Merge pull request #2696 from internetee/verify-contacts

Handling contact verifications
2025-07-31 06:56:23 +02:00 · 2024-11-19 10:34:53 +02:00 · 2024-11-19 10:34:53 +02:00 · 5d454febb3
commit 5d454febb3
parent 5b7f6ae3c4 6bd4c25d65
25 changed files with 898 additions and 7 deletions
--- a/test/integration/eeid/identification_requests_webhook_test.rb
+++ b/test/integration/eeid/identification_requests_webhook_test.rb
@ -0,0 +1,101 @@
+require 'test_helper'
+
+class Eeid::IdentificationRequestsWebhookTest < ActionDispatch::IntegrationTest
+  setup do
+    @contact = contacts(:john)
+    @secret = 'valid_secret'
+    ENV['ident_service_client_secret'] = @secret
+    payload = {
+      identification_request_id: '123',
+      reference: @contact.code
+    }
+    @valid_hmac_signature = OpenSSL::HMAC.hexdigest('SHA256', @secret, payload.to_json)
+
+    stub_request(:post, %r{api/auth/v1/token})
+      .to_return(
+        status: 200,
+        body: { access_token: 'token', token_type: 'Bearer', expires_in: 100 }.to_json, headers: {}
+      )
+    pdf_content = File.read(Rails.root.join('test/fixtures/files/legaldoc.pdf'))
+    stub_request(:get, %r{api/ident/v1/identification_requests})
+      .to_return(status: 200, body: pdf_content, headers: { 'Content-Type' => 'application/pdf' })
+
+    adapter = ENV['shunter_default_adapter'].constantize.new
+    adapter&.clear!
+  end
+
+  test 'should verify contact with valid signature and parameters' do
+    @contact.update!(ident_request_sent_at: Time.zone.now - 1.day)
+    post '/eeid/webhooks/identification_requests', params: { identification_request_id: '123', reference: @contact.code }, as: :json, headers: { 'X-HMAC-Signature' => @valid_hmac_signature }
+
+    assert_response :ok
+    assert_equal({ 'status' => 'success' }, JSON.parse(response.body))
+    assert_not_nil @contact.reload.verified_at
+    assert_equal @contact.verification_id, '123'
+    assert_notify_registrar('Successful Contact Verification')
+  end
+
+  test 'should return unauthorized for invalid HMAC signature' do
+    post '/eeid/webhooks/identification_requests', params: { identification_request_id: '123', reference: @contact.code }, as: :json, headers: { 'X-HMAC-Signature' => 'invalid_signature' }
+
+    assert_response :unauthorized
+    assert_equal({ 'error' => 'Invalid HMAC signature' }, JSON.parse(response.body))
+    assert_emails 0
+  end
+
+  test 'should return unauthorized for missing parameters' do
+    post '/eeid/webhooks/identification_requests', params: { reference: @contact.code }, as: :json, headers: { 'X-HMAC-Signature' => @valid_hmac_signature }
+
+    assert_response :unauthorized
+    assert_equal({ 'error' => 'Invalid HMAC signature' }, JSON.parse(response.body))
+    assert_emails 0
+  end
+
+  test 'should handle internal server error gracefully' do
+    # Simulate an error in the verify_contact method
+    Contact.stub :find_by_code, ->(_) { raise StandardError, 'Simulated error' } do
+      post '/eeid/webhooks/identification_requests', params: { identification_request_id: '123', reference: @contact.code }, as: :json, headers: { 'X-HMAC-Signature' => @valid_hmac_signature }
+
+      assert_response :internal_server_error
+      assert_equal({ 'error' => 'Simulated error' }, JSON.parse(response.body))
+      assert_emails 0
+    end
+  end
+
+  test 'should handle error from ident response' do
+    stub_request(:get, %r{api/ident/v1/identification_requests})
+      .to_return(status: :not_found, body: { error: 'Proof of identity not found' }.to_json, headers: { 'Content-Type' => 'application/json' })
+
+    @contact.update!(ident_request_sent_at: Time.zone.now - 1.day)
+    post '/eeid/webhooks/identification_requests', params: { identification_request_id: '123', reference: @contact.code }, as: :json, headers: { 'X-HMAC-Signature' => @valid_hmac_signature }
+
+    assert_response :internal_server_error
+    assert_equal({ 'error' => 'Proof of identity not found' }, JSON.parse(response.body))
+    assert_emails 0
+    assert_nil @contact.reload.verified_at
+  end
+
+  test 'returns error response if throttled' do
+    ENV['shunter_default_threshold'] = '1'
+    ENV['shunter_enabled'] = 'true'
+
+    post '/eeid/webhooks/identification_requests', params: { identification_request_id: '123', reference: @contact.code }, as: :json, headers: { 'X-HMAC-Signature' => @valid_hmac_signature }
