Merge branch 'staging' into rdv-solidarites-oauth

.env.example

@@ -51,6 +51,7 @@ CARNET_DE_BORD_URL=https://demo.carnetdebord.inclusion.beta.gouv.fr
 CARNET_DE_BORD_API_SECRET=secret_api_token
 
 DEPARTMENTS_WHERE_PARCOURS_DISABLED=44
+ORGANISATION_IDS_WHERE_STATS_DISABLED=
 
 # Ces valeurs correspondent au seed de RDV Solidarités
 RDV_SOLIDARITES_OAUTH_APP_ID=zC24y16rYftyrBgTj8h08g1NZKkwStXWe3E_lLMGoHc

.env.test

@@ -18,3 +18,4 @@ FRANCE_TRAVAIL_AUTH_URL=https://somefakeauthurl.fr
 FRANCE_TRAVAIL_RDV_API_URL=https://francetravailfakerdvurl.fr
 
 AGENT_SIGNATURE_KEY=bc995863-5c80-43a3-a31d-0da216e814a4
+HOST=http://www.rdv-insertion-test.fake

.github/workflows/ci.yml

@@ -3,7 +3,7 @@ on: push
 jobs:
   linters:
     name: Linters
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
       - name: Set up Ruby
@@ -24,7 +24,7 @@ jobs:
         run: yarn lint
   test_unit:
     name: Unit Tests
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     services:
       postgres:
         image: postgres:13.2
@@ -78,7 +78,7 @@ jobs:
         run: |
           RAILS_ENV=test bundle exec rake parallel:drop parallel:create parallel:load_schema parallel:spec['spec/(?!features)']
         env:
-          HOST: http://example.com
+          HOST: http://www.rdv-insertion-test.fake
           POSTGRES_HOST: localhost
           POSTGRES_PORT: 5432
           POSTGRES_USER: rdv_insertion_test
@@ -87,7 +87,7 @@ jobs:
 
   test_features:
     name: Feature Tests
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     strategy:
       fail-fast: false
       matrix:
@@ -154,7 +154,7 @@ jobs:
 
           RAILS_ENV=test bundle exec rspec $(cat node_spec_files.txt)
         env:
-          HOST: http://example.com
+          HOST: http://www.rdv-insertion-test.fake
           POSTGRES_HOST: localhost
           POSTGRES_PORT: 5432
           POSTGRES_USER: rdv_insertion_test

.husky/pre-commit

@@ -1,4 +1,6 @@
 #!/bin/sh
 . "$(dirname "$0")/_/husky.sh"
 
-yarn lint
+if [[ $(git status --porcelain | grep app/javascript/) ]]; then # only run the linter if the javascript files have changed
+  yarn lint
+fi

Gemfile.lock

@@ -279,7 +279,7 @@ GEM
     listen (3.8.0)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
-    loofah (2.22.0)
+    loofah (2.23.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     mail (2.8.1)
@@ -308,11 +308,11 @@ GEM
     net-smtp (0.5.0)
       net-protocol
     nio4r (2.7.3)
-    nokogiri (1.16.5-arm64-darwin)
+    nokogiri (1.16.8-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.16.5-x86_64-darwin)
+    nokogiri (1.16.8-x86_64-darwin)
       racc (~> 1.4)
-    nokogiri (1.16.5-x86_64-linux)
+    nokogiri (1.16.8-x86_64-linux)
       racc (~> 1.4)
     oauth2 (2.0.9)
       faraday (>= 0.17.3, < 3.0)
@@ -380,7 +380,7 @@ GEM
     pundit (2.3.1)
       activesupport (>= 3.0.0)
     raabro (1.4.0)
-    racc (1.8.0)
+    racc (1.8.1)
     rack (3.0.11)
     rack-cors (2.0.2)
       rack (>= 2.0.0)
@@ -427,9 +427,9 @@ GEM
       activesupport (>= 4.2)
       choice (~> 0.2.0)
       ruby-graphviz (~> 1.2)
-    rails-html-sanitizer (1.6.0)
+    rails-html-sanitizer (1.6.1)
       loofah (~> 2.21)
-      nokogiri (~> 1.14)
+      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
     railties (7.1.3.4)
       actionpack (= 7.1.3.4)
       activesupport (= 7.1.3.4)

app/blueprints/address_geocoding_blueprint.rb

@@ -0,0 +1,3 @@
+class AddressGeocodingBlueprint < ApplicationBlueprint
+  fields :post_code, :city
+end

app/blueprints/user_blueprint.rb

@@ -27,6 +27,7 @@ class UserBlueprint < ApplicationBlueprint
     association :organisations, blueprint: OrganisationBlueprint
     association :referents, blueprint: AgentBlueprint
     association :archives, blueprint: ArchiveBlueprint
+    association :address_geocoding, blueprint: AddressGeocodingBlueprint
 
     policy_scoped_association :invitations, blueprint: InvitationBlueprint
     policy_scoped_association :follow_ups, blueprint: FollowUpBlueprint

