Add Omniauth-Tara gem/initializer

Alex Sherman 2020-09-15 11:32:58 +05:00
parent 7b6060b4fb
commit 3e67ff4d65
4 changed files with 113 additions and 3 deletions


@ -53,6 +53,10 @@ gem 'digidoc_client',
github: 'tarmotalu/digidoc_client',
ref: '1645e83a5a548addce383f75703b0275c5310c32'
# TARA
gem 'omniauth-rails_csrf_protection'
gem 'omniauth-tara', github: 'internetee/omniauth-tara'
gem 'epp', github: 'internetee/epp', branch: :master
gem 'epp-xml', '1.1.0', github: 'internetee/epp-xml'
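Review bot: The new `gem 'omniauth-tara', github: 'internetee/omniauth-tara'` line tracks the repository's default branch head, while the neighbouring `digidoc_client` entry pins an explicit `ref:`. The Gemfile.lock hunk does record revision `cec845ec3794532144c4976104a07e206d759aa6`, so installs are reproducible only until the next `bundle update`, after which the dependency silently follows whatever lands on that branch. Pinning it the same way as its neighbour — `gem 'omniauth-tara', github: 'internetee/omniauth-tara', ref: 'cec845ec3794532144c4976104a07e206d759aa6'` — keeps an upgrade of this authentication strategy an explicit, reviewable change.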


@ -52,6 +52,15 @@ GIT
logger
nokogiri
GIT
remote: https://github.com/internetee/omniauth-tara.git
revision: cec845ec3794532144c4976104a07e206d759aa6
specs:
omniauth-tara (0.3.0)
addressable (~> 2.5)
omniauth (~> 1.3)
openid_connect (~> 1.1)
GIT
remote: https://github.com/tarmotalu/digidoc_client.git
revision: 1645e83a5a548addce383f75703b0275c5310c32
@ -126,6 +135,7 @@ GEM
zeitwerk (~> 2.2, >= 2.2.2)
addressable (2.7.0)
public_suffix (>= 2.0.2, < 5.0)
aes_key_wrap (1.1.0)
airbrake (11.0.0)
airbrake-ruby (~> 5.0)
airbrake-ruby (5.0.2)
@ -133,9 +143,11 @@ GEM
akami (1.3.1)
gyoku (>= 0.4.0)
nokogiri
attr_required (1.0.1)
autoprefixer-rails (10.0.0.2)
execjs
bcrypt (3.1.16)
bindata (2.4.8)
bootsnap (1.4.8)
msgpack (~> 1.0)
bootstrap-sass (3.4.1)
@ -175,7 +187,7 @@ GEM
data_migrate (6.3.0)
rails (>= 5.0)
database_cleaner (1.8.5)
devise (4.7.2)
devise (4.7.3)
bcrypt (~> 3.0)
orm_adapter (~> 0.1)
railties (>= 4.1.0)
@ -227,6 +239,7 @@ GEM
temple (>= 0.8.0)
tilt
hashdiff (1.0.1)
hashie (4.1.0)
hpricot (0.8.6)
http-accept (1.7.0)
http-cookie (1.0.3)
@ -247,6 +260,10 @@ GEM
jquery-ui-rails (5.0.5)
railties (>= 3.2.16)
json (2.3.1)
json-jwt (1.13.0)
activesupport (>= 4.2)
aes_key_wrap
bindata
kaminari (1.2.1)
activesupport (>= 4.1.0)
kaminari-actionview (= 1.2.1)
@ -302,7 +319,23 @@ GEM
nokogiri (1.10.10)
mini_portile2 (~> 2.4.0)
nori (2.6.0)
omniauth (1.9.1)
hashie (>= 3.4.6)
rack (>= 1.6.2, < 3)
omniauth-rails_csrf_protection (0.1.2)
actionpack (>= 4.2)
omniauth (>= 1.3.1)
open4 (1.3.4)
openid_connect (1.2.0)
activemodel
attr_required (>= 1.0.0)
json-jwt (>= 1.5.0)
rack-oauth2 (>= 1.6.1)
swd (>= 1.0.0)
tzinfo
validate_email
validate_url
webfinger (>= 1.0.1)
orm_adapter (0.5.0)
paper_trail (10.3.1)
activerecord (>= 4.2)
@ -326,6 +359,12 @@ GEM
rack (2.2.3)
rack-accept (0.4.5)
rack (>= 0.4)
rack-oauth2 (1.16.0)
activesupport
attr_required
httpclient
json-jwt (>= 1.11.0)
rack (>= 2.1.0)
rack-protection (2.1.0)
rack
rack-test (1.1.0)
@ -366,7 +405,7 @@ GEM
rb-inotify (0.10.1)
ffi (~> 1.0)
rbtree3 (0.6.0)
regexp_parser (1.7.1)
regexp_parser (1.8.0)
request_store (1.5.0)
rack (>= 1.4)
responders (3.0.1)
@ -425,11 +464,15 @@ GEM
actionpack (>= 4.0)
activesupport (>= 4.0)
sprockets (>= 3.0.0)
swd (1.2.0)
activesupport (>= 3)
attr_required (>= 0.0.5)
httpclient (>= 2.4)
temple (0.8.2)
thor (0.20.3)
thread_safe (0.3.6)
tilt (2.0.10)
truemail (1.9.0)
truemail (1.9.1)
simpleidn (~> 0.1.1)
tzinfo (1.2.7)
thread_safe (~> 0.1)
@ -439,6 +482,12 @@ GEM
unf_ext
unf_ext (0.0.7.7)
unicode_utils (1.4.0)
validate_email (0.1.6)
activemodel (>= 3.0)
mail (>= 2.2.5)
validate_url (1.0.13)
activemodel (>= 3.0.0)
public_suffix
validates_email_format_of (1.6.3)
i18n
warden (1.2.9)
@ -451,6 +500,9 @@ GEM
nokogiri (~> 1.6)
rubyzip (>= 1.3.0)
selenium-webdriver (>= 3.0, < 4.0)
webfinger (1.1.0)
activesupport
httpclient (>= 2.4)
webmock (3.9.1)
addressable (>= 2.3.6)
crack (>= 0.3.2)
@ -503,6 +555,8 @@ DEPENDENCIES
minitest (~> 5.14)
money-rails
nokogiri
omniauth-rails_csrf_protection
omniauth-tara!
paper_trail (~> 10.3)
pdfkit
pg (= 1.2.2)


@ -156,6 +156,13 @@ lhv_dev_mode: 'false'
epp_session_timeout_seconds: '300'
contact_archivation_log_file_dir:
tara_host: 'tara-test.ria.ee'
tara_issuer: 'https://tara-test.ria.ee'
tara_identifier: 'identifier'
tara_secret: 'secret'
tara_redirect_uri: 'redirect_url'
tara_keys: "{\"kty\":\"RSA\",\"kid\":\"de6cc4\",\"n\":\"jWwAjT_03ypme9ZWeSe7c-jY26NO50Wo5I1LBnPW2JLc0dPMj8v7y4ehiRpClYNTaSWcLd4DJmlKXDXXudEUWwXa7TtjBFJfzlZ-1u0tDvJ-H9zv9MzO7UhUFytztUEMTrtStdhGbzkzdEZZCgFYeo2i33eXxzIR1nGvI05d9Y-e_LHnNE2ZKTa89BC7ZiCXq5nfAaCgQna_knh4kFAX-KgiPRAtsiDHcAWKcBY3qUVcb-5XAX8p668MlGLukzsh5tFkQCbJVyNtmlbIHdbGvVHPb8C0H3oLYciv1Fjy_tS1lO7OT_cb3GVp6Ql-CG0uED_8pkpVtfsGRviub4_ElQ\",\"e\":\"AQAB\"}"
# Since the keys for staging are absent from the repo, we need to supply them separate for testing.
test:
payments_seb_bank_certificate: 'test/fixtures/files/seb_bank_cert.pem'
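Review bot: `tara_keys` is the only concrete value among the otherwise placeholder `tara_*` entries (`'identifier'`, `'secret'`, `'redirect_url'`), and nothing says what it is; the JSON carries only `kty`, `kid`, `n` and `e`, i.e. a public RSA key, presumably the test issuer's token-signing key that the initializer consumes through `ENV['tara_keys']`. A key pinned in configuration stops verifying as soon as the provider rotates it, so the origin and the refresh obligation should be recorded next to it, e.g. `# Public JWK (n/e only) for the tara-test.ria.ee signing key; update when TARA rotates keys`. The placeholder `tara_redirect_uri: 'redirect_url'` also names itself differently from its key; `'redirect_uri'` would avoid confusion when someone greps for it.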


@ -0,0 +1,45 @@
OpenIDConnect.logger = Rails.logger
OpenIDConnect.debug!
OpenIDConnect.http_config do |config|
config.proxy = AuctionCenter::Application.config.customization.dig(:tara, :proxy)
end
OmniAuth.config.logger = Rails.logger
# Block GET requests to avoid exposing self to CVE-2015-9284
OmniAuth.config.allowed_request_methods = [:post]
signing_keys = ENV['tara_keys']
issuer = ENV['tara_issuer']
host = ENV['tara_host']
identifier = ENV['tara_identifier']
secret = ENV['tara_secret']
redirect_uri = ENV['tara_redirect_uri']
Rails.application.config.middleware.use OmniAuth::Builder do
provider "tara", {
name: 'tara',
scope: ['openid'],
state: Proc.new{ SecureRandom.hex(10) },
client_signing_alg: :RS256,
client_jwk_signing_key: signing_keys,
send_scope_to_token_endpoint: false,
send_nonce: true,
issuer: issuer,
client_options: {
scheme: 'https',
host: host,
authorization_endpoint: '/oidc/authorize',
token_endpoint: '/oidc/token',
userinfo_endpoint: nil, # Not implemented
jwks_uri: '/oidc/jwks',
# Auction
identifier: identifier,
secret: secret,
redirect_uri: redirect_uri,
},
}
end
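Review bot: `OpenIDConnect.debug!` on the second line is unconditional, so the debug filter it enables stays on in production and, as far as the gem's behaviour is known to me, writes the full HTTP exchange with the provider — including token-endpoint responses that carry the id_token and access_token — to `Rails.logger`. Gate it on the environment: `OpenIDConnect.debug! unless Rails.env.production?`. Separately, the six `ENV['tara_*']` reads return nil when a variable is unset, so a misconfigured deployment registers a provider with a nil issuer, identifier or secret and only fails at the first login attempt; `ENV.fetch('tara_issuer')` and friends would fail at boot instead, where the error is obvious. The existing CVE-2015-9284 comment and the `[:post]` restriction are the right call and should stay as they are.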