Revert "Merge pull request #9835 from demarches-simplifiees/update_openid_connect"

This reverts commit 2e59ef97c9, reversing
changes made to d0372ec608.
This commit is contained in:
simon lehericey 2023-12-13 14:09:50 +01:00
parent e17bfcd633
commit f0a28ab1e8
5 changed files with 84 additions and 45 deletions

View file

@ -32,7 +32,6 @@ gem 'discard'
gem 'dotenv-rails', require: 'dotenv/rails-now' # dotenv should always be loaded before rails gem 'dotenv-rails', require: 'dotenv/rails-now' # dotenv should always be loaded before rails
gem 'dry-monads' gem 'dry-monads'
gem 'elastic-apm' gem 'elastic-apm'
gem 'faraday-jwt'
gem 'flipper' gem 'flipper'
gem 'flipper-active_record' gem 'flipper-active_record'
gem 'flipper-ui' gem 'flipper-ui'

View file

@ -116,7 +116,6 @@ GEM
axlsx_styler (1.1.0) axlsx_styler (1.1.0)
activesupport (>= 3.1) activesupport (>= 3.1)
caxlsx (>= 2.0.2) caxlsx (>= 2.0.2)
base64 (0.2.0)
bcrypt (3.1.19) bcrypt (3.1.19)
benchmark-ips (2.12.0) benchmark-ips (2.12.0)
better_html (1.0.16) better_html (1.0.16)
@ -127,7 +126,7 @@ GEM
html_tokenizer (~> 0.0.6) html_tokenizer (~> 0.0.6)
parser (>= 2.4) parser (>= 2.4)
smart_properties smart_properties
bindata (2.4.15) bindata (2.4.10)
bindex (0.8.1) bindex (0.8.1)
bootsnap (1.9.3) bootsnap (1.9.3)
msgpack (~> 1.0) msgpack (~> 1.0)
@ -175,7 +174,7 @@ GEM
css_parser (1.9.0) css_parser (1.9.0)
addressable addressable
daemons (1.3.1) daemons (1.3.1)
date (3.3.4) date (3.3.3)
deep_cloneable (3.2.0) deep_cloneable (3.2.0)
activerecord (>= 3.1.0, < 8) activerecord (>= 3.1.0, < 8)
delayed_cron_job (0.7.4) delayed_cron_job (0.7.4)
@ -238,16 +237,6 @@ GEM
excon (0.102.0) excon (0.102.0)
factory_bot (6.1.0) factory_bot (6.1.0)
activesupport (>= 5.0.0) activesupport (>= 5.0.0)
faraday (2.7.12)
base64
faraday-net_http (>= 2.0, < 3.1)
ruby2_keywords (>= 0.0.4)
faraday-follow_redirects (0.3.0)
faraday (>= 1, < 3)
faraday-jwt (0.1.0)
faraday (~> 2.0)
json-jwt (~> 1.16)
faraday-net_http (3.0.2)
ffi (1.16.3) ffi (1.16.3)
ffi-compiler (1.0.1) ffi-compiler (1.0.1)
ffi (>= 1.0.0) ffi (>= 1.0.0)
@ -336,6 +325,7 @@ GEM
domain_name (~> 0.5) domain_name (~> 0.5)
http-form_data (2.3.0) http-form_data (2.3.0)
http_accept_language (2.1.1) http_accept_language (2.1.1)
httpclient (2.8.3)
i18n (1.14.1) i18n (1.14.1)
concurrent-ruby (~> 1.0) concurrent-ruby (~> 1.0)
i18n-tasks (1.0.9) i18n-tasks (1.0.9)
@ -364,12 +354,10 @@ GEM
railties (>= 4.2.0) railties (>= 4.2.0)
thor (>= 0.14, < 2.0) thor (>= 0.14, < 2.0)
json (2.5.1) json (2.5.1)
json-jwt (1.16.3) json-jwt (1.13.0)
activesupport (>= 4.2) activesupport (>= 4.2)
aes_key_wrap aes_key_wrap
bindata bindata
faraday (~> 2.0)
faraday-follow_redirects
json_schemer (0.2.17) json_schemer (0.2.17)
ecma-re-validator (~> 0.3) ecma-re-validator (~> 0.3)
hana (~> 1.3) hana (~> 1.3)
@ -445,14 +433,14 @@ GEM
multi_json (1.15.0) multi_json (1.15.0)
mustermann (3.0.0) mustermann (3.0.0)
ruby2_keywords (~> 0.0.1) ruby2_keywords (~> 0.0.1)
net-imap (0.4.7) net-imap (0.3.7)
date date
net-protocol net-protocol
net-pop (0.1.2) net-pop (0.1.2)
net-protocol net-protocol
net-protocol (0.2.2) net-protocol (0.2.1)
timeout timeout
net-smtp (0.4.0) net-smtp (0.3.3)
net-protocol net-protocol
netrc (0.11.0) netrc (0.11.0)
nio4r (2.5.9) nio4r (2.5.9)
@ -460,19 +448,16 @@ GEM
mini_portile2 (~> 2.8.2) mini_portile2 (~> 2.8.2)
racc (~> 1.4) racc (~> 1.4)
open4 (1.3.4) open4 (1.3.4)
openid_connect (2.2.0) openid_connect (1.3.0)
activemodel activemodel
attr_required (>= 1.0.0) attr_required (>= 1.0.0)
faraday (~> 2.0) json-jwt (>= 1.5.0)
faraday-follow_redirects rack-oauth2 (>= 1.6.1)
json-jwt (>= 1.16) swd (>= 1.0.0)
net-smtp
rack-oauth2 (~> 2.2)
swd (~> 2.0)
tzinfo tzinfo
validate_email validate_email
validate_url validate_url
webfinger (~> 2.0) webfinger (>= 1.0.1)
orm_adapter (0.5.0) orm_adapter (0.5.0)
parallel (1.23.0) parallel (1.23.0)
parsby (1.1.1) parsby (1.1.1)
@ -506,7 +491,7 @@ GEM
pry (>= 0.13, < 0.15) pry (>= 0.13, < 0.15)
pry-rails (0.3.9) pry-rails (0.3.9)
pry (>= 0.10.4) pry (>= 0.10.4)
public_suffix (5.0.4) public_suffix (5.0.3)
puma (6.3.1) puma (6.3.1)
nio4r (~> 2.0) nio4r (~> 2.0)
pundit (2.2.0) pundit (2.2.0)
@ -518,11 +503,10 @@ GEM
rack (>= 1.0, < 3) rack (>= 1.0, < 3)
rack-mini-profiler (3.0.0) rack-mini-profiler (3.0.0)
rack (>= 1.2.0) rack (>= 1.2.0)
rack-oauth2 (2.2.0) rack-oauth2 (1.19.0)
activesupport activesupport
attr_required attr_required
faraday (~> 2.0) httpclient
faraday-follow_redirects
json-jwt (>= 1.11.0) json-jwt (>= 1.11.0)
rack (>= 2.1.0) rack (>= 2.1.0)
rack-protection (3.0.5) rack-protection (3.0.5)
@ -739,11 +723,10 @@ GEM
stackprof (0.2.21) stackprof (0.2.21)
strong_migrations (0.8.0) strong_migrations (0.8.0)
activerecord (>= 5.2) activerecord (>= 5.2)
swd (2.0.2) swd (1.3.0)
activesupport (>= 3) activesupport (>= 3)
attr_required (>= 0.0.5) attr_required (>= 0.0.5)
faraday (~> 2.0) httpclient (>= 2.4)
faraday-follow_redirects
sysexits (1.2.0) sysexits (1.2.0)
temple (0.8.2) temple (0.8.2)
terminal-table (3.0.2) terminal-table (3.0.2)
@ -752,7 +735,7 @@ GEM
thread_safe (0.3.6) thread_safe (0.3.6)
tilt (2.0.11) tilt (2.0.11)
timecop (0.9.4) timecop (0.9.4)
timeout (0.4.1) timeout (0.4.0)
ttfunk (1.7.0) ttfunk (1.7.0)
turbo-rails (1.3.2) turbo-rails (1.3.2)
actionpack (>= 6.0.0) actionpack (>= 6.0.0)
@ -771,7 +754,7 @@ GEM
validate_email (0.1.6) validate_email (0.1.6)
activemodel (>= 3.0) activemodel (>= 3.0)
mail (>= 2.2.5) mail (>= 2.2.5)
validate_url (1.0.15) validate_url (1.0.13)
activemodel (>= 3.0.0) activemodel (>= 3.0.0)
public_suffix public_suffix
vcr (6.1.0) vcr (6.1.0)
@ -797,10 +780,9 @@ GEM
activemodel (>= 6.0.0) activemodel (>= 6.0.0)
bindex (>= 0.4.0) bindex (>= 0.4.0)
railties (>= 6.0.0) railties (>= 6.0.0)
webfinger (2.1.2) webfinger (1.2.0)
activesupport activesupport
faraday (~> 2.0) httpclient (>= 2.4)
faraday-follow_redirects
webmock (3.11.2) webmock (3.11.2)
addressable (>= 2.3.6) addressable (>= 2.3.6)
crack (>= 0.3.2) crack (>= 0.3.2)
@ -867,7 +849,6 @@ DEPENDENCIES
dry-monads dry-monads
elastic-apm elastic-apm
factory_bot factory_bot
faraday-jwt
flipper flipper
flipper-active_record flipper-active_record
flipper-ui flipper-ui

