yoti 1.0.0

data/Rakefile

@@ -0,0 +1,46 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+require 'yaml'
+
+################################
+# Tests                        #
+################################
+
+RSpec::Core::RakeTask.new
+task test: :spec
+
+################################
+# Rubocop                      #
+################################
+
+require 'rubocop/rake_task'
+RuboCop::RakeTask.new(:rubocop) do |t|
+  t.options = ['--config', 'rubocop.yml']
+end
+
+################################
+# Documentation                #
+################################
+
+require 'yard'
+YARD::Rake::YardocTask.new do |t|
+  t.stats_options = ['--list-undoc']
+end
+
+yardstick_options = YAML.load_file('yardstick.yml')
+
+require 'yardstick/rake/measurement'
+Yardstick::Rake::Measurement.new(:measurement, yardstick_options) do |measurement|
+  measurement.output = 'measurement/report.txt'
+end
+
+require 'yardstick/rake/verify'
+Yardstick::Rake::Verify.new(:verify_measurements, yardstick_options) do |verify|
+  verify.threshold = 88.5
+end
+
+################################
+# Defaults                     #
+################################
+
+task default: [:spec, :rubocop]

data/lib/generators/yoti/install/install_generator.rb

@@ -0,0 +1,13 @@
+module Yoti
+  module Generators
+    class InstallGenerator < Rails::Generators::Base
+      source_root File.expand_path('../templates', __FILE__)
+
+      desc 'This generator creates an Yoti initializer file at config/initializers'
+
+      def copy_initializer
+        template 'yoti.rb', 'config/initializers/yoti.rb'
+      end
+    end
+  end
+end

data/lib/generators/yoti/install/templates/yoti.rb

@@ -0,0 +1,4 @@
+Yoti.configure do |config|
+  config.client_sdk_id = ENV['YOTI_CLIENT_SDK_ID']
+  config.key_file_path = ENV['YOTI_KEY_FILE_PATH']
+end

data/lib/yoti/activity_details.rb

@@ -0,0 +1,31 @@
+require 'net/http'
+
+module Yoti
+  # Encapsulates the user profile data
+  class ActivityDetails
+    # @return [String] the outcome of the profile request, eg: SUCCESS
+    attr_reader :outcome
+
+    # @return [String] the Yoti ID
+    attr_reader :user_id
+
+    # @return [Hash] the decoded profile attributes
+    attr_reader :user_profile
+
+    # @param receipt [Hash] the receipt from the API request
+    # @param decrypted_profile [Object] Protobuf AttributeList decrypted object containing the profile attributes
+    def initialize(receipt, decrypted_profile)
+      @decrypted_profile = decrypted_profile
+      @user_profile = {}
+
+      if @decrypted_profile.respond_to_has_and_present?(:attributes)
+        @decrypted_profile.attributes.each do |field|
+          @user_profile[field.name] = Yoti::Protobuf.value_based_on_content_type(field.value, field.content_type)
+        end
+      end
+
+      @user_id = receipt['remember_me_id']
+      @outcome = receipt['sharing_outcome']
+    end
+  end
+end

data/lib/yoti/client.rb

@@ -0,0 +1,17 @@
+module Yoti
+  # Handles all the publicly accesible Yoti methods for
+  # geting data using an encrypted connect token
+  module Client
+    # Performs all the steps required to get the decrypted profile from an API request
+    # @param encrypted_connect_token [String] token provided as a base 64 string
+    # @return [Object] an ActivityDetails instance encapsulating the user profile
+    def self.get_activity_details(encrypted_connect_token)
+      receipt = Yoti::Request.new(encrypted_connect_token).receipt
+      encrypted_data = Protobuf.current_user(receipt)
+      unwrapped_key = Yoti::SSL.decrypt_token(receipt['wrapped_receipt_key'])
+      decrypted_data = Yoti::SSL.decipher(unwrapped_key, encrypted_data.iv, encrypted_data.cipher_text)
+      decrypted_profile = Protobuf.attribute_list(decrypted_data)
+      ActivityDetails.new(receipt, decrypted_profile)
+    end
+  end
+end

