Class: V0::SignInController

Inherits:

SignIn::ApplicationController

• Object
• ActionController::API
• SignIn::ApplicationController
• V0::SignInController

Defined in:

app/controllers/v0/sign_in_controller.rb

Constant Summary

Constants included from ExceptionHandling

ExceptionHandling::SKIP_SENTRY_EXCEPTION_TYPES

Constants included from SignIn::Authentication

SignIn::Authentication::BEARER_PATTERN

Instance Attribute Summary

Attributes inherited from SignIn::ApplicationController

#current_user

Instance Method Summary

• #anti_csrf_token_param ⇒ Object private
• #auth_service(type, client_id = nil) ⇒ Object private
• #authorize ⇒ Object

  rubocop:disable Metrics/MethodLength.

• #callback ⇒ Object

  rubocop:disable Metrics/MethodLength.

• #client_config(client_id) ⇒ Object private
• #cookie_authentication?(client_id) ⇒ Boolean private
• #create_login_code(state_payload, user_info, credential_level) ⇒ Object private

  rubocop:disable Metrics/MethodLength.

• #delete_cookies ⇒ Object private
• #handle_credential_provider_error(error, type) ⇒ Object private
• #handle_pre_login_error(error, client_id) ⇒ Object private
• #logingov_logout_proxy ⇒ Object
• #logout ⇒ Object

  rubocop:disable Metrics/MethodLength.

• #refresh ⇒ Object
• #refresh_token_param ⇒ Object private
• #render_uplevel_credential(state_payload) ⇒ Object private
• #revoke ⇒ Object
• #revoke_all_sessions ⇒ Object
• #sign_in_logger ⇒ Object private
• #token ⇒ Object
• #token_cookies ⇒ Object private
• #token_params ⇒ Object private
• #validate_authorize_params(type, client_id, acr, operation) ⇒ Object private
• #validate_callback_params(code, state, error) ⇒ Object private

Methods inherited from SignIn::ApplicationController

#cors_preflight

Methods included from Traceable

#set_trace_tags

Methods included from SentryControllerLogging

#set_tags_and_extra_context, #tags_context, #user_context

Methods included from SentryLogging

#log_exception_to_sentry, #log_message_to_sentry, #non_nil_hash?, #normalize_level, #rails_logger, #set_sentry_metadata

Methods included from Headers

#set_app_info_headers

Methods included from ExceptionHandling

#render_errors, #report_mapped_exception, #report_original_exception, #skip_sentry_exception?, #skip_sentry_exception_types

Methods included from SignIn::Instrumentation

#append_info_to_payload, #session

Methods included from SignIn::Authentication

#access_token, #access_token_authenticate, #authenticate, #authenticate_access_token, #bearer_token, #cookie_access_token, #handle_authenticate_error, #load_user, #load_user_object, #scrub_bearer_token, #validate_request_ip

Instance Method Details

#anti_csrf_token_param ⇒ Object (private)

# File 'app/controllers/v0/sign_in_controller.rb', line 331

def anti_csrf_token_param
  params[:anti_csrf_token] || token_cookies[SignIn::Constants::Auth::ANTI_CSRF_COOKIE_NAME]
end

#auth_service(type, client_id = nil) ⇒ Object (private)

# File 'app/controllers/v0/sign_in_controller.rb', line 346

def auth_service(type, client_id = nil)
  SignIn::AuthenticationServiceRetriever.new(type:, client_config: client_config(client_id)).perform
end

#authorize ⇒ Object

rubocop:disable Metrics/MethodLength

# File 'app/controllers/v0/sign_in_controller.rb', line 12

def authorize # rubocop:disable Metrics/MethodLength
  type = params[:type].presence
  client_state = params[:state].presence
  code_challenge = params[:code_challenge].presence
  code_challenge_method = params[:code_challenge_method].presence
  client_id = params[:client_id].presence
  acr = params[:acr].presence
  operation = params[:operation].presence || SignIn::Constants::Auth::AUTHORIZE
  scope = params[:scope].presence

  validate_authorize_params(type, client_id, acr, operation)

  delete_cookies if token_cookies

  acr_for_type = SignIn::AcrTranslator.new(acr:, type:).perform
  state = SignIn::StatePayloadJwtEncoder.new(code_challenge:,
                                             code_challenge_method:,
                                             acr:,
                                             client_config: client_config(client_id),
                                             type:,
                                             client_state:,
                                             scope:).perform
  context = { type:, client_id:, acr:, operation: }

