decidim-suomifi 0.18.0 → 0.18.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e13492b1a73bdd27840c2546f7f7d38070ad211443908c3aebc9506ca75e01d3
-  data.tar.gz: c36ffe7df0263f45236d4feab729b97ea73c56a706fd514b6f7c955346c11ff6
+  metadata.gz: 150ac439de1d3aa6d6b1d4f751a2d9aaa42d71df7258e2ad1ce4ff17dda14908
+  data.tar.gz: d507607ae2555b4b22d264084b0e4ae5b2ea92cec8fd40d99a684649d1ecd914
 SHA512:
-  metadata.gz: f6863da988d2d68308bcc9b4bc0578e1f91ed2d40ad7380f104200a9e365b075b2776c133250ed34d10208597585a46a7ff6e839b4d87da25ebb79aa5064aac4
-  data.tar.gz: 1b3fe2faf3fb09e345ef1f99673706c68d9c948642ce92ce29fa01c57fe6bcfdba295dc185edb40eebf7bcb989e19b609a7f70c67d4b359314c9d71915771f82
+  metadata.gz: '060508a9c89d455df3abc8ae4c97d0d1fe4cf3602574209dd937f06675c007bdd6a67925c7082138d941e47c4f638bbbd9397d9ea7c1df54ab61337558c6a30e'
+  data.tar.gz: 1632a366514b05b264d90e0d3f47479d0bedd753127de042f654cf49af9e581b18422c2502998095bc90077a630ff7224b970d7b3dc30fb4ccb2d807d623699a

data/app/controllers/decidim/suomifi/omniauth_callbacks_controller.rb

@@ -13,33 +13,20 @@ module Decidim
       # This is called always after the user returns from the authentication
       # flow from the Suomi.fi identity provider.
       def suomifi
+        session["decidim-suomifi.signed_in"] = true
+
+        authenticator.validate!
+
         if user_signed_in?
           # The user is most likely returning from an authorization request
           # because they are already signed in. In this case, add the
           # authorization and redirect the user back to the authorizations view.
 
           # Make sure the user has an identity created in order to aid future
-          # Suomi.fi sign ins.
-          identity = current_user.identities.find_by(
-            organization: current_organization,
-            provider: oauth_data[:provider],
-            uid: user_identifier
-          )
-          unless identity
-            # Check that the identity is not already bound to another user.
-            id = Decidim::Identity.find_by(
-              organization: current_organization,
-              provider: oauth_data[:provider],
-              uid: user_identifier
-            )
-            return fail_authorize(:identity_bound_to_other_user) if id
-
-            current_user.identities.create!(
-              organization: current_organization,
-              provider: oauth_data[:provider],
-              uid: user_identifier
-            )
-          end
+          # Suomi.fi sign ins. In case this fails, it will raise a
+          # Decidim::Suomifi::Authentication::IdentityBoundToOtherUserError
+          # which is handled below.
+          authenticator.identify_user!(current_user)
 
           # Add the authorization for the user
           return fail_authorize unless authorize_user(current_user)
@@ -57,6 +44,10 @@ module Decidim
 
         # Normal authentication request, proceed with Decidim's internal logic.
         send(:create)
+      rescue Decidim::Suomifi::Authentication::ValidationError => e
+        fail_authorize(e.validation_key)
+      rescue Decidim::Suomifi::Authentication::IdentityBoundToOtherUserError
+        fail_authorize(:identity_bound_to_other_user)
       end
 
       def failure
@@ -132,31 +123,9 @@ module Decidim
       private
 
       def authorize_user(user)
-        authorization = Decidim::Authorization.find_by(
-          name: "suomifi_eid",
-          unique_id: user_signature
-        )
-        if authorization
-          return nil if authorization.user != user
-        else
-          authorization = Decidim::Authorization.find_or_initialize_by(
-            name: "suomifi_eid",
-            user: user
-          )
-        end
-
-        authorization.attributes = {
-          unique_id: user_signature,
-          metadata: authorization_metadata
-        }
-        authorization.save!
-
-        # This will update the "granted_at" timestamp of the authorization which
-        # will postpone expiration on re-authorizations in case the
-        # authorization is set to expire (by default it will not expire).
-        authorization.grant!
-
-        authorization
+        authenticator.authorize_user!(user)
+      rescue Decidim::Suomifi::Authentication::AuthorizationBoundToOtherUserError
+        nil
       end
 
       def fail_authorize(failure_message_key = :already_authorized)
@@ -164,13 +133,15 @@ module Decidim
           "failure.#{failure_message_key}",
           scope: "decidim.suomifi.omniauth_callbacks"
         )
-        redirect_to stored_location_for(resource || :user) || decidim.root_path
-      end
 
