From 1e9982927a0d64e79d393906e362052a88b86adb Mon Sep 17 00:00:00 2001 From: simon lehericey Date: Mon, 16 Sep 2024 11:03:24 +0200 Subject: [PATCH 1/8] add identity_provider id scope --- app/controllers/agent_connect/agent_controller.rb | 6 ++++++ app/services/agent_connect_service.rb | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/app/controllers/agent_connect/agent_controller.rb b/app/controllers/agent_connect/agent_controller.rb index 346c19a8d..a0b293ffb 100644 --- a/app/controllers/agent_connect/agent_controller.rb +++ b/app/controllers/agent_connect/agent_controller.rb @@ -5,6 +5,8 @@ class AgentConnect::AgentController < ApplicationController before_action :redirect_to_login_if_fc_aborted, only: [:callback] before_action :check_state, only: [:callback] + MON_COMPTE_PRO_IDP_ID = "71144ab3-ee1a-4401-b7b3-79b44f7daeeb" + STATE_COOKIE_NAME = :agentConnect_state NONCE_COOKIE_NAME = :agentConnect_nonce @@ -24,6 +26,10 @@ class AgentConnect::AgentController < ApplicationController user_info, id_token = AgentConnectService.user_info(params[:code], cookies.encrypted[NONCE_COOKIE_NAME]) cookies.delete NONCE_COOKIE_NAME + if user_info['idp_id'] == MON_COMPTE_PRO_IDP_ID + # MON COMPTE PRO ! + end + instructeur = Instructeur.find_by(users: { email: santized_email(user_info) }) if instructeur.nil? diff --git a/app/services/agent_connect_service.rb b/app/services/agent_connect_service.rb index cbbf91814..c4b35d18e 100644 --- a/app/services/agent_connect_service.rb +++ b/app/services/agent_connect_service.rb @@ -14,7 +14,7 @@ class AgentConnectService nonce = SecureRandom.hex(16) uri = client.authorization_uri( - scope: [:openid, :email, :given_name, :usual_name, :organizational_unit, :belonging_population, :siret], + scope: [:openid, :email, :given_name, :usual_name, :organizational_unit, :belonging_population, :siret, :idp_id], state:, nonce:, acr_values: 'eidas1' From 5f25756ae2513a396a9c44184610f39fe72be6cd Mon Sep 17 00:00:00 2001 From: simon lehericey Date: Wed, 11 Sep 2024 10:18:46 +0200 Subject: [PATCH 2/8] ask for amr (Authentication Methods References) --- app/services/agent_connect_service.rb | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/app/services/agent_connect_service.rb b/app/services/agent_connect_service.rb index c4b35d18e..69581d9b2 100644 --- a/app/services/agent_connect_service.rb +++ b/app/services/agent_connect_service.rb @@ -17,7 +17,9 @@ class AgentConnectService scope: [:openid, :email, :given_name, :usual_name, :organizational_unit, :belonging_population, :siret, :idp_id], state:, nonce:, - acr_values: 'eidas1' + acr_values: 'eidas1', + claims: { id_token: { amr: { essential: true } } }.to_json, + prompt: :login ) [uri, state, nonce] @@ -32,7 +34,9 @@ class AgentConnectService id_token = ResponseObject::IdToken.decode(access_token.id_token, conf[:jwks]) id_token.verify!(conf.merge(nonce: nonce)) - [access_token.userinfo!.raw_attributes, access_token.id_token] + amr = id_token.amr.present? ? JSON.parse(id_token.amr) : [] + + [access_token.userinfo!.raw_attributes, access_token.id_token, amr] end private From 1706feec3d3f973da382ece5d2a0773c42d32a9e Mon Sep 17 00:00:00 2001 From: simon lehericey Date: Mon, 16 Sep 2024 11:02:02 +0200 Subject: [PATCH 3/8] feature(agent_connect_2fa): do not log AC/MonComptePro agent without 2fa --- .../agent_connect/agent_controller.rb | 6 ++-- config/env.example.optional | 3 ++ .../agent_connect/agent_controller_spec.rb | 32 ++++++++++++++++++- 3 files changed, 37 insertions(+), 4 deletions(-) diff --git a/app/controllers/agent_connect/agent_controller.rb b/app/controllers/agent_connect/agent_controller.rb index a0b293ffb..ee7e8d7be 100644 --- a/app/controllers/agent_connect/agent_controller.rb +++ b/app/controllers/agent_connect/agent_controller.rb @@ -23,11 +23,11 @@ class AgentConnect::AgentController < ApplicationController end def callback - user_info, id_token = AgentConnectService.user_info(params[:code], cookies.encrypted[NONCE_COOKIE_NAME]) + user_info, id_token, amr = AgentConnectService.user_info(params[:code], cookies.encrypted[NONCE_COOKIE_NAME]) cookies.delete NONCE_COOKIE_NAME - if user_info['idp_id'] == MON_COMPTE_PRO_IDP_ID - # MON COMPTE PRO ! + if user_info['idp_id'] == MON_COMPTE_PRO_IDP_ID && !amr.include?('mfa') + return redirect_to ENV['MON_COMPTE_PRO_2FA_NOT_CONFIGURED_URL'], allow_other_host: true end instructeur = Instructeur.find_by(users: { email: santized_email(user_info) }) diff --git a/config/env.example.optional b/config/env.example.optional index 82e95ce84..74451810a 100644 --- a/config/env.example.optional +++ b/config/env.example.optional @@ -32,6 +32,9 @@ DS_ENV="staging" # AGENT_CONNECT_GOUV_SECRET="" # AGENT_CONNECT_GOUV_REDIRECT="" +# url to redirect user to when 2FA is not configured mon compte pro FI is used +# MON_COMPTE_PRO_2FA_NOT_CONFIGURED_URL="https://app-sandbox.moncomptepro.beta.gouv.fr/connection-and-account?notification=2fa_not_configured" + # Certigna usage # CERTIGNA_ENABLED="disabled" # "enabled" by default diff --git a/spec/controllers/agent_connect/agent_controller_spec.rb b/spec/controllers/agent_connect/agent_controller_spec.rb index 80a255d16..cebed5946 100644 --- a/spec/controllers/agent_connect/agent_controller_spec.rb +++ b/spec/controllers/agent_connect/agent_controller_spec.rb @@ -34,10 +34,40 @@ describe AgentConnect::AgentController, type: :controller do let(:code) { 'correct' } let(:state) { original_state } let(:user_info) { { 'sub' => 'sub', 'email' => email, 'given_name' => 'given', 'usual_name' => 'usual' } } + let(:amr) { [] } context 'and user_info returns some info' do before do - expect(AgentConnectService).to receive(:user_info).with(code, nonce).and_return([user_info, id_token]) + ENV['MON_COMPTE_PRO_2FA_NOT_CONFIGURED_URL'] = 'https://moncomptepro.fr/not_configured' + expect(AgentConnectService).to receive(:user_info).with(code, nonce).and_return([user_info, id_token, amr]) + end + + context 'and the instructeur use mon_compte_pro without 2FA' do + before do + user_info['idp_id'] = AgentConnect::AgentController::MON_COMPTE_PRO_IDP_ID + allow(controller).to receive(:sign_in) + end + + context 'without 2FA' do + it 'redirects to MON_COMPTE_PRO_2FA_NOT_CONFIGURED_URL' do + subject + + expect(controller).not_to have_received(:sign_in) + expect(response).to redirect_to(ENV['MON_COMPTE_PRO_2FA_NOT_CONFIGURED_URL']) + expect(state_cookie).to be_nil + expect(nonce_cookie).to be_nil + end + end + + context 'with 2FA' do + let(:amr) { ['mfa'] } + + it 'creates the user, signs in and redirects to procedure_path' do + expect { subject }.to change { User.count }.by(1).and change { Instructeur.count }.by(1) + + expect(controller).to have_received(:sign_in) + end + end end context 'and the instructeur does not have an account yet' do From 6f5135a6b2a5433cb6df442fc368743bc1df19e2 Mon Sep 17 00:00:00 2001 From: simon lehericey Date: Mon, 16 Sep 2024 12:10:55 +0200 Subject: [PATCH 4/8] refactor: extract agent_connect logout_url to a agent_connect_service --- app/controllers/users/sessions_controller.rb | 10 ++-------- app/services/agent_connect_service.rb | 6 ++++++ spec/services/agent_connect_service_spec.rb | 19 +++++++++++++++++++ 3 files changed, 27 insertions(+), 8 deletions(-) create mode 100644 spec/services/agent_connect_service_spec.rb diff --git a/app/controllers/users/sessions_controller.rb b/app/controllers/users/sessions_controller.rb index 1d5e49100..601f533dc 100644 --- a/app/controllers/users/sessions_controller.rb +++ b/app/controllers/users/sessions_controller.rb @@ -59,7 +59,8 @@ class Users::SessionsController < Devise::SessionsController end if agent_connect_id_token.present? - return redirect_to build_agent_connect_logout_url(agent_connect_id_token), allow_other_host: true + return redirect_to AgentConnectService.logout_url(agent_connect_id_token, host_with_port: request.host_with_port), + allow_other_host: true end end @@ -110,11 +111,4 @@ class Users::SessionsController < Devise::SessionsController def logout redirect_to root_path, notice: I18n.t('devise.sessions.signed_out') end - - private - - def build_agent_connect_logout_url(id_token) - h = { id_token_hint: id_token, post_logout_redirect_uri: logout_url } - "#{AGENT_CONNECT[:end_session_endpoint]}?#{h.to_query}" - end end diff --git a/app/services/agent_connect_service.rb b/app/services/agent_connect_service.rb index 69581d9b2..6b2dc6ba1 100644 --- a/app/services/agent_connect_service.rb +++ b/app/services/agent_connect_service.rb @@ -39,6 +39,12 @@ class AgentConnectService [access_token.userinfo!.raw_attributes, access_token.id_token, amr] end + def self.logout_url(id_token, host_with_port:) + app_logout = Rails.application.routes.url_helpers.logout_url(host: host_with_port) + h = { id_token_hint: id_token, post_logout_redirect_uri: app_logout } + "#{AGENT_CONNECT[:end_session_endpoint]}?#{h.to_query}" + end + private # TODO: remove this block when migration to new domain is done diff --git a/spec/services/agent_connect_service_spec.rb b/spec/services/agent_connect_service_spec.rb new file mode 100644 index 000000000..f0aa30db7 --- /dev/null +++ b/spec/services/agent_connect_service_spec.rb @@ -0,0 +1,19 @@ +# frozen_string_literal: true + +describe AgentConnectService do + describe '.logout_url' do + let(:id_token) { 'id_token' } + + before do + ::AGENT_CONNECT ||= {} + allow(AGENT_CONNECT).to receive(:[]) + .with(:end_session_endpoint).and_return("https://agent-connect.fr/logout") + end + + subject { described_class.logout_url(id_token, host_with_port: 'test.host') } + + it 'returns the correct url' do + expect(subject).to eq("https://agent-connect.fr/logout?id_token_hint=id_token&post_logout_redirect_uri=http%3A%2F%2Ftest.host%2Flogout") + end + end +end From cd2d772cd0a689e93fa7c9df6df736bd9bc703dd Mon Sep 17 00:00:00 2001 From: simon lehericey Date: Mon, 16 Sep 2024 12:14:46 +0200 Subject: [PATCH 5/8] feature(agent_connect_2fa): add intermediate pages to improve UX --- .../images/instructions_moncomptepro.png | Bin 0 -> 22872 bytes .../agent_connect/agent_controller.rb | 34 ++++++++++++++- app/controllers/users/sessions_controller.rb | 6 +++ .../agent/explanation_2fa.html.haml | 14 +++++++ .../agent/relogin_after_2fa_config.html.haml | 12 ++++++ config/routes.rb | 3 ++ .../agent_connect/agent_controller_spec.rb | 39 ++++++++++++++++-- .../users/sessions_controller_spec.rb | 17 ++++++++ 8 files changed, 120 insertions(+), 5 deletions(-) create mode 100644 app/assets/images/instructions_moncomptepro.png create mode 100644 app/views/agent_connect/agent/explanation_2fa.html.haml create mode 100644 app/views/agent_connect/agent/relogin_after_2fa_config.html.haml diff --git a/app/assets/images/instructions_moncomptepro.png b/app/assets/images/instructions_moncomptepro.png new file mode 100644 index 0000000000000000000000000000000000000000..554d388b568da3a66a497bcca9522cedaab5cebc GIT binary patch literal 22872 zcmZ^~byOU|(g#Wi3BeNFoyFbVb#Zrh_uvxTZE+7C+#LeJ-CcvbyT2v(-gCb5&U^eZ zJKfV=Rb5?G{i~WGOkP$T0Tvq;0s;a7C?TQ<0RaVsfcP-;^Xcj7>+9>&)6@O^{p952%ggJ{&CT`o_4D)d!