decidim-mpassid 0.18.0

data/app/controllers/decidim/mpassid/verification/authorizations_controller.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Mpassid
+    module Verification
+      class AuthorizationsController < ::Decidim::ApplicationController
+        skip_before_action :store_current_location
+
+        def new
+          # Do enforce the permission here because it would cause
+          # re-authorizations not to work as the authorization already exists.
+          # In case the user wants to re-authorize themselves, they can just
+          # hit this endpoint again.
+          redirect_to decidim.user_mpassid_omniauth_authorize_path
+        end
+      end
+    end
+  end
+end

data/config/locales/en.yml

@@ -0,0 +1,21 @@
+---
+en:
+  decidim:
+    authorization_handlers:
+      mpassid_nids:
+        explanation: Identify yourself using the MPASSid identity service.
+        name: MPASSid identity
+    mpassid:
+      omniauth_callbacks:
+        failure:
+          already_authorized: Another user has already authorized themselves with the same identity.
+          conditions: The authentication request was not handled within an allowed timeframe. Please try again.
+          identity_bound_to_other_user: Another user has already been identified using this identity. Please sign out and sign in again directly using MPASSid.
+          session_expiration: Authentication session expired. Please try again.
+          success_status: Authentication failed or cancelled. Please try again.
+      verification:
+        authorizations:
+          create:
+            success: You have been successfully authorized through MPASSid
+          destroy:
+            success: Authorization sucessfully reset.

data/config/locales/fi.yml

@@ -0,0 +1,20 @@
+fi:
+  decidim:
+    authorization_handlers:
+      mpassid_nids:
+        explanation: Tunnista itsesi MPASSid-tunnistuspalvelun avulla.
+        name: MPASSid tunnistus
+    mpassid:
+      omniauth_callbacks:
+        failure:
+          already_authorized: Toinen käyttäjä on tunnistanut itsensä jo samalla henkilöllisyydellä.
+          conditions: Tunnistuspyyntöä ei käsitelty sallitun aikarajan sisällä. Yritä uudestaan.
+          identity_bound_to_other_user: Toinen käyttäjä on jo tunnistanut itsensä tällä henkilöllisyydellä. Kirjaudu ulos ja kirjaudu uudestaan sisään käyttäen suoraan MPASSid-tunnistusta.
+          session_expiration: Tunnistusistunto vanhentui. Yritä uudestaan.
+          success_status: Tunnistus epäonnistui tai peruutettiin. Yritä uudestaan.
+      verification:
+        authorizations:
+          create:
+            success: Sinut on onnistuneesti tunnistettu MPASSid-palvelun avulla
+          destroy:
+            success: Varmennus tyhjennetty onnistuneesti.

data/config/locales/sv.yml

@@ -0,0 +1,20 @@
+sv:
+  decidim:
+    authorization_handlers:
+      mpassid_nids:
+        explanation: Identifiera dig själv med MPASSid-identifikation.
+        name: MPASSid-identifikation
+    mpassid:
+      omniauth_callbacks:
+        failure:
+          already_authorized: En annan användare har redan godkänt sig med samma identitet.
+          conditions: Autentiseringsbegäran hanterades inte inom en tillåten tidsram. Var god försök igen.
+          identity_bound_to_other_user: En annan användare har redan identifierats med denna identitet. Logga ut och logga in igen direkt med MPASSid.
+          session_expiration: Autentiseringssessionen har gått ut. Var god försök igen.
+          success_status: Autentiseringen misslyckades eller avbröts. Var god försök igen.
+      verification:
+        authorizations:
+          create:
+            success: Du har godkänts med MPASSid
+          destroy:
+            success: Tillståndet återställs efterhand.