-      # Data that is stored against the authorization "permanently" (i.e. as
-      # long as the authorization is valid).
-      def authorization_metadata
-        metadata_collector.metadata
+        redirect_path = stored_location_for(resource || :user) || decidim.root_path
+        if session.delete("decidim-suomifi.signed_in")
+          params = "?RelayState=#{CGI.escape(redirect_path)}"
+
+          return redirect_to user_suomifi_omniauth_spslo_path + params
+        end
+
+        redirect_to redirect_path
       end
 
       # Needs to be specifically defined because the core engine routes are not
@@ -183,84 +154,18 @@ module Decidim
       # Private: Create form params from omniauth hash
       # Since we are using trusted omniauth data we are generating a valid signature.
       def user_params_from_oauth_hash
-        return nil if oauth_data.empty?
-        return nil if saml_attributes.empty?
-        return nil if user_identifier.blank?
-
-        {
-          provider: oauth_data[:provider],
-          uid: user_identifier,
-          name: user_full_name,
-          # The nickname is automatically "parametrized" by Decidim core from
-          # the name string, i.e. it will be in correct format.
-          nickname: user_full_name,
-          oauth_signature: user_signature,
-          avatar_url: oauth_data[:info][:image],
-          raw_data: oauth_hash
-        }
+        authenticator.user_params_from_oauth_hash
       end
 
-      def user_full_name
-        return oauth_data[:info][:name] if oauth_data[:info][:name]
-
-        @user_full_name ||= begin
-          first_name = begin
-            saml_attributes[:given_name] ||
-              saml_attributes[:first_names] ||
-              saml_attributes[:eidas_first_names]
-          end
-          last_name = begin
-            saml_attributes[:last_name] ||
-              saml_attributes[:eidas_family_name]
-          end
-
-          "#{first_name} #{last_name}"
-        end
-      end
-
-      def user_signature
-        @user_signature ||= OmniauthRegistrationForm.create_signature(
-          oauth_data[:provider],
-          user_identifier
-        )
-      end
-
-      # See the omniauth-suomi gem's notes about the UID. It should be always
-      # unique per person as long as it can be determined from the user's data.
-      # This consists of one of the following in this order:
-      # - The person's electronic identifier (SATU ID, sähköinen asiointitunnus)
-      # - The person's personal identifier (HETU ID, henkilötunnus) in hashed
-      #   format
-      # - The person's eIDAS personal identifier (eIDAS PID) in hashed format
-      # - The SAML NameID in the SAML response in case no unique personal data
-      #   is available as defined above
-      def user_identifier
-        @user_identifier ||= oauth_data[:uid]
-      end
-
-      def person_identifier_digest
-        metadata_collector.person_identifier_digest
-      end
-
-      def metadata_collector
-        @metadata_collector ||= Decidim::Suomifi::Verification::Manager.metadata_collector_for(
-          saml_attributes
+      def authenticator
+        @authenticator ||= Decidim::Suomifi.authenticator_for(
+          current_organization,
+          oauth_hash
         )
       end
 
       def verified_email
-        @verified_email ||= begin
-          if saml_attributes[:email]
-            saml_attributes[:email]
-          elsif Decidim::Suomifi.auto_email_domain
-            domain = Decidim::Suomifi.auto_email_domain
-            "suomifi-#{person_identifier_digest}@#{domain}"
-          end
-        end
-      end
-
-      def saml_attributes
-        @saml_attributes ||= oauth_hash[:extra][:saml_attributes]
+        authenticator.verified_email
       end
     end
   end

data/app/controllers/decidim/suomifi/sessions_controller.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Suomifi
+    class SessionsController < ::Decidim::Devise::SessionsController
+      def destroy
+        # In case the user is signed in through Suomi.fi, redirect them through
+        # the SPSLO flow.
+        if session.delete("decidim-suomifi.signed_in")
+          # These session variables get destroyed along with the user's active
+          # session. They are needed for the SLO request.
+          saml_uid = session["saml_uid"]
+          saml_session_index = session["saml_session_index"]
+
+          # End the local user session.
+          signed_out = (::Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name))
+
+          # Store the SAML parameters for the SLO request utilized by
+          # omniauth-saml. These are used to generate a valid SLO request.
+          session["saml_uid"] = saml_uid
+          session["saml_session_index"] = saml_session_index
+
+          # Generate the SLO redirect path and parameters.
+          relay = slo_callback_user_session_path
+          relay += "?success=1" if signed_out
+          params = "?RelayState=#{CGI.escape(relay)}"
+
+          return redirect_to user_suomifi_omniauth_spslo_path + params
+        end
+
+        # Otherwise, continue normally
+        super
+      end
+
+      def slo
+        # This is handled already by omniauth
+        redirect_to decidim.root_path
+      end
+
+      def spslo
+        # This is handled already by omniauth
+        redirect_to decidim.root_path
+      end
+
+      def slo_callback
+        set_flash_message! :notice, :signed_out if params[:success] == "1"
+
+        redirect_to after_sign_out_path_for(resource_name)
+      end
+    end
+  end
+end

