Merge pull request #5698 from betagouv/feat/5675
feat/5675 - add an api token verification for api entreprise
This commit is contained in:
commit
f0f6fea8c5
4 changed files with 90 additions and 18 deletions
|
@ -125,12 +125,20 @@ module NewAdministrateur
|
||||||
end
|
end
|
||||||
|
|
||||||
def update_jeton
|
def update_jeton
|
||||||
if !@procedure.update(procedure_params)
|
token = params[:procedure][:api_entreprise_token]
|
||||||
flash.now.alert = @procedure.errors.full_messages
|
@procedure.api_entreprise_token = token
|
||||||
|
|
||||||
|
if @procedure.valid? &&
|
||||||
|
ApiEntreprise::PrivilegesAdapter.new(token).valid? &&
|
||||||
|
@procedure.save
|
||||||
|
|
||||||
|
redirect_to jeton_admin_procedure_path(procedure_id: params[:procedure_id]),
|
||||||
|
notice: 'Le jeton a bien été mis à jour'
|
||||||
else
|
else
|
||||||
flash.notice = 'Le jeton a bien été mis à jour'
|
|
||||||
|
flash.now.alert = "Mise à jour impossible : le jeton n'est pas valide"
|
||||||
|
render 'jeton'
|
||||||
end
|
end
|
||||||
render 'jeton'
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def publication
|
def publication
|
||||||
|
|
|
@ -8,6 +8,7 @@ class ApiEntreprise::API
|
||||||
ATTESTATION_SOCIALE_RESOURCE_NAME = "attestations_sociales_acoss"
|
ATTESTATION_SOCIALE_RESOURCE_NAME = "attestations_sociales_acoss"
|
||||||
ATTESTATION_FISCALE_RESOURCE_NAME = "attestations_fiscales_dgfip"
|
ATTESTATION_FISCALE_RESOURCE_NAME = "attestations_fiscales_dgfip"
|
||||||
BILANS_BDF_RESOURCE_NAME = "bilans_entreprises_bdf"
|
BILANS_BDF_RESOURCE_NAME = "bilans_entreprises_bdf"
|
||||||
|
PRIVILEGES_RESOURCE_NAME = "privileges"
|
||||||
|
|
||||||
TIMEOUT = 15
|
TIMEOUT = 15
|
||||||
|
|
||||||
|
@ -24,48 +25,64 @@ class ApiEntreprise::API
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.entreprise(siren, procedure_id)
|
def self.entreprise(siren, procedure_id)
|
||||||
call(ENTREPRISE_RESOURCE_NAME, siren, procedure_id)
|
call_with_siret(ENTREPRISE_RESOURCE_NAME, siren, procedure_id)
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.etablissement(siret, procedure_id)
|
def self.etablissement(siret, procedure_id)
|
||||||
call(ETABLISSEMENT_RESOURCE_NAME, siret, procedure_id)
|
call_with_siret(ETABLISSEMENT_RESOURCE_NAME, siret, procedure_id)
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.exercices(siret, procedure_id)
|
def self.exercices(siret, procedure_id)
|
||||||
call(EXERCICES_RESOURCE_NAME, siret, procedure_id)
|
call_with_siret(EXERCICES_RESOURCE_NAME, siret, procedure_id)
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.rna(siret, procedure_id)
|
def self.rna(siret, procedure_id)
|
||||||
call(RNA_RESOURCE_NAME, siret, procedure_id)
|
call_with_siret(RNA_RESOURCE_NAME, siret, procedure_id)
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.effectifs(siren, procedure_id, annee, mois)
|
def self.effectifs(siren, procedure_id, annee, mois)
|
||||||
endpoint = [EFFECTIFS_RESOURCE_NAME, annee, mois, "entreprise"].join('/')
|
endpoint = [EFFECTIFS_RESOURCE_NAME, annee, mois, "entreprise"].join('/')
|
||||||
call(endpoint, siren, procedure_id)
|
call_with_siret(endpoint, siren, procedure_id)
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.effectifs_annuels(siren, procedure_id)
|
def self.effectifs_annuels(siren, procedure_id)
|
||||||
call(EFFECTIFS_ANNUELS_RESOURCE_NAME, siren, procedure_id)
|
call_with_siret(EFFECTIFS_ANNUELS_RESOURCE_NAME, siren, procedure_id)
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.attestation_sociale(siren, procedure_id)
|
def self.attestation_sociale(siren, procedure_id)
|
||||||
procedure = Procedure.find(procedure_id)
|
procedure = Procedure.find(procedure_id)
|
||||||
call(ATTESTATION_SOCIALE_RESOURCE_NAME, siren, procedure_id) if procedure.api_entreprise_role?("attestations_sociales")
|
call_with_siret(ATTESTATION_SOCIALE_RESOURCE_NAME, siren, procedure_id) if procedure.api_entreprise_role?("attestations_sociales")
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.attestation_fiscale(siren, procedure_id, user_id)
|
def self.attestation_fiscale(siren, procedure_id, user_id)
|
||||||
procedure = Procedure.find(procedure_id)
|
procedure = Procedure.find(procedure_id)
|
||||||
call(ATTESTATION_FISCALE_RESOURCE_NAME, siren, procedure_id, user_id) if procedure.api_entreprise_role?("attestations_fiscales")
|
call_with_siret(ATTESTATION_FISCALE_RESOURCE_NAME, siren, procedure_id, user_id) if procedure.api_entreprise_role?("attestations_fiscales")
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.bilans_bdf(siren, procedure_id)
|
def self.bilans_bdf(siren, procedure_id)
|
||||||
procedure = Procedure.find(procedure_id)
|
procedure = Procedure.find(procedure_id)
|
||||||
call(BILANS_BDF_RESOURCE_NAME, siren, procedure_id) if procedure.api_entreprise_role?("bilans_entreprise_bdf")
|
call_with_siret(BILANS_BDF_RESOURCE_NAME, siren, procedure_id) if procedure.api_entreprise_role?("bilans_entreprise_bdf")
|
||||||
|
end
|
||||||
|
|
||||||
|
def self.privileges(token)
|
||||||
|
call_with_token(PRIVILEGES_RESOURCE_NAME, token)
|
||||||
end
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
def self.call(resource_name, siret_or_siren, procedure_id, user_id = nil)
|
def self.call_with_token(resource_name, token)
|
||||||
|
url = "#{API_ENTREPRISE_URL}/privileges?token=#{token}"
|
||||||
|
response = Typhoeus.get(url,
|
||||||
|
timeout: TIMEOUT)
|
||||||
|
|
||||||
|
if response.success?
|
||||||
|
JSON.parse(response.body, symbolize_names: true)
|
||||||
|
else
|
||||||
|
raise RequestFailed, "HTTP Error Code: #{response.code} for #{url}\nheaders: #{response.headers}\nbody: #{response.body}"
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def self.call_with_siret(resource_name, siret_or_siren, procedure_id, user_id = nil)
|
||||||
return if ApiEntrepriseToken.new(token_for_procedure(procedure_id)).expired?
|
return if ApiEntrepriseToken.new(token_for_procedure(procedure_id)).expired?
|
||||||
url = url(resource_name, siret_or_siren)
|
url = url(resource_name, siret_or_siren)
|
||||||
params = params(siret_or_siren, procedure_id, user_id)
|
params = params(siret_or_siren, procedure_id, user_id)
|
||||||
|
|
20
app/lib/api_entreprise/privileges_adapter.rb
Normal file
20
app/lib/api_entreprise/privileges_adapter.rb
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
class ApiEntreprise::PrivilegesAdapter < ApiEntreprise::Adapter
|
||||||
|
def initialize(token)
|
||||||
|
@token = token
|
||||||
|
end
|
||||||
|
|
||||||
|
def valid?
|
||||||
|
begin
|
||||||
|
get_resource
|
||||||
|
true
|
||||||
|
rescue
|
||||||
|
false
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
private
|
||||||
|
|
||||||
|
def get_resource
|
||||||
|
ApiEntreprise::API.privileges(@token)
|
||||||
|
end
|
||||||
|
end
|
|
@ -333,11 +333,38 @@ describe NewAdministrateur::ProceduresController, type: :controller do
|
||||||
|
|
||||||
describe 'PATCH #jeton' do
|
describe 'PATCH #jeton' do
|
||||||
let(:procedure) { create(:procedure, administrateur: admin) }
|
let(:procedure) { create(:procedure, administrateur: admin) }
|
||||||
let(:valid_token) { "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" }
|
let(:token) { "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" }
|
||||||
|
|
||||||
it "update api_entreprise_token" do
|
subject { patch :update_jeton, params: { id: procedure.id, procedure: { api_entreprise_token: token } } }
|
||||||
patch :update_jeton, params: { id: procedure.id, procedure: { api_entreprise_token: valid_token } }
|
|
||||||
expect(procedure.reload.api_entreprise_token).to eq(valid_token)
|
before do
|
||||||
|
allow_any_instance_of(ApiEntreprise::PrivilegesAdapter).to receive(:valid?).and_return(token_is_valid)
|
||||||
|
subject
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when jeton is valid' do
|
||||||
|
let(:token_is_valid) { true }
|
||||||
|
|
||||||
|
it { expect(flash.alert).to be_nil }
|
||||||
|
it { expect(flash.notice).to eq('Le jeton a bien été mis à jour') }
|
||||||
|
it { expect(procedure.reload.api_entreprise_token).to eq(token) }
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when jeton is invalid' do
|
||||||
|
let(:token_is_valid) { false }
|
||||||
|
|
||||||
|
it { expect(flash.alert).to eq("Mise à jour impossible : le jeton n'est pas valide") }
|
||||||
|
it { expect(flash.notice).to be_nil }
|
||||||
|
it { expect(procedure.reload.api_entreprise_token).not_to eq(token) }
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when jeton is not a jwt' do
|
||||||
|
let(:token) { "invalid" }
|
||||||
|
let(:token_is_valid) { true } # just to check jwt format by procedure model
|
||||||
|
|
||||||
|
it { expect(flash.alert).to eq("Mise à jour impossible : le jeton n'est pas valide") }
|
||||||
|
it { expect(flash.notice).to be_nil }
|
||||||
|
it { expect(procedure.reload.api_entreprise_token).not_to eq(token) }
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue