Auto verification for users

.rubocop.yml

@@ -1,2 +1,26 @@
+inherit_from: .rubocop_todo.yml
+
 inherit_gem:
   decidim-dev: rubocop-decidim.yml
+
+inherit_mode:
+  merge:
+    - Exclude
+
+AllCops:
+  Include:
+    - "**/*.rb"
+    - "**/*.rake"
+    - "**/*.ru"
+    - "**/Gemfile"
+    - "**/Rakefile"
+  Exclude:
+    - "spec/decidim_dummy_app/**/*"
+    - "**/spec/decidim_dummy_app/**/*"
+    - "bin/**/*"
+    - "node_modules/**/*"
+    - "**/node_modules/**/*"
+    - "db/schema.rb"
+    - "db/migrate/*"
+    - "vendor/**/*"
+    - "**/vendor/**/*"

.rubocop_todo.yml

@@ -1,26 +0,0 @@
-inherit_from: .rubocop_todo.yml
-
-inherit_gem:
-  decidim-dev: rubocop-decidim.yml
-
-inherit_mode:
-  merge:
-    - Exclude
-
-AllCops:
-  Include:
-    - "**/*.rb"
-    - "**/*.rake"
-    - "**/*.ru"
-    - "**/Gemfile"
-    - "**/Rakefile"
-  Exclude:
-    - "spec/decidim_dummy_app/**/*"
-    - "**/spec/decidim_dummy_app/**/*"
-    - "bin/**/*"
-    - "node_modules/**/*"
-    - "**/node_modules/**/*"
-    - "db/schema.rb"
-    - "db/migrate/*"
-    - "vendor/**/*"
-    - "**/vendor/**/*"

Rakefile

@@ -3,6 +3,13 @@
 require "decidim/dev/common_rake"
 require "fileutils"
 
+def install_module(path)
+  Dir.chdir(path) do
+    system("bundle exec rake decidim_ub:install:migrations")
+    system("bundle exec rake db:migrate")
+  end
+end
+
 def install_initializer(path, env)
   Dir.chdir(path) do
     FileUtils.cp(
@@ -22,7 +29,10 @@ desc "Generates a dummy app for testing"
 task test_app: "decidim:generate_external_test_app" do
   ENV["RAILS_ENV"] = "test"
   install_initializer("spec/decidim_dummy_app", "test")
+  install_module("spec/decidim_dummy_app")
 end
 
 desc "Generates a development app."
-task development_app: "decidim:generate_external_development_app"
+task development_app: "decidim:generate_external_development_app" do
+  install_module("development_app")
+end

app/commands/decidim/ub/sync_user.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Ub
+    class SyncUser < Decidim::Command
+      # Public: Initializes the command.
+      #
+      # user - A decidim user
+      # roles - The roles of the user
+      def initialize(user, roles)
+        @user = user
+        @roles = roles
+      end
+
+      # Executes the command. Broadcasts these events:
+      #
+      # - :ok when everything is valid.
+      # - :invalid if we couldn't proceed.
+      #
+      # Returns nothing.
+      def call
+        update_user!
+        ActiveSupport::Notifications.publish("decidim.ub.user.updated", user.id)
+        broadcast(:ok)
+      rescue StandardError => e
+        broadcast(:invalid, e.message)
+      end
+
+      private
+
+      attr_reader :user, :roles
+
+      def update_user!
+        user.ub_roles = roles
+        user.save!
+      end
+    end
+  end
+end

app/controllers/concerns/decidim/devise_authentication_methods.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Decidim
+  module DeviseAuthenticationMethods
+    def first_login_and_not_authorized?(user)
+      return false if user.ub_identity?
+
+      super
+    end
+  end
+end

app/forms/decidim/ub/verifications/ub.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require "digest"
+
+module Decidim
+  module Ub
+    module Verifications
+      class Ub < Decidim::AuthorizationHandler
+        validate :user_valid
+
+        def unique_id
+          Digest::SHA512.hexdigest("#{role}/#{uid}-#{Rails.application.secrets.secret_key_base}")
+        end
+
+        protected
+
+        def organization
+          current_organization || user&.organization
+        end
+
+        def uid
+          user.ub_identity
+        end
+
+        def user_valid
+          errors.add(:user, "decidim.ub.errors.missing_role") unless user.ub_roles.include?(role)
+        end
+
+        def role = raise NotImplementedError
+      end
+    end
+  end
+end

app/forms/decidim/ub/verifications/ub_ant.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Ub
+    module Verifications
+      class UbAnt < Ub
+        def role = "ANT"
+      end
+    end
+  end
+end