data/config/locales/en.yml

@@ -11,6 +11,7 @@ en:
           already_authorized: Another user has already authorized themselves with the same identity.
           conditions: The authentication request was not handled within an allowed timeframe. Please try again.
           identity_bound_to_other_user: Another user has already been identified using this identity. Please sign out and sign in again directly using Suomi.fi.
+          invalid_data: You cannot be authenticated through Suomi.fi.
           session_expiration: Authentication session expired. Please try again.
           success_status: Authentication failed or cancelled. Please try again.
       verification:

data/config/locales/fi.yml

@@ -10,6 +10,7 @@ fi:
           already_authorized: Toinen käyttäjä on tunnistanut itsensä jo samalla henkilöllisyydellä.
           conditions: Tunnistuspyyntöä ei käsitelty sallitun aikarajan sisällä. Yritä uudestaan.
           identity_bound_to_other_user: Toinen käyttäjä on jo tunnistanut itsensä tällä henkilöllisyydellä. Kirjaudu ulos ja kirjaudu uudestaan sisään käyttäen suoraan Suomi.fi-tunnistusta.
+          invalid_data: Sinua ei voida tunnistaa Suomi.fi-palvelun avulla.
           session_expiration: Tunnistusistunto vanhentui. Yritä uudestaan.
           success_status: Tunnistus epäonnistui tai peruutettiin. Yritä uudestaan.
       verification:

data/config/locales/sv.yml

@@ -10,6 +10,7 @@ sv:
           already_authorized: En annan användare har redan godkänt sig med samma identitet.
           conditions: Autentiseringsbegäran hanterades inte inom en tillåten tidsram. Var god försök igen.
           identity_bound_to_other_user: En annan användare har redan identifierats med denna identitet. Logga ut och logga in igen direkt med Suomi.fi.
+          invalid_data: Du kan inte verifiera dig genom Suomi.fi.
           session_expiration: Autentiseringssessionen har gått ut. Var god försök igen.
           success_status: Autentiseringen misslyckades eller avbröts. Var god försök igen.
       verification:

data/lib/decidim/suomifi.rb

@@ -6,6 +6,7 @@ require "henkilotunnus"
 
 require_relative "suomifi/version"
 require_relative "suomifi/engine"
+require_relative "suomifi/authentication"
 require_relative "suomifi/verification"
 require_relative "suomifi/mail_interceptors"
 
@@ -46,6 +47,18 @@ module Decidim
     # The private key file for the application
     config_accessor :private_key_file
 
+    # Defines how the session gets cleared when the OmniAuth strategy logs the
+    # user out. This has been customized to preserve the flash messages in the
+    # session after the session is destroyed.
+    config_accessor :idp_slo_session_destroy do
+      proc do |_env, session|
+        flash = session["flash"]
+        result = session.clear
+        session["flash"] = flash if flash
+        result
+      end
+    end
+
     # Extra configuration for the omniauth strategy
     config_accessor :extra do
       {}
@@ -62,6 +75,12 @@ module Decidim
       end
     end
 
+    # Allows customizing parts of the authentication flow such as validating
+    # the authorization data before allowing the user to be authenticated.
+    config_accessor :authenticator_class do
+      Decidim::Suomifi::Authentication::Authenticator
+    end
+
     # Allows customizing how the authorization metadata gets collected from
     # the SAML attributes passed from the authorization endpoint.
     config_accessor :metadata_collector_class do
@@ -77,6 +96,10 @@ module Decidim
       super
     end
 