data/lib/decidim/mpassid.rb

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+require "omniauth"
+require "omniauth-mpassid"
+
+require_relative "mpassid/version"
+require_relative "mpassid/engine"
+require_relative "mpassid/verification"
+require_relative "mpassid/mail_interceptors"
+
+module Decidim
+  module Mpassid
+    include ActiveSupport::Configurable
+
+    @configured = false
+
+    # :production - For MPASSid production environment
+    # :test - For MPASSid test environment
+    config_accessor :mode, instance_reader: false
+
+    # Defines the auto email domain to generate verified email addresses upon
+    # the user's registration automatically that have format similar to
+    # "mpassid-identifier@auto-email-domain.fi"
+    config_accessor :auto_email_domain
+
+    config_accessor :sp_entity_id, instance_reader: false
+
+    # Extra configuration for the omniauth strategy
+    config_accessor :extra do
+      {}
+    end
+
+    # Allows customizing the authorization workflow e.g. for adding custom
+    # workflow options or configuring an action authorizer for the
+    # particular needs.
+    config_accessor :workflow_configurator do
+      lambda do |workflow|
+        # By default, expiration is set to 0 minutes which means it will
+        # never expire.
+        workflow.expires_in = 0.minutes
+      end
+    end
+
+    # Allows customizing how the authorization metadata gets collected from
+    # the SAML attributes passed from the authorization endpoint.
+    config_accessor :metadata_collector_class do
+      Decidim::Mpassid::Verification::MetadataCollector
+    end
+
+    def self.configured?
+      @configured
+    end
+
+    def self.configure
+      @configured = true
+      super
+    end
+
+    def self.mode
+      return config.mode if config.mode
+      return :production unless Rails.application.secrets.omniauth
+      return :production unless Rails.application.secrets.omniauth[:mpassid]
+
+      # Read the mode from the secrets
+      secrets = Rails.application.secrets.omniauth[:mpassid]
+      secrets[:mode] == "test" ? :test : :production
+    end
+
+    def self.sp_entity_id
+      return config.sp_entity_id if config.sp_entity_id
+
+      "#{application_host}/users/auth/mpassid/metadata"
+    end
+
+    def self.omniauth_settings
+      settings = {
+        mode: mode,
+        sp_entity_id: sp_entity_id
+      }
+      settings.merge!(config.extra) if config.extra.is_a?(Hash)
+      settings
+    end
+
+    # Used to determine the default service provider entity ID in case not
+    # specifically set by the `sp_entity_id` configuration option.
+    def self.application_host
+      conf = Rails.application.config
+      url_options = conf.action_controller.default_url_options
+      url_options = conf.action_mailer.default_url_options if !url_options || !url_options[:host]
+      url_options ||= {}
+
+      host = url_options[:host]
+      port = url_options[:port]
+      if host.blank?
+        # Default to local development environment
+        host = "http://localhost"
+        port ||= 3000
+      end
+
+      return "#{host}:#{port}" if port && ![80, 443].include?(port.to_i)
+
+      host
+    end
+  end
+end

data/lib/decidim/mpassid/engine.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Mpassid
+    class Engine < ::Rails::Engine
+      isolate_namespace Decidim::Mpassid
+
+      routes do
+        devise_scope :user do
+          # Manually map the SAML omniauth routes for Devise because the default
+          # routes are mounted by core Decidim. This is because we want to map
+          # these routes to the local callbacks controller instead of the
+          # Decidim core.
+          # See: https://git.io/fjDz1
+          match(
+            "/users/auth/mpassid",
+            to: "omniauth_callbacks#passthru",
+            as: "user_mpassid_omniauth_authorize",
+            via: [:get, :post]
+          )
+
+          match(
+            "/users/auth/mpassid/callback",
+            to: "omniauth_callbacks#mpassid",
+            as: "user_mpassid_omniauth_callback",
+            via: [:get, :post]
+          )
+        end
+      end
+
+      initializer "decidim_mpassid.mount_routes", before: :add_routing_paths do
+        # Mount the engine routes to Decidim::Core::Engine because otherwise
+        # they would not get mounted properly. Note also that we need to prepend
+        # the routes in order for them to override Decidim's own routes for the
+        # "mpassid" authentication.
+        Decidim::Core::Engine.routes.prepend do
+          mount Decidim::Mpassid::Engine => "/"
+        end
+      end
+
+      initializer "decidim_mpassid.setup", before: "devise.omniauth" do
+        next unless Decidim::Mpassid.configured?
+
+        # Configure the SAML OmniAuth strategy for Devise
+        ::Devise.setup do |config|
+          config.omniauth(
+            :mpassid,
+            Decidim::Mpassid.omniauth_settings
+          )
+        end
+
+        # Customized version of Devise's OmniAuth failure app in order to handle
+        # the failures properly. Without this, the failure requests would end
+        # up in an ActionController::InvalidAuthenticityToken exception.
+        devise_failure_app = OmniAuth.config.on_failure
+        OmniAuth.config.on_failure = proc do |env|
+          if env["PATH_INFO"] =~ %r{^/users/auth/mpassid(/.*)?}
+            env["devise.mapping"] = ::Devise.mappings[:user]
+            Decidim::Mpassid::OmniauthCallbacksController.action(
+              :failure
+            ).call(env)
+          else
+            # Call the default for others.
+            devise_failure_app.call(env)
+          end
+        end
+      end
+
+      initializer "decidim_mpassid.omniauth_provider", after: :load_config_initializers do
+        next unless Decidim::Mpassid.configured?
+
+        Decidim::Mpassid::Engine.add_omniauth_provider
+
+        # This also needs to run as a callback for the reloader because
+        # otherwise the mpassid OmniAuth routes would not be added to the core
+        # engine because its routes are reloaded before e.g. the to_prepare hook
+        # runs in this engine. The OmniAuth provider needs to be added before
+        # the core routes are reloaded.
+        ActiveSupport::Reloader.to_run do
+          Decidim::Mpassid::Engine.add_omniauth_provider
+        end
+      end
+
+      initializer "decidim_mpassid.mail_interceptors" do
+        ActionMailer::Base.register_interceptor(
+          MailInterceptors::GeneratedRecipientsInterceptor
+        )
+      end
+
+      def self.add_omniauth_provider
+        # Add :mpassid to the Decidim omniauth providers
+        providers = ::Decidim::User::OMNIAUTH_PROVIDERS
+        unless providers.include?(:mpassid)
+          providers << :mpassid
+          ::Decidim::User.send(:remove_const, :OMNIAUTH_PROVIDERS)
+          ::Decidim::User.const_set(:OMNIAUTH_PROVIDERS, providers)
+        end
+      end
+    end
+  end
+end

