Merge pull request #3391 from betagouv/fix_3345_connexion_securise

Fix 3345 connexion securise
2019-02-18 17:26:06 +01:00 · 2019-02-18 17:26:06 +01:00 · af1c2b028c
commit af1c2b028c
parent aebd3ff670 0b8619be77
12 changed files with 237 additions and 131 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -1,4 +1,6 @@
 class ApplicationController < ActionController::Base
  include TrustedDeviceConcern
  MAINTENANCE_MESSAGE = 'Le site est actuellement en maintenance. Il sera à nouveau disponible dans un court instant.'
  # Prevent CSRF attacks by raising an exception.
@ -6,6 +8,7 @@ class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception, if: -> { !Rails.env.test? }
  before_action :load_navbar_left_pannel_partial_url
  before_action :set_raven_context
  before_action :redirect_if_untrusted
  before_action :authorize_request_for_profiler
  before_action :reject, if: -> { Flipflop.maintenance_mode? }
@ -151,4 +154,34 @@ class ApplicationController < ActionController::Base
      redirect_to root_path
    end
  end
  def redirect_if_untrusted
    if gestionnaire_signed_in? &&
        sensitive_path &&
        current_gestionnaire.feature_enabled?(:enable_email_login_token) &&
        !trusted_device?
      # return at this location
      # after the device is trusted
      store_location_for(:user, request.fullpath)
      send_login_token_or_bufferize(current_gestionnaire)
      redirect_to link_sent_path(email: current_gestionnaire.email)
    end
  end
  def sensitive_path
    path = request.path_info
    if path == '/' ||
      path == '/users/sign_out' ||
      path.start_with?('/connexion-par-jeton') ||
      path.start_with?('/api/') ||
      path.start_with?('/lien-envoye')
      false
    else
      true
    end
  end
 end
--- a/app/controllers/users/sessions_controller.rb
+++ b/app/controllers/users/sessions_controller.rb
@ -23,20 +23,7 @@ class Users::SessionsController < Sessions::SessionsController
      current_user.update(loged_in_with_france_connect: nil)
    end
-    if gestionnaire_signed_in?
+    if gestionnaire_signed_in? || user_signed_in?
      if trusted_device? || !current_gestionnaire.feature_enabled?(:enable_email_login_token)
        set_flash_message :notice, :signed_in
        redirect_to after_sign_in_path_for(:user)
      else
        gestionnaire = current_gestionnaire
        send_login_token_or_bufferize(gestionnaire)
        [:user, :gestionnaire, :administrateur].each { |role| sign_out(role) }
        redirect_to link_sent_path(email: gestionnaire.email)
      end
    elsif user_signed_in?
      set_flash_message :notice, :signed_in
      redirect_to after_sign_in_path_for(:user)
    else
@ -83,32 +70,35 @@ class Users::SessionsController < Sessions::SessionsController
  def sign_in_by_link
    gestionnaire = Gestionnaire.find(params[:id])
-    if gestionnaire&.login_token_valid?(params[:jeton])
+    trusted_device_token = gestionnaire
-      trust_device
+      .trusted_device_tokens
-      flash.notice = "Merci d’avoir confirmé votre connexion. Votre navigateur est maintenant authentifié pour #{TRUSTED_DEVICE_PERIOD.to_i / ActiveSupport::Duration::SECONDS_PER_DAY} jours."
+      .find_by(token: params[:jeton])
-      user = User.find_by(email: gestionnaire.email)
+    if trusted_device_token&.token_valid?
-      administrateur = Administrateur.find_by(email: gestionnaire.email)
+      trust_device(trusted_device_token.created_at)
-      [user, gestionnaire, administrateur].compact.each { |resource| sign_in(resource) }
+
      period = ((trusted_device_token.created_at + TRUSTED_DEVICE_PERIOD) - Time.zone.now).to_i / ActiveSupport::Duration::SECONDS_PER_DAY
      flash.notice = "Merci d’avoir confirmé votre connexion. Votre navigateur est maintenant authentifié pour #{period} jours."
      # redirect to procedure'url if stored by store_location_for(:user) in dossiers_controller
      # redirect to root_path otherwise
      if gestionnaire_signed_in?
        redirect_to after_sign_in_path_for(:user)
      else
      flash[:alert] = 'Votre lien est invalide ou expiré, veuillez-vous reconnecter.'
        redirect_to new_user_session_path
      end
    else
      flash[:alert] = 'Votre lien est invalide ou expiré, un nouveau vient de vous être envoyé.'
      send_login_token_or_bufferize(gestionnaire)
      redirect_to link_sent_path(email: gestionnaire.email)
    end
  end
  private
  def send_login_token_or_bufferize(gestionnaire)
    if !gestionnaire.young_login_token?
      login_token = gestionnaire.login_token!
