decidim-suomifi 0.18.0

data/lib/decidim/suomifi/verification/engine.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Suomifi
+    module Verification
+      # This is an engine that performs user authorization.
+      class Engine < ::Rails::Engine
+        isolate_namespace Decidim::Suomifi::Verification
+
+        paths["db/migrate"] = nil
+        paths["lib/tasks"] = nil
+
+        routes do
+          resource :authorizations, only: [:new], as: :authorization
+
+          root to: "authorizations#new"
+        end
+
+        initializer "decidim_suomifi.verification_workflow", after: :load_config_initializers do
+          next unless Decidim::Suomifi.configured?
+
+          # We cannot use the name `:suomifi` for the verification workflow
+          # because otherwise the route namespace (decidim_suomifi) would
+          # conflict with the main engine controlling the authentication flows.
+          # The main problem that this would bring is that the root path for
+          # this engine would not be found.
+          Decidim::Verifications.register_workflow(:suomifi_eid) do |workflow|
+            workflow.engine = Decidim::Suomifi::Verification::Engine
+
+            Decidim::Suomifi::Verification::Manager.configure_workflow(workflow)
+          end
+        end
+
+        def load_seed
+          # Enable the `:suomifi_eid` authorization
+          org = Decidim::Organization.first
+          org.available_authorizations << :suomifi_eid
+          org.save!
+        end
+      end
+    end
+  end
+end

data/lib/decidim/suomifi/verification/manager.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Suomifi
+    module Verification
+      class Manager
+        def self.configure_workflow(workflow)
+          Decidim::Suomifi.workflow_configurator.call(workflow)
+        end
+
+        def self.metadata_collector_for(saml_attributes)
+          Decidim::Suomifi.metadata_collector_class.new(saml_attributes)
+        end
+      end
+    end
+  end
+end

data/lib/decidim/suomifi/verification/metadata_collector.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Suomifi
+    module Verification
+      class MetadataCollector
+        def initialize(saml_attributes)
+          @saml_attributes = saml_attributes
+        end
+
+        def metadata
+          hetu = Henkilotunnus::Hetu.new(
+            saml_attributes[:national_identification_number]
+          )
+          # In case the HETU was not sent by Suomi.fi, it will be empty and
+          # therefore invalid and will not have the gender information. With
+          # empty HETU, `Henkilotunnus::Hetu` would otherwise report "female" as
+          # the gender which would not be correct.
+          gender = nil
+          date_of_birth = nil
+
+          # Note that we cannot call hetu.valid? because it will also call
+          # `:valid_person_number?`. This checks that the HETU is in range
+          # 002-899 which are the actual HETU codes stored in the population
+          # register system. The numbers above 899 are temporary codes, e.g. in
+          # situations when a person does not yet have a HETU. Temporary codes
+          # may be returned by the Suomi.fi endpoint e.g. in the testing mode.
+          # Regarding the information needs here, it does not matter whether the
+          # HETU is temporary or permanent.
+          valid_hetu = hetu.send(:valid_format?) && hetu.send(:valid_checksum?)
+          if valid_hetu
+            gender = hetu.male? ? "m" : "f"
+            # `.to_s` returns an ISO 8601 formatted string (YYYY-MM-DD for dates)
+            date_of_birth = hetu.date_of_birth.to_s
+          elsif saml_attributes[:eidas_date_of_birth]
+            # xsd:date (YYYY-MM_DD)
+            date_of_birth = saml_attributes[:eidas_date_of_birth]
+          end
+
+          postal_code_permanent = true
+          postal_code = saml_attributes[:permanent_domestic_address_postal_code]
+          unless postal_code
+            postal_code_permanent = false
+            postal_code = saml_attributes[:temporary_domestic_address_postal_code]
+          end
+
+          first_name = saml_attributes[:first_names]
+          last_name = saml_attributes[:last_name]
+          given_name = saml_attributes[:given_name]
+
+          eidas = false
+          if saml_attributes[:eidas_person_identifier]
+            eidas = true
+            first_name = saml_attributes[:eidas_first_names]
+            last_name = saml_attributes[:eidas_family_name]
+          end
+
+          {
+            eidas: eidas,
+            gender: gender,
+            date_of_birth: date_of_birth,
+            pin_digest: person_identifier_digest,
+            # The first name will contain all first names of the person
+            first_name: first_name,
+            # The given name is the primary first name of the person, also known
+            # as "calling name" (kutsumanimi).
+            given_name: given_name,
+            last_name: last_name,
+            # The municipality number, see:
+            # http://tilastokeskus.fi/meta/luokitukset/kunta/001-2017/index.html
+            municipality: saml_attributes[:home_municipality_number],
+            municipality_name: saml_attributes[:home_municipality_name_fi],
+            postal_code: postal_code,
+            permanent_address: postal_code_permanent
+          }
+        end
+
+        # Digested format of the person's identifier unique to the person. The
+        # digested format is used because the undigested format may hold
+        # personal sensitive information about the user and may require special
+        # care regarding the privacy policy. These will still be unique hashes
+        # bound to the person's identification number.
+        def person_identifier_digest
+          @person_identifier_digest ||= begin
+            prefix = nil
+            pin = nil
+
+            if saml_attributes[:national_identification_number]
+              prefix = "FI"
+              pin = saml_attributes[:national_identification_number]
+            elsif saml_attributes[:eidas_person_identifier]
+              prefix = "EIDAS"
+              pin = saml_attributes[:eidas_person_identifier]
+            end
+
+            if prefix && pin
+              Digest::MD5.hexdigest(
+                "#{prefix}:#{pin}:#{Rails.application.secrets.secret_key_base}"
+              )
+            end
+          end
+        end
+
+        protected
+
+        attr_reader :saml_attributes
+      end
+    end
+  end
+end