  sign_in_logger.info('authorize', context)
  StatsD.increment(SignIn::Constants::Statsd::STATSD_SIS_AUTHORIZE_SUCCESS,
                   tags: ["type:#{type}", "client_id:#{client_id}", "acr:#{acr}", "operation:#{operation}"])

  render body: auth_service(type, client_id).render_auth(state:, acr: acr_for_type, operation:),
         content_type: 'text/html'
rescue SignIn::Errors::StandardError => e
  sign_in_logger.info('authorize error', { errors: e.message, client_id:, type:, acr: })
  StatsD.increment(SignIn::Constants::Statsd::STATSD_SIS_AUTHORIZE_FAILURE)
  handle_pre_login_error(e, client_id)
rescue => e
  log_message_to_sentry(e.message, :error)
  StatsD.increment(SignIn::Constants::Statsd::STATSD_SIS_AUTHORIZE_FAILURE)
  handle_pre_login_error(e, client_id)
end

#callback ⇒ Object

rubocop:disable Metrics/MethodLength

# File 'app/controllers/v0/sign_in_controller.rb', line 52

def callback # rubocop:disable Metrics/MethodLength
  code = params[:code].presence
  state = params[:state].presence
  error = params[:error].presence

  validate_callback_params(code, state, error)

  state_payload = SignIn::StatePayloadJwtDecoder.new(state_payload_jwt: state).perform
  SignIn::StatePayloadVerifier.new(state_payload:).perform

  handle_credential_provider_error(error, state_payload&.type) if error
  service_token_response = auth_service(state_payload.type, state_payload.client_id).token(code)

  raise SignIn::Errors::CodeInvalidError.new message: 'Code is not valid' unless service_token_response

  user_info = auth_service(state_payload.type,
                           state_payload.client_id).user_info(service_token_response[:access_token])
  credential_level = SignIn::CredentialLevelCreator.new(requested_acr: state_payload.acr,
                                                        type: state_payload.type,
                                                        logingov_acr: service_token_response[:logingov_acr],
                                                        user_info:).perform
  if credential_level.can_uplevel_credential?
    render_uplevel_credential(state_payload)
  else
    create_login_code(state_payload, user_info, credential_level)
  end
rescue SignIn::Errors::StandardError => e
  sign_in_logger.info('callback error', { errors: e.message,
                                          client_id: state_payload&.client_id,
                                          type: state_payload&.type,
                                          acr: state_payload&.acr })
  StatsD.increment(SignIn::Constants::Statsd::STATSD_SIS_CALLBACK_FAILURE)
  handle_pre_login_error(e, state_payload&.client_id)
rescue => e
  log_message_to_sentry(e.message, :error)
  StatsD.increment(SignIn::Constants::Statsd::STATSD_SIS_CALLBACK_FAILURE)
  handle_pre_login_error(e, state_payload&.client_id)
end

#client_config(client_id) ⇒ Object (private)

# File 'app/controllers/v0/sign_in_controller.rb', line 354

def client_config(client_id)
  @client_config ||= {}
  @client_config[client_id] ||= SignIn::ClientConfig.find_by(client_id:)
end

#cookie_authentication?(client_id) ⇒ Boolean (private)

Returns:

• (Boolean)

# File 'app/controllers/v0/sign_in_controller.rb', line 350

def cookie_authentication?(client_id)
  client_config(client_id)&.cookie_auth?
end

#create_login_code(state_payload, user_info, credential_level) ⇒ Object (private)

rubocop:disable Metrics/MethodLength

# File 'app/controllers/v0/sign_in_controller.rb', line 294

def create_login_code(state_payload, user_info, credential_level) # rubocop:disable Metrics/MethodLength
  user_attributes = auth_service(state_payload.type,
                                 state_payload.client_id).normalized_attributes(user_info, credential_level)
  verified_icn = SignIn::AttributeValidator.new(user_attributes:).perform
  user_code_map = SignIn::UserCodeMapCreator.new(
    user_attributes:, state_payload:, verified_icn:, request_ip: request.remote_ip
  ).perform

  context = {
    type: state_payload.type,
    client_id: state_payload.client_id,
    ial: credential_level.current_ial,
    acr: state_payload.acr,
    icn: verified_icn,
    user_uuid: user_info.sub,
    authentication_time: Time.zone.now.to_i - state_payload.created_at
  }
  sign_in_logger.info('callback', context)
  StatsD.increment(SignIn::Constants::Statsd::STATSD_SIS_CALLBACK_SUCCESS,
                   tags: ["type:#{state_payload.type}",
                          "client_id:#{state_payload.client_id}",
                          "ial:#{credential_level.current_ial}",
                          "acr:#{state_payload.acr}"])
  params_hash = { code: user_code_map.login_code, type: user_code_map.type }
  params_hash.merge!(state: user_code_map.client_state) if user_code_map.client_state.present?

