Revert "Merge pull request #9835 from demarches-simplifiees/update_openid_connect"
This reverts commit2e59ef97c9
, reversing changes made tod0372ec608
.
This commit is contained in:
parent
e17bfcd633
commit
f0a28ab1e8
5 changed files with 84 additions and 45 deletions
1
Gemfile
1
Gemfile
|
@ -32,7 +32,6 @@ gem 'discard'
|
||||||
gem 'dotenv-rails', require: 'dotenv/rails-now' # dotenv should always be loaded before rails
|
gem 'dotenv-rails', require: 'dotenv/rails-now' # dotenv should always be loaded before rails
|
||||||
gem 'dry-monads'
|
gem 'dry-monads'
|
||||||
gem 'elastic-apm'
|
gem 'elastic-apm'
|
||||||
gem 'faraday-jwt'
|
|
||||||
gem 'flipper'
|
gem 'flipper'
|
||||||
gem 'flipper-active_record'
|
gem 'flipper-active_record'
|
||||||
gem 'flipper-ui'
|
gem 'flipper-ui'
|
||||||
|
|
61
Gemfile.lock
61
Gemfile.lock
|
@ -116,7 +116,6 @@ GEM
|
||||||
axlsx_styler (1.1.0)
|
axlsx_styler (1.1.0)
|
||||||
activesupport (>= 3.1)
|
activesupport (>= 3.1)
|
||||||
caxlsx (>= 2.0.2)
|
caxlsx (>= 2.0.2)
|
||||||
base64 (0.2.0)
|
|
||||||
bcrypt (3.1.19)
|
bcrypt (3.1.19)
|
||||||
benchmark-ips (2.12.0)
|
benchmark-ips (2.12.0)
|
||||||
better_html (1.0.16)
|
better_html (1.0.16)
|
||||||
|
@ -127,7 +126,7 @@ GEM
|
||||||
html_tokenizer (~> 0.0.6)
|
html_tokenizer (~> 0.0.6)
|
||||||
parser (>= 2.4)
|
parser (>= 2.4)
|
||||||
smart_properties
|
smart_properties
|
||||||
bindata (2.4.15)
|
bindata (2.4.10)
|
||||||
bindex (0.8.1)
|
bindex (0.8.1)
|
||||||
bootsnap (1.9.3)
|
bootsnap (1.9.3)
|
||||||
msgpack (~> 1.0)
|
msgpack (~> 1.0)
|
||||||
|
@ -175,7 +174,7 @@ GEM
|
||||||
css_parser (1.9.0)
|
css_parser (1.9.0)
|
||||||
addressable
|
addressable
|
||||||
daemons (1.3.1)
|
daemons (1.3.1)
|
||||||
date (3.3.4)
|
date (3.3.3)
|
||||||
deep_cloneable (3.2.0)
|
deep_cloneable (3.2.0)
|
||||||
activerecord (>= 3.1.0, < 8)
|
activerecord (>= 3.1.0, < 8)
|
||||||
delayed_cron_job (0.7.4)
|
delayed_cron_job (0.7.4)
|
||||||
|
@ -238,16 +237,6 @@ GEM
|
||||||
excon (0.102.0)
|
excon (0.102.0)
|
||||||
factory_bot (6.1.0)
|
factory_bot (6.1.0)
|
||||||
activesupport (>= 5.0.0)
|
activesupport (>= 5.0.0)
|
||||||
faraday (2.7.12)
|
|
||||||
base64
|
|
||||||
faraday-net_http (>= 2.0, < 3.1)
|
|
||||||
ruby2_keywords (>= 0.0.4)
|
|
||||||
faraday-follow_redirects (0.3.0)
|
|
||||||
faraday (>= 1, < 3)
|
|
||||||
faraday-jwt (0.1.0)
|
|
||||||
faraday (~> 2.0)
|
|
||||||
json-jwt (~> 1.16)
|
|
||||||
faraday-net_http (3.0.2)
|
|
||||||
ffi (1.16.3)
|
ffi (1.16.3)
|
||||||
ffi-compiler (1.0.1)
|
ffi-compiler (1.0.1)
|
||||||
ffi (>= 1.0.0)
|
ffi (>= 1.0.0)
|
||||||
|
@ -336,6 +325,7 @@ GEM
|
||||||
domain_name (~> 0.5)
|
domain_name (~> 0.5)
|
||||||
http-form_data (2.3.0)
|
http-form_data (2.3.0)
|
||||||
http_accept_language (2.1.1)
|
http_accept_language (2.1.1)
|
||||||
|
