lib/decidim/trusted_ids.rb
# frozen_string_literal: true
require "decidim/trusted_ids/verifications"
require "decidim/trusted_ids/engine"
module Decidim
module TrustedIds
include ActiveSupport::Configurable
def self.omniauth_env(key, default = nil)
ENV.fetch("#{TrustedIds.omniauth_provider.upcase}_#{key}", default)
end
def self.to_bool(val)
ActiveRecord::Type::Boolean.new.deserialize(val.to_s.downcase)
end
def self.omniauth_metadata_attributes
valid_keys = ENV.keys.filter { |key| key.starts_with?("#{TrustedIds.omniauth_provider.upcase}_METADATA_") }
return nil if valid_keys.blank?
valid_keys.to_h do |key|
[key.gsub("#{TrustedIds.omniauth_provider.upcase}_METADATA_", "").downcase.to_sym, ENV[key].split.map(&:to_sym)]
end
end
# The name of the omniauth provider, must be registered in Decidim.
# Leave it empty to disable omniauth authentication.
config_accessor :omniauth_provider do
ENV.fetch("OMNIAUTH_PROVIDER", "valid")
end
# From the data obtained we extract metadata to be saved as part of the authorization
# This data can later be used by the census_authorization handler as to call the webservice
# A hash with keys and how to find it inside hash comming from the OAuth
config_accessor :authorization_metadata do
TrustedIds.omniauth_metadata_attributes || {
expires_at: [:credentials, :expires_at],
identifier_type: [:extra, :identifier_type],
method: [:extra, :method],
assurance_level: [:extra, :assurance_level]
}
end
# setup a hash with :client_id, :client_secret and :site to enable omniauth authentication
config_accessor :omniauth do
{
enabled: TrustedIds.to_bool(ENV.fetch("OMNIAUTH_ENABLED_BY_DEFAULT", TrustedIds.omniauth_env("CLIENT_ID").present?)),
client_id: TrustedIds.omniauth_env("CLIENT_ID"),
client_secret: TrustedIds.omniauth_env("CLIENT_SECRET"),
site: TrustedIds.omniauth_env("SITE", "https://identitats.aoc.cat"),
icon_path: TrustedIds.omniauth_env("ICON", "media/images/#{TrustedIds.omniauth_provider.downcase}-icon.png"),
scope: TrustedIds.omniauth_env("SCOPE", "autenticacio_usuari")
}
end
# which of the former attributes can not set a the /system configuration, there are all the same for all tenants
config_accessor :omniauth_global_attributes do
ENV.fetch("OMNIAUTH_GLOBAL_ATTRIBUTES", "site icon_path scope").split.map(&:to_sym)
end
# wheter to use a custom login screen or the default one
config_accessor :custom_login_screen do
TrustedIds.to_bool(ENV.fetch("CUSTOM_LOGIN_SCREEN", true))
end
# how long the verification will be valid, defaults to 90 days
# if empty or nil, the verification will never expire
config_accessor :verification_expiration_time do
ENV.fetch("VERIFICATION_EXPIRATION_TIME", 90).to_i.days
end
# if false, no notifications will be send to users when automatic verifications are performed
config_accessor :send_verification_notifications do
ENV.has_key?("SEND_VERIFICATION_NOTIFICATIONS") ? TrustedIds.to_bool(ENV.fetch("SEND_VERIFICATION_NOTIFICATIONS")) : true
end
# Linked authorization method that will automatically verify users after getting a valid TrustedIds verification
config_accessor :census_authorization do
{
handler: ENV.has_key?("CENSUS_AUTHORIZATION_HANDLER") ? ENV.fetch("CENSUS_AUTHORIZATION_HANDLER").to_sym : :via_oberta_handler,
form: ENV.fetch("CENSUS_AUTHORIZATION_FORM", "Decidim::ViaOberta::Verifications::ViaObertaHandler"),
env: ENV.fetch("CENSUS_AUTHORIZATION_ENV", "production"),
api_url: ENV.fetch("CENSUS_AUTHORIZATION_API_URL", nil),
# These setting will be added in the organization form at /system as tenant configurable parameters
system_attributes: ENV.fetch("CENSUS_AUTHORIZATION_SYSTEM_ATTRIBUTES", "nif ine municipal_code province_code organization_name").split
}
end
def self.census_config_attributes
return [] if TrustedIds.census_authorization[:handler].blank?
return [] if TrustedIds.census_authorization[:system_attributes].blank?
return [] unless TrustedIds.census_authorization[:system_attributes].is_a?(Array)
TrustedIds.census_authorization[:system_attributes].map do |prop|
[prop.to_sym, String]
end
end
def self.custom_login_screen?
Decidim::TrustedIds.omniauth_provider.present? && Decidim::TrustedIds.custom_login_screen.present?
end
end
end