From ac499f9555bf6aaaddd6f7de1058dcbd25fe5979 Mon Sep 17 00:00:00 2001
From: cizmarty <88806046+cizmarty@users.noreply.github.com>
Date: Tue, 30 Apr 2024 14:13:19 +0200
Subject: [PATCH] Feature/eid login (#656)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Handle case when actor key value can be null

Co-authored-by: Lucia Janíková <43437253+luciajanikova@users.noreply.github.com>

* Handle case when actor key value can be null

Co-authored-by: Lucia Janíková <43437253+luciajanikova@users.noreply.github.com>

* Add login button, expect callback URL from UPVS to be always /login for safety reasons

* Fix logout redirect

* Improve login button, fetch assertion

* Persist subject data from assertion

* Disallow subject login for non-full representation

* Update app/views/sessions/insufficient_representation.html.erb

Co-authored-by: Jano Suchal <jan.suchal@slovensko.digital>

* Remove index which is not necessary

---------

Co-authored-by: Ahmed Al Hafoudh <alhafoudh@freevision.sk>
Co-authored-by: Lucia Janíková <43437253+luciajanikova@users.noreply.github.com>
Co-authored-by: Jano Suchal <jan.suchal@slovensko.digital>
---
 Gemfile.lock                                  |  4 +-
 app/assets/images/eid-sk.svg                  |  2 +-
 app/controllers/sessions_controller.rb        | 28 ++++++-
 app/models/eid_token.rb                       |  2 +-
 app/models/upvs/assertion.rb                  | 73 +++++++++++++++++++
 app/views/components/_header.html.erb         |  3 -
 app/views/eid/onboarding/new.html.erb         |  4 +
 app/views/profiles/show.html.erb              | 33 +++++++++
 .../insufficient_representation.html.erb      |  9 +++
 app/views/sessions/new.html.erb               |  4 +
 config/initializers/omniauth.rb               |  1 +
 config/routes.rb                              |  2 +
 ...0240427124856_add_subject_data_to_users.rb |  7 ++
 db/structure.sql                              | 62 ++--------------
 lib/omniauth/strategies/eid.rb                |  2 +-
 15 files changed, 172 insertions(+), 64 deletions(-)
 create mode 100644 app/models/upvs/assertion.rb
 create mode 100644 app/views/sessions/insufficient_representation.html.erb
 create mode 100644 db/migrate/20240427124856_add_subject_data_to_users.rb

diff --git a/Gemfile.lock b/Gemfile.lock
index fad1fa79..dbcd617e 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -255,7 +255,7 @@ GEM
       snaky_hash (~> 2.0)
       version_gem (~> 1.1)
     oj (3.14.2)
-    omniauth (2.1.1)
+    omniauth (2.1.2)
       hashie (>= 3.4.6)
       rack (>= 2.2.3)
       rack-protection
@@ -295,7 +295,7 @@ GEM
       que (>= 1)
       sinatra
     racc (1.7.1)
-    rack (2.2.8)
+    rack (2.2.9)
     rack-protection (3.0.5)
       rack
     rack-proxy (0.7.6)
diff --git a/app/assets/images/eid-sk.svg b/app/assets/images/eid-sk.svg
index 842451ed..3d4bdd54 100644
--- a/app/assets/images/eid-sk.svg
+++ b/app/assets/images/eid-sk.svg
@@ -16,5 +16,5 @@
     <path fill="#fff" d="M 96.41 314.344 C 97.368 314.362 99.239 314.397 100.895 313.843 C 100.895 313.843 100.859 314.442 100.859 315.132 C 100.859 315.821 100.904 316.421 100.904 316.421 C 99.382 315.911 97.493 315.902 96.41 315.911 L 96.41 319.598 L 94.907 319.598 L 94.907 315.911 C 93.833 315.902 91.944 315.911 90.423 316.421 C 90.423 316.421 90.467 315.821 90.467 315.132 C 90.467 314.433 90.423 313.843 90.423 313.843 C 92.078 314.397 93.949 314.362 94.898 314.344 L 94.898 312.026 C 94.029 312.026 92.776 312.062 91.353 312.536 C 91.353 312.536 91.398 311.945 91.398 311.247 C 91.398 310.558 91.353 309.958 91.353 309.958 C 92.776 310.433 94.029 310.477 94.898 310.468 C 94.853 309 94.423 307.157 94.423 307.157 C 94.423 307.157 95.309 307.219 95.658 307.219 C 96.016 307.219 96.893 307.157 96.893 307.157 C 96.893 307.157 96.464 309 96.419 310.468 C 97.287 310.477 98.541 310.433 99.964 309.958 C 99.964 309.958 99.919 310.558 99.919 311.247 C 99.919 311.945 99.964 312.536 99.964 312.536 C 98.816 312.166 97.615 311.994 96.41 312.026 L 96.41 314.353 L 96.41 314.344 Z" style=""/>
     <path fill="#0b4ea2" d="M 95.658 319.204 C 93.877 319.204 92.929 321.666 92.929 321.666 C 92.929 321.666 92.391 320.502 90.942 320.502 C 89.957 320.502 89.241 321.371 88.776 322.185 C 90.565 325.022 93.421 326.777 95.658 327.859 C 97.896 326.786 100.76 325.022 102.542 322.185 C 102.076 321.379 101.36 320.502 100.375 320.502 C 98.926 320.502 98.389 321.666 98.389 321.666 C 98.389 321.666 97.449 319.204 95.658 319.204 Z" style=""/>
   </g>
-  <text style="fill: rgb(255, 255, 255); font-family: Arial, sans-serif; font-size: 27.6px; font-weight: 700; white-space: pre;" x="133.75" y="254.274">Prihlásiť cez EID</text>
+  <text style="fill: rgb(255, 255, 255); font-family: Arial, sans-serif; font-size: 30.6px; font-weight: 400; white-space: pre;" x="110.75" y="254.274">Cez slovensko.sk</text>
 </svg>
\ No newline at end of file
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index ef33e634..816e9074 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -11,6 +11,11 @@ def create
     end
 