data/lib/yoti/configuration.rb

@@ -0,0 +1,84 @@
+module Yoti
+  class Configuration
+    attr_accessor :client_sdk_id, :key_file_path, :key, :api_url,
+                  :api_port, :api_version, :api_endpoint
+
+    # Set config variables by using a configuration block
+    def initialize
+      @client_sdk_id = ''
+      @key_file_path = ''
+      @key = ''
+      @api_url = 'https://api.yoti.com'
+      @api_port = 443
+      @api_version = 'v1'
+    end
+
+    # @return [String] the API endpoint for the selected API version
+    def api_endpoint
+      @api_endpoint ||= "#{@api_url}/api/#{@api_version}"
+    end
+
+    # Validates the configuration values set in instance variables
+    # @return [nil]
+    def validate
+      validate_required_all(%w(client_sdk_id))
+      validate_required_any(%w(key_file_path key))
+      validate_value('api_version', ['v1'])
+    end
+
+    private
+
+    # Loops through the list of required configurations and raises an error
+    # if a it can't find all the configuration values set
+    # @return [nil]
+    def validate_required_all(required_configs)
+      required_configs.each do |config|
+        unless config_set?(config)
+          message = "Configuration value `#{config}` is required."
+          raise ConfigurationError, message
+        end
+      end
+    end
+
+    # Loops through the list of required configurations and raises an error
+    # if a it can't find at least one configuration value set
+    # @return [nil]
+    def validate_required_any(required_configs)
+      valid = required_configs.select { |config| config_set?(config) }
+
+      return if valid.any?
+
+      config_list = required_configs.map { |conf| '`' + conf + '`' }.join(', ')
+      message = "At least one of the configuration values has to be set: #{config_list}."
+      raise ConfigurationError, message
+    end
+
+    # Raises an error if the setting receives an invalid value
+    # @param value [String] the value to be assigned
+    # @param allowed_values [Array] an array of allowed values for the variable
+    # @return [nil]
+    def validate_value(config, allowed_values)
+      value = instance_variable_get("@#{config}")
+
+      return unless invalid_value?(value, allowed_values)
+
+      message = "Configuration value `#{value}` is not allowed for `#{config}`."
+      raise ConfigurationError, message
+    end
+
+    # Checks if an allowed array of values includes the setting value
+    # @param value [String] the value to be checked
+    # @param allowed_values [Array] an array of allowed values for the variable
+    # @return [Boolean]
+    def invalid_value?(value, allowed_values)
+      allowed_values.any? && !allowed_values.include?(value)
+    end
+
+    # Checks if a configuration has been set as a instance variable
+    # @param name [String] the name of the configuration
+    # @return [Boolean]
+    def config_set?(config)
+      instance_variable_get("@#{config}").to_s != ''
+    end
+  end
+end

data/lib/yoti/errors.rb

@@ -0,0 +1,13 @@
+module Yoti
+  # Raises exceptions related to Protobuf decoding
+  class ProtobufError < StandardError; end
+
+  # Raises exceptions related to API requests
+  class RequestError < StandardError; end
+
+  # Raises exceptions related to OpenSSL actions
+  class SslError < StandardError; end
+
+  # Raises exceptions realted to an incorrect gem configuration value
+  class ConfigurationError < StandardError; end
+end

data/lib/yoti/protobuf/v1/attribute_public_api/attribute.pb.rb

@@ -0,0 +1,45 @@
+require 'protobuf/message'
+
+module Yoti
+  module Protobuf
+    module V1
+      module Attrpubapi
+        ##
+        # Enum Classes
+        #
+        class ContentType < ::Protobuf::Enum
+          define :UNDEFINED, 0
+          define :STRING, 1
+          define :JPEG, 2
+          define :DATE, 3
+          define :PNG, 4
+        end
+
+        ##
+        # Message Classes
+        #
+        class Attribute < ::Protobuf::Message; end
+        class Anchor < ::Protobuf::Message; end
+
+        ##
+        # Message Fields
+        #
+        class Attribute
+          optional :string, :name, 1
+          optional :bytes, :value, 2
+          optional Yoti::Protobuf::V1::Attrpubapi::ContentType, :content_type, 3
+          repeated Yoti::Protobuf::V1::Attrpubapi::Anchor, :anchors, 4
+        end
+
+        class Anchor
+          optional :bytes, :artifact_link, 1
+          repeated :bytes, :origin_server_certs, 2
+          optional :bytes, :artifact_signature, 3
+          optional :string, :sub_type, 4
+          optional :bytes, :signature, 5
+          optional :bytes, :signed_time_stamp, 6
+        end
+      end
+    end
+  end
+end