app/clients/mattermost_client.rb

@@ -1,20 +1,42 @@
 class MattermostClient
+  CHANNEL_URLS_BY_TYPE = {
+    main: ENV["MATTERMOST_MAIN_CHANNEL_URL"],
+    notification: ENV["MATTERMOST_NOTIFICATIONS_CHANNEL_URL"],
+    private: ENV["MATTERMOST_PRIVATE_CHANNEL_URL"]
+  }.freeze
+
   class << self
     def send_to_notif_channel(text)
-      send_message(ENV["MATTERMOST_NOTIFICATIONS_CHANNEL_URL"], text)
+      send_message(:notification, text)
     end
 
     def send_to_main_channel(text)
-      send_message(ENV["MATTERMOST_MAIN_CHANNEL_URL"], text)
+      send_message(:main, text)
     end
 
     def send_to_private_channel(text)
-      send_message(ENV["MATTERMOST_PRIVATE_CHANNEL_URL"], text)
+      send_message(:private, text)
+    end
+
+    def send_unique_message(channel_type:, text:, expiration: 24.hours)
+      message_key = "mattermost_message:#{channel_type}:#{Digest::MD5.hexdigest(text)}"
+
+      RedisConnection.with_redis do |redis|
+        next if redis.exists?(message_key)
+
+        send_message(channel_type, text)
+        redis.set(message_key, Time.current.to_s, ex: expiration.to_i)
+      end
+    end
+
+    def send_message(channel_type, text)
+      url = CHANNEL_URLS_BY_TYPE.fetch(channel_type)
+      send_http_request(url, text)
     end
 
     private
 
-    def send_message(url, text)
+    def send_http_request(url, text)
       return unless ENV["ENVIRONMENT_NAME"] == "production"
 
       Faraday.post(

app/clients/rdv_solidarites_client.rb

@@ -37,6 +37,14 @@ def create_referent_assignations(user_id, agent_ids)
     )
   end
 
+  def get_user_referent_assignations(user_id)
+    Faraday.get(
+      "#{@url}/api/rdvinsertion/users/#{user_id}/referent_assignations",
+      {},
+      request_headers
+    )
+  end
+
   def update_user(user_id, request_body = {})
     Faraday.patch(
       "#{@url}/api/v1/users/#{user_id}",

app/controllers/accept_cgus_controller.rb

@@ -0,0 +1,23 @@
+class AcceptCgusController < ApplicationController
+  before_action :ensure_cgus_are_accepted
+
+  def create
+    if current_agent.update(cgu_accepted_at: Time.zone.now)
+      head :no_content
+    else
+      turbo_stream_display_custom_error_modal(
+        title: "L'acceptation n'a pas fonctionné",
+        errors: current_agent.errors.full_messages,
+        with_support_contact: true
+      )
+    end
+  end
+
+  private
+
+  def ensure_cgus_are_accepted
+    return if params[:cgu_accepted] == "1"
+
+    turbo_stream_display_error_modal(["Vous devez accepter les CGUs"])
+  end
+end

app/controllers/api/v1/users_controller.rb

@@ -5,7 +5,7 @@ class UsersController < ApplicationController
 
       PERMITTED_USER_PARAMS = [
         :first_name, :last_name, :title, :affiliation_number, :role, :email, :phone_number,
-        :nir, :france_travail_id, :birth_date, :rights_opening_date, :address, :department_internal_id,
+        :nir, :france_travail_id, :birth_date, :birth_name, :rights_opening_date, :address, :department_internal_id,
         { invitation: [:rdv_solidarites_lieu_id, { motif_category: [:name, :short_name] }], referents_to_add: [:email] }
       ].freeze
 

app/controllers/application_controller.rb

@@ -7,6 +7,7 @@ class ApplicationController < ActionController::Base
   include BeforeActionOverride
   include EnvironmentsHelper
   include TurboStreamConcern
+  include ModalAgreementsConcern
 
   protect_from_forgery with: :exception
   before_action :set_sentry_context
@@ -31,15 +32,17 @@ def page
     params[:page] || 1
   end
 
-  def sync_user_with_rdv_solidarites(user)
-    sync = Users::SyncWithRdvSolidarites.call(user: user)
-    return if sync.success?
+  # A user can be unlinked from its rdv-solidarites record when the latter is deleted for RGPD reasons.
+  # This method pushes the user to rdv-solidarites to recreate a new one.
+  def recreate_rdv_solidarites_user(user)
+    push = Users::PushToRdvSolidarites.call(user: user)
+    return if push.success?
 
