feature(agent_connect_2fa): do not log AC/MonComptePro agent without 2fa

2024-09-16 11:02:02 +02:00 · 2024-09-16 11:02:02 +02:00 · 1706feec3d
commit 1706feec3d
parent 5f25756ae2
3 changed files with 37 additions and 4 deletions
--- a/app/controllers/agent_connect/agent_controller.rb
+++ b/app/controllers/agent_connect/agent_controller.rb
@ -23,11 +23,11 @@ class AgentConnect::AgentController < ApplicationController
  end

  def callback
-    user_info, id_token = AgentConnectService.user_info(params[:code], cookies.encrypted[NONCE_COOKIE_NAME])
+    user_info, id_token, amr = AgentConnectService.user_info(params[:code], cookies.encrypted[NONCE_COOKIE_NAME])
    cookies.delete NONCE_COOKIE_NAME

-    if user_info['idp_id'] == MON_COMPTE_PRO_IDP_ID
-      # MON COMPTE PRO !
+    if user_info['idp_id'] == MON_COMPTE_PRO_IDP_ID && !amr.include?('mfa')
+      return redirect_to ENV['MON_COMPTE_PRO_2FA_NOT_CONFIGURED_URL'], allow_other_host: true
    end

    instructeur = Instructeur.find_by(users: { email: santized_email(user_info) })
--- a/config/env.example.optional
+++ b/config/env.example.optional
@ -32,6 +32,9 @@ DS_ENV="staging"
 # AGENT_CONNECT_GOUV_SECRET=""
 # AGENT_CONNECT_GOUV_REDIRECT=""

+# url to redirect user to when 2FA is not configured mon compte pro FI is used
+# MON_COMPTE_PRO_2FA_NOT_CONFIGURED_URL="https://app-sandbox.moncomptepro.beta.gouv.fr/connection-and-account?notification=2fa_not_configured"
+
 # Certigna usage
 # CERTIGNA_ENABLED="disabled" # "enabled" by default

--- a/spec/controllers/agent_connect/agent_controller_spec.rb
+++ b/spec/controllers/agent_connect/agent_controller_spec.rb
@ -34,10 +34,40 @@ describe AgentConnect::AgentController, type: :controller do
      let(:code) { 'correct' }
      let(:state) { original_state }
      let(:user_info) { { 'sub' => 'sub', 'email' => email, 'given_name' => 'given', 'usual_name' => 'usual' } }
+      let(:amr) { [] }

      context 'and user_info returns some info' do
        before do
-          expect(AgentConnectService).to receive(:user_info).with(code, nonce).and_return([user_info, id_token])
+          ENV['MON_COMPTE_PRO_2FA_NOT_CONFIGURED_URL'] = 'https://moncomptepro.fr/not_configured'
+          expect(AgentConnectService).to receive(:user_info).with(code, nonce).and_return([user_info, id_token, amr])
+        end
+
+        context 'and the instructeur use mon_compte_pro without 2FA' do
+          before do
+            user_info['idp_id'] = AgentConnect::AgentController::MON_COMPTE_PRO_IDP_ID
+            allow(controller).to receive(:sign_in)
+          end
+
+          context 'without 2FA' do
+            it 'redirects to MON_COMPTE_PRO_2FA_NOT_CONFIGURED_URL' do
+              subject
+
+              expect(controller).not_to have_received(:sign_in)
+              expect(response).to redirect_to(ENV['MON_COMPTE_PRO_2FA_NOT_CONFIGURED_URL'])
+              expect(state_cookie).to be_nil
+              expect(nonce_cookie).to be_nil
+            end
+          end
+
+          context 'with 2FA' do
+            let(:amr) { ['mfa'] }
+
+            it 'creates the user, signs in and redirects to procedure_path' do
+              expect { subject }.to change { User.count }.by(1).and change { Instructeur.count }.by(1)
+
+              expect(controller).to have_received(:sign_in)
+            end
+          end
        end

        context 'and the instructeur does not have an account yet' do