Merge pull request #7217 from betagouv/main

2022-04-29-01
This commit is contained in:
LeSim 2022-04-29 11:02:15 +02:00 committed by GitHub
commit 971c02ca5c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 295 additions and 55 deletions

View file

@ -4,40 +4,40 @@ GEM
aasm (5.2.0)
concurrent-ruby (~> 1.0)
acsv (0.0.1)
actioncable (6.1.5)
actionpack (= 6.1.5)
activesupport (= 6.1.5)
actioncable (6.1.5.1)
actionpack (= 6.1.5.1)
activesupport (= 6.1.5.1)
nio4r (~> 2.0)
websocket-driver (>= 0.6.1)
actionmailbox (6.1.5)
actionpack (= 6.1.5)
activejob (= 6.1.5)
activerecord (= 6.1.5)
activestorage (= 6.1.5)
activesupport (= 6.1.5)
actionmailbox (6.1.5.1)
actionpack (= 6.1.5.1)
activejob (= 6.1.5.1)
activerecord (= 6.1.5.1)
activestorage (= 6.1.5.1)
activesupport (= 6.1.5.1)
mail (>= 2.7.1)
actionmailer (6.1.5)
actionpack (= 6.1.5)
actionview (= 6.1.5)
activejob (= 6.1.5)
activesupport (= 6.1.5)
actionmailer (6.1.5.1)
actionpack (= 6.1.5.1)
actionview (= 6.1.5.1)
activejob (= 6.1.5.1)
activesupport (= 6.1.5.1)
mail (~> 2.5, >= 2.5.4)
rails-dom-testing (~> 2.0)
actionpack (6.1.5)
actionview (= 6.1.5)
activesupport (= 6.1.5)
actionpack (6.1.5.1)
actionview (= 6.1.5.1)
activesupport (= 6.1.5.1)
rack (~> 2.0, >= 2.0.9)
rack-test (>= 0.6.3)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.2.0)
actiontext (6.1.5)
actionpack (= 6.1.5)
activerecord (= 6.1.5)
activestorage (= 6.1.5)
activesupport (= 6.1.5)
actiontext (6.1.5.1)
actionpack (= 6.1.5.1)
activerecord (= 6.1.5.1)
activestorage (= 6.1.5.1)
activesupport (= 6.1.5.1)
nokogiri (>= 1.8.5)
actionview (6.1.5)
activesupport (= 6.1.5)
actionview (6.1.5.1)
activesupport (= 6.1.5.1)
builder (~> 3.1)
erubi (~> 1.4)
rails-dom-testing (~> 2.0)
@ -55,26 +55,26 @@ GEM
activemodel (>= 5.2.0)
activestorage (>= 5.2.0)
activesupport (>= 5.2.0)
activejob (6.1.5)
activesupport (= 6.1.5)
activejob (6.1.5.1)
activesupport (= 6.1.5.1)
