viisp-auth-custom 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 8548b19a39976bcdaa28d19fe09f0aa2a002aecb19f2415433feb87a460e33f3
+  data.tar.gz: 7b9363bb752a23bcc7a98d9131cbc2ad6454b4fbc7ff1b446dc54e1a68e5d2f5
+SHA512:
+  metadata.gz: c45552e2567a6f1e88d09ae0dac211747dbe9c94d7c5699df90ff325711782f987d77bf34b54e254444a6496d01ef2197262087dcb02c93f59b3b239eb8f06fb
+  data.tar.gz: c4c0d1760ddfc3f71b7d6afc1946cf1547321eac338d6dd9f13e94b293340601f61b86084b0d0d24efc953c7b0b995724929a47c01be23e44f83361186687469

data/.gitignore

@@ -0,0 +1,12 @@
+Gemfile.lock
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.ruby-version

@@ -0,0 +1 @@
+2.7.2

data/.travis.yml

@@ -0,0 +1,6 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.7.2
+  - 3.0.0
+before_install: gem install bundler -v 2.2.15

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,74 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at laurynas.butkus@gmail.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

data/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in viisp-auth-custom.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Laurynas Butkus
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,107 @@
+# VIISP::Auth
+
+[![Gem Version](https://badge.fury.io/rb/viisp-auth.svg)](https://badge.fury.io/rb/viisp-auth)
+[![Build Status](https://travis-ci.org/laurynas/viisp-auth.svg?branch=master)](https://travis-ci.org/laurynas/viisp-auth)
+
+Lithuanian E-Government Gateway "Elektroniniai valdžios vartai" identity service client.
+
+VIISP identity service documentation: https://www.epaslaugos.lt/portal/content/1257
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'viisp-auth'
+```
+
+## Configuration
+
+```ruby
+VIISP::Auth.configure do |c|
+  c.pid = '1234'
+  c.private_key = OpenSSL::PKey::RSA.new(File.read('your-private-key.pem'))
+  c.postback_url = 'https://localhost'
+
+  # optional
+  c.providers = %w[auth.lt.identity.card auth.lt.bank]
+  c.attributes = %w[lt-personal-code lt-company-code] 
+  c.user_information = %w[firstName lastName companyName email]
+
+  # enable test mode
+  # (in test mode there is no need to set pid and private_key)
+  c.test = true
+end
+```
+
+## Usage
+
+Get an authentication ticket:
+
+```ruby
+ticket = VIISP::Auth.ticket
+```
+
+Redirected user to authentication portal with ticket using http POST.
+`VIISP::Auth.portal_endpoint` is a convenience method to get portal URL.
+
+Redirect form for testing: https://jsfiddle.net/kmrzpqwk/
+
+After successful authentication identity data can be fetched once.
+
+```ruby
+identity = VIISP::Auth.identity(
+  ticket: ticket,
+  include_source_data: true,
+)
+```
+
+Identity example:
+
+```ruby
+{
+  "authentication_provider" => "auth.lt.bank",
+  "attributes" => {
+    "lt-personal-code" => "XXXXXXXXXXX"
+  },
+  "user_information" => {
+    "firstName" => "VARDENIS",
+    "lastName" => "PAVARDENIS",
+    "companyName" => nil
+  },
+  "custom_data" => "correlation-123",
+  "source_data" => {
+    "type" => "BANKLINK",
+    "parameters" => {
+      "VK_USER" => "12345678900",
+      "VK_TIME" => "08:57:29"
+    }
+  }
+}
+```
+
+### Ticket arguments
+
+You can pass `custom_data` and override some configuration attributes when requesting ticket.
+
+```ruby
+ticket = VIISP::Auth.ticket(
+  custom_data: 'custom data',
+  postback_url: 'https://localhost',
+  providers: %w[auth.lt.identity.card auth.lt.bank],
+  attributes: %w[lt-personal-code lt-company-code],
+  user_information: %w[firstName lastName companyName email],
+)
+```
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/laurynas/viisp-auth. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+
+## Code of Conduct
+
+Everyone interacting in the VIISP::Auth project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/laurynas/viisp-auth/blob/master/CODE_OF_CONDUCT.md).