      GestionnaireMailer.send_login_token(gestionnaire, login_token).deliver_later
    end
  end
  def try_to_authenticate(klass, remember_me = false)
    resource = klass.find_for_database_authentication(email: params[:user][:email])
--- a/app/models/concerns/trusted_device_concern.rb
+++ b/app/models/concerns/trusted_device_concern.rb
@ -4,10 +4,10 @@ module TrustedDeviceConcern
  TRUSTED_DEVICE_COOKIE_NAME = :trusted_device
  TRUSTED_DEVICE_PERIOD = 1.month
-  def trust_device
+  def trust_device(start_at)
    cookies.encrypted[TRUSTED_DEVICE_COOKIE_NAME] = {
-      value: JSON.generate({ created_at: Time.zone.now }),
+      value: JSON.generate({ created_at: start_at }),
-      expires: TRUSTED_DEVICE_PERIOD,
+      expires: start_at + TRUSTED_DEVICE_PERIOD,
      httponly: true
    }
  end
@ -17,6 +17,13 @@ module TrustedDeviceConcern
      (Time.zone.now - TRUSTED_DEVICE_PERIOD) < trusted_device_cookie_created_at
  end
  def send_login_token_or_bufferize(gestionnaire)
    if !gestionnaire.young_login_token?
      login_token = gestionnaire.create_trusted_device_token
      GestionnaireMailer.send_login_token(gestionnaire, login_token).deliver_later
    end
  end
  private
  def trusted_device_cookie_created_at
--- a/app/models/gestionnaire.rb
+++ b/app/models/gestionnaire.rb
@ -1,10 +1,6 @@
 class Gestionnaire < ApplicationRecord
  include CredentialsSyncableConcern
  include EmailSanitizableConcern
  include ActiveRecord::SecureToken
  LOGIN_TOKEN_VALIDITY = 45.minutes
  LOGIN_TOKEN_YOUTH = 15.minutes
  devise :database_authenticatable, :registerable, :async,
    :recoverable, :rememberable, :trackable, :validatable
@ -20,6 +16,7 @@ class Gestionnaire < ApplicationRecord
  has_many :followed_dossiers, through: :follows, source: :dossier
  has_many :avis
  has_many :dossiers_from_avis, through: :avis, source: :dossier
  has_many :trusted_device_tokens
  def visible_procedures
    procedures.merge(Procedure.avec_lien.or(Procedure.archivees))
@ -135,18 +132,9 @@ class Gestionnaire < ApplicationRecord
    Dossier.where(id: dossiers_id_with_notifications(dossiers)).group(:procedure_id).count
  end
-  def login_token!
+  def create_trusted_device_token
-    login_token = Gestionnaire.generate_unique_secure_token
+    trusted_device_token = trusted_device_tokens.create
-    encrypted_login_token = BCrypt::Password.create(login_token)
+    trusted_device_token.token
    update(encrypted_login_token: encrypted_login_token, login_token_created_at: Time.zone.now)
    login_token
  end
  def login_token_valid?(login_token)
    BCrypt::Password.new(encrypted_login_token) == login_token &&
      LOGIN_TOKEN_VALIDITY.ago < login_token_created_at
  rescue BCrypt::Errors::InvalidHash
    false
  end
  def dossiers_id_with_notifications(dossiers)
@ -213,8 +201,8 @@ class Gestionnaire < ApplicationRecord
  end
  def young_login_token?
-    login_token_created_at.present? &&
+    trusted_device_token = trusted_device_tokens.order(created_at: :desc).first
-      LOGIN_TOKEN_YOUTH.ago < login_token_created_at
+    trusted_device_token&.token_young?
  end
  private
--- a/app/models/trusted_device_token.rb
+++ b/app/models/trusted_device_token.rb
@ -0,0 +1,15 @@
 class TrustedDeviceToken < ApplicationRecord
  LOGIN_TOKEN_VALIDITY = 1.week
  LOGIN_TOKEN_YOUTH = 15.minutes
  belongs_to :gestionnaire
  has_secure_token
  def token_valid?
