Set OmniAuth on failure config

Alex Sherman 2020-09-25 13:20:27 +05:00
parent d256aa357e
commit 227c2f100d
9 changed files with 64 additions and 60 deletions


@ -54,6 +54,7 @@ gem 'digidoc_client',
ref: '1645e83a5a548addce383f75703b0275c5310c32'
# TARA
gem 'omniauth'
gem 'omniauth-rails_csrf_protection'
gem 'omniauth-tara', github: 'internetee/omniauth-tara'


@ -555,6 +555,7 @@ DEPENDENCIES
minitest (~> 5.14)
money-rails
nokogiri
omniauth
omniauth-rails_csrf_protection
omniauth-tara!
paper_trail (~> 10.3)


@ -2,6 +2,8 @@ require 'tampering_detected'
class Registrar
class TaraController < ApplicationController
skip_authorization_check
rescue_from Errors::TamperingDetected do
redirect_to root_url, alert: t('auth.tara.tampering')
end
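Review bot: The `rescue_from Errors::TamperingDetected` handler only redirects with the `auth.tara.tampering` alert; a tampering detection on the TARA callback is a security event, so it should also be recorded before the redirect, e.g. `Rails.logger.warn("TARA tampering detected from #{request.remote_ip}")`, otherwise these occurrences stay invisible to operations. Whether the handler itself or only `skip_authorization_check` is what this hunk adds is not certain from the rendering. The controller body continues outside the hunk.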


@ -2,7 +2,7 @@ require 'open3'
class ApiUser < User
include EppErrors
devise :database_authenticatable, :trackable, :timeoutable, :id_card_authenticatable,
devise :database_authenticatable, :trackable, :timeoutable, #:id_card_authenticatable,
authentication_keys: [:username]
def epp_code_map
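Review bot: The `:id_card_authenticatable` module appears to be disabled by commenting it out inside a live `devise` argument list (`devise :database_authenticatable, :trackable, :timeoutable, #:id_card_authenticatable,`), which leaves a dead token in the call and hides an authentication-surface change that the commit title ("Set OmniAuth on failure config") does not mention. The same pattern recurs in `RegistrantUser`, in the Devise initializer (the two `require` lines and `config.add_module :id_card_authenticatable`), and across the whole body of `Devise::Strategies::IdCardAuthenticatable` together with its `Warden::Strategies.add` registration. Since git history already preserves the old code, I would delete the commented lines outright, `devise :database_authenticatable, :trackable, :timeoutable,`, and say in the commit message that ID-card authentication is being retired in favour of TARA, or, if this is temporary, leave a dated `# TODO` stating when it returns. The class body continues outside the hunk.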


@ -1,7 +1,7 @@
class RegistrantUser < User
attr_accessor :idc_data
devise :trackable, :timeoutable, :id_card_authenticatable
devise :trackable, :timeoutable#, :id_card_authenticatable
def ability
@ability ||= Ability.new(self)


@ -43,7 +43,7 @@ Rails.application.configure do
# config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]
# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
# config.force_ssl = true
config.force_ssl = true
# Use the lowest log level to ensure availability of diagnostic information
# when problems arise.
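Review bot: `config.force_ssl = true` also enables HSTS and secure cookie flags through `ActionDispatch::SSL`, so if TLS is terminated at a reverse proxy, confirm the proxy forwards `X-Forwarded-Proto`; otherwise the middleware sees plain HTTP and redirect-loops. Consider setting `config.ssl_options` explicitly (the HSTS `max-age` and whether `preload` is wanted) instead of relying on the defaults, and keep in mind that once browsers have seen the HSTS header the change is effectively one-way for this host. Which environment file this is cannot be seen from the hunk.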


@ -281,9 +281,9 @@ Devise.setup do |config|
# so you need to do it manually. For the users scope, it would be:
# config.omniauth_path_prefix = '/my_engine/users/auth'
require 'devise/models/id_card_authenticatable'
require 'devise/strategies/id_card_authenticatable'
# require 'devise/models/id_card_authenticatable'
# require 'devise/strategies/id_card_authenticatable'
routes = [nil, :new, :destroy]
config.add_module :id_card_authenticatable, strategy: true, route: { session: routes }
# routes = [nil, :new, :destroy]
# config.add_module :id_card_authenticatable, strategy: true, route: { session: routes }
end


@ -1,20 +1,20 @@
OpenIDConnect.logger = Rails.logger
OpenIDConnect.debug!
OpenIDConnect.http_config do |config|
config.proxy = AuctionCenter::Application.config.customization.dig(:tara, :proxy)
end
OmniAuth.config.on_failure = Proc.new { |env|
OmniAuth::FailureEndpoint.new(env).redirect_to_failure
}
OmniAuth.config.logger = Rails.logger
# Block GET requests to avoid exposing self to CVE-2015-9284
OmniAuth.config.allowed_request_methods = [:post]
signing_keys = "{\"kty\":\"RSA\",\"kid\":\"de6cc4\",\"n\":\"jWwAjT_03ypme9ZWeSe7c-jY26NO50Wo5I1LBnPW2JLc0dPMj8v7y4ehiRpClYNTaSWcLd4DJmlKXDXXudEUWwXa7TtjBFJfzlZ-1u0tDvJ-H9zv9MzO7UhUFytztUEMTrtStdhGbzkzdEZZCgFYeo2i33eXxzIR1nGvI05d9Y-e_LHnNE2ZKTa89BC7ZiCXq5nfAaCgQna_knh4kFAX-KgiPRAtsiDHcAWKcBY3qUVcb-5XAX8p668MlGLukzsh5tFkQCbJVyNtmlbIHdbGvVHPb8C0H3oLYciv1Fjy_tS1lO7OT_cb3GVp6Ql-CG0uED_8pkpVtfsGRviub4_ElQ\",\"e\":\"AQAB\"}"
issuer = 'https://tara-test.ria.ee'
host = 'tara-test.ria.ee'
identifier = 'registripidaja_test'
secret = 'MdNnRBmc1JrDJUe_9h4qy52d'
redirect_uri = 'https://st-rar.infra.tld.ee/registrar/open_id/callback'
signing_keys = ENV['tara_keys']
issuer = ENV['tara_issuer']
host = ENV['tara_host']
identifier = ENV['tara_identifier']
secret = ENV['tara_secret']
redirect_uri = ENV['tara_redirect_uri']
Rails.application.config.middleware.use OmniAuth::Builder do
provider "tara", {
@ -36,7 +36,7 @@ Rails.application.config.middleware.use OmniAuth::Builder do
userinfo_endpoint: nil, # Not implemented
jwks_uri: '/oidc/jwks',
# Auction
# Registry
identifier: identifier,
secret: secret,
redirect_uri: redirect_uri,
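Review bot: The new configuration reads every value with `ENV['…']`, which yields `nil` silently when a variable is unset, so a misconfigured host boots with a `nil` `secret` or `signing_keys` and fails obscurely during the OIDC handshake; `secret = ENV.fetch('tara_secret')` (and likewise for the other five keys) turns the missing variable into a boot-time `KeyError`. The removed lines held a client secret in a tracked initializer; moving it to the environment does not remove it from git history, so that secret should be rotated with the identity provider and the old value treated as exposed. The `OmniAuth::Builder` block continues outside the hunk.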


@ -1,49 +1,49 @@
module Devise
module Strategies
class IdCardAuthenticatable < Devise::Strategies::Authenticatable
def valid?
env['SSL_CLIENT_S_DN_CN'].present?
end
def authenticate!
resource = mapping.to
user = resource.find_by_id_card(id_card)
if user
success!(user)
else
fail
end
end
private
def id_card
id_card = IdCard.new
id_card.first_name = first_name
id_card.last_name = last_name
id_card.personal_code = personal_code
id_card.country_code = country_code
id_card
end
def first_name
env['SSL_CLIENT_S_DN_CN'].split(',').second.force_encoding('utf-8')
end
def last_name
env['SSL_CLIENT_S_DN_CN'].split(',').first.force_encoding('utf-8')
end
def personal_code
env['SSL_CLIENT_S_DN_CN'].split(',').last
end
def country_code
env['SSL_CLIENT_I_DN_C']
end
# def valid?
# env['SSL_CLIENT_S_DN_CN'].present?
# end
#
# def authenticate!
# resource = mapping.to
# user = resource.find_by_id_card(id_card)
#
# if user
# success!(user)
# else
# fail
# end
# end
#
# private
#
# def id_card
# id_card = IdCard.new
# id_card.first_name = first_name
# id_card.last_name = last_name
# id_card.personal_code = personal_code
# id_card.country_code = country_code
# id_card
# end
#
# def first_name
# env['SSL_CLIENT_S_DN_CN'].split(',').second.force_encoding('utf-8')
# end
#
# def last_name
# env['SSL_CLIENT_S_DN_CN'].split(',').first.force_encoding('utf-8')
# end
#
# def personal_code
# env['SSL_CLIENT_S_DN_CN'].split(',').last
# end
#
# def country_code
# env['SSL_CLIENT_I_DN_C']
# end
end
end
end
Warden::Strategies.add(:id_card_authenticatable, Devise::Strategies::IdCardAuthenticatable)
# Warden::Strategies.add(:id_card_authenticatable, Devise::Strategies::IdCardAuthenticatable)