Feat: FranceConnect 2.0 (0.27-stable)

.github/workflows/ci_cd.yml

@@ -6,7 +6,6 @@ env:
   SIMPLECOV: "true"
   RSPEC_FORMAT: "documentation"
   RUBY_VERSION: 3.0.6
-  CHROME_VERSION: 126.0.6478.182
   RAILS_ENV: test
   NODE_VERSION: 16.9.1
   RUBYOPT: '-W:no-deprecated'
@@ -92,10 +91,11 @@ jobs:
           sudo apt update
           sudo apt install -y libu2f-udev
           sudo apt install -y --fix-missing imagemagick
-          wget --no-verbose -O /tmp/chrome.deb https://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-stable/google-chrome-stable_${{env.CHROME_VERSION}}-1_amd64.deb
-          sudo dpkg -i /tmp/chrome.deb
-          rm /tmp/chrome.deb
-        name: Install dependencies and Chrome version ${{ env.CHROME_VERSION }}
+          wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
+          sudo sh -c 'echo "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google-chrome.list'
+          sudo apt update
+          sudo apt install -y google-chrome-stable
+        name: Install dependencies and latest Chrome
       - uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NODE_VERSION }}
@@ -114,8 +114,6 @@ jobs:
       - run: mkdir -p ./spec/tmp/screenshots
         name: Create the screenshots folder
       - uses: nanasess/setup-chromedriver@v2
-        with:
-          chromedriver-version: ${{ env.CHROME_VERSION }}
       - run:  bundle exec rake "test:run[exclude, spec/system/**/*_spec.rb, ${{ matrix.slice }}]"
         name: RSpec
       # - run: ./.github/upload_coverage.sh decidim-app $GITHUB_EVENT_PATH
@@ -168,10 +166,11 @@ jobs:
           sudo apt update
           sudo apt install -y libu2f-udev
           sudo apt install -y --fix-missing imagemagick
-          wget --no-verbose -O /tmp/chrome.deb https://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-stable/google-chrome-stable_${{env.CHROME_VERSION}}-1_amd64.deb
-          sudo dpkg -i /tmp/chrome.deb
-          rm /tmp/chrome.deb
-        name: Install dependencies and Chrome version ${{ env.CHROME_VERSION }}
+          wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
+          sudo sh -c 'echo "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google-chrome.list'
+          sudo apt update
+          sudo apt install -y google-chrome-stable
+        name: Install dependencies and latest Chrome
       - uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NODE_VERSION }}
@@ -190,8 +189,6 @@ jobs:
       - run: mkdir -p ./spec/tmp/screenshots
         name: Create the screenshots folder
       - uses: nanasess/setup-chromedriver@v2
-        with:
-          chromedriver-version: ${{ env.CHROME_VERSION }}
       - run:  bundle exec rake "test:run[include, spec/system/**/*_spec.rb, ${{ matrix.slice }}]"
         name: RSpec
       # - run: ./.github/upload_coverage.sh decidim-app $GITHUB_EVENT_PATH

.gitignore

@@ -77,6 +77,7 @@ git-status.txt
 /public/decidim-packs
 /public/packs-test
 /node_modules
+node_modules
 /yarn-error.log
 yarn-debug.log*
 .yarn-integrity

Dockerfile

@@ -44,6 +44,9 @@ RUN apt update && \
     apt install -y postgresql-client imagemagick libproj-dev proj-bin libjemalloc2 p7zip-full && \
     gem install bundler:2.4.9
 
+ADD https://letsencrypt.org/certs/isrg-root-x2.pem  /etc/ssl/certs/ISRG_ROOT_X2.pem
+RUN chmod 644 /etc/ssl/certs/ISRG_ROOT_X2.pem && update-ca-certificates && c_rehash
+
 WORKDIR /app
 
 COPY --from=builder /usr/local/bundle /usr/local/bundle

Gemfile

@@ -46,7 +46,6 @@ gem "decidim-term_customizer", git: "https://github.com/OpenSourcePolitics/decid
 gem "decidim-guest_meeting_registration", git: "https://github.com/alecslupu-pfa/guest-meeting-registration.git", branch: DECIDIM_BRANCH
 # Omniauth gems
 
-gem "omniauth-france_connect", git: "https://github.com/OpenSourcePolitics/omniauth-france_connect", branch: "feat/omniauth_openid_connect--v0.7.1"
 gem "omniauth-oauth2"
 gem "omniauth_openid_connect"
 gem "omniauth-publik", git: "https://github.com/OpenSourcePolitics/omniauth-publik"

Gemfile.lock

@@ -138,14 +138,6 @@ GIT
     decidim-spam_detection (4.1.2)
       decidim-core (~> 0.27.0)
 
