Refactor ID card sign-in

- Extract to Devise custom strategy - Use `SSL_CLIENT_S_DN_CN` env variable instead of `SSL_CLIENT_S_DN` to get ID card data - Remove `database_authenticatable` strategy from `RegistrantUser` Closes #1047
2025-06-10 22:54:47 +02:00 · 2019-01-30 19:08:29 +02:00 · 2019-01-30 19:08:29 +02:00 · a08f063640
commit a08f063640
parent 27976c3fbd
20 changed files with 266 additions and 89 deletions
--- a/test/fixtures/users.yml
+++ b/test/fixtures/users.yml
@ -1,6 +1,7 @@
 api_bestnames:
  username: test_bestnames
  plain_text_password: testtest
+  identity_code: 1234
  type: ApiUser
  registrar: bestnames
  active: true
--- a/test/fixtures/white_ips.yml
+++ b/test/fixtures/white_ips.yml
@ -0,0 +1,6 @@
+one:
+  registrar: bestnames
+  ipv4: 127.0.0.1
+  interfaces:
+    - <%= WhiteIp::REGISTRAR %>
+    - <%= WhiteIp::API %>
--- a/test/integration/registrant_area/sign_in/id_card_test.rb
+++ b/test/integration/registrant_area/sign_in/id_card_test.rb
@ -0,0 +1,31 @@
+require 'test_helper'
+
+class RegistrantAreaIdCardSignInTest < ApplicationIntegrationTest
+  setup do
+    allow_business_registry_component_reach_server
+  end
+
+  def test_succeeds
+    post_via_redirect registrant_id_card_sign_in_path, nil,
+                      'SSL_CLIENT_S_DN_CN' => 'DOE,JOHN,1234',
+                      'SSL_CLIENT_I_DN_C' => 'US'
+
+    assert_response :ok
+    assert_equal registrant_root_path, path
+    assert_not_nil controller.current_registrant_user
+  end
+
+  def test_fails_when_certificate_is_absent
+    post_via_redirect registrant_id_card_sign_in_path, nil, 'SSL_CLIENT_S_DN_CN' => ''
+
+    assert_response :ok
+    assert_equal registrant_id_card_sign_in_path, path
+    assert_nil controller.current_registrant_user
+  end
+
+  private
+
+  def allow_business_registry_component_reach_server
+    WebMock.allow_net_connect!
+  end
+end
--- a/test/integration/registrar_area/sign_in/id_card_test.rb
+++ b/test/integration/registrar_area/sign_in/id_card_test.rb
@ -0,0 +1,61 @@
+require 'test_helper'
+
+class RegistrarAreaIdCardSignInTest < ApplicationIntegrationTest
+  setup do
+    @user = users(:api_bestnames)
+  end
+
+  def test_signs_in_a_user_when_id_card_owner_is_found
+    assert_equal '1234', @user.identity_code
+
+    post_via_redirect registrar_id_card_sign_in_path, nil, 'SSL_CLIENT_S_DN_CN' => 'DOE,JOHN,1234'
+
+    assert_response :ok
+    assert_equal registrar_root_path, path
+    assert_not_nil controller.current_registrar_user
+  end
+
+  def test_does_not_sign_in_a_user_when_id_card_owner_is_not_found
+    post_via_redirect registrar_id_card_sign_in_path, nil,
+                      'SSL_CLIENT_S_DN_CN' => 'DOE,JOHN,unacceptable-personal-code'
+
+    assert_nil controller.current_registrar_user
+    assert_equal registrar_id_card_sign_in_path, path
+    assert_includes response.body, 'Failed to Login'
+  end
+
+  def test_does_not_sign_in_a_user_when_id_card_owner_is_found_but_ip_is_not_allowed
+    allow_access_to_sign_in_page
+    assert_equal '127.0.0.1', white_ips(:one).ipv4
+    assert_equal '1234', @user.identity_code
+
+    Setting.registrar_ip_whitelist_enabled = true
+
+    post registrar_id_card_sign_in_path, nil, 'SSL_CLIENT_S_DN_CN' => 'DOE,JOHN,1234',
+         'REMOTE_ADDR' => '127.0.0.2'
+
+    assert_equal registrar_id_card_sign_in_path, path
+    assert_equal 'Access denied from IP 127.0.0.2', response.body
+
+    get registrar_root_path
+    assert_redirected_to new_registrar_user_session_path
+
+    Setting.registrar_ip_whitelist_enabled = false
+  end
+
+  def test_does_not_sign_in_a_user_when_certificate_is_absent
+    post_via_redirect registrar_id_card_sign_in_path, nil, 'SSL_CLIENT_S_DN_CN' => ''
+
+    assert_nil controller.current_registrar_user
+    assert_equal registrar_id_card_sign_in_path, path
+  end
+
+  private
+
+  def allow_access_to_sign_in_page
+    another_registrar_white_ip = white_ips(:one).dup
+    another_registrar_white_ip.ipv4 = '127.0.0.2'
+    another_registrar_white_ip.registrar = registrars(:goodnames)
+    another_registrar_white_ip.save!
+  end
+end
--- a/test/lib/devise/strategies/id_card_authenticatable_test.rb
+++ b/test/lib/devise/strategies/id_card_authenticatable_test.rb
@ -0,0 +1,13 @@
+require 'test_helper'
+
+class IdCardAuthenticatableTest < ActiveSupport::TestCase
+  def test_valid_when_id_card_data_is_present_in_env
+    strategy = Devise::Strategies::IdCardAuthenticatable.new({ 'SSL_CLIENT_S_DN_CN' => 'some' })
+    assert strategy.valid?
+  end
+
+  def test_not_valid_when_id_card_data_is_absent_in_env
+    strategy = Devise::Strategies::IdCardAuthenticatable.new({})
+    assert_not strategy.valid?
+  end
+end
--- a/test/models/api_user_test.rb
+++ b/test/models/api_user_test.rb
@ -0,0 +1,18 @@
+require 'test_helper'
+
+class ApiUserTest < ActiveSupport::TestCase
+  setup do
+    @user = users(:api_bestnames)
+  end
+
+  def test_finds_user_by_id_card
+    id_card = IdCard.new
+    id_card.personal_code = 'one'
+
+    @user.update!(identity_code: 'one')
+    assert_equal @user, ApiUser.find_by_id_card(id_card)
+
+    @user.update!(identity_code: 'another')
+    assert_nil ApiUser.find_by_id_card(id_card)
+  end
+end
--- a/test/models/registrant_user/registrant_user_creation_test.rb
+++ b/test/models/registrant_user/registrant_user_creation_test.rb
@ -35,22 +35,4 @@ class RegistrantUserCreationTest < ActiveSupport::TestCase
    user = User.find_by(registrant_ident: 'EE-37710100070')
    assert_equal('JOHN SMITH', user.username)
  end
-
-  def test_find_or_create_by_idc_with_legacy_header_creates_a_user
-    header = '/C=EE/O=ESTEID/OU=authentication/CN=SMITH,JOHN,37710100070/SN=SMITH/GN=JOHN/serialNumber=37710100070'
-
-    RegistrantUser.find_or_create_by_idc_data(header, RegistrantUser::ACCEPTED_ISSUER)
-
-    user = User.find_by(registrant_ident: 'EE-37710100070')
-    assert_equal('JOHN SMITH', user.username)
-  end
-
-  def test_find_or_create_by_idc_with_rfc2253_header_creates_a_user
-    header = 'serialNumber=37710100070,GN=JOHN,SN=SMITH,CN=SMITH\\,JOHN\\,37710100070,OU=authentication,O=ESTEID,C=EE'
-
-    RegistrantUser.find_or_create_by_idc_data(header, RegistrantUser::ACCEPTED_ISSUER)
-
-    user = User.find_by(registrant_ident: 'EE-37710100070')
-    assert_equal('JOHN SMITH', user.username)
-  end
 end
--- a/test/models/registrant_user_test.rb
+++ b/test/models/registrant_user_test.rb
@ -30,6 +30,34 @@ class RegistrantUserTest < ActiveSupport::TestCase
    assert_equal Country.new('US'), user.country
  end

+  def test_finding_by_id_card_creates_new_user_upon_first_sign_in
+    assert_not_equal 'US-5555', @user.registrant_ident
+    id_card = IdCard.new
+    id_card.first_name = 'John'
+    id_card.last_name = 'Doe'
+    id_card.personal_code = '5555'
+    id_card.country_code = 'US'
+
+    assert_difference 'RegistrantUser.count' do
+      RegistrantUser.find_by_id_card(id_card)
+    end
+
+    user = RegistrantUser.last
+    assert_equal 'US-5555', user.registrant_ident
+    assert_equal 'John Doe', user.username
+  end
+
+  def test_finding_by_id_card_reuses_existing_user_upon_subsequent_id_card_sign_ins
+    @user.update!(registrant_ident: 'US-5555')
+    id_card = IdCard.new
+    id_card.personal_code = '5555'
+    id_card.country_code = 'US'
+
+    assert_no_difference 'RegistrantUser.count' do
+      RegistrantUser.find_by_id_card(id_card)
+    end
+  end
+
  def test_queries_company_register_for_associated_companies
    assert_equal 'US-1234', @user.registrant_ident