     if new_eid_identity?
+      unless fully_represents_subject?
+        render :insufficient_representation, locals: { eid_token: eid_token }
+        return
+      end
+
       render :new_eid_identity, locals: { eid_token: eid_token }
       return
     end
@@ -25,7 +30,18 @@ def create
     notice = user.previously_new_record? ? 'first_time_login' : 'Prihlásenie úspešné. Vitajte!'
 
     if eid_identity_approval?
-      user.update!(eid_sub: eid_sub_from_auth)
+      assertion = Upvs::Assertion.assertion(eid_token)
+
+      if assertion
+        user.update!(
+          eid_sub: eid_sub_from_auth,
+          subject_name: assertion.subject_name,
+          subject_cin: assertion.subject_cin,
+          subject_edesk_number: assertion.subject_edesk_number,
+          )
+      else
+        user.update!(eid_sub: eid_sub_from_auth)
+      end
     end
 
     unless should_keep_eid_token_in_session?(user.eid_sub)
@@ -57,7 +73,10 @@ def logout
 
   def destroy
     if should_perform_eid_logout?
-      redirect_to eid_token.generate_logout_url(expires_in: 5.minutes)
+      eid_logout_url = eid_token.generate_logout_url(expires_in: 5.minutes)
+      reset_session
+
+      redirect_to eid_logout_url
     else
       logout
     end
@@ -95,4 +114,9 @@ def after_login_redirect_path
     return session[:after_login_callback] if session[:after_login_callback]&.start_with?("/") # Only allow local redirects
     root_path
   end
+
+  def fully_represents_subject?
+    assertion = Upvs::Assertion.assertion(eid_token)
+    assertion&.fully_represents_subject?
+  end
 end
diff --git a/app/models/eid_token.rb b/app/models/eid_token.rb
index af15ef7e..4840c226 100644
--- a/app/models/eid_token.rb
+++ b/app/models/eid_token.rb
@@ -14,7 +14,7 @@ def decoded_token
   end
 
   def sub
-    decoded_token&.first&.fetch('actor')&.fetch('sub')
+    decoded_token&.first&.fetch('sub')
   end
 