    LOGIN_TOKEN_VALIDITY.ago < created_at
  end
  def token_young?
    LOGIN_TOKEN_YOUTH.ago < created_at
  end
 end
--- a/db/migrate/20190201164951_create_trusted_device_tokens.rb
+++ b/db/migrate/20190201164951_create_trusted_device_tokens.rb
@ -0,0 +1,11 @@
 class CreateTrustedDeviceTokens < ActiveRecord::Migration[5.2]
  def change
    create_table :trusted_device_tokens do |t|
      t.string :token, null: false
      t.references :gestionnaire, foreign_key: true
      t.timestamps
    end
    add_index :trusted_device_tokens, :token, unique: true
  end
 end
--- a/db/schema.rb
+++ b/db/schema.rb
@ -520,6 +520,15 @@ ActiveRecord::Schema.define(version: 2019_02_13_144145) do
    t.string "version", null: false
  end
  create_table "trusted_device_tokens", force: :cascade do |t|
    t.string "token", null: false
    t.bigint "gestionnaire_id"
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
    t.index ["gestionnaire_id"], name: "index_trusted_device_tokens_on_gestionnaire_id"
    t.index ["token"], name: "index_trusted_device_tokens_on_token", unique: true
  end
  create_table "types_de_champ", id: :serial, force: :cascade do |t|
    t.string "libelle"
    t.string "type_champ"
@ -611,6 +620,7 @@ ActiveRecord::Schema.define(version: 2019_02_13_144145) do
  add_foreign_key "received_mails", "procedures"
  add_foreign_key "refused_mails", "procedures"
  add_foreign_key "services", "administrateurs"
  add_foreign_key "trusted_device_tokens", "gestionnaires"
  add_foreign_key "types_de_champ", "types_de_champ", column: "parent_id"
  add_foreign_key "without_continuation_mails", "procedures"
 end
--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
@ -9,6 +9,7 @@ describe ApplicationController, type: :controller do
        .map(&:filter)
      expect(before_actions).to include(:set_raven_context)
      expect(before_actions).to include(:redirect_if_untrusted)
    end
  end
@ -145,4 +146,56 @@ describe ApplicationController, type: :controller do
      it { expect(flash[:alert]).to eq(ApplicationController::MAINTENANCE_MESSAGE) }
    end
  end
  describe '#redirect_if_unstrusted' do
    let(:current_gestionnaire) { create(:gestionnaire) }
    before do
      allow(current_gestionnaire).to receive(:feature_enabled?).and_return(feature_enabled)
      allow(@controller).to receive(:current_gestionnaire).and_return(current_gestionnaire)
      allow(@controller).to receive(:redirect_to)
      allow(@controller).to receive(:trusted_device?).and_return(trusted_device)
      allow(@controller).to receive(:gestionnaire_signed_in?).and_return(gestionnaire_signed_in)
      allow(@controller).to receive(:sensitive_path).and_return(sensitive_path)
      allow(@controller).to receive(:send_login_token_or_bufferize)
      allow(@controller).to receive(:store_location_for)
    end
    subject { @controller.send(:redirect_if_untrusted) }
    context 'when the path is sensitive' do
      let(:sensitive_path) { true }
      context 'when the gestionnaire is signed_in' do
        let(:gestionnaire_signed_in) { true }
        context 'when the feature is activated' do
          let(:feature_enabled) { true }
          context 'when the device is trusted' do
            let(:trusted_device) { true }
            before { subject }
            it { expect(@controller).not_to have_received(:redirect_to) }
          end
        end
        context 'when the feature is activated' do
          let(:feature_enabled) { true }
          context 'when the device is not trusted' do
            let(:trusted_device) { false }
            before { subject }
            it { expect(@controller).to have_received(:redirect_to) }
            it { expect(@controller).to have_received(:send_login_token_or_bufferize) }
            it { expect(@controller).to have_received(:store_location_for) }
          end
        end
      end
    end
  end
 end
--- a/spec/controllers/sessions/sessions_controller_spec.rb
+++ b/spec/controllers/sessions/sessions_controller_spec.rb
@ -40,6 +40,7 @@ describe Sessions::SessionsController, type: :controller do
      @request.env["devise.mapping"] = Devise.mappings[:gestionnaire]
      allow_any_instance_of(described_class).to receive(:gestionnaire_signed_in?).and_return(true)
      allow_any_instance_of(described_class).to receive(:current_gestionnaire).and_return(gestionnaire)
    end
    it 'calls sign out for gestionnaire' do
--- a/spec/controllers/users/sessions_controller_spec.rb
