demarches-normaliennes/spec/controllers/agent_connect/agent_controller_spec.rb

# frozen_string_literal: true

describe AgentConnect::AgentController, type: :controller do
  describe '#login' do
    let(:uri) { 'https://agent-connect.fr' }
    let(:state) { 'state' }
    let(:nonce) { 'nonce' }

    before do
      expect(AgentConnectService).to receive(:authorization_uri).and_return([uri, state, nonce])
      get :login
    end

    it do
      expect(state_cookie).to eq(state)
      expect(nonce_cookie).to eq(nonce)
      expect(response).to redirect_to(uri)
    end
  end

  describe '#callback' do
    let(:email) { 'i@email.com' }
    let(:original_state) { 'original_state' }
    let(:nonce) { 'nonce' }
    let(:id_token) { 'id_token' }
    subject { get :callback, params: { code: code, state: state } }

    before do
      cookies.encrypted[controller.class::STATE_COOKIE_NAME] = original_state
      cookies.encrypted[controller.class::NONCE_COOKIE_NAME] = nonce
    end

    context 'when the callback code is correct' do
      let(:code) { 'correct' }
      let(:state) { original_state }
      let(:user_info) { { 'sub' => 'sub', 'email' => email, 'given_name' => 'given', 'usual_name' => 'usual' } }
      let(:amr) { [] }

      context 'and user_info returns some info' do
        before do
          expect(AgentConnectService).to receive(:user_info).with(code, nonce).and_return([user_info, id_token, amr])
        end

        context 'and the instructeur use mon_compte_pro' do
          before do
            user_info['idp_id'] = AgentConnect::AgentController::MON_COMPTE_PRO_IDP_ID
            allow(controller).to receive(:sign_in)
          end

          context 'without 2FA' do
            it 'redirects to agent_connect_explanation_2fa_path' do
              subject

              expect(controller).not_to have_received(:sign_in)
              expect(response).to redirect_to(agent_connect_explanation_2fa_path)
              expect(state_cookie).to be_nil
              expect(nonce_cookie).to be_nil
              expect(cookies.encrypted[controller.class::AC_ID_TOKEN_COOKIE_NAME]).to eq(id_token)
            end
          end

          context 'with 2FA' do
            let(:amr) { ['mfa'] }

            it 'creates the user, signs in and redirects to procedure_path' do
              expect { subject }.to change { User.count }.by(1).and change { Instructeur.count }.by(1)

              expect(controller).to have_received(:sign_in)
            end
          end
        end

        context 'and the instructeur does not have an account yet' do
          before do
            expect(controller).to receive(:sign_in)
          end

          it 'creates the user, signs in and redirects to procedure_path' do
            expect { subject }.to change { User.count }.by(1).and change { Instructeur.count }.by(1)

            last_user = User.last

            expect(last_user.email).to eq(email)
            expect(last_user.confirmed_at).to be_present
            expect(last_user.email_verified_at).to be_present
            expect(last_user.instructeur.agent_connect_id_token).to eq('id_token')
            expect(response).to redirect_to(instructeur_procedures_path)
            expect(state_cookie).to be_nil
            expect(nonce_cookie).to be_nil
          end
        end

        context 'and the instructeur already has an account' do
          let!(:instructeur) { create(:instructeur, email: email) }

          before do
            expect(controller).to receive(:sign_in)
          end

          it 'reuses the account, signs in and redirects to procedure_path' do
            expect { subject }.to change { User.count }.by(0).and change { Instructeur.count }.by(0)
            instructeur.reload

            expect(instructeur.agent_connect_id_token).to eq('id_token')
            expect(response).to redirect_to(instructeur_procedures_path)
          end

          it "sets email_verified_at" do
            expect { subject }.to change { instructeur.user.reload.email_verified_at }.from(
              nil
            )
          end
        end

        context 'and the instructeur already has an account as a user' do
          let!(:user) { create(:user, email: email) }

          before do
            expect(controller).to receive(:sign_in)
          end

          it 'reuses the account, signs in and redirects to procedure_path' do
            expect { subject }.to change { User.count }.by(0).and change { Instructeur.count }.by(1)

