Set OmniAuth on failure config

Gemfile

@@ -54,6 +54,7 @@ gem 'digidoc_client',
     ref: '1645e83a5a548addce383f75703b0275c5310c32'
 
 # TARA
+gem 'omniauth'
 gem 'omniauth-rails_csrf_protection'
 gem 'omniauth-tara', github: 'internetee/omniauth-tara'
 

Gemfile.lock

@@ -555,6 +555,7 @@ DEPENDENCIES
   minitest (~> 5.14)
   money-rails
   nokogiri
+  omniauth
   omniauth-rails_csrf_protection
   omniauth-tara!
   paper_trail (~> 10.3)

app/controllers/registrar/tara_controller.rb

@@ -2,6 +2,8 @@ require 'tampering_detected'
 
 class Registrar
   class TaraController < ApplicationController
+    skip_authorization_check
+
     rescue_from Errors::TamperingDetected do
       redirect_to root_url, alert: t('auth.tara.tampering')
     end

app/models/api_user.rb

@@ -2,7 +2,7 @@ require 'open3'
 
 class ApiUser < User
   include EppErrors
-  devise :database_authenticatable, :trackable, :timeoutable, :id_card_authenticatable,
+  devise :database_authenticatable, :trackable, :timeoutable, #:id_card_authenticatable,
          authentication_keys: [:username]
 
   def epp_code_map

app/models/registrant_user.rb

@@ -1,7 +1,7 @@
 class RegistrantUser < User
   attr_accessor :idc_data
 
-  devise :trackable, :timeoutable, :id_card_authenticatable
+  devise :trackable, :timeoutable#, :id_card_authenticatable
 
   def ability
     @ability ||= Ability.new(self)

config/environments/production.rb

@@ -43,7 +43,7 @@ Rails.application.configure do
   # config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
-  # config.force_ssl = true
+  config.force_ssl = true
 
   # Use the lowest log level to ensure availability of diagnostic information
   # when problems arise.

config/initializers/devise.rb

@@ -9,7 +9,7 @@ Devise.setup do |config|
   # Devise will use the `secret_key_base` as its `secret_key`
   # by default. You can change it below and use your own secret key.
   config.secret_key = ENV['devise_secret']
-  
+
   # ==> Controller configuration
   # Configure the parent class to the devise controllers.
   # config.parent_controller = 'DeviseController'
@@ -281,9 +281,9 @@ Devise.setup do |config|
   # so you need to do it manually. For the users scope, it would be:
   # config.omniauth_path_prefix = '/my_engine/users/auth'
 
-  require 'devise/models/id_card_authenticatable'
+  # require 'devise/models/id_card_authenticatable'
-  require 'devise/strategies/id_card_authenticatable'
+  # require 'devise/strategies/id_card_authenticatable'
 
-  routes = [nil, :new, :destroy]
+  # routes = [nil, :new, :destroy]
-  config.add_module :id_card_authenticatable, strategy: true, route: { session: routes }
+  # config.add_module :id_card_authenticatable, strategy: true, route: { session: routes }
 end

config/initializers/omniauth.rb

@@ -1,20 +1,20 @@
 OpenIDConnect.logger = Rails.logger
 OpenIDConnect.debug!
 
-OpenIDConnect.http_config do |config|
+OmniAuth.config.on_failure = Proc.new { |env|
-  config.proxy  = AuctionCenter::Application.config.customization.dig(:tara, :proxy)
+  OmniAuth::FailureEndpoint.new(env).redirect_to_failure
-end
+}
 
 OmniAuth.config.logger = Rails.logger
 # Block GET requests to avoid exposing self to CVE-2015-9284
 OmniAuth.config.allowed_request_methods = [:post]
 