+++ b/spec/controllers/users/sessions_controller_spec.rb
@ -28,31 +28,15 @@ describe Users::SessionsController, type: :controller do
      context 'when the device is not trusted' do
        let(:trusted_device) { false }
-        it 'redirects to the confirmation link path' do
+        it 'redirects to the root path' do
          subject
-          expect(controller).to redirect_to link_sent_path(email: email)
+          expect(controller).to redirect_to(root_path)
          # do not know why, should be test related
          expect(controller.current_user).to eq(user)
-
+          expect(controller.current_gestionnaire).to eq(gestionnaire)
-          expect(controller.current_gestionnaire).to be(nil)
+          expect(controller.current_administrateur).to eq(administrateur)
-          expect(controller.current_administrateur).to be(nil)
+          expect(user.loged_in_with_france_connect).to eq(nil)
          expect(user.loged_in_with_france_connect).to be(nil)
          expect(GestionnaireMailer).to have_received(:send_login_token)
        end
        context 'and the user try to connect multiple times in a short period' do
          before do
            allow_any_instance_of(Gestionnaire).to receive(:young_login_token?).and_return(true)
            allow(GestionnaireMailer).to receive(:send_login_token)
          end
          it 'does not renew nor send a new login token' do
            subject
            expect(GestionnaireMailer).not_to have_received(:send_login_token)
          end
        end
      end
@ -69,7 +53,6 @@ describe Users::SessionsController, type: :controller do
          expect(controller.current_gestionnaire).to eq(gestionnaire)
          expect(controller.current_administrateur).to eq(administrateur)
          expect(user.loged_in_with_france_connect).to be(nil)
          expect(GestionnaireMailer).not_to have_received(:send_login_token)
        end
      end
@ -192,17 +175,43 @@ describe Users::SessionsController, type: :controller do
  describe '#sign_in_by_link' do
    context 'when the gestionnaire has non other account' do
      let(:gestionnaire) { create(:gestionnaire) }
-      let!(:good_jeton) { gestionnaire.login_token! }
+      let!(:good_jeton) { gestionnaire.create_trusted_device_token }
      let(:logged) { false }
      before do
        if logged
          sign_in gestionnaire
        end
        allow(controller).to receive(:trust_device)
        allow(controller).to receive(:send_login_token_or_bufferize)
        post :sign_in_by_link, params: { id: gestionnaire.id, jeton: jeton }
      end
      context 'when the gestionnaire is not logged in' do
        context 'when the token is valid' do
          let(:jeton) { good_jeton }
          it { is_expected.to redirect_to new_user_session_path }
          it { expect(controller.current_gestionnaire).to be_nil }
          it { expect(controller).to have_received(:trust_device) }
        end
        context 'when the token is invalid' do
          let(:jeton) { 'invalid_token' }
          it { is_expected.to redirect_to link_sent_path(email: gestionnaire.email) }
          it { expect(controller.current_gestionnaire).to be_nil }
          it { expect(controller).not_to have_received(:trust_device) }
          it { expect(controller).to have_received(:send_login_token_or_bufferize) }
        end
      end
      context 'when the gestionnaire is logged in' do
        let(:logged) { true }
        context 'when the token is valid' do
          let(:jeton) { good_jeton }
        # TODO when the gestionnaire has no other account, and the token is valid, and the user signing in was not starting a demarche,
          # redirect to root_path, then redirect to gestionnaire_procedures_path (see root_controller)
          it { is_expected.to redirect_to root_path }
          it { expect(controller.current_gestionnaire).to eq(gestionnaire) }
@ -212,30 +221,11 @@ describe Users::SessionsController, type: :controller do
        context 'when the token is invalid' do
          let(:jeton) { 'invalid_token' }
-        it { is_expected.to redirect_to new_user_session_path }
+          it { is_expected.to redirect_to link_sent_path(email: gestionnaire.email) }
        it { expect(controller.current_gestionnaire).to be_nil }
        it { expect(controller).not_to have_received(:trust_device) }
      end
    end
    context 'when the gestionnaire has an user and admin account' do
