disable france connect authentication for admin and instructeurs

This commit is contained in:
Christophe Robillard 2021-02-01 14:28:04 +01:00
parent 86a3ecb0be
commit a288a13805
8 changed files with 79 additions and 14 deletions

View file

@ -10,22 +10,17 @@ class FranceConnect::ParticulierController < ApplicationController
end end
def callback def callback
fetched_fci = FranceConnectService.retrieve_user_informations_particulier(params[:code]) fci = FranceConnectService.find_or_retrieve_france_connect_information(params[:code])
fci.associate_user!
fci = FranceConnectInformation if fci.user && !fci.user.can_france_connect?
.find_by(france_connect_particulier_id: fetched_fci[:france_connect_particulier_id]) || fci.destroy
fetched_fci.tap(&:save) redirect_to new_user_session_path, alert: t('errors.messages.france_connect.forbidden_html', reset_link: new_user_password_path)
return
if fci.user.nil?
user = User.find_or_create_by!(email: fci.email_france_connect.downcase) do |new_user|
new_user.password = Devise.friendly_token[0, 20]
new_user.confirmed_at = Time.zone.now
end
fci.update_attribute('user_id', user.id)
end end
connect_france_connect_particulier(fci.user) connect_france_connect_particulier(fci.user)
rescue Rack::OAuth2::Client::Error => e rescue Rack::OAuth2::Client::Error => e
Rails.logger.error e.message Rails.logger.error e.message
redirect_france_connect_error_connection redirect_france_connect_error_connection

View file

@ -18,4 +18,18 @@ class FranceConnectInformation < ApplicationRecord
belongs_to :user, optional: true belongs_to :user, optional: true
validates :france_connect_particulier_id, presence: true, allow_blank: false, allow_nil: false validates :france_connect_particulier_id, presence: true, allow_blank: false, allow_nil: false
def associate_user!
user = User.find_by(email: email_france_connect.downcase)
if user.nil?
user = User.create!(
email: email_france_connect.downcase,
password: Devise.friendly_token[0, 20],
confirmed_at: Time.zone.now
)
end
update_attribute('user_id', user.id)
end
end end

View file

@ -112,6 +112,7 @@ class User < ApplicationRecord
if user.valid? if user.valid?
if user.instructeur_id.nil? if user.instructeur_id.nil?
user.create_instructeur! user.create_instructeur!
user.update(france_connect_information: nil)
end end
user.instructeur.administrateurs << administrateurs user.instructeur.administrateurs << administrateurs
@ -125,6 +126,7 @@ class User < ApplicationRecord
if user.valid? && user.administrateur_id.nil? if user.valid? && user.administrateur_id.nil?
user.create_administrateur! user.create_administrateur!
user.update(france_connect_information: nil)
end end
user user
@ -152,6 +154,18 @@ class User < ApplicationRecord
last_sign_in_at.present? last_sign_in_at.present?
end end
def administrateur?
administrateur_id.present?
end
def instructeur?
instructeur_id.present?
end
def can_france_connect?
!administrateur? && !instructeur?
end
def can_be_deleted? def can_be_deleted?
administrateur.nil? && instructeur.nil? && dossiers.with_discarded.state_instruction_commencee.empty? administrateur.nil? && instructeur.nil? && dossiers.with_discarded.state_instruction_commencee.empty?
end end

View file

@ -14,6 +14,13 @@ class FranceConnectService
) )
end end
def self.find_or_retrieve_france_connect_information(code)
fetched_fci = FranceConnectService.retrieve_user_informations_particulier(code)
FranceConnectInformation.find_by(france_connect_particulier_id: fetched_fci[:france_connect_particulier_id]) || fetched_fci
end
private
def self.retrieve_user_informations_particulier(code) def self.retrieve_user_informations_particulier(code)
client = FranceConnectParticulierClient.new(code) client = FranceConnectParticulierClient.new(code)

