viisp-auth 0.1.0

data/lib/viisp/auth/configuration.rb

@@ -0,0 +1,131 @@
+# frozen_string_literal: true
+
+module VIISP
+  module Auth
+    class Configuration
+      attr_writer :pid
+      attr_writer :postback_url
+      attr_writer :private_key
+      attr_writer :service_cert
+      attr_writer :test
+      attr_writer :endpoint
+      attr_writer :portal_endpoint
+
+      attr_accessor :providers
+      attr_accessor :attributes
+      attr_accessor :user_information
+
+      attr_accessor :read_timeout
+      attr_accessor :open_timeout
+
+      CERTS_PATH = File.expand_path('../../../../certs', __FILE__).freeze
+
+      DEFAULT_PROVIDERS = %w[
+        auth.lt.identity.card
+        auth.lt.bank
+        auth.signatureProvider
+        auth.login.pass
+        auth.lt.government.employee.card
+        auth.stork
+        auth.tsl.identity.card
+      ].freeze
+
+      DEFAULT_ATTRIBUTES = %w[
+        lt-personal-code
+        lt-company-code
+        lt-government-employee-code
+        stork-eid
+        tsl-serial-number
+        login
+      ].freeze
+
+      DEFAULT_USER_INFORMATION = %w[
+        firstName
+        lastName
+        address
+        email
+        phoneNumber
+        birthday
+        companyName
+      ].freeze
+
+      PRODUCTION_ENDPOINT = 'https://www.epaslaugos.lt/portal/authenticationServices/auth'
+      PRODUCTION_PORTAL_ENDPOINT = 'https://www.epaslaugos.lt/portal/external/services/authentication/v2/'
+
+      TEST_PID = 'VSID000000000113'
+      TEST_ENDPOINT = 'https://www.epaslaugos.lt/portal-test/services/AuthenticationServiceProxy'
+      TEST_PORTAL_ENDPOINT = 'https://www.epaslaugos.lt/portal-test/external/services/authentication/v2/'
+
+      DEFAULT_OPEN_TIMEOUT = 3
+      DEFAULT_READ_TIMEOUT = 10
+
+      def initialize
+        @providers = DEFAULT_PROVIDERS
+        @attributes = DEFAULT_ATTRIBUTES
+        @user_information = DEFAULT_USER_INFORMATION
+
+        @open_timeout = DEFAULT_OPEN_TIMEOUT
+        @read_timeout = DEFAULT_READ_TIMEOUT
+      end
+
+      def pid
+        return @pid if @pid
+        return TEST_PID if test?
+        error('pid not configured')
+      end
+
+      def postback_url
+        @postback_url || error('postback_url not configured')
+      end
+
+      def endpoint
+        return @endpoint if @endpoint
+        return TEST_ENDPOINT if test?
+        PRODUCTION_ENDPOINT
+      end
+
+      def portal_endpoint
+        return @portal_endpoint if @portal_endpoint
+        return TEST_PORTAL_ENDPOINT if test?
+        PRODUCTION_PORTAL_ENDPOINT
+      end
+
+      def private_key
+        return @private_key if @private_key
+        return test_private_key if test?
+        error('private key not configured')
+      end
+
+      def service_cert
+        @service_cert || builtin_service_cert
+      end
+
+      def test?
+        @test
+      end
+
+      private
+
+      def builtin_service_cert
+        @builtin_service_cert ||= OpenSSL::X509::Certificate.new(
+          read_cert('epaslaugos_ident.crt')
+        )
+      end
+
+      def test_private_key
+        @test_private_key ||= OpenSSL::PKey::RSA.new(
+          read_cert('testKey.pem')
+        )
+      end
+
+      def read_cert(filename)
+        path = File.join(CERTS_PATH, filename)
+        File.read(path)
+      end
+
+      def error(message)
+        raise(ConfigurationError, message)
+      end
+    end
+  end
+end

data/lib/viisp/auth/errors.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module VIISP
+  module Auth
+    class Error < StandardError; end
+    class RequestError < Error; end
+    class SignatureError < Error; end
+    class ConfigurationError < Error; end
+  end
+end