^6Yn z<>lGg+0@k3pFe-%g((8?(U3@jjyh*j?dqgmX<<8LywP-Utiz&`T57j z#`cciW@l$dMn-yidgkZnA0HpRyu3O(I_@9ehKGlXi;G)ZTRS^DTUuJSwyvb4q`-38 z+1Z_+pI1~=jE|2mE-n@o6>V>C_w?)z4rx3;#{*Vk88R@UC$J~1)T+uOUpzyJLF zwzai2I5^nd-QC~czp=3q78Z7Ud%L{6Y++&1(9i$@5xujsb8v9*_wV1jy1J&Orkk6m z=H`vNyXTXOxBL6&$jHd`^_RA`v-|tgnwlDYef^u8^Mr)khK9c-CCe|bZ+?D$K|w*( z)VVP+F_o1oCnu)@0wtH1j}Z~0OG{^SbEo3s;=#egMMaC&*49r?F9`{g9v&WAT3W8I zt|=)gK0dxlNlAuTf1RD3kB;s@Adr30mXeZEfB)Y3&1+`n?8?e{Z0z{y>HVKSJITpY z4h{|-3s+TRXQ`>F^78T%8}~UqCsR|$3_oVm(xx*rGfhm|Yirls+G9R8<>cVG}blGSbr0kdTm;*3Y*OpQNO!^NZ@dz5C}j zp9I1e?Ckz{dU|qla{BoV{`@(Yn3$NJo=!}hec94-6c>9pGgDsOzP9&*Xfrmya@;?> zw6=AXo>e@!bpNorlAN3zpOiDbuyGRRy)z$efD;EfK3t=?${CqbxHJO|~yRE3ma4qiw0YL}>6cJQ* zTRL8~lfZGu@4pyC9Le7GHME3ht%zg|f5>xIoc4$lJJh6)BC}fBPf2rPX-I*FZP}%{ zv75D|6+>lJ`9=7>)mvWsU@53z;_=Mo%wa=4$&c0GPs7EP z2V(q#iN9BBTPh$H5ejVR|Nnnp%7OMA_P+#c%tRo=f|CRsLjt)6b{w0(Acx~rdy$iK z>=JTvcZv4=lBej26{gru>~L~)_0AFyZ{s>;Sk19}{u)aQQYn)sb0{GA8@ zc-oMtL0wY?oWW141BHlH*q9Lb0wl)^pvb`!D{UgVQYD9t28hEIOK1BD8JiXrm5~O| z>!?!4LgSGo8bG0_ic6i{fUgMS0#axcFo5L&Aj8jjx@9P7BZ;zKe@((>7kv6uPnXPV8AAa)|!Xn97`**vc zfo-9@=7^!_g_&`?Css}!!7QV$9Ys$PwksjA;^}mLepNfiZSG|F6b4C1@jAd-P_?qS z+Djp|mt~K_4klb`U&h8{c>B%ab@lbRVucfrcD6@pJYb;Z-1Jo4*2B%2xQ0vDtfkS* zs?=s;X0~~$8Lcl+0huG0l+tn0u9XHsB@<1{KwO7{h3yP>S*Ni5`_(Ui=LjdZ`>8sD zEQc7^k>cJ_%ju^hp}dX97L2a&`L3-4 zi_ebYu+`o8O7k?17MKw+>Ey)PK^PpX1xrFjB%w@Xwd5HjF-OKsLLtK3PCSp$>nM0E_%#BQ`HQH=NveLC#2X1SuU~H@k zHBYnc;wDB9G1Y9osA$i0FN?3WskLfK*X5K(@cQQ3+M4I@BcoTxi|ydb%}o*evRQ}r zSxQ>_+uwuEzG=|}sAy#%U8zRpjj_eAmbt@bl}x3b`h^jfyH|Wi&WlSe4*+o<-K)ig zm0Vcnc!VpTpigti`Dp1==`xN>Lm&MXTvt19Q0}*bL9(`|`(b253Un*FuvVW|ZiC!#W!5h{Vxr7jdI`bd2%4KEp}>HFejz{7UPcu4~qRGU(<^ygaeR`R$q= zY(-FU^&ci91=4e`{WwAW0^=u&*FnVeCG=j#Hhoj_d04I?n{6ti@5IWHPuPwg#kwIn zR@no~p8=%o=cxi0aKGGoqt5A_t!P|waHRqS|a}qCV z0V`Q+ql(dG6U(3F`dR#XB4eA`8SIy=HhBhPEla9zJF~&RN`5xiZ|1Kmo=m!x^eQWj zCB|x$+ERViBQF?h*At}T6F;Ziz`ei_(? zt;9e-I%ixnV@cyW)V@My#?XOE`r-awGM8Ie>VE0RKCS0~iEX&C+!rYS&x+I&PZEBU z69SKz1-;f2r4(7ZqPnJ-io@uPEGH35K|=xa*BiO>2>?L>BMJEf z^z;4ZC*TJN_x$3*Sr9z=p#!Tog;5fcV(^JROrcZ=2q6!0jsGOh{c`5DCS&?s^rj`* zab>V0i6senjxUAW`ZPIeEg#rdQ2qa?H=X>7Jd@nRydKWJ;PM#0AC6EqOJed=l6Dx6cg(Y7O zPq_%{($?JFx4TlhDMt%Uc0Cr@4p~Kbt;@CP-@!D|sx7$u^X642+nsR+ zclI^takNViKhej_{kbQ?4nO*dCy2xptkIW*`~d2~`e^##2%}G<%#)|7>cbD}EL^O! zIumVHv#_Ie zN0`vA^L5==fO=Waj~lcfbJzh;xnW@!dJE9jQ)9-3b92&1*LMiw9DUyQjm6RP+88~ zlB3IxQYz0l;hw$wF?mY}`}X2v;^78blsVH!fZxwMGML+){dQ_svC2BR#_UW^?#FfJ z6SKncmDV{vW?_papOdlc(WCjIGnsMeY@2%va=HUp$&^a-`?An$k% zGKD*<&-eGtWk!D#)p|;4(|CjC4Z7iywiYhFJJ#dtlqI;((1cb=X`-dkW2{odP4%!V zV_1~C>6S9>y-tr~)50AEsDBUp{d28mLh>V6YcIgd!c}W?x06TLM|Wi81KKqoN+C6N z0vAGW1C^jLug)S3HXc4GN6P?yOn~NmElMGQy~{Vddgfx*al*6a*9X2YC^dma+q*j~o=H zd&M`&>b04FBCRk{h!X!1zR{04JSeA3&Hrs~IYo#fvG4zNrL(+SE0HJe;J^=1Y)8{o z<+Vd2mZMPBmcfHuU{OMUVvJpZQ^pmez%j_5krXlsg@Q{H^ARL4F$oG38l@{jmmkbT zt9w@T@v-gGchSSnUQ&_X-7{0x$2fOXbRkbn)037RrWoDZOHSS^+R4>vsiD4y28mb} z%gn1(nEx6Q`|e?7l2_Pp5wbYUbP>N7JSVQxhUPV(y!h+5_}O5SKr<5+yelN6gM1g< z>(0a8q?A}}=Ox=7z@#>XsH0#NWIn}U+9q(UkB5{=2Z3)r&?Bj*a|UPGkxbE&qCF3C0fL4QnuA7SivbbAbX05EKE>KrP3~aK{-K+25X}zP~^B?g5>DVu}N;PHX#?HJ>a5rR8F~xXy}d z=*TUT(;mmKvcCKy^CUI(QuZsjpXGr3)iy=Nk=50qz*#aT0=#%yt$Bt|{~aX6RjC4( zKSdcJF?{k%4OT?EC5etPOlww-{@Y4s+jn))^G>CB$2i!e9^0P)366X)Mn|lQl5|l@ zl7)&EUf9h)gz0|n*gyW-?gni;eLfnvLjy0Q()%oUdiAMd{p3js&!HLv@RMUr>OCeH(!RuuVmep9 zyS)eK9vgB*fCArDOh~q983{%dGAEW9)gfeM3@R<6-#d_bJBl;&gBc;}7bq5UqFDP} z&boN!Q~2J@&*U3yffI*NR*TjVr!-i3F14#owGaHQ?t|7WwpdXvTMfJ|XgW;GjU%Q` zGi@kQbXZZ#T4HMU7X7wt^vffYI}azMPS>NA1z<5A82}3RnPc{Ze_g~^!UTA>ojr|C zbu=idk7NTkKd>AM%LcYzxN+c$*FYiCwL0|35c=yooVAb;u>^92A)dNHE}|G%pIM8Z zENcO2l5AYkSDTFW8n9d=wU)2?_8T0`maXfsq9%V$TCZs6t}&f1Bqiq#jz)#1x-Tc$ zTv5BpKnjYV@WD_w9Nj!k)JM%DU6EF*V&krb&f{D?dND$K+_xJL2;NVix^NJG4H*~g z@k$M(4{o^R#{KF_xPl1x)CJo?j~?xAM01ouZT?-O{EtlXEE;@EnNzW7-8L|K)Mm-1 zqWnbPer-q4DBUSt@S4lmXKY7kp08MkR|p*a*K|PR`zoHy56A0I>xcmCkRe%qR3H;p z_>A|=w#~%$$;?Rm(@*%iPQ=qF>Io?f7Dg~io{OC6TpNl-fECJMNsA&MAS;Z{9#*KQac**=cY*=Wc4!UYAq%pT1uEw02$%Bpy|PPsPBsoPa{ z(7m~s{>W?nr<&?d*z`>RFEXxKM9JIuTKj8$9GyL`FF*#*85K2O7u_!P!`#5nC<>~{ zP>VbfTJ{47v@nWR&v}3Y9C2yl}dKW#`YRNnL1@@=)3_+X5 zB5$b^`dfSzN--q&oCYYj^W(I9 zdFoNg%dA1m^22zlAC}ZZCE9NDyx)g-PJIvcqt<1MR;#qqXZJ6p|8V!rIHVPYrsTAU z5S&z0RSA)ZwunU!s?2l(gIHJ)V>Q{`n{OWA9jxy?Esds|iM;&=7fT?EvqnQn>o(f! z_hJrve1xZT)q*sQ3C-T-dUj0D#L$415R4c*VQfl7Z!K65rlcB$A4lxyrd5+|(ax<< zCuG~saHw5Von^S(gQQIJ5abH2Kg^8}h^thPty%7>*SeJS<4#N_wOz17gtaqpa&2Jf17EC{vX+^2S#q0^Pc zqK!;NT;Jd6iK>5y6Q_I7M3b|7$vxfQ^dmkq{pL*kXp7^<#%B^ox$4i!3)A@fe=%Dg z^w3qQ?Y7-27TJhRijJddbqv`iv1O=??pBx0 z%mcjTV43Bh9Z_#{8^Ogkh=grlI_clw{F(IKJKud=9{K$S-1?WMzqbhOq-tUh@OcPU z`&7U!Ims!Hr^k9H!(*@`Ulst4_HHu?FyCqYOYzre2Q7`?4m{E~_b9 zBeZKw<5p_<+&LFaMbRw=bf#QLw^jsnci#eCb3=T%Yva`Nq}$n?pec7P<~nRH0K#1j z6wuv0u%T;N{B+KM7C~!