httpclient (2.8.3)
|
||||||
i18n (1.14.1)
|
i18n (1.14.1)
|
||||||
concurrent-ruby (~> 1.0)
|
concurrent-ruby (~> 1.0)
|
||||||
i18n-tasks (1.0.9)
|
i18n-tasks (1.0.9)
|
||||||
|
@ -364,12 +354,10 @@ GEM
|
||||||
railties (>= 4.2.0)
|
railties (>= 4.2.0)
|
||||||
thor (>= 0.14, < 2.0)
|
thor (>= 0.14, < 2.0)
|
||||||
json (2.5.1)
|
json (2.5.1)
|
||||||
json-jwt (1.16.3)
|
json-jwt (1.13.0)
|
||||||
activesupport (>= 4.2)
|
activesupport (>= 4.2)
|
||||||
aes_key_wrap
|
aes_key_wrap
|
||||||
bindata
|
bindata
|
||||||
faraday (~> 2.0)
|
|
||||||
faraday-follow_redirects
|
|
||||||
json_schemer (0.2.17)
|
json_schemer (0.2.17)
|
||||||
ecma-re-validator (~> 0.3)
|
ecma-re-validator (~> 0.3)
|
||||||
hana (~> 1.3)
|
hana (~> 1.3)
|
||||||
|
@ -445,14 +433,14 @@ GEM
|
||||||
multi_json (1.15.0)
|
multi_json (1.15.0)
|
||||||
mustermann (3.0.0)
|
mustermann (3.0.0)
|
||||||
ruby2_keywords (~> 0.0.1)
|
ruby2_keywords (~> 0.0.1)
|
||||||
net-imap (0.4.7)
|
net-imap (0.3.7)
|
||||||
date
|
date
|
||||||
net-protocol
|
net-protocol
|
||||||
net-pop (0.1.2)
|
net-pop (0.1.2)
|
||||||
net-protocol
|
net-protocol
|
||||||
net-protocol (0.2.2)
|
net-protocol (0.2.1)
|
||||||
timeout
|
timeout
|
||||||
net-smtp (0.4.0)
|
net-smtp (0.3.3)
|
||||||
net-protocol
|
net-protocol
|
||||||
netrc (0.11.0)
|
netrc (0.11.0)
|
||||||
nio4r (2.5.9)
|
nio4r (2.5.9)
|
||||||
|
@ -460,19 +448,16 @@ GEM
|
||||||
mini_portile2 (~> 2.8.2)
|
mini_portile2 (~> 2.8.2)
|
||||||
racc (~> 1.4)
|
racc (~> 1.4)
|
||||||
open4 (1.3.4)
|
open4 (1.3.4)
|
||||||
openid_connect (2.2.0)
|
openid_connect (1.3.0)
|
||||||
activemodel
|
activemodel
|
||||||
attr_required (>= 1.0.0)
|
attr_required (>= 1.0.0)
|
||||||
faraday (~> 2.0)
|
json-jwt (>= 1.5.0)
|
||||||
faraday-follow_redirects
|
rack-oauth2 (>= 1.6.1)
|
||||||
json-jwt (>= 1.16)
|
swd (>= 1.0.0)
|
||||||
net-smtp
|
|
||||||
rack-oauth2 (~> 2.2)
|
|
||||||
swd (~> 2.0)
|
|
||||||
tzinfo
|
tzinfo
|
||||||
validate_email
|
validate_email
|
||||||
validate_url
|
validate_url
|
||||||
webfinger (~> 2.0)
|
webfinger (>= 1.0.1)
|
||||||
orm_adapter (0.5.0)
|
orm_adapter (0.5.0)
|
||||||
parallel (1.23.0)
|
parallel (1.23.0)
|
||||||
parsby (1.1.1)
|
parsby (1.1.1)
|
||||||
|
@ -506,7 +491,7 @@ GEM
|
||||||
pry (>= 0.13, < 0.15)
|
pry (>= 0.13, < 0.15)
|
||||||
pry-rails (0.3.9)
|
pry-rails (0.3.9)
|
||||||
pry (>= 0.10.4)
|
pry (>= 0.10.4)
|
||||||
public_suffix (5.0.4)
|
public_suffix (5.0.3)
|
||||||
puma (6.3.1)
|
puma (6.3.1)
|
||||||
nio4r (~> 2.0)
|
nio4r (~> 2.0)
|
||||||
pundit (2.2.0)
|
pundit (2.2.0)
|
||||||
|
@ -518,11 +503,10 @@ GEM
|
||||||
rack (>= 1.0, < 3)
|
rack (>= 1.0, < 3)
|
||||||
rack-mini-profiler (3.0.0)
|
rack-mini-profiler (3.0.0)
|
||||||
rack (>= 1.2.0)
|
rack (>= 1.2.0)
|
||||||
rack-oauth2 (2.2.0)
|
rack-oauth2 (1.19.0)
|
||||||
activesupport
