2024-04-29 00:17:15 +02:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2021-11-19 15:24:54 +01:00
|
|
|
# doc: https://github.com/france-connect/Documentation-AgentConnect
|
2021-11-19 10:00:04 +01:00
|
|
|
class AgentConnect::AgentController < ApplicationController
|
2021-11-19 15:24:54 +01:00
|
|
|
before_action :redirect_to_login_if_fc_aborted, only: [:callback]
|
2022-04-11 13:11:04 +02:00
|
|
|
before_action :check_state, only: [:callback]
|
|
|
|
|
2024-09-16 11:03:24 +02:00
|
|
|
MON_COMPTE_PRO_IDP_ID = "71144ab3-ee1a-4401-b7b3-79b44f7daeeb"
|
|
|
|
|
2022-04-11 13:11:04 +02:00
|
|
|
STATE_COOKIE_NAME = :agentConnect_state
|
2022-04-11 13:11:54 +02:00
|
|
|
NONCE_COOKIE_NAME = :agentConnect_nonce
|
2021-11-19 15:24:54 +01:00
|
|
|
|
2024-09-16 12:14:46 +02:00
|
|
|
AC_ID_TOKEN_COOKIE_NAME = :agentConnect_id_token
|
|
|
|
REDIRECT_TO_AC_LOGIN_COOKIE_NAME = :redirect_to_ac_login
|
|
|
|
|
2021-11-19 10:00:04 +01:00
|
|
|
def index
|
|
|
|
end
|
2021-11-19 10:21:47 +01:00
|
|
|
|
|
|
|
def login
|
2022-04-11 13:11:54 +02:00
|
|
|
uri, state, nonce = AgentConnectService.authorization_uri
|
2022-04-11 13:11:04 +02:00
|
|
|
|
2024-07-03 11:54:10 +02:00
|
|
|
cookies.encrypted[STATE_COOKIE_NAME] = { value: state, secure: Rails.env.production?, httponly: true }
|
|
|
|
cookies.encrypted[NONCE_COOKIE_NAME] = { value: nonce, secure: Rails.env.production?, httponly: true }
|
2022-04-11 13:11:04 +02:00
|
|
|
|
2023-04-27 13:21:20 +02:00
|
|
|
redirect_to uri, allow_other_host: true
|
2021-11-19 10:21:47 +01:00
|
|
|
end
|
2021-11-19 15:24:54 +01:00
|
|
|
|
|
|
|
def callback
|
2024-09-16 11:02:02 +02:00
|
|
|
user_info, id_token, amr = AgentConnectService.user_info(params[:code], cookies.encrypted[NONCE_COOKIE_NAME])
|
2024-03-19 14:41:41 +01:00
|
|
|
cookies.delete NONCE_COOKIE_NAME
|
2021-11-19 15:24:54 +01:00
|
|
|
|
2024-09-16 13:38:09 +02:00
|
|
|
if user_info['idp_id'] == MON_COMPTE_PRO_IDP_ID &&
|
|
|
|
!amr.include?('mfa') &&
|
|
|
|
Flipper.enabled?(:agent_connect_2fa, Struct.new(:flipper_id).new(flipper_id: user_info['email']))
|
2024-09-16 12:14:46 +02:00
|
|
|
# we need the id_token to disconnect the agent connect session later.
|
|
|
|
# we cannot store it in the instructeur model because the user is not yet created
|
|
|
|
# so we store it in a encrypted cookie
|
|
|
|
cookies.encrypted[AC_ID_TOKEN_COOKIE_NAME] = id_token
|
|
|
|
return redirect_to agent_connect_explanation_2fa_path
|
2024-09-16 11:03:24 +02:00
|
|
|
end
|
|
|
|
|
2024-03-19 14:57:19 +01:00
|
|
|
instructeur = Instructeur.find_by(users: { email: santized_email(user_info) })
|
2021-11-19 15:24:54 +01:00
|
|
|
|
|
|
|
if instructeur.nil?