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/certs/testKey.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCbnQjgBnAEbEqG
+tgNLqrCgYKvLWf6RkIvitIjmKSrqyu3xrQCaDokKBfdqRFx1/cq1/ddn7XFlJJCJ
+Y2kJ6fgeLsr/a2xKaYtaEKnger6QQBcjkmuYKAfnVgmlbxnazDtApaRu9D7ut3Cp
+cCcQbGnWgxbfnn2XZYNHMNoL+JWaIWjxLgjdqT/BIcWIKv4zFbi9D/taKtbYWp9Q
+gUpW0ILgi6ombTAq+y6l04BzosXoIp5Mzl1zyEdLrtw8t1zd6/ulHm1QPjFAQIJ4
+x3zWz715kRSgfzh2NktGdfHdaHEWANHB9xxVRhi6nhlrYTxIQdJ5eTBO55IGIjHy
+qJsA0MCbAgMBAAECggEAXDm4fdUy5Fwt2yLaVykFXzeL+YwPpMPPNAAdNpNlfRvh
+457NwYAl1cvtc4yqY7+TOUMFO/Hsh64g/1vsb9S7mV/QLYrD9mIRFcLUe1cjw6hI
+TmvD2ry22nMSanqrDxKFd230Q1H8Tkxnt/PhIwmtvFWa49Mxyd1+7V1VjUy5lUuQ
+c8ReVGSK5txnNL+9Qg1/qsa2XOLDVeepWbaWC2GMJ9nvjZCigFfIcYiilGC6CWMw
+siOupdA7TGnNloaabgMyT/L+2/ugdcRiAeI7mO2zMV705B8FbpKsuJ+4MefYpn2a
+7FZ8UXfT93nXqfV9hoj8Ms86QOxu4bCvxBOvF+i3IQKBgQDzmrdGZDEWxuNJayOL
+O5ZILBnwyMGUn/yiCffO2xq21IFpFuuRVLHg261DpsmEp14bAs/IVnVDMSbjUNoP
+HJd7pk1U91DIuhIZJRqTts1AjWKi9xmbxqXlAWVgF6z7YFvBpSR/dfqnZzqALkIT
+9hVJ5dV4aEtzgEUBY9fTKhov0QKBgQCjiB1pazh01JMcyzIolspBdXD39t8tI0oL
+G4ZXDh49nQwmUVRCzQR+2cu6wOxukLAy7FIwvMK+12hynWrdbYIvvHNCu+usBQue
+gfZWZv4XS7/ioWcUBJ6v0QVpf1ckOs6fdcWT/pgh46quareQYQ2SJD4f6ycwp2N4
+nlj2UinQqwKBgBIaHyBl9Zfhs6YTBhMknGhEjrDr2ia3NMi9wOJoObX4WJ18jIjC
+KG2zJU7vp+3pmf6b2ODkO9aAYollyq5wy3juxLRZpHEmEo43yZ/MZ7gySXAeuJJw
+0ocP8X6Qg9QyNt9O7EVkePnTm+9GgLaHBNH2+EP4TBMLJxWRW8pfSI7hAoGAB3fi
+5/qWlHdU1J7PBp2EVSL46soifRw8eG9kXjtt1CCE+ocCUx6r0uM9c6T150LCWUED
+q+gi+LY7tehMhhpHNMjldqnAZJXCZxXGW0HO3t99vuriGz7uxFbGaYAASc5Ju2yU
+fmLFLd8I33hOM9DK3t6625hQrN8oIs0QgQdVk4sCgYBNczHEmwGknqmkF4EXFSxy
+sozveJftCFgv8LrAhX0QLEPd8H8nNY8WSHCQZ4+hnvePYJnrSWxl6fM23pd9AInc
+LrwLasQmdYzzPmJrKIoTjUbzxYxLYEsTzlz8068kvFiPHiIyWdB5zupKNAaGnMZN
+RKOCbWATWhO58C9AqdvH0g==
+-----END PRIVATE KEY-----