|
activesupport
|
||||||
attr_required
|
attr_required
|
||||||
faraday (~> 2.0)
|
httpclient
|
||||||
faraday-follow_redirects
|
|
||||||
json-jwt (>= 1.11.0)
|
json-jwt (>= 1.11.0)
|
||||||
rack (>= 2.1.0)
|
rack (>= 2.1.0)
|
||||||
rack-protection (3.0.5)
|
rack-protection (3.0.5)
|
||||||
|
@ -739,11 +723,10 @@ GEM
|
||||||
stackprof (0.2.21)
|
stackprof (0.2.21)
|
||||||
strong_migrations (0.8.0)
|
strong_migrations (0.8.0)
|
||||||
activerecord (>= 5.2)
|
activerecord (>= 5.2)
|
||||||
swd (2.0.2)
|
swd (1.3.0)
|
||||||
activesupport (>= 3)
|
activesupport (>= 3)
|
||||||
attr_required (>= 0.0.5)
|
attr_required (>= 0.0.5)
|
||||||
faraday (~> 2.0)
|
httpclient (>= 2.4)
|
||||||
faraday-follow_redirects
|
|
||||||
sysexits (1.2.0)
|
sysexits (1.2.0)
|
||||||
temple (0.8.2)
|
temple (0.8.2)
|
||||||
terminal-table (3.0.2)
|
terminal-table (3.0.2)
|
||||||
|
@ -752,7 +735,7 @@ GEM
|
||||||
thread_safe (0.3.6)
|
thread_safe (0.3.6)
|
||||||
tilt (2.0.11)
|
tilt (2.0.11)
|
||||||
timecop (0.9.4)
|
timecop (0.9.4)
|
||||||
timeout (0.4.1)
|
timeout (0.4.0)
|
||||||
ttfunk (1.7.0)
|
ttfunk (1.7.0)
|
||||||
turbo-rails (1.3.2)
|
turbo-rails (1.3.2)
|
||||||
actionpack (>= 6.0.0)
|
actionpack (>= 6.0.0)
|
||||||
|
@ -771,7 +754,7 @@ GEM
|
||||||
validate_email (0.1.6)
|
validate_email (0.1.6)
|
||||||
activemodel (>= 3.0)
|
activemodel (>= 3.0)
|
||||||
mail (>= 2.2.5)
|
mail (>= 2.2.5)
|
||||||
validate_url (1.0.15)
|
validate_url (1.0.13)
|
||||||
activemodel (>= 3.0.0)
|
activemodel (>= 3.0.0)
|
||||||
public_suffix
|
public_suffix
|
||||||
vcr (6.1.0)
|
vcr (6.1.0)
|
||||||
|
@ -797,10 +780,9 @@ GEM
|
||||||
activemodel (>= 6.0.0)
|
activemodel (>= 6.0.0)
|
||||||
bindex (>= 0.4.0)
|
bindex (>= 0.4.0)
|
||||||
railties (>= 6.0.0)
|
railties (>= 6.0.0)
|
||||||
webfinger (2.1.2)
|
webfinger (1.2.0)
|
||||||
activesupport
|
activesupport
|
||||||
faraday (~> 2.0)
|
httpclient (>= 2.4)
|
||||||
faraday-follow_redirects
|
|
||||||
webmock (3.11.2)
|
webmock (3.11.2)
|
||||||
addressable (>= 2.3.6)
|
addressable (>= 2.3.6)
|
||||||
crack (>= 0.3.2)
|
crack (>= 0.3.2)
|
||||||
|
@ -867,7 +849,6 @@ DEPENDENCIES
|
||||||
dry-monads
|
dry-monads
|
||||||
elastic-apm
|
elastic-apm
|
||||||
factory_bot
|
factory_bot
|
||||||
faraday-jwt
|
|
||||||
flipper
|
flipper
|
||||||
flipper-active_record
|
flipper-active_record
|
||||||
flipper-ui
|
flipper-ui
|
||||||
|
|
|
@ -13,8 +13,8 @@ class AgentConnectService
|
||||||
|
|
||||||
uri = client.authorization_uri(
|
uri = client.authorization_uri(
|
||||||
scope: [:openid, :email],
|
scope: [:openid, :email],
|
||||||
state:,
|
state: state,
|
||||||
nonce:,
|
nonce: nonce,
|
||||||
acr_values: 'eidas1'
|
acr_values: 'eidas1'
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
@ -56,6 +56,7 @@ FC_PARTICULIER_BASE_URL=""
|
||||||
