decidim-suomifi 0.18.0

data/app/controllers/decidim/suomifi/verification/authorizations_controller.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Suomifi
+    module Verification
+      class AuthorizationsController < ::Decidim::ApplicationController
+        skip_before_action :store_current_location
+
+        def new
+          # Do enforce the permission here because it would cause
+          # re-authorizations not to work as the authorization already exists.
+          # In case the user wants to re-authorize themselves, they can just
+          # hit this endpoint again.
+          redirect_to decidim.user_suomifi_omniauth_authorize_path
+        end
+      end
+    end
+  end
+end

data/config/locales/en.yml

@@ -0,0 +1,21 @@
+---
+en:
+  decidim:
+    authorization_handlers:
+      suomifi_eid:
+        explanation: Identify yourself using the Suomi.fi e-Identification service.
+        name: Suomi.fi e-Identification
+    suomifi:
+      omniauth_callbacks:
+        failure:
+          already_authorized: Another user has already authorized themselves with the same identity.
+          conditions: The authentication request was not handled within an allowed timeframe. Please try again.
+          identity_bound_to_other_user: Another user has already been identified using this identity. Please sign out and sign in again directly using Suomi.fi.
+          session_expiration: Authentication session expired. Please try again.
+          success_status: Authentication failed or cancelled. Please try again.
+      verification:
+        authorizations:
+          create:
+            success: You have been successfully authorized through Suomi.fi
+          destroy:
+            success: Authorization sucessfully reset.

data/config/locales/fi.yml

@@ -0,0 +1,20 @@
+fi:
+  decidim:
+    authorization_handlers:
+      suomifi_eid:
+        explanation: Tunnista itsesi Suomi.fi-tunnistuspalvelun avulla.
+        name: Suomi.fi tunnistus
+    suomifi:
+      omniauth_callbacks:
+        failure:
+          already_authorized: Toinen käyttäjä on tunnistanut itsensä jo samalla henkilöllisyydellä.
+          conditions: Tunnistuspyyntöä ei käsitelty sallitun aikarajan sisällä. Yritä uudestaan.
+          identity_bound_to_other_user: Toinen käyttäjä on jo tunnistanut itsensä tällä henkilöllisyydellä. Kirjaudu ulos ja kirjaudu uudestaan sisään käyttäen suoraan Suomi.fi-tunnistusta.
+          session_expiration: Tunnistusistunto vanhentui. Yritä uudestaan.
+          success_status: Tunnistus epäonnistui tai peruutettiin. Yritä uudestaan.
+      verification:
+        authorizations:
+          create:
+            success: Sinut on onnistuneesti tunnistettu Suomi.fi-palvelun avulla
+          destroy:
+            success: Varmennus tyhjennetty onnistuneesti.

data/config/locales/sv.yml

@@ -0,0 +1,20 @@
+sv:
+  decidim:
+    authorization_handlers:
+      suomifi_eid:
+        explanation: Identifiera dig själv med Suomi.fi-identifikation.
+        name: Suomi.fi-identifikation
+    suomifi:
+      omniauth_callbacks:
+        failure:
+          already_authorized: En annan användare har redan godkänt sig med samma identitet.
+          conditions: Autentiseringsbegäran hanterades inte inom en tillåten tidsram. Var god försök igen.
+          identity_bound_to_other_user: En annan användare har redan identifierats med denna identitet. Logga ut och logga in igen direkt med Suomi.fi.
+          session_expiration: Autentiseringssessionen har gått ut. Var god försök igen.
+          success_status: Autentiseringen misslyckades eller avbröts. Var god försök igen.
+      verification:
+        authorizations:
+          create:
+            success: Du har godkänts med Suomi.fi
+          destroy:
+            success: Tillståndet återställs efterhand.

