From 3dc5d5a9c31a61cbf1d86123b73c6596507bdf10 Mon Sep 17 00:00:00 2001 From: azelcs Date: Wed, 8 May 2024 12:09:31 +0300 Subject: [PATCH 1/4] Use ppid instead of nameid for unique identifier --- lib/omniauth/strategies/latvija.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/omniauth/strategies/latvija.rb b/lib/omniauth/strategies/latvija.rb index 3ec1dfe..2d191f1 100644 --- a/lib/omniauth/strategies/latvija.rb +++ b/lib/omniauth/strategies/latvija.rb @@ -88,7 +88,7 @@ def raw_info end def uid - @response.name_identifier + "PK:#{raw_info['privatepersonalidentifier']}" end def full_name From b46f942e2419ecbd77148941bb2f360838c3f135 Mon Sep 17 00:00:00 2001 From: azelcs Date: Wed, 8 May 2024 12:48:28 +0300 Subject: [PATCH 2/4] Add test --- ...e_personal_code_uid_mismatch_decrypted.xml | 63 +++++++++++++++++++ spec/omniauth/strategies/latvija_spec.rb | 34 +++++++++- 2 files changed, 95 insertions(+), 2 deletions(-) create mode 100644 spec/fixtures/wresult_single_personal_code_uid_mismatch_decrypted.xml diff --git a/spec/fixtures/wresult_single_personal_code_uid_mismatch_decrypted.xml b/spec/fixtures/wresult_single_personal_code_uid_mismatch_decrypted.xml new file mode 100644 index 0000000..8fe80ab --- /dev/null +++ b/spec/fixtures/wresult_single_personal_code_uid_mismatch_decrypted.xml @@ -0,0 +1,63 @@ + + + + + 2019-11-05T13:57:02.777Z + 2019-11-05T17:57:02.777Z + + + + https://example.com + + + + + + + https://ivis.eps.gov.lv/LVP.Sitecore + + + + + PK:32345678901 + + urn:oasis:names:tc:SAML:1.0:cm:bearer + + + + ODS + + + KNISLIS + + + 01018012345 + + + 4 + + + https://epakvisstv.vraa.gov.lv/STS/VISS.LVP.STS/Image.ashx?id=am-test + + + + + PK:32345678901 + + urn:oasis:names:tc:SAML:1.0:cm:bearer + + + + + + + urn:oasis:names:tc:SAML:1.0:assertion + http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue + http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer + + 
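Review bot: `uid` now interpolates `raw_info['privatepersonalidentifier']` without checking that the attribute is present, so an assertion that lacks it yields the constant uid `"PK:"`, and every such login would resolve to the same account; bind the value first and reject the response when it is blank, e.g. `ppid = raw_info['privatepersonalidentifier']` / `raise OmniAuth::Error, 'privatepersonalidentifier missing from assertion' if ppid.to_s.empty?` / `"PK:#{ppid}"`. The PATCH 4/4 hunk that appends `@response.name_identifier` to `legacy_uids` has the same exposure: a nil NameIdentifier becomes a nil element that a caller looking accounts up by those values may match, so the array should be `.compact`ed (and `.uniq`ed, since in the fixtures the NameIdentifier already equals the new `PK:` uid). Because the uid is now sourced from an assertion attribute rather than the NameIdentifier, its trustworthiness rests entirely on the signature check in `SignedDocument#validate!`, which the new specs stub out; presumably that check runs before `uid` is built on the real callback path, but that is worth confirming. The whole `uid` method is within the hunk.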
diff --git a/spec/omniauth/strategies/latvija_spec.rb b/spec/omniauth/strategies/latvija_spec.rb index b888cc9..69b3c2f 100644 --- a/spec/omniauth/strategies/latvija_spec.rb +++ b/spec/omniauth/strategies/latvija_spec.rb @@ -198,7 +198,7 @@ def strategy expect(response.dig('extra', 'raw_info', 'historical_privatepersonalidentifier')).to match_array(['12345678901']) end - it 'should return NameIdentifier property as the auth UID' do + it 'should return PK:privatepersonalidentifier as the auth UID' do expect(response.dig('uid')).to eq('PK:32345678901') end @@ -237,9 +237,39 @@ def strategy expect(response.dig('extra', 'raw_info', 'historical_privatepersonalidentifier')).to be_empty end - it 'should return NameIdentifier property as the auth UID' do + it 'should return PK:privatepersonalidentifier as the auth UID' do expect(response.dig('uid')).to eq('PK:32345678901') end end + + context 'when response NameIdentifier code does not match real private personal identifier' do + let(:wresult_decrypted) { File.read('spec/fixtures/wresult_single_personal_code_uid_mismatch_decrypted.xml') } + + before(:each) do + allow_any_instance_of(OmniAuth::Strategies::Latvija::SignedDocument).to receive(:validate!).and_return(true) + end + + let(:response) do + post '/auth/latvija/callback', { + :wa => "wsignin1.0", + :wctx => "http://example.org/auth/latvija/callback", + :wresult => wresult_decrypted + } + + last_request.env['omniauth.auth'] + end + + it 'should return primary personal code' do + expect(response.dig('info', 'private_personal_identifier')).to eq('01018012345') + end + + it 'should not return historical personal codes in extra info' do + expect(response.dig('extra', 'raw_info', 'historical_privatepersonalidentifier')).to be_empty + end + + it 'should return PK:privatepersonalidentifier as the auth UID' do + expect(response.dig('uid')).to eq('PK:01018012345') + end + end end end From 558e12cb63dd58f59c74081c4ab72dd61dba352f Mon Sep 17 00:00:00 2001 
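Review bot: The new mismatch context asserts only that the uid comes from the personal code and leaves two cases of the same change untested: an assertion with no `privatepersonalidentifier` attribute (where the current `uid` would degrade to the bare string `"PK:"`), and the NameIdentifier fallback that PATCH 4/4 later adds to `legacy_uids` without touching this spec, for which this context's fixture (NameIdentifier `PK:32345678901`, personal code `01018012345`) is the natural place to expect the legacy list to contain `'PK:32345678901'`. On style, the `before(:each)` sits between the two `let` definitions, and the posted params use hash rockets (`:wa => "wsignin1.0"`) where the symbol-key form `wa: 'wsignin1.0'` would match the guide; both are easier to read if the `let`s are kept together above the `before`. The `let(:response)` and `before` blocks look copied from the sibling contexts that are outside this hunk, so a shared example group may be worth extracting, but that cannot be confirmed from here.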
From: azelcs Date: Wed, 8 May 2024 12:50:19 +0300 Subject: [PATCH 3/4] Rename fixture --- ..._single_personal_code_nameidentifier_mismatch_decrypted.xml} | 0 spec/omniauth/strategies/latvija_spec.rb | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename spec/fixtures/{wresult_single_personal_code_uid_mismatch_decrypted.xml => wresult_single_personal_code_nameidentifier_mismatch_decrypted.xml} (100%) diff --git a/spec/fixtures/wresult_single_personal_code_uid_mismatch_decrypted.xml b/spec/fixtures/wresult_single_personal_code_nameidentifier_mismatch_decrypted.xml similarity index 100% rename from spec/fixtures/wresult_single_personal_code_uid_mismatch_decrypted.xml rename to spec/fixtures/wresult_single_personal_code_nameidentifier_mismatch_decrypted.xml diff --git a/spec/omniauth/strategies/latvija_spec.rb b/spec/omniauth/strategies/latvija_spec.rb index 69b3c2f..450a009 100644 --- a/spec/omniauth/strategies/latvija_spec.rb +++ b/spec/omniauth/strategies/latvija_spec.rb @@ -243,7 +243,7 @@ def strategy end context 'when response NameIdentifier code does not match real private personal identifier' do - let(:wresult_decrypted) { File.read('spec/fixtures/wresult_single_personal_code_uid_mismatch_decrypted.xml') } + let(:wresult_decrypted) { File.read('spec/fixtures/wresult_single_personal_code_nameidentifier_mismatch_decrypted.xml') } before(:each) do allow_any_instance_of(OmniAuth::Strategies::Latvija::SignedDocument).to receive(:validate!).and_return(true) From 30e6086eee97c79b7c0f699c74a511d964a9b972 Mon Sep 17 00:00:00 2001 From: azelcs Date: Wed, 8 May 2024 16:58:23 +0300 Subject: [PATCH 4/4] Keep VPM internal ID in legacy UIDs as fallback --- lib/omniauth/strategies/latvija.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/omniauth/strategies/latvija.rb b/lib/omniauth/strategies/latvija.rb index 2d191f1..f5ffcd0 100644 --- a/lib/omniauth/strategies/latvija.rb +++ b/lib/omniauth/strategies/latvija.rb 
@@ -99,7 +99,8 @@ def legacy_uids # UIDs that could have been assigned to this identity by previous versions of the gem, or due to peronal identifier change legacy_uids = [ - "#{full_name}, #{raw_info["privatepersonalidentifier"]}" # generated by gem version <= 4.0 + "#{full_name}, #{raw_info["privatepersonalidentifier"]}", # generated by gem version <= 4.0 + @response.name_identifier # VPM internal UID fallback, generated by gem version <= 6.3.0 ] raw_info.fetch('historical_privatepersonalidentifier', []).each do |historical_identifier|