globalid (>= 0.3.6)
activemodel (6.1.5)
activesupport (= 6.1.5)
activerecord (6.1.5)
activemodel (= 6.1.5)
activesupport (= 6.1.5)
activestorage (6.1.5)
actionpack (= 6.1.5)
activejob (= 6.1.5)
activerecord (= 6.1.5)
activesupport (= 6.1.5)
activemodel (6.1.5.1)
activesupport (= 6.1.5.1)
activerecord (6.1.5.1)
activemodel (= 6.1.5.1)
activesupport (= 6.1.5.1)
activestorage (6.1.5.1)
actionpack (= 6.1.5.1)
activejob (= 6.1.5.1)
activerecord (= 6.1.5.1)
activesupport (= 6.1.5.1)
marcel (~> 1.0)
mini_mime (>= 1.1.0)
activestorage-openstack (1.5.1)
fog-openstack (~> 1.0)
marcel
rails (>= 5.2.2)
activesupport (6.1.5)
activesupport (6.1.5.1)
concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (>= 1.6, < 2)
minitest (>= 5.1)
@ -134,7 +134,7 @@ GEM
bindex (0.8.1)
bootsnap (1.9.3)
msgpack (~> 1.0)
brakeman (5.1.1)
brakeman (5.2.2)
browser (5.3.1)
builder (3.2.4)
byebug (11.1.3)
@ -519,20 +519,20 @@ GEM
rack
rack-test (1.1.0)
rack (>= 1.0, < 3)
rails (6.1.5)
actioncable (= 6.1.5)
actionmailbox (= 6.1.5)
actionmailer (= 6.1.5)
actionpack (= 6.1.5)
actiontext (= 6.1.5)
actionview (= 6.1.5)
activejob (= 6.1.5)
activemodel (= 6.1.5)
activerecord (= 6.1.5)
activestorage (= 6.1.5)
activesupport (= 6.1.5)
rails (6.1.5.1)
actioncable (= 6.1.5.1)
actionmailbox (= 6.1.5.1)
actionmailer (= 6.1.5.1)
actionpack (= 6.1.5.1)
actiontext (= 6.1.5.1)
actionview (= 6.1.5.1)
activejob (= 6.1.5.1)
activemodel (= 6.1.5.1)
activerecord (= 6.1.5.1)
activestorage (= 6.1.5.1)
activesupport (= 6.1.5.1)
bundler (>= 1.15.0)
railties (= 6.1.5)
railties (= 6.1.5.1)
sprockets-rails (>= 2.0.0)
rails-controller-testing (1.0.5)
actionpack (>= 5.0.1.rc1)
@ -551,9 +551,9 @@ GEM
rails-i18n (7.0.3)
i18n (>= 0.7, < 2)
railties (>= 6.0.0, < 8)
railties (6.1.5)
actionpack (= 6.1.5)
activesupport (= 6.1.5)
railties (6.1.5.1)
actionpack (= 6.1.5.1)
activesupport (= 6.1.5.1)
method_source
rake (>= 12.2)
thor (~> 1.0)

