internetee-registry/app/controllers/registrar/sessions_controller.rb

class Registrar
  class SessionsController < Devise::SessionsController
    before_action :check_ip_restriction
    helper_method :depp_controller?

    def create
      @depp_user = Depp::User.new(depp_user_params)

      if @depp_user.pki && request.env['HTTP_SSL_CLIENT_S_DN_CN'].blank?
        @depp_user.errors.add(:base, :webserver_missing_user_name_directive)
      end

      if @depp_user.pki && request.env['HTTP_SSL_CLIENT_CERT'].blank?
        @depp_user.errors.add(:base, :webserver_missing_client_cert_directive)
      end

      if @depp_user.pki && request.env['HTTP_SSL_CLIENT_S_DN_CN'] == '(null)'
        @depp_user.errors.add(:base, :webserver_user_name_directive_should_be_required)
      end

      if @depp_user.pki && request.env['HTTP_SSL_CLIENT_CERT'] == '(null)'
        @depp_user.errors.add(:base, :webserver_client_cert_directive_should_be_required)
      end

      @api_user = ApiUser.find_by(username: sign_in_params[:username],
                                  plain_text_password: sign_in_params[:password])

      unless @api_user
        @depp_user.errors.add(:base, t(:no_such_user))
        show_error and return
      end

      if @depp_user.pki
        unless @api_user.registrar_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
          @depp_user.errors.add(:base, :invalid_cert)
        end
      end

      if @depp_user.errors.none?
        if @api_user.active?
          sign_in_and_redirect(:registrar_user, @api_user)
        else
          @depp_user.errors.add(:base, :not_active)
          show_error and return
        end
      else
        show_error and return
      end
    end

    def id
      @user = ApiUser.find_by_idc_data_and_allowed(request.env['SSL_CLIENT_S_DN'], request.ip)

      if @user
        sign_in_and_redirect(:registrar_user, @user, event: :authentication)
      else
        flash[:alert] = t('no_such_user')
        redirect_to new_registrar_user_session_url
      end
    end

    def login_mid
      @user = User.new
    end

    def mid
      phone = params[:user][:phone]
      endpoint = "#{ENV['sk_digi_doc_service_endpoint']}"
      client = Digidoc::Client.new(endpoint)
      client.logger = Rails.application.config.logger unless Rails.env.test?

      # country_codes = {'+372' => 'EST'}
      phone.gsub!('+372', '')
      response = client.authenticate(
        phone: "+372#{phone}",
        message_to_display: 'Authenticating',
        service_name: ENV['sk_digi_doc_service_name'] || 'Testing'
      )

      if response.faultcode
        render json: { message: response.detail.message }, status: :unauthorized
        return
      end

      if Setting.registrar_ip_whitelist_enabled
        @user = find_user_by_idc_and_allowed(response.user_id_code)
      else
        @user = find_user_by_idc(response.user_id_code)
      end

      if @user.persisted?
        session[:user_id_code] = response.user_id_code
        session[:mid_session_code] = client.session_code

        render json: {
          message: t(:confirmation_sms_was_sent_to_your_phone_verification_code_is, { code: response.challenge_id })
        }, status: :ok
      else
        render json: { message: t(:no_such_user) }, status: :unauthorized
      end
    end

    def mid_status
      endpoint = "#{ENV['sk_digi_doc_service_endpoint']}"
      client = Digidoc::Client.new(endpoint)
      client.logger = Rails.application.config.logger unless Rails.env.test?
      client.session_code = session[:mid_session_code]
      auth_status = client.authentication_status

      case auth_status.status
        when 'OUTSTANDING_TRANSACTION'
          render json: { message: t(:check_your_phone_for_confirmation_code) }, status: :ok
        when 'USER_AUTHENTICATED'
          @user = find_user_by_idc_and_allowed(session[:user_id_code])
          sign_in(:registrar_user, @user)
          flash[:notice] = t(:welcome)
          flash.keep(:notice)
          render js: "window.location = '#{registrar_root_url}'"
        when 'NOT_VALID'
          render json: { message: t(:user_signature_is_invalid) }, status: :bad_request
        when 'EXPIRED_TRANSACTION'
          render json: { message: t(:session_timeout) }, status: :bad_request
        when 'USER_CANCEL'
          render json: { message: t(:user_cancelled) }, status: :bad_request
        when 'MID_NOT_READY'
          render json: { message: t(:mid_not_ready) }, status: :bad_request
        when 'PHONE_ABSENT'
          render json: { message: t(:phone_absent) }, status: :bad_request
        when 'SENDING_ERROR'
          render json: { message: t(:sending_error) }, status: :bad_request
        when 'SIM_ERROR'
          render json: { message: t(:sim_error) }, status: :bad_request
        when 'INTERNAL_ERROR'
          render json: { message: t(:internal_error) }, status: :bad_request
        else
          render json: { message: t(:internal_error) }, status: :bad_request
      end
    end

    private

    def depp_controller?
      false
    end

    def find_user_by_idc(idc)
      return User.new unless idc
      ApiUser.find_by(identity_code: idc) || User.new
    end

    def find_user_by_idc_and_allowed(idc)
      return User.new unless idc
      possible_users = ApiUser.where(identity_code: idc) || User.new
      possible_users.each do |selected_user|
        if selected_user.registrar.white_ips.registrar_area.include_ip?(request.ip)
          return selected_user
        end
      end
    end

    def check_ip_restriction
      ip_restriction = Authorization::RestrictedIP.new(request.ip)
      allowed = ip_restriction.can_access_registrar_area_sign_in_page?

      return if allowed

      render text: t('registrar.authorization.ip_not_allowed', ip: request.ip)
    end

    def current_ability
      @current_ability ||= Ability.new(current_registrar_user, request.remote_ip)
    end

    def after_sign_in_path_for(_resource_or_scope)
      if can?(:show, :poll)
        registrar_root_path
      else
        registrar_profile_path
      end
    end

    def after_sign_out_path_for(_resource_or_scope)
      new_registrar_user_session_path
    end

    def user_for_paper_trail
      current_registrar_user ? current_registrar_user.id_role_username : 'anonymous'
    end

    def depp_user_params
      params = sign_in_params
      params[:tag] = params.delete(:username)
      params.merge!(pki: !(Rails.env.development? || Rails.env.test?))
      params
    end

    def show_error
      redirect_to new_registrar_user_session_url, alert: @depp_user.errors.full_messages.first
    end
  end
end