View file

@ -114,6 +114,7 @@ fr:
# etablissement_fail: 'Désolé, nous navons pas réussi à enregistrer létablissement correspondant à ce numéro SIRET' # etablissement_fail: 'Désolé, nous navons pas réussi à enregistrer létablissement correspondant à ce numéro SIRET'
france_connect: france_connect:
connexion: "Erreur lors de la connexion à France Connect." connexion: "Erreur lors de la connexion à France Connect."
forbidden_html: "Seul-e-s les usagers peuvent se connecter via France Connect. En tant qu'instructeur ou administrateur, nous vous invitons à <a href='%{reset_link}'>réininitialiser votre mot de passe</a>."
procedure_archived: "Cette démarche en ligne a été close, il nest plus possible de déposer de dossier." procedure_archived: "Cette démarche en ligne a été close, il nest plus possible de déposer de dossier."
# procedure_not_draft: "Cette démarche nest maintenant plus en brouillon." # procedure_not_draft: "Cette démarche nest maintenant plus en brouillon."
cadastres_empty: cadastres_empty:

View file

@ -55,7 +55,7 @@ describe FranceConnect::ParticulierController, type: :controller do
it { expect { subject }.not_to change { FranceConnectInformation.count } } it { expect { subject }.not_to change { FranceConnectInformation.count } }
context 'when france_connect_particulier_id have an associate user' do context 'when france_connect_particulier_id have an associate user' do
let!(:user) { create(:user, email: 'plop@plop.com', france_connect_information: france_connect_information) } let!(:user) { create(:user, email: email, france_connect_information: france_connect_information) }
it do it do
subject subject
@ -84,6 +84,17 @@ describe FranceConnect::ParticulierController, type: :controller do
expect(user.reload.loged_in_with_france_connect).to eq(User.loged_in_with_france_connects.fetch(:particulier)) expect(user.reload.loged_in_with_france_connect).to eq(User.loged_in_with_france_connects.fetch(:particulier))
expect(subject).to redirect_to(root_path) expect(subject).to redirect_to(root_path)
end end
context 'and the user is also instructeur' do
let(:instructeur) { create(:instructeur) }
let(:email) { instructeur.email }
let(:user) { instructeur.user }
before { subject }
it { expect(response).to redirect_to(new_user_session_path) }
it { expect(flash[:alert]).to be_present }
end
end end
context 'when a differently cased email address is already used' do context 'when a differently cased email address is already used' do

View file

@ -6,4 +6,27 @@ describe FranceConnectInformation, type: :model do
it { is_expected.to allow_value('mon super projet').for(:france_connect_particulier_id) } it { is_expected.to allow_value('mon super projet').for(:france_connect_particulier_id) }
end end
end end
describe 'associate_user!' do
context 'when there is no user with same email' do
let(:fci) { create(:france_connect_information) }
let(:subject) { fci.associate_user! }
it { expect { subject }.to change(User, :count).by(1) }
it do
subject
expect(fci.user.email).to eq(fci.email_france_connect)
end
end
context 'when a user with same email (but who is not an instructeur) exist' do
let(:user) { create(:user) }
let(:fci) { build(:france_connect_information, email_france_connect: user.email) }
let(:subject) { fci.associate_user! }
before { subject }
it { expect(fci.user).to eq(user) }
end
end
end end

View file

@ -15,7 +15,7 @@ describe FranceConnectService do
let(:user_info_hash) { { sub: france_connect_particulier_id, given_name: given_name, family_name: family_name, birthdate: birthdate, gender: gender, birthplace: birthplace, email: email, phone: phone } } let(:user_info_hash) { { sub: france_connect_particulier_id, given_name: given_name, family_name: family_name, birthdate: birthdate, gender: gender, birthplace: birthplace, email: email, phone: phone } }
let(:user_info) { instance_double('OpenIDConnect::ResponseObject::UserInfo', raw_attributes: user_info_hash) } let(:user_info) { instance_double('OpenIDConnect::ResponseObject::UserInfo', raw_attributes: user_info_hash) }
subject { described_class.retrieve_user_informations_particulier code } subject { described_class.find_or_retrieve_france_connect_information code }
before do before do
allow_any_instance_of(FranceConnectParticulierClient).to receive(:access_token!).and_return(access_token) allow_any_instance_of(FranceConnectParticulierClient).to receive(:access_token!).and_return(access_token)