AGENT_CONNECT_ID=""
|
AGENT_CONNECT_ID=""
|
||||||
AGENT_CONNECT_SECRET=""
|
AGENT_CONNECT_SECRET=""
|
||||||
AGENT_CONNECT_BASE_URL=""
|
AGENT_CONNECT_BASE_URL=""
|
||||||
|
AGENT_CONNECT_JWKS=""
|
||||||
AGENT_CONNECT_REDIRECT=""
|
AGENT_CONNECT_REDIRECT=""
|
||||||
|
|
||||||
# External service: integration with HelpScout (optional)
|
# External service: integration with HelpScout (optional)
|
||||||
|
|
|
@ -1,3 +1,61 @@
|
||||||
OpenIDConnect.http_config do |config|
|
OpenIDConnect.debug!
|
||||||
config.response :jwt
|
OpenIDConnect.logger = Rails.logger
|
||||||
|
Rack::OAuth2.logger = Rails.logger
|
||||||
|
# Webfinger.logger = Rails.logger
|
||||||
|
SWD.logger = Rails.logger
|
||||||
|
|
||||||
|
# the openid_connect gem does not support
|
||||||
|
# jwt format in the userinfo call.
|
||||||
|
# A PR is open to improve the situation
|
||||||
|
# https://github.com/nov/openid_connect/pull/54
|
||||||
|
module OpenIDConnect
|
||||||
|
class AccessToken < Rack::OAuth2::AccessToken::Bearer
|
||||||
|
private
|
||||||
|
|
||||||
|
def jwk_loader
|
||||||
|
JSON.parse(URI.parse(ENV['AGENT_CONNECT_JWKS']).read).deep_symbolize_keys
|
||||||
|
end
|
||||||
|
|
||||||
|
def decode_jwt(requested_host, jwt)
|
||||||
|
agent_connect_host = URI.parse(ENV['AGENT_CONNECT_BASE_URL']).host
|
||||||
|
|
||||||
|
if requested_host == agent_connect_host
|
||||||
|
# rubocop:disable Lint/UselessAssignment
|
||||||
|
JWT.decode(jwt, key = nil, verify = true, { algorithms: ['ES256'], jwks: jwk_loader })[0]
|
||||||
|
# rubocop:enable Lint/UselessAssignment
|
||||||
|
else
|
||||||
|
raise "unknwon host : #{requested_host}"
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def resource_request
|
||||||
|
res = yield
|
||||||
|
case res.status
|
||||||
|
when 200
|
||||||
|
hash = case parse_type_and_subtype(res.content_type)
|
||||||
|
when 'application/jwt'
|
||||||
|
requested_host = URI.parse(client.userinfo_endpoint).host
|
||||||
|
decode_jwt(requested_host, res.body)
|
||||||
|
when 'application/json'
|
||||||
|
JSON.parse(res.body)
|
||||||
|
end
|
||||||
|
hash&.with_indifferent_access
|
||||||
|
when 400
|
||||||
|
raise BadRequest.new('API Access Faild', res)
|
||||||
|
when 401
|
||||||
|
raise Unauthorized.new('Access Token Invalid or Expired', res)
|
||||||
|
when 403
|
||||||
|
raise Forbidden.new('Insufficient Scope', res)
|
||||||
|
else
|
||||||
|
raise HttpError.new(res.status, 'Unknown HttpError', res)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
# https://datatracker.ietf.org/doc/html/rfc2045#section-5.1
|
||||||
|
# - type and subtype are the first member
|
||||||
|
# they are case insensitive
|
||||||
|
def parse_type_and_subtype(content_type)
|
||||||
|
content_type.split(';')[0].strip.downcase
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in a new issue