data/lib/decidim/suomifi.rb

@@ -0,0 +1,141 @@
+# frozen_string_literal: true
+
+require "omniauth"
+require "omniauth-suomifi"
+require "henkilotunnus"
+
+require_relative "suomifi/version"
+require_relative "suomifi/engine"
+require_relative "suomifi/verification"
+require_relative "suomifi/mail_interceptors"
+
+module Decidim
+  module Suomifi
+    include ActiveSupport::Configurable
+
+    @configured = false
+
+    # :production - For Suomi.fi production environment
+    # :test - For Suomi.fi test environment
+    config_accessor :mode, instance_reader: false
+
+    # :limited - Limited scope
+    # :medium_extensive - Medium-extensive scope
+    # :extensive - Extensive scope
+    config_accessor :scope_of_data do
+      :medium_extensive
+    end
+
+    # Defines the auto email domain in case the person's email address is not
+    # stored in the Suomi.fi database. In case this is defined, the user will
+    # be automatically assigned an email such as
+    # "suomifi-identifier@auto-email-domain.fi" upon their registration.
+    config_accessor :auto_email_domain
+
+    config_accessor :sp_entity_id, instance_reader: false
+
+    # The certificate string for the application
+    config_accessor :certificate, instance_reader: false
+
+    # The private key string for the application
+    config_accessor :private_key, instance_reader: false
+
+    # The certificate file for the application
+    config_accessor :certificate_file
+
+    # The private key file for the application
+    config_accessor :private_key_file
+
+    # Extra configuration for the omniauth strategy
+    config_accessor :extra do
+      {}
+    end
+
+    # Allows customizing the authorization workflow e.g. for adding custom
+    # workflow options or configuring an action authorizer for the
+    # particular needs.
+    config_accessor :workflow_configurator do
+      lambda do |workflow|
+        # By default, expiration is set to 0 minutes which means it will
+        # never expire.
+        workflow.expires_in = 0.minutes
+      end
+    end
+
+    # Allows customizing how the authorization metadata gets collected from
+    # the SAML attributes passed from the authorization endpoint.
+    config_accessor :metadata_collector_class do
+      Decidim::Suomifi::Verification::MetadataCollector
+    end
+
+    def self.configured?
+      @configured
+    end
+
+    def self.configure
+      @configured = true
+      super
+    end
+
+    def self.mode
+      return config.mode if config.mode
+      return :production unless Rails.application.secrets.omniauth
+      return :production unless Rails.application.secrets.omniauth[:suomifi]
+
+      # Read the mode from the secrets
+      secrets = Rails.application.secrets.omniauth[:suomifi]
+      secrets[:mode] == "test" ? :test : :production
+    end
+
+    def self.sp_entity_id
+      return config.sp_entity_id if config.sp_entity_id
+
+      "#{application_host}/users/auth/suomifi/metadata"
+    end
+
+    def self.certificate
+      return File.read(certificate_file) if certificate_file
+
+      config.certificate
+    end
+
+    def self.private_key
+      return File.read(private_key_file) if private_key_file
+
+      config.private_key
+    end
+
+    def self.omniauth_settings
+      settings = {
+        mode: mode,
+        scope_of_data: scope_of_data,
+        sp_entity_id: sp_entity_id,
+        certificate: certificate,
+        private_key: private_key
+      }
+      settings.merge!(config.extra) if config.extra.is_a?(Hash)
+      settings
+    end
+
+    # Used to determine the default service provider entity ID in case not
+    # specifically set by the `sp_entity_id` configuration option.
+    def self.application_host
+      conf = Rails.application.config
+      url_options = conf.action_controller.default_url_options
+      url_options = conf.action_mailer.default_url_options if !url_options || !url_options[:host]
+      url_options ||= {}
+
+      host = url_options[:host]
+      port = url_options[:port]
+      if host.blank?
+        # Default to local development environment
+        host = "http://localhost"
+        port ||= 3000
+      end
+
+      return "#{host}:#{port}" if port && ![80, 443].include?(port.to_i)
+
+      host
+    end
+  end
+end

data/lib/decidim/suomifi/engine.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Suomifi
+    class Engine < ::Rails::Engine
+      isolate_namespace Decidim::Suomifi
+
+      routes do
+        devise_scope :user do
+          # Manually map the SAML omniauth routes for Devise because the default
+          # routes are mounted by core Decidim. This is because we want to map
+          # these routes to the local callbacks controller instead of the
+          # Decidim core.
+          # See: https://git.io/fjDz1
+          match(
+            "/users/auth/suomifi",
+            to: "omniauth_callbacks#passthru",
+            as: "user_suomifi_omniauth_authorize",
+            via: [:get, :post]
+          )
+
+          match(
+            "/users/auth/suomifi/callback",
+            to: "omniauth_callbacks#suomifi",
+            as: "user_suomifi_omniauth_callback",
+            via: [:get, :post]
+          )
+        end
+      end
+
+      initializer "decidim_suomifi.mount_routes", before: :add_routing_paths do
+        # Mount the engine routes to Decidim::Core::Engine because otherwise
+        # they would not get mounted properly. Note also that we need to prepend
+        # the routes in order for them to override Decidim's own routes for the
+        # "suomifi" authentication.
+        Decidim::Core::Engine.routes.prepend do
+          mount Decidim::Suomifi::Engine => "/"
+        end
+      end
+
+      initializer "decidim_suomifi.setup", before: "devise.omniauth" do
+        next unless Decidim::Suomifi.configured?
+
+        # Configure the SAML OmniAuth strategy for Devise
+        ::Devise.setup do |config|
+          config.omniauth(
+            :suomifi,
+            Decidim::Suomifi.omniauth_settings
+          )
+        end
+
+        # Customized version of Devise's OmniAuth failure app in order to handle
+        # the failures properly. Without this, the failure requests would end
+        # up in an ActionController::InvalidAuthenticityToken exception.
+        devise_failure_app = OmniAuth.config.on_failure
+        OmniAuth.config.on_failure = proc do |env|
+          if env["PATH_INFO"] =~ %r{^/users/auth/suomifi(/.*)?}
+            env["devise.mapping"] = ::Devise.mappings[:user]
+            Decidim::Suomifi::OmniauthCallbacksController.action(
+              :failure
+            ).call(env)
+          else
+            # Call the default for others.
+            devise_failure_app.call(env)
+          end
+        end
+      end
+
+      initializer "decidim_suomifi.omniauth_provider", after: :load_config_initializers do
+        next unless Decidim::Suomifi.configured?
+
+        Decidim::Suomifi::Engine.add_omniauth_provider
+
+        # This also needs to run as a callback for the reloader because
+        # otherwise the suomifi OmniAuth routes would not be added to the core
+        # engine because its routes are reloaded before e.g. the to_prepare hook
+        # runs in this engine. The OmniAuth provider needs to be added before
+        # the core routes are reloaded.
+        ActiveSupport::Reloader.to_run do
+          Decidim::Suomifi::Engine.add_omniauth_provider
+        end
+      end
+
+      initializer "decidim_suomifi.mail_interceptors" do
+        ActionMailer::Base.register_interceptor(
+          MailInterceptors::GeneratedRecipientsInterceptor
+        )
+      end
+
+      def self.add_omniauth_provider
+        # Add :suomifi to the Decidim omniauth providers
+        providers = ::Decidim::User::OMNIAUTH_PROVIDERS
+        unless providers.include?(:suomifi)
+          providers << :suomifi
+          ::Decidim::User.send(:remove_const, :OMNIAUTH_PROVIDERS)
+          ::Decidim::User.const_set(:OMNIAUTH_PROVIDERS, providers)
+        end
+      end
+    end
+  end
+end

