Merge branch 'master' into log-bounced-emails

2025-08-06 01:35:10 +02:00 · 2020-10-27 11:31:48 +02:00 · 2020-10-27 11:31:48 +02:00 · 34b4a7fbeb
commit 34b4a7fbeb
parent 574846c626 a7587b9c4f
70 changed files with 790 additions and 4967 deletions
--- a/config/application.yml.sample
+++ b/config/application.yml.sample
@ -159,6 +159,20 @@ lhv_dev_mode: 'false'
 epp_session_timeout_seconds: '300'
 contact_archivation_log_file_dir:

+tara_host: 'tara-test.ria.ee'
+tara_issuer: 'https://tara-test.ria.ee'
+tara_identifier: 'identifier'
+tara_secret: 'secret'
+tara_redirect_uri: 'redirect_url'
+tara_keys: "{\"kty\":\"RSA\",\"kid\":\"de6cc4\",\"n\":\"jWwAjT_03ypme9ZWeSe7c-jY26NO50Wo5I1LBnPW2JLc0dPMj8v7y4ehiRpClYNTaSWcLd4DJmlKXDXXudEUWwXa7TtjBFJfzlZ-1u0tDvJ-H9zv9MzO7UhUFytztUEMTrtStdhGbzkzdEZZCgFYeo2i33eXxzIR1nGvI05d9Y-e_LHnNE2ZKTa89BC7ZiCXq5nfAaCgQna_knh4kFAX-KgiPRAtsiDHcAWKcBY3qUVcb-5XAX8p668MlGLukzsh5tFkQCbJVyNtmlbIHdbGvVHPb8C0H3oLYciv1Fjy_tS1lO7OT_cb3GVp6Ql-CG0uED_8pkpVtfsGRviub4_ElQ\",\"e\":\"AQAB\"}"
+
+tara_rant_identifier: 'identifier'
+tara_rant_secret: 'secret'
+tara_rant_redirect_uri: 'redirect_uri'
+
+default_email_validation_type: 'regex'
+
+
 # Since the keys for staging are absent from the repo, we need to supply them separate for testing.
 test:
  payments_seb_bank_certificate: 'test/fixtures/files/seb_bank_cert.pem'
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@ -43,7 +43,7 @@ Rails.application.configure do
  # config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]

  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
-  # config.force_ssl = true
+  config.force_ssl = false