      let(:email) { 'unique@plop.com' }
      let(:password) { 'un super mot de passe' }
      let!(:user) { create(:user, email: email, password: password) }
      let!(:administrateur) { create(:administrateur, email: email, password: password) }
      let(:gestionnaire) { administrateur.gestionnaire }
      before do
        post :sign_in_by_link, params: { id: gestionnaire.id, jeton: jeton }
      end
      context 'when the token is valid' do
        let(:jeton) { gestionnaire.login_token! }
          it { expect(controller.current_gestionnaire).to eq(gestionnaire) }
-        it { expect(controller.current_administrateur).to eq(administrateur) }
+          it { expect(controller).not_to have_received(:trust_device) }
-        it { expect(controller.current_user).to eq(user) }
+          it { expect(controller).to have_received(:send_login_token_or_bufferize) }
        end
      end
    end
  end
@ -249,16 +239,15 @@ describe Users::SessionsController, type: :controller do
    context 'when the cookie is outdated' do
      before do
-        Timecop.freeze(Time.zone.now - TrustedDeviceConcern::TRUSTED_DEVICE_PERIOD - 1.minute)
+        emission_date = Time.zone.now - TrustedDeviceConcern::TRUSTED_DEVICE_PERIOD - 1.minute
-        controller.trust_device
+        controller.trust_device(emission_date)
        Timecop.return
      end
      it { is_expected.to be false }
    end
    context 'when the cookie is ok' do
-      before { controller.trust_device }
+      before { controller.trust_device(Time.zone.now) }
      it { is_expected.to be true }
    end
--- a/spec/models/gestionnaire_spec.rb
+++ b/spec/models/gestionnaire_spec.rb
@ -392,44 +392,24 @@ describe Gestionnaire, type: :model do
    end
  end
  describe '#login_token_valid?' do
    let!(:gestionnaire) { create(:gestionnaire) }
    let!(:good_token) { gestionnaire.login_token! }
    it { expect(gestionnaire.login_token_valid?(good_token)).to be true }
    it { expect(gestionnaire.login_token_valid?('bad_token')).to be false }
    context 'when the token as expired' do
      before { gestionnaire.update(login_token_created_at: (Gestionnaire::LOGIN_TOKEN_VALIDITY + 1.minute).ago) }
      it { expect(gestionnaire.login_token_valid?(good_token)).to be false }
    end
    context 'when the gestionnaire does not have a token' do
      before { gestionnaire.update(encrypted_login_token: nil) }
      it { expect(gestionnaire.login_token_valid?(nil)).to be false }
    end
  end
  describe '#young_login_token?' do
    let!(:gestionnaire) { create(:gestionnaire) }
    context 'when there is a token' do
-      let!(:good_token) { gestionnaire.login_token! }
+      let!(:good_token) { gestionnaire.create_trusted_device_token }
      context 'when the token has just been created' do
        it { expect(gestionnaire.young_login_token?).to be true }
      end
      context 'when the token is a bit old' do
-        before { gestionnaire.update(login_token_created_at: (Gestionnaire::LOGIN_TOKEN_YOUTH + 1.minute).ago) }
+        before { gestionnaire.trusted_device_tokens.first.update(created_at: (TrustedDeviceToken::LOGIN_TOKEN_YOUTH + 1.minute).ago) }
        it { expect(gestionnaire.young_login_token?).to be false }
      end
    end
    context 'when there are no token' do
-      it { expect(gestionnaire.young_login_token?).to be false }
+      it { expect(gestionnaire.young_login_token?).to be_falsey }
    end
  end
--- a/spec/models/trusted_device_token_spec.rb
+++ b/spec/models/trusted_device_token_spec.rb
@ -0,0 +1,29 @@
 RSpec.describe TrustedDeviceToken, type: :model do
  describe '#token_valid?' do
    let(:token) { TrustedDeviceToken.create }
    context 'when the token is create after login_token_validity' do
      it { expect(token.token_valid?).to be true }
    end
    context 'when the token is create before login_token_validity' do
      before { token.update(created_at: (TrustedDeviceToken::LOGIN_TOKEN_VALIDITY + 1.minute).ago) }
      it { expect(token.token_valid?).to be false }
    end
  end
  describe '#token_young?' do
    let(:token) { TrustedDeviceToken.create }
    context 'when the token is create after login_token_youth' do
      it { expect(token.token_young?).to be true }
    end
    context 'when the token is create before login_token_youth' do
      before { token.update(created_at: (TrustedDeviceToken::LOGIN_TOKEN_YOUTH + 1.minute).ago) }
      it { expect(token.token_young?).to be false }
    end
  end
 end