+    post '/eeid/webhooks/identification_requests', params: { identification_request_id: '123', reference: @contact.code }, as: :json, headers: { 'X-HMAC-Signature' => @valid_hmac_signature }
+
+    assert_response :bad_request
+    assert response.body.include?(Shunter.default_error_message)
+    ENV['shunter_default_threshold'] = '10000'
+    ENV['shunter_enabled'] = 'false'
+  end
+
+  private
+
+  def assert_notify_registrar(subject)
+    assert_emails 1
+    email = ActionMailer::Base.deliveries.last
+    assert_equal [@contact.registrar.email], email.to
+    assert_equal subject, email.subject
+    assert_equal 1, email.attachments.size
+    assert_equal 'proof_of_identity.pdf', email.attachments.first.filename
+  end
+end
--- a/test/integration/repp/v1/contacts/download_poi_test.rb
+++ b/test/integration/repp/v1/contacts/download_poi_test.rb
@ -0,0 +1,72 @@
+require 'test_helper'
+
+class ReppV1ContactsDownloadPoiTest < ActionDispatch::IntegrationTest
+  def setup
+    @contact = contacts(:john)
+    @user = users(:api_bestnames)
+    token = Base64.encode64("#{@user.username}:#{@user.plain_text_password}")
+    token = "Basic #{token}"
+
+    @auth_headers = { 'Authorization' => token }
+
+    adapter = ENV['shunter_default_adapter'].constantize.new
+    adapter&.clear!
+
+    stub_request(:post, %r{api/auth/v1/token})
+      .to_return(
+        status: 200,
+        body: { access_token: 'token', token_type: 'Bearer', expires_in: 100 }.to_json, headers: {}
+      )
+    pdf_content = File.read(Rails.root.join('test/fixtures/files/legaldoc.pdf'))
+    stub_request(:get, %r{api/ident/v1/identification_requests})
+      .to_return(status: 200, body: pdf_content, headers: { 'Content-Type' => 'application/pdf' })
+  end
+
+  def test_returns_error_when_not_found
+    get '/repp/v1/contacts/download_poi/nonexistant:code', headers: @auth_headers
+    json = JSON.parse(response.body, symbolize_names: true)
+
+    assert_response :not_found
+    assert_equal 2303, json[:code]
+    assert_equal 'Object does not exist', json[:message]
+  end
+
+  def test_downloads_poi_for_contact
+    @contact.update!(verified_at: Time.zone.now - 1.day, verification_id: '123')
+    get "/repp/v1/contacts/download_poi/#{@contact.code}", headers: @auth_headers
+
+    assert_response :ok
+    assert_equal 'application/pdf', response.headers['Content-Type']
+    assert_equal "inline; filename=\"proof_of_identity_123.pdf\"; filename*=UTF-8''proof_of_identity_123.pdf", response.headers['Content-Disposition']
+    assert_not_empty response.body
+  end
+
+  def test_handles_non_epp_error
+    stub_request(:get, %r{api/ident/v1/identification_requests})
+      .to_return(
+        status: :not_found,
+        body: { error: 'Proof of identity not found' }.to_json,
+        headers: { 'Content-Type' => 'application/json' }
+      )
+    get "/repp/v1/contacts/download_poi/#{@contact.code}", headers: @auth_headers
+    json = JSON.parse(response.body, symbolize_names: true)
+
+    assert_response :bad_request
+    assert_equal 'Proof of identity not found', json[:message]
+  end
+
+  def test_returns_error_response_if_throttled
+    ENV['shunter_default_threshold'] = '1'
+    ENV['shunter_enabled'] = 'true'
+
+    get "/repp/v1/contacts/download_poi/#{@contact.code}", headers: @auth_headers
+    get "/repp/v1/contacts/download_poi/#{@contact.code}", headers: @auth_headers
+    json = JSON.parse(response.body, symbolize_names: true)
+
+    assert_response :bad_request
+    assert_equal json[:code], 2502
+    assert response.body.include?(Shunter.default_error_message)
+    ENV['shunter_default_threshold'] = '10000'
+    ENV['shunter_enabled'] = 'false'
+  end
+end
--- a/test/integration/repp/v1/contacts/verify_test.rb
+++ b/test/integration/repp/v1/contacts/verify_test.rb
@ -0,0 +1,98 @@
+require 'test_helper'
+
+class ReppV1ContactsVerifyTest < ActionDispatch::IntegrationTest
+  def setup
+    @contact = contacts(:john)
+    @user = users(:api_bestnames)
+    token = Base64.encode64("#{@user.username}:#{@user.plain_text_password}")
+    token = "Basic #{token}"
+
+    @auth_headers = { 'Authorization' => token }
+
+    adapter = ENV['shunter_default_adapter'].constantize.new
+    adapter&.clear!