            instructeur = user.reload.instructeur

            expect(instructeur.agent_connect_id_token).to eq('id_token')
            expect(response).to redirect_to(instructeur_procedures_path)
          end
        end
      end

      context 'when the instructeur connects two times with the same domain' do
        before do
          expect(AgentConnectService).to receive(:user_info).with(code, nonce).and_return([user_info, id_token]).twice
          expect(controller).to receive(:sign_in).twice
        end

        it 'creates another agent_connect_information' do
          get :callback, params: { code: code, state: state }
          get :callback, params: { code: code, state: state }

          expect(Instructeur.last.agent_connect_information.count).to eq(1)
        end
      end

      context 'when the instructeur connects two times with different domains' do
        before do
          expect(controller).to receive(:sign_in).twice
        end

        it 'creates another agent_connect_information' do
          expect(AgentConnectService).to receive(:user_info).with(code, nonce).and_return([user_info, id_token])
          get :callback, params: { code: code, state: state }

          expect(AgentConnectService).to receive(:user_info).with(code, nonce).and_return([user_info.merge('sub' => 'sub2'), id_token])
          get :callback, params: { code: code, state: state }

          expect(Instructeur.last.agent_connect_information.pluck(:sub)).to match_array(['sub', 'sub2'])
        end
      end

      context 'but user_info raises and error' do
        before do
          expect(AgentConnectService).to receive(:user_info).and_raise(Rack::OAuth2::Client::Error.new(500, error: 'Unknown'))
        end

        it 'aborts the processus' do
          expect { subject }.to change { User.count }.by(0).and change { Instructeur.count }.by(0)

          expect(response).to redirect_to(new_user_session_path)
        end
      end
    end

    context 'when the callback state is not the original' do
      let(:code) { 'correct' }
      let(:state) { 'another state' }

      before { subject }

      it 'aborts the processus' do
        expect { subject }.to change { User.count }.by(0).and change { Instructeur.count }.by(0)

        expect(response).to redirect_to(new_user_session_path)
      end
    end

    context 'when the callback code is blank' do
      let(:code) { '' }
      let(:state) { original_state }

      it 'aborts the processus' do
        expect { subject }.to change { User.count }.by(0).and change { Instructeur.count }.by(0)

        expect(response).to redirect_to(new_user_session_path)
      end
    end
  end

  describe '#logout_from_mcp' do
    let(:id_token) { 'id_token' }
    subject { get :logout_from_mcp }

    before do
      cookies.encrypted[controller.class::AC_ID_TOKEN_COOKIE_NAME] = id_token
    end

    it 'clears the id token cookie and redirects to the agent connect logout url' do
      expect(AgentConnectService).to receive(:logout_url).with(id_token, host_with_port: 'test.host')
        .and_return("https://agent-connect.fr/logout/#{id_token}")

      subject

      expect(cookies.encrypted[controller.class::AC_ID_TOKEN_COOKIE_NAME]).to be_nil
      expect(cookies.encrypted[controller.class::REDIRECT_TO_AC_LOGIN_COOKIE_NAME]).to eq(true)
      expect(response).to redirect_to("https://agent-connect.fr/logout/#{id_token}")
    end

    context 'when the id_token is blank' do
      let(:id_token) { nil }

      it 'clears the cookies and redirects to the root path' do
        subject

        expect(cookies.encrypted[controller.class::REDIRECT_TO_AC_LOGIN_COOKIE_NAME]).to be_nil
        expect(response).to redirect_to(root_path)
      end
    end
  end

  def state_cookie
    cookies.encrypted[controller.class::STATE_COOKIE_NAME]
  end

  def nonce_cookie
    cookies.encrypted[controller.class::NONCE_COOKIE_NAME]
  end
end
chore: enable freeze string literals by comment 2024-04-29 00:17:15 +02:00			`# frozen_string_literal: true`

spec 2021-11-19 15:24:54 +01:00			`describe AgentConnect::AgentController, type: :controller do`
check state 2022-04-11 13:11:04 +02:00			`describe '#login' do`
remove env dependence in spec 2022-04-11 14:33:40 +02:00			`let(:uri) { 'https://agent-connect.fr' }`
			`let(:state) { 'state' }`
			`let(:nonce) { 'nonce' }`