+    def self.authenticator_for(organization, oauth_hash)
+      authenticator_class.new(organization, oauth_hash)
+    end
+
     def self.mode
       return config.mode if config.mode
       return :production unless Rails.application.secrets.omniauth
@@ -111,7 +134,8 @@ module Decidim
         scope_of_data: scope_of_data,
         sp_entity_id: sp_entity_id,
         certificate: certificate,
-        private_key: private_key
+        private_key: private_key,
+        idp_slo_session_destroy: idp_slo_session_destroy
       }
       settings.merge!(config.extra) if config.extra.is_a?(Hash)
       settings

data/lib/decidim/suomifi/authentication.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require_relative "authentication/authenticator"
+require_relative "authentication/errors"

data/lib/decidim/suomifi/authentication/authenticator.rb

@@ -0,0 +1,178 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Suomifi
+    module Authentication
+      class Authenticator
+        include ActiveModel::Validations
+
+        def initialize(organization, oauth_hash)
+          @organization = organization
+          @oauth_hash = oauth_hash
+        end
+
+        def verified_email
+          @verified_email ||= begin
+            if saml_attributes[:email]
+              saml_attributes[:email]
+            elsif Decidim::Suomifi.auto_email_domain
+              domain = Decidim::Suomifi.auto_email_domain
+              "suomifi-#{person_identifier_digest}@#{domain}"
+            end
+          end
+        end
+
+        # Private: Create form params from omniauth hash
+        # Since we are using trusted omniauth data we are generating a valid signature.
+        def user_params_from_oauth_hash
+          return nil if oauth_data.empty?
+          return nil if saml_attributes.empty?
+          return nil if user_identifier.blank?
+
+          {
+            provider: oauth_data[:provider],
+            uid: user_identifier,
+            name: user_full_name,
+            # The nickname is automatically "parametrized" by Decidim core from
+            # the name string, i.e. it will be in correct format.
+            nickname: user_full_name,
+            oauth_signature: user_signature,
+            avatar_url: oauth_data[:info][:image],
+            raw_data: oauth_hash
+          }
+        end
+
+        def validate!
+          raise ValidationError, "No SAML data provided" if saml_attributes.blank?
+
+          data_blank = saml_attributes.all? { |_k, val| val.blank? }
+          raise ValidationError, "Invalid SAML data" if data_blank
+          raise ValidationError, "Invalid person dentifier" if person_identifier_digest.blank?
+
+          true
+        end
+
+        def identify_user!(user)
+          identity = user.identities.find_by(
+            organization: organization,
+            provider: oauth_data[:provider],
+            uid: user_identifier
+          )
+          return identity if identity
+
+          # Check that the identity is not already bound to another user.
+          id = Decidim::Identity.find_by(
+            organization: organization,
+            provider: oauth_data[:provider],
+            uid: user_identifier
+          )
+
+          raise IdentityBoundToOtherUserError if id
+
+          user.identities.create!(
+            organization: organization,
+            provider: oauth_data[:provider],
+            uid: user_identifier
+          )
+        end
+
+        def authorize_user!(user)
+          authorization = Decidim::Authorization.find_by(
+            name: "suomifi_eid",
+            unique_id: user_signature
+          )
+          if authorization
+            raise AuthorizationBoundToOtherUserError if authorization.user != user
+          else
+            authorization = Decidim::Authorization.find_or_initialize_by(
+              name: "suomifi_eid",
+              user: user
+            )
+          end
+
+          authorization.attributes = {
+            unique_id: user_signature,
+            metadata: authorization_metadata
+          }
+          authorization.save!
+
+          # This will update the "granted_at" timestamp of the authorization
+          # which will postpone expiration on re-authorizations in case the
+          # authorization is set to expire (by default it will not expire).
+          authorization.grant!
+
+          authorization
+        end
+
+        protected
+
+        attr_reader :organization, :oauth_hash
+
+        def oauth_data
+          @oauth_data ||= oauth_hash.slice(:provider, :uid, :info)
+        end
+
+        def saml_attributes
+          @saml_attributes ||= oauth_hash[:extra][:saml_attributes]
+        end
+
+        # See the omniauth-suomi gem's notes about the UID. It should be always
+        # unique per person as long as it can be determined from the user's data.
+        # This consists of one of the following in this order:
+        # - The person's electronic identifier (SATU ID, sähköinen asiointitunnus)
+        # - The person's personal identifier (HETU ID, henkilötunnus) in hashed
+        #   format
+        # - The person's eIDAS personal identifier (eIDAS PID) in hashed format
+        # - The SAML NameID in the SAML response in case no unique personal data
+        #   is available as defined above
+        def user_identifier
+          @user_identifier ||= oauth_data[:uid]
+        end
+
+        # Create a unique signature for the user that will be used for the
+        # granted authorization.
+        def user_signature
+          @user_signature ||= ::Decidim::OmniauthRegistrationForm.create_signature(
+            oauth_data[:provider],
+            user_identifier
+          )
+        end
+
+        def user_full_name
+          return oauth_data[:info][:name] if oauth_data[:info][:name]
+
+          @user_full_name ||= begin
+            first_name = begin
+              saml_attributes[:given_name] ||
+                saml_attributes[:first_names] ||
+                saml_attributes[:eidas_first_names]
+            end
+            last_name = begin
+              saml_attributes[:last_name] ||
+                saml_attributes[:eidas_family_name]
+            end
+
+            "#{first_name} #{last_name}"
+          end
+        end
+
+        def metadata_collector
+          @metadata_collector ||= ::Decidim::Suomifi::Verification::Manager.metadata_collector_for(
+            saml_attributes
+          )
+        end
+
+        # Data that is stored against the authorization "permanently" (i.e. as
+        # long as the authorization is valid).
+        def authorization_metadata
+          metadata_collector.metadata
+        end
+
+        # The digest that is created from the person identifier.
+        def person_identifier_digest
+          metadata_collector.person_identifier_digest
+        end
+      end
+    end
+  end
+end