{mj$Q5iemf zJ*@S#*e=1A)Pm=py0$2pPePBf=*B}f!o3!GR)E|kL2RSFDo3u%7xS5<_}GWIx;9Rh z;IusNAHOwoj`|FQqTEI2J4X-dYNSI+{s3f_u_!qgt9$pslvm!K)2tb-d6pY+u%mvK<%3)ei1z>fm^Kt>Cx4GYL9^c>G3kwL}-@$f?co zu?-FFSrOY*I|YouT4JChnQ#sv9y}?=zA;mCtTS0=4^~ED{FsLsDC;X1DT@w)HsV}h z^O(NG!fAqpP>wN!2zQb2;6W@ii%f{WvSJE`rv2{jPGM-!)+eB&!4g)!n(LDUQwluH zbo?I=utl6nUdnti@$mgu)cK7o2^q^z+U#9^lX1PlTLJN)2nrg}Uw=>^FMHRwBIr%( zKh>Q7M*DwZ|HuFLApq|F&ynzd2X(F&0a$&)QKORDc`4id+k7*_&|u$<_F;S8uEN&s zFKdii+>pa~`k!3AQ%?eowM;RsW!Qhljj(ej*m+kG;9qW|sbM_(#&lImy5v7q6PzL$~DK1$%;4!2cINX6I4xQhNetKCy1MT%@aPwz@0V$biD&NI%< zk462wYDFdQ)v#?NzdS6BUiqh{+mP%cWfHl$I^%7@TGHYq!l53W@!-6y0_lWbK(p&=6>*(0x zHCc52hbBRZHJc^r5<;jdE^{rmQ^Mn)p^gmDmBw@fHMr8D5b-~P0=|_V!<&C2WGPA_ zW<98rpP84~PUy~hoZ;Myeg2{HmNtt&7rd60`kJOK3`>PJnUB({x`F*C$<-D)YoA7>?Z~zeE z?;YFV`tLWtmc9Q?`vGl)JR50St z^G{xIo8J&wCo?p#Go1RJA|H7Uh0yeu%lFxr%hHgX6%Y_)AL7BHy)W}!3gmyR_!wcr z7~CEnqB3zuVi7e?u~34ay^80aJlJvE=8YJ@vf~E=87w1ao5(-*40&x^xzbTtHKWPe zkiaT^FRp!w{~#|u@RH#8R*W@3pM~@+O1sF)TqxKHfH+5#MlSAnn2taSCqz|h3xg)Y zG=N2kgt_P-@_qG7=|3Lv+AKkmHqXaM5MuIw_6S78BS;x(cNDzXvgN-jnaLTa?#iUT+ODEkSR?1shf%2& zG(B{FW(IFkfp>DM2mdsCu=JU}T&628=aG(-eSJ7c7_2THsQ8KAs~d6ZxcO<3L*iLl zZFsr9pf$xD3#UAYfMwGg=0@2ac(>)#jl~;> zL1AIPO@?Y$%vaiT23jf22<#BdBpU;#ZlX3GZ+>T_!JkYgFVA=9Ew;S6aA@-?jQs)Y zl2BUcS7~FZ_|w&-?BVG4cUPO-NGJ9}#f;ICDf0yE(|P>n>EYyl zU-+zwf(ki3)ji==UT?;hnz5qeEwkE<#fy6{A4PBf8&)-r-|ERD794|ml?7rrI9D@= z%I&AoMctDN_3K$9vx}t9EgybB*T@Rtx@-OlgS8p0;5>bAF-loBeUkwz;#HWV#JiMSF;LBotn$A04tWKrX4oXqqn9bp1S#(b!i<&L|?af>I zS&ke@_^hIoT&q^*$>uOrt@X&?TERnYaHZu688RNC6RhkY66m^)3dyg;p%br?B^`U7 zow2<``w6>(4qf=HNISL(m&^KCPGqa>Fzx)AYM%nK2N*ihOd^{s8v$#Y?c0Jglcc z`Rewpn_umG?m#YjcY)J%Aj9MHHp_FpCuioXdL%cLFR~_b_*0Q|QRX)@nJs6+lirN+ zzDK$J+6Z?NE(frwtdPgY{w&)zH;uy?|G6Vh@ne$M|HaF_a(l1Y=q-+$F6r9Hhs&D* zSI+bMfwpOHrIzy@^Ts!>+>Sk?z|4>S?E+k;h4HBCKu}O!%D3ig=buCFwV&kE(wXrYn~;yX)%_@51`R<#OIMx&}`e?O<&h8&TP)wG`0wrRL@nT(Yj zyKq_8o8~i{@{)gF%21JW%@wq|GDVa*UvT7fpr2tm5}hyE!5M$79~O-JuEA$!ik)8X zb}qIs+r-p}W#Y18IWy7+R4#3(QT4Y8mlJJ$mF+w+=O$NmYZw>9cIQ?dCjAPwRr?s} zF6aCrUkXVqV3L)88z=v?3Z=P4b#1AaQiHToEADoJ&sbuRfEJ2PB^tF9o9Rusarma! zY(bifN^w86iz<@Hs0S$;Em39Atdtf=)I=}pbWyPv830_9l`;~H7p<@f=45ub9cxh5 zLEZ`ceqJ{2Q80YBX3toRt3)Ol{26RNFN`p<{ko~3^0az%vpyav0Gmwf+L_hIJ4r71 zP!y^7f~E4L$!1=`xRoIRG%JtpN&38(vPBGzaFpv(c+$~&AGQ*!kL94s3;ze*!M&pl z%GMCi>PXsjLtT))%6OmQIE{FG4>q-m$cy4=RlqX@8rpPpbs?EOpeRCPw5;k2IKJMQ zXF@3nviu%pn%z>QSaZh0`mXwQ7{Xrm~4wv~cu&AV>9Eew5;*MKa^8RZo;I zgFFpVk@9K2l*?#oo+@Fe|~O#3j5O-CI5pS z&*fR_Gnd5>4)Nb(EU&OY|6bnyR@d&~M&pdHFQK>&`vmC6ihr0WfcEA^!TL zZgjai|MM1F4(aLIP+yL6jLh1wX1s0sqd>)antQn|RYe6su{$N)zlkC7!pJ2fY}d`i zHZ6{Qb6PU9QFYhhR2GYg4Rhl|Fx2$9DIPSQI(`sj^Jj0--0$3H z82Nt|7aHLkR;iuC7ZR?>KFx6o{A|l*v&GD9woFljfzrYi1#8nOe%ueVnij06hUH z9o(_@@N~s#D~ey7_2PRl;PP%xlOewvTs?8*d@x{2Umqo(COm&xHO6Mq`8UaZ9gwW% zdi7(ub&!B;dUog0g(*``cda5R{^sUncyRO3mMim<-+@O>)~h>Ld-^}rbt#yh-<(pB zG~Daa46B+vd{nw)Sly({hH+Ket71Q1n?`SXbYs}w(xO|Ys#a?BPa%9vF11*&YthgI z>))=~8aIYVH@4UVdXv*}|D$kQkRJR$KzNqEZSYU2m!=KR>qVtUAyvPl{&hIMQJl+t z`;_(feKWlH-}mVsDt$+y?>_T?(A&R$H)OI0jDIxsa%DiTL(O3L+DVeW?b`8RbX^J! z-ohAbaH0cN19;H?ivXAd7#9B15SVsn0(9nln&kD?W(sHe%QKU z(=bKGH@Bgw>FKx7d4~G3rc%~xvZrCXI9ic&z0ri~`g@sXh z>%Q#bo<@Fz#Gm3-yu*FzJC~OO>9Mx)1bKNq4)Hs`=oZY? zx9TuUNSG&%9EHolAyc8&$DMi4Pv|w~k&E$JL?7`my0NhRjzU1yq%+7fkVIoPJ71kg zztifUy8+5T6 z6UhfAur1-Y_a}POF&Sp$K@l; zk-*3kj0E-u@CN6o#~FU}w~rka>*c^fAF3)QEY%2cHQ4 znfblf`_DEUi6;1iAUniI1k%gfZ$9=$g7uMOSJ|w<9%J<8!KaLSmw<=;b6^YFwp~mp zTe$r3B%%3)mvHiWv9TIN;&I3HoWWD~H(1Y8%ZwKnSAq8=4<>cH)5}4#7H>nOOXnn) ze(#Zo{>~9^cHf*+kRVaHBC}9C#3jRcitdUvdh1iq4Wmu{EOrYfK2c;uivW}v;u%uQ zD2hyMjfQ_HEeBHt3{~!sSFZytN@_j6*$yI>VzD1@U1-Uk5!GCZU`Gg)GO5Z~U8q!; zCQffps8;>ChAi2D;P_aGW@{j8MXxKTmwlYod0oc4$15=o1|6o8_Qv&@_Tf}n0%>O+ z47-)7SD!}*SZMmGOCIWUaS}sW{{~5h+)5A9!=$E(9IocoC}Mp#$qNwcqvYbJb<^#? z3kPhauVe523S?d#gL5LF1Z<%_rzG2%I0N4*WE9%{bAAeCQB(R-k$JSJC7{ks;2>=E zap&OCnI8g0GDEV*95czwL%SjiPHQA8y2 zUOEL^{zI3#sN!#upC8jsjmI!ms$;2fw|PH6pTI}lgEp+#`fv-PpKj=wno-8qxe3Yo z7r)F$dCh$f_a`|SIBnQIhJFZn&$<9k>jP>eDT%_BrM`byqTBc4 z%bza;{XM#xfGtPP(4bY&u*CcxoDDsK^h6jgZyR*r#E^tXEYut7sK_=*)}m2v_?)7$ zA}tdk(u_)NVoY^J>8qZYj~rg;O+y|hhUzTujUN*S`+aIeKlY|tHuX9#9|vrH{lfq* zVxF_v&lY3MWQu&v8B90!T%}4bQ3k>5w~@UtuhzMy?O)E`54Vy01pdtUhfT5 z(Sb_2PJg9kicFvG0oSa`3lS`m{e>kYSLCVEbCH!L`mMkfMg zksb}AoH-?odiq3_U0FGIiQBzH@r}NG%afNaTJ36~C}dl!Or@|giB+Nqo|6zYT6O5# zu4SH$vk5m2aO?nBupFE*vZk9yf1SM*m7pI^RBmC3?>;qE0i9T(mq|tf{M9$wWXVtO z20vhz7Ez2y8l-MZN~NQaobZ0d=)bRmiC1+BvOF>{jMP%H(!ouQ4J%Py3IcM%lYRJM zWCD7oL&Y~zQ&`D<*0hZqZ@Z*={=`9mYHHw9e0t_VYBQ#0K9RVqSxWttPrFyJ1NVE~ zy0*%(OA3eL%K%3RCpjL?9Cw+f#QWKslDb_kTKA?p@4g@XCV3*imrjs%$FK@c9aFa3 z&&JON@iRzq^QkL38aB)-@9vL{#th$4iu-t7)%B~*+>-o;s-4Oa^BfFj}FTyE9;}tu>8HfYU=9YDvayA>Y>1?*QZMMGMUNiT=B zB7na!Y^fB18)*Mvl)Z+=5T)-VL=@J9ybrgAMbPo+_HdORA3x4E7Uj#z`QWy5nmxYK z(e8LRSF5FGtt~ERyN(b2zS0(10M!f5;GvX~Qu1Xbu5XL7I*s1z zvjSBhk7VJp>rkTi~j_D&_2Ep zJM3f!;$y?YryTJ!C;fkbH@3a>I0$yu01=?jO>~OU>`w<9KXaJFF6@_=<0_zul9kQ>yKM zen@hDDAA$4c#8JSvsJw~@KUG>JCC<3E^<)6!ApFj5X1Qn%G;d4FLKgX;*?K3lr67u z%Q)LdDH@#Wtaw_J(W2Qn#P7I<&}CLl(y{#3wbF0*mbTm5b8Ys&7Y)a9w6r_u;H@;^ zRxmBIg5|p3mQf^f#x$K6nCel|i}KwlE?1POZL780D5gu$BrLAc(Y+uk@hsMEXPQJ8 zq~J)dsE8R2!|1_c&LywtY5qzNYONq7QVQ?UV9OlMEZ{j~$Va?w?6EFlH$ztF7R8vN zW$8Nz3&WFJHbw1EQ8H{1r#EJmb96FPU!&(wb8MS6^9bNx{->Y{ncTwG-U`BL1GlB^ zQQLYGpOZn$&$L|JmechG@yblVib99^NFpg4QUr^@Yo|Bsnu4LgnIs|-5$4+9z6`-@ zr^yW95>iKVI?T2#H@wqT>OH&0-a$f@ReXBd)MxjGV#*`>;jw5B?uNwP?