  render body: SignIn::RedirectUrlGenerator.new(redirect_uri: user_code_map.client_config.redirect_uri,
                                                terms_code: user_code_map.terms_code,
                                                terms_redirect_uri: user_code_map.client_config.terms_of_use_url,
                                                params_hash:).perform,
         content_type: 'text/html'
end

#delete_cookies ⇒ Object (private)

# File 'app/controllers/v0/sign_in_controller.rb', line 339

def delete_cookies
  cookies.delete(SignIn::Constants::Auth::ACCESS_TOKEN_COOKIE_NAME, domain: :all)
  cookies.delete(SignIn::Constants::Auth::REFRESH_TOKEN_COOKIE_NAME)
  cookies.delete(SignIn::Constants::Auth::ANTI_CSRF_COOKIE_NAME)
  cookies.delete(SignIn::Constants::Auth::INFO_COOKIE_NAME, domain: Settings.sign_in.info_cookie_domain)
end

#handle_credential_provider_error(error, type) ⇒ Object (private)

# File 'app/controllers/v0/sign_in_controller.rb', line 266

def handle_credential_provider_error(error, type)
  if error == SignIn::Constants::Auth::ACCESS_DENIED
    error_message = 'User Declined to Authorize Client'
    error_code = if type == SignIn::Constants::Auth::LOGINGOV
                   SignIn::Constants::ErrorCode::LOGINGOV_VERIFICATION_DENIED
                 else
                   SignIn::Constants::ErrorCode::IDME_VERIFICATION_DENIED
                 end
    raise SignIn::Errors::AccessDeniedError.new message: error_message, code: error_code
  else
    error_message = 'Unknown Credential Provider Issue'
    error_code = SignIn::Constants::ErrorCode::GENERIC_EXTERNAL_ISSUE
    raise SignIn::Errors::CredentialProviderError.new message: error_message, code: error_code
  end
end

#handle_pre_login_error(error, client_id) ⇒ Object (private)

# File 'app/controllers/v0/sign_in_controller.rb', line 254

def handle_pre_login_error(error, client_id)
  if cookie_authentication?(client_id)
    error_code = error.try(:code) || SignIn::Constants::ErrorCode::INVALID_REQUEST
    params_hash = { auth: 'fail', code: error_code, request_id: request.request_id }
    render body: SignIn::RedirectUrlGenerator.new(redirect_uri: client_config(client_id).redirect_uri,
                                                  params_hash:).perform,
           content_type: 'text/html'
  else
    render json: { errors: error }, status: :bad_request
  end
end

#logingov_logout_proxy ⇒ Object

# File 'app/controllers/v0/sign_in_controller.rb', line 214

def logingov_logout_proxy
  state = params[:state].presence

  raise SignIn::Errors::MalformedParamsError.new message: 'State is not defined' unless state

  render body: auth_service(SignIn::Constants::Auth::LOGINGOV).render_logout_redirect(state),
         content_type: 'text/html'
rescue => e
  sign_in_logger.info('logingov_logout_proxy error', { errors: e.message })

  render json: { errors: e }, status: :bad_request
end

#logout ⇒ Object

rubocop:disable Metrics/MethodLength

# File 'app/controllers/v0/sign_in_controller.rb', line 173

def logout # rubocop:disable Metrics/MethodLength
  client_id = params[:client_id].presence
  anti_csrf_token = anti_csrf_token_param.presence

  if client_config(client_id).blank?
    raise SignIn::Errors::MalformedParamsError.new message: 'Client id is not valid'
  end

  unless access_token_authenticate(skip_error_handling: true)
    raise SignIn::Errors::LogoutAuthorizationError.new message: 'Unable to authorize access token'
  end

  session = SignIn::OAuthSession.find_by(handle: @access_token.session_handle)
  raise SignIn::Errors::SessionNotFoundError.new message: 'Session not found' if session.blank?

