Add OneLogin flow for Jobseekers

.env.test

@@ -6,6 +6,8 @@ DFE_SIGN_IN_SUPPORT_USER_ROLE_ID=test-support-user-role-id
 DFE_SIGN_IN_URL=https://test-url.local
 DISABLE_EMAILS=false
 DOMAIN=localhost:3000
+GOVUK_ONE_LOGIN_BASE_URL=https://test-onelogin-url.local
+GOVUK_ONE_LOGIN_CLIENT_ID=one_login_client_id
 VACANCY_SOURCE_UNITED_LEARNING_FEED_URL=http://example.com/feed.xml
 VACANCY_SOURCE_VENTRUS_FEED_URL=http://example.com/feed.xml
 VACANCY_SOURCE_FUSION_FEED_URL=http://example.com/feed.json

.github/workflows/build_and_deploy.yml

@@ -95,6 +95,7 @@ jobs:
         with:
           build-args: |
             BUILDKIT_INLINE_CACHE=1
+            RAILS_MASTER_KEY=${{ secrets.RAILS_MASTER_KEY }}
           # Cache from builder target tagged with branch name, may be empty first time branch is pushed
           # Cache from builder target tagged with main branch name, always present, maybe less recent
           cache-from: |
@@ -111,6 +112,7 @@ jobs:
           build-args: |
             BUILDKIT_INLINE_CACHE=1
             COMMIT_SHA=${{ env.COMMIT_SHA }}
+            RAILS_MASTER_KEY=${{ secrets.RAILS_MASTER_KEY }}
           # Cache from builder target built above, always present
           # Cache from production target tagged with branch name, may be empty first time branch is pushed
           # Cache from production target tagged with main branch name, always present, maybe less recent

.github/workflows/lint.yml

@@ -72,8 +72,9 @@ jobs:
     runs-on: ubuntu-20.04
 
     env:
-      RAILS_ENV: test
       DATABASE_URL: postgis://postgres:postgres@localhost:5432/tvs_test
+      RAILS_ENV: test
+      RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
 
     services:
       postgres:

.github/workflows/test.yml

@@ -32,8 +32,9 @@ jobs:
             params: '--exclude-pattern "spec/{system}/*_spec.rb, spec/system/{jobseekers,publishers,support_users,other}/*_spec.rb"'
 
     env:
-      RAILS_ENV: test
       DATABASE_URL: postgis://postgres:postgres@localhost:5432/tvs_test
+      RAILS_ENV: test
+      RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
 
     services:
       postgres:

Dockerfile

@@ -32,9 +32,11 @@
 # configuring it using the ENV variables we provide in storage.yml. However, at this point, these ENV vars have not been loaded,
 # causing the error. Below we define two throaway ENV vars to prevent the error from being thrown. These are then later overwritten,
 # when all of the ENV vars are loaded.
+ARG RAILS_MASTER_KEY
 
 ENV DOCUMENTS_S3_BUCKET=throwaway_value
 ENV SCHOOLS_IMAGES_LOGOS_S3_BUCKET=throwaway_value
+ENV RAILS_MASTER_KEY=$RAILS_MASTER_KEY
 
 RUN RAILS_ENV=production SECRET_KEY_BASE=required-to-run-but-not-used RAILS_SERVE_STATIC_FILES=1 bundle exec rake assets:precompile
 
@@ -67,4 +69,4 @@
 ENV COMMIT_SHA=$COMMIT_SHA
 
 EXPOSE 3000
 CMD bundle exec rails db:migrate:ignore_concurrent_migration_exceptions && bundle exec rails s

Gemfile

@@ -40,6 +40,7 @@ gem "high_voltage"
 gem "httparty"
 gem "ipaddr"
 gem "jbuilder"
+gem "jwt"
 gem "kramdown"
 gem "lockbox"
 gem "mail-notify"