data/lib/yoti/protobuf/v1/attribute_public_api/list.pb.rb

@@ -0,0 +1,33 @@
+require 'protobuf/message'
+require_relative 'attribute.pb'
+
+module Yoti
+  module Protobuf
+    module V1
+      module Attrpubapi
+        ##
+        # Message Classes
+        #
+        class AttributeAndId < ::Protobuf::Message; end
+        class AttributeAndIdList < ::Protobuf::Message; end
+        class AttributeList < ::Protobuf::Message; end
+
+        ##
+        # Message Fields
+        #
+        class AttributeAndId
+          optional Yoti::Protobuf::V1::Attrpubapi::Attribute, :attribute, 1
+          optional :bytes, :attribute_id, 2
+        end
+
+        class AttributeAndIdList
+          repeated Yoti::Protobuf::V1::Attrpubapi::AttributeAndId, :attribute_and_id_list, 1
+        end
+
+        class AttributeList
+          repeated Yoti::Protobuf::V1::Attrpubapi::Attribute, :attributes, 1
+        end
+      end
+    end
+  end
+end

data/lib/yoti/protobuf/v1/attribute_public_api/signing.pb.rb

@@ -0,0 +1,27 @@
+require 'protobuf/message'
+require_relative 'attribute.pb'
+
+module Yoti
+  module Protobuf
+    module V1
+      module Attrpubapi
+        ##
+        # Message Classes
+        #
+        class AttributeSigning < ::Protobuf::Message; end
+
+        ##
+        # Message Fields
+        #
+        class AttributeSigning
+          optional :string, :name, 1
+          optional :bytes, :value, 2
+          optional Yoti::Protobuf::V1::Attrpubapi::ContentType, :content_type, 3
+          optional :bytes, :artifact_signature, 4
+          optional :string, :sub_type, 5
+          optional :bytes, :signed_time_stamp, 6
+        end
+      end
+    end
+  end
+end

data/lib/yoti/protobuf/v1/common_public_api/encrypted_data.pb.rb

@@ -0,0 +1,22 @@
+require 'protobuf/message'
+
+module Yoti
+  module Protobuf
+    module V1
+      module Compubapi
+        ##
+        # Message Classes
+        #
+        class EncryptedData < ::Protobuf::Message; end
+
+        ##
+        # Message Fields
+        #
+        class EncryptedData
+          optional :bytes, :iv, 1
+          optional :bytes, :cipher_text, 2
+        end
+      end
+    end
+  end
+end

data/lib/yoti/protobuf/v1/definitions/attribute-public-api/attrpubapi_v1/attribute.proto

@@ -0,0 +1,52 @@
+//syntax = "proto2";
+
+package attrpubapi_v1;
+
+option java_package = "com.yoti.attrpubapi_v1";
+option java_outer_classname = "AttrProto";
+
+
+// ContentType indicates how to interpret the ‘Value’ field of an Attribute.
+enum ContentType {
+	// UNDEFINED should not be seen, and is used as an error placeholder
+	// value.
+	UNDEFINED = 0;
+
+	// STRING means the value is UTF-8 encoded text.
+	STRING = 1;
+
+	// JPEG indicates a standard .jpeg image.
+	JPEG = 2;
+
+	// Date as string in RFC3339 format (YYYY-MM-DD).
+	DATE = 3;
+
+	// PNG indicates a standard .png image.
+	PNG = 4;
+}
+
+
+message Attribute {
+	optional string name = 1;
+
+	optional bytes value = 2;
+
+	optional ContentType content_type = 3;
+
+	repeated Anchor anchors = 4;
+}
+
+
+message Anchor {
+	optional bytes artifact_link = 1;
+
+	repeated bytes origin_server_certs = 2;
+
+	optional bytes artifact_signature = 3;
+
+	optional string sub_type = 4;
+
+	optional bytes signature = 5;
+
+	optional bytes signed_time_stamp = 6;
+}

data/lib/yoti/protobuf/v1/definitions/attribute-public-api/attrpubapi_v1/list.proto