-signing_keys = "{\"kty\":\"RSA\",\"kid\":\"de6cc4\",\"n\":\"jWwAjT_03ypme9ZWeSe7c-jY26NO50Wo5I1LBnPW2JLc0dPMj8v7y4ehiRpClYNTaSWcLd4DJmlKXDXXudEUWwXa7TtjBFJfzlZ-1u0tDvJ-H9zv9MzO7UhUFytztUEMTrtStdhGbzkzdEZZCgFYeo2i33eXxzIR1nGvI05d9Y-e_LHnNE2ZKTa89BC7ZiCXq5nfAaCgQna_knh4kFAX-KgiPRAtsiDHcAWKcBY3qUVcb-5XAX8p668MlGLukzsh5tFkQCbJVyNtmlbIHdbGvVHPb8C0H3oLYciv1Fjy_tS1lO7OT_cb3GVp6Ql-CG0uED_8pkpVtfsGRviub4_ElQ\",\"e\":\"AQAB\"}"
+signing_keys = ENV['tara_keys']
-issuer = 'https://tara-test.ria.ee'
+issuer = ENV['tara_issuer']
-host = 'tara-test.ria.ee'
+host = ENV['tara_host']
-identifier = 'registripidaja_test'
+identifier = ENV['tara_identifier']
-secret = 'MdNnRBmc1JrDJUe_9h4qy52d'
+secret = ENV['tara_secret']
-redirect_uri = 'https://st-rar.infra.tld.ee/registrar/open_id/callback'
+redirect_uri = ENV['tara_redirect_uri']
 
 Rails.application.config.middleware.use OmniAuth::Builder do
   provider "tara", {
@@ -36,7 +36,7 @@ Rails.application.config.middleware.use OmniAuth::Builder do
           userinfo_endpoint: nil, # Not implemented
           jwks_uri: '/oidc/jwks',
 
-          # Auction
+          # Registry
           identifier: identifier,
           secret: secret,
           redirect_uri: redirect_uri,

lib/devise/strategies/id_card_authenticatable.rb

@@ -1,49 +1,49 @@
 module Devise
   module Strategies
     class IdCardAuthenticatable < Devise::Strategies::Authenticatable
-      def valid?
+      # def valid?
-        env['SSL_CLIENT_S_DN_CN'].present?
+      #   env['SSL_CLIENT_S_DN_CN'].present?
-      end
+      # end
-
+      #
-      def authenticate!
+      # def authenticate!
-        resource = mapping.to
+      #   resource = mapping.to
-        user = resource.find_by_id_card(id_card)
+      #   user = resource.find_by_id_card(id_card)
-
+      #
-        if user
+      #   if user
-          success!(user)
+      #     success!(user)
-        else
+      #   else
-          fail
+      #     fail
-        end
+      #   end
-      end
+      # end
-
+      #
-      private
+      # private
-
+      #
-      def id_card
+      # def id_card
-        id_card = IdCard.new
+      #   id_card = IdCard.new
-        id_card.first_name = first_name
+      #   id_card.first_name = first_name
-        id_card.last_name = last_name
+      #   id_card.last_name = last_name
-        id_card.personal_code = personal_code
+      #   id_card.personal_code = personal_code
-        id_card.country_code = country_code
+      #   id_card.country_code = country_code
-        id_card
+      #   id_card
-      end
+      # end
-
+      #
-      def first_name
+      # def first_name
-        env['SSL_CLIENT_S_DN_CN'].split(',').second.force_encoding('utf-8')
+      #   env['SSL_CLIENT_S_DN_CN'].split(',').second.force_encoding('utf-8')
-      end
+      # end
-
+      #
-      def last_name
+      # def last_name
-        env['SSL_CLIENT_S_DN_CN'].split(',').first.force_encoding('utf-8')
+      #   env['SSL_CLIENT_S_DN_CN'].split(',').first.force_encoding('utf-8')
-      end
+      # end
-
+      #
-      def personal_code
+      # def personal_code
-        env['SSL_CLIENT_S_DN_CN'].split(',').last
+      #   env['SSL_CLIENT_S_DN_CN'].split(',').last
-      end
+      # end
-
+      #
-      def country_code
+      # def country_code
-        env['SSL_CLIENT_I_DN_C']
+      #   env['SSL_CLIENT_I_DN_C']
-      end
+      # end
     end
   end
 end
 
-Warden::Strategies.add(:id_card_authenticatable, Devise::Strategies::IdCardAuthenticatable)
+# Warden::Strategies.add(:id_card_authenticatable, Devise::Strategies::IdCardAuthenticatable)