app/forms/decidim/ub/verifications/ub_est.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Ub
+    module Verifications
+      class UbEst < Ub
+        def role = "EST"
+      end
+    end
+  end
+end

app/forms/decidim/ub/verifications/ub_pas.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Ub
+    module Verifications
+      class UbPas < Ub
+        def role = "PAS"
+      end
+    end
+  end
+end

app/forms/decidim/ub/verifications/ub_pdi.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Ub
+    module Verifications
+      class UbPdi < Ub
+        def role = "PDI"
+      end
+    end
+  end
+end

app/forms/decidim/ub/verifications/ub_pex.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Ub
+    module Verifications
+      class UbPex < Ub
+        def role = "PEX"
+      end
+    end
+  end
+end

app/helpers/decidim/ub/omniauth_helper_override.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Ub
+    module OmniauthHelperOverride
+      extend ActiveSupport::Concern
+
+      included do
+        alias_method :original_normalize_provider_name, :normalize_provider_name
+
+        def normalize_provider_name(provider)
+          return "Universitat de Barcelona" if provider == :ub
+
+          original_normalize_provider_name(provider)
+        end
+      end
+    end
+  end
+end

app/jobs/decidim/ub/auto_verification_job.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Ub
+    class AutoVerificationJob < ApplicationJob
+      queue_as :default
+
+      def perform(user_id)
+        @user = Decidim::User.find(user_id)
+        @auths = Decidim::Ub.roles_to_auth_name(@user.ub_roles & Decidim::Ub::ROLES)
+        update_auths
+      rescue ActiveRecord::RecordNotFound
+        Rails.logger.error "AutoVerificationJob: ERROR: model not found for user #{user_id}"
+      end
+
+      private
+
+      def update_auths
+        current_auths = user_auths.pluck(:name)
+        (current_auths - @auths).each { |name| remove_auth(user_auths.find_by(name:)) }
+        (@auths - current_auths).each { |name| create_auth(name) }
+      end
+
+      def create_auth(name)
+        return unless (handler = Decidim::AuthorizationHandler.handler_for(name, user: @user))
+
+        Decidim::Verifications::AuthorizeUser.call(handler, @user.organization) do
+          on(:ok) do
+            Rails.logger.info "AutoVerificationJob: Success: created auth #{name} for user #{handler.user.id}"
+          end
+
+          on(:invalid) do
+            Rails.logger.error "AutoVerificationJob: ERROR: not created auth #{name} for user #{handler.user&.id}"
+          end
+        end
+      end
+
+      def remove_auth(auth)
+        Decidim::Verifications::DestroyUserAuthorization.call(auth) do
+          on(:ok) do
+            Rails.logger.info "AutoVerificationJob: Success: removed auth #{auth.name} for user #{auth.user.id}"
+          end
+
+          on(:invalid) do
+            Rails.logger.error "AutoVerificationJob: ERROR: not removed auth #{auth.name} for user #{auth.user&.id}"
+          end
+        end
+      end
+
+      def user_auths
+        @user_auths ||= Decidim::Authorization.where(user: @user, name: Decidim::Ub.authorizations)
+      end
+    end
+  end
+end

app/jobs/decidim/ub/omniauth_user_sync_job.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Ub
+    class OmniauthUserSyncJob < ApplicationJob
+      queue_as :default
+
+      def perform(data)
+        user = Decidim::User.find(data[:user_id])
+        return unless user.ub_identity?
+
+        Decidim::Ub::SyncUser.call(user, data.dig(:raw_data, :info, :roles)) do
+          on(:ok) do
+            Rails.logger.info "OmniauthUserSyncJob: Success: Ub roles updated for user #{user.id}"
+          end
+
+          on(:invalid) do |message|
+            Rails.logger.error "OmniauthUserSyncJob: ERROR: Error updating ub roles '#{message}'"
+          end
+        end
+      end
+    end
+  end
+end

app/models/concerns/decidim/ub/user_override.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Ub
+    module UserOverride
+      extend ActiveSupport::Concern
+
+      included do
+        def ub_identity
+          identities.find_by(provider: Decidim::Ub::OMNIAUTH_PROVIDER_NAME)
+        end
+
+        def ub_identity?
+          identities.exists?(provider: Decidim::Ub::OMNIAUTH_PROVIDER_NAME)
+        end
+      end
+    end
+  end
+end

config/i18n-tasks.yml

@@ -1,4 +1,7 @@
 ---
 
 base_locale: en
-locales: [en]
+locales:
+  - ca
+  - en
+  - es