   def name
diff --git a/app/models/upvs/assertion.rb b/app/models/upvs/assertion.rb
new file mode 100644
index 00000000..607bd08d
--- /dev/null
+++ b/app/models/upvs/assertion.rb
@@ -0,0 +1,73 @@
+module Upvs
+  class Assertion
+    include ActiveModel::Model
+    attr_accessor(:raw, :subject_name, :subject_id, :subject_cin, :subject_edesk_number, :delegation_type)
+
+    DELEGATION_TYPES = {
+      legal_representation: '0',
+      full_representation: '1',
+      partial_representation: '2',
+    }
+
+    def fully_represents_subject?
+      delegation_type&.to_s&.in?(full_representations)
+    end
+
+    def self.new_from_xml(raw:)
+      return unless raw
+
+      doc  = Nokogiri::XML(raw)
+      return unless doc
+
+      doc.remove_namespaces!
+      doc_attrs = doc.xpath('//Assertion/AttributeStatement/Attribute')
+      return unless doc_attrs
+
+      new(
+        raw:,
+        subject_name: doc_attrs.detect{|n| n['Name'] == 'Subject.FormattedName' }&.xpath('AttributeValue')&.text,
+        subject_id: doc_attrs.detect{|n| n['Name'] == 'SubjectID' }&.xpath('AttributeValue')&.text,
+        subject_cin: doc_attrs.detect{|n| n['Name'] == 'Subject.ICO' }&.xpath('AttributeValue')&.text,
+        subject_edesk_number: doc_attrs.detect{|n| n['Name'] == 'Subject.eDeskNumber' }&.xpath('AttributeValue')&.text,
+        delegation_type: doc_attrs.detect{|n| n['Name'] == 'DelegationType' }&.xpath('AttributeValue')&.text,
+      )
+    end
+
+    def self.assertion(eid_token, client: Faraday, url: "#{ENV.fetch('AUTH_EID_BASE_URL')}/api/upvs/assertion?token=#{eid_token&.api_token}")
+      new_from_xml(raw: get_from_sk_api(client, url, eid_token))
+    end
+
+    def self.get_from_sk_api(client, url, eid_token)
+      headers =  {
+        "Accept": "application/samlassertion+xml",
+        "AUTHORIZATION": "Bearer #{eid_token&.api_token}",
+      }
+
+      response = client.get(url, {}, headers)
+      error =  begin
+                 JSON.parse(response.body)
+                rescue StandardError
+                  nil
+               end
+      if error && error['message']
+        return nil
+      end
+      response.body
+    rescue StandardError => _e
+      raise
+      nil
+    end
+
+    private
+
+    def full_representations
+      [
+        DELEGATION_TYPES[:legal_representation],
+        DELEGATION_TYPES[:full_representation],
+      ]
+    end
+
+    class SkApiError < StandardError
+    end
+  end
+end
diff --git a/app/views/components/_header.html.erb b/app/views/components/_header.html.erb
index 4a0e0c49..e29a5757 100644
--- a/app/views/components/_header.html.erb
+++ b/app/views/components/_header.html.erb
@@ -27,9 +27,6 @@
                 <a href="#" data-turbolinks="false" class="sdn-header__link sdn-header__dropdown-toggle js-dropdown-toggle" aria-controls="subnav-dropdown">
                   <span class="sdn-header__fixed-width-text">
                     <%= current_user.email %>
-                    <% if eid_token&.valid? %>
-                    <sup>EID</sup>
-                  <% end %>
                   </span>
                 </a>
                 <ul class="sdn-header__dropdown" id="subnav-dropdown">
diff --git a/app/views/eid/onboarding/new.html.erb b/app/views/eid/onboarding/new.html.erb
index e396f9da..b86971eb 100644
--- a/app/views/eid/onboarding/new.html.erb
+++ b/app/views/eid/onboarding/new.html.erb
@@ -13,6 +13,10 @@
       <%= image_submit_tag 'google/btn_google_signin_dark_normal.svg', class: 'govuk-link', title: 'Prihlásiť sa cez Google', alt: 'Prihlásiť sa cez Google', style: 'max-width: 300px' %>
     <% end %>
 