data/lib/decidim/suomifi/version.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Suomifi
+    VERSION = "0.18.0"
+    DECIDIM_VERSION = "~> 0.18.0"
+  end
+end

data/lib/generators/decidim/suomifi/install_generator.rb

@@ -0,0 +1,135 @@
+# frozen_string_literal: true
+
+require "rails/generators/base"
+
+module Decidim
+  module Suomifi
+    module Generators
+      class InstallGenerator < Rails::Generators::Base
+        source_root File.expand_path("../../templates", __dir__)
+
+        desc "Creates a Devise initializer and copy locale files to your application."
+
+        class_option(
+          :dummy_cert,
+          desc: "Defines whether to create a dummy certificate for localhost.",
+          type: :boolean,
+          default: false
+        )
+
+        class_option(
+          :test_initializer,
+          desc: "Copies the test initializer instead of the actual one (for test dummy app).",
+          type: :boolean,
+          default: false,
+          hide: true
+        )
+
+        def copy_initializer
+          if options[:test_initializer]
+            copy_file "suomifi_initializer_test.rb", "config/initializers/suomifi.rb"
+          else
+            copy_file "suomifi_initializer.rb", "config/initializers/suomifi.rb"
+          end
+        end
+
+        def copy_dummy_certificate
+          if options[:dummy_cert]
+            empty_directory "config/cert"
+            copy_file "suomifi_localhost.crt", "config/cert/suomifi.crt"
+            copy_file "suomifi_localhost.key", "config/cert/suomifi.key"
+          end
+        end
+
+        def enable_authentication
+          secrets_path = Rails.application.root.join("config", "secrets.yml")
+          secrets = YAML.safe_load(File.read(secrets_path), [], [], true)
+
+          if secrets["default"]["omniauth"]["suomifi"]
+            say_status :identical, "config/secrets.yml", :blue
+          else
+            mod = SecretsModifier.new(secrets_path)
+            final = mod.modify
+
+            target_path = Rails.application.root.join("config", "secrets.yml")
+            File.open(target_path, "w") { |f| f.puts final }
+
+            say_status :insert, "config/secrets.yml", :green
+          end
+        end
+
+        class SecretsModifier
+          def initialize(filepath)
+            @filepath = filepath
+          end
+
+          def modify
+            self.inside_config = false
+            self.inside_omniauth = false
+            self.config_branch = nil
+            @final = ""
+
+            @empty_line_count = 0
+            File.readlines(filepath).each do |line|
+              if line =~ /^$/
+                @empty_line_count += 1
+                next
+              else
+                handle_line line
+                insert_empty_lines
+              end
+
+              @final += line
+            end
+            insert_empty_lines
+
+            @final
+          end
+
+          private
+
+          attr_accessor :filepath, :empty_line_count, :inside_config, :inside_omniauth, :config_branch
+
+          def handle_line(line)
+            if inside_config && line =~ /^  omniauth:/
+              self.inside_omniauth = true
+            elsif inside_omniauth && line =~ /^(  )?[a-z]+/
+              inject_suomifi_config
+              self.inside_omniauth = false
+            end
+
+            return unless line =~ /^[a-z]+/
+
+            # A new root configuration block starts
+            self.inside_config = false
+            self.inside_omniauth = false
+
+            if line =~ /^default:/
+              self.inside_config = true
+              self.config_branch = :default
+            elsif line =~ /^development:/
+              self.inside_config = true
+              self.config_branch = :development
+            end
+          end
+
+          def insert_empty_lines
+            @final += "\n" * empty_line_count
+            @empty_line_count = 0
+          end
+
+          def inject_suomifi_config
+            @final += "    suomifi:\n"
+            if config_branch == :development
+              @final += "      enabled: true\n"
+              @final += "      mode: test\n"
+            else
+              @final += "      enabled: false\n"
+            end
+            @final += "      icon: globe\n"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/generators/templates/suomifi_initializer.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+cert_path = Rails.application.root.join("config", "cert")
+
+Decidim::Suomifi.configure do |config|
+  config.scope_of_data = :medium_extensive
+  # Define the service provider entity ID included in the Suomi.fi metadata:
+  # config.sp_entity_id = "https://www.example.org/users/auth/suomifi/metadata"
+  # Or define it in your application configuration and apply it here:
+  # config.sp_entity_id = Rails.application.config.suomifi_entity_id
+  config.certificate_file = "#{cert_path}/suomifi.crt"
+  config.private_key_file = "#{cert_path}/suomifi.key"
+  # Enable automatically assigned emails
+  config.auto_email_domain = "example.org"
+end

data/lib/generators/templates/suomifi_initializer_test.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+Decidim::Suomifi::Test::Runtime.initialize

