Expand TARA auth flow to registrant portal

app/controllers/registrant/tara_controller.rb

@@ -0,0 +1,33 @@
+class Registrant
+  class TaraController < ApplicationController
+    skip_authorization_check
+
+    # rubocop:disable Style/AndOr
+    def callback
+      session[:omniauth_hash] = user_hash
+      @registrant_user = RegistrantUser.find_or_create_by_omniauth_data(user_hash)
+
+      if @registrant_user
+        flash[:notice] = t(:signed_in_successfully)
+        sign_in_and_redirect(:registrant_user, @registrant_user)
+      else
+        show_error and return
+      end
+    end
+    # rubocop:enable Style/AndOr
+
+    def cancel
+      redirect_to root_path, notice: t(:sign_in_cancelled)
+    end
+
+    def show_error
+      redirect_to new_registrant_user_session_url, alert: t(:no_such_user)
+    end
+
+    private
+
+    def user_hash
+      request.env['omniauth.auth']
+    end
+  end
+end

app/models/registrant_user.rb

@@ -66,23 +66,19 @@ class RegistrantUser < User
       find_or_create_by_user_data(user_data)
     end
 
-    def find_or_create_by_mid_data(response)
-      user_data = { first_name: response.user_givenname, last_name: response.user_surname,
-                    ident: response.user_id_code, country_code: response.user_country }
+    def find_or_create_by_omniauth_data(omniauth_hash)
+      uid = omniauth_hash['uid']
+      identity_code = uid.slice(2..-1)
+      country_code = uid.slice(0..1)
+      first_name = omniauth_hash.dig('info', 'first_name')
+      last_name = omniauth_hash.dig('info', 'last_name')
+
+      user_data = { first_name: first_name, last_name: last_name,
+        ident: identity_code, country_code: country_code }
 
       find_or_create_by_user_data(user_data)
     end
 
-    def find_by_id_card(id_card)
-      registrant_ident = "#{id_card.country_code}-#{id_card.personal_code}"
-      username = [id_card.first_name, id_card.last_name].join("\s")
-
-      user = find_or_initialize_by(registrant_ident: registrant_ident)
-      user.username = username
-      user.save!
-      user
-    end
-
     private
 
     def find_or_create_by_user_data(user_data = {})

app/views/registrant/sessions/new.html.erb

@@ -8,11 +8,6 @@
             <%= t '.hint' %>
         </div>
         <br/>
-        <%= link_to '/registrant/login/mid' do %>
-            <%= image_tag 'mid.gif' %>
-        <% end %>
-        <%= link_to registrant_id_card_sign_in_path, method: :post do %>
-            <%= image_tag 'id_card.gif' %>
-        <% end %>
+        <%= link_to t(:sign_in), "/auth/rant_tara", method: :post, class: 'btn btn-lg btn-primary btn-block' %>
     </div>
-</div>
+</div>

config/application.yml.sample

@@ -163,6 +163,10 @@ tara_secret: 'secret'
 tara_redirect_uri: 'redirect_url'
 tara_keys: "{\"kty\":\"RSA\",\"kid\":\"de6cc4\",\"n\":\"jWwAjT_03ypme9ZWeSe7c-jY26NO50Wo5I1LBnPW2JLc0dPMj8v7y4ehiRpClYNTaSWcLd4DJmlKXDXXudEUWwXa7TtjBFJfzlZ-1u0tDvJ-H9zv9MzO7UhUFytztUEMTrtStdhGbzkzdEZZCgFYeo2i33eXxzIR1nGvI05d9Y-e_LHnNE2ZKTa89BC7ZiCXq5nfAaCgQna_knh4kFAX-KgiPRAtsiDHcAWKcBY3qUVcb-5XAX8p668MlGLukzsh5tFkQCbJVyNtmlbIHdbGvVHPb8C0H3oLYciv1Fjy_tS1lO7OT_cb3GVp6Ql-CG0uED_8pkpVtfsGRviub4_ElQ\",\"e\":\"AQAB\"}"
 
+tara_rant_identifier: 'identifier'
+tara_rant_secret: 'secret'
+tara_rant_redirect_uri: 'redirect_uri'
+
 # Since the keys for staging are absent from the repo, we need to supply them separate for testing.
 test:
   payments_seb_bank_certificate: 'test/fixtures/files/seb_bank_cert.pem'

config/initializers/omniauth.rb

@@ -16,6 +16,10 @@ identifier = ENV['tara_identifier']
 secret = ENV['tara_secret']
 redirect_uri = ENV['tara_redirect_uri']
 
+registrant_identifier = ENV['tara_rant_identifier']
+registrant_secret = ENV['tara_rant_secret']
+registrant_redirect_uri = ENV['tara_rant_redirect_uri']
+
 Rails.application.config.middleware.use OmniAuth::Builder do
   provider "tara", {
       callback_path: '/registrar/open_id/callback',
@@ -43,4 +47,31 @@ Rails.application.config.middleware.use OmniAuth::Builder do
           redirect_uri: redirect_uri,
       },
   }
+
+  provider "tara", {
+      callback_path: '/registrant/open_id/callback',
+      name: 'rant_tara',
+      scope: ['openid'],
+      state: Proc.new{ SecureRandom.hex(10) },
+      client_signing_alg: :RS256,
+      client_jwk_signing_key: signing_keys,
+      send_scope_to_token_endpoint: false,
+      send_nonce: true,
+      issuer: issuer,
+
+      client_options: {
+          scheme: 'https',
+          host: host,
+
+          authorization_endpoint: '/oidc/authorize',
+          token_endpoint: '/oidc/token',
+          userinfo_endpoint: nil, # Not implemented
+          jwks_uri: '/oidc/jwks',
+
+          # Registry
+          identifier: registrant_identifier,
+          secret: registrant_secret,
+          redirect_uri: registrant_redirect_uri,
+      },
+  }
 end

config/locales/registrant/sessions.en.yml

@@ -2,11 +2,7 @@ en:
   registrant:
     sessions:
       new:
-        header: Log in
+        header: Sign in with identity document
         hint:  >-
-          Access currently available only to Estonian citizens and e-residents with Estonian ID-card
-          or Mobile-ID.
-
-      login_mid:
-        header: Log in with mobile-id
-        submit_btn: Login
+          Sign in using Estonian (incl. e-residents) ID card, mobile ID,
+          Bank link or other EU citizen's electronic ID supported by EIDAS.

config/routes.rb

@@ -176,6 +176,9 @@ Rails.application.routes.draw do
       # Client certificate is asked only on login form submission, therefore the path must be different from the one in
       # `new_registrant_user_session_path` route, in case some other auth type will be implemented
       post 'id' => 'sessions#create', as: :id_card_sign_in
+      match '/open_id/callback', via: %i[get post], to: 'tara#callback', as: :tara_registrant_callback
+      match '/open_id/cancel', via: %i[get post delete], to: 'tara#cancel',
+            as: :tara_registrant_cancel
     end
 
     resources :registrars, only: :show