smart-id-ruby-client 0.1.0

data/lib/smart_id_ruby/flows/device_link_signature_session_request_builder.rb

@@ -0,0 +1,286 @@
+# frozen_string_literal: true
+
+require "base64"
+require "openssl"
+
+module SmartIdRuby
+  module Flows
+    # Builds device link signature session requests.
+    class DeviceLinkSignatureSessionRequestBuilder < BaseBuilder
+      INITIAL_CALLBACK_URL_PATTERN = %r{\Ahttps://[^|]+\z}
+      NONCE_MAX_LENGTH = 30
+      DEFAULT_HASH_ALGORITHM = "SHA-512"
+
+      attr_reader :device_link_signature_session_request
+
+      def initialize(connector)
+        super(connector)
+        @document_number = nil
+        @semantics_identifier = nil
+        @certificate_level = nil
+        @nonce = nil
+        @capabilities = nil
+        @interactions = nil
+        @share_md_client_ip_address = nil
+        @signature_algorithm = "rsassa-pss"
+        @initial_callback_url = nil
+        @digest_input = nil
+      end
+
+      def with_document_number(document_number)
+        @document_number = document_number
+        self
+      end
+
+      def with_semantics_identifier(semantics_identifier)
+        @semantics_identifier = semantics_identifier
+        self
+      end
+
+      def with_certificate_level(certificate_level)
+        @certificate_level = certificate_level
+        self
+      end
+
+      def with_nonce(nonce)
+        @nonce = nonce
+        self
+      end
+
+      def with_capabilities(*capabilities)
+        @capabilities = normalize_capabilities(capabilities)
+        self
+      end
+
+      def with_interactions(interactions)
+        @interactions = interactions
+        self
+      end
+
+      def with_share_md_client_ip_address(share_md_client_ip_address)
+        @share_md_client_ip_address = share_md_client_ip_address
+        self
+      end
+
+      def with_signature_algorithm(signature_algorithm)
+        @signature_algorithm = signature_algorithm
+        self
+      end
+
+      def with_signable_data(signable_data)
+        if digest_input_kind == :signable_hash
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'digestInput' has already been set with SignableHash."
+        end
+
+        @digest_input = build_signable_data_digest_input(signable_data)
+        self
+      end
+
+      def with_signable_hash(signable_hash)
+        if digest_input_kind == :signable_data
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'digestInput' has already been set with SignableData."
+        end
+
+        @digest_input = build_signable_hash_digest_input(signable_hash)
+        self
+      end
+
+      def with_initial_callback_url(initial_callback_url)
+        @initial_callback_url = initial_callback_url
+        self
+      end
+
+      def init_signature_session
+        validate_request_parameters
+        request = create_signature_session_request
+        response = init_session(request)
+        validate_response_parameters(response)
+        @device_link_signature_session_request = request
+        SmartIdRuby::Models::DeviceLinkSessionResponse.from_h(response)
+      end
+
+      def signature_session_request
+        if device_link_signature_session_request.nil?
+          raise SmartIdRuby::Errors::RequestSetupError, "Signature session has not been initiated yet"
+        end
+
+        device_link_signature_session_request
+      end
+
+      private
+
+      def init_session(request)
+        if @semantics_identifier && @document_number
+          raise SmartIdRuby::Errors::RequestSetupError, "Only one of 'semanticsIdentifier' or 'documentNumber' may be set"
+        end
+
+        if !blank?(@document_number)
+          connector.init_device_link_signature_with_document(request, @document_number)
+        elsif @semantics_identifier
+          connector.init_device_link_signature(request, @semantics_identifier)
+        else
+          raise SmartIdRuby::Errors::RequestSetupError,
+                "Either 'documentNumber' or 'semanticsIdentifier' must be set. Anonymous signing is not allowed"
+        end
+      end
+
+      def create_signature_session_request
+        {
+          relyingPartyUUID: relying_party_uuid,
+          relyingPartyName: relying_party_name,
+          certificateLevel: @certificate_level&.to_s,
+          signatureProtocol: "RAW_DIGEST_SIGNATURE",
+          signatureProtocolParameters: {
+            digest: @digest_input[:digest],
+            signatureAlgorithm: @signature_algorithm.to_s,
+            signatureAlgorithmParameters: {
+              hashAlgorithm: @digest_input[:hash_algorithm].to_s
+            }
+          },
+          nonce: @nonce,
+          capabilities: @capabilities,
+          interactions: encode_interactions(@interactions),
+          requestProperties: request_properties,
+          initialCallbackUrl: @initial_callback_url
+        }.compact
+      end
+
+      def validate_request_parameters
+        if blank?(relying_party_uuid)
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'relyingPartyUUID' cannot be empty"
+        end
+        if blank?(relying_party_name)
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'relyingPartyName' cannot be empty"
+        end
+        if @signature_algorithm.nil?
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'signatureAlgorithm' must be set"
+        end
+        if @digest_input.nil?
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'digestInput' must be set with either SignableData or SignableHash"
+        end
+
+        validate_interactions
+        validate_initial_callback_url
+        validate_nonce
+      end
+
+      def validate_interactions
+        normalized_interactions = normalize_interactions(@interactions)
+        if normalized_interactions.empty?
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'interactions' cannot be empty"
+        end
+
+        interaction_types = normalized_interactions.map { |interaction| interaction[:type] }
+        if interaction_types.uniq.length != interaction_types.length
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'interactions' cannot contain duplicate types"
+        end
+      end
+
+      def validate_initial_callback_url
+        return if blank?(@initial_callback_url)
+        return if INITIAL_CALLBACK_URL_PATTERN.match?(@initial_callback_url)
+
+        raise SmartIdRuby::Errors::RequestSetupError,
+              "Value for 'initialCallbackUrl' must match pattern ^https://[^|]+$ and must not contain unencoded vertical bars"
+      end
+
+      def validate_nonce
+        return if @nonce.nil?
+        return if @nonce.length.between?(1, NONCE_MAX_LENGTH)
+
+        raise SmartIdRuby::Errors::RequestSetupError, "Value for 'nonce' length must be between 1 and 30 characters."
+      end
+
+      def validate_response_parameters(response)
+        if blank?(fetch_value(response, :sessionID))
+          raise SmartIdRuby::Errors::UnprocessableResponseError,
+                "Device link signature session initialisation response field 'sessionID' is missing or empty"
+        end
+        if blank?(fetch_value(response, :sessionToken))
+          raise SmartIdRuby::Errors::UnprocessableResponseError,
+                "Device link signature session initialisation response field 'sessionToken' is missing or empty"
+        end
+        if blank?(fetch_value(response, :sessionSecret))
+          raise SmartIdRuby::Errors::UnprocessableResponseError,
+                "Device link signature session initialisation response field 'sessionSecret' is missing or empty"
+        end
+        if blank?(fetch_value(response, :deviceLinkBase))
+          raise SmartIdRuby::Errors::UnprocessableResponseError,
+                "Device link signature session initialisation response field 'deviceLinkBase' is missing or empty"
+        end
+      end
+
+      def request_properties
+        request_properties_for_share_md(@share_md_client_ip_address)
+      end
+
+      def build_signable_data_digest_input(signable_data)
+        return nil if signable_data.nil?
+
+        data_to_sign, hash_algorithm = extract_signable_data(signable_data)
+        data = normalize_binary_input(data_to_sign)
+        algorithm_name = normalize_hash_algorithm(hash_algorithm)
+
+        digest = OpenSSL::Digest.new(openssl_algorithm_name(algorithm_name)).digest(data)
+        { kind: :signable_data, digest: Base64.strict_encode64(digest), hash_algorithm: algorithm_name }
+      end
+
+      def build_signable_hash_digest_input(signable_hash)
+        return nil if signable_hash.nil?
+
+        hash_to_sign, hash_algorithm = extract_signable_hash(signable_hash)
+        hash_bytes = normalize_binary_input(hash_to_sign)
+        algorithm_name = normalize_hash_algorithm(hash_algorithm)
+
+        { kind: :signable_hash, digest: Base64.strict_encode64(hash_bytes), hash_algorithm: algorithm_name }
+      end
+
+      def extract_signable_data(input)
+        if input.respond_to?(:to_h)
+          normalized = input.to_h.transform_keys(&:to_sym)
+          [normalized[:data_to_sign] || normalized[:data], normalized[:hash_algorithm]]
+        elsif input.respond_to?(:data_to_sign)
+          [input.data_to_sign, input.respond_to?(:hash_algorithm) ? input.hash_algorithm : nil]
+        else
+          [input, nil]
+        end
+      end
+
+      def extract_signable_hash(input)
+        if input.respond_to?(:to_h)
+          normalized = input.to_h.transform_keys(&:to_sym)
+          [normalized[:hash_to_sign] || normalized[:hash] || normalized[:digest], normalized[:hash_algorithm]]
+        elsif input.respond_to?(:hash_to_sign)
+          [input.hash_to_sign, input.respond_to?(:hash_algorithm) ? input.hash_algorithm : nil]
+        else
+          [input, nil]
+        end
+      end
+
+      def normalize_binary_input(input)
+        data = input.is_a?(String) ? input.dup : input
+        data = data.pack("C*") if data.is_a?(Array) && data.all? { |value| value.is_a?(Integer) && value.between?(0, 255) }
+        if data.nil? || data.to_s.bytesize.zero?
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'digestInput' must be set with either SignableData or SignableHash"
+        end
+
+        data
+      end
+
+      def normalize_hash_algorithm(hash_algorithm)
+        value = hash_algorithm&.to_s
+        return DEFAULT_HASH_ALGORITHM if blank?(value)
+
+        value
+      end
+
+      def openssl_algorithm_name(hash_algorithm)
+        hash_algorithm.to_s.delete("-")
+      end
+
+      def digest_input_kind
+        @digest_input && @digest_input[:kind]
+      end
+    end
+  end
+end

data/lib/smart_id_ruby/flows/linked_notification_signature_session_request_builder.rb

@@ -0,0 +1,235 @@
+# frozen_string_literal: true
+
+require "base64"
+require "openssl"
+
+module SmartIdRuby
+  module Flows
+    # Builds linked notification signature session requests.
+    class LinkedNotificationSignatureSessionRequestBuilder < BaseBuilder
+      NONCE_MAX_LENGTH = 30
+      DEFAULT_HASH_ALGORITHM = "SHA-512"
+
+      def initialize(connector)
+        super(connector)
+        @document_number = nil
+        @digest_input = nil
+        @signature_algorithm = "rsassa-pss"
+        @linked_session_id = nil
+        @interactions = nil
+        @certificate_level = nil
+        @nonce = nil
+        @share_md_client_ip_address = nil
+        @capabilities = nil
+      end
+
+      def with_document_number(document_number)
+        @document_number = document_number
+        self
+      end
+
+      def with_certificate_level(certificate_level)
+        @certificate_level = certificate_level
+        self
+      end
+
+      def with_signable_data(signable_data)
+        if digest_input_kind == :signable_hash
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'digestInput' has been already set with SignableHash"
+        end
+
+        @digest_input = build_signable_data_digest_input(signable_data)
+        self
+      end
+
+      def with_signable_hash(signable_hash)
+        if digest_input_kind == :signable_data
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'digestInput' has been already set with SignableData"
+        end
+
+        @digest_input = build_signable_hash_digest_input(signable_hash)
+        self
+      end
+
+      def with_signature_algorithm(signature_algorithm)
+        @signature_algorithm = signature_algorithm
+        self
+      end
+
+      def with_linked_session_id(linked_session_id)
+        @linked_session_id = linked_session_id
+        self
+      end
+
+      def with_nonce(nonce)
+        @nonce = nonce
+        self
+      end
+
+      def with_interactions(interactions)
+        @interactions = interactions
+        self
+      end
+
+      def with_share_md_client_ip_address(share_md_client_ip_address)
+        @share_md_client_ip_address = share_md_client_ip_address
+        self
+      end
+
+      def with_capabilities(*capabilities)
+        @capabilities = normalize_capabilities(capabilities)
+        self
+      end
+
+      def init_signature_session
+        validate_request_parameters
+        request = create_session_request
+        response = connector.init_linked_notification_signature(request, @document_number)
+        validate_response(response)
+        response
+      end
+
+      private
+
+      def validate_request_parameters
+        if blank?(relying_party_uuid)
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'relyingPartyUUID' cannot be empty"
+        end
+        if blank?(relying_party_name)
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'relyingPartyName' cannot be empty"
+        end
+        if blank?(@document_number)
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'documentNumber' cannot be empty"
+        end
+        if @digest_input.nil?
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'digestInput' must be set with SignableData or with SignableHash"
+        end
+        if @signature_algorithm.nil?
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'signatureAlgorithm' must be set"
+        end
+        if blank?(@linked_session_id)
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'linkedSessionID' cannot be empty"
+        end
+        if !@nonce.nil? && (@nonce.empty? || @nonce.length > NONCE_MAX_LENGTH)
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'nonce' must be 1-30 characters long"
+        end
+
+        validate_interactions
+      end
+
+      def validate_interactions
+        normalized_interactions = normalize_interactions(@interactions)
+        if normalized_interactions.empty?
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'interactions' cannot be empty"
+        end
+
+        interaction_types = normalized_interactions.map { |interaction| interaction[:type] }
+        if interaction_types.uniq.length != interaction_types.length
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'interactions' cannot contain duplicate types"
+        end
+      end
+
+      def create_session_request
+        {
+          relyingPartyUUID: relying_party_uuid,
+          relyingPartyName: relying_party_name,
+          certificateLevel: @certificate_level&.to_s,
+          signatureProtocol: "RAW_DIGEST_SIGNATURE",
+          signatureProtocolParameters: {
+            digest: @digest_input[:digest],
+            signatureAlgorithm: @signature_algorithm.to_s,
+            signatureAlgorithmParameters: {
+              hashAlgorithm: @digest_input[:hash_algorithm].to_s
+            }
+          },
+          linkedSessionID: @linked_session_id,
+          nonce: @nonce,
+          interactions: encode_interactions(@interactions),
+          requestProperties: request_properties,
+          capabilities: @capabilities
+        }.compact
+      end
+
+      def request_properties
+        request_properties_for_share_md(@share_md_client_ip_address)
+      end
+
+      def validate_response(response)
+        return unless blank?(fetch_value(response, :sessionID))
+
+        raise SmartIdRuby::Errors::UnprocessableResponseError,
+              "Linked notification-base signature session response field 'sessionID' is missing or empty"
+      end
+
+      def build_signable_data_digest_input(signable_data)
+        return nil if signable_data.nil?
+
+        data_to_sign, hash_algorithm = extract_signable_data(signable_data)
+        data = normalize_binary_input(data_to_sign)
+        algorithm_name = normalize_hash_algorithm(hash_algorithm)
+        digest = OpenSSL::Digest.new(openssl_algorithm_name(algorithm_name)).digest(data)
+        { kind: :signable_data, digest: Base64.strict_encode64(digest), hash_algorithm: algorithm_name }
+      end
+
+      def build_signable_hash_digest_input(signable_hash)
+        return nil if signable_hash.nil?
+
+        hash_to_sign, hash_algorithm = extract_signable_hash(signable_hash)
+        hash_bytes = normalize_binary_input(hash_to_sign)
+        algorithm_name = normalize_hash_algorithm(hash_algorithm)
+        { kind: :signable_hash, digest: Base64.strict_encode64(hash_bytes), hash_algorithm: algorithm_name }
+      end
+
+      def extract_signable_data(input)
+        if input.respond_to?(:to_h)
+          normalized = input.to_h.transform_keys(&:to_sym)
+          [normalized[:data_to_sign] || normalized[:data], normalized[:hash_algorithm]]
+        elsif input.respond_to?(:data_to_sign)
+          [input.data_to_sign, input.respond_to?(:hash_algorithm) ? input.hash_algorithm : nil]
+        else
+          [input, nil]
+        end
+      end
+
+      def extract_signable_hash(input)
+        if input.respond_to?(:to_h)
+          normalized = input.to_h.transform_keys(&:to_sym)
+          [normalized[:hash_to_sign] || normalized[:hash] || normalized[:digest], normalized[:hash_algorithm]]
+        elsif input.respond_to?(:hash_to_sign)
+          [input.hash_to_sign, input.respond_to?(:hash_algorithm) ? input.hash_algorithm : nil]
+        else
+          [input, nil]
+        end
+      end
+
+      def normalize_binary_input(input)
+        data = input.is_a?(String) ? input.dup : input
+        if data.is_a?(Array) && data.all? { |value| value.is_a?(Integer) && value.between?(0, 255) }
+          data = data.pack("C*")
+        end
+
+        if data.nil? || data.to_s.bytesize.zero?
+          raise SmartIdRuby::Errors::RequestSetupError,
+                "Value for 'digestInput' must be set with SignableData or with SignableHash"
+        end
+
+        data
+      end
+
+      def normalize_hash_algorithm(hash_algorithm)
+        value = hash_algorithm&.to_s
+        return DEFAULT_HASH_ALGORITHM if blank?(value)
+
+        value
+      end
+
+      def openssl_algorithm_name(hash_algorithm)
+        hash_algorithm.to_s.delete("-")
+      end
+
+      def digest_input_kind
+        @digest_input && @digest_input[:kind]
+      end
+    end
+  end
+end

data/lib/smart_id_ruby/flows/notification_authentication_session_request_builder.rb

@@ -0,0 +1,184 @@
+# frozen_string_literal: true
+
+require "base64"
+
+module SmartIdRuby
+  module Flows
+    # Builds notification authentication session requests.
+    class NotificationAuthenticationSessionRequestBuilder < BaseBuilder
+      RP_CHALLENGE_MIN_LENGTH = 44
+      RP_CHALLENGE_MAX_LENGTH = 88
+
+      attr_reader :notification_authentication_session_request
+
+      def initialize(connector)
+        super(connector)
+        @certificate_level = nil
+        @signature_algorithm = "rsassa-pss"
+        @hash_algorithm = "SHA3-512"
+        @interactions = nil
+        @share_md_client_ip_address = nil
+        @capabilities = nil
+        @semantics_identifier = nil
+        @document_number = nil
+        @rp_challenge = nil
+      end
+
+      def with_certificate_level(certificate_level)
+        @certificate_level = certificate_level
+        self
+      end
+
+      def with_rp_challenge(rp_challenge)
+        @rp_challenge = rp_challenge
+        self
+      end
+
+      def with_signature_algorithm(signature_algorithm)
+        @signature_algorithm = signature_algorithm
+        self
+      end
+
+      def with_hash_algorithm(hash_algorithm)
+        @hash_algorithm = hash_algorithm
+        self
+      end
+
+      def with_interactions(interactions)
+        @interactions = interactions
+        self
+      end
+
+      def with_share_md_client_ip_address(share_md_client_ip_address)
+        @share_md_client_ip_address = share_md_client_ip_address
+        self
+      end
+
+      def with_capabilities(*capabilities)
+        @capabilities = normalize_capabilities(capabilities)
+        self
+      end
+
+      def with_semantics_identifier(semantics_identifier)
+        @semantics_identifier = semantics_identifier
+        self
+      end
+
+      def with_document_number(document_number)
+        @document_number = document_number
+        self
+      end
+
+      def init_authentication_session
+        validate_request_parameters
+        request = create_authentication_request
+        response = init_session(request)
+        validate_response_parameters(response)
+        @notification_authentication_session_request = request
+        SmartIdRuby::Models::NotificationAuthenticationSessionResponse.from_h(response)
+      end
+
+      def authentication_session_request
+        if notification_authentication_session_request.nil?
+          raise SmartIdRuby::Errors::RequestSetupError, "Notification-based authentication session has not been initialized yet"
+        end
+
+        notification_authentication_session_request
+      end
+
+      private
+
+      def init_session(request)
+        if @semantics_identifier && @document_number
+          raise SmartIdRuby::Errors::RequestSetupError, "Only one of 'semanticsIdentifier' or 'documentNumber' may be set"
+        end
+
+        if @semantics_identifier
+          connector.init_notification_authentication(request, @semantics_identifier)
+        elsif @document_number
+          connector.init_notification_authentication_with_document(request, @document_number)
+        else
+          raise SmartIdRuby::Errors::RequestSetupError, "Either 'documentNumber' or 'semanticsIdentifier' must be set"
+        end
+      end
+
+      def validate_request_parameters
+        if blank?(relying_party_uuid)
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'relyingPartyUUID' cannot be empty"
+        end
+        if blank?(relying_party_name)
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'relyingPartyName' cannot be empty"
+        end
+
+        validate_signature_parameters
+        validate_interactions
+      end
+
+      def validate_signature_parameters
+        if blank?(@rp_challenge)
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'rpChallenge' cannot be empty"
+        end
+
+        begin
+          Base64.strict_decode64(@rp_challenge)
+        rescue ArgumentError
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'rpChallenge' must be Base64-encoded string"
+        end
+
+        unless @rp_challenge.length.between?(RP_CHALLENGE_MIN_LENGTH, RP_CHALLENGE_MAX_LENGTH)
+          raise SmartIdRuby::Errors::RequestSetupError,
+                "Value for 'rpChallenge' must have length between #{RP_CHALLENGE_MIN_LENGTH} and #{RP_CHALLENGE_MAX_LENGTH} characters"
+        end
+        if @signature_algorithm.nil?
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'signatureAlgorithm' must be set"
+        end
+        if @hash_algorithm.nil?
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'hashAlgorithm' must be set"
+        end
+      end
+
+      def validate_interactions
+        normalized_interactions = normalize_interactions(@interactions)
+        if normalized_interactions.empty?
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'interactions' cannot be empty"
+        end
+
+        interaction_types = normalized_interactions.map { |interaction| interaction[:type] }
+        if interaction_types.uniq.length != interaction_types.length
+          raise SmartIdRuby::Errors::RequestSetupError, "Value for 'interactions' cannot contain duplicate types"
+        end
+      end
+
+      def create_authentication_request
+        {
+          relyingPartyUUID: relying_party_uuid,
+          relyingPartyName: relying_party_name,
+          certificateLevel: @certificate_level&.to_s,
+          signatureProtocol: "ACSP_V2",
+          signatureProtocolParameters: {
+            rpChallenge: @rp_challenge,
+            signatureAlgorithm: @signature_algorithm.to_s,
+            signatureAlgorithmParameters: {
+              hashAlgorithm: @hash_algorithm.to_s
+            }
+          },
+          interactions: encode_interactions(@interactions),
+          requestProperties: request_properties,
+          capabilities: @capabilities,
+          vcType: "numeric4"
+        }.compact
+      end
+
+      def request_properties
+        request_properties_for_share_md(@share_md_client_ip_address)
+      end
+
+      def validate_response_parameters(response)
+        return unless blank?(fetch_value(response, :sessionID))
+
+        raise SmartIdRuby::Errors::UnprocessableResponseError,
+              "Notification-based authentication session initialisation response field 'sessionID' is missing or empty"
+      end
+    end
+  end
+end