			`before do`
			`expect(AgentConnectService).to receive(:authorization_uri).and_return([uri, state, nonce])`
			`get :login`
			`end`
check state 2022-04-11 13:11:04 +02:00
check nonce 2022-04-11 13:11:54 +02:00			`it do`
remove env dependence in spec 2022-04-11 14:33:40 +02:00			`expect(state_cookie).to eq(state)`
			`expect(nonce_cookie).to eq(nonce)`
			`expect(response).to redirect_to(uri)`
check nonce 2022-04-11 13:11:54 +02:00			`end`
check state 2022-04-11 13:11:04 +02:00			`end`

spec 2021-11-19 15:24:54 +01:00			`describe '#callback' do`
			`let(:email) { 'i@email.com' }`
check state 2022-04-11 13:11:04 +02:00			`let(:original_state) { 'original_state' }`
check nonce 2022-04-11 13:11:54 +02:00			`let(:nonce) { 'nonce' }`
store id_token 2024-03-18 10:35:41 +01:00			`let(:id_token) { 'id_token' }`
check state 2022-04-11 13:11:04 +02:00			`subject { get :callback, params: { code: code, state: state } }`

check nonce 2022-04-11 13:11:54 +02:00			`before do`
			`cookies.encrypted[controller.class::STATE_COOKIE_NAME] = original_state`
			`cookies.encrypted[controller.class::NONCE_COOKIE_NAME] = nonce`
			`end`
spec 2021-11-19 15:24:54 +01:00
			`context 'when the callback code is correct' do`
			`let(:code) { 'correct' }`
check state 2022-04-11 13:11:04 +02:00			`let(:state) { original_state }`
[#10742] Set email as verified when instructeur signs in with Agent Connect 2024-09-03 19:03:12 +02:00			`let(:user_info) { { 'sub' => 'sub', 'email' => email, 'given_name' => 'given', 'usual_name' => 'usual' } }`
feature(agent_connect_2fa): do not log AC/MonComptePro agent without 2fa 2024-09-16 11:02:02 +02:00			`let(:amr) { [] }`
spec 2021-11-19 15:24:54 +01:00
			`context 'and user_info returns some info' do`
			`before do`
feature(agent_connect_2fa): do not log AC/MonComptePro agent without 2fa 2024-09-16 11:02:02 +02:00			`expect(AgentConnectService).to receive(:user_info).with(code, nonce).and_return([user_info, id_token, amr])`
			`end`

feature(agent_connect_2fa): add intermediate pages to improve UX 2024-09-16 12:14:46 +02:00			`context 'and the instructeur use mon_compte_pro' do`
feature(agent_connect_2fa): do not log AC/MonComptePro agent without 2fa 2024-09-16 11:02:02 +02:00			`before do`
			`user_info['idp_id'] = AgentConnect::AgentController::MON_COMPTE_PRO_IDP_ID`
			`allow(controller).to receive(:sign_in)`
			`end`

			`context 'without 2FA' do`
feature(agent_connect_2fa): add intermediate pages to improve UX 2024-09-16 12:14:46 +02:00			`it 'redirects to agent_connect_explanation_2fa_path' do`
feature(agent_connect_2fa): do not log AC/MonComptePro agent without 2fa 2024-09-16 11:02:02 +02:00			`subject`

			`expect(controller).not_to have_received(:sign_in)`
feature(agent_connect_2fa): add intermediate pages to improve UX 2024-09-16 12:14:46 +02:00			`expect(response).to redirect_to(agent_connect_explanation_2fa_path)`
feature(agent_connect_2fa): do not log AC/MonComptePro agent without 2fa 2024-09-16 11:02:02 +02:00			`expect(state_cookie).to be_nil`
			`expect(nonce_cookie).to be_nil`
feature(agent_connect_2fa): add intermediate pages to improve UX 2024-09-16 12:14:46 +02:00			`expect(cookies.encrypted[controller.class::AC_ID_TOKEN_COOKIE_NAME]).to eq(id_token)`
feature(agent_connect_2fa): do not log AC/MonComptePro agent without 2fa 2024-09-16 11:02:02 +02:00			`end`
			`end`

