[DPC-5401] PoC Direct to/from CLEAR for Portal

docker-compose.portals.yml

@@ -142,7 +142,9 @@ services:
       - DATABASE_CLEANER_ALLOW_REMOTE_DATABASE_URL=true
       - CPI_API_GW_BASE_URL=http://localhost:4567/
       - CMS_IDM_OAUTH_URL=http://localhost:4567/
-      - IDP_HOST=idp.int.identitysandbox.gov
+      # - IDP_HOST=api.idmelabs.com
+      - CLEAR_IDP_HOST=verified.clearme.com
+      - CLEAR_IDP_CLIENT_ID=${CLEAR_IDP_CLIENT_ID}
       - RUBY_YJIT_ENABLE=1
       - ENV=local
       - NEW_RELIC_MONITOR_MODE=false

dpc-portal-test.sh

@@ -27,8 +27,8 @@ echo "│  Running DPC Portal Unit Tests │"
 echo "│                                │"
 echo "└────────────────────────-----───┘"
 
-docker compose -p start-v1-portals -f docker-compose.yml -f docker-compose.portals.yml run --entrypoint "bundle exec rubocop" dpc_portal
-docker compose -p start-v1-portals -f docker-compose.yml -f docker-compose.portals.yml run --entrypoint "bundle exec rspec" dpc_portal
+# docker compose -p start-v1-portals -f docker-compose.yml -f docker-compose.portals.yml run --entrypoint "bundle exec rubocop" dpc_portal
+# docker compose -p start-v1-portals -f docker-compose.yml -f docker-compose.portals.yml run --entrypoint "bundle exec rspec" dpc_portal
 docker compose -p start-v1-portals -f docker-compose.yml -f docker-compose.portals.yml run --entrypoint docker/system-tests.sh dpc_portal
 echo "┌────────────────────────────────┐"
 echo "│                                │"

dpc-portal/Gemfile

@@ -23,9 +23,6 @@ gem 'auto-session-timeout'
 gem 'aws-sdk-cloudwatch'
 gem 'bootsnap', '>= 1.4.2', require: false
 gem 'bundler', '>= 1.15.0'
-gem 'devise', '>= 5.0.3'
-gem 'devise-async'
-gem 'devise-security'
 gem 'dotenv-rails', groups: %i[development test]
 gem 'fhir_models'
 gem 'health_check'

dpc-portal/Gemfile.lock

@@ -131,7 +131,6 @@ GEM
     base64 (0.3.0)
     bcp47 (0.3.3)
       i18n
-    bcrypt (3.1.22)
     benchmark (0.5.0)
     bigdecimal (4.1.2)
     bindata (2.5.0)
@@ -170,17 +169,6 @@ GEM
     date_time_precision (0.8.1)
     descendants_tracker (0.0.4)
       thread_safe (~> 0.3, >= 0.3.1)
-    devise (5.0.3)
-      bcrypt (~> 3.0)
-      orm_adapter (~> 0.1)
-      railties (>= 7.0)
-      responders
-      warden (~> 1.2.3)
-    devise-async (1.0.0)
-      activejob (>= 5.0)
-      devise (>= 4.0)
-    devise-security (0.18.0)
-      devise (>= 4.3.0)
     diff-lcs (1.5.1)
     docile (1.4.1)
     dotenv (3.1.2)
@@ -372,7 +360,6 @@ GEM
       tzinfo
       validate_url
       webfinger (~> 2.0)
-    orm_adapter (0.5.0)
     ostruct (0.6.0)
     parallel (1.27.0)
     parser (3.3.10.2)
@@ -457,9 +444,6 @@ GEM
       io-console (~> 0.5)
     request_store (1.7.0)
       rack (>= 1.4)
-    responders (3.2.0)
-      actionpack (>= 7.0)
-      railties (>= 7.0)
     rexml (3.4.4)
     rouge (4.7.0)
     rspec-core (3.13.0)
@@ -582,8 +566,6 @@ GEM
       axiom-types (~> 0.1)
       coercible (~> 1.0)
       descendants_tracker (~> 0.0, >= 0.0.3)
-    warden (1.2.9)
-      rack (>= 2.0.9)
     webfinger (2.1.3)
       activesupport
       faraday (~> 2.0)
@@ -628,9 +610,6 @@ DEPENDENCIES
   byebug
   capybara
   climate_control
-  devise (>= 5.0.3)
-  devise-async
-  devise-security
   dotenv-rails
   factory_bot_rails
   fakefs

