diff --git a/app/assets/images/logo-france-connect.png b/app/assets/images/logo-france-connect.png new file mode 100644 index 000000000..c33a34723 Binary files /dev/null and b/app/assets/images/logo-france-connect.png differ diff --git a/app/controllers/new_administrateur/procedures_controller.rb b/app/controllers/new_administrateur/procedures_controller.rb index 11116b8db..29cf33abc 100644 --- a/app/controllers/new_administrateur/procedures_controller.rb +++ b/app/controllers/new_administrateur/procedures_controller.rb @@ -125,12 +125,20 @@ module NewAdministrateur end def update_jeton - if !@procedure.update(procedure_params) - flash.now.alert = @procedure.errors.full_messages + token = params[:procedure][:api_entreprise_token] + @procedure.api_entreprise_token = token + + if @procedure.valid? && + ApiEntreprise::PrivilegesAdapter.new(token).valid? && + @procedure.save + + redirect_to jeton_admin_procedure_path(procedure_id: params[:procedure_id]), + notice: 'Le jeton a bien été mis à jour' else - flash.notice = 'Le jeton a bien été mis à jour' + + flash.now.alert = "Mise à jour impossible : le jeton n'est pas valide" + render 'jeton' end - render 'jeton' end def publication diff --git a/app/graphql/api/v2/schema.rb b/app/graphql/api/v2/schema.rb index 777f08014..470be61df 100644 --- a/app/graphql/api/v2/schema.rb +++ b/app/graphql/api/v2/schema.rb @@ -63,7 +63,7 @@ class Api::V2::Schema < GraphQL::Schema use GraphQL::Execution::Interpreter use GraphQL::Analysis::AST - use GraphQL::Schema::Timeout, max_seconds: 5 + use GraphQL::Schema::Timeout, max_seconds: 10 use GraphQL::Batch use GraphQL::Backtrace diff --git a/app/lib/api_entreprise/api.rb b/app/lib/api_entreprise/api.rb index 716c28f30..62699fa63 100644 --- a/app/lib/api_entreprise/api.rb +++ b/app/lib/api_entreprise/api.rb @@ -8,6 +8,7 @@ class ApiEntreprise::API ATTESTATION_SOCIALE_RESOURCE_NAME = "attestations_sociales_acoss" ATTESTATION_FISCALE_RESOURCE_NAME = "attestations_fiscales_dgfip" BILANS_BDF_RESOURCE_NAME = "bilans_entreprises_bdf" + PRIVILEGES_RESOURCE_NAME = "privileges" TIMEOUT = 15 @@ -24,48 +25,64 @@ class ApiEntreprise::API end def self.entreprise(siren, procedure_id) - call(ENTREPRISE_RESOURCE_NAME, siren, procedure_id) + call_with_siret(ENTREPRISE_RESOURCE_NAME, siren, procedure_id) end def self.etablissement(siret, procedure_id) - call(ETABLISSEMENT_RESOURCE_NAME, siret, procedure_id) + call_with_siret(ETABLISSEMENT_RESOURCE_NAME, siret, procedure_id) end def self.exercices(siret, procedure_id) - call(EXERCICES_RESOURCE_NAME, siret, procedure_id) + call_with_siret(EXERCICES_RESOURCE_NAME, siret, procedure_id) end def self.rna(siret, procedure_id) - call(RNA_RESOURCE_NAME, siret, procedure_id) + call_with_siret(RNA_RESOURCE_NAME, siret, procedure_id) end def self.effectifs(siren, procedure_id, annee, mois) endpoint = [EFFECTIFS_RESOURCE_NAME, annee, mois, "entreprise"].join('/') - call(endpoint, siren, procedure_id) + call_with_siret(endpoint, siren, procedure_id) end def self.effectifs_annuels(siren, procedure_id) - call(EFFECTIFS_ANNUELS_RESOURCE_NAME, siren, procedure_id) + call_with_siret(EFFECTIFS_ANNUELS_RESOURCE_NAME, siren, procedure_id) end def self.attestation_sociale(siren, procedure_id) procedure = Procedure.find(procedure_id) - call(ATTESTATION_SOCIALE_RESOURCE_NAME, siren, procedure_id) if procedure.api_entreprise_role?("attestations_sociales") + call_with_siret(ATTESTATION_SOCIALE_RESOURCE_NAME, siren, procedure_id) if procedure.api_entreprise_role?("attestations_sociales") end def self.attestation_fiscale(siren, procedure_id, user_id) procedure = Procedure.find(procedure_id) - call(ATTESTATION_FISCALE_RESOURCE_NAME, siren, procedure_id, user_id) if procedure.api_entreprise_role?