data/lib/decidim/mpassid/mail_interceptors.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Mpassid
+    module MailInterceptors
+      autoload :GeneratedRecipientsInterceptor, "decidim/mpassid/mail_interceptors/generated_recipients_interceptor"
+    end
+  end
+end

data/lib/decidim/mpassid/mail_interceptors/generated_recipients_interceptor.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Mpassid
+    module MailInterceptors
+      # Prevents sending emails to the auto-generated email addresses.
+      class GeneratedRecipientsInterceptor
+        def self.delivering_email(message)
+          return unless Decidim::Mpassid.auto_email_domain
+
+          # Regexp to match the auto-generated emails
+          regexp = /^mpassid-[a-z0-9]{32}@#{Decidim::Mpassid.auto_email_domain}$/
+
+          # Remove the auto-generated email from the message recipients
+          message.to = message.to.reject { |email| email =~ regexp } if message.to
+          message.cc = message.cc.reject { |email| email =~ regexp } if message.cc
+          message.bcc = message.bcc.reject { |email| email =~ regexp } if message.bcc
+
+          # Prevent delivery in case there are no recipients on the email
+          message.perform_deliveries = false if message.to.empty?
+        end
+      end
+    end
+  end
+end

data/lib/decidim/mpassid/test/cert_store.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Mpassid
+    module Test
+      class CertStore
+        attr_reader :sign_certificate, :sign_private_key
+
+        def initialize
+          # Use local certificate and private key for signing because otherwise
+          # the locally signed SAMLResponse's signature cannot be properly
+          # validated as we cannot sign it using the actual environments private
+          # key which is unknown.
+          sign_certgen = OmniAuth::MPASSid::Test::CertificateGenerator.new
+          @sign_certificate = sign_certgen.certificate
+          @sign_private_key = sign_certgen.private_key
+        end
+      end
+    end
+  end
+end

data/lib/decidim/mpassid/test/runtime.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Mpassid
+    module Test
+      class Runtime
+        # Ability to stub the requests already in the control class
+        include WebMock::API
+
+        def self.initializer(&block)
+          @block = block
+        end
+
+        def self.initialize
+          new.instance_initialize(&@block)
+        end
+
+        def self.load_app
+          engine_spec_dir = File.join(Dir.pwd, "spec")
+
+          require "#{Decidim::Dev.dummy_app_path}/config/environment"
+
+          Dir["#{engine_spec_dir}/shared/**/*.rb"].each { |f| require f }
+
+          require "paper_trail/frameworks/rspec"
+
+          require "decidim/dev/test/spec_helper"
+        end
+
+        def self.cert_store
+          @cert_store ||= CertStore.new
+        end
+
+        def instance_initialize
+          yield self
+
+          # Setup the MPASSid OmniAuth strategy for Devise
+          # ::Devise.setup do |config|
+          #   config.omniauth(
+          #     :mpassid,
+          #     Decidim::Mpassid.omniauth_settings
+          #   )
+          # end
+        end
+      end
+    end
+  end
+end

data/lib/decidim/mpassid/verification.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+require_relative "verification/metadata_collector"
+require_relative "verification/manager"
+require_relative "verification/engine"

data/lib/decidim/mpassid/verification/engine.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Mpassid
+    module Verification
+      # This is an engine that performs user authorization.
+      class Engine < ::Rails::Engine
+        isolate_namespace Decidim::Mpassid::Verification
+
+        paths["db/migrate"] = nil
+        paths["lib/tasks"] = nil
+
+        routes do
+          resource :authorizations, only: [:new], as: :authorization
+
+          root to: "authorizations#new"
+        end
+
+        initializer "decidim_mpassid.verification_workflow", after: :load_config_initializers do
+          next unless Decidim::Mpassid.configured?
+
+          # We cannot use the name `:mpassid` for the verification workflow
+          # because otherwise the route namespace (decidim_mpassid) would
+          # conflict with the main engine controlling the authentication flows.
+          # The main problem that this would bring is that the root path for
+          # this engine would not be found.
+          Decidim::Verifications.register_workflow(:mpassid_nids) do |workflow|
+            workflow.engine = Decidim::Mpassid::Verification::Engine
+
+            Decidim::Mpassid::Verification::Manager.configure_workflow(workflow)
+          end
+        end
+
+        def load_seed
+          # Enable the `:mpassid_nids` authorization
+          org = Decidim::Organization.first
+          org.available_authorizations << :mpassid_nids
+          org.save!
+        end
+      end
+    end
+  end
+end