  # Use the lowest log level to ensure availability of diagnostic information
  # when problems arise.
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@ -9,7 +9,7 @@ Devise.setup do |config|
  # Devise will use the `secret_key_base` as its `secret_key`
  # by default. You can change it below and use your own secret key.
  config.secret_key = ENV['devise_secret']
-  
+
  # ==> Controller configuration
  # Configure the parent class to the devise controllers.
  # config.parent_controller = 'DeviseController'
@ -280,10 +280,4 @@ Devise.setup do |config|
  # When using OmniAuth, Devise cannot automatically set OmniAuth path,
  # so you need to do it manually. For the users scope, it would be:
  # config.omniauth_path_prefix = '/my_engine/users/auth'
-
-  require 'devise/models/id_card_authenticatable'
-  require 'devise/strategies/id_card_authenticatable'
-
-  routes = [nil, :new, :destroy]
-  config.add_module :id_card_authenticatable, strategy: true, route: { session: routes }
 end
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@ -0,0 +1,76 @@
+OpenIDConnect.logger = Rails.logger
+OpenIDConnect.debug!
+
+OmniAuth.config.on_failure = Proc.new { |env|
+  OmniAuth::FailureEndpoint.new(env).redirect_to_failure
+}
+
+OmniAuth.config.logger = Rails.logger
+# Block GET requests to avoid exposing self to CVE-2015-9284
+OmniAuth.config.allowed_request_methods = [:post]
+
+signing_keys = ENV['tara_keys']
+issuer = ENV['tara_issuer']
+host = ENV['tara_host']
+identifier = ENV['tara_identifier']
+secret = ENV['tara_secret']
+redirect_uri = ENV['tara_redirect_uri']
+
+registrant_identifier = ENV['tara_rant_identifier']
+registrant_secret = ENV['tara_rant_secret']
+registrant_redirect_uri = ENV['tara_rant_redirect_uri']
+
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider "tara", {
+      callback_path: '/registrar/open_id/callback',
+      name: 'tara',
+      scope: ['openid'],
+      state: Proc.new{ SecureRandom.hex(10) },
+      client_signing_alg: :RS256,
+      client_jwk_signing_key: signing_keys,
+      send_scope_to_token_endpoint: false,
+      send_nonce: true,
+      issuer: issuer,
+
+      client_options: {
+          scheme: 'https',
+          host: host,
+
+          authorization_endpoint: '/oidc/authorize',
+          token_endpoint: '/oidc/token',
+          userinfo_endpoint: nil, # Not implemented
+          jwks_uri: '/oidc/jwks',
+
+          # Registry
+          identifier: identifier,
+          secret: secret,
+          redirect_uri: redirect_uri,
+      },
+  }
+
+  provider "tara", {
+      callback_path: '/registrant/open_id/callback',
+      name: 'rant_tara',
+      scope: ['openid'],
+      client_signing_alg: :RS256,
+      client_jwk_signing_key: signing_keys,
+      send_scope_to_token_endpoint: false,
+      send_nonce: true,
+      issuer: issuer,
+
+      client_options: {
+          scheme: 'https',
+          host: host,
+
+          authorization_endpoint: '/oidc/authorize',
+          token_endpoint: '/oidc/token',
+          userinfo_endpoint: nil, # Not implemented
+          jwks_uri: '/oidc/jwks',
+
+          # Registry
+          identifier: registrant_identifier,
+          secret: registrant_secret,
+          redirect_uri: registrant_redirect_uri,
+      },
+  }
+end
--- a/config/initializers/truemail.rb
+++ b/config/initializers/truemail.rb
@ -28,7 +28,10 @@ Truemail.configure do |config|
  # Optional parameter. You can predefine default validation type for
  # Truemail.validate('email@email.com') call without with-parameter
  # Available validation types: :regex, :mx, :smtp
-  if Rails.env.production?
+  if ENV['default_email_validation_type'].present? &&
+      %w[regex mx smtp].include?(ENV['default_email_validation_type'])
+    config.default_validation_type = ENV['default_email_validation_type'].to_sym
+  elsif Rails.env.production?
    config.default_validation_type = :mx
  else
    config.default_validation_type = :regex
--- a/config/locales/account_activities.en.yml
+++ b/config/locales/account_activities.en.yml
@ -2,4 +2,4 @@ en:
  activerecord:
    attributes:
      account_activity:
-        created_at: Receipt date
+        created_at: Receipt date
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -295,6 +295,8 @@ en:

  authentication_error: 'Authentication error'

+  sign_in_cancelled: "Sign in cancelled"
+
  transfer_requested: 'Transfer requested.'
  message_was_not_found: 'Message was not found'
  only_one_parameter_allowed: 'Only one parameter allowed: %{param_1} or %{param_2}'
@ -658,3 +660,5 @@ en:
    ipv6: IPv6
    reference_no: Reference number
    iban: IBAN
+  sign_in: "Sign in"
+  signed_in_successfully: "Signed in successfully"
--- a/config/locales/registrant/sessions.en.yml
+++ b/config/locales/registrant/sessions.en.yml
@ -2,11 +2,7 @@ en:
  registrant:
    sessions:
      new:
-        header: Log in
+        header: Sign in with identity document
        hint:  >-
-          Access currently available only to Estonian citizens and e-residents with Estonian ID-card
-          or Mobile-ID.
-
-      login_mid:
-        header: Log in with mobile-id
-        submit_btn: Login
+          Sign in using Estonian (incl. e-residents) ID card, mobile ID,
+          Bank link or other EU citizen's electronic ID supported by EIDAS.
--- a/config/locales/registrar/sessions.en.yml
+++ b/config/locales/registrar/sessions.en.yml
@ -4,6 +4,14 @@ en:
      new:
        header_html: Eesti Interneti SA<br>Registrar Portal
        submit_btn: Login
+        sign_in_with_identity_document: "Sign in with identity document"
+        identity_document_text: |
+          Sign in using Estonian (incl. e-residents) ID card, mobile ID,
+          Bank link or other EU citizen's electronic ID supported by EIDAS.
      login_mid:
        header: Log in with mobile-id
        submit_btn: Login
+    tara:
+      callback:
+        header_html: "Eesti Interneti SA<br>Registrar Portal"
+        submit_btn: Login
--- a/config/locales/tara.en.yml
+++ b/config/locales/tara.en.yml
@ -0,0 +1,14 @@
+en:
+  auth:
+    tara:
+      tampering: "Tampering detected. Sign in cancelled."
+
+      callback:
+        title: "Create a user"
+        errors: "prohibited this user from being saved"
+
+      form:
+        contact_data: "Contact Data"
+        data_from_identity_document: "Data from identity document"
+        new_password: "New password"
+        sign_up: "Sign up"
--- a/config/locales/tara.et.yml
+++ b/config/locales/tara.et.yml
@ -0,0 +1,14 @@
+et:
+  auth:
+    tara:
+      tampering: "Avastatud urkimine. Sisselogimine tühistatud."
+
+      callback:
+        title: "Loo kasutaja"
+        errors: "seda kasutajat ei saa salvestada"
+
+      form:
+        contact_data: "Kontaktandmed"
+        data_from_identity_document: "Andmed elektroonselt isikutunnistuselt"
+        new_password: "Uus salasõna"
+        sign_up: "Registreeru"
--- a/config/routes.rb
+++ b/config/routes.rb
@ -61,6 +61,7 @@ Rails.application.routes.draw do
          resource :registry_lock, only: %i[create destroy]
        end
        resources :contacts, only: %i[index show update], param: :uuid
+        resources :companies, only: %i[index]
      end

      resources :auctions, only: %i[index show update], param: :uuid
@ -77,17 +78,6 @@ Rails.application.routes.draw do

    devise_for :users, path: '', class_name: 'ApiUser', skip: %i[sessions]

-    devise_scope :registrar_user do
-      get 'login/mid' => 'sessions#login_mid'
-      post 'login/mid' => 'sessions#mid'
-      post 'login/mid_status' => 'sessions#mid_status'
-
-      # /registrar/id path is hardcoded in Apache config for authentication with Estonian ID-card
-      post 'id' => 'sessions#id_card', as: :id_card_sign_in
-
-      post 'mid' => 'sessions#mid'
-    end
-
    resources :invoices, except: %i[new create edit update destroy] do
      resource :delivery, controller: 'invoices/delivery', only: %i[new create]

@ -164,6 +154,22 @@ Rails.application.routes.draw do
      post 'sessions', to: 'registrar/sessions#create', as: :registrar_user_session

      delete 'sign_out', to: 'registrar/sessions#destroy', as: :destroy_registrar_user_session
+
+      # TARA
+      match '/open_id/callback', via: %i[get post], to: 'sso/tara#registrar_callback'
+      match '/open_id/cancel', via: %i[get post delete], to: 'sso/tara#cancel'
+    end
+  end
+
+  scope :registrant do
+    devise_scope :registrant_user do
+      get 'sign_in', to: 'registrant/sessions#new', as: :new_registrant_user_session
+      post 'sessions', to: 'registrant/sessions#create', as: :registrant_user_session
+      delete 'sign_out', to: 'registrant/sessions#destroy', as: :destroy_registrant_user_session
+
+      # TARA
+      match '/open_id/callback', via: %i[get post], to: 'sso/tara#registrant_callback'
+      match '/open_id/cancel', via: %i[get post delete], to: 'sso/tara#cancel'
    end
  end

@ -172,19 +178,9 @@ Rails.application.routes.draw do

    # POST /registrant/sign_in is not used
    devise_for :users, path: '', class_name: 'RegistrantUser'
-    devise_scope :registrant_user do
-      get 'login/mid' => 'sessions#login_mid'
-      post 'login/mid' => 'sessions#mid'
-      post 'login/mid_status' => 'sessions#mid_status'
-      post 'mid' => 'sessions#mid'
-
-      # /registrant/id path is hardcoded in Apache config for authentication with Estonian ID-card
-      # Client certificate is asked only on login form submission, therefore the path must be different from the one in
-      # `new_registrant_user_session_path` route, in case some other auth type will be implemented
-      post 'id' => 'sessions#create', as: :id_card_sign_in
-    end

    resources :registrars, only: :show
+    # resources :companies, only: :index
    resources :domains, only: %i[index show] do
      resources :contacts, only: %i[show edit update]
      member do