+(;A2qbiD z?#Wz+ybqUnz)NABCvZxm4|26Z)?3uo(1@WPj5Ic*dkwF^yr+?^90UDI!-`^K#8CRh z{zx3ww0L8ynQk+X8Sk8T+o0_3d}O$FsM;d)w~=AWMA1Dybb92~6)l4r{MMc(iQk)u zT-X>D8om^7ku57GsUsy0L}zGv?W`qh$n9k1lVP2bJ(|o;1hzFVMKbsEzk-a|mPg^= z=&?t4AhGYDMurUula!N?LNY^o^a}9y>EzrPeER0Q=L16b231!{ulQbF8Xq z?YWq*RyeC08`2|5s-D@n;(k=2I#apmB|7-=f|n0HODdi7vp9Ibp9FXq_e0Lr9x>nRDKnr|)E?z#joMYyX zqn5fYA`#-Mm7vz=@>ZsM7WH8pJX)4FnOInwxYm;-6)(3K2<|E7Rw zPV$6N)ZsiFAG&YbB9Hz}1n}^9Vg&}%iu8Op@1(+m3HSEgC5&3y=!{d(}(`@(7KHvS-ZI_?j|OKc)VG@k3f zE)x%qr})4FBmdsSLTT*xN`TJ)bh!}50$RK{L6~CaA|S$}jdq#8IT(at;}KZK*g!%J z645B2%0;{cvC+vNUYK#;QUGO|E5^5EH(#msAL0a$?ml@l{1thB5tYX)=kgTQ_J);u zq1U*C&X`i2=H@rOvhTP&(X^e@%Vb@g48G?JI?=thBATGVR{8_PngH#{pr8B!fNCtN zZ;SVL@qyA6hvT+8VYpUjq-Tc1>fshq&g}H`WRs?V#BCV|R|y!(V!bE*o16~u|l^Rm_x9x zN^kIEz+2xjWtj?uW`fuF_9V~TH3yp2LJACFiXT?z79`D|(=OxK z5Gt*PMR$NFqd+GxbAa5pj*7AJ=UCEOHd>^@BQ?vnv))emnpED2_<2%Sa7Q3@=|ll! zuHJ}HH4TxKjUFBRP127B6;s_ny$0TP5Fi9e0<(|fNrJB5gYXAAjrRpUanjt%2jM3R zF>f=l%aN%PYvAYisKA(>`T#&Szc;dFE>%jKDF~pNy#A z+^lzH%Xm`#ocRsfv*!U1wvK+;ac^klC=IUrNh}q9!0>5WaEG2etkU>^}pp<<+S~Z?w6;fjm{*x4L^#QxBq4=E4u{{o*+Gpvg0k~(z) z17a|``|(4+lPiyV4)fyKjhe`b-!u~7D1_`r<~PQYDT|yWmQT(u4up(JA%(^V4xDrF zkA?4FiAgx_eAnV`ed6Xe3y^HgQ~>{0tNvkWtJZl%e?{LeWw6*JtyscdP3pn_3he*{Dq>aAvI$SSx zTKE#}HO_6!)+$s*PpwZ=x$YV#C#$ZF=)lj=mE~4Uu{EQ8Cd|v0 zX18M_IU1B|dKAiU&=Orf!XS<&^eWDraA*D6D2};Z1DB&G#=%!N#uJe>l#7zr2@vbzgSK~giwlBv6 zsz2DVw!GL=z(Nv_VgCCM5&}gtku}=5%Lq^#2_TY>YMmU~;4h31EfcWfjTP~{ z%V4@bO;c%C;g`ETb0I|&djutixwIK0m;Ce%@(Jy&>FbG5NUgpX!(^LOm=Vn?uOZF2 zvw7YR4MUM&YG2MBCu2S%!}U(QnDLu)?vuf(sjH@qlmNxa_ze*nR;d<(dJJq31zYT$ z0s$LH@|bL1cJz7NT3v~Of)|MXmvaU z^03{>6A4;IA_U113LJ3`l4V$&@KN+Rj-Z}bHuQ1?UKzYpxUUGP;*+0q6a+aWT~@A{ z!aAa3doI6^B1+`i17J7JVgV&UsDj+%Ut62J4OaHXqj)5P*S2!8fJkZs(dnNmSdQBF z!=IMD-Q*y(!ZnX|I(@o{oC6F-31K#}!<;t?C6I~lX`;)6B!eFmlF-qGDSHyUA zrFjC&h3#KMF^xa1FlxX*tzm1~@>OV&i`O65WQ-LRPy*o!?`Er&RJ-op!rfqLv}JE> zS%Mx*7mBhs0!E-Awpak`Ns-r%s9iel33q zJZfZOa{uhX;f~_?W^aE0Q9Rd+U@_P0Kkd{~go^X?B4PVG`vJb%bi(-=h$GGKKTAem ziIY@RW&(hkO9Txuuj6aYH+6Bw4sG_t-@cB4!j>1hsW9_w1LADH$RK-03LwfPh!Ryt z0ll=Urhv<#$vg{kN$_rnggJ>dQ-B{NHIi**G%SKcBf`&2X>mz0RqLjD4W%WOzXLmw zp@lLjM>s{NDHb@7wujcITOA?`xj>nQN}u z*&B}SWwq(Fz1QO-ZpB}#kAuT>HH%Buu;O%bn2T3r$4_-|Jzu-hbnhP7<()1-x4`)i zm#X=dWz0SgCcISM9sU zlZ)VUx*E!zZ&kytaIFd3e?^YT`L9k#qhe1X`xd%k7@BQbi29H;5Y;mBR!1muO3iW= zr5S}dHvW@uT!xf+qms(|w11pF=BKp=o6B@)V>#ucYzuM|ALdqIVCNz#EUfG;-o6NBmDZz>~SegE2cj7@B@}b1*UL_!@H#@t;I47 zuJ{FU9g1h4D^mw8cb2ArhUvC@Ozg|4?^eMYH_K!vQH6wI6AZ3TZKc?Y+}ob0Lk&C& zsUy#Z_cOs@+@6Z7;uBAjhzyxsQ>Pak!=QN-uTHd1 zZs@Oph3;^}RPW5?sW_XwG=RPNMRsQM0PfVZp*c3gF{gCKe$A+v-)+QBmpByji|*8` zR0;HEnD=HbBqsy<4&OAjxIDeucD^R!z&5nkG;9o|yLDX}XXo zR|QS>qFvbR_La{f1{6`HeC*>S@8KVaT(M*7NvfmZG07K!!4H|c0BMIXYT8Q83?CvW z9<;|ssP7RB3Wvd+dbf9`>ue)QKoTYZ3W)3qJbeNMpmKLjP1YLD zfyh8gXpeOr)B0!{GniU^t#Bh2`Up%FM(vxzAm)L9=@+0xo@Uw3w%u9PEO@X!bT>N! zVREZvCES6FNPZJ$GV8t=vEMlzTRLA#lT;F@q9c`DX)ymHf-$5){u_8dN+ zY6dnD9*dLq5+r={Eb;bT8&nzcp0d|9G_(pTyXZ?cWp5CuyeG-t9QSn5Yh(0$v(QMw zwYj>6V?Lx{`5pRfqZJ+$j}Hb8>}evwv+M(Sh?@)s*M0fH5g5t^)8&m{=rPNNj^n1I#+f*Tf$N8)_w`;DI@;$F0!8AqF>FM3B= zx7*L@9naOg8+dzMX0+hu6^v)(15-xt2XLfpy*UPKCu{3i{6ji!6l8$)wzi8K@U$c-*z~#K@i<_SAh8}l& zH8CwH-t>=*%nw1#u?buTDTE?UM@Z?q+KoP5#S-n`eptI17Z^|y`}VM}-iGA6yCWk^ zRnGI}OH%q`Xw)Ysz8{9V7C(T|XC%&NemF5&)z;wsI@V_&97IqJH7URCbAB1xZN$-2 zTo-KjIyu4z*xb?LxnSepXmnQREU-QrOl2f4T98RvV!E$CJHg0OrRg~)MlZ1}? zEw&J*X*MlA#m7(!i_$h7$TKY5jC9L~>Y>1c6;^-CkNdU7@h>y6IpwU{B`cUu^~U%k z?pHy-k$!W`zyzB#;B$Yk zHWqMb3lCUn9A#ft^Gk^-4X=&VrTt&b(j4W^I+^2!Q2vQ#*ZbHX(LW(WAkLgynlY~< zXBCV0D#$bQ7mmm#To)8^Wka!8LX`)|7er{zuNnf=)0omO#V!zEjxMyG+8gzL)3}H= zzwk0atiBSAN6KXT8OuT{V>SRTDTB%Fn6&P%Dy1A@QKb-dW`{}mpGS$j11wmo$5!L z!s}B}(vBs@*6*-TCnAWQR4Tdt^@uq9oaC|>4$`Zt(%Nn;5$E0FG*nd`T_70kI<%u@ zvdOp=n$^MBRK|MwQ1GcjFQeT%iyxvvK>NBmZy7XH`yf}3ELwc1yUnJFONTSGh$VE> zZ)_I&Lgp1a z4mHulzc0_UQUb3?T!j$E2?7;itp!j-P4Dx226=@BY(~*4`w=w3E5aA>+@3@WOb02ss_ z7=UcBMQuQxNb*RVJt%PR4UjZv@oZCW*$hO3XDCNubDNXOamcf7 zE8$V#ewv$lSi}$4Osxh_My()X{Ujrf$E8rbJVO3y_Mak7)sxDZkP>0kB&K#1&7CtC z7z{*{l~es;?I)oVg3YNE80bbIg?~4$Vmf%Uj{5-)mT4SXOXSJ)@desB{6v2EmVLZ= z$<(o$5FS+4z^&bS^G$#7beIz03HHeO73#p25sXLMN00o$iog(FhVyc<~&) z20+k)Kk+AE#6j!}yzexaR=9Xy!^1Fi@jL|FuFE|rt<(!iY4cSfujVlSLU~2QWUJ!} zwb_>?TS_0u`)l_uWKp`81U#pXDQ{VS5sqlnF?*~RWzO?F%aH6rX)D|Q?F6bWG4~KF za@jW;t|~GC6P2u5OeSya!XOKO{FAa=10erq=C8wt?RqnJu~>kS+w$sd%rf$-Cq|N`pdFFMK=b{Gdp&l093a)oyZ+NsOWB5&8b%MF#}l5`jf-@^E!K@ty25Qm8e>mmKQ8GcD@^O z06^|KmVROJ-{8cKW>yBTwiYgL#y#SyIP@ErJSD)5Usx zZjfMhWRF@v|C6xN&i1CMF2aP#>mOqPu*Ddv)hSkUX`d}z9Hg?bfB&ckR@A%3?n?WP zoKR1j;*w{ZOVAx*sHj<@V)J=ZuBh;*xRt$YL+aWA-}pV}gtkBN_dl<;COY3nlxFU# zcM}%$Zfe!caXpJVHbA{7?o>gw+iFL+CK+up_t-VjKR}QG`oswCsj?&?8PBrBe9l~l zU+Zd)c6;!;hEa3+rmHYB8w^W=iB64!_%JG>{`LpKV{iqBqDEx5P9vsHx z>N}YTY2T)Nvdi|YhWzB_Ex&sTe)p3zE!hrN_n!sSbT#$dM02#%^wm*k$x2q!3+0{W zweAzxNhpH)Q_)6I1r$n|+^|AAhq_iI*sxp9-YTVP;x)B-t&&zVElc?9B=yWce*iZq z8^|Qx&!uyOcExKED(9U(jwC?XSed=ew1L%8Y6`Ima#0UwS4^qs*~?{#42=wrSbU4< zTYWw>$hnp-i036c)ctY2RfD{QkIq_$oRa3FV7Cypl~5l$6c6@_v8VT9)8u?E;{ENz z^zD~i{=cTtBZ~hJksiE^APE2*r$#JzPTk;V4lWuAg`^2OV&2`+ ztD##!!dp~|uRYF4OiF0>ns%G1&dM`@ZQueAWI(@ht`qYPM0v*RyVo4SGZMM|=LV5Va5_uQb$`u=3iD9Sg{KrYf=HXwia+b>d z%L%cQ>RTnB2jero35yG@MZ#%Qn2UIS{^vpDU~juLLcw9=#8}w}8ILqMVc79Z=jGZN zH_V$p+AQ0m*_*c+IW5>4sWl!p_Cb#M5P%F=i1e89YZraP%H8nGJaPNyIT91xF{uT% z1BKt6Sr+LJ(Z_gHNehD##HYL`-xcgtn&f{+Mc{uiCby5*s}n;IrDL7s5M_g_EO_XM9CY#AD-?E|xX z2A$d39t{REhrGHGBC!>feaO}pk%^bkZ|;ny5^{xEh*qRKM8oM6^E~Zt;K#TcrCN=g zE$#*i%>gVlMbJQnSN z)5q7HJmDdlXcUME14OR>FE0x7XRr9?A1bpc=*ow1GHU2$PpgcWD=?TcbZoc3V9dn}ud0L)WhMq;BvXxW63GgMY~a#m;)XBrY7#)rxfiLI z^xyJT`6Oqdv8EV73??X}>EnQ2hu;N@8_6lzOGUjL9H)QQ;zDdUW%X@`q;8-M#ge6^ zHbk7B1Ts|jFfVH5uQL7^DzcmuLqxjC ztK|CgJkD8pQ?(fwy7`566@oDCf@&n`8ILwe7wP2DRI*=4gqRoEflh_YUYQ0dKL^yT zg@1WqfW9Y=lS5!}s{+yA?PzORT}zu$OXgJ%*GVx@%c-1Y44D`ca}a6}o2QZx!v5>L ztx?Xy+)eHiO7@1zIHhF~CBTi=UE?iogu zrs_#_JZ~AhWt7`+8A+LG(fd^$v~!?#X*lU-px7hkUthvVdLsEbLW}c<<;KQx)@3Rh zz14>yDKWH`=?e{I!P_TlJ? zl=zOWfjKT5^G)+C*D-hIu-LG=hO;)T|HsfC(U{j=J8Ak!Nhw+_|5DPerO>qPF+i}8 zH!I{gwY|(dR$-gP51KAfQ(2s&)n1G z>o&D@@*&qcDSTi@KlP+f+~D{;mxa#5%G$fHy8E)@?G+E{ypKyZT7jX9{B4P(_<4fExL2iaJ~E4Bx8K}$dk-xAgh}u@rv+nV$ngg z86+lo{%iu1&QLvnuKvu-pfz&alP)~?$te5zvI{);(O*P)+mlmRNk^i3X4=}Rwpr21 zSR4;b{At5@#a-sGyD^7e9iVY@^rWD3_Mh*iTMRXn!0%OkuVkSRH4`plXT+cp1Me|O zqZ8T8m-O%9>0guFrb~lgN4E?-5?|>&mqw(we1CtvK%?siimeabI*32TlSJIGDq!4| zD`PP7sd>DN8sx4lB!D4ksWYw~7y@a6hzi4a6fejDB5lS_+5s&V1VQ-6L3W=9gU@lM++3e?&6?7PJ)z^x} zLgcL6{2W!GQk02N)+r1I87jc@W#y8nzSVJ$U9?u@t8@Fm7s;sN@fwL4Eu)X{-Q3so zC)Ld;=l(~-o{iJbCf}<)aX>C8BQk@hHVY(bE%o^W7wcvtZ?dMRJ_ia5!%G2)r_mO6 zH6#>ROo4;7w5u-xGG;08DPQ3ex2JZ2z^Zs`FA3yZGGrcXqs-9?^}A}#-KT{Da6#r4 zX6=#lR0d9o!)B&Htc@pbEmfl@6LRLkl6lNCiKT66k A2LJ#7 literal 0 HcmV?d00001 diff --git a/app/controllers/agent_connect/agent_controller.rb b/app/controllers/agent_connect/agent_controller.rb index ee7e8d7be..0ecefb767 100644 --- a/app/controllers/agent_connect/agent_controller.rb +++ b/app/controllers/agent_connect/agent_controller.rb @@ -10,6 +10,9 @@ class AgentConnect::AgentController < ApplicationController STATE_COOKIE_NAME = :agentConnect_state NONCE_COOKIE_NAME = :agentConnect_nonce + AC_ID_TOKEN_COOKIE_NAME = :agentConnect_id_token + REDIRECT_TO_AC_LOGIN_COOKIE_NAME = :redirect_to_ac_login + def index end @@ -27,7 +30,11 @@ class AgentConnect::AgentController < ApplicationController cookies.delete NONCE_COOKIE_NAME if user_info['idp_id'] == MON_COMPTE_PRO_IDP_ID && !amr.include?('mfa') - return redirect_to ENV['MON_COMPTE_PRO_2FA_NOT_CONFIGURED_URL'], allow_other_host: true + # we need the id_token to disconnect the agent connect session later. + # we cannot store it in the instructeur model because the user is not yet created + # so we store it in a encrypted cookie + cookies.encrypted[AC_ID_TOKEN_COOKIE_NAME] = id_token + return redirect_to agent_connect_explanation_2fa_path end instructeur = Instructeur.find_by(users: { email: santized_email(user_info) }) @@ -52,6 +59,31 @@ class AgentConnect::AgentController < ApplicationController redirect_france_connect_error_connection end + def explanation_2fa + end + + # Special callback from MonComptePro juste after 2FA configuration + # then: + # - the current user is disconnected from the AgentConnect session by redirecting to the AgentConnect logout endpoint + # - the user is redirected to User::SessionsController#logout by agent connect (no choice) + # - the cookie redirect_to_ac_login is detected and the controller redirects to the relogin_after_2fa_config page + # - finally, the user clicks on the button to reconnect to the AgentConnect session + def logout_from_mcp + sign_out(:user) if user_signed_in? + + id_token = cookies.encrypted[AC_ID_TOKEN_COOKIE_NAME] + cookies.delete(AC_ID_TOKEN_COOKIE_NAME) + + return redirect_to root_path if id_token.blank? + + cookies.encrypted[REDIRECT_TO_AC_LOGIN_COOKIE_NAME] = true + + redirect_to AgentConnectService.logout_url(id_token, host_with_port: request.host_with_port), allow_other_host: true + end + + def relogin_after_2fa_config + end + private def santized_email(user_info) diff --git a/app/controllers/users/sessions_controller.rb b/app/controllers/users/sessions_controller.rb index 601f533dc..7b764fbff 100644 --- a/app/controllers/users/sessions_controller.rb +++ b/app/controllers/users/sessions_controller.rb @@ -109,6 +109,12 @@ class Users::SessionsController < Devise::SessionsController # agent connect callback def logout + if cookies.encrypted[AgentConnect::AgentController::REDIRECT_TO_AC_LOGIN_COOKIE_NAME].present? + cookies.delete(AgentConnect::AgentController::REDIRECT_TO_AC_LOGIN_COOKIE_NAME) + + return redirect_to agent_connect_relogin_after_2fa_config_path + end + redirect_to root_path, notice: I18n.t('devise.sessions.signed_out') end end diff --git a/app/views/agent_connect/agent/explanation_2fa.html.haml b/app/views/agent_connect/agent/explanation_2fa.html.haml new file mode 100644 index 000000000..ab52b99f1 --- /dev/null +++ b/app/views/agent_connect/agent/explanation_2fa.html.haml @@ -0,0 +1,14 @@ +.fr-container + %h1.fr-h2.fr-mt-4w Une validation en 2 étapes est désormais nécessaire. + + %p.fr-mb-2w + La sécurité de votre compte augmente. Nous vous demandons à présent une validation en 2 étapes pour vous connecter. + + %p.fr-mb-2w + Vous allez devoir configurer votre mode d'authentification sur le site MonComptePro : + + %img{ src: image_url("instructions_moncomptepro.png"), alt: "MonComptePro", loading: 'lazy' } + + + %button.fr-btn.fr-btn--primary.fr-mb-2w + = link_to "Configurer mon appli d'authentification sur MonComptePro", ENV['MON_COMPTE_PRO_2FA_NOT_CONFIGURED_URL'] diff --git