omniauth-ruesia 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 1a44cd7dc2ba7c42cfdb0b16d35871d0ff0109c7927b5fae0338d56cc6b63b94
+  data.tar.gz: 15f919a487dd76234cfac35183beb550d5d0a3fb0b518acf07eab19cda184789
+SHA512:
+  metadata.gz: 3128af25f1519daea6baf38697e6ee22ae1381b551426672270cd1a587c3a223ac60a0e63a20d5af4e0c75d06b61160e598e107c8870705238d12244b745a2f3
+  data.tar.gz: 216ebba99f9eca7cee7d828a69da9cb23b87d52757c7bb890a42075bc5a5ff25e745de684474c627dab86e1fb50be67ddc7d9d70990ea5a07265fbb770df3743

data/README.md

@@ -0,0 +1,59 @@
+# Ruesia
+`OmniAuth::Strategies::Ruesia` is a simple Rack middleware for authorization in the russian Unified identification and authentication system(ЕСИА). Read the OmniAuth docs for detailed instructions: https://github.com/intridea/omniauth. The `…/v2/ac` resource is used as a technical solution for gathering authentication code and `…/v3/te` for JWT. In order to write `client_secret`, you need to send an http post request to any system that can work with data-hash signing algorithms using mechanisms of certified Russian
+cryptographic means of information protection and a certificate
+of the information system and return json response with signature
+```
+Request:
+POST /api/sign { test: 'any string' }
+
+Response:
+{ signature: 'base64urlsafe signature' }
+```
+
+## Installation
+Add this line to your application's Gemfile:
+
+```ruby
+gem "ruesia"
+```
+
+And then execute:
+```bash
+$ bundle
+```
+
+Or install it yourself as:
+```bash
+$ gem install ruesia
+```
+## Usage
+Here's a quick example, adding the middleware to a Rails app in config/initializers/ruesia.rb:
+```
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :ruesia, 'MY_SYSTEM',
+    scope: 'fullname email mobile id_doc'
+    cert_fingerprint: 'cert hex fingerprint'
+    csp_server_url: 'http://192.168.1.195:8080/api/sign'
+    client_options:
+      site: 'https://esia-portal1.test.gosuslugi.ru'
+end
+```
+
+## Configuration
+Guidelines for the use of the Unified Identification and Authentication System:
+https://digital.gov.ru/ru/documents/6186/
+|option  |comment  | 
+|---|---|
+|scope   |requested access rights - paragraph B4 Table 95  |
+|cert_fingerprint| parameter containing the hash of the certificate (`fingerprint`) of the client system in hex format. To generate it, use http://esia.gosuslugi.ru/public/calc_cert_hash_unix.zip|
+|csp_server_url| url for cms server. We use Faradat to `post` request for `/api/sign`|
+
+Add callback request to routes
+```
+get 'auth/:provider/callback', to: 'api/client/esia#create'
+```
+## Contributing
+Contribution directions go here.
+
+## License
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,3 @@
+require 'bundler/gem_tasks'
+
+task :default => :spec

data/lib/oauth2/esia_client.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module OAuth2
+  class EsiaClient < OAuth2::Client
+    def auth_code
+      @auth_code ||= OAuth2::Strategy::EsiaAuthCode.new(self)
+    end
+  end
+end

data/lib/oauth2/strategy/esia_auth_code.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module OAuth2
+  module Strategy
+    class EsiaAuthCode < AuthCode
+      def assert_valid_params(_params); end
+    end
+  end
+end