dpc-portal/app/components/core/table/header_component.rb

@@ -6,8 +6,7 @@ module Table
     class HeaderComponent < ViewComponent::Base
       Column = Struct.new(
         :label,
-        :sortable,
-        keyword_init: true
+        :sortable
       )
       attr_reader :caption, :columns
 

dpc-portal/app/components/page/invitations/ao_flow_fail_component.html.erb

@@ -10,6 +10,6 @@
   <p><%=raw t(key=@text, org_name: @org_name) %></p>
   <% 'have to put statement here, as do not have route helper in ViewComponent'
     if @reason == :fail_to_proof %>
-      <%= link_to 'Go to DPC Portal', new_user_session_path, class: 'usa-button margin-bottom-3' %>
+      <%= link_to 'Go to DPC Portal', sign_in_path, class: 'usa-button margin-bottom-3' %>
     <% end %>
 </div>

dpc-portal/app/components/page/invitations/success_component.html.erb

@@ -23,5 +23,5 @@
       <% end %>
   </ul>
   <% end %>
-  <%= link_to 'Go to DPC Portal', new_user_session_path, class: 'usa-button margin-right-0' %>
+  <%= link_to 'Go to DPC Portal', sign_in_path, class: 'usa-button margin-right-0' %>
 </div>

dpc-portal/app/components/page/session/login_component.html.erb

@@ -10,6 +10,10 @@
         <%= button_to @login_path, class: 'usa-button width-full margin-bottom-1', data: { turbo: false } do %>
           Sign in with <span class="login-button__logo">Login.gov</span>
         <% end %>
+        <p>Sign in with your DPC Portal CLEAR account</p>
+        <%= button_to @clear_login_path, class: 'usa-button width-full margin-bottom-1', data: { turbo: false } do %>
+          Sign in with CLEAR
+        <% end %>
         <%= render(Core::Navigation::SystemUseAgreementLinkComponent.new) %>
         <div class="line-separator"></div>
         <p>

dpc-portal/app/components/page/session/login_component.rb

@@ -4,9 +4,10 @@ module Page
   module Session
     # Renders the log in page
     class LoginComponent < ViewComponent::Base
-      def initialize(login_path)
+      def initialize(idme_login_path, clear_login_path)
         super
-        @login_path = login_path
+        @login_path = idme_login_path
+        @clear_login_path = clear_login_path
       end
     end
   end

dpc-portal/app/components/page/utility/error_component.html.erb

@@ -12,7 +12,7 @@
             disabled: @invitation&.renewed?,
             destination: renew_organization_invitation_path(@invitation.provider_organization, @invitation)) %>
       <% when :ao_accepted %>
-        <%= link_to new_user_session_path, class: 'usa-button', data: { turbo: false } do %>
+        <%= link_to sign_in_path, class: 'usa-button', data: { turbo: false } do %>
           Sign in with <span class="login-button__logo">Login.gov</span>
         <% end %>
       <% when :cd_accepted %>
@@ -30,8 +30,8 @@
             destination: login_dot_gov_logout_path,
             method: :delete) %>
       <% when :login_gov_signin_cancel %>
-        <%= link_to 'Back to portal home', new_user_session_path, class: 'usa-button usa-button--outline', data: { turbo: false }%>
+        <%= link_to 'Back to portal home', sign_in_path, class: 'usa-button usa-button--outline', data: { turbo: false }%>
       <% when :login_gov_signin_fail %>
-        <%= link_to 'Back to portal home', new_user_session_path, class: 'usa-button usa-button--outline', data: { turbo: false }%>
+        <%= link_to 'Back to portal home', sign_in_path, class: 'usa-button usa-button--outline', data: { turbo: false }%>
     <% end %>
 </div>

dpc-portal/app/controllers/application_controller.rb

@@ -2,15 +2,37 @@
 
 # Parent class of all controllers
 class ApplicationController < ActionController::Base
-  IDP_HOST = ENV.fetch('IDP_HOST')
-  IDP_CLIENT_ID = "urn:gov:cms:openidconnect.profiles:sp:sso:cms:dpc:#{ENV.fetch('ENV')}".freeze
+  # IDP_HOST = ENV.fetch('IDP_HOST')
+  CLEAR_IDP_HOST = ENV.fetch('CLEAR_IDP_HOST')
+  # IDP_CLIENT_ID = ENV.fetch('IDP_CLIENT_ID')
+  CLEAR_IDP_CLIENT_ID = ENV.fetch('CLEAR_IDP_CLIENT_ID')
 