+
+    stub_request(:post, %r{api/auth/v1/token})
+      .to_return(
+        status: 200,
+        body: { access_token: 'token', token_type: 'Bearer', expires_in: 100 }.to_json, headers: {}
+      )
+    stub_request(:post, %r{api/ident/v1/identification_requests})
+      .with(
+        body: {
+          claims_required: [{ type: 'sub', value: "#{@contact.ident_country_code}#{@contact.ident}" }],
+          reference: @contact.code
+        }
+      ).to_return(status: 200, body: { id: '123' }.to_json, headers: { 'Content-Type' => 'application/json' })
+  end
+
+  def test_returns_error_when_not_found
+    post '/repp/v1/contacts/verify/nonexistant:code', headers: @auth_headers
+    json = JSON.parse(response.body, symbolize_names: true)
+
+    assert_response :not_found
+    assert_equal 2303, json[:code]
+    assert_equal 'Object does not exist', json[:message]
+  end
+
+  def test_verifies_contact
+    post "/repp/v1/contacts/verify/#{@contact.code}", headers: @auth_headers
+    json = JSON.parse(response.body, symbolize_names: true)
+
+    assert_response :ok
+    assert_equal 1000, json[:code]
+    assert_equal 'Command completed successfully', json[:message]
+
+    contact = Contact.find_by(code: json[:data][:contact][:code])
+    assert contact.present?
+    assert contact.ident_request_sent_at
+    assert_nil contact.verified_at
+    assert_notify_contact('Identification requested')
+  end
+
+  def test_handles_non_epp_error
+    stub_request(:post, %r{api/ident/v1/identification_requests})
+      .to_return(status: :unprocessable_entity, body: { error: 'error' }.to_json, headers: { 'Content-Type' => 'application/json' })
+
+    post "/repp/v1/contacts/verify/#{@contact.code}", headers: @auth_headers
+    json = JSON.parse(response.body, symbolize_names: true)
+
+    assert_response :bad_request
+    assert_equal 'Sending identification request failed', json[:message]
+    assert_nil @contact.ident_request_sent_at
+    assert_emails 0
+  end
+
+  def test_does_not_verify_already_verified_contact
+    @contact.update!(verified_at: Time.zone.now - 1.day)
+    post "/repp/v1/contacts/verify/#{@contact.code}", headers: @auth_headers
+    json = JSON.parse(response.body, symbolize_names: true)
+
+    assert_response :bad_request
+    assert_equal 'Contact already verified', json[:message]
+  end
+
+  def test_returns_error_response_if_throttled
+    ENV['shunter_default_threshold'] = '1'
+    ENV['shunter_enabled'] = 'true'
+
+    post "/repp/v1/contacts/verify/#{@contact.code}", headers: @auth_headers
+    post "/repp/v1/contacts/verify/#{@contact.code}", headers: @auth_headers
+    json = JSON.parse(response.body, symbolize_names: true)
+
+    assert_response :bad_request
+    assert_equal json[:code], 2502
+    assert response.body.include?(Shunter.default_error_message)
+    ENV['shunter_default_threshold'] = '10000'
+    ENV['shunter_enabled'] = 'false'
+  end
+
+  private
+
+  def assert_notify_contact(subject)
+    assert_emails 1
+    email = ActionMailer::Base.deliveries.last
+    assert_equal [@contact.email], email.to
+    assert_equal subject, email.subject
+  end
+end
--- a/test/services/identification_service_test.rb
+++ b/test/services/identification_service_test.rb
@ -0,0 +1,104 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class IdentificationServiceTest < ActiveSupport::TestCase
+  def setup