Gemfile.lock

@@ -790,6 +790,7 @@ DEPENDENCIES
   ipaddr
   jbuilder
   jsbundling-rails
+  jwt
   kramdown
   launchy (~> 3.0)
   listen

app/controllers/jobseekers/account_transfers_controller.rb

@@ -12,10 +12,12 @@ def create
         flash[:success] = "Your account details have been transferred successfully!"
         redirect_to jobseekers_profile_path
       else
+        @email = @account_transfer_form.email
         flash[:error] = "Account transfer failed. Please try again."
         render :new
       end
     else
+      @email = @account_transfer_form.email
       render :new
     end
   end
@@ -31,6 +33,8 @@ def successfully_transfer_account_data?
     true
   rescue Jobseekers::AccountTransfer::AccountNotFoundError, ActiveRecord::RecordInvalid, ActiveRecord::RecordNotFound => e
     Rails.logger.error("Account transfer failed: #{e.message}")
+    Rails.logger.error("Account transfer failed on #{e.record.class.name} with ID: #{e.record.id}")
+    Rails.logger.error("Validation errors: #{e.record.errors.full_messages.join(', ')}")
     false
   end
 end

app/controllers/jobseekers/accounts_controller.rb

@@ -2,4 +2,8 @@ class Jobseekers::AccountsController < Jobseekers::BaseController
   def show; end
 
   def confirmation; end
+
+  def account_found; end
+
+  def account_not_found; end
 end

app/controllers/jobseekers/govuk_one_login_callbacks_controller.rb

@@ -0,0 +1,77 @@
+class Jobseekers::GovukOneLoginCallbacksController < Devise::OmniauthCallbacksController
+  include Jobseekers::GovukOneLogin::Errors
+  # Devise redirects response from Govuk One Login to this method.
+  # The request parameters contain the response from Govuk One Login from the user authentication through their portal.
+
+  # rubocop:disable Metrics/MethodLength
+  # rubocop:disable Metrics/AbcSize
+  def openid_connect
+    if (govuk_one_login_user = Jobseekers::GovukOneLogin::UserFromAuthResponse.call(params, session))
+      session[:govuk_one_login_id_token] = govuk_one_login_user.id_token
+      jobseeker = Jobseeker.find_by(govuk_one_login_id: govuk_one_login_user.id) ||
+                  Jobseeker.find_by(email: govuk_one_login_user.email) # Pre-migration to GovUK One Login Jobseeker still non-linked with a One Login account.
+
+      # Completely new user
+      if jobseeker.nil?
+        session[:newly_created_user] = { value: "true", path: "/", expires: 1.hour.from_now }
+        jobseeker = Jobseeker.create_from_govuk_one_login(email: govuk_one_login_user.email, govuk_one_login_id: govuk_one_login_user.id)
+      # User exists but is their first time signing-in with OneLogin
+      elsif jobseeker.govuk_one_login_id.nil?
+        session[:user_exists_first_log_in] = { value: "true", path: "/", expires: 1.hour.from_now }
+        jobseeker.update(govuk_one_login_id: govuk_one_login_user.id)
+      # User changed their email in OneLogin after having already signed in with us
+      elsif jobseeker.email.downcase != govuk_one_login_user.email.downcase
+        jobseeker.update(email: govuk_one_login_user.email)
+      end
+
+      session.delete(:govuk_one_login_state)
+      session.delete(:govuk_one_login_nonce)
+
+      if jobseeker
+        sign_out_except(:jobseeker)
+        sign_in_and_redirect jobseeker
+      end
+    else
+      error_redirect
+    end
+  rescue GovukOneLoginError => e
+    Rails.logger.error(e.message)
+    error_redirect
+  end
+  # rubocop:enable Metrics/MethodLength
+  # rubocop:enable Metrics/AbcSize
+
+  private
+
+  def error_redirect
+    return if jobseeker_signed_in?
+
+    flash[:alert] = "There was a problem signing in. Please try again."
+    redirect_to root_path
+  end
+
+  # Devise method to redirect the user after sign in.
+  # We need to build our own logic to redirect the user to the correct pages.
+  def after_sign_in_path_for(resource)
+    stored_location = stored_location_for(resource)
+    if redirect_to_location?(stored_location)
+      stored_location
+    elsif session[:newly_created_user]
+      session.delete(:newly_created_user)
+      account_not_found_jobseekers_account_path
+    elsif session[:user_exists_first_log_in]
+      session.delete(:user_exists_first_log_in)
+      account_found_jobseekers_account_path
+    else
+      jobseekers_job_applications_path
+    end
+  end
+
+  def redirect_to_location?(stored_location)
+    return false if stored_location.blank?
+
+    stored_location.include?("/job_application/new") || # Signed-in from a quick apply link
+      stored_location.include?("/saved_job/") || # Signed-in from a vacancy page save/unsave action.
+      stored_location.include?("/jobseekers/subscriptions") # Signed-in from a job alert email link.
+  end
+end