data/lib/decidim/suomifi/mail_interceptors.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Suomifi
+    module MailInterceptors
+      autoload :GeneratedRecipientsInterceptor, "decidim/suomifi/mail_interceptors/generated_recipients_interceptor"
+    end
+  end
+end

data/lib/decidim/suomifi/mail_interceptors/generated_recipients_interceptor.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Suomifi
+    module MailInterceptors
+      # Prevents sending emails to the auto-generated email addresses.
+      class GeneratedRecipientsInterceptor
+        def self.delivering_email(message)
+          return unless Decidim::Suomifi.auto_email_domain
+
+          # Regexp to match the auto-generated emails
+          regexp = /^suomifi-[a-z0-9]{32}@#{Decidim::Suomifi.auto_email_domain}$/
+
+          # Remove the auto-generated email from the message recipients
+          message.to = message.to.reject { |email| email =~ regexp } if message.to
+          message.cc = message.cc.reject { |email| email =~ regexp } if message.cc
+          message.bcc = message.bcc.reject { |email| email =~ regexp } if message.bcc
+
+          # Prevent delivery in case there are no recipients on the email
+          message.perform_deliveries = false if message.to.empty?
+        end
+      end
+    end
+  end
+end

data/lib/decidim/suomifi/test/cert_store.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Suomifi
+    module Test
+      class CertStore
+        attr_reader :certificate, :private_key, :sign_certificate, :sign_private_key
+
+        def initialize
+          # Certificates
+          certgen = OmniAuth::Suomifi::Test::CertificateGenerator.new
+          @certificate = certgen.certificate
+          @private_key = certgen.private_key
+
+          # Use local certificate and private key for signing because otherwise the
+          # locally signed SAMLResponse's signature cannot be properly validated as
+          # we cannot sign it using the actual environments private key which is
+          # unknown.
+          sign_certgen = OmniAuth::Suomifi::Test::CertificateGenerator.new
+          @sign_certificate = sign_certgen.certificate
+          @sign_private_key = sign_certgen.private_key
+        end
+      end
+    end
+  end
+end

data/lib/decidim/suomifi/test/runtime.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Suomifi
+    module Test
+      class Runtime
+        # Ability to stub the requests already in the control class
+        include WebMock::API
+
+        def self.initializer(&block)
+          @block = block
+        end
+
+        def self.initialize
+          new.instance_initialize(&@block)
+        end
+
+        def self.load_app
+          engine_spec_dir = File.join(Dir.pwd, "spec")
+
+          require "#{Decidim::Dev.dummy_app_path}/config/environment"
+
+          Dir["#{engine_spec_dir}/shared/**/*.rb"].each { |f| require f }
+
+          require "paper_trail/frameworks/rspec"
+
+          require "decidim/dev/test/spec_helper"
+        end
+
+        def self.cert_store
+          @cert_store ||= CertStore.new
+        end
+
+        def instance_initialize
+          yield self
+
+          # Setup the Suomi.fi OmniAuth strategy for Devise
+          # ::Devise.setup do |config|
+          #   config.omniauth(
+          #     :suomifi,
+          #     Decidim::Suomifi.omniauth_settings
+          #   )
+          # end
+        end
+      end
+    end
+  end
+end

data/lib/decidim/suomifi/verification.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+require_relative "verification/metadata_collector"
+require_relative "verification/manager"
+require_relative "verification/engine"