+    <%= form_tag(auth_path(:eid), method: :post, class: 'govuk-body govuk-!-margin-bottom-8') do %>
+      <%= image_submit_tag 'eid-sk.svg', class: 'govuk-link', title: 'Prihlásiť sa cez eID', alt: 'Prihlásiť sa cez eID', style: 'max-width: 300px' %>
+    <% end %>
+
     <%= form_tag(auth_path(:magiclink), method: :post, id: 'login-email') do %>
       <fieldset class="govuk-fieldset">
         <div class="govuk-form-group">
diff --git a/app/views/profiles/show.html.erb b/app/views/profiles/show.html.erb
index 6f6be49f..ba9adaf7 100644
--- a/app/views/profiles/show.html.erb
+++ b/app/views/profiles/show.html.erb
@@ -3,6 +3,39 @@
 <div class="govuk-grid-row">
   <div class="govuk-grid-column-two-thirds">
     <div class="govuk-body sdn-content">
+      <% if current_user.subject_name.present? || current_user.subject_edesk_number.present? || current_user.subject_cin.present? %>
+        <h2 class="govuk-heading-l">Vaše identifikačné údaje</h2>
+        <% if current_user.subject_name.present? %>
+          <div class="govuk-text govuk-!-padding-bottom-5">
+            <div style = "color: #505a5f;" class="govuk-!-font-size-19 govuk-!-padding-bottom-1">
+              Meno
+            </div>
+            <div class="govuk-!-font-size-24">
+              <%= current_user.subject_name %>
+            </div>
+          </div>
+        <% end %>
+        <% if current_user.subject_edesk_number.present? %>
+          <div class="govuk-text govuk-!-padding-bottom-5">
+            <div style = "color: #505a5f;" class="govuk-!-font-size-19 govuk-!-padding-bottom-1">
+              Identifikátor schránky
+            </div>
+            <div class="govuk-!-font-size-24">
+              <%= current_user.subject_edesk_number %>
+            </div>
+          </div>
+        <% end %>
+        <% if current_user.subject_cin.present? %>
+          <div class="govuk-text govuk-!-padding-bottom-5">
+            <div style = "color: #505a5f;" class="govuk-!-font-size-19 govuk-!-padding-bottom-1">
+              IČO
+            </div>
+            <div class="govuk-!-font-size-24">
+              <%= current_user.subject_cin %>
+            </div>
+          </div>
+        <% end %>
+      <% end %>
       <h2 class="govuk-heading-l">Nastavenia</h2>
       <div class="govuk-inset-text">Jedného dňa tu pribudne veľa zaujímavých nastavení, ale zatiaľ je to tu také
         prázdne. Ak nám chceš pomôcť testovať novú funkcionalitu Návody.Digital, <%= link_to 'ozvi sa nám', page_path('kontakt') %>.
diff --git a/app/views/sessions/insufficient_representation.html.erb b/app/views/sessions/insufficient_representation.html.erb
new file mode 100644
index 00000000..5001b45b
--- /dev/null
+++ b/app/views/sessions/insufficient_representation.html.erb
@@ -0,0 +1,9 @@
+<%= content_for :title, build_page_title('Chyba pri prihlasovaní') %>
+
+<div class="govuk-grid-row">
+  <div class="govuk-grid-column-two-thirds">
+    <h2 class="govuk-heading-xl">Nastala chyba pri prihlasovaní</h2>
+
+    <p class="govuk-body-lead">Nemáte dostatočné oprávnenia, aby ste mohli zastupovať zvolený subjekt.</p>
+  </div>
+</div>
diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb
index e396f9da..71cdd1d8 100644
--- a/app/views/sessions/new.html.erb
+++ b/app/views/sessions/new.html.erb
@@ -13,6 +13,10 @@
       <%= image_submit_tag 'google/btn_google_signin_dark_normal.svg', class: 'govuk-link', title: 'Prihlásiť sa cez Google', alt: 'Prihlásiť sa cez Google', style: 'max-width: 300px' %>
     <% end %>
 
+    <%= form_tag(auth_path(:eid), method: :post, class: 'govuk-body govuk-!-margin-bottom-8') do %>
+      <%= image_submit_tag 'eid-sk.svg', class: 'govuk-link', title: 'Prihlásiť sa cez slovensko.sk', alt: 'Prihlásiť sa cez slovensko.sk', style: 'max-width: 300px' %>
+    <% end %>
+
     <%= form_tag(auth_path(:magiclink), method: :post, id: 'login-email') do %>
       <fieldset class="govuk-fieldset">
         <div class="govuk-form-group">
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
index ce4882f7..47959a39 100644
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -16,6 +16,7 @@
   }
   provider :eid, {
     config: Rails.application.config_for(:auth).fetch(:eid),
+    callback_path: '/login',
   }
 end
 
diff --git a/config/routes.rb b/config/routes.rb
index 56968cf6..3bebd8f9 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -171,6 +171,8 @@
   get '/auth/failure', to: 'sessions#failure'
   get '/auth/:provider/callback', to: 'sessions#create', as: :auth_callback
   post '/auth/:provider', to: lambda { |_| [404, {}, ["Not Found"]] }, as: :auth
+  get '/login', to: 'sessions#create', as: :login
+  get '/logout', to: 'sessions#destroy', as: :logout
 
   resources :faqs, path: 'casto-kladene-otazky'
   resources :pages, path: '', only: 'show'
diff --git a/db/migrate/20240427124856_add_subject_data_to_users.rb b/db/migrate/20240427124856_add_subject_data_to_users.rb
new file mode 100644
index 00000000..d2734fe8
--- /dev/null
+++ b/db/migrate/20240427124856_add_subject_data_to_users.rb
@@ -0,0 +1,7 @@
+class AddSubjectDataToUsers < ActiveRecord::Migration[6.1]
+  def change
+    add_column :users, :subject_name, :string
+    add_column :users, :subject_cin, :string
+    add_column :users, :subject_edesk_number, :string
+  end
+end
diff --git a/db/structure.sql b/db/structure.sql
index 22e99246..0010d3d2 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -510,8 +510,8 @@ ALTER SEQUENCE public.apps_id_seq OWNED BY public.apps.id;
 CREATE TABLE public.ar_internal_metadata (
     key character varying NOT NULL,
     value character varying,
-    created_at timestamp without time zone NOT NULL,
-    updated_at timestamp without time zone NOT NULL
+    created_at timestamp(6) without time zone NOT NULL,
+    updated_at timestamp(6) without time zone NOT NULL
 );
 