+    @service = Eeid::IdentificationService.new
+  end
+
+  def test_create_identification_request_success
+    request_params = {
+      claims_required: [{
+        type: 'sub',
+        value: 'EE1234567'
+      }],
+      reference: '111:111'
+    }
+    response_body = { id: '123', status: 'created' }.to_json
+
+    stub_request(:post, %r{api/auth/v1/token})
+      .to_return(status: 200, body: { access_token: 'mock_token' }.to_json)
+
+    stub_request(:post, %r{api/ident/v1/identification_requests})
+      .with(
+        headers: { 'Authorization' => 'Bearer mock_token' },
+        body: request_params.to_json
+      )
+      .to_return(status: 201, body: response_body, headers: { 'Content-Type' => 'application/json' })
+
+    result = @service.create_identification_request(request_params)
+    assert_equal JSON.parse(response_body), result
+    assert_equal 'mock_token', @service.instance_variable_get(:@token)
+  end
+
+  def test_create_identification_request_failure
+    request_params = {
+      claims_required: [{
+        type: 'sub',
+        value: 'EE1234567'
+      }],
+      reference: '111:111'
+    }
+
+    stub_request(:post, %r{api/auth/v1/token})
+      .to_return(status: 200, body: { access_token: 'mock_token' }.to_json)
+
+    stub_request(:post, %r{api/ident/v1/identification_requests})
+      .with(
+        headers: { 'Authorization' => 'Bearer mock_token' },
+        body: request_params.to_json
+      )
+      .to_return(status: 400, body: { error: 'Bad Request' }.to_json, headers: { 'Content-Type' => 'application/json' })
+
+    assert_raises(Eeid::IdentError, 'Bad Request') do
+      @service.create_identification_request(request_params)
+    end
+  end
+
+  def test_get_identification_request_success
+    id = '123'
+    response_body = { id: id, status: 'completed' }.to_json
+
+    stub_request(:post, %r{api/auth/v1/token})
+      .to_return(status: 200, body: { access_token: 'mock_token' }.to_json)
+
+    stub_request(:get, %r{api/ident/v1/identification_requests/#{id}})
+      .with(headers: { 'Authorization' => 'Bearer mock_token' })
+      .to_return(status: 200, body: response_body, headers: { 'Content-Type' => 'application/json' })
+
+    result = @service.get_identification_request(id)
+    assert_equal JSON.parse(response_body), result
+    assert_equal 'mock_token', @service.instance_variable_get(:@token)
+  end
+
+  def test_get_identification_request_failure
+    id = '123'
+
+    stub_request(:post, %r{api/auth/v1/token})
+      .to_return(status: 200, body: { access_token: 'mock_token' }.to_json)
+
+    stub_request(:get, %r{api/ident/v1/identification_requests/#{id}})
+      .with(headers: { 'Authorization' => 'Bearer mock_token' })
+      .to_return(status: 404, body: { error: 'Not Found' }.to_json)
+
+    assert_raises(Eeid::IdentError, 'Not Found') do
+      @service.get_identification_request(id)
+    end
+  end
+
+  def test_authentication_needed_for_requests
+    stub_request(:post, %r{api/auth/v1/token})
+      .to_return(status: 401, body: { error: 'Invalid credentials' }.to_json)
+
+    assert_raises(Eeid::IdentError) do
+      @service.create_identification_request({ key: 'value' })
+    end
+
+    assert_raises(Eeid::IdentError) do
+      @service.get_identification_request('123')
+    end
+
+    assert_equal nil, @service.instance_variable_get(:@token)
+  end
+end