			`context 'with 2FA' do`
			`let(:amr) { ['mfa'] }`

			`it 'creates the user, signs in and redirects to procedure_path' do`
			`expect { subject }.to change { User.count }.by(1).and change { Instructeur.count }.by(1)`

			`expect(controller).to have_received(:sign_in)`
			`end`
			`end`
spec 2021-11-19 15:24:54 +01:00			`end`

			`context 'and the instructeur does not have an account yet' do`
			`before do`
			`expect(controller).to receive(:sign_in)`
			`end`

			`it 'creates the user, signs in and redirects to procedure_path' do`
			`expect { subject }.to change { User.count }.by(1).and change { Instructeur.count }.by(1)`

			`last_user = User.last`

			`expect(last_user.email).to eq(email)`
			`expect(last_user.confirmed_at).to be_present`
[#10742] Set email as verified when instructeur signs in with Agent Connect 2024-09-03 19:03:12 +02:00			`expect(last_user.email_verified_at).to be_present`
store id_token 2024-03-18 10:35:41 +01:00			`expect(last_user.instructeur.agent_connect_id_token).to eq('id_token')`
spec 2021-11-19 15:24:54 +01:00			`expect(response).to redirect_to(instructeur_procedures_path)`
check state 2022-04-11 13:11:04 +02:00			`expect(state_cookie).to be_nil`
check nonce 2022-04-11 13:11:54 +02:00			`expect(nonce_cookie).to be_nil`
spec 2021-11-19 15:24:54 +01:00			`end`
			`end`

			`context 'and the instructeur already has an account' do`
			`let!(:instructeur) { create(:instructeur, email: email) }`

			`before do`
			`expect(controller).to receive(:sign_in)`
			`end`

			`it 'reuses the account, signs in and redirects to procedure_path' do`
			`expect { subject }.to change { User.count }.by(0).and change { Instructeur.count }.by(0)`
			`instructeur.reload`

store id_token 2024-03-18 10:35:41 +01:00			`expect(instructeur.agent_connect_id_token).to eq('id_token')`
spec 2021-11-19 15:24:54 +01:00			`expect(response).to redirect_to(instructeur_procedures_path)`
			`end`
[#10742] Set email as verified when instructeur signs in with Agent Connect 2024-09-03 19:03:12 +02:00
			`it "sets email_verified_at" do`
			`expect { subject }.to change { instructeur.user.reload.email_verified_at }.from(`
			`nil`
			`)`
			`end`
spec 2021-11-19 15:24:54 +01:00			`end`

			`context 'and the instructeur already has an account as a user' do`
			`let!(:user) { create(:user, email: email) }`

			`before do`
			`expect(controller).to receive(:sign_in)`
			`end`

			`it 'reuses the account, signs in and redirects to procedure_path' do`
			`expect { subject }.to change { User.count }.by(0).and change { Instructeur.count }.by(1)`

			`instructeur = user.reload.instructeur`

store id_token 2024-03-18 10:35:41 +01:00			`expect(instructeur.agent_connect_id_token).to eq('id_token')`
spec 2021-11-19 15:24:54 +01:00			`expect(response).to redirect_to(instructeur_procedures_path)`
			`end`
			`end`
			`end`

Allow instructeur to have multiple agent_connect_information AC will return two different sub depending of the domain demarches.gouv.fr or ds. Both agent_connect_information are stored and the corresponding instructeur is found by its email. We do not store anymore the agent_connect_id on the instructeur as the are many. 2024-03-19 14:57:19 +01:00			`context 'when the instructeur connects two times with the same domain' do`
			`before do`
			`expect(AgentConnectService).to receive(:user_info).with(code, nonce).and_return([user_info, id_token]).twice`
			`expect(controller).to receive(:sign_in).twice`
			`end`

			`it 'creates another agent_connect_information' do`
			`get :callback, params: { code: code, state: state }`
			`get :callback, params: { code: code, state: state }`