     respond_to do |format|
       format.turbo_stream do
-        flash.now[:error] = "L'usager n'est plus lié à rdv-solidarités: #{sync.errors.map(&:to_s)}"
+        flash.now[:error] = "L'usager n'est plus lié à rdv-solidarités: #{push.errors.map(&:to_s)}"
       end
-      format.json { render json: { errors: sync.errors.map(&:to_s) }, status: :unprocessable_entity }
+      format.json { render json: { errors: push.errors.map(&:to_s) }, status: :unprocessable_entity }
     end
   end
 end

app/controllers/archives_controller.rb

@@ -11,6 +11,7 @@ def create
     @archive = Archive.new(**archive_params)
     authorize @archive
     if @archive.save
+      flash_success_for_create(@archive)
       redirect_to structure_user_path(@archive.user_id)
     else
       turbo_stream_display_error_modal(@archive.errors.full_messages)
@@ -21,6 +22,8 @@ def create_many
     @archives = Archive.new_batch(**create_many_params)
     authorize_all @archives, :create
     Archive.transaction { @archives.each(&:save!) }
+
+    flash_success_for_create_many(@archives)
     redirect_to structure_user_path(params[:user_id])
   rescue ActiveRecord::RecordInvalid => e
     turbo_stream_display_error_modal(e.record.errors.full_messages)
@@ -31,7 +34,8 @@ def destroy # rubocop:disable Metrics/AbcSize
     authorize @archive
     respond_to do |format|
       if @archive.destroy
-        format.html { redirect_to structure_user_path(@archive.user_id) }
+        flash_success_for_destroy
+        format.turbo_stream { turbo_stream_redirect(structure_user_path(@archive.user_id)) }
         format.json { render json: { success: true, archive: @archive, redirect_path: request.referer } }
       else
         format.html { turbo_stream_display_error_modal(@archive.errors.full_messages) }
@@ -75,4 +79,32 @@ def set_archivable_organisations
   def user_department_organisations
     policy_scope(Organisation).where(id: @user.organisation_ids, department: @department)
   end
+
+  # rubocop:disable Rails/ActionControllerFlashBeforeRender
+  def flash_success_for_create(archive)
+    flash[:success] = {
+      title: "Dossier archivé",
+      description: "L'usager a bien été archivé sur l'organisation #{archive.organisation.name}"
+    }
+  end
+
+  def flash_success_for_create_many(archives)
+    archived_organisations = archives.map(&:organisation)
+    archived_organisations_names = archived_organisations.map(&:name).join(", ")
+    organisation_count = archived_organisations.size
+    organisation_wording = organisation_count > 1 ? "les organisations" : "l'organisation"
+
+    flash[:success] = {
+      title: "Dossier archivé",
+      description: "L'usager a bien été archivé sur #{organisation_wording} #{archived_organisations_names}"
+    }
+  end
+
+  def flash_success_for_destroy
+    flash[:success] = {
+      title: "Dossier désarchivé",
+      description: "Le dossier de l'usager a bien été rouvert sur cette organisation"
+    }
+  end
+  # rubocop:enable Rails/ActionControllerFlashBeforeRender
 end

app/controllers/brevo/ip_whitelist_concern.rb

@@ -0,0 +1,30 @@
+require "ipaddr"
+
+module Brevo::IpWhitelistConcern
+  extend ActiveSupport::Concern
+
+  # IP list comes from
+  # https://help.brevo.com/hc/en-us/articles/15127404548498-Brevo-IP-ranges-List-of-publicly-exposed-services#h_01HENC062K8KJKJE7BJNYMPM77
+  IP_WHITELIST_RANGE = "1.179.112.0/20".freeze
+
+  included do
+    before_action :ensure_ip_comes_from_brevo_ips
+  end
+
+  private
+
+  def ensure_ip_comes_from_brevo_ips
+    # In case Brevo decides to use some other IP range without notice
+    # we need a quick way to skip this check
+    return if ENV["DISABLE_BREVO_IP_WHITELIST"].present?
+
+    return if IPAddr.new(IP_WHITELIST_RANGE).include?(request.remote_ip)
+
+    Sentry.capture_message("Brevo Webhook received with following non whitelisted IP", {
+                             extra: {
+                               ip: request.remote_ip
+                             }
+                           })
+    head :forbidden
+  end
+end

app/controllers/brevo/mail_webhooks_controller.rb

@@ -1,5 +1,6 @@
 module Brevo
   class MailWebhooksController < ApplicationController
+    include Brevo::IpWhitelistConcern
     skip_before_action :authenticate_agent!, :verify_authenticity_token
 
     PERMITTED_PARAMS = %i[

app/controllers/brevo/sms_webhooks_controller.rb

@@ -1,5 +1,6 @@
 module Brevo
   class SmsWebhooksController < ApplicationController
+    include Brevo::IpWhitelistConcern
     skip_before_action :authenticate_agent!, :verify_authenticity_token
 
     PERMITTED_PARAMS = %i[

app/controllers/carnet_de_bord/carnets_controller.rb

@@ -2,6 +2,7 @@ module CarnetDeBord
   class CarnetsController < ApplicationController
     before_action :set_user, :set_department
 
+    # rubocop:disable Metrics/AbcSize
     def create
       @success, @errors = [create_carnet.success?, create_carnet.errors]
       if @success
@@ -12,10 +13,11 @@ def create
       else
         respond_to do |format|
           format.json { render json: { success: false, errors: @errors }, status: :unprocessable_entity }
-          format.turbo_stream { flash.now[:error] = @errors }
+          format.turbo_stream { flash.now[:error] = @errors.join(", ") }
         end
       end
     end
+    # rubocop:enable Metrics/AbcSize
 
     private