a/app/views/agent_connect/agent/relogin_after_2fa_config.html.haml b/app/views/agent_connect/agent/relogin_after_2fa_config.html.haml new file mode 100644 index 000000000..898f57497 --- /dev/null +++ b/app/views/agent_connect/agent/relogin_after_2fa_config.html.haml @@ -0,0 +1,12 @@ +.fr-container + %h1.fr-h2.fr-mt-4w Poursuivez votre connexion à #{APPLICATION_NAME} + + = render Dsfr::AlertComponent.new(state: :success, extra_class_names: 'fr-mb-4w') do |c| + - c.with_body do + %p Votre application d'authentification a bien été configurée. + + %p.fr-mb-4w + Vous allez maintenant pouvoir vous connecter à nouveau à #{APPLICATION_NAME} en effectuant la validation en 2 étapes avec votre application d'authentification. + + %button.fr-btn.fr-btn--primary.fr-mb-2w + = link_to "Se connecter à #{APPLICATION_NAME} avec #{AgentConnect}", agent_connect_login_path diff --git a/config/routes.rb b/config/routes.rb index 57031dc7c..86b1ef45a 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -202,6 +202,9 @@ Rails.application.routes.draw do get '' => 'agent#index' get 'login' => 'agent#login' get 'callback' => 'agent#callback' + get 'explanation_2fa' => 'agent#explanation_2fa' + get 'relogin_after_2fa_config' => 'agent#relogin_after_2fa_config' + get 'logout_from_mcp' => 'agent#logout_from_mcp' end namespace :champs do diff --git a/spec/controllers/agent_connect/agent_controller_spec.rb b/spec/controllers/agent_connect/agent_controller_spec.rb index cebed5946..9c55a82c3 100644 --- a/spec/controllers/agent_connect/agent_controller_spec.rb +++ b/spec/controllers/agent_connect/agent_controller_spec.rb @@ -38,24 +38,24 @@ describe AgentConnect::AgentController, type: :controller do context 'and user_info returns some info' do before do - ENV['MON_COMPTE_PRO_2FA_NOT_CONFIGURED_URL'] = 'https://moncomptepro.fr/not_configured' expect(AgentConnectService).to receive(:user_info).with(code, nonce).and_return([user_info, id_token, amr]) end - context 'and the instructeur use mon_compte_pro without 2FA' do + context 'and the instructeur use mon_compte_pro' do before do user_info['idp_id'] = AgentConnect::AgentController::MON_COMPTE_PRO_IDP_ID allow(controller).to receive(:sign_in) end context 'without 2FA' do - it 'redirects to MON_COMPTE_PRO_2FA_NOT_CONFIGURED_URL' do + it 'redirects to agent_connect_explanation_2fa_path' do subject expect(controller).not_to have_received(:sign_in) - expect(response).to redirect_to(ENV['MON_COMPTE_PRO_2FA_NOT_CONFIGURED_URL']) + expect(response).to redirect_to(agent_connect_explanation_2fa_path) expect(state_cookie).to be_nil expect(nonce_cookie).to be_nil + expect(cookies.encrypted[controller.class::AC_ID_TOKEN_COOKIE_NAME]).to eq(id_token) end end @@ -198,6 +198,37 @@ describe AgentConnect::AgentController, type: :controller do end end + describe '#logout_from_mcp' do + let(:id_token) { 'id_token' } + subject { get :logout_from_mcp } + + before do + cookies.encrypted[controller.class::AC_ID_TOKEN_COOKIE_NAME] = id_token + end + + it 'clears the id token cookie and redirects to the agent connect logout url' do + expect(AgentConnectService).to receive(:logout_url).with(id_token, host_with_port: 'test.host') + .and_return("https://agent-connect.fr/logout/#{id_token}") + + subject + + expect(cookies.encrypted[controller.class::AC_ID_TOKEN_COOKIE_NAME]).to be_nil + expect(cookies.encrypted[controller.class::REDIRECT_TO_AC_LOGIN_COOKIE_NAME]).to eq(true) + expect(response).to redirect_to("https://agent-connect.fr/logout/#{id_token}") + end + + context 'when the id_token is blank' do + let(:id_token) { nil } + + it 'clears the cookies and redirects to the root path' do + subject + + expect(cookies.encrypted[controller.class::REDIRECT_TO_AC_LOGIN_COOKIE_NAME]).to be_nil + expect(response).to redirect_to(root_path) + end + end + end + def state_cookie cookies.encrypted[controller.class::STATE_COOKIE_NAME] end diff --git a/spec/controllers/users/sessions_controller_spec.rb b/spec/controllers/users/sessions_controller_spec.rb index e4fde9b2f..42c4e0f58 100644 --- a/spec/controllers/users/sessions_controller_spec.rb +++ b/spec/controllers/users/sessions_controller_spec.rb @@ -311,4 +311,21 @@ describe Users::SessionsController, type: :controller do end end end + + describe '#logout' do + subject { get :logout } + + it 'redirects to root_path' do + expect(subject).to redirect_to(root_path) + end + + context 'when the cookie redirect_to_ac_login is present' do + before { cookies.encrypted[AgentConnect::AgentController::REDIRECT_TO_AC_LOGIN_COOKIE_NAME] = true } + + it 'redirects to relogin_after_2fa_config' do + expect(subject).to redirect_to(agent_connect_relogin_after_2fa_config_path) + expect(cookies.encrypted[AgentConnect::AgentController::REDIRECT_TO_AC_LOGIN_COOKIE_NAME]).to be_nil + end + end + end end From 363f70a3fcd7232fc7add44a688550bb143ffcea Mon Sep 17 00:00:00 2001 From: simon lehericey Date: Mon, 16 Sep 2024 13:38:09 +0200 Subject: [PATCH 6/8] add feature flipping, just in case --- app/controllers/agent_connect/agent_controller.rb | 4 +++- config/initializers/flipper.rb | 1 + spec/controllers/agent_connect/agent_controller_spec.rb | 1 + 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/app/controllers/agent_connect/agent_controller.rb b/app/controllers/agent_connect/agent_controller.rb index 0ecefb767..93be41843 100644 --- a/app/controllers/agent_connect/agent_controller.rb +++ b/app/controllers/agent_connect/agent_controller.rb @@ -29,7 +29,9 @@ class AgentConnect::AgentController < ApplicationController user_info, id_token, amr = AgentConnectService.user_info(params[:code], cookies.encrypted[NONCE_COOKIE_NAME]) cookies.delete NONCE_COOKIE_NAME - if user_info['idp_id'] == MON_COMPTE_PRO_IDP_ID && !amr.include?