From 3e67ff4d65a0395e17e2c1257d4f682037a348d9 Mon Sep 17 00:00:00 2001 From: Alex Sherman Date: Tue, 15 Sep 2020 11:32:58 +0500 Subject: [PATCH] Add Omniauth-Tara gem/initializer --- Gemfile | 4 +++ Gemfile.lock | 60 +++++++++++++++++++++++++++++++-- config/application.yml.sample | 7 ++++ config/initializers/omniauth.rb | 45 +++++++++++++++++++++++++ 4 files changed, 113 insertions(+), 3 deletions(-) create mode 100644 config/initializers/omniauth.rb diff --git a/Gemfile b/Gemfile index accb4d3a2..15d5f779c 100644 --- a/Gemfile +++ b/Gemfile @@ -53,6 +53,10 @@ gem 'digidoc_client', github: 'tarmotalu/digidoc_client', ref: '1645e83a5a548addce383f75703b0275c5310c32' +# TARA +gem 'omniauth-rails_csrf_protection' +gem 'omniauth-tara', github: 'internetee/omniauth-tara' + gem 'epp', github: 'internetee/epp', branch: :master gem 'epp-xml', '1.1.0', github: 'internetee/epp-xml' diff --git a/Gemfile.lock b/Gemfile.lock index 3f9824cf1..574afc9df 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -52,6 +52,15 @@ GIT logger nokogiri +GIT + remote: https://github.com/internetee/omniauth-tara.git + revision: cec845ec3794532144c4976104a07e206d759aa6 + specs: + omniauth-tara (0.3.0) + addressable (~> 2.5) + omniauth (~> 1.3) + openid_connect (~> 1.1) + GIT remote: https://github.com/tarmotalu/digidoc_client.git revision: 1645e83a5a548addce383f75703b0275c5310c32 @@ -126,6 +135,7 @@ GEM zeitwerk (~> 2.2, >= 2.2.2) addressable (2.7.0) public_suffix (>= 2.0.2, < 5.0) + aes_key_wrap (1.1.0) airbrake (11.0.0) airbrake-ruby (~> 5.0) airbrake-ruby (5.0.2) @@ -133,9 +143,11 @@ GEM akami (1.3.1) gyoku (>= 0.4.0) nokogiri + attr_required (1.0.1) autoprefixer-rails (10.0.0.2) execjs bcrypt (3.1.16) + bindata (2.4.8) bootsnap (1.4.8) msgpack (~> 1.0) bootstrap-sass (3.4.1) @@ -175,7 +187,7 @@ GEM data_migrate (6.3.0) rails (>= 5.0) database_cleaner (1.8.5) - devise (4.7.2) + devise (4.7.3) bcrypt (~> 3.0) orm_adapter (~> 0.1) railties (>= 4.1.0) 
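Review bot: `gem 'omniauth-tara', github: 'internetee/omniauth-tara'` in the Gemfile hunk tracks the fork's default branch with no `ref:`/`tag:`, unlike the `digidoc_client` line directly above it that pins a commit; Gemfile.lock records revision cec845ec3794532144c4976104a07e206d759aa6 today, but any later `bundle update` would silently pull whatever that branch then holds into the authentication path. Pin it the same way as its neighbour: `gem 'omniauth-tara', github: 'internetee/omniauth-tara', ref: 'cec845ec3794532144c4976104a07e206d759aa6'`. The Gemfile.lock hunks on this line are the matching lock changes and need nothing further.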
@@ -227,6 +239,7 @@ GEM temple (>= 0.8.0) tilt hashdiff (1.0.1) + hashie (4.1.0) hpricot (0.8.6) http-accept (1.7.0) http-cookie (1.0.3) @@ -247,6 +260,10 @@ GEM jquery-ui-rails (5.0.5) railties (>= 3.2.16) json (2.3.1) + json-jwt (1.13.0) + activesupport (>= 4.2) + aes_key_wrap + bindata kaminari (1.2.1) activesupport (>= 4.1.0) kaminari-actionview (= 1.2.1) @@ -302,7 +319,23 @@ GEM nokogiri (1.10.10) mini_portile2 (~> 2.4.0) nori (2.6.0) + omniauth (1.9.1) + hashie (>= 3.4.6) + rack (>= 1.6.2, < 3) + omniauth-rails_csrf_protection (0.1.2) + actionpack (>= 4.2) + omniauth (>= 1.3.1) open4 (1.3.4) + openid_connect (1.2.0) + activemodel + attr_required (>= 1.0.0) + json-jwt (>= 1.5.0) + rack-oauth2 (>= 1.6.1) + swd (>= 1.0.0) + tzinfo + validate_email + validate_url + webfinger (>= 1.0.1) orm_adapter (0.5.0) paper_trail (10.3.1) activerecord (>= 4.2) @@ -326,6 +359,12 @@ GEM rack (2.2.3) rack-accept (0.4.5) rack (>= 0.4) + rack-oauth2 (1.16.0) + activesupport + attr_required + httpclient + json-jwt (>= 1.11.0) + rack (>= 2.1.0) rack-protection (2.1.0) rack rack-test (1.1.0) @@ -366,7 +405,7 @@ GEM rb-inotify (0.10.1) ffi (~> 1.0) rbtree3 (0.6.0) - regexp_parser (1.7.1) + regexp_parser (1.8.0) request_store (1.5.0) rack (>= 1.4) responders (3.0.1) @@ -425,11 +464,15 @@ GEM actionpack (>= 4.0) activesupport (>= 4.0) sprockets (>= 3.0.0) + swd (1.2.0) + activesupport (>= 3) + attr_required (>= 0.0.5) + httpclient (>= 2.4) temple (0.8.2) thor (0.20.3) thread_safe (0.3.6) tilt (2.0.10) - truemail (1.9.0) + truemail (1.9.1) simpleidn (~> 0.1.1) tzinfo (1.2.7) thread_safe (~> 0.1) @@ -439,6 +482,12 @@ GEM unf_ext unf_ext (0.0.7.7) unicode_utils (1.4.0) + validate_email (0.1.6) + activemodel (>= 3.0) + mail (>= 2.2.5) + validate_url (1.0.13) + activemodel (>= 3.0.0) + public_suffix validates_email_format_of (1.6.3) i18n warden (1.2.9) 
@@ -451,6 +500,9 @@ GEM nokogiri (~> 1.6) rubyzip (>= 1.3.0) selenium-webdriver (>= 3.0, < 4.0)
+webfinger (1.1.0)
+ activesupport
+ httpclient (>= 2.4)
 webmock (3.9.1) addressable (>= 2.3.6) crack (>= 0.3.2)
@@ -503,6 +555,8 @@ DEPENDENCIES minitest (~> 5.14) money-rails nokogiri
+omniauth-rails_csrf_protection
+omniauth-tara!
 paper_trail (~> 10.3) pdfkit pg (= 1.2.2)
diff --git a/config/application.yml.sample b/config/application.yml.sample
index 72b55e2ea..cbe32e5db 100644
--- a/config/application.yml.sample
+++ b/config/application.yml.sample
@@ -156,6 +156,13 @@ lhv_dev_mode: 'false' epp_session_timeout_seconds: '300' contact_archivation_log_file_dir:
+tara_host: 'tara-test.ria.ee'
+tara_issuer: 'https://tara-test.ria.ee'
+tara_identifier: 'identifier'
+tara_secret: 'secret'
+tara_redirect_uri: 'redirect_url'
+tara_keys: "{\"kty\":\"RSA\",\"kid\":\"de6cc4\",\"n\":\"jWwAjT_03ypme9ZWeSe7c-jY26NO50Wo5I1LBnPW2JLc0dPMj8v7y4ehiRpClYNTaSWcLd4DJmlKXDXXudEUWwXa7TtjBFJfzlZ-1u0tDvJ-H9zv9MzO7UhUFytztUEMTrtStdhGbzkzdEZZCgFYeo2i33eXxzIR1nGvI05d9Y-e_LHnNE2ZKTa89BC7ZiCXq5nfAaCgQna_knh4kFAX-KgiPRAtsiDHcAWKcBY3qUVcb-5XAX8p668MlGLukzsh5tFkQCbJVyNtmlbIHdbGvVHPb8C0H3oLYciv1Fjy_tS1lO7OT_cb3GVp6Ql-CG0uED_8pkpVtfsGRviub4_ElQ\",\"e\":\"AQAB\"}"
+
 # Since the keys for staging are absent from the repo, we need to supply them separate for testing. test: payments_seb_bank_certificate: 'test/fixtures/files/seb_bank_cert.pem'
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
new file mode 100644
index 000000000..0e0ab9142
--- /dev/null
+++ b/config/initializers/omniauth.rb
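Review bot: The six `tara_*` keys added to application.yml.sample carry no comment saying what they are, and `tara_keys` embeds a full RSA JWK (kid de6cc4) that a reader may mistake for a secret; a header such as `# TARA (OpenID Connect) settings read by config/initializers/omniauth.rb; tara_keys is the provider's public signing JWK (no private part), tara_identifier/tara_secret are the client credentials` would settle that. `tara_redirect_uri: 'redirect_url'` is a placeholder that is not URL-shaped, so a copied sample yields an invalid redirect URI; prefer a `https://<app-host>/<callback-path>`-style placeholder. If the strategy prefers this configured key over the `jwks_uri` the initializer also sets (I have not checked the omniauth-tara source), key rotation at TARA breaks sign-in until this value is updated, which the comment should also mention.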
@@ -0,0 +1,45 @@
+OpenIDConnect.logger = Rails.logger
+OpenIDConnect.debug!
+
+OpenIDConnect.http_config do |config|
+ config.proxy = AuctionCenter::Application.config.customization.dig(:tara, :proxy)
+end
+
+OmniAuth.config.logger = Rails.logger
+# Block GET requests to avoid exposing self to CVE-2015-9284
+OmniAuth.config.allowed_request_methods = [:post]
+
+signing_keys = ENV['tara_keys']
+issuer = ENV['tara_issuer']
+host = ENV['tara_host']
+identifier = ENV['tara_identifier']
+secret = ENV['tara_secret']
+redirect_uri = ENV['tara_redirect_uri']
+
+Rails.application.config.middleware.use OmniAuth::Builder do
+ provider "tara", {
+ name: 'tara',
+ scope: ['openid'],
+ state: Proc.new{ SecureRandom.hex(10) },
+ client_signing_alg: :RS256,
+ client_jwk_signing_key: signing_keys,
+ send_scope_to_token_endpoint: false,
+ send_nonce: true,
+ issuer: issuer,
+
+ client_options: {
+ scheme: 'https',
+ host: host,
+
+ authorization_endpoint: '/oidc/authorize',
+ token_endpoint: '/oidc/token',
+ userinfo_endpoint: nil, # Not implemented
+ jwks_uri: '/oidc/jwks',
+
+ # Auction
+ identifier: identifier,
+ secret: secret,
+ redirect_uri: redirect_uri,
+ },
+ }
+end
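Review bot: `OpenIDConnect.debug!` on the second line of the new initializer switches the openid_connect gem's debug mode on in every environment, production included, and as far as I remember that mode writes the HTTP exchanges with the provider (token endpoint responses among them) to the logger configured on the line above; gate it, `OpenIDConnect.debug! if Rails.env.development?`, or key it off a flag next to the `:tara, :proxy` customization. The six `ENV['tara_*']` reads return nil for a missing key, so a misconfigured deploy shows up only as a provider error at first login instead of at boot; `ENV.fetch('tara_issuer')` and friends would fail fast for the values that are mandatory. As a point of style, `state: Proc.new{ SecureRandom.hex(10) }` reads better as a lambda, `state: -> { SecureRandom.hex(10) }`. The `allowed_request_methods = [:post]` line only does its job together with the `omniauth-rails_csrf_protection` gem added in the Gemfile hunk, so extend the comment to `# Block GET requests (CVE-2015-9284); the POST form is protected by omniauth-rails_csrf_protection` so neither is dropped without the other.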