Validation of user certificates

app/controllers/account_controller.rb

@@ -1,5 +1,6 @@
 class AccountController < BaseController
   before_action :set_pagy_params, only: :index
+  before_action :find_request_ip, only: :switch_user
 
   # rubocop:disable Metrics/MethodLength
   def index
@@ -63,7 +64,8 @@ def switch_user
 
     sign_out
     uuid = store_auth_info(token: @response.token,
-                           data: @response.registrar)
+                           data: @response.registrar,
+                           request_ip: @request_ip)
     sign_in uuid
     flash.notice = @message
     redirect_to account_path
@@ -103,4 +105,8 @@ def format_csv
     filename = "account_activities_#{Time.zone.now.to_formatted_s(:number)}.csv"
     send_data raw_csv, filename: filename, type: "#{Mime[:csv]}; charset=utf-8"
   end
+
+  def find_request_ip
+    @request_ip = auth_info[:request_ip]
+  end
 end

app/controllers/application_controller.rb

@@ -36,7 +36,7 @@ def sign_out
 
   def sign_in(uuid)
     session[:uuid] = uuid
-    cookies.delete(:ip_address)
+    cookies.delete(:request_ip)
   end
 
   def reset_bulk_change_cache
@@ -75,14 +75,15 @@ def respond(msg, dialog: false)
     end
   end
 
-  def store_auth_info(token:, data:)
+  def store_auth_info(token:, request_ip:, data:)
     uuid = SecureRandom.uuid
     Rails.cache.write(uuid, { username: data[:username],
                               registrar_name: data[:registrar_name],
                               role: data[:roles].first,
                               legaldoc_mandatory: data[:legaldoc_mandatory],
                               address_processing: data[:address_processing],
                               token: token,
+                              request_ip: request_ip,
                               abilities: data[:abilities] }, expires_in: 18.hours)
     uuid
   end

app/controllers/auth/auth_controller.rb

@@ -8,9 +8,10 @@ def create
       result = conn.call_action
       handle_response(result); return if performed?
 
-      uuid = store_auth_info(token: conn.auth_token,
-                             data: @response)
+      uuid = store_auth_info(token: conn.auth_token, request_ip: auth_info[:request_ip], data: @response)
+
       sign_in uuid
+
       redirect_to dashboard_url, notice: I18n.t('auth.sessions.logged_in')
     end
 

app/controllers/auth/sessions_controller.rb

@@ -21,12 +21,15 @@ def user_payload
       {
         username: auth_params[:username],
         password: auth_params[:password],
-        request_ip: cookies[:ip_address] || request.ip,
+        request_ip: cookies[:request_ip] || request.ip,
+        requester: 'webclient',
+        user_cert: request.env['HTTP_SSL_CLIENT_CERT'],
+        user_cert_cn: request.env['HTTP_SSL_CLIENT_S_DN_CN'],
       }
     end
 
     def save_ip_address
-      cookies[:ip_address] = {
+      cookies[:request_ip] = {
         value: request.ip,
         expires: 1.day.from_now, # Adjust the expiration as needed
         secure: Rails.env.production?, # Set to true for secure cookies in production

app/controllers/auth/tara_controller.rb

@@ -1,15 +1,13 @@
 module Auth
   class TaraController < AuthController
-    before_action :require_no_authentication, only: %i[callback]
+    before_action :require_no_authentication, only: :callback
 
     def callback
       conn = ApiConnector::Auth::OmniauthTaraChecker.new(username: nil)
-      result = conn.call_action(payload: tara_payload)
+      result = conn.call_action(params: tara_callback_params)
       handle_response(result); return if performed?
 
-      create do
-        { username: @response.username, token: @response.token, request_ip: cookies[:ip_address] }
-      end
+      create { user_payload }
     end
 
     def cancel
@@ -18,14 +16,23 @@ def cancel
 
     private
 
-    def tara_payload
+    def tara_callback_params
       {
         auth: {
           uid: omniauth_user_hash.try(:uid),
         },
       }
     end
 
+    def user_payload
+      {
+        username: @response.username,
+        token: @response.token,
+        request_ip: cookies[:request_ip] || request.ip,
+        requester: 'tara'
+      }
+    end
+
     def omniauth_user_hash
       request.env['omniauth.auth']&.delete_if { |key, _| key == 'credentials' }
     end

app/services/api_connector.rb

@@ -10,6 +10,9 @@ class ApiConnector
   def initialize(username:, password: nil, token: nil, **other_options)
     @auth_token = token || generate_token(username: username, password: password)
     @request_ip = other_options[:request_ip]
+    @requester = other_options[:requester]
+    @user_cert = other_options[:user_cert]
+    @user_cert_cn = other_options[:user_cert_cn]
   end
 
   def self.call(**args)
@@ -90,7 +93,10 @@ def base_headers
     headers = {
       'Authorization' => "Basic #{@auth_token}",
     }
-    headers.merge!({ 'X-Client-IP' => @request_ip }) if @request_ip
+    headers.merge!({ 'Request-IP' => @request_ip }) if @request_ip
+    headers.merge!({ 'Requester' => @requester }) if @requester
+    headers.merge!({ 'User-Certificate' => @user_cert }) if @user_cert
+    headers.merge!({ 'User-Certificate-CN' => @user_cert_cn }) if @user_cert_cn
     headers
   end
 

app/services/api_connector/auth/omniauth_tara_checker.rb

@@ -9,9 +9,8 @@ class OmniauthTaraChecker < ApiConnector
         endpoint: '/registrar/auth/tara_callback',
       }.freeze
 
-      def check_omniauth_user_info(payload: nil)
-        request(url: endpoint_url,
-                method: method, params: payload)
+      def check_omniauth_user_info(params: nil)
+        request(url: endpoint_url, method: method, params: params)
       end
     end
   end