data/lib/decidim/suomifi/authentication/errors.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Suomifi
+    module Authentication
+      class Error < StandardError; end
+
+      class AuthorizationBoundToOtherUserError < Error; end
+      class IdentityBoundToOtherUserError < Error; end
+
+      class ValidationError < Error
+        attr_reader :validation_key
+
+        def initialize(msg = nil, validation_key = :invalid_data)
+          @validation_key = validation_key
+          super(msg)
+        end
+      end
+    end
+  end
+end

data/lib/decidim/suomifi/engine.rb

@@ -25,6 +25,42 @@ module Decidim
             as: "user_suomifi_omniauth_callback",
             via: [:get, :post]
           )
+
+          # Add the SLO and SPSLO paths to be able to pass these requests to
+          # OmniAuth.
+          match(
+            "/users/auth/suomifi/slo",
+            to: "sessions#slo",
+            as: "user_suomifi_omniauth_slo",
+            via: [:get, :post]
+          )
+
+          match(
+            "/users/auth/suomifi/spslo",
+            to: "sessions#spslo",
+            as: "user_suomifi_omniauth_spslo",
+            via: [:get, :post]
+          )
+
+          # Manually map the sign out path in order to control the sign out
+          # flow through OmniAuth when the user signs out from the service.
+          # In these cases, the user needs to be also signed out from Suomi.fi
+          # which is handled by the OmniAuth strategy.
+          match(
+            "/users/sign_out",
+            to: "sessions#destroy",
+            as: "destroy_user_session",
+            via: [:delete, :post]
+          )
+
+          # This is the callback route after a returning from a successful sign
+          # out request through OmniAuth.
+          match(
+            "/users/slo_callback",
+            to: "sessions#slo_callback",
+            as: "slo_callback_user_session",
+            via: [:get]
+          )
         end
       end
 

data/lib/decidim/suomifi/version.rb

@@ -2,7 +2,7 @@
 
 module Decidim
   module Suomifi
-    VERSION = "0.18.0"
+    VERSION = "0.18.1"
     DECIDIM_VERSION = "~> 0.18.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: decidim-suomifi
 version: !ruby/object:Gem::Version
-  version: 0.18.0
+  version: 0.18.1
 platform: ruby
 authors:
 - Antti Hukkanen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-10-08 00:00:00.000000000 Z
+date: 2019-10-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: decidim-core
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.2.0
+        version: 0.3.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.2.0
+        version: 0.3.0
 - !ruby/object:Gem::Dependency
   name: decidim-dev
   requirement: !ruby/object:Gem::Requirement
@@ -91,11 +91,15 @@ files:
 - README.md
 - Rakefile
 - app/controllers/decidim/suomifi/omniauth_callbacks_controller.rb
+- app/controllers/decidim/suomifi/sessions_controller.rb
 - app/controllers/decidim/suomifi/verification/authorizations_controller.rb
 - config/locales/en.yml
 - config/locales/fi.yml
 - config/locales/sv.yml
 - lib/decidim/suomifi.rb
+- lib/decidim/suomifi/authentication.rb
+- lib/decidim/suomifi/authentication/authenticator.rb
+- lib/decidim/suomifi/authentication/errors.rb
 - lib/decidim/suomifi/engine.rb
 - lib/decidim/suomifi/mail_interceptors.rb
 - lib/decidim/suomifi/mail_interceptors/generated_recipients_interceptor.rb