@@ -0,0 +1,27 @@
+//syntax = "proto2";
+
+package attrpubapi_v1;
+
+import "Attribute.proto";
+
+option java_package = "com.yoti.attrpubapi_v1";
+option java_outer_classname = "AttrProto";
+
+
+// AttributeAndId is a simple container for holding an attribute's value
+// alongside its ID.
+message AttributeAndId {
+	optional Attribute attribute = 1;
+
+	optional bytes attribute_id = 2;
+}
+
+
+message AttributeAndIdList{
+    repeated AttributeAndId attribute_and_id_list = 1;
+}
+
+
+message AttributeList {
+    repeated Attribute attributes = 1;
+}

data/lib/yoti/protobuf/v1/definitions/attribute-public-api/attrpubapi_v1/signing.proto

@@ -0,0 +1,23 @@
+//syntax = "proto2";
+
+package attrpubapi_v1;
+
+import "Attribute.proto";
+
+option java_package = "com.yoti.attrpubapi_v1";
+option java_outer_classname = "AttrProto";
+
+
+message AttributeSigning {
+	optional string name = 1;
+
+	optional bytes value = 2;
+
+	optional ContentType content_type = 3;
+
+	optional bytes artifact_signature = 4;
+
+	optional string sub_type = 5;
+
+	optional bytes signed_time_stamp = 6;
+}

data/lib/yoti/protobuf/v1/definitions/common-public-api/compubapi_v1/encrypted_data.proto

@@ -0,0 +1,15 @@
+// syntax = "proto2";
+
+package compubapi_v1;
+
+option java_package = "com.yoti.compubapi_v1";
+option java_outer_classname = "EncryptedDataProto";
+
+message EncryptedData {
+    // the iv will be used in conjunction with the secret key
+    // received via other channel in order to decrypt the cipher_text
+    optional bytes iv = 1;
+
+    // block of bytes to be decrypted
+    optional bytes cipher_text = 2;
+}

data/lib/yoti/protobuf/v1/protobuf.rb

@@ -0,0 +1,49 @@
+require 'protobuf'
+require_relative 'attribute_public_api/list.pb'
+require_relative 'common_public_api/encrypted_data.pb'
+
+module Yoti
+  module Protobuf
+    class << self
+      CT_UNDEFINED = 0 # should not be seen, and is used as an error placeholder
+      CT_STRING = 1 # UTF-8 encoded text.
+      CT_JPEG = 2 # standard .jpeg image.
+      CT_DATE = 3 # string in RFC3339 format (YYYY-MM-DD)
+      CT_PNG = 4 # standard .png image
+
+      def current_user(receipt)
+        raise ProtobufError, 'The receipt has invalid data.' unless valid_recepit?(receipt)
+        profile_content = receipt['other_party_profile_content']
+        decoded_profile_content = Base64.decode64(profile_content)
+        V1::Compubapi::EncryptedData.decode(decoded_profile_content)
+      end
+
+      def attribute_list(data)
+        V1::Attrpubapi::AttributeList.decode(data)
+      end
+
+      def value_based_on_content_type(value, content_type = nil)
+        case content_type
+        when CT_UNDEFINED
+          raise ProtobufError, 'The content type is invalid.'
+        when CT_STRING
+          value.encode('utf-8')
+        when CT_JPEG
+          'data:image/jpeg;base64,'.concat(Base64.strict_encode64(value))
+        when CT_DATE
+          value.encode('utf-8')
+        when CT_PNG
+          'data:image/png;base64,'.concat(Base64.strict_encode64(value))
+        else
+          value
+        end
+      end
+
+      private
+
+      def valid_recepit?(receipt)
+        receipt.key?('other_party_profile_content') && !receipt['other_party_profile_content'].nil?
+      end
+    end
+  end
+end