  credential_type = session.user_verification.credential_type

  SignIn::SessionRevoker.new(access_token: @access_token, anti_csrf_token:).perform
  delete_cookies if token_cookies

  sign_in_logger.info('logout', @access_token.to_s)
  StatsD.increment(SignIn::Constants::Statsd::STATSD_SIS_LOGOUT_SUCCESS)

  logout_redirect = SignIn::LogoutRedirectGenerator.new(credential_type:,
                                                        client_config: client_config(client_id)).perform
  logout_redirect ? redirect_to(logout_redirect) : render(status: :ok)
rescue SignIn::Errors::LogoutAuthorizationError,
       SignIn::Errors::SessionNotAuthorizedError,
       SignIn::Errors::SessionNotFoundError => e
  sign_in_logger.info('logout error', { errors: e.message })
  StatsD.increment(SignIn::Constants::Statsd::STATSD_SIS_LOGOUT_FAILURE)
  logout_redirect = SignIn::LogoutRedirectGenerator.new(client_config: client_config(client_id)).perform

  logout_redirect ? redirect_to(logout_redirect) : render(status: :ok)
rescue => e
  sign_in_logger.info('logout error', { errors: e.message })
  StatsD.increment(SignIn::Constants::Statsd::STATSD_SIS_LOGOUT_FAILURE)

  render json: { errors: e }, status: :bad_request
end

#refresh ⇒ Object

# File 'app/controllers/v0/sign_in_controller.rb', line 105

def refresh
  refresh_token = refresh_token_param.presence
  anti_csrf_token = anti_csrf_token_param.presence

  raise SignIn::Errors::MalformedParamsError.new message: 'Refresh token is not defined' unless refresh_token

  decrypted_refresh_token = SignIn::RefreshTokenDecryptor.new(encrypted_refresh_token: refresh_token).perform
  session_container = SignIn::SessionRefresher.new(refresh_token: decrypted_refresh_token,
                                                   anti_csrf_token:).perform
  serializer_response = SignIn::TokenSerializer.new(session_container:,
                                                    cookies: token_cookies).perform

  sign_in_logger.info('refresh', session_container.context)
  StatsD.increment(SignIn::Constants::Statsd::STATSD_SIS_REFRESH_SUCCESS)

  render json: serializer_response, status: :ok
rescue SignIn::Errors::MalformedParamsError => e
  sign_in_logger.info('refresh error', { errors: e.message })
  StatsD.increment(SignIn::Constants::Statsd::STATSD_SIS_REFRESH_FAILURE)
  render json: { errors: e }, status: :bad_request
rescue SignIn::Errors::StandardError => e
  sign_in_logger.info('refresh error', { errors: e.message })
  StatsD.increment(SignIn::Constants::Statsd::STATSD_SIS_REFRESH_FAILURE)
  render json: { errors: e }, status: :unauthorized
end

#refresh_token_param ⇒ Object (private)

# File 'app/controllers/v0/sign_in_controller.rb', line 327

def refresh_token_param
  params[:refresh_token] || token_cookies[SignIn::Constants::Auth::REFRESH_TOKEN_COOKIE_NAME]
end

#render_uplevel_credential(state_payload) ⇒ Object (private)

# File 'app/controllers/v0/sign_in_controller.rb', line 282

def render_uplevel_credential(state_payload)
  acr_for_type = SignIn::AcrTranslator.new(acr: state_payload.acr, type: state_payload.type, uplevel: true).perform
  state = SignIn::StatePayloadJwtEncoder.new(code_challenge: state_payload.code_challenge,
                                             code_challenge_method: SignIn::Constants::Auth::CODE_CHALLENGE_METHOD,
                                             acr: state_payload.acr,
                                             client_config: client_config(state_payload.client_id),
                                             type: state_payload.type,
                                             client_state: state_payload.client_state).perform
  render body: auth_service(state_payload.type, state_payload.client_id).render_auth(state:, acr: acr_for_type),
         content_type: 'text/html'
end