88
SECURITY.md Normal file
View file

@ -0,0 +1,88 @@
# Politiques et procédures de sécurité
Ce document décrit les procédures de sécurité et les politiques générales pour le projet 'demarches-simplifiees.fr'.
* [Signaler une faille](#signaler-une-faille)
* [Politique de divulgation](#politique-de-divulgation)
* [Commentaires sur cette politique](#commentaires-sur-cette-politique)
## Signaler une faille
La communauté et léquipe cœur de 'demarches-simplifiees.fr' prennent au très au sérieux la sécurité de lapplication.
Signalez toute faille de sécurité en envoyant un mail à léquipe cœur tech@demarches-simplifiees.fr
Si la faille vous paraît critique, vous pouvez utiliser la clée gpg suivante pour chiffrer votre alerte :
```
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGJpCZkBEADHfnM8cssCCrU6WNSOvTP82wA93EAI1gjJOPW4ISzpGM1lx7pG
RDEzIGoS3ZdTRok3nGEseX+VJUw81X+iWtK/jHmsFehzKRs/ocR9RJUU7Djgz7xe
qHbQWu4sa2Vdn7YCiVNt9bbXQmY2/u0qF1HGGHdgv2fOAqYNgfKLBSZetVj/ULpO
eos+Rtx64ZXDFeRvNWFlQVpyDFx4RLIrZwvtaThTtK4pzjck6ZtnLC7ORA/5Dvy1
Kqeu/U2u88ln/rruxzvlm4Tw0UoZXRF6ADqvEAizraxmsA0MvcTg1cjKhOMTMNAV
8AuHMFMaIIUTutG2zIMUdXrHCmMbyVDI6K22kilV0qa3Y6LyqUM8pRyYFPxtbCXs
a/T2ZF1qMMYbhjpth92xrgwFR73SwfZL/9dv3ozBELuBvX5A6IB+5P2mQKrTU/EC
gBURpUkEVNDJ++ML/5+6EjtLkuW1gAZt4lulUmKhz2xc6ruMhkPzGb6KJfj5vyEY
JBhOrdbZiiLkf+lHL6XQFZUBY7EI4wxELwarP+OQTh+GYcL3jzbypycF9wQY6L2w
vRchCG/rE67lLYK7RbaVpbNBJ+gtHA1tVTlhX7F116GM0AdPkvEd7ULXoF92oLfN
ZRlIqfESo3eKqvtCLLMD0kjoni5oNrsgFqkmAvz8WVGr3cblKaGa+XOliQARAQAB
tGhkZW1hcmNoZXMtc2ltcGxpZmllZXMtc2VjdSAocG91ciBsZXMgZmFpbGxlcyBk
ZSBzZWN1IGVudm95ZWVzIHBhciBtYWlscykgPHRlY2hAZGVtYXJjaGVzLXNpbXBs
aWZpZWVzLmZyPokCTgQTAQoAOBYhBKBlh57+ZRQ/8290BKIUz1yrNajMBQJiaQmZ
AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEKIUz1yrNajMV+sP/0b0zSqg
OcTZIhFz5l0t5kN5AOaAOVZLMehW6nePuosSrO1BnDOAv7DV5geN7s9My8yhEp3W
iXSIjmmm5BIjPnqeLR63NW+6KnqPDZC6E585HYprQbSx6Bae7zI45ZPcvupNHnF8
PPB/zm1kbc5fnYUgmVwzvEzMyqvQhiZ/9pesTUg5ei50NWKAZ+jLUK/fLQiDXgCq
q3mq0NchAgfkn8iVEcId3pgI+zE+IAdypSj6dRZaCaCVmduojhsbHALAxx3VFwiD
AIQhXIdimgeaJeq9uWbloaJXVzeuSueexhGC1W2C6bWEob7nJ92inwPYKgW5a13n
G0O2cWIh+haTjDM2jU0qzf2Ma9a+RFXz4tUDHZ2WBF0RuZXaIPrhRmW6vWZLtBLO
JXlThyL+DblIywADuf05WUWqwIkRwvo+e3exKLCWwDpzPeCKXYZDS/1aCLpvW2gX
lfxJu3zWR2du0Q0T0I4s4eQV443YqmbeAXopkmIgE40TIZldzsr3l2SB9PcFHYGW
2j0e5EInwSiGA+LpE4pJ9XWiuYaDn0RTEX9Uejd9fA9ZAKJYlQ0h85P1bAeG9RDc
yKpxk6PZI5g5D+UiHBXLA1ZJkIHaOKStqWpwXrraWIDOdIQCDEAzcSZ+5E91wni6
HpOh715UOsjYJGYgsNKlm8N1GUc+6WhAtauZuQINBGJpCZkBEAC4ZtCRRUbZU0Z5
9orkyhBm4oYJJY3pKSz5bKdQK0bL+e08CMKsgYzHjklGCmdk6oS4okZi8x1lSj/j
