3.7)
       date
       net-protocol
     net-pop (0.1.2)
@@ -246,17 +244,19 @@ GEM
     omniauth-rails_csrf_protection (1.0.1)
       actionpack (>= 4.2)
       omniauth (~> 2.0)
-    openid_connect (1.4.2)
+    openid_connect (2.2.0)
       activemodel
       attr_required (>= 1.0.0)
-      json-jwt (>= 1.15.0)
+      faraday (~> 2.0)
+      faraday-follow_redirects
+      json-jwt (>= 1.16)
       net-smtp
-      rack-oauth2 (~> 1.21)
-      swd (~> 1.3)
+      rack-oauth2 (~> 2.2)
+      swd (~> 2.0)
       tzinfo
       validate_email
       validate_url
-      webfinger (~> 1.2)
+      webfinger (~> 2.0)
     pagy (6.0.1)
     parallel (1.22.1)
     parser (3.2.1.1)
@@ -270,19 +270,20 @@ GEM
     pry (0.14.1)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    public_suffix (5.0.1)
+    public_suffix (5.0.3)
     puma (5.6.5)
       nio4r (~> 2.0)
     racc (1.7.1)
-    rack (2.2.7)
-    rack-oauth2 (1.21.3)
+    rack (2.2.8)
+    rack-oauth2 (2.2.0)
       activesupport
       attr_required
-      httpclient
+      faraday (~> 2.0)
+      faraday-follow_redirects
       json-jwt (>= 1.11.0)
       rack (>= 2.1.0)
-    rack-protection (3.0.6)
-      rack
+    rack-protection (3.1.0)
+      rack (~> 2.2, >= 2.2.4)
     rack-test (2.1.0)
       rack (>= 1.3)
     rails (7.0.6)
@@ -376,10 +377,11 @@ GEM
     smart_properties (1.17.0)
     stimulus-rails (1.2.1)
       railties (>= 6.0.0)
-    swd (1.3.0)
+    swd (2.0.2)
       activesupport (>= 3)
       attr_required (>= 0.0.5)
-      httpclient (>= 2.4)
+      faraday (~> 2.0)
+      faraday-follow_redirects
     terminal-table (3.0.2)
       unicode-display_width (>= 1.1.1, < 3)
     thor (1.2.2)
@@ -413,9 +415,10 @@ GEM
       nokogiri (~> 1.6)
       rubyzip (>= 1.3.0)
       selenium-webdriver (~> 4.0)
-    webfinger (1.2.0)
+    webfinger (2.1.2)
       activesupport
-      httpclient (>= 2.4)
+      faraday (~> 2.0)
+      faraday-follow_redirects
     webmock (3.18.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)

app/controllers/auth/tara_controller.rb

@@ -0,0 +1,56 @@
+require 'countries'
+
+module Auth
+  class TaraController < ApplicationController
+    skip_authentication
+
+    before_action :clear_from_credentials, only: :callback
+
+    include TaraAccessable
+
+    rescue_from ActiveRecord::RecordNotFound, with: :no_user
+
+    def callback
+      if app_session
+        log_in app_session
+
+        redirect_to root_path, notice: t('.signed_in'), status: :see_other
+      else
+        flash.now[:danger] = I18n.t('.incorrect_details')
+        render 'sessions/new', status: :unprocessable_entity
+      end
+    end
+
+    def setup
+      request.env['omniauth.strategy'].options.merge!(options)
+
+      render plain: 'Omniauth setup phase', status: 404
+    end
+
+    def cancel
+      redirect_to root_path, notice: t(:sign_in_cancelled)
+    end
+
+    private
+
+    def no_user
+      render 'sessions/new', status: :unprocessable_entity
+    end
+
+    def app_session
+      @app_session ||= if tara_params_initiator == 'registrant'
+                         Registrant::RegistrantAuth.call(tara_params: @user_info)
+                       elsif tara_params_initiator == 'registrar'
+                         Registrar::RegistrarAuth.call(tara_params: @user_info)
+                       end
+    end
+
+    def clear_from_credentials
+      @user_info = user_hash.delete_if { |key, _| key == 'credentials' }
+    end
+
+    def user_hash
+      request.env['omniauth.auth']
+    end
+  end
+end

app/controllers/concerns/tara_accessable.rb

@@ -7,45 +7,35 @@ module TaraAccessable
     before_action :check_for_persisting_code, only: [:callback]
   end
 
-  def access_token(code)
-    auth = Base64.strict_encode64 [
-      URI.encode_www_form_component(identifier),
-      URI.encode_www_form_component(secret)
-    ].join(':')
-    headers = { 'Content-Type' => 'application/x-www-form-urlencoded',
-                'Authorization' => "Basic #{auth}" }
-
-    response = connection.post(eeid_token_url) do |request|
-      request.headers = headers
-      request.body = { code: }
-    end
-
-    JSON.parse(response.body)
-  end
-
-  def userinfo(access_token)
-    params = {
-      access_token:,
-      client_id: identifier
+  def tara_params_initiator
+    request.env['omniauth.params']['env']
+  end
+
+  # rubocop:disable Metrics/MethodLength
+  def options
+    {
+      name: 'tara',
+      scope: %w[openid idcard mid smartid],
+      state: SecureRandom.hex(10),
+      client_signing_alg: :RS256,
+      client_jwk_signing_key: ENV['tara_keys'],
+      send_scope_to_token_endpoint: false,
+      send_nonce: true,
+      issuer: ENV['tara_issuer'],
+      discovery: ENV['tara_discovery'],
+      client_options: {
+        scheme: ENV['tara_scheme'],
+        host: ENV['tara_host'],
+        port: ENV['tara_port'],
+        authorization_endpoint: ENV['tara_auth_endpoint'],
+        token_endpoint: ENV['tara_token_endpoint'],
+        userinfo_endpoint: nil, # Not implemented
+        jwks_uri: ENV['tara_jwks_uri'],
+        identifier: ENV['user_tara_identifier'],
+        secret: ENV['user_tara_secret'],
+        redirect_uri: "#{ENV['tara_base_redirect_url']}#{ENV['tara_redirect_path']}"
+      }
     }
-    response = connection.get("#{eeid_userinfo_url}?#{params.to_query}")
-    JSON.parse(response.body)
-  end
-
-  def connection
-    Faraday.new(eeid_host)
-  end
-
-  def eeid_host
-    'https://eeid.ee'
-  end
-
-  def eeid_token_url
-    '/oidc/token'
-  end
-
-  def eeid_userinfo_url
-    '/oidc/userinfo'
   end
 
   private

app/models/registrar_user.rb

@@ -12,14 +12,14 @@ class RegistrarUser < ApplicationRecord
   validate :password_match, if: :password_or_confirmation_present?
 
   def self.from_omniauth(tara_params)
-    full_name = "#{tara_params['given_name']} #{tara_params['family_name']}"
-    identity = tara_params['id_code'][2..]
+    full_name = "#{tara_params.dig('info', 'given_name')} #{tara_params.dig('info', 'family_name')}"
+    code = tara_params['uid'][2..]
 
-    user = RegistrarUser.find_by(code: identity)
+    user = RegistrarUser.find_by(code:)
     return if user.nil?
 
     user.name = full_name
-    user.code = identity
+    user.code = code
 
     user
   end