|
2024-06-25 15:14:26 +02:00
|
|
|
user = User.create_or_promote_to_instructeur(santized_email(user_info), Devise.friendly_token[0, 20], agent_connect: true)
|
2021-11-19 15:24:54 +01:00
|
|
|
instructeur = user.instructeur
|
|
|
|
end
|
|
|
|
|
2024-09-06 15:37:33 +02:00
|
|
|
instructeur.update!(agent_connect_id_token: id_token)
|
|
|
|
instructeur.user.update!(email_verified_at: Time.zone.now)
|
2024-03-18 10:35:41 +01:00
|
|
|
|
2024-03-19 14:57:19 +01:00
|
|
|
aci = AgentConnectInformation.find_or_initialize_by(instructeur:, sub: user_info['sub'])
|
2024-09-16 14:41:15 +02:00
|
|
|
aci.update(user_info.slice('given_name', 'usual_name', 'email', 'sub', 'siret', 'organizational_unit', 'belonging_population', 'phone').merge(amr:))
|
2023-12-12 15:02:22 +01:00
|
|
|
|
2021-11-19 15:24:54 +01:00
|
|
|
sign_in(:user, instructeur.user)
|
|
|
|
|
|
|
|
redirect_to instructeur_procedures_path
|
|
|
|
|
|
|
|
rescue Rack::OAuth2::Client::Error => e
|
|
|
|
Rails.logger.error e.message
|
|
|
|
redirect_france_connect_error_connection
|
|
|
|
end
|
|
|
|
|
2024-09-16 12:14:46 +02:00
|
|
|
def explanation_2fa
|
|
|
|
end
|
|
|
|
|
|
|
|
# Special callback from MonComptePro juste after 2FA configuration
|
|
|
|
# then:
|
|
|
|
# - the current user is disconnected from the AgentConnect session by redirecting to the AgentConnect logout endpoint
|
|
|
|
# - the user is redirected to User::SessionsController#logout by agent connect (no choice)
|
|
|
|
# - the cookie redirect_to_ac_login is detected and the controller redirects to the relogin_after_2fa_config page
|
|
|
|
# - finally, the user clicks on the button to reconnect to the AgentConnect session
|
|
|
|
def logout_from_mcp
|
|
|
|
sign_out(:user) if user_signed_in?
|
|
|
|
|
|
|
|
id_token = cookies.encrypted[AC_ID_TOKEN_COOKIE_NAME]
|
|
|
|
cookies.delete(AC_ID_TOKEN_COOKIE_NAME)
|
|
|
|
|
|
|
|
return redirect_to root_path if id_token.blank?
|
|
|
|
|
|
|
|
cookies.encrypted[REDIRECT_TO_AC_LOGIN_COOKIE_NAME] = true
|
|
|
|
|
|
|
|
redirect_to AgentConnectService.logout_url(id_token, host_with_port: request.host_with_port), allow_other_host: true
|
|
|
|
end
|
|
|
|
|
|
|
|
def relogin_after_2fa_config
|
|
|
|
end
|
|
|
|
|
2021-11-19 15:24:54 +01:00
|
|
|
private
|
|
|
|
|
|
|
|
def santized_email(user_info)
|
|
|
|
user_info['email'].strip.downcase
|
|
|
|
end
|
2021-11-19 15:24:54 +01:00
|
|
|
|
|
|
|
def redirect_to_login_if_fc_aborted
|
|
|
|
if params[:code].blank?
|
|
|
|
redirect_to new_user_session_path
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def redirect_france_connect_error_connection
|
|
|
|
flash.alert = t('errors.messages.france_connect.connexion')
|
|
|
|
redirect_to(new_user_session_path)
|
|
|
|
end
|
2022-04-11 13:11:04 +02:00
|
|
|
|
|
|
|
def check_state
|
|
|
|
if cookies.encrypted[STATE_COOKIE_NAME] != params[:state]
|
|
|
|
flash.alert = t('errors.messages.france_connect.connexion')
|
|
|
|
redirect_to(new_user_session_path)
|
|
|
|
else
|
2024-03-19 14:41:41 +01:00
|
|
|
cookies.delete STATE_COOKIE_NAME
|
2022-04-11 13:11:04 +02:00
|
|
|
end
|
|
|
|
end
|
2021-11-19 10:00:04 +01:00
|
|
|
end
|