data/lib/generators/templates/suomifi_localhost.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDeTCCAmGgAwIBAgIUP/YcljlSpKAPYLzhUXy7HpqBvvkwDQYJKoZIhvcNAQEL
+BQAwTDELMAkGA1UEBhMCRkkxEDAOBgNVBAgMB1V1c2ltYWExFzAVBgNVBAoMDk1h
+aW5pbyBUZWNoIE95MRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMTkwNzI0MTQ1MTUw
+WhcNMjkwNzIxMTQ1MTUwWjBMMQswCQYDVQQGEwJGSTEQMA4GA1UECAwHVXVzaW1h
+YTEXMBUGA1UECgwOTWFpbmlvIFRlY2ggT3kxEjAQBgNVBAMMCWxvY2FsaG9zdDCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMNWfaZe5zwFCEqDBD2AEdFA
+wdg0FV4N3OxtQrk9hgqbDpNSvWI6wIq4lIDIrlI4hM2VQzWtJRy4UcfecLnz5q1J
+7SZ/uzTKkcqbSvCVfMeh5Yr9kjT9FYA9m7lxuiA1/AnX6Ho+8Hm8k/ggpOPCvDs/
+uO6e0SROqc0+eiy6It9YfZrrdU1YpOVkO0DNz6ndXMlFW1HZWaU/uSb0qKQoNlvD
+OZgXX0zwHgGn++Q6cGilIHUm+4OG6miItyoR7jxwupwbklAyq3QD1vgViERdVz/L
+qZyUK4+3QjJSY8iPvW87nram+Tn97qD9Tg4xrU9xclo1CsZAYrR1RYNurV0MN2UC
+AwEAAaNTMFEwHQYDVR0OBBYEFMAzak2Fbdc2zH/c8bQTi8OarjqtMB8GA1UdIwQY
+MBaAFMAzak2Fbdc2zH/c8bQTi8OarjqtMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBALh7yn9oklviyBomSJJU8voS7wSeuVVNbCKkX7SeJvPpjcZA
+S2B9QjRYYY1l7Cknwop6790fmHgDTpi4Wr+kirMv1wS+X8v5CQtVJ3uj1ZVfGrop
+pjzJNmYkkrTKr9n8JP+qYJO1PGXLjlIMqQCcujdNXvMGqHpzZiLf4jn3vLEGlkN7
+8N96dlRYrWd7CVnEB+VuZFlDuXXcVjVvhNBy2+YJxOy2ketpiz2WM6afz0q5jiV8
+EYgoBLpreJGtVGyIRNmMm41weandbReztyCIMzVZL/5GsgXHvsk1Z0JSQQMVgSl5
+GDV2YgWcKHPCqLAfiRiNxMEijiNrM1dfzTzZzBQ=
+-----END CERTIFICATE-----

data/lib/generators/templates/suomifi_localhost.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDDVn2mXuc8BQhK
+gwQ9gBHRQMHYNBVeDdzsbUK5PYYKmw6TUr1iOsCKuJSAyK5SOITNlUM1rSUcuFHH
