betagouv · tnicolas1 · Feb 3, 2025 · Feb 4, 2025 · Feb 5, 2025 · Feb 5, 2025
diff --git a/.env.local b/.env.local
@@ -1,3 +1,9 @@
+APLYPRO_ACADEMIC_OIDC_CLIENT_ID=academic client id
+APLYPRO_ACADEMIC_OIDC_CLIENT_SECRET=academic client secret
+APLYPRO_ACADEMIC_OIDC_HOST=localhost:1080
+APLYPRO_ACADEMIC_OIDC_ISSUER=localhost:3001/realms/aplypro-academic
+APLYPRO_ACADEMIC_OIDC_REDIRECT_URI=http://localhost:3000/auth/academic/callback
+APLYPRO_ACADEMIC_OIDC_SCOPE=openid
 APLYPRO_ASP_FILENAME=aplypro_test_dev
 APLYPRO_ASP_FTP_DROP_FOLDER=depot
 APLYPRO_ASP_FTP_HOST=asp-mock

diff --git a/.github/workflows/test.env b/.github/workflows/test.env
@@ -1,3 +1,9 @@
+APLYPRO_ACADEMIC_OIDC_CLIENT_ID=academic client id
+APLYPRO_ACADEMIC_OIDC_CLIENT_SECRET=academic client secret
+APLYPRO_ACADEMIC_OIDC_HOST=academic ci oidc host
+APLYPRO_ACADEMIC_OIDC_ISSUER=academic ci issuer
+APLYPRO_ACADEMIC_OIDC_REDIRECT_URI=academic ci redirect uri
+APLYPRO_ACADEMIC_OIDC_SCOPE=academic ci scope
 APLYPRO_ASP_FILENAME=aplypro_test_ci
 APLYPRO_ASP_FTP_DROP_FOLDER=ci depot
 APLYPRO_ASP_FTP_HOST=ci-asp-mock

diff --git a/app/controllers/academic/application_controller.rb b/app/controllers/academic/application_controller.rb
@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module Academic
+  class ApplicationController < ActionController::Base
+    include UserLogger
+    include PageTitle
+
+    layout "application"
+
+    before_action :authenticate_academic_user!, except: :login
+    before_action :log_user,
+                  :set_overrides,
+                  :infer_page_title
+
+    helper_method :current_user, :current_establishment
+
+    def home; end
+
+    def login; end
+
+    def logout
+      sign_out(current_academic_user)
+
+      redirect_to after_sign_out_path_for(:academic_user)
+    end
+
+    protected
+
+    def after_sign_out_path_for(_resource)
+      new_academic_user_session_path
+    end
+
+    def current_user
+      current_academic_user
+    end
+
+    def current_establishment
+      nil
+    end
+
+    def set_overrides
+      @inhibit_nav = true
+      @logout_path = :destroy_academic_user_session
+    end
+  end
+end
diff --git a/app/controllers/academic/users_controller.rb b/app/controllers/academic/users_controller.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Academic
+  class UsersController < ApplicationController
+    before_action :infer_page_title
+
+    def select_academy
+      @academic_user = current_user
+    end
+  end
+end
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -7,6 +7,7 @@ class ApplicationController < ActionController::Base
   before_action :authenticate_user!,
                 :log_user,
                 :redirect_asp_users!,
+                :redirect_academic_users!,
                 :check_maintenance,
                 :check_current_establishment
 
@@ -24,6 +25,8 @@ def after_sign_out_path_for(resource_or_scope)
       new_user_session_path
     when :asp_user
       new_asp_user_session_path
+    when :academic_user
+      new_academic_user_session_path
     end
   end
 
@@ -52,6 +55,10 @@ def redirect_asp_users!
     redirect_to asp_schoolings_path and return if asp_user_signed_in?
   end
 
+  def redirect_academic_users!
+    redirect_to academic_home_path and return if academic_user_signed_in?
+  end
+
   private
 
   def check_current_establishment

diff --git a/app/controllers/concerns/developer_oidc.rb b/app/controllers/concerns/developer_oidc.rb
@@ -35,25 +35,28 @@ def role(attrs)
 
   def static_info(attrs)
     {
-      "credentials" => {
-        "token" => "dev token"
+      credentials: {
+        token: "dev token"
       },
-      "uid" => attrs["info"]["email"],
-      "info" => {
-        "name" => "Developer Account",
-        "email" => attrs["info"]["email"]
+      uid: attrs["info"]["email"],
+      info: {
+        name: "Developer Account",
+        email: attrs["info"]["email"]
       }
     }
   end
 