data/lib/yoti/request.rb

@@ -0,0 +1,58 @@
+module Yoti
+  # Manage the API's HTTPS requests
+  class Request
+    def initialize(encrypted_connect_token)
+      @encrypted_connect_token = encrypted_connect_token
+      @auth_key = Yoti::SSL.auth_key_from_pem
+    end
+
+    # @return [Hash] the receipt key from the request hash response
+    def receipt
+      request['receipt']
+    end
+
+    private
+
+    def request
+      res = Net::HTTP.start(uri.hostname, Yoti.configuration.api_port, use_ssl: https_uri?) do |http|
+        http.request(req)
+      end
+
+      raise RequestError, "Unsuccessful Yoti API call: #{res.message}" unless res.code == '200'
+      JSON.parse(res.body)
+    end
+
+    def req
+      http_req = Net::HTTP::Get.new(uri)
+      http_req['X-Yoti-Auth-Key'] = @auth_key
+      http_req['X-Yoti-Auth-Digest'] = message_signature
+      http_req['Content-Type'] = 'application/json'
+      http_req['Accept'] = 'application/json'
+      http_req
+    end
+
+    def message_signature
+      @message_signature ||= Yoti::SSL.get_secure_signature("GET&#{path}")
+    end
+
+    def uri
+      @uri ||= URI(Yoti.configuration.api_endpoint + path)
+    end
+
+    def path
+      @path ||= begin
+        nonce = SecureRandom.uuid
+        timestamp = Time.now.to_i
+        "/profile/#{token}?nonce=#{nonce}&timestamp=#{timestamp}&appId=#{Yoti.configuration.client_sdk_id}"
+      end
+    end
+
+    def token
+      @token ||= Yoti::SSL.decrypt_token(@encrypted_connect_token)
+    end
+
+    def https_uri?
+      uri.scheme == 'https'
+    end
+  end
+end

data/lib/yoti/ssl.rb

@@ -0,0 +1,71 @@
+require 'openssl'
+require 'base64'
+
+module Yoti
+  # Manages security behaviour that requires the use of OpenSSL actions
+  module SSL
+    class << self
+      # Gets the private key from either a String (YOTI_KEY)
+      # or a pem file (YOTI_KEY_FILE_PATH)
+      # @return [String] the content of the private key
+      def pem
+        @pem ||= begin
+          if Yoti.configuration.key.to_s.empty?
+            File.read(Yoti.configuration.key_file_path, encoding: 'utf-8')
+          else
+            Yoti.configuration.key
+          end
+        end
+      end
+
+      # Uses the pem key to decrypt an encrypted connect token
+      # @param encrypted_connect_token [String]
+      # @return [String] decrypted connect token decoded in base 64
+      def decrypt_token(encrypted_connect_token)
+        raise SslError, 'Encrypted token cannot be nil.' unless encrypted_connect_token
+
+        begin
+          private_key.private_decrypt(Base64.urlsafe_decode64(encrypted_connect_token))
+        rescue => error
+          raise SslError, "Could not decrypt token. #{error}"
+        end
+      end
+
+      # Extracts the public key from pem key, converts it to a DER base 64 encoded value
+      # @return [String] base 64 encoded anthentication key
+      def auth_key_from_pem
+        public_key = private_key.public_key
+        Base64.strict_encode64(public_key.to_der)
+      end
+
+      # Sign message using a secure SHA256 hash and the private key
+      # @param message [String] message to be signed
+      # @return [String] signed message encoded in base 64
+      def get_secure_signature(message)
+        digest = OpenSSL::Digest::SHA256.new
+        Base64.strict_encode64(private_key.sign(digest, message))
+      end
+
+      # Uses the decrypted receipt key and the current user's iv to decode the text
+      # @param key [String] base 64 decoded key
+      # @param iv [String] base 64 decoded iv
+      # @param text [String] base 64 decoded cyphered text
+      # @return [String] base 64 decoded deciphered text
+      def decipher(key, iv, text)
+        ssl_decipher = OpenSSL::Cipher.new('AES-256-CBC')
+        ssl_decipher.decrypt
+        ssl_decipher.key = key
+        ssl_decipher.iv = iv
+        ssl_decipher.update(text) + ssl_decipher.final
+      end
+
+      private
+
+      def private_key
+        @private_key ||= OpenSSL::PKey::RSA.new(pem)
+      rescue => error
+        raise SslError, "The secure key is invalid. #{error}"
+      end
+    end
+  end
+end

data/lib/yoti/version.rb

@@ -0,0 +1,4 @@
+module Yoti
+  # @return [String] the gem's current version
+  VERSION = '1.0.0'.freeze
+end

data/lib/yoti.rb

@@ -0,0 +1,21 @@
+require_relative 'yoti/version'
+require_relative 'yoti/configuration'
+require_relative 'yoti/errors'
+require_relative 'yoti/ssl'
+require_relative 'yoti/request'
+require_relative 'yoti/activity_details'
+require_relative 'yoti/client'
+require_relative 'yoti/protobuf/v1/protobuf'
+
+# The main module namespace of the Yoti gem
+module Yoti
+  class << self
+    attr_accessor :configuration
+  end
+
+  def self.configure
+    self.configuration ||= Configuration.new
+    yield(configuration)
+    configuration.validate
+  end
+end