+3nC58+atSe0mf7s0ypHKm0rwlXzHoeWK/ZI0/RWAPZu5cbogNfwJ1+h6PvB5vJP4
+IKTjwrw7P7juntEkTqnNPnosuiLfWH2a63VNWKTlZDtAzc+p3VzJRVtR2VmlP7km
+9KikKDZbwzmYF19M8B4Bp/vkOnBopSB1JvuDhupoiLcqEe48cLqcG5JQMqt0A9b4
+FYhEXVc/y6mclCuPt0IyUmPIj71vO562pvk5/e6g/U4OMa1PcXJaNQrGQGK0dUWD
+bq1dDDdlAgMBAAECggEBAKCKJv5jJRw47pV+lC+PYBVgaXAtbho8voM5UQs5Oz7g
+LNx7tdZTfwcDqFknlc1RUiQ8Nl6ZDNVLzzq64F6Ty9RD27o2ZD+A9M1VUAPmeAUC
+U8sll9Ig5ljdSWzhwRzUAW59mj1OGQmUKPBWs+3UkCsJtg23TR/P3tImNPcpi5uO
+hhuRvMVK+6NjRsU/sCoYOMdBxWLhoAALmoQx1PwETS4KSDH78eFMdhoozgWHprDv
+9NrmoNRCz+YkAID5lW8u2PzM1kUTF54hP3qn5cBD/1OkOqTFy0c7ZznAX0eL2lea
+Ayl7RjKittIjtePzxO5Qlq8CZbtVb8hrv9J5bOUBlUECgYEA/l3jfSz1TxJ/vYzz
+ycjGWZOF6+B9dFmDfn1RWFfpmauA68Og38tc/IrfS/8X6qtG1Nt2rDKuH6fho2RA
+ft6PQyFqxF/bd/N0WY9FI8wmrY6BwNSEYoXhw1ib8FjFPmZxFi9AYC0dU+fL9hUw
+QReYpIwUYh69fDBEKoTHS5Pu470CgYEAxJeTCX+IUVq06fOpZ1o9OLrdMeFcVpjD
+L0kClZ1Z6p1/Rd9RXBJ9FvUJClJnwH37EzVAzvITc40yx9EjmdqYW2Qw+agDpGMP
+WpmIufuVoxGYBFMQAPJNztOXx8gkTDzymLXL37d2sZI8TbyPWWfkL+WtgJkpXDog
+A04neavriMkCgYEAoD35f/QAnc2jl3/iXK4U9n1PEqeboN57TgYYZrULPnmif+P/
+xrxQWfAKd8+9+2Hm/1U6T4Sl2N9j8BDJ6KLAUaQNpKRWmBxQodL11XVYsGFkMFwx
+Afghn3SE2Ea0C3lxqG4f+fax0Rfnj6ENgxQgXxi4BpAjAsdNShPXkS8igWkCgYEA
+gzgpDM3zT1ocJ4xcJoA1HQidXA3wdFzC62zwLK06tz8pFJpa0/oDRK+JuToHxpRQ
+YiHJgFhUY2x72KPf/3HJADd/+SQMSk1UkkSo3nrvBklYDoriw7738HWLee49TCXi
+R8wQqOLsdtoFJl4V0LdnuBC2HoAc+1JQy+P+tVfrfwECgYA4fBLCEA8I7A26NA03
+K11RoLiwG+lH02kpFEXTka7x7yA24sivdZN0lJ2AI6iSWNygAFRmIgTiXJj628aS
+oETUX+hlMJTirgpDSeWpMGaaexKoXrBQsp2JKmnNy6uRF0lTyZLphloPqFoCVdyp
+Hy3GU3LWvG/TkY+yh3Uqn3OvVQ==
+-----END PRIVATE KEY-----