   def provider_info(attrs)
-    { "provider" => provider(attrs) }
+    { provider: provider(attrs) }
   end
 
   def extra_info(attrs)
-    uai = attrs["info"]["uai"]
-
-    info = role(attrs) == :dir ? responsibility_hash(attrs, uai) : authorised_hash(attrs, uai)
+    if attrs["info"]["uai"].nil?
+      info = { AplyproAcademieResp: attrs["info"]["academy_code"] }
+    else
+      uai = attrs["info"]["uai"]
+      info = role(attrs) == :dir ? responsibility_hash(attrs, uai) : authorised_hash(attrs, uai)
+    end
 
     {
       extra: {

diff --git a/app/controllers/concerns/page_title.rb b/app/controllers/concerns/page_title.rb
@@ -18,8 +18,8 @@ def infer_page_title(attrs = {})
   private
 
   def page_title_key
-    asp = "asp" if controller_path.include?("asp/")
-    ["pages", "titles", asp, controller_name, action_name].join(".")
+    namespace = controller_path.split("/").first if controller_path.include?("/")
+    ["pages", "titles", namespace, controller_name, action_name].join(".")
   end
 
   def extract_title_data(data)

diff --git a/app/controllers/users/omniauth_callbacks_controller.rb b/app/controllers/users/omniauth_callbacks_controller.rb
@@ -9,25 +9,30 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
 
     rescue_from IdentityMappers::Errors::Error, ActiveRecord::RecordInvalid, with: :authentication_failure
 
-    def asp
-      @asp_login = true
-      @asp_user = ASP::User.from_oidc(auth_hash).tap(&:save!)
-
-      sign_in(:asp_user, @asp_user)
+    def developer
+      oidcize_dev_hash(auth_hash)
 
-      redirect_to asp_schoolings_path
+      oidc
     end
 
-    def developer
+    def academic_developer
       oidcize_dev_hash(auth_hash)
 
+      academic
+    end
+
+    def masa
+      oidc
+    end
+
+    def fim
       oidc
     end
 
     def oidc
       parse_identity
 
-      @user.save!
+      @user = User.from_oidc(auth_hash).tap(&:save!)
 
       add_auth_breadcrumb(data: { user_id: @user.id }, message: "Successfully parsed user")
 
@@ -42,12 +47,36 @@ def oidc
       choose_redirect_page!
     end
 
-    def masa
-      oidc
+    def academic # rubocop:disable Metrics/AbcSize
+      parse_identity
+
+      @academic_login = true
+      @academic_user = Academic::User.from_oidc(auth_hash).tap(&:save!)
+
+      add_auth_breadcrumb(data: { user_id: @academic_user.id }, message: "Successfully parsed academic user")
+
+      @academies = @mapper.aplypro_academies
+
+      raise IdentityMappers::Errors::NoLimitedAccessError if @academies.empty?
+
+      sign_in(:academic_user, @academic_user)
+
+      if @academies.many?
+        redirect_to academic_user_select_academy_path(@academic_user)
+      else
+        @academic_user.update!(selected_academy: @academies.first)
+
+        redirect_to academic_home_path, notice: t("auth.success")
+      end
     end
 
-    def fim
-      oidc
+    def asp
+      @asp_login = true
+      @asp_user = ASP::User.from_oidc(auth_hash).tap(&:save!)
+
+      sign_in(:asp_user, @asp_user)
+
+      redirect_to asp_schoolings_path
     end
 
     def failure
@@ -63,6 +92,8 @@ def authentication_failure(error)
 
       if defined? @asp_login
         fail_asp_user
+      elsif defined? @academic_login
+        fail_academic_user
       else
         fail_user
       end
@@ -78,6 +109,10 @@ def fail_asp_user
       redirect_to new_asp_user_session_path
     end
 
+    def fail_academic_user
+      redirect_to new_academic_user_session_path
+    end
+
     private
 
     def check_access!
@@ -96,10 +131,8 @@ def parse_identity
       data = auth_hash
       raw = data.extra.raw_info
 