 
@@ -1233,7 +1233,10 @@ CREATE TABLE public.users (
     email text NOT NULL,
     created_at timestamp without time zone NOT NULL,
     updated_at timestamp without time zone NOT NULL,
-    eid_sub character varying
+    eid_sub character varying,
+    subject_name character varying,
+    subject_cin character varying,
+    subject_edesk_number character varying
 );
 
 
@@ -1325,41 +1328,6 @@ CREATE SEQUENCE upvs.form_template_related_documents_id_seq
 ALTER SEQUENCE upvs.form_template_related_documents_id_seq OWNED BY upvs.form_template_related_documents.id;
 
 
---
--- Name: form_template_related_documents_temp; Type: TABLE; Schema: upvs; Owner: -
---
-
-CREATE TABLE upvs.form_template_related_documents_temp (
-    id bigint NOT NULL,
-    posp_id character varying NOT NULL,
-    posp_version character varying NOT NULL,
-    message_type character varying NOT NULL,
-    xsd_schema text,
-    xslt_transformation text,
-    created_at timestamp(6) without time zone NOT NULL,
-    updated_at timestamp(6) without time zone NOT NULL
-);
-
-
---
--- Name: form_template_related_documents_temp_id_seq; Type: SEQUENCE; Schema: upvs; Owner: -
---
-
-CREATE SEQUENCE upvs.form_template_related_documents_temp_id_seq
-    START WITH 1
-    INCREMENT BY 1
-    NO MINVALUE
-    NO MAXVALUE
-    CACHE 1;
-
-
---
--- Name: form_template_related_documents_temp_id_seq; Type: SEQUENCE OWNED BY; Schema: upvs; Owner: -
---
-
-ALTER SEQUENCE upvs.form_template_related_documents_temp_id_seq OWNED BY upvs.form_template_related_documents_temp.id;
-
-
 --
 -- Name: submissions; Type: TABLE; Schema: upvs; Owner: -
 --
@@ -1616,13 +1584,6 @@ ALTER TABLE ONLY upvs.egov_application_allow_rules ALTER COLUMN id SET DEFAULT n
 ALTER TABLE ONLY upvs.form_template_related_documents ALTER COLUMN id SET DEFAULT nextval('upvs.form_template_related_documents_id_seq'::regclass);
 
 
---
--- Name: form_template_related_documents_temp id; Type: DEFAULT; Schema: upvs; Owner: -
---
-
-ALTER TABLE ONLY upvs.form_template_related_documents_temp ALTER COLUMN id SET DEFAULT nextval('upvs.form_template_related_documents_temp_id_seq'::regclass);
-
-
 --
 -- Name: submissions id; Type: DEFAULT; Schema: upvs; Owner: -
 --
@@ -1902,14 +1863,6 @@ ALTER TABLE ONLY upvs.form_template_related_documents
     ADD CONSTRAINT form_template_related_documents_pkey PRIMARY KEY (id);
 
 
---
--- Name: form_template_related_documents_temp form_template_related_documents_temp_pkey; Type: CONSTRAINT; Schema: upvs; Owner: -
---
-
-ALTER TABLE ONLY upvs.form_template_related_documents_temp
-    ADD CONSTRAINT form_template_related_documents_temp_pkey PRIMARY KEY (id);
-
-
 --
 -- Name: submissions submissions_pkey; Type: CONSTRAINT; Schema: upvs; Owner: -
 --
@@ -2486,6 +2439,7 @@ INSERT INTO "schema_migrations" (version) VALUES
 ('20221022143119'),
 ('20230325092744'),
 ('20230325095737'),
-('20230325151049');
+('20230325151049'),
+('20240427124856');
 
 
diff --git a/lib/omniauth/strategies/eid.rb b/lib/omniauth/strategies/eid.rb
index 540b7f9d..fe33b83d 100644
--- a/lib/omniauth/strategies/eid.rb
+++ b/lib/omniauth/strategies/eid.rb
@@ -36,7 +36,7 @@ def callback_phase
       end
 
       def on_callback_path?
-        on_path?('/login')
+        on_path?('/auth/eid/callback') || on_path?('/login')
       end
 
       uid do