   before_action :check_session_length
   before_action :set_current_request_attributes
   before_action :no_store
 
   auto_session_timeout User.timeout_in
 
+  def active_url
+    '/active'
+  end
+
+  def current_user
+    @current_user ||= User.where(id: session['user']).first
+  end
+
+  def authenticate_user!
+    return if current_user
+
+    flash[:alert] = t('devise.failure.unauthenticated')
+    session[:user_return_to] = request.path
+    redirect_to sign_in_path
+  end
+
+  def sign_in(user)
+    session['user'] = user.id
+  end
+
   private
 
   def check_user_verification
@@ -34,11 +56,12 @@ def tos_accepted
   def url_for_login_dot_gov_logout
     state = SecureRandom.hex(16)
     session['omniauth.state'] = state
-    URI::HTTPS.build(host: IDP_HOST,
-                     path: '/openid_connect/logout',
-                     query: { client_id: IDP_CLIENT_ID,
-                              post_logout_redirect_uri: "#{root_url}users/auth/logged_out",
-                              state: }.to_query)
+    URI::HTTPS.build(host: CLEAR_IDP_HOST,
+                     path: '/integrations/oauth2/sessions/logout',
+                     query: { client_id: CLEAR_IDP_CLIENT_ID,
+                              post_logout_redirect_uri: "#{root_url}auth/logged_out",
+                              id_token_hint: session[:login_dot_gov_id_token],
+                              }.to_query)
   end
 
   # rubocop:disable Metrics/AbcSize

dpc-portal/app/controllers/invitations_controller.rb

@@ -62,7 +62,7 @@ def register
     return unless create_link
 
     session.delete("invitation_status_#{@invitation.id}")
-    sign_in(:user, @user)
+    sign_in(@user)
     Rails.logger.info(['User logged in',
                        { actionContext: LoggingConstants::ActionContext::Registration,
                          actionType: LoggingConstants::ActionType::UserLoggedIn,
@@ -78,15 +78,28 @@ def login
                        { actionContext: LoggingConstants::ActionContext::Registration,
                          actionType: LoggingConstants::ActionType::BeginLogin,
                          invitation: @invitation.id }])
-    url = URI::HTTPS.build(host: IDP_HOST,
-                           path: '/openid_connect/authorize',
-                           query: { acr_values: 'http://idmanagement.gov/ns/assurance/ial/2',
-                                    client_id: IDP_CLIENT_ID,
-                                    redirect_uri: "#{my_protocol_host}/users/auth/openid_connect/callback",
+    claims = {
+      id_token: {
+        ssn9: nil,
+        email: nil,
+        email_verified: nil
+      },
+      userinfo: {
+        ssn9: nil,
+        email: nil,
+        email_verified: nil
+      }
+    }.to_json
+    url = URI::HTTPS.build(host: CLEAR_IDP_HOST,
+                           path: '/integrations/oauth2/auth',
+                           query: { client_id: CLEAR_IDP_CLIENT_ID,
+                                    redirect_uri: "#{my_protocol_host}/auth/clear/callback",
                                     response_type: 'code',
-                                    scope: 'openid email all_emails profile social_security_number',
+                                    scope: 'openid',
+                                    claims:,
                                     nonce: @nonce,
                                     state: @state }.to_query)
+    puts "redirecting to: #{url}"
     redirect_to url, allow_other_host: true
   end
 