-      @user = User.from_oidc(data)
-
       @mapper = case data.provider.to_sym
-                when :fim
+                when :fim, :academic
                   IdentityMappers::Fim.new(raw)
                 when :masa
                   IdentityMappers::Cas.new(raw)

diff --git a/app/models/academic/user.rb b/app/models/academic/user.rb
@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Academic
+  class User < User
+    devise :authenticatable
+
+    validates :uid, :provider, :name, :email, presence: true
+
+    class << self
+      # ideally all these methods would live in some OIDC-factory but I
+      # can't figure out a pattern I like quite yet
+      def from_oidc(attrs)
+        # we can't use find_or_create because a bunch of fields are mandatory
+        User.find_or_initialize_by(uid: attrs["uid"], provider: attrs["provider"]).tap do |user|
+          user.token = attrs["credentials"]["token"]
+          user.secret = "nope"
+          user.name = attrs["info"]["name"]
+          user.email = attrs["info"]["email"]
+          user.oidc_attributes = attrs
+        end
+      end
+    end
+
+    def academies
+      establishments.distinct.pluck(:academy_code)
+    end
+
+    def to_s
+      name
+    end
+  end
+end
diff --git a/app/models/concerns/identity_mappers/fim.rb b/app/models/concerns/identity_mappers/fim.rb
@@ -17,5 +17,9 @@ def responsibility_uais
     def aplypro_responsibilities
       Array(attributes["AplyproResp"]).compact
     end
+
+    def aplypro_academies
+      Array(attributes["AplyproAcademieResp"]).compact
+    end
   end
 end
diff --git a/app/views/academic/application/home.html.haml b/app/views/academic/application/home.html.haml
@@ -0,0 +1,3 @@
+.home.fr-container
+  .fr-grid-row.fr-grid-row--center
+    %p Bonjour
diff --git a/app/views/academic/application/login.html.haml b/app/views/academic/application/login.html.haml
@@ -0,0 +1,14 @@
+.fr-grid-row.fr-grid-row--gutters#login-page
+  .fr-col-md-6.fr-col-12
+    = render 'shared/connection_panel',
+      name: t("omniauth.fim.title"),
+      description: t("omniauth.fim.description"),
+      button: t("omniauth.fim.button"),
+      path: "/auth/academic"
+
+  .fr-col-md-6.fr-col-12
+    = render 'shared/connection_panel',
+      name: t("omniauth.developer.title"),
+      description: t("omniauth.developer.description"),
+      button: t("omniauth.developer.button"),
+      path: "/auth/academic_developer"
diff --git a/app/views/academic/users/select_academy.html.haml b/app/views/academic/users/select_academy.html.haml
@@ -0,0 +1,12 @@
+.fr-grid-row
+  .fr-col-md-7
+    %p
+      Veuillez sélectionner l'académie que vous désirez piloter dans la liste ci-dessous.
+
+    .fr-select-group.fr-col-md-7
+      = form_with url: academic_user_select_academy_path, builder: DsfrFormBuilder do |form|
+        .fr-input-group
+          = form.label :selected_academy, "Académie", class: 'fr-label'
+          = form.select :selected_academy, @academic_user.academies, {}, { class: 'fr-select' }
+
+        = form.submit "Continuez avec cette académie", class: 'fr-btn'
diff --git a/app/views/asp/application/login.html.haml b/app/views/asp/application/login.html.haml
@@ -1,6 +1,6 @@
 .fr-grid-row.fr-grid-row--gutters#login-page
   .fr-col-md-6.fr-col-12
-    = render '/home/connection_panel',
+    = render '/shared/connection_panel',
       name: "Agence de Services et Paiements (ASP)",
       description: "Vous êtes un agent de l'ASP",
       button: "Connexion",

diff --git a/app/views/home/login.html.haml b/app/views/home/login.html.haml
@@ -1,14 +1,14 @@
 .fr-grid-row.fr-grid-row--gutters#login-page
   - User::OMNIAUTH_PROVIDERS.each do |provider|
     .fr-col-md-6.fr-col-12
-      = render 'connection_panel',
+      = render 'shared/connection_panel',
         name: t("omniauth.#{provider}.title"),
         description: t("omniauth.#{provider}.description"),
         button: t("omniauth.#{provider}.button"),
         path: "/users/auth/#{provider}"
 
   .fr-col-md-6.fr-col-12
-    = render 'connection_panel',
+    = render 'shared/connection_panel',
       name: t("omniauth.mer.title"),
       description: t("omniauth.mer.description"),
       button: t("omniauth.mer.button"),

diff --git a/app/views/home/_connection_panel.html.haml → app/views/shared/_connection_panel.html.haml b/app/views/home/_connection_panel.html.haml → app/views/shared/_connection_panel.html.haml