kEZU1l/aq8gyob6s35hhcMb+2QFTVKoDYStRZ0cM90KmmPtaVAeEd57gTqFU5Wm4
PF0bTRhxImDND0xL5FwBha4TaZeIAdWfrJ5KRvJWD7aWlhcFTGdNXkPqXH/Yrmfg
IqYO3+Z0pMHFCpPgjIxJ5fI1zaZG8KOoNWsiMW+27xnYsQYx6/g+LWlwPutyz8jk
awgD2072/3rQvWGRi2V91v/uQzgheAjQWW24RQLPjZVEBZhtkJNzfqxkR50GzwdW
Ez6Uj7QHtFiy3c28XWbkop6WML9bQdBRSYhE5V/gJT6fugVRDge13j0gMGojaCnO
+v+Z1O8YXeAwmneQSjA/cpKB83LMKZqaAtCDqGI0hEAY/opxd3KSGMoFLubSKJmY
J1YB5mxHQREwrKVLq/lWNXdm5Cr0zMunHGpcZHLxxUiITNVqaG9YVVJXLnUQH+kA
LTvSKP1pwVGbYcr+8ah/0KkoJIMFAFQn85kGjxIAkAuqZ3idVp3R2x+WVDLQuaYs
HWUL5Cm7yTsxd/QdxwbkZxGRyQraEqZHV9K+znRUsUhGBTOdRS2MpLTZls7GWp+5
vubODl6TI8+q5oSbyC5mkBTGkxgwnwARAQABiQI2BBgBCgAgFiEEoGWHnv5lFD/z
b3QEohTPXKs1qMwFAmJpCZkCGwwACgkQohTPXKs1qMyecBAAxBT8gRVJ4N7jtKri
wE7Q5D4UB79/evLWbTXRpx28wiMVet5SOG+HS9AnvnjNr2ZwIIK6+O9ymtsqQxdk
WCI2x3fMKJeKBU0uy1eY1za85Ic38QNo4l661/FHvMYCDEaOYuROVewD8OIANpk3
TfFm7KeGXKX/QhdLr6nIo/DBDG8fTKfMQ8T3AWt0bZMY9XOFedG3zRoktoLXUF9K
GRyx6RGV2SkBXrOfBIRTePNSWGKgXSs4Jh6VgAMf/2OijJf0hyNfQJqi0YJPQkcf
wLwG0DbymYHogYl3tHN3/A6u3kGtoX7oLjMADOKUc6hAXeZZj2kMTdnbfv2YyZyZ
3bm2qvezX88OchJIM0CRIn9+O4qBCtpxS6UFd5VbYldgg72EHvrrQLVJqjK8ypQ7
rdQYewPhJkEfTRIi7WlL1GrjwYTUcalcdGZ/7uAkKjOiFk6vazT5x9tYbyOKXf76
0URNVo1vGFOgz572LKebq5AQtOHSCsqH/hbKDIvoEUwoM/rdjK/IgVDQe/ulLotq
GGhL9QbH8B1fL3BOv64Pf3XhkTL2MFclRQ9nJhtIamHk1q7KuZsmYDUKq3Z+mxFh
JD7AQC83LyZNNtsvPqeElYsnAGbCbFRbkeYiHhktfOtFAQJ5AWDvilsX2Ec97+2U
6Be9Gt2A9DpK4ne1JshyiBo/zkw=
=/exZ
-----END PGP PUBLIC KEY BLOCK---
```
ex: `gpg --encrypt --recipient-file "fichier_avec_la_clé_publique" --output "fichier_chiffré" "fichier_en_clair"`
Léquipe accusera réception de votre mail dans les 72 heures. Après la réponse initiale à votre rapport, elle vous tiendra informé de la progression vers une correction et une annonce complète, et pourra vous demander des informations ou des conseils supplémentaires.
## Politique de divulgation et de correction
Lorsque léquipe reçoit un rapport sur une faille de sécurité, elle procède aux étapes suivantes :
* Confirmer le problème et déterminer les versions affectées.
* Vérifier le code pour trouver tout problème similaire potentiel.
* Communiquer par mattermost aux différentes instances connues qu'une faille est en cours de résolution
* Préparer les correctifs, les merger sur la branche production et les déployer sur l'instance DINUM
* Communiquer par mattermost aux différentes instances connues que le correctif est disponible sur la branche principale
## Commentaires sur cette politique
Si vous avez des suggestions sur la façon dont ce processus pourrait être amélioré, veuillez soumettre une demande de téléchargement.