#revoke ⇒ Object

# File 'app/controllers/v0/sign_in_controller.rb', line 131

def revoke
  refresh_token = params[:refresh_token].presence
  anti_csrf_token = params[:anti_csrf_token].presence
  device_secret = params[:device_secret].presence

  raise SignIn::Errors::MalformedParamsError.new message: 'Refresh token is not defined' unless refresh_token

  decrypted_refresh_token = SignIn::RefreshTokenDecryptor.new(encrypted_refresh_token: refresh_token).perform
  SignIn::SessionRevoker.new(refresh_token: decrypted_refresh_token, anti_csrf_token:, device_secret:).perform

  sign_in_logger.info('revoke', decrypted_refresh_token.to_s)
  StatsD.increment(SignIn::Constants::Statsd::STATSD_SIS_REVOKE_SUCCESS)

  render status: :ok
rescue SignIn::Errors::MalformedParamsError => e
  sign_in_logger.info('revoke error', { errors: e.message })
  StatsD.increment(SignIn::Constants::Statsd::STATSD_SIS_REVOKE_FAILURE)

  render json: { errors: e }, status: :bad_request
rescue SignIn::Errors::StandardError => e
  sign_in_logger.info('revoke error', { errors: e.message })
  StatsD.increment(SignIn::Constants::Statsd::STATSD_SIS_REVOKE_FAILURE)

  render json: { errors: e }, status: :unauthorized
end

#revoke_all_sessions ⇒ Object

# File 'app/controllers/v0/sign_in_controller.rb', line 157

def revoke_all_sessions
  session = SignIn::OAuthSession.find_by(handle: @access_token.session_handle)
  raise SignIn::Errors::SessionNotFoundError.new message: 'Session not found' if session.blank?

  SignIn::RevokeSessionsForUser.new(user_account: session.user_account).perform

  sign_in_logger.info('revoke all sessions', @access_token.to_s)
  StatsD.increment(SignIn::Constants::Statsd::STATSD_SIS_REVOKE_ALL_SESSIONS_SUCCESS)

  render status: :ok
rescue SignIn::Errors::StandardError => e
  sign_in_logger.info('revoke all sessions error', { errors: e.message })
  StatsD.increment(SignIn::Constants::Statsd::STATSD_SIS_REVOKE_ALL_SESSIONS_FAILURE)
  render json: { errors: e }, status: :unauthorized
end

#sign_in_logger ⇒ Object (private)

# File 'app/controllers/v0/sign_in_controller.rb', line 359

def sign_in_logger
  @sign_in_logger = SignIn::Logger.new(prefix: self.class)
end

#token ⇒ Object

# File 'app/controllers/v0/sign_in_controller.rb', line 91

def token
  SignIn::TokenParamsValidator.new(params: token_params).perform
  response_body = SignIn::TokenResponseGenerator.new(params: token_params, cookies: token_cookies).perform

  sign_in_logger.info('token')
  StatsD.increment(SignIn::Constants::Statsd::STATSD_SIS_TOKEN_SUCCESS)

  render json: response_body, status: :ok
rescue SignIn::Errors::StandardError => e
  sign_in_logger.info('token error', { errors: e.message })
  StatsD.increment(SignIn::Constants::Statsd::STATSD_SIS_TOKEN_FAILURE)
  render json: { errors: e }, status: :bad_request
end

#token_cookies ⇒ Object (private)

# File 'app/controllers/v0/sign_in_controller.rb', line 335

def token_cookies
  @token_cookies ||= defined?(cookies) ? cookies : nil
end

#token_params ⇒ Object (private)

# File 'app/controllers/v0/sign_in_controller.rb', line 249

def token_params
  params.permit(:grant_type, :code, :code_verifier, :client_assertion, :client_assertion_type,
                :assertion, :subject_token, :subject_token_type, :actor_token, :actor_token_type, :client_id)
end

#validate_authorize_params(type, client_id, acr, operation) ⇒ Object (private)

# File 'app/controllers/v0/sign_in_controller.rb', line 229

def validate_authorize_params(type, client_id, acr, operation)
  if client_config(client_id).blank?
    raise SignIn::Errors::MalformedParamsError.new message: 'Client id is not valid'
  end
  unless client_config(client_id).valid_credential_service_provider?(type)
    raise SignIn::Errors::MalformedParamsError.new message: 'Type is not valid'
  end
  unless SignIn::Constants::Auth::OPERATION_TYPES.include?(operation)
    raise SignIn::Errors::MalformedParamsError.new message: 'Operation is not valid'
  end
  unless client_config(client_id).valid_service_level?(acr)
    raise SignIn::Errors::MalformedParamsError.new message: 'ACR is not valid'
  end
end

#validate_callback_params(code, state, error) ⇒ Object (private)

# File 'app/controllers/v0/sign_in_controller.rb', line 244

def validate_callback_params(code, state, error)
  raise SignIn::Errors::MalformedParamsError.new message: 'Code is not defined' unless code || error
  raise SignIn::Errors::MalformedParamsError.new message: 'State is not defined' unless state
end