app/controllers/jobseekers/request_account_transfer_emails_controller.rb

@@ -12,13 +12,15 @@ def create
         jobseeker.generate_merge_verification_code
         Jobseekers::AccountMailer.request_account_transfer(jobseeker).deliver_now
       end
-      redirect_to new_jobseekers_account_transfer_path(email: @request_account_transfer_email_form.email)
+
+      success_message = @request_account_transfer_email_form.email_resent ? t(".success") : nil
+      redirect_to new_jobseekers_account_transfer_path(email: @request_account_transfer_email_form.email), success: success_message
     else
       render :new
     end
   end
 
   def request_account_transfer_email_form_params
-    params.require(:jobseekers_request_account_transfer_email_form).permit(:email)
+    params.require(:jobseekers_request_account_transfer_email_form).permit(:email, :email_resent)
   end
 end

app/controllers/jobseekers/sessions_controller.rb

@@ -3,9 +3,7 @@ class Jobseekers::SessionsController < Devise::SessionsController
 
   def new
     if (attempted_path = params[:attempted_path])
-      alert_text = t("jobseekers.forced_login.#{forced_login_resource(attempted_path)}_html",
-                     account_creation_link: helpers.govuk_link_to(t("jobseekers.forced_login.create_account"), new_jobseeker_registration_url))
-      flash.now[:alert] = alert_text
+      flash.now[:alert] = t("jobseekers.forced_login.#{forced_login_resource(attempted_path)}_html")
     elsif (login_failure = params[:login_failure])
       alert_text = t("devise.failure.#{login_failure}")
       trigger_jobseeker_sign_in_event(:failure, alert_text)

app/form_models/jobseekers/request_account_transfer_email_form.rb

@@ -1,5 +1,5 @@
 class Jobseekers::RequestAccountTransferEmailForm < BaseForm
-  attr_accessor :email
+  attr_accessor :email, :email_resent
 
   validates :email, presence: true
   validates :email, email_address: true

app/helpers/jobseekers_login_helper.rb

@@ -0,0 +1,20 @@
+module JobseekersLoginHelper
+  include Jobseekers::GovukOneLogin::Helper
+
+  def jobseeker_login_uri
+    params = generate_login_params
+    session[:govuk_one_login_state] = params[:state]
+    session[:govuk_one_login_nonce] = params[:nonce]
+
+    govuk_one_login_uri(:login, params)
+  end
+
+  def jobseeker_logout_uri
+    params = generate_logout_params(session[:govuk_one_login_id_token])
+    govuk_one_login_uri(:logout, params)
+  end
+
+  def jobseeker_login_button(class: "")
+    govuk_button_link_to(t("buttons.one_login_sign_in"), jobseeker_login_uri.to_s, class:)
+  end
+end

app/models/jobseeker.rb

@@ -18,6 +18,7 @@ class Jobseeker < ApplicationRecord
   has_one :jobseeker_profile
 
   validates :email, presence: true, email_address: true
+  validates :govuk_one_login_id, uniqueness: true, allow_nil: true
 
   after_update :update_subscription_emails
 
@@ -35,6 +36,18 @@ def needs_email_confirmation?
     !confirmed? || unconfirmed_email.present?
   end
 
+  def self.create_from_govuk_one_login(email:, govuk_one_login_id:)
+    return unless email.present? && govuk_one_login_id.present?
+
+    # OneLogin users won't need/use this password. But is required by validations for in-house Devise users.
+    # Eventually when all the users become OneLogin users, we should be able to remove the password requirement.
+    random_password = Devise.friendly_token
+    create!(email: email.downcase,
+            govuk_one_login_id: govuk_one_login_id,
+            password: random_password,
+            confirmed_at: Time.zone.now)
+  end
+
   def generate_merge_verification_code
     self.account_merge_confirmation_code = SecureRandom.alphanumeric(6)
     self.account_merge_confirmation_code_generated_at = Time.current

app/services/jobseekers/govuk_one_login.rb

@@ -0,0 +1,19 @@
+module Jobseekers::GovukOneLogin
+  BASE_URL = Rails.application.config.govuk_one_login_base_url
+  CALLBACKS_BASE_URL = "#{ENV.fetch('DOMAIN').include?('localhost') ? 'http' : 'https'}://#{ENV.fetch('DOMAIN')}".freeze
+
+  CALLBACKS = {
+    login: "#{CALLBACKS_BASE_URL}/jobseekers/auth/govuk_one_login/callback",
+    logout: "#{CALLBACKS_BASE_URL}/jobseekers/sign_out",
+  }.freeze
+
+  ENDPOINTS = {
+    login: "#{BASE_URL}/authorize",
+    logout: "#{BASE_URL}/logout",
+    token: "#{BASE_URL}/token",
+    user_info: "#{BASE_URL}/userinfo",
+    jwks: "#{BASE_URL}/.well-known/jwks.json",
+  }.freeze
+
+  User = Struct.new(:id, :email, :id_token, keyword_init: true)
+end

