diff --git a/Gemfile b/Gemfile
index 15d5f779c..6ba54e871 100644
--- a/Gemfile
+++ b/Gemfile
@@ -54,6 +54,7 @@ gem 'digidoc_client', ref: '1645e83a5a548addce383f75703b0275c5310c32'
 
 
 # TARA
+gem 'omniauth'
 gem 'omniauth-rails_csrf_protection'
 gem 'omniauth-tara', github: 'internetee/omniauth-tara'
 
diff --git a/Gemfile.lock b/Gemfile.lock
index 574afc9df..1a45ed826 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -555,6 +555,7 @@ DEPENDENCIES
 minitest (~> 5.14)
 money-rails
 nokogiri
+ omniauth
 omniauth-rails_csrf_protection
 omniauth-tara!
 paper_trail (~> 10.3)
diff --git a/app/controllers/registrar/tara_controller.rb b/app/controllers/registrar/tara_controller.rb
index 0d0805e2d..5be54ec12 100644
--- a/app/controllers/registrar/tara_controller.rb
+++ b/app/controllers/registrar/tara_controller.rb
@@ -2,6 +2,8 @@ require 'tampering_detected'
 
 class Registrar
 class TaraController < ApplicationController
+ skip_authorization_check
+
 rescue_from Errors::TamperingDetected do
 redirect_to root_url, alert: t('auth.tara.tampering')
 end
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index d7b264495..12096bae7 100644
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@@ -2,7 +2,7 @@ require 'open3'
 
 class ApiUser < User
 include EppErrors
- devise :database_authenticatable, :trackable, :timeoutable, :id_card_authenticatable,
+ devise :database_authenticatable, :trackable, :timeoutable, #:id_card_authenticatable,
 authentication_keys: [:username]
 
 def epp_code_map
diff --git a/app/models/registrant_user.rb b/app/models/registrant_user.rb
index e7ce9cc3b..e739d4a9d 100644
--- a/app/models/registrant_user.rb
+++ b/app/models/registrant_user.rb
@@ -1,7 +1,7 @@
 class RegistrantUser < User
 attr_accessor :idc_data
- devise :trackable, :timeoutable, :id_card_authenticatable
+ devise :trackable, :timeoutable#, :id_card_authenticatable
 
 def ability
 @ability ||= Ability.new(self)
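Review bot: `skip_authorization_check` in Registrar::TaraController switches CanCan's check off for every action of the controller, while the hunk only shows the rescue_from and the class body continues outside it, so any non-callback action that exists or is added later silently loses the check too. Scoping it to the OmniAuth callback/cancel actions keeps the default for everything else, e.g. `skip_authorization_check only: %i[CALLBACK_ACTIONS]` (placeholder: substitute the controller's real action names). A one-line comment above the macro stating why it is needed would also help the next reader, e.g. `# The TARA callback runs before any user is signed in, so there is nothing to authorize yet.`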
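Review bot: The `#:id_card_authenticatable,` left inside ApiUser's devise argument list is dead code kept as a comment, and this commit does the same in app/models/registrant_user.rb, config/initializers/devise.rb and the whole of lib/devise/strategies/id_card_authenticatable.rb, so the disabled strategy now survives as commented fragments in four places while git history already holds the working version. The consistent fix is to drop the token (`devise :database_authenticatable, :trackable, :timeoutable,`), delete the commented requires/add_module lines and remove or delete the now-empty strategy file, which still declares an empty `Devise::Strategies::IdCardAuthenticatable` class. In registrant_user.rb the new line also has no space before the comment (`devise :trackable, :timeoutable#, :id_card_authenticatable`), which RuboCop flags. If ID-card login is meant to return, a `# TODO:` above the devise call naming the reason it is disabled documents the intent better than the commented code; both model hunks start inside class bodies that continue outside the hunk.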
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 6e13ea1f7..377166f29 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -43,7 +43,7 @@ Rails.application.configure do
 # config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]
 
 # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
- # config.force_ssl = true
+ config.force_ssl = true
 
 # Use the lowest log level to ensure availability of diagnostic information
 # when problems arise.
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 10f937f40..3c1a9015c 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -9,7 +9,7 @@ Devise.setup do |config|
 # Devise will use the `secret_key_base` as its `secret_key`
 # by default. You can change it below and use your own secret key.
 config.secret_key = ENV['devise_secret']
-
+
 # ==> Controller configuration
 # Configure the parent class to the devise controllers.
 # config.parent_controller = 'DeviseController'
@@ -281,9 +281,9 @@ Devise.setup do |config|
 # so you need to do it manually. For the users scope, it would be:
 # config.omniauth_path_prefix = '/my_engine/users/auth'
 
- require 'devise/models/id_card_authenticatable'
- require 'devise/strategies/id_card_authenticatable'
+ # require 'devise/models/id_card_authenticatable'
+ # require 'devise/strategies/id_card_authenticatable'
 
- routes = [nil, :new, :destroy]
- config.add_module :id_card_authenticatable, strategy: true, route: { session: routes }
+ # routes = [nil, :new, :destroy]
+ # config.add_module :id_card_authenticatable, strategy: true, route: { session: routes }
 end
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
index b99958efd..299ddceec 100644
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
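Review bot: `config.force_ssl = true` also makes Rails emit a Strict-Transport-Security header with the framework's default max-age, so after the first HTTPS visit browsers refuse plain HTTP to this host for that whole period; any remaining non-TLS path (health checks, internal callers) has to be dealt with before this ships, because it cannot be undone on the client side by reverting the line. Setting `config.ssl_options` explicitly next to it (HSTS `expires`/`subdomains`, and a `redirect: { exclude: ... }` lambda for a health-check path if one is needed) makes the policy deliberate instead of inherited from Rails defaults. The surrounding comment already describes what the flag does, so no further documentation is needed.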
@@ -1,20 +1,20 @@
 OpenIDConnect.logger = Rails.logger
 OpenIDConnect.debug!
 
-OpenIDConnect.http_config do |config|
- config.proxy = AuctionCenter::Application.config.customization.dig(:tara, :proxy)
-end
+OmniAuth.config.on_failure = Proc.new { |env|
+ OmniAuth::FailureEndpoint.new(env).redirect_to_failure
+}
 
 OmniAuth.config.logger = Rails.logger
 # Block GET requests to avoid exposing self to CVE-2015-9284
 OmniAuth.config.allowed_request_methods = [:post]
 
-signing_keys = "{\"kty\":\"RSA\",\"kid\":\"de6cc4\",\"n\":\"jWwAjT_03ypme9ZWeSe7c-jY26NO50Wo5I1LBnPW2JLc0dPMj8v7y4ehiRpClYNTaSWcLd4DJmlKXDXXudEUWwXa7TtjBFJfzlZ-1u0tDvJ-H9zv9MzO7UhUFytztUEMTrtStdhGbzkzdEZZCgFYeo2i33eXxzIR1nGvI05d9Y-e_LHnNE2ZKTa89BC7ZiCXq5nfAaCgQna_knh4kFAX-KgiPRAtsiDHcAWKcBY3qUVcb-5XAX8p668MlGLukzsh5tFkQCbJVyNtmlbIHdbGvVHPb8C0H3oLYciv1Fjy_tS1lO7OT_cb3GVp6Ql-CG0uED_8pkpVtfsGRviub4_ElQ\",\"e\":\"AQAB\"}"
-issuer = 'https://tara-test.ria.ee'
-host = 'tara-test.ria.ee'
-identifier = 'registripidaja_test'
-secret = 'MdNnRBmc1JrDJUe_9h4qy52d'
-redirect_uri = 'https://st-rar.infra.tld.ee/registrar/open_id/callback'
+signing_keys = ENV['tara_keys']
+issuer = ENV['tara_issuer']
+host = ENV['tara_host']
+identifier = ENV['tara_identifier']
+secret = ENV['tara_secret']
+redirect_uri = ENV['tara_redirect_uri']
 
 Rails.application.config.middleware.use OmniAuth::Builder do
 provider "tara", {
@@ -36,7 +36,7 @@ Rails.application.config.middleware.use OmniAuth::Builder do
 userinfo_endpoint: nil, # Not implemented
 jwks_uri: '/oidc/jwks',
 
- # Auction
+ # Registry
 identifier: identifier,
 secret: secret,
 redirect_uri: redirect_uri,
diff --git a/lib/devise/strategies/id_card_authenticatable.rb b/lib/devise/strategies/id_card_authenticatable.rb
index ec26bb4d9..5ee6bf75d 100644
--- a/lib/devise/strategies/id_card_authenticatable.rb
+++ b/lib/devise/strategies/id_card_authenticatable.rb
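Review bot: Each `ENV['tara_*']` read in the first hunk returns nil when the variable is unset, so a misconfigured deploy boots with a provider whose issuer, client id and secret are all nil and only fails at the first login, which is hard to diagnose; `secret = ENV.fetch('tara_secret')` (and the same for the other five assignments) raises KeyError at boot, which is the behaviour wanted for credentials. The literal client secret and test-issuer values this hunk removes remain in git history, so the client secret should be treated as exposed and rotated at the identity provider independently of this change. `OpenIDConnect.debug!` stays unconditional in the same initializer and, as far as I recall, turns on dumping of the HTTP exchanges with the provider into Rails.logger, so guarding it with `if Rails.env.development?` or equivalent is worth doing before this reaches production. Stylistically, `OmniAuth.config.on_failure = ->(env) { OmniAuth::FailureEndpoint.new(env).redirect_to_failure }` is the preferred form over `Proc.new { |env| ... }`.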
@@ -1,49 +1,49 @@
 module Devise
 module Strategies
 class IdCardAuthenticatable < Devise::Strategies::Authenticatable
- def valid?
- env['SSL_CLIENT_S_DN_CN'].present?
- end
-
- def authenticate!
- resource = mapping.to
- user = resource.find_by_id_card(id_card)
-
- if user
- success!(user)
- else
- fail
- end
- end
-
- private
-
- def id_card
- id_card = IdCard.new
- id_card.first_name = first_name
- id_card.last_name = last_name
- id_card.personal_code = personal_code
- id_card.country_code = country_code
- id_card
- end
-
- def first_name
- env['SSL_CLIENT_S_DN_CN'].split(',').second.force_encoding('utf-8')
- end
-
- def last_name
- env['SSL_CLIENT_S_DN_CN'].split(',').first.force_encoding('utf-8')
- end
-
- def personal_code
- env['SSL_CLIENT_S_DN_CN'].split(',').last
- end
-
- def country_code
- env['SSL_CLIENT_I_DN_C']
- end
+ # def valid?
+ # env['SSL_CLIENT_S_DN_CN'].present?
+ # end
+ #
+ # def authenticate!
+ # resource = mapping.to
+ # user = resource.find_by_id_card(id_card)
+ #
+ # if user
+ # success!(user)
+ # else
+ # fail
+ # end
+ # end
+ #
+ # private
+ #
+ # def id_card
+ # id_card = IdCard.new
+ # id_card.first_name = first_name
+ # id_card.last_name = last_name
+ # id_card.personal_code = personal_code
+ # id_card.country_code = country_code
+ # id_card
+ # end
+ #
+ # def first_name
+ # env['SSL_CLIENT_S_DN_CN'].split(',').second.force_encoding('utf-8')
+ # end
+ #
+ # def last_name
+ # env['SSL_CLIENT_S_DN_CN'].split(',').first.force_encoding('utf-8')
+ # end
+ #
+ # def personal_code
+ # env['SSL_CLIENT_S_DN_CN'].split(',').last
+ # end
+ #
+ # def country_code
+ # env['SSL_CLIENT_I_DN_C']
+ # end
 end
 end
 end
 
-Warden::Strategies.add(:id_card_authenticatable, Devise::Strategies::IdCardAuthenticatable)
\ No newline at end of file
+# Warden::Strategies.add(:id_card_authenticatable, Devise::Strategies::IdCardAuthenticatable)