("attestations_fiscales") + call_with_siret(ATTESTATION_FISCALE_RESOURCE_NAME, siren, procedure_id, user_id) if procedure.api_entreprise_role?("attestations_fiscales") end def self.bilans_bdf(siren, procedure_id) procedure = Procedure.find(procedure_id) - call(BILANS_BDF_RESOURCE_NAME, siren, procedure_id) if procedure.api_entreprise_role?("bilans_entreprise_bdf") + call_with_siret(BILANS_BDF_RESOURCE_NAME, siren, procedure_id) if procedure.api_entreprise_role?("bilans_entreprise_bdf") + end + + def self.privileges(token) + call_with_token(PRIVILEGES_RESOURCE_NAME, token) end private - def self.call(resource_name, siret_or_siren, procedure_id, user_id = nil) + def self.call_with_token(resource_name, token) + url = "#{API_ENTREPRISE_URL}/privileges?token=#{token}" + response = Typhoeus.get(url, + timeout: TIMEOUT) + + if response.success? + JSON.parse(response.body, symbolize_names: true) + else + raise RequestFailed, "HTTP Error Code: #{response.code} for #{url}\nheaders: #{response.headers}\nbody: #{response.body}" + end + end + + def self.call_with_siret(resource_name, siret_or_siren, procedure_id, user_id = nil) return if ApiEntrepriseToken.new(token_for_procedure(procedure_id)).expired? url = url(resource_name, siret_or_siren) params = params(siret_or_siren, procedure_id, user_id) diff --git a/app/lib/api_entreprise/privileges_adapter.rb b/app/lib/api_entreprise/privileges_adapter.rb new file mode 100644 index 000000000..8064d5962 --- /dev/null +++ b/app/lib/api_entreprise/privileges_adapter.rb @@ -0,0 +1,20 @@ +class ApiEntreprise::PrivilegesAdapter < ApiEntreprise::Adapter + def initialize(token) + @token = token + end + + def valid? + begin + get_resource + true + rescue + false + end + end + + private + + def get_resource + ApiEntreprise::API.privileges(@token) + end +end diff --git a/app/models/dossier.rb b/app/models/dossier.rb index d4a99ce22..7c4ddc06e 100644 --- a/app/models/dossier.rb +++ b/app/models/dossier.rb @@ -59,6 +59,7 @@ class Dossier < ApplicationRecord has_one :etablissement, dependent: :destroy has_one :individual, validate: false, dependent: :destroy has_one :attestation, dependent: :destroy + has_one :france_connect_information, through: :user has_one_attached :justificatif_motivation diff --git a/app/views/dossiers/show.pdf.prawn b/app/views/dossiers/show.pdf.prawn index 36c1c6329..5d85579cb 100644 --- a/app/views/dossiers/show.pdf.prawn +++ b/app/views/dossiers/show.pdf.prawn @@ -188,6 +188,9 @@ prawn_document(page_size: "A4") do |pdf| add_title(pdf, "Identité du demandeur") + if @dossier.france_connect_information.present? + format_in_2_columns(pdf, 'Informations France Connect', "Le dossier a été déposé par le compte de #{@dossier.france_connect_information.given_name} #{@dossier.france_connect_information.family_name}, authentifié par France Connect le #{@dossier.france_connect_information.updated_at.strftime('%d/%m/%Y')}") + end format_in_2_columns(pdf, "Email", @dossier.user.email) add_identite_individual(pdf, @dossier) if @dossier.individual.present? render_identite_etablissement(pdf, @dossier.etablissement) if @dossier.etablissement.present? diff --git a/app/views/shared/dossiers/_demande.html.haml b/app/views/shared/dossiers/_demande.html.haml index 55870541c..a4c45ec87 100644 --- a/app/views/shared/dossiers/_demande.html.haml +++ b/app/views/shared/dossiers/_demande.html.haml @@ -5,6 +5,8 @@ .tab-title Identité du demandeur .card + - if dossier.france_connect_information.present? + = render partial: "shared/dossiers/france_connect_informations", locals: { user_information: dossier.france_connect_information } = render partial: "shared/dossiers/user_infos", locals: { user: dossier.user } - if dossier.etablissement.present? diff --git a/app/views/shared/dossiers/_edit.html.haml b/app/views/shared/dossiers/_edit.html.haml index a8a420e3f..67e21b38a 100644 --- a/app/views/shared/dossiers/_edit.html.haml +++ b/app/views/shared/dossiers/_edit.html.haml @@ -21,7 +21,8 @@ Votre dossier est enregistré automatiquement après chaque modification. Vous pouvez à tout moment fermer la fenêtre et reprendre plus tard là où vous en étiez. - else Pour enregistrer votre dossier et le reprendre plus tard, cliquez sur le bouton « Enregistrer le brouillon » en bas à gauche du formulaire. - + - if !apercu && dossier.france_connect_information.present? + = render partial: "shared/dossiers/france_connect_informations", locals: { user_information: dossier.france_connect_information } - if notice_url(dossier.procedure).present? = link_to notice_url(dossier.procedure), target: '_blank', rel: 'noopener', class: 'button notice', title: "Pour vous aider à remplir votre dossier, vous pouvez consulter le guide de cette démarche." do %span.icon.info> diff --git a/app/views/shared/dossiers/_france_connect_informations.html.haml b/app/views/shared/dossiers/_france_connect_informations.html.haml new file mode 100644 index 000000000..ba7256521 --- /dev/null +++ b/app/views/shared/dossiers/_france_connect_informations.html.haml @@ -0,0 +1,4 @@ +.card.featured + .flex.justify-center + = image_tag "logo-france-connect.png", alt: "France Connect logo", width: 200, class: "mb-2" + .card-title Le dossier a été déposé par le compte de #{user_information.given_name} #{user_information.family_name}, authentifié par France Connect le #{user_information.updated_at.strftime('%d/%m/%Y')}. diff --git a/config/routes.rb b/config/routes.rb index d6bdfafd5..82914057e 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -49,7 +49,7 @@ Rails.application.routes.draw do post 'demandes/create_administrateur' post 'demandes/refuse_administrateur' - authenticate :administration do + authenticate :super_admin do mount Flipper::UI.app(-> { Flipper.instance }) => "/features", as: :flipper match "/delayed_job" => DelayedJobWeb, :anchor => false, :via => [:get, :post] end diff --git a/spec/controllers/new_administrateur/procedures_controller_spec.rb b/spec/controllers/new_administrateur/procedures_controller_spec.rb index ecc2c4095..de1efc074 100644 --- a/spec/controllers/new_administrateur/procedures_controller_spec.rb +++ b/spec/controllers/new_administrateur/procedures_controller_spec.rb @@ -333,11 +333,38 @@ describe NewAdministrateur::ProceduresController, type: :controller do describe 'PATCH #jeton' do let(:procedure) { create(:procedure, administrateur: admin) } - let(:valid_token) { "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" } + let(:token) { "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" } - it "update api_entreprise_token" do - patch :update_jeton, params: { id: procedure.id, procedure: { api_entreprise_token: valid_token } } - expect(procedure.reload.api_entreprise_token).to eq(valid_token) + subject { patch :update_jeton, params: { id: procedure.id, procedure: { api_entreprise_token: token } } } + + before do + allow_any_instance_of(ApiEntreprise::PrivilegesAdapter).to receive(:valid?).and_return(token_is_valid) + subject + end + + context 'when jeton is valid' do + let(:token_is_valid) { true } + + it { expect(flash.alert).to be_nil } + it { expect(flash.notice).to eq('Le jeton a bien été mis à jour') } + it { expect(procedure.reload.api_entreprise_token).to eq(token) } + end + + context 'when jeton is invalid' do + let(:token_is_valid) { false } + + it { expect(flash.alert).to eq("Mise à jour impossible : le jeton n'est pas valide") } + it { expect(flash.notice).to be_nil } + it { expect(procedure.reload.api_entreprise_token).not_to eq(token) } + end + + context 'when jeton is not a jwt' do + let(:token) { "invalid" } + let(:token_is_valid) { true } # just to check jwt format by procedure model + + it { expect(flash.alert).to eq("Mise à jour impossible : le jeton n'est pas valide") } + it { expect(flash.notice).to be_nil } + it { expect(procedure.reload.api_entreprise_token).not_to eq(token) } end end diff --git a/spec/features/france_connect/france_connect_particulier_spec.rb b/spec/features/france_connect/france_connect_particulier_spec.rb index 123a10d7d..37a5171c3 100644 --- a/spec/features/france_connect/france_connect_particulier_spec.rb +++ b/spec/features/france_connect/france_connect_particulier_spec.rb @@ -68,6 +68,10 @@ feature 'France Connect Particulier Connexion' do scenario 'he is redirected to user dossiers page' do expect(page).to have_content('Dossiers') end + + scenario 'the updated_at date is well updated' do + expect(france_connect_information.updated_at).not_to eq(france_connect_information.created_at) + end end end diff --git a/spec/views/instructeur/dossiers/show.html.haml_spec.rb b/spec/views/instructeur/dossiers/show.html.haml_spec.rb index 25072b3e5..7eb30ba0a 100644 --- a/spec/views/instructeur/dossiers/show.html.haml_spec.rb +++ b/spec/views/instructeur/dossiers/show.html.haml_spec.rb @@ -18,4 +18,19 @@ describe 'instructeurs/dossiers/show.html.haml', type: :view do expect(rendered).to have_text('Identité') expect(rendered).to have_text('Demande') end + + context 'when the user is logged in with france connect' do + let(:france_connect_information) { build(:france_connect_information) } + let(:user) { build(:user, france_connect_information: france_connect_information) } + let(:procedure1) { create(:procedure, :with_type_de_champ, for_individual: true) } + let(:dossier) { create(:dossier, procedure: procedure1, user: user) } + + before do + render + end + + it 'fills the individual with the informations from France Connect' do + expect(rendered).to have_text("Le dossier a été déposé par le compte de #{france_connect_information.given_name} #{france_connect_information.family_name}, authentifié par France Connect le #{france_connect_information.updated_at.strftime('%d/%m/%Y')}") + end + end end diff --git a/spec/views/users/dossiers/demande.html.haml_spec.rb b/spec/views/users/dossiers/demande.html.haml_spec.rb index 0a46903d4..4b0859420 100644 --- a/spec/views/users/dossiers/demande.html.haml_spec.rb +++ b/spec/views/users/dossiers/demande.html.haml_spec.rb @@ -33,4 +33,19 @@ describe 'users/dossiers/demande.html.haml', type: :view do it { expect(rendered).not_to have_text('Déposé le') } end + + context 'when the user is logged in with france connect' do + let(:france_connect_information) { build(:france_connect_information) } + let(:user) { build(:user, france_connect_information: france_connect_information) } + let(:procedure1) { create(:procedure, :with_type_de_champ, for_individual: true) } + let(:dossier) { create(:dossier, procedure: procedure1, user: user) } + + before do + render + end + + it 'fills the individual with the informations from France Connect' do + expect(rendered).to have_text("Le dossier a été déposé par le compte de #{france_connect_information.given_name} #{france_connect_information.family_name}, authentifié par France Connect le #{france_connect_information.updated_at.strftime('%d/%m/%Y')}") + end + end end