data/lib/viisp/auth/identity.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+module VIISP
+  module Auth
+    class Identity
+      attr_reader :doc
+
+      def initialize(doc)
+        @doc = doc
+      end
+
+      def to_hash
+        {
+          'authentication_provider' => element_text('authenticationProvider'),
+          'attributes' => attributes,
+          'user_information' => user_information,
+          'custom_data' => element_text('customData'),
+          'source_data' => source_data,
+        }
+      end
+
+      private
+
+      def attributes
+        pairs = doc.css('authenticationAttribute').map do |el|
+          [el.at('attribute').text, el.at('value').text]
+        end
+
+        Hash[pairs]
+      end
+
+      def user_information
+        pairs = doc.css('userInformation').map do |el|
+          value = el.at('stringValue')&.text || el.at('dateValue')&.text
+          [el.at('information').text, value]
+        end
+
+        Hash[pairs]
+      end
+
+      def source_data
+        return unless source_data_element
+
+        {
+          'type' => source_data_element.at('type').text,
+          'parameters' => source_data_parameters,
+        }
+      end
+
+      def source_data_element
+        @source_data_element ||= doc.at('sourceData')
+      end
+
+      def source_data_parameters
+        pairs = source_data_element.css('parameter').map do |el|
+          [el.attr('name'), el.text]
+        end
+
+        Hash[pairs]
+      end
+
+      def element_text(element_name)
+        doc.at(element_name)&.text
+      end
+    end
+  end
+end

data/lib/viisp/auth/requests/identity.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module VIISP
+  module Auth
+    module Requests
+      class Identity
+        include Soap
+        include Signature
+
+        NODE_ID = 'uniqueNodeId'
+
+        def initialize(ticket:, include_source_data: false)
+          @ticket = ticket
+          @include_source_data = include_source_data
+        end
+
+        def build
+          builder = Nokogiri::XML::Builder.new do |builder|
+            soap_envelope(builder) do
+              build_request(builder)
+            end
+          end
+
+          builder.doc
+        end
+
+        private
+
+        def build_request(builder)
+          builder[:authentication].authenticationDataRequest(id: NODE_ID) do
+            builder.pid(configuration.pid)
+            builder.ticket(@ticket)
+            builder.includeSourceData('true') if @include_source_data
+
+            build_signature(builder, NODE_ID)
+          end
+        end
+
+        def configuration
+          Auth.configuration
+        end
+      end
+    end
+  end
+end

data/lib/viisp/auth/requests/signature.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module VIISP
+  module Auth
+    module Requests
+      module Signature
+        def build_signature(builder, element_id)
+          builder[:ds].Signature do
+            builder.SignedInfo do
+              builder.CanonicalizationMethod(Algorithm: 'http://www.w3.org/2001/10/xml-exc-c14n#')
+              builder.SignatureMethod(Algorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256')
+              builder.Reference(URI: '#' + element_id) do
+                builder.Transforms do
+                  builder.Transform(Algorithm: 'http://www.w3.org/2000/09/xmldsig#enveloped-signature')
+                end
+                builder.DigestMethod(Algorithm: 'http://www.w3.org/2001/04/xmlenc#sha256')
+                builder.DigestValue
+              end
+            end
+            builder.SignatureValue
+          end
+        end
+      end
+    end
+  end
+end