-GIT
-  remote: https://github.com/OpenSourcePolitics/omniauth-france_connect
-  revision: cbf54f82e0ea55e7397004aa21905dce2b528674
-  branch: feat/omniauth_openid_connect--v0.7.1
-  specs:
-    omniauth-france_connect (0.1.0)
-      omniauth_openid_connect (~> 0.7.0)
-
 GIT
   remote: https://github.com/OpenSourcePolitics/omniauth-publik
   revision: ab703a565c402b773ce0025593554b329f603e5c
@@ -1245,7 +1237,6 @@ DEPENDENCIES
   lograge
   multipart-post
   nokogiri (= 1.13.4)
-  omniauth-france_connect!
   omniauth-oauth2
   omniauth-publik!
   omniauth-rails_csrf_protection (~> 1.0)

app/controllers/decidim/omniauth_registrations_controller_override.rb

@@ -0,0 +1,108 @@
+# frozen_string_literal: true
+
+module Decidim
+  module OmniauthRegistrationsControllerOverride
+    extend ActiveSupport::Concern
+
+    included do
+      def create
+        form_params = user_params_from_oauth_hash || params[:user]
+
+        @form = form(Decidim::OmniauthRegistrationForm).from_params(form_params)
+        @form.email ||= verified_email
+
+        existing_user = Decidim::User.find_by(email: verified_email, organization: current_organization)
+
+        if existing_user
+          handle_existing_user(existing_user)
+        else
+          Decidim::CreateOmniauthRegistration.call(@form, verified_email) do
+            on(:ok) do |user|
+              if user.active_for_authentication?
+                sign_in_and_redirect user, event: :authentication
+                provider_name = current_organization.enabled_omniauth_providers.dig(@form.provider.to_sym, :display_name) || @form.provider.titleize
+                set_flash_message :notice, :success, kind: provider_name
+              else
+                expire_data_after_sign_in!
+                user.resend_confirmation_instructions unless user.confirmed?
+                redirect_to decidim.root_path
+                flash[:notice] = t("devise.registrations.signed_up_but_unconfirmed")
+              end
+            end
+
+            on(:invalid) do
+              set_flash_message :notice, :success, kind: @form.provider.capitalize
+              session["devise.omniauth.verified_email"] = verified_email
+              render :new
+            end
+
+            on(:error) do |user|
+              if user.errors[:email]
+                set_flash_message :alert, :failure, kind: @form.provider.capitalize,
+                                                    reason: t("decidim.devise.omniauth_registrations.create.email_already_exists")
+              end
+              session["devise.omniauth.verified_email"] = verified_email
+              render :new
+            end
+          end
+        end
+      end
+
+      protected
+
+      def after_omniauth_failure_path_for(scope)
+        request.params[stored_location_key_for(scope)] || session[stored_location_key_for(scope)] || request.referer || super
+      end
+
+      private
+
+      def handle_existing_user(user)
+        if user.blocked?
+          flash[:error] = t("decidim.account.blocked")
+          redirect_to decidim.root_path
+        else
+          user.confirm if !user.confirmed? && verified_email.present?
+
+          identity = user.identities.find_or_initialize_by(
+            provider: oauth_data[:provider],
+            uid: oauth_data[:uid]
+          )
+
+          if identity.new_record?
+            identity.organization = user.organization
+            identity.save!
+          end
+
+          sign_in_and_redirect user, event: :authentication
+          provider_name = current_organization.enabled_omniauth_providers.dig(@form.provider.to_sym, :display_name) || @form.provider.titleize
+          set_flash_message :notice, :success, kind: provider_name
+        end
+      end
+
+      def oauth_data
+        @oauth_data ||= oauth_hash.slice(:provider, :uid, :info)
+      end
+
+      def oauth_hash
+        raw_hash = request.env["omniauth.auth"]
+        return {} unless raw_hash
+
+        raw_hash.deep_symbolize_keys
+      end
+
+      def verified_email
+        @verified_email ||= find_verified_email
+      end
+
+      def find_verified_email
+        if oauth_data.present?
+          session["oauth_data.verified_email"] = oauth_data.dig(:info, :email)
+        else
+          email_from_session = session["oauth_data.verified_email"]
+          session.delete("oauth_data.verified_email")
+          email_from_session
+        end
+      end
+    end
+  end
+end

app/helpers/application_helper.rb

@@ -8,8 +8,10 @@ def normalize_full_provider_name(provider)
   end
 
   # Public: renders SSO link as image
-  def sso_provider_image(provider, link_to_path, image_path = "media/images/[email protected]")
-    ActionController::Base.helpers.link_to link_to_path, class: "button--#{normalize_full_provider_name(provider)}", method: :post do
+  def sso_provider_image(provider, link_to_path, image_path = "media/images/[email protected]", link_class: nil)
+    css_class = link_class || "button--#{normalize_full_provider_name(provider)}"
+
+    ActionController::Base.helpers.link_to link_to_path, class: css_class, method: :post do
       image_pack_tag image_path,
                      alt: I18n.t("devise.shared.links.sign_in_with_provider",
                                  provider: normalize_full_provider_name(provider).titleize)