View file

@ -62,7 +62,8 @@ module Manager
email_services = [
Mailjet::API.new,
Sendinblue::API.new
Sendinblue::API.new,
Dolist::API.new
]
@sent_mails = email_services

90
app/lib/dolist/api.rb Normal file
View file

@ -0,0 +1,90 @@
class Dolist::API
CONTACT_URL = "https://apiv9.dolist.net/v1/contacts/read?AccountID=%{account_id}"
EMAIL_LOGS_URL = "https://apiv9.dolist.net/v1/statistics/email/sendings/transactional/search?AccountID=%{account_id}"
EMAIL_KEY = 7
DOLIST_WEB_DASHBOARD = "https://campaign.dolist.net/#/%{account_id}/contacts/%{contact_id}/sendings"
def properly_configured?
client_key.present?
end
def sent_mails(email_address)
contact_id = fetch_contact_id(email_address)
if contact_id.nil?
Rails.logger.info "Dolist::API: no contact found for email address '#{email_address}'"
return []
end
dolist_messages = fetch_dolist_messages(contact_id)
dolist_messages.map { |m| to_sent_mail(email_address, contact_id, m) }
rescue StandardError => e
Rails.logger.error e.message
[]
end
private
def headers
{
"Content-Type": 'application/json',
"Accept": 'application/json',
"X-API-Key": client_key
}
end
def client_key
Rails.application.secrets.dolist[:api_key]
end
def account_id
Rails.application.secrets.dolist[:account_id]
end
# https://api.dolist.com/documentation/index.html#/b3A6Mzg0MTQ0MDc-rechercher-un-contact
def fetch_contact_id(email_address)
url = format(CONTACT_URL, account_id: account_id)
body = {
Query: { FieldValueList: [{ ID: EMAIL_KEY, Value: email_address }] }
}.to_json
response = Typhoeus.post(url, body: body, headers: headers)
JSON.parse(response.response_body)["ID"]
end
# https://api.dolist.com/documentation/index.html#/b3A6Mzg0MTQ4MDk-recuperer-les-statistiques-des-envois-pour-un-contact
def fetch_dolist_messages(contact_id)
url = format(EMAIL_LOGS_URL, account_id: account_id)
body = { SearchQuery: { ContactID: contact_id } }.to_json
response = Typhoeus.post(url, body: body, headers: headers)
JSON.parse(response.response_body)['ItemList']
end
def to_sent_mail(email_address, contact_id, dolist_message)
SentMail.new(
from: ENV['DOLIST_NO_REPLY_EMAIL'],
to: email_address,
subject: dolist_message['SendingName'],
delivered_at: Time.zone.parse(dolist_message['SendDate']),
status: status(dolist_message),
service_name: 'Dolist',
external_url: format(DOLIST_WEB_DASHBOARD, account_id: account_id, contact_id: contact_id)
)
end
def status(dolist_message)
case dolist_message.fetch_values('Status', 'IsDelivered')
in ['Sent', true]
"delivered"
in ['Sent', false]
"sent (delivered ?)"
in [status, _]
status
end
end
end

View file

@ -29,6 +29,8 @@
= link_to t("links.footer.mentions_legales.label"), t("links.footer.mentions_legales.url"), title: t("links.footer.mentions_legales.title"), class: "footer-link", target: "_blank", rel: "noopener noreferrer"
%li.footer-link
= link_to t("links.footer.suivi.label"), suivi_path, title: t("links.footer.suivi.title"), class: "footer-link"
%li.footer-link
= link_to t("links.footer.code.label"), t("links.footer.code.url"), title: t("links.footer.code.title"), class: "footer-link", target: "_blank", rel: "noopener noreferrer"
%li.footer-column
%ul.footer-links
@ -44,3 +46,5 @@
= link_to t("links.footer.accessibilite.label"), t("links.footer.accessibilite.url"), title: t("links.footer.accessibilite.title"), class: "footer-link", target: "_blank", rel: "noopener noreferrer"
%li.footer-link
= link_to t("links.footer.status_page.label"), t("links.footer.status_page.url"), title: t("links.footer.status_page.title"), class: "footer-link", target: "_blank", rel: "noopener noreferrer"
%li.footer-link
= link_to t("links.footer.security.label"), t("links.footer.security.url"), title: t("links.footer.security.title"), class: "footer-link", target: "_blank", rel: "noopener noreferrer"

View file

@ -7,6 +7,8 @@
= link_to t("links.footer.mentions_legales.label"), t("links.footer.mentions_legales.url"), title: t("links.footer.mentions_legales.title"), class: "footer-link", target: "_blank", rel: "noopener noreferrer"
%li.footer-link-doc>
= link_to t("links.footer.doc.label"), t("links.footer.doc.url"), title: t("links.footer.doc.title"), class: "footer-link", target: "_blank", rel: "noopener noreferrer"
%li.footer-link-code>
= link_to t("links.footer.code.label"), t("links.footer.code.url"), title: t("links.footer.code.title"), class: "footer-link", target: "_blank", rel: "noopener noreferrer"
%li.footer-link-contact>
= contact_link t("links.footer.contact_technique.label"), dossier_id: dossier&.id, title: t("links.footer.contact_technique.title"), class: "footer-link"
%li.footer-link-aide>