data/lib/viisp/auth/client.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require 'faraday'
+
+module VIISP
+  module Auth
+    class Client
+      def post(document)
+        with_error_handling do
+          request = Signing.sign(document)
+          response = connection.post('', request)
+          xml = Nokogiri::XML(response.body)
+          Signing.validate!(xml)
+          xml
+        end
+      end
+
+      private
+
+      def with_error_handling
+        yield
+      rescue Faraday::ClientError => e
+        raise(RequestError, "#{e.message}. #{e.response}")
+      end
+
+      def connection
+        @connection ||= Faraday.new(url: configuration.endpoint) do |builder|
+          builder.options[:timeout] = configuration.read_timeout
+          builder.options[:open_timeout] = configuration.open_timeout
+
+          builder.headers['Accept'] = 'application/xml'
+
+          builder.response :raise_error
+
+          builder.adapter Faraday.default_adapter
+        end
+      end
+
+      def configuration
+        VIISP::Auth.configuration
+      end
+    end
+  end
+end

data/lib/viisp/auth/configuration.rb

@@ -0,0 +1,131 @@
+# frozen_string_literal: true
+
+module VIISP
+  module Auth
+    class Configuration
+      attr_writer :pid
+      attr_writer :postback_url
+      attr_writer :private_key
+      attr_writer :service_cert
+      attr_writer :test
+      attr_writer :endpoint
+      attr_writer :portal_endpoint
+
+      attr_accessor :providers
+      attr_accessor :attributes
+      attr_accessor :user_information
+
+      attr_accessor :read_timeout
+      attr_accessor :open_timeout
+
+      CERTS_PATH = File.expand_path('../../../../certs', __FILE__).freeze
+
+      DEFAULT_PROVIDERS = %w[
+        auth.lt.identity.card
+        auth.lt.bank
+        auth.signatureProvider
+        auth.login.pass
+        auth.lt.government.employee.card
+        auth.stork
+        auth.tsl.identity.card
+      ].freeze
+
+      DEFAULT_ATTRIBUTES = %w[
+        lt-personal-code
+        lt-company-code
+        lt-government-employee-code
+        stork-eid
+        tsl-serial-number
+        login
+      ].freeze
+
+      DEFAULT_USER_INFORMATION = %w[
+        firstName
+        lastName
+        address
+        email
+        phoneNumber
+        birthday
+        companyName
+      ].freeze
+
+      PRODUCTION_ENDPOINT = 'https://www.epaslaugos.lt/portal/authenticationServices/auth'
+      PRODUCTION_PORTAL_ENDPOINT = 'https://www.epaslaugos.lt/portal/external/services/authentication/v2/'
+
+      TEST_PID = 'VSID000000000113'
+      TEST_ENDPOINT = 'https://test.epaslaugos.lt/services/services/auth'
+      TEST_PORTAL_ENDPOINT = 'https://test.epaslaugos.lt/portal/external/services/authentication/v2/'
+
+      DEFAULT_OPEN_TIMEOUT = 3
+      DEFAULT_READ_TIMEOUT = 10
+
+      def initialize
+        @providers = DEFAULT_PROVIDERS
+        @attributes = DEFAULT_ATTRIBUTES
+        @user_information = DEFAULT_USER_INFORMATION
+
+        @open_timeout = DEFAULT_OPEN_TIMEOUT
+        @read_timeout = DEFAULT_READ_TIMEOUT
+      end
+
+      def pid
+        return @pid if @pid
+        return TEST_PID if test?
+        error('pid not configured')
+      end
+
+      def postback_url
+        @postback_url || error('postback_url not configured')
+      end
+
+      def endpoint
+        return @endpoint if @endpoint
+        return TEST_ENDPOINT if test?
+        PRODUCTION_ENDPOINT
+      end
+
+      def portal_endpoint
+        return @portal_endpoint if @portal_endpoint
+        return TEST_PORTAL_ENDPOINT if test?
+        PRODUCTION_PORTAL_ENDPOINT
+      end
+
+      def private_key
+        return @private_key if @private_key
+        return test_private_key if test?
+        error('private key not configured')
+      end
+
+      def service_cert
+        @service_cert || builtin_service_cert
+      end
+
+      def test?
+        @test
+      end
+
+      private
+
+      def builtin_service_cert
+        @builtin_service_cert ||= OpenSSL::X509::Certificate.new(
+          read_cert('epaslaugos_ident.cer')
+        )
+      end
+
+      def test_private_key
+        @test_private_key ||= OpenSSL::PKey::RSA.new(
+          read_cert('testKey.pem')
+        )
+      end
+
+      def read_cert(filename)
+        path = File.join(CERTS_PATH, filename)
+        File.read(path)
+      end
+
+      def error(message)
+        raise(ConfigurationError, message)
+      end
+    end
+  end
+end

data/lib/viisp/auth/errors.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module VIISP
+  module Auth
+    class Error < StandardError; end
+    class RequestError < Error; end
+    class SignatureError < Error; end
+    class ConfigurationError < Error; end
+  end
+end

data/lib/viisp/auth/identity.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+module VIISP
+  module Auth
+    class Identity
+      attr_reader :doc
+
+      def initialize(doc)
+        @doc = doc
+      end
+
+      def to_hash
+        {
+          'authentication_provider' => element_text('authenticationProvider'),
+          'attributes' => attributes,
+          'user_information' => user_information,
+          'custom_data' => element_text('customData'),
+          'source_data' => source_data,
+        }
+      end
+
+      private
+
+      def attributes
+        pairs = doc.css('authenticationAttribute').map do |el|
+          [el.at('attribute').text, el.at('value').text]
+        end
+
+        Hash[pairs]
+      end
+
+      def user_information
+        pairs = doc.css('userInformation').map do |el|
+          value = el.at('stringValue')&.text || el.at('dateValue')&.text
+          [el.at('information').text, value]
+        end
+
+        Hash[pairs]
+      end
+
+      def source_data
+        return unless source_data_element
+
+        {
+          'type' => source_data_element.at('type').text,
+          'parameters' => source_data_parameters,
+        }
+      end
+
+      def source_data_element
+        @source_data_element ||= doc.at('sourceData')
+      end
+
+      def source_data_parameters
+        pairs = source_data_element.css('parameter').map do |el|
+          [el.attr('name'), el.text]
+        end
+
+        Hash[pairs]
+      end
+
+      def element_text(element_name)
+        doc.at(element_name)&.text
+      end
+    end
+  end
+end

data/lib/viisp/auth/requests/identity.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module VIISP
+  module Auth
+    module Requests
+      class Identity
+        include Soap
+        include Signature
+
+        NODE_ID = 'uniqueNodeId'
+
+        def initialize(ticket:, include_source_data: false)
+          @ticket = ticket
+          @include_source_data = include_source_data
+        end
+
+        def build
+          builder = Nokogiri::XML::Builder.new do |builder|
+            soap_envelope(builder) do
+              build_request(builder)
+            end
+          end
+
+          builder.doc
+        end
+
+        private
+
+        def build_request(builder)
+          builder[:authentication].authenticationDataRequest(id: NODE_ID) do
+            builder.pid(configuration.pid)
+            builder.ticket(@ticket)
+            builder.includeSourceData('true') if @include_source_data
+
+            build_signature(builder, NODE_ID)
+          end
+        end
+
+        def configuration
+          Auth.configuration
+        end
+      end
+    end
+  end
+end

data/lib/viisp/auth/requests/signature.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module VIISP
+  module Auth
+    module Requests
+      module Signature
+        def build_signature(builder, element_id)
+          builder[:ds].Signature do
+            builder.SignedInfo do
+              builder.CanonicalizationMethod(Algorithm: 'http://www.w3.org/2001/10/xml-exc-c14n#')
+              builder.SignatureMethod(Algorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256')
+              builder.Reference(URI: '#' + element_id) do
+                builder.Transforms do
+                  builder.Transform(Algorithm: 'http://www.w3.org/2000/09/xmldsig#enveloped-signature')
+                end
+                builder.DigestMethod(Algorithm: 'http://www.w3.org/2001/04/xmlenc#sha256')
+                builder.DigestValue
+              end
+            end
+            builder.SignatureValue
+          end
+        end
+      end
+    end
+  end
+end

data/lib/viisp/auth/requests/soap.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module VIISP
+  module Auth
+    module Requests
+      module Soap
+        NAMESPACES = {
+          'xmlns:soapenv' => 'http://schemas.xmlsoap.org/soap/envelope/',
+          'xmlns:authentication' => 'http://www.epaslaugos.lt/services/authentication',
+          'xmlns:ds' => 'http://www.w3.org/2000/09/xmldsig#',
+        }.freeze
+
+        def soap_envelope(builder)
+          builder[:soapenv].Envelope(NAMESPACES) do
+            builder.Body { yield }
+          end
+        end
+      end
+    end
+  end
+end