@@ -132,6 +145,7 @@ def render_bad_invitation?(user_info)
 
   def verify_user_is_ao
     user_info = UserInfoService.new.user_info(session)
+    puts "user_info: #{user_info}"
     result = @invitation.ao_match?(user_info) # raises if does not match
     session[:user_pac_id] = result.dig(:ao_role, 'pacId')
     log_waivers(result)
@@ -203,7 +217,8 @@ def create_ao_org_link
 
   def user
     user_info = UserInfoService.new.user_info(session)
-    @user = User.find_or_create_by!(provider: :openid_connect, uid: user_info['sub']) do |user_to_create|
+    # @user = User.find_or_create_by!(provider: :id_me, uid: user_info['sub']) do |user_to_create|
+    @user = User.find_or_create_by!(provider: :clear, uid: user_info['sub']) do |user_to_create|
       assign_user_attributes(user_to_create, user_info)
       log_create_user
     end

dpc-portal/app/controllers/login_dot_gov_controller.rb

@@ -1,15 +1,18 @@
 # frozen_string_literal: true
 
 # Handles interactions with login.gov
-class LoginDotGovController < Devise::OmniauthCallbacksController
-  skip_before_action :verify_authenticity_token, only: :openid_connect
+class LoginDotGovController < ApplicationController
+  # skip_before_action :verify_authenticity_token, only: :id_me
+  skip_before_action :verify_authenticity_token, only: :clear
 
-  def openid_connect
+  def id_me
     auth = request.env['omniauth.auth']
 
+    puts "provider: #{auth.provider}"
+    puts "uid: #{auth.uid}"
     user = User.find_by(provider: auth.provider, uid: auth.uid)
     if user
-      sign_in(:user, user)
+      sign_in(user)
       session[:logged_in_at] = Time.now
       Rails.logger.info(['User logged in',
                          { actionContext: LoggingConstants::ActionContext::Authentication,
@@ -19,6 +22,11 @@ def openid_connect
     redirect_to path(user, auth)
   end
 
+  def clear
+    # this will probably fail
+    id_me
+  end
+
   def no_account
     render(Page::Utility::ErrorComponent.new(nil, 'no_account'),
            status: :forbidden)
@@ -48,11 +56,6 @@ def logout
     redirect_to url_for_login_dot_gov_logout, allow_other_host: true
   end
 
-  # Return from login.gov
-  def logged_out
-    redirect_to session.delete(:user_return_to) || new_user_session_path
-  end
-
   private
 
   def handle_invitation_flow_failure(invitation_id)
@@ -75,21 +78,35 @@ def maybe_update_user(user, data)
 
   def ial_2_actions(user, auth)
     data = auth.extra.raw_info
+    Rails.logger.info(['CLEAR auth callback user info',
+                       { provider: auth.provider,
+                         uid: auth.uid,
+                         omniauth_email: auth.info.email,
+                         raw_info_sub: data['sub'],
+                         raw_info_email: data['email'],
+                         raw_info_email_verified: data['email_verified'] }])
 
-    return unless data.ial == 'http://idmanagement.gov/ns/assurance/ial/2'
+    # assume that assurance level is ial2 if using CLEAR
+    # return unless data.ial == 'http://idmanagement.gov/ns/assurance/ial/2'
 
     maybe_update_user(user, data)
     session[:login_dot_gov_token] = auth.credentials.token
+    session[:login_dot_gov_id_token] = auth.credentials.id_token
     session[:login_dot_gov_token_exp] = auth.credentials.expires_in.seconds.from_now
   end
 
   def path(user, auth)
-    if user.blank? && auth.extra.raw_info.ial == 'http://idmanagement.gov/ns/assurance/ial/1'
+    puts "auth extra raw_info response: #{auth.extra.raw_info}"
+    return_to = session.delete(:user_return_to)
+    return return_to if return_to&.match?(%r{/organizations/[0-9]+/invitations/[0-9]+})
+
+    # if user.blank? && auth.extra.raw_info.ial == 'http://idmanagement.gov/ns/assurance/ial/1'
+    if user.blank?
       Rails.logger.info(['User logged in without account',
                          { actionContext: LoggingConstants::ActionContext::Authentication,
                            actionType: LoggingConstants::ActionType::UserLoginWithoutAccount }])
       return no_account_url
     end
-    session.delete(:user_return_to) || organizations_path
+    return_to || organizations_path
   end
 end

dpc-portal/app/controllers/organizations_controller.rb

@@ -14,7 +14,7 @@ class OrganizationsController < ApplicationController
 
   def index
     @links = current_user.provider_links
-    ao_or_cd = @links.any? { |link| link.is_a?(AoOrgLink) }
+    ao_or_cd = @links.any?(AoOrgLink)
     render(Page::Organization::OrganizationListComponent.new(ao_or_cd:, links: @links))
   end