			`expect(Instructeur.last.agent_connect_information.count).to eq(1)`
			`end`
			`end`

			`context 'when the instructeur connects two times with different domains' do`
			`before do`
			`expect(controller).to receive(:sign_in).twice`
			`end`

			`it 'creates another agent_connect_information' do`
			`expect(AgentConnectService).to receive(:user_info).with(code, nonce).and_return([user_info, id_token])`
			`get :callback, params: { code: code, state: state }`

			`expect(AgentConnectService).to receive(:user_info).with(code, nonce).and_return([user_info.merge('sub' => 'sub2'), id_token])`
			`get :callback, params: { code: code, state: state }`

			`expect(Instructeur.last.agent_connect_information.pluck(:sub)).to match_array(['sub', 'sub2'])`
			`end`
			`end`

spec 2021-11-19 15:24:54 +01:00			`context 'but user_info raises and error' do`
			`before do`
			`expect(AgentConnectService).to receive(:user_info).and_raise(Rack::OAuth2::Client::Error.new(500, error: 'Unknown'))`
			`end`

			`it 'aborts the processus' do`
			`expect { subject }.to change { User.count }.by(0).and change { Instructeur.count }.by(0)`

			`expect(response).to redirect_to(new_user_session_path)`
			`end`
			`end`
			`end`

check state 2022-04-11 13:11:04 +02:00			`context 'when the callback state is not the original' do`
			`let(:code) { 'correct' }`
			`let(:state) { 'another state' }`

			`before { subject }`

			`it 'aborts the processus' do`
			`expect { subject }.to change { User.count }.by(0).and change { Instructeur.count }.by(0)`

			`expect(response).to redirect_to(new_user_session_path)`
			`end`
			`end`

spec 2021-11-19 15:24:54 +01:00			`context 'when the callback code is blank' do`
			`let(:code) { '' }`
check state 2022-04-11 13:11:04 +02:00			`let(:state) { original_state }`
spec 2021-11-19 15:24:54 +01:00
			`it 'aborts the processus' do`
			`expect { subject }.to change { User.count }.by(0).and change { Instructeur.count }.by(0)`

			`expect(response).to redirect_to(new_user_session_path)`
			`end`
			`end`
			`end`
check state 2022-04-11 13:11:04 +02:00
feature(agent_connect_2fa): add intermediate pages to improve UX 2024-09-16 12:14:46 +02:00			`describe '#logout_from_mcp' do`
			`let(:id_token) { 'id_token' }`
			`subject { get :logout_from_mcp }`

			`before do`
			`cookies.encrypted[controller.class::AC_ID_TOKEN_COOKIE_NAME] = id_token`
			`end`

			`it 'clears the id token cookie and redirects to the agent connect logout url' do`
			`expect(AgentConnectService).to receive(:logout_url).with(id_token, host_with_port: 'test.host')`
			`.and_return("https://agent-connect.fr/logout/#{id_token}")`

			`subject`

			`expect(cookies.encrypted[controller.class::AC_ID_TOKEN_COOKIE_NAME]).to be_nil`
			`expect(cookies.encrypted[controller.class::REDIRECT_TO_AC_LOGIN_COOKIE_NAME]).to eq(true)`
			`expect(response).to redirect_to("https://agent-connect.fr/logout/#{id_token}")`
			`end`

			`context 'when the id_token is blank' do`
			`let(:id_token) { nil }`

			`it 'clears the cookies and redirects to the root path' do`
			`subject`

			`expect(cookies.encrypted[controller.class::REDIRECT_TO_AC_LOGIN_COOKIE_NAME]).to be_nil`
			`expect(response).to redirect_to(root_path)`
			`end`
			`end`
			`end`

check state 2022-04-11 13:11:04 +02:00			`def state_cookie`
			`cookies.encrypted[controller.class::STATE_COOKIE_NAME]`
			`end`
check nonce 2022-04-11 13:11:54 +02:00
			`def nonce_cookie`
			`cookies.encrypted[controller.class::NONCE_COOKIE_NAME]`
			`end`
spec 2021-11-19 15:24:54 +01:00			`end`