data/lib/viisp/auth/requests/soap.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module VIISP
+  module Auth
+    module Requests
+      module Soap
+        NAMESPACES = {
+          'xmlns:soapenv' => 'http://schemas.xmlsoap.org/soap/envelope/',
+          'xmlns:authentication' => 'http://www.epaslaugos.lt/services/authentication',
+          'xmlns:ds' => 'http://www.w3.org/2000/09/xmldsig#',
+        }.freeze
+
+        def soap_envelope(builder)
+          builder[:soapenv].Envelope(NAMESPACES) do
+            builder.Body { yield }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/viisp/auth/requests/ticket.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+module VIISP
+  module Auth
+    module Requests
+      class Ticket
+        include Soap
+        include Signature
+
+        NODE_ID = 'uniqueNodeId'
+
+        def initialize(providers: nil, attributes: nil, user_information: nil, postback_url: nil,
+                       custom_data: '')
+          @providers = providers || configuration.providers
+          @attributes = attributes || configuration.attributes
+          @user_information = user_information || configuration.user_information
+          @postback_url = postback_url || configuration.postback_url
+          @custom_data = custom_data
+        end
+
+        def build
+          builder = Nokogiri::XML::Builder.new do |builder|
+            soap_envelope(builder) do
+              build_request(builder)
+            end
+          end
+
+          builder.doc
+        end
+
+        private
+
+        def build_request(builder)
+          builder[:authentication].authenticationRequest(id: NODE_ID) do
+            builder.pid(configuration.pid)
+
+            @providers.each do |provider|
+              builder.authenticationProvider(provider)
+            end
+
+            @attributes.each do |attribute|
+              builder.authenticationAttribute(attribute)
+            end
+
+            @user_information.each do |val|
+              builder.userInformation(val)
+            end
+
+            builder.postbackUrl(@postback_url)
+            builder.customData(@custom_data)
+
+            build_signature(builder, NODE_ID)
+          end
+        end
+
+        def configuration
+          Auth.configuration
+        end
+      end
+    end
+  end
+end

data/lib/viisp/auth/signing.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'xmldsig'
+
+module VIISP
+  module Auth
+    module Signing
+      SCHEMAS_PATH = File.expand_path('../../../../schemas', __FILE__).freeze
+
+      module_function
+
+      def sign(doc, private_key = Auth.configuration.private_key)
+        signed_document = Xmldsig::SignedDocument.new(doc, id_attr: 'id')
+        signed_document.sign(private_key)
+      end
+
+      def validate!(doc, certificate = Auth.configuration.service_cert)
+        Dir.chdir(SCHEMAS_PATH) do
+          schema = IO.read('authentication.xsd')
+          signed_document = Xmldsig::SignedDocument.new(doc, id_attr: 'id')
+          signed_document.validate(certificate, schema) ||
+            raise(SignatureError, 'Unable to verify signature')
+        end
+      end
+    end
+  end
+end

data/lib/viisp/auth/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module VIISP
+  module Auth
+    VERSION = '0.1.0'
+  end
+end

data/schemas/authentication.xsd

@@ -0,0 +1,154 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" targetNamespace="http://www.epaslaugos.lt/services/authentication" elementFormDefault="qualified"
+  xmlns="http://www.epaslaugos.lt/services/authentication">
+
+  <xs:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd" />
+  <xs:import namespace="http://www.w3.org/2001/10/xml-exc-c14n#" schemaLocation="exc-c14n.xsd"/>
+
+  <xs:element name="authenticationRequest">
+    <xs:complexType>
+      <xs:sequence>
+        <xs:element name="pid" type="xs:string" />
+        <xs:element name="serviceTarget" type="serviceTarget" minOccurs="0" />
+        <xs:element name="authenticationProvider" type="authenticationProvider" minOccurs="0" maxOccurs="unbounded" />
+        <xs:element name="authenticationAttribute" type="authenticationAttribute" minOccurs="0" maxOccurs="unbounded" />
+        <xs:element name="userInformation" type="userInformation" minOccurs="0" maxOccurs="unbounded" />
+        <xs:element name="postbackUrl" type="xs:anyURI" minOccurs="0" />
+        <xs:element name="customData" type="xs:string" minOccurs="0" />
+        <xs:element ref="dsig:Signature" />
+      </xs:sequence>
+      <xs:attribute name="id" type="xs:ID" use="optional"/>
+    </xs:complexType>
+  </xs:element>
+
+  <xs:element name="authenticationResponse">
+    <xs:complexType>
+      <xs:sequence>
+        <xs:element name="ticket" type="ticket" />
+        <xs:element ref="dsig:Signature" />
+      </xs:sequence>
+      <xs:attribute name="id" type="xs:ID" use="optional"/>
+    </xs:complexType>
+  </xs:element>
+
+  <xs:element name="authenticationDataRequest">
+    <xs:complexType>
+      <xs:sequence>
+        <xs:element name="pid" type="xs:string" />
+        <xs:element name="ticket" type="ticket" />
+        <xs:element name="includeSourceData" type="xs:boolean" minOccurs="0" />
+        <xs:element ref="dsig:Signature" />
+      </xs:sequence>
+      <xs:attribute name="id" type="xs:ID" use="optional"/>
+    </xs:complexType>
+  </xs:element>
+
+  <xs:element name="authenticationDataResponse">
+    <xs:complexType>
+      <xs:sequence>
+        <xs:element name="authenticationProvider" type="authenticationProvider" />
+        <xs:element name="authenticationAttribute" type="authenticationAttributePair" minOccurs="0" maxOccurs="unbounded" />
+        <xs:element name="userInformation" type="userInformationPair" minOccurs="0" maxOccurs="unbounded" />
+        <xs:element name="customData" type="xs:string" minOccurs="0" />
+        <xs:element name="sourceData" type="authenticationSourceData" minOccurs="0" />
+        <xs:element ref="dsig:Signature" />
+      </xs:sequence>
+      <xs:attribute name="id" type="xs:ID" use="optional"/>
+    </xs:complexType>
+  </xs:element>
+
+  <xs:element name="invalidSignatureException" />
+  <xs:element name="invalidXmlException" />
+
+  <xs:complexType name="authenticationAttributePair">
+    <xs:sequence>
+      <xs:element name="attribute" type="authenticationAttribute" />
+      <xs:element name="value" type="xs:string" />
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:complexType name="userInformationPair">
+    <xs:sequence>
+      <xs:element name="information" type="userInformation" />
+      <xs:element name="value">
+        <xs:complexType>
+          <xs:choice>
+            <xs:element name="stringValue" type="xs:string" />
+            <xs:element name="dateValue" type="xs:date" />
+          </xs:choice>
+        </xs:complexType>
+      </xs:element>
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:simpleType name="ticket">
+    <xs:restriction base="xs:string">
+      <xs:maxLength value="512" />
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:simpleType name="serviceTarget">
+    <xs:restriction base="xs:string">
+      <xs:enumeration value="citizen" />
+      <xs:enumeration value="business" />
+      <xs:enumeration value="provider" />
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:simpleType name="authenticationProvider">
+    <xs:restriction base="xs:string">
+      <xs:enumeration value="auth.login.pass" />
+      <xs:enumeration value="auth.lt.identity.card" />
+      <xs:enumeration value="auth.lt.government.employee.card" />
+      <xs:enumeration value="auth.lt.bank" />
+      <xs:enumeration value="auth.stork" />
+      <xs:enumeration value="auth.tsl.identity.card" />
+      <xs:enumeration value="auth.signatureProvider" />
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:simpleType name="authenticationAttribute">
+    <xs:restriction base="xs:string">
+      <xs:enumeration value="lt-personal-code" />
+      <xs:enumeration value="lt-company-code" />
+      <xs:enumeration value="lt-government-employee-code" />
+      <xs:enumeration value="stork-eid" />
+      <xs:enumeration value="tsl-serial-number" />
+      <xs:enumeration value="login" />
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:simpleType name="userInformation">
+    <xs:restriction base="xs:string">
+      <xs:enumeration value="id" />
+      <xs:enumeration value="firstName" />
+      <xs:enumeration value="lastName" />
+      <xs:enumeration value="address" />
+      <xs:enumeration value="email" />
+      <xs:enumeration value="phoneNumber" />
+      <xs:enumeration value="birthday" />
+      <xs:enumeration value="companyName" />
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:complexType name="authenticationSourceData">
+    <xs:sequence>
+      <xs:element name="type" type="authenticationSourceType" />
+      <xs:element name="parameter" type="authenticationSourceParameter" maxOccurs="unbounded" />
+    </xs:sequence>
+  </xs:complexType>
+
+  <xs:simpleType name="authenticationSourceType">
+    <xs:restriction base="xs:string">
+      <xs:enumeration value="SAML" />
+    </xs:restriction>
+  </xs:simpleType>
+
+  <xs:complexType name="authenticationSourceParameter">
+    <xs:simpleContent>
+      <xs:extension base="xs:string">
+        <xs:attribute name="name" type="xs:string" />
+      </xs:extension>
+    </xs:simpleContent>
+  </xs:complexType>
+</xs:schema>