View file

@ -112,3 +112,10 @@ MATOMO_IFRAME_URL="https://matomo.example.org/index.php?module=CoreAdminHome&act
# ACTIVE_STORAGE_FILE_SIZE_THRESHOLD_BEFORE_CUSTOM_UPLOAD=4294967296
# a custom script handling upload of big file
# ACTIVE_STORAGE_BIG_FILE_UPLOADER_WITH_ENCRYPTION_PATH='/usr/local/bin/swift'
# SMTP Provider: Dolist
# DOLIST_USERNAME=""
# DOLIST_PASSWORD=""
# DOLIST_ACCOUNT_ID=""
# DOLIST_NO_REPLY_EMAIL=""
# DOLIST_API_KEY=""

View file

@ -0,0 +1,27 @@
ActiveSupport.on_load(:action_mailer) do
module Dolist
class SMTP < ::Mail::SMTP
def deliver!(mail)
mail.from(ENV['DOLIST_NO_REPLY_EMAIL'])
mail.sender(ENV['DOLIST_NO_REPLY_EMAIL'])
mail['X-ACCOUNT-ID'] = Rails.application.secrets.dolist[:account_id]
mail['X-Dolist-Message-Name'] = mail.subject # for tracking in Dolist UI
mail['X-Dolist-Sending-Type'] = 'TransactionalService' # send even if the target is not active
super(mail)
end
end
end
ActionMailer::Base.add_delivery_method :dolist, Dolist::SMTP
ActionMailer::Base.dolist_settings = {
user_name: Rails.application.secrets.dolist[:username],
password: Rails.application.secrets.dolist[:password],
address: 'smtp.dolist.net',
port: 587,
authentication: 'plain',
enable_starttls_auto: true
}
end

View file

@ -27,6 +27,10 @@ en:
label: "Beta.gouv.fr"
title: "The Beta.gouv.fr website"
url: "https://beta.gouv.fr"
code:
label: "Source code"
title: "Source code"
url: "https://github.com/betagouv/demarches-simplifiees.fr"
cgu:
label: "ToS"
title: "Terms of Service"
@ -65,6 +69,10 @@ en:
label: "Releases"
title: "Releases"
url: "https://github.com/betagouv/demarches-simplifiees.fr/releases"
security:
label: "Security"
title: "Security"
url: "https://github.com/betagouv/demarches-simplifiees.fr/blob/main/SECURITY.md"
stats:
label: "Statistics"
title: "Statistics"

View file

@ -31,6 +31,10 @@ fr:
label: "CGU"
title: "Conditions Générales d'Utilisation"
url: "https://doc.demarches-simplifiees.fr/cgu"
code:
label: "Code source"
title: "Code source"
url: "https://github.com/betagouv/demarches-simplifiees.fr"
contact:
label: "Contact"
title: "Contact"
@ -65,6 +69,10 @@ fr:
label: "Nouveautés"
title: "Nos nouveautés"
url: "https://github.com/betagouv/demarches-simplifiees.fr/releases"
security:
label: "Sécurité"
title: "Sécurité"
url: "https://github.com/betagouv/demarches-simplifiees.fr/blob/main/SECURITY.md"
stats:
label: "Statistiques"
title: "Statistiques"

View file

@ -35,6 +35,11 @@ defaults: &defaults
mailjet:
api_key: <%= ENV['MAILJET_API_KEY'] %>
secret_key: <%= ENV['MAILJET_SECRET_KEY'] %>
dolist:
username: <%= ENV['DOLIST_USERNAME'] %>
password: <%= ENV['DOLIST_PASSWORD'] %>
account_id: <%= ENV['DOLIST_ACCOUNT_ID'] %>
api_key: <%= ENV['DOLIST_API_KEY'] %>
api_entreprise:
key: <%= ENV['API_ENTREPRISE_KEY'] %>
pipedrive: