Merge pull request #5698 from betagouv/feat/5675

feat/5675 - add an api token verification for api entreprise
This commit is contained in:
LeSim 2020-11-09 20:40:18 +01:00 committed by GitHub
commit f0f6fea8c5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 90 additions and 18 deletions

View file

@ -125,12 +125,20 @@ module NewAdministrateur
end end
def update_jeton def update_jeton
if !@procedure.update(procedure_params) token = params[:procedure][:api_entreprise_token]
flash.now.alert = @procedure.errors.full_messages @procedure.api_entreprise_token = token
if @procedure.valid? &&
ApiEntreprise::PrivilegesAdapter.new(token).valid? &&
@procedure.save
redirect_to jeton_admin_procedure_path(procedure_id: params[:procedure_id]),
notice: 'Le jeton a bien été mis à jour'
else else
flash.notice = 'Le jeton a bien été mis à jour'
flash.now.alert = "Mise à jour impossible : le jeton n'est pas valide"
render 'jeton'
end end
render 'jeton'
end end
def publication def publication

View file

@ -8,6 +8,7 @@ class ApiEntreprise::API
ATTESTATION_SOCIALE_RESOURCE_NAME = "attestations_sociales_acoss" ATTESTATION_SOCIALE_RESOURCE_NAME = "attestations_sociales_acoss"
ATTESTATION_FISCALE_RESOURCE_NAME = "attestations_fiscales_dgfip" ATTESTATION_FISCALE_RESOURCE_NAME = "attestations_fiscales_dgfip"
BILANS_BDF_RESOURCE_NAME = "bilans_entreprises_bdf" BILANS_BDF_RESOURCE_NAME = "bilans_entreprises_bdf"
PRIVILEGES_RESOURCE_NAME = "privileges"
TIMEOUT = 15 TIMEOUT = 15
@ -24,48 +25,64 @@ class ApiEntreprise::API
end end
def self.entreprise(siren, procedure_id) def self.entreprise(siren, procedure_id)
call(ENTREPRISE_RESOURCE_NAME, siren, procedure_id) call_with_siret(ENTREPRISE_RESOURCE_NAME, siren, procedure_id)
end end
def self.etablissement(siret, procedure_id) def self.etablissement(siret, procedure_id)
call(ETABLISSEMENT_RESOURCE_NAME, siret, procedure_id) call_with_siret(ETABLISSEMENT_RESOURCE_NAME, siret, procedure_id)
end end
def self.exercices(siret, procedure_id) def self.exercices(siret, procedure_id)
call(EXERCICES_RESOURCE_NAME, siret, procedure_id) call_with_siret(EXERCICES_RESOURCE_NAME, siret, procedure_id)
end end
def self.rna(siret, procedure_id) def self.rna(siret, procedure_id)
call(RNA_RESOURCE_NAME, siret, procedure_id) call_with_siret(RNA_RESOURCE_NAME, siret, procedure_id)
end end
def self.effectifs(siren, procedure_id, annee, mois) def self.effectifs(siren, procedure_id, annee, mois)
endpoint = [EFFECTIFS_RESOURCE_NAME, annee, mois, "entreprise"].join('/') endpoint = [EFFECTIFS_RESOURCE_NAME, annee, mois, "entreprise"].join('/')
call(endpoint, siren, procedure_id) call_with_siret(endpoint, siren, procedure_id)
end end
def self.effectifs_annuels(siren, procedure_id) def self.effectifs_annuels(siren, procedure_id)
call(EFFECTIFS_ANNUELS_RESOURCE_NAME, siren, procedure_id) call_with_siret(EFFECTIFS_ANNUELS_RESOURCE_NAME, siren, procedure_id)
end end
def self.attestation_sociale(siren, procedure_id) def self.attestation_sociale(siren, procedure_id)
procedure = Procedure.find(procedure_id) procedure = Procedure.find(procedure_id)
call(ATTESTATION_SOCIALE_RESOURCE_NAME, siren, procedure_id) if procedure.api_entreprise_role?("attestations_sociales") call_with_siret(ATTESTATION_SOCIALE_RESOURCE_NAME, siren, procedure_id) if procedure.api_entreprise_role?("attestations_sociales")
end end
def self.attestation_fiscale(siren, procedure_id, user_id) def self.attestation_fiscale(siren, procedure_id, user_id)
procedure = Procedure.find(procedure_id) procedure = Procedure.find(procedure_id)
call(ATTESTATION_FISCALE_RESOURCE_NAME, siren, procedure_id, user_id) if procedure.api_entreprise_role?("attestations_fiscales") call_with_siret(ATTESTATION_FISCALE_RESOURCE_NAME, siren, procedure_id, user_id) if procedure.api_entreprise_role?("attestations_fiscales")
end end
def self.bilans_bdf(siren, procedure_id) def self.bilans_bdf(siren, procedure_id)
procedure = Procedure.find(procedure_id) procedure = Procedure.find(procedure_id)
call(BILANS_BDF_RESOURCE_NAME, siren, procedure_id) if procedure.api_entreprise_role?("bilans_entreprise_bdf") call_with_siret(BILANS_BDF_RESOURCE_NAME, siren, procedure_id) if procedure.api_entreprise_role?("bilans_entreprise_bdf")
end
def self.privileges(token)
call_with_token(PRIVILEGES_RESOURCE_NAME, token)
end end
private private
def self.call(resource_name, siret_or_siren, procedure_id, user_id = nil) def self.call_with_token(resource_name, token)
url = "#{API_ENTREPRISE_URL}/privileges?token=#{token}"
response = Typhoeus.get(url,
timeout: TIMEOUT)
if response.success?
JSON.parse(response.body, symbolize_names: true)
else
raise RequestFailed, "HTTP Error Code: #{response.code} for #{url}\nheaders: #{response.headers}\nbody: #{response.body}"
end
end
def self.call_with_siret(resource_name, siret_or_siren, procedure_id, user_id = nil)
return if ApiEntrepriseToken.new(token_for_procedure(procedure_id)).expired? return if ApiEntrepriseToken.new(token_for_procedure(procedure_id)).expired?
url = url(resource_name, siret_or_siren) url = url(resource_name, siret_or_siren)
params = params(siret_or_siren, procedure_id, user_id) params = params(siret_or_siren, procedure_id, user_id)

View file

@ -0,0 +1,20 @@
class ApiEntreprise::PrivilegesAdapter < ApiEntreprise::Adapter
def initialize(token)
@token = token
end
def valid?
begin
get_resource
true
rescue
false
end
end
private
def get_resource
ApiEntreprise::API.privileges(@token)
end
end

View file

@ -333,11 +333,38 @@ describe NewAdministrateur::ProceduresController, type: :controller do
describe 'PATCH #jeton' do describe 'PATCH #jeton' do
let(:procedure) { create(:procedure, administrateur: admin) } let(:procedure) { create(:procedure, administrateur: admin) }
let(:valid_token) { "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" } let(:token) { "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" }
it "update api_entreprise_token" do subject { patch :update_jeton, params: { id: procedure.id, procedure: { api_entreprise_token: token } } }
patch :update_jeton, params: { id: procedure.id, procedure: { api_entreprise_token: valid_token } }
expect(procedure.reload.api_entreprise_token).to eq(valid_token) before do
allow_any_instance_of(ApiEntreprise::PrivilegesAdapter).to receive(:valid?).and_return(token_is_valid)
subject
end
context 'when jeton is valid' do
let(:token_is_valid) { true }
it { expect(flash.alert).to be_nil }
it { expect(flash.notice).to eq('Le jeton a bien été mis à jour') }
it { expect(procedure.reload.api_entreprise_token).to eq(token) }
end
context 'when jeton is invalid' do
let(:token_is_valid) { false }
it { expect(flash.alert).to eq("Mise à jour impossible : le jeton n'est pas valide") }
it { expect(flash.notice).to be_nil }
it { expect(procedure.reload.api_entreprise_token).not_to eq(token) }
end
context 'when jeton is not a jwt' do
let(:token) { "invalid" }
let(:token_is_valid) { true } # just to check jwt format by procedure model
it { expect(flash.alert).to eq("Mise à jour impossible : le jeton n'est pas valide") }
it { expect(flash.notice).to be_nil }
it { expect(procedure.reload.api_entreprise_token).not_to eq(token) }
end end
end end