Refactor ID card sign-in

- Extract to Devise custom strategy - Use `SSL_CLIENT_S_DN_CN` env variable instead of `SSL_CLIENT_S_DN` to get ID card data - Remove `database_authenticatable` strategy from `RegistrantUser` Closes #1047
2025-06-10 14:44:47 +02:00 · 2019-01-30 19:08:29 +02:00 · 2019-01-30 19:08:29 +02:00 · a08f063640
commit a08f063640
parent 27976c3fbd
20 changed files with 266 additions and 89 deletions
--- a/test/integration/registrant_area/sign_in/id_card_test.rb
+++ b/test/integration/registrant_area/sign_in/id_card_test.rb
@ -0,0 +1,31 @@
+require 'test_helper'
+
+class RegistrantAreaIdCardSignInTest < ApplicationIntegrationTest
+  setup do
+    allow_business_registry_component_reach_server
+  end
+
+  def test_succeeds
+    post_via_redirect registrant_id_card_sign_in_path, nil,
+                      'SSL_CLIENT_S_DN_CN' => 'DOE,JOHN,1234',
+                      'SSL_CLIENT_I_DN_C' => 'US'
+
+    assert_response :ok
+    assert_equal registrant_root_path, path
+    assert_not_nil controller.current_registrant_user
+  end
+
+  def test_fails_when_certificate_is_absent
+    post_via_redirect registrant_id_card_sign_in_path, nil, 'SSL_CLIENT_S_DN_CN' => ''
+
+    assert_response :ok
+    assert_equal registrant_id_card_sign_in_path, path
+    assert_nil controller.current_registrant_user
+  end
+
+  private
+
+  def allow_business_registry_component_reach_server
+    WebMock.allow_net_connect!
+  end
+end
--- a/test/integration/registrar_area/sign_in/id_card_test.rb
+++ b/test/integration/registrar_area/sign_in/id_card_test.rb
@ -0,0 +1,61 @@
+require 'test_helper'
+
+class RegistrarAreaIdCardSignInTest < ApplicationIntegrationTest
+  setup do
+    @user = users(:api_bestnames)
+  end
+
+  def test_signs_in_a_user_when_id_card_owner_is_found
+    assert_equal '1234', @user.identity_code
+
+    post_via_redirect registrar_id_card_sign_in_path, nil, 'SSL_CLIENT_S_DN_CN' => 'DOE,JOHN,1234'
+
+    assert_response :ok
+    assert_equal registrar_root_path, path
+    assert_not_nil controller.current_registrar_user
+  end
+
+  def test_does_not_sign_in_a_user_when_id_card_owner_is_not_found
+    post_via_redirect registrar_id_card_sign_in_path, nil,
+                      'SSL_CLIENT_S_DN_CN' => 'DOE,JOHN,unacceptable-personal-code'
+
+    assert_nil controller.current_registrar_user
+    assert_equal registrar_id_card_sign_in_path, path
+    assert_includes response.body, 'Failed to Login'
+  end
+
+  def test_does_not_sign_in_a_user_when_id_card_owner_is_found_but_ip_is_not_allowed
+    allow_access_to_sign_in_page
+    assert_equal '127.0.0.1', white_ips(:one).ipv4
+    assert_equal '1234', @user.identity_code
+
+    Setting.registrar_ip_whitelist_enabled = true
+
+    post registrar_id_card_sign_in_path, nil, 'SSL_CLIENT_S_DN_CN' => 'DOE,JOHN,1234',
+         'REMOTE_ADDR' => '127.0.0.2'
+
+    assert_equal registrar_id_card_sign_in_path, path
+    assert_equal 'Access denied from IP 127.0.0.2', response.body
+
+    get registrar_root_path
+    assert_redirected_to new_registrar_user_session_path
+
+    Setting.registrar_ip_whitelist_enabled = false
+  end
+
+  def test_does_not_sign_in_a_user_when_certificate_is_absent
+    post_via_redirect registrar_id_card_sign_in_path, nil, 'SSL_CLIENT_S_DN_CN' => ''
+
+    assert_nil controller.current_registrar_user
+    assert_equal registrar_id_card_sign_in_path, path
+  end
+
+  private
+
+  def allow_access_to_sign_in_page
+    another_registrar_white_ip = white_ips(:one).dup
+    another_registrar_white_ip.ipv4 = '127.0.0.2'
+    another_registrar_white_ip.registrar = registrars(:goodnames)
+    another_registrar_white_ip.save!
+  end
+end