('mfa') + if user_info['idp_id'] == MON_COMPTE_PRO_IDP_ID && + !amr.include?('mfa') && + Flipper.enabled?(:agent_connect_2fa, Struct.new(:flipper_id).new(flipper_id: user_info['email'])) # we need the id_token to disconnect the agent connect session later. # we cannot store it in the instructeur model because the user is not yet created # so we store it in a encrypted cookie diff --git a/config/initializers/flipper.rb b/config/initializers/flipper.rb index 129702860..6c5655878 100644 --- a/config/initializers/flipper.rb +++ b/config/initializers/flipper.rb @@ -20,6 +20,7 @@ end # A list of features to be deployed on first push features = [ :administrateur_web_hook, + :agent_connect_2fa, :api_particulier, :attestation_v2, :blocking_pending_correction, diff --git a/spec/controllers/agent_connect/agent_controller_spec.rb b/spec/controllers/agent_connect/agent_controller_spec.rb index 9c55a82c3..723d68320 100644 --- a/spec/controllers/agent_connect/agent_controller_spec.rb +++ b/spec/controllers/agent_connect/agent_controller_spec.rb @@ -39,6 +39,7 @@ describe AgentConnect::AgentController, type: :controller do context 'and user_info returns some info' do before do expect(AgentConnectService).to receive(:user_info).with(code, nonce).and_return([user_info, id_token, amr]) + Flipper.enable(:agent_connect_2fa) end context 'and the instructeur use mon_compte_pro' do From 47852bfafbc1e632f22cb91548cd749516cd0d31 Mon Sep 17 00:00:00 2001 From: simon lehericey Date: Mon, 16 Sep 2024 13:42:29 +0200 Subject: [PATCH 7/8] add amr column --- ...0_add_amr_column_to_agent_connect_informations_table.rb | 7 +++++++ db/schema.rb | 3 ++- 2 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 db/migrate/20240916114050_add_amr_column_to_agent_connect_informations_table.rb diff --git a/db/migrate/20240916114050_add_amr_column_to_agent_connect_informations_table.rb b/db/migrate/20240916114050_add_amr_column_to_agent_connect_informations_table.rb new file mode 100644 index 000000000..614a8b940 --- /dev/null +++ b/db/migrate/20240916114050_add_amr_column_to_agent_connect_informations_table.rb @@ -0,0 +1,7 @@ +# frozen_string_literal: true + +class AddAmrColumnToAgentConnectInformationsTable < ActiveRecord::Migration[7.0] + def change + add_column :agent_connect_informations, :amr, :string, array: true, default: [] + end +end diff --git a/db/schema.rb b/db/schema.rb index 7c9e1f2a5..7aaff86f0 100644 --- a/db/schema.rb +++ b/db/schema.rb @@ -10,7 +10,7 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema[7.0].define(version: 2024_09_13_150318) do +ActiveRecord::Schema[7.0].define(version: 2024_09_16_114050) do # These are extensions that must be enabled in order to support this database enable_extension "pg_buffercache" enable_extension "pg_stat_statements" @@ -95,6 +95,7 @@ ActiveRecord::Schema[7.0].define(version: 2024_09_13_150318) do end create_table "agent_connect_informations", force: :cascade do |t| + t.string "amr", default: [], array: true t.string "belonging_population" t.datetime "created_at", null: false t.string "email", null: false From 05238912cfa21628e26acafbebb05f2d9b692de7 Mon Sep 17 00:00:00 2001 From: simon lehericey Date: Mon, 16 Sep 2024 14:41:15 +0200 Subject: [PATCH 8/8] record amr for stat --- app/controllers/agent_connect/agent_controller.rb | 2 +- spec/controllers/agent_connect/agent_controller_spec.rb | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/app/controllers/agent_connect/agent_controller.rb b/app/controllers/agent_connect/agent_controller.rb index 93be41843..973f67699 100644 --- a/app/controllers/agent_connect/agent_controller.rb +++ b/app/controllers/agent_connect/agent_controller.rb @@ -50,7 +50,7 @@ class AgentConnect::AgentController < ApplicationController instructeur.user.update!(email_verified_at: Time.zone.now) aci = AgentConnectInformation.find_or_initialize_by(instructeur:, sub: user_info['sub']) - aci.update(user_info.slice('given_name', 'usual_name', 'email', 'sub', 'siret', 'organizational_unit', 'belonging_population', 'phone')) + aci.update(user_info.slice('given_name', 'usual_name', 'email', 'sub', 'siret', 'organizational_unit', 'belonging_population', 'phone').merge(amr:)) sign_in(:user, instructeur.user) diff --git a/spec/controllers/agent_connect/agent_controller_spec.rb b/spec/controllers/agent_connect/agent_controller_spec.rb index 723d68320..45c614f88 100644 --- a/spec/controllers/agent_connect/agent_controller_spec.rb +++ b/spec/controllers/agent_connect/agent_controller_spec.rb @@ -67,6 +67,7 @@ describe AgentConnect::AgentController, type: :controller do expect { subject }.to change { User.count }.by(1).and change { Instructeur.count }.by(1) expect(controller).to have_received(:sign_in) + expect(User.last.instructeur.agent_connect_information.last.amr).to eq(amr) end end end