Disallow subject login for non-full representation

slovensko-digital · Apr 27, 2024 · 5758e6a · 5758e6a
1 parent 328f5ea
commit 5758e6a
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 7 deletions.
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
@@ -11,6 +11,11 @@ def create
     end
 
     if new_eid_identity?
+      unless fully_represents_subject?
+        render :insufficient_representation, locals: { eid_token: eid_token }
+        return
+      end
+
       render :new_eid_identity, locals: { eid_token: eid_token }
       return
     end
@@ -27,12 +32,16 @@ def create
     if eid_identity_approval?
       assertion = Upvs::Assertion.assertion(eid_token)
 
-      user.update!(
-        eid_sub: eid_sub_from_auth,
-        subject_name: assertion.subject_name,
-        subject_cin: assertion.subject_cin,
-        subject_edesk_number: assertion.subject_edesk_number,
-      )
+      if assertion
+        user.update!(
+          eid_sub: eid_sub_from_auth,
+          subject_name: assertion.subject_name,
+          subject_cin: assertion.subject_cin,
+          subject_edesk_number: assertion.subject_edesk_number,
+          )
+      else
+        user.update!(eid_sub: eid_sub_from_auth)
+      end
     end
 
     unless should_keep_eid_token_in_session?(user.eid_sub)
@@ -105,4 +114,9 @@ def after_login_redirect_path
     return session[:after_login_callback] if session[:after_login_callback]&.start_with?("/") # Only allow local redirects
     root_path
   end
+
+  def fully_represents_subject?
+    assertion = Upvs::Assertion.assertion(eid_token)
+    assertion&.fully_represents_subject?
+  end
 end
diff --git a/app/models/upvs/assertion.rb b/app/models/upvs/assertion.rb
@@ -1,7 +1,17 @@
 module Upvs
   class Assertion
     include ActiveModel::Model
-    attr_accessor(:raw, :subject_name, :subject_id, :subject_cin, :subject_edesk_number)
+    attr_accessor(:raw, :subject_name, :subject_id, :subject_cin, :subject_edesk_number, :delegation_type)
+
+    DELEGATION_TYPES = {
+      legal_representation: '0',
+      full_representation: '1',
+      partial_representation: '2',
+    }
+
+    def fully_represents_subject?
+      delegation_type&.to_s&.in?(full_representations)
+    end
 
     def self.new_from_xml(raw:)
       return unless raw
@@ -19,6 +29,7 @@ def self.new_from_xml(raw:)
         subject_id: doc_attrs.detect{|n| n['Name'] == 'SubjectID' }&.xpath('AttributeValue')&.text,
         subject_cin: doc_attrs.detect{|n| n['Name'] == 'Subject.ICO' }&.xpath('AttributeValue')&.text,
         subject_edesk_number: doc_attrs.detect{|n| n['Name'] == 'Subject.eDeskNumber' }&.xpath('AttributeValue')&.text,
+        delegation_type: doc_attrs.detect{|n| n['Name'] == 'DelegationType' }&.xpath('AttributeValue')&.text,
       )
     end
 
@@ -47,6 +58,14 @@ def self.get_from_sk_api(client, url, eid_token)
       nil
     end
 
+    private
+
+    def full_representations
+      [
+        DELEGATION_TYPES[:legal_representation],
+        DELEGATION_TYPES[:full_representation],
+      ]
+    end
 
     class SkApiError < StandardError
     end

diff --git a/app/views/sessions/insufficient_representation.html.erb b/app/views/sessions/insufficient_representation.html.erb
@@ -0,0 +1,9 @@
+<%= content_for :title, build_page_title('Chyba pri prihlasovaní') %>
+
+<div class="govuk-grid-row">
+  <div class="govuk-grid-column-two-thirds">
+    <h2 class="govuk-heading-xl">Nastala chyba pri prihlasovaní</h2>
+
+    <p class="govuk-body-lead">Nemáte dostatočné oprávnenia aby ste mohli reprezentovať zvolený subjekt.</p>
+  </div>
+</div>