From 1706feec3d3f973da382ece5d2a0773c42d32a9e Mon Sep 17 00:00:00 2001
From: simon lehericey
Date: Mon, 16 Sep 2024 11:02:02 +0200
Subject: [PATCH] feature(agent_connect_2fa): do not log AC/MonComptePro agent without 2fa
---
 .../agent_connect/agent_controller.rb | 6 ++--
 config/env.example.optional | 3 ++
 .../agent_connect/agent_controller_spec.rb | 32 ++++++++++++++++++-
 3 files changed, 37 insertions(+), 4 deletions(-)
diff --git a/app/controllers/agent_connect/agent_controller.rb b/app/controllers/agent_connect/agent_controller.rb
index a0b293ffb..ee7e8d7be 100644
--- a/app/controllers/agent_connect/agent_controller.rb
+++ b/app/controllers/agent_connect/agent_controller.rb
@@ -23,11 +23,11 @@ class AgentConnect::AgentController < ApplicationController
   end
 
   def callback
-    user_info, id_token = AgentConnectService.user_info(params[:code], cookies.encrypted[NONCE_COOKIE_NAME])
+    user_info, id_token, amr = AgentConnectService.user_info(params[:code], cookies.encrypted[NONCE_COOKIE_NAME])
     cookies.delete NONCE_COOKIE_NAME
 
-    if user_info['idp_id'] == MON_COMPTE_PRO_IDP_ID
-      # MON COMPTE PRO !
+    if user_info['idp_id'] == MON_COMPTE_PRO_IDP_ID && !amr.include?('mfa')
+      return redirect_to ENV['MON_COMPTE_PRO_2FA_NOT_CONFIGURED_URL'], allow_other_host: true
     end
 
     instructeur = Instructeur.find_by(users: { email: santized_email(user_info) })
diff --git a/config/env.example.optional b/config/env.example.optional
index 82e95ce84..74451810a 100644
--- a/config/env.example.optional
+++ b/config/env.example.optional
@@ -32,6 +32,9 @@ DS_ENV="staging"
 # AGENT_CONNECT_GOUV_SECRET=""
 # AGENT_CONNECT_GOUV_REDIRECT=""
 
+# url to redirect user to when 2FA is not configured mon compte pro FI is used
+# MON_COMPTE_PRO_2FA_NOT_CONFIGURED_URL="https://app-sandbox.moncomptepro.beta.gouv.fr/connection-and-account?notification=2fa_not_configured"
+
 # Certigna usage
 # CERTIGNA_ENABLED="disabled" # "enabled" by default
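Review bot: `!amr.include?('mfa')` raises NoMethodError when the token carries no `amr` claim at all, so a MonComptePro login without that claim ends in a 500 instead of the intended redirect; coerce before testing, `if user_info['idp_id'] == MON_COMPTE_PRO_IDP_ID && !Array(amr).include?('mfa')`, which also fails closed (no claim is treated as no MFA). The redirect target is read with `ENV['MON_COMPTE_PRO_2FA_NOT_CONFIGURED_URL']` and `redirect_to nil` raises too, so `ENV.fetch('MON_COMPTE_PRO_2FA_NOT_CONFIGURED_URL')` (or a boot-time check) would surface a missing setting at deploy rather than on the first affected agent login. The guard is keyed on MON_COMPTE_PRO_IDP_ID only, while the subject line speaks of AC/MonComptePro; if other AgentConnect identity providers can also return an `amr` without `mfa`, the idp condition lets them through unchecked, which is worth stating in a comment on the `if` if it is deliberate. Whether `amr` comes from a signature-verified id_token is decided inside AgentConnectService, outside this hunk, and the check is only as strong as that verification. callback's body continues past the end of the hunk.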
diff --git a/spec/controllers/agent_connect/agent_controller_spec.rb b/spec/controllers/agent_connect/agent_controller_spec.rb
index 80a255d16..cebed5946 100644
--- a/spec/controllers/agent_connect/agent_controller_spec.rb
+++ b/spec/controllers/agent_connect/agent_controller_spec.rb
@@ -34,10 +34,40 @@ describe AgentConnect::AgentController, type: :controller do
     let(:code) { 'correct' }
     let(:state) { original_state }
     let(:user_info) { { 'sub' => 'sub', 'email' => email, 'given_name' => 'given', 'usual_name' => 'usual' } }
+    let(:amr) { [] }
 
     context 'and user_info returns some info' do
       before do
-        expect(AgentConnectService).to receive(:user_info).with(code, nonce).and_return([user_info, id_token])
+        ENV['MON_COMPTE_PRO_2FA_NOT_CONFIGURED_URL'] = 'https://moncomptepro.fr/not_configured'
+        expect(AgentConnectService).to receive(:user_info).with(code, nonce).and_return([user_info, id_token, amr])
+      end
+
+      context 'and the instructeur use mon_compte_pro without 2FA' do
+        before do
+          user_info['idp_id'] = AgentConnect::AgentController::MON_COMPTE_PRO_IDP_ID
+          allow(controller).to receive(:sign_in)
+        end
+
+        context 'without 2FA' do
+          it 'redirects to MON_COMPTE_PRO_2FA_NOT_CONFIGURED_URL' do
+            subject
+
+            expect(controller).not_to have_received(:sign_in)
+            expect(response).to redirect_to(ENV['MON_COMPTE_PRO_2FA_NOT_CONFIGURED_URL'])
+            expect(state_cookie).to be_nil
+            expect(nonce_cookie).to be_nil
+          end
+        end
+
+        context 'with 2FA' do
+          let(:amr) { ['mfa'] }
+
+          it 'creates the user, signs in and redirects to procedure_path' do
+            expect { subject }.to change { User.count }.by(1).and change { Instructeur.count }.by(1)
+
+            expect(controller).to have_received(:sign_in)
+          end
+        end
       end
 
     context 'and the instructeur does not have an account yet' do
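Review bot: The `before` block assigns `ENV['MON_COMPTE_PRO_2FA_NOT_CONFIGURED_URL']` and never restores it, so the value leaks into every example that runs later in the same process and can mask a missing default elsewhere; add `after { ENV.delete('MON_COMPTE_PRO_2FA_NOT_CONFIGURED_URL') }` beside it, or stub the lookup instead of mutating ENV. The new contexts cover `[]` and `['mfa']` but not an absent claim; a third example with `let(:amr) { nil }` asserting the same redirect and no `sign_in` would pin how the controller treats a token without `amr`. The enclosing describe block starts before the hunk.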