app/services/jobseekers/govuk_one_login/client.rb

@@ -0,0 +1,85 @@
+#
+# - exchange an authorisation code for tokens (access and id)
+# - exchange an access token for user info
+# - decode an id token to get the user's gov one id
+#
+# see https://docs.sign-in.service.gov.uk/
+class Jobseekers::GovukOneLogin::Client
+  include Jobseekers::GovukOneLogin
+  include Jobseekers::GovukOneLogin::Errors
+
+  JWT_SIGNING_ALGORITHM = "RS256".freeze
+
+  attr_reader :code
+
+  def initialize(code)
+    @code = code
+  end
+
+  # POST /token
+  def tokens
+    uri, http = build_http(ENDPOINTS[:token])
+    request = Net::HTTP::Post.new(uri.path, { "Content-Type" => "application/x-www-form-urlencoded" })
+    request.set_form_data({ grant_type: "authorization_code",
+                            code: code,
+                            redirect_uri: CALLBACKS[:login],
+                            client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+                            client_assertion: jwt_assertion })
+    response = http.request(request)
+    JSON.parse(response.body)
+  rescue StandardError => e
+    raise ClientRequestError.new("GovukOneLogin.tokens", e.message)
+  end
+
+  # GET /userinfo
+  def user_info(access_token)
+    uri, http = build_http(ENDPOINTS[:user_info])
+    request = Net::HTTP::Get.new(uri.path, { "Authorization" => "Bearer #{access_token}" })
+    response = http.request(request)
+    JSON.parse(response.body)
+  rescue StandardError => e
+    raise ClientRequestError.new("GovukOneLogin.user_info", e.message)
+  end
+
+  def decode_id_token(token)
+    kid = JWT.decode(token, nil, false).last["kid"]
+    key_params = jwks["keys"].find { |key| key["kid"] == kid }
+    jwk = JWT::JWK.new(key_params)
+
+    JWT.decode(token, jwk.public_key, true, { verify_iat: true, algorithm: JWT_SIGNING_ALGORITHM })
+  end
+
+  private
+
+  def build_http(address)
+    uri = URI.parse(address)
+    http = Net::HTTP.new(uri.host, uri.port)
+    http.use_ssl = true
+    [uri, http]
+  end
+
+  # GET /.well-known/jwks.json
+  def jwks
+    Rails.cache.fetch("jwks", expires_in: 24.hours) do
+      uri, http = build_http(ENDPOINTS[:jwks])
+      response = http.request(Net::HTTP::Get.new(uri.path))
+      JSON.parse(response.body)
+    end
+  end
+
+  def jwt_assertion
+    rsa_private = OpenSSL::PKey::RSA.new(Rails.application.config.govuk_one_login_private_key)
+    JWT.encode(jwt_payload, rsa_private, JWT_SIGNING_ALGORITHM)
+  end
+
+  def jwt_payload
+    {
+      aud: ENDPOINTS[:token],
+      iss: Rails.application.config.govuk_one_login_client_id,
+      sub: Rails.application.config.govuk_one_login_client_id,
+      exp: Time.zone.now.to_i + (5 * 60),
+      jti: SecureRandom.uuid,
+      iat: Time.zone.now.to_i,
+    }
+  end
+end

app/services/jobseekers/govuk_one_login/errors.rb

@@ -0,0 +1,14 @@
+module Jobseekers::GovukOneLogin::Errors
+  class GovukOneLoginError < StandardError
+    def initialize(error = "GovukOneLogin", description = "Failed to authenticate with Govuk One Login")
+      super("#{error}: #{description}")
+    end
+  end
+
+  class ClientRequestError < GovukOneLoginError; end
+  class AuthenticationError < GovukOneLoginError; end
+  class SessionKeyError < GovukOneLoginError; end
+  class TokensError < GovukOneLoginError; end
+  class IdTokenError < GovukOneLoginError; end
+  class UserInfoError < GovukOneLoginError; end
+end