metadata

@@ -0,0 +1,137 @@
+--- !ruby/object:Gem::Specification
+name: decidim-suomifi
+version: !ruby/object:Gem::Version
+  version: 0.18.0
+platform: ruby
+authors:
+- Antti Hukkanen
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-10-08 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: decidim-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.18.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.18.0
+- !ruby/object:Gem::Dependency
+  name: henkilotunnus
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.1.0
+- !ruby/object:Gem::Dependency
+  name: omniauth-suomifi
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.0
+- !ruby/object:Gem::Dependency
+  name: decidim-dev
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.18.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.18.0
+- !ruby/object:Gem::Dependency
+  name: xmlenc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.7.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.7.1
+description: Adds Suomi.fi authentication provider to Decidim.
+email:
+- antti.hukkanen@mainiotech.fi
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE-AGPLv3.txt
+- README.md
+- Rakefile
+- app/controllers/decidim/suomifi/omniauth_callbacks_controller.rb
+- app/controllers/decidim/suomifi/verification/authorizations_controller.rb
+- config/locales/en.yml
+- config/locales/fi.yml
+- config/locales/sv.yml
+- lib/decidim/suomifi.rb
+- lib/decidim/suomifi/engine.rb
+- lib/decidim/suomifi/mail_interceptors.rb
+- lib/decidim/suomifi/mail_interceptors/generated_recipients_interceptor.rb
+- lib/decidim/suomifi/test/cert_store.rb
+- lib/decidim/suomifi/test/runtime.rb
+- lib/decidim/suomifi/verification.rb
+- lib/decidim/suomifi/verification/engine.rb
+- lib/decidim/suomifi/verification/manager.rb
+- lib/decidim/suomifi/verification/metadata_collector.rb
+- lib/decidim/suomifi/version.rb
+- lib/generators/decidim/suomifi/install_generator.rb
+- lib/generators/templates/suomifi_initializer.rb
+- lib/generators/templates/suomifi_initializer_test.rb
+- lib/generators/templates/suomifi_localhost.crt
+- lib/generators/templates/suomifi_localhost.key
+homepage: https://github.com/mainio/decidim-module-suomifi
+licenses:
+- AGPL-3.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: Provides possibility to bind Suomi.fi authentication provider to Decidim.
+test_files: []