data/lib/omniauth/strategies/ruesia.rb

@@ -0,0 +1,149 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module Strategies
+    class Ruesia < OmniAuth::Strategies::OAuth2
+      option :name, 'ruesia'
+      option :client_options, {
+        site:          'https://esia.gosuslugi.ru',
+        authorize_url: 'aas/oauth2/v2/ac',
+        token_url:     'aas/oauth2/v3/te',
+      }
+      uid { JWT.decode(access_token.token, nil, false).first['urn:esia:sbj_id'] }
+
+      info do
+        {
+          first_name:   raw_info['firstName'],
+          last_name:    raw_info['lastName'],
+          middle_name:  raw_info['middleName'],
+          truster:      raw_info['trusted'],
+          verifying:    raw_info['verifying'],
+          r_id_doc:     raw_info['r_id_doc'],
+        }
+      end
+
+      extra do
+        scopes = options.scope.split
+        extra_ = {}
+        extra_ = extra_.merge(get_email) if scopes.include?('email')
+        extra_ = extra_.merge(get_passport) if scopes.include?('id_doc')
+        extra_ = extra_.merge(get_mobile) if scopes.include?('mobile')
+        extra_
+      end
+
+      def raw_info
+        @raw_info ||= access_token.get("/rs/prns/#{uid}")&.parsed
+      end
+
+      private
+
+      def state
+        @state ||= SecureRandom.uuid
+      end
+
+      def authorize_params # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+        options.authorize_params[:state] = state
+
+        if OmniAuth.config.test_mode
+          @env ||= {}
+          @env["rack.session"] ||= {}
+        end
+
+        params = options.authorize_params
+                        .merge(options_for("authorize"))
+                        .merge(pkce_authorize_params)
+
+        session["omniauth.pkce.verifier"] = options.pkce_verifier if options.pkce
+        session["omniauth.state"] = params[:state]
+
+        params
+      end
+
+      def request_phase
+        redirect client.auth_code.authorize_url(
+          authorize_params.merge(
+            redirect_uri: callback_url,
+            timestamp: timestamp,
+            client_certificate_hash: fingerprint,
+            client_secret: sign(client_secret_base)
+          )
+        )
+      end
+
+      def client
+        ::OAuth2::EsiaClient.new(
+          options.client_id,
+          '',
+          deep_symbolize(options.client_options)
+        )
+      end
+
+      def client_secret_base
+        base_secret = [options.client_id, options.scope, timestamp, state, callback_url]
+        yield base_secret if block_given?
+
+        base_secret.join
+      end
+
+      def timestamp
+        @timestamp ||= Time.current.strftime('%Y.%m.%d %H:%M:%S %z')
+      end
+
+      def fingerprint
+        options.cert_fingerprint
+      end
+
+      def sign(secret)
+        secret_base64 = Base64.urlsafe_encode64(secret)
+        response = Faraday.post(options.csp_server_url, { text: secret_base64 })
+        JSON.parse(response.body)['signature']
+      end
+
+      def build_access_token
+        code = request.params['code']
+        client.auth_code.get_token(code,
+          {
+            state: state,
+            scope: options.scope,
+            timestamp: timestamp,
+            redirect_uri: callback_url,
+            token_type: 'Bearer',
+            client_secret: sign(client_secret_base { |secret| secret << code }),
+            client_id: options.client_id,
+            client_certificate_hash: fingerprint
+          }
+        )
+      end
+    
+      def get_email
+        {
+          email: ctts.find { |e| e['type'] == 'EML' }.fetch('value')
+        }
+      end
+
+      def get_passport
+        {
+          passport: access_token
+                      .get("/rs/prns/#{uid}/docs?embed=(elements)")
+                      .parsed.fetch('elements', {})
+                      .find { |e| e['type'] == 'RF_PASSPORT' }
+                      .to_h
+        }
+      end
+
+      def get_mobile
+        {
+          mobile: ctts
+                  .find { |e| e['type'] == 'MBT' }
+                  .fetch('value')
+        }
+      end
+
+      def ctts
+        @ctts ||= access_token
+          .get("/rs/prns/#{uid}/ctts?embed=(elements)")
+          .parsed.fetch('elements', {})
+      end
+    end
+  end
+end

data/lib/omniauth-ruesia.rb

@@ -0,0 +1,5 @@
+require 'omniauth'
+require 'omniauth-oauth2'
+require 'oauth2/strategy/esia_auth_code'
+require 'oauth2/esia_client'
+require 'omniauth/strategies/ruesia'

metadata

@@ -0,0 +1,109 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-ruesia
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- ''
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2024-07-05 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: omniauth-rails_csrf_protection
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Description of Ruesia.
+email:
+- ''
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- Rakefile
+- lib/oauth2/esia_client.rb
+- lib/oauth2/strategy/esia_auth_code.rb
+- lib/omniauth-ruesia.rb
+- lib/omniauth/strategies/ruesia.rb
+homepage: https://github.com/vysogota0399/omniauth-ruesia
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org
+  homepage_uri: https://github.com/vysogota0399/omniauth-ruesia
+  source_code_uri: https://github.com/vysogota0399/omniauth-ruesia
+  changelog_uri: https://github.com/vysogota0399/omniauth-ruesia/blob/main/CHANGELOG.md
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.4.19
+signing_key:
+specification_version: 4
+summary: Summary of Ruesia.
+test_files: []