View file

@ -13,8 +13,8 @@ class AgentConnectService
uri = client.authorization_uri( uri = client.authorization_uri(
scope: [:openid, :email], scope: [:openid, :email],
state:, state: state,
nonce:, nonce: nonce,
acr_values: 'eidas1' acr_values: 'eidas1'
) )

View file

@ -56,6 +56,7 @@ FC_PARTICULIER_BASE_URL=""
AGENT_CONNECT_ID="" AGENT_CONNECT_ID=""
AGENT_CONNECT_SECRET="" AGENT_CONNECT_SECRET=""
AGENT_CONNECT_BASE_URL="" AGENT_CONNECT_BASE_URL=""
AGENT_CONNECT_JWKS=""
AGENT_CONNECT_REDIRECT="" AGENT_CONNECT_REDIRECT=""
# External service: integration with HelpScout (optional) # External service: integration with HelpScout (optional)

View file

@ -1,3 +1,61 @@
OpenIDConnect.http_config do |config| OpenIDConnect.debug!
config.response :jwt OpenIDConnect.logger = Rails.logger
Rack::OAuth2.logger = Rails.logger
# Webfinger.logger = Rails.logger
SWD.logger = Rails.logger
# the openid_connect gem does not support
# jwt format in the userinfo call.
# A PR is open to improve the situation
# https://github.com/nov/openid_connect/pull/54
module OpenIDConnect
class AccessToken < Rack::OAuth2::AccessToken::Bearer
private
def jwk_loader
JSON.parse(URI.parse(ENV['AGENT_CONNECT_JWKS']).read).deep_symbolize_keys
end
def decode_jwt(requested_host, jwt)
agent_connect_host = URI.parse(ENV['AGENT_CONNECT_BASE_URL']).host
if requested_host == agent_connect_host
# rubocop:disable Lint/UselessAssignment
JWT.decode(jwt, key = nil, verify = true, { algorithms: ['ES256'], jwks: jwk_loader })[0]
# rubocop:enable Lint/UselessAssignment
else
raise "unknwon host : #{requested_host}"
end
end
def resource_request
res = yield
case res.status
when 200
hash = case parse_type_and_subtype(res.content_type)
when 'application/jwt'
requested_host = URI.parse(client.userinfo_endpoint).host
decode_jwt(requested_host, res.body)
when 'application/json'
JSON.parse(res.body)
end
hash&.with_indifferent_access
when 400
raise BadRequest.new('API Access Faild', res)
when 401
raise Unauthorized.new('Access Token Invalid or Expired', res)
when 403
raise Forbidden.new('Insufficient Scope', res)
else
raise HttpError.new(res.status, 'Unknown HttpError', res)
end
end
# https://datatracker.ietf.org/doc/html/rfc2045#section-5.1
# - type and subtype are the first member
# they are case insensitive
def parse_type_and_subtype(content_type)
content_type.split(';')[0].strip.downcase
end
end
end end