[Vigie] Améliorer l'observabilité sur InclusionConnect

app/controllers/inclusion_connect_controller.rb

@@ -10,6 +10,7 @@ def auth
 
   def callback
     if params[:state] != session[:ic_state]
+      Sentry.capture_message("InclusionConnect states do not match", extra: { params_state: params[:state], session_ic_state: session[:ic_state] })
       flash[:error] = "Nous n'avons pas pu vous authentifier. Contacter le support à l'adresse <#{current_domain.support_email}> si le problème persiste."
       redirect_to new_agent_session_path and return
     end

app/services/inclusion_connect.rb

@@ -39,24 +39,24 @@ def get_token(code, inclusion_connect_callback_url)
       }
       uri = URI("#{IC_BASE_URL}/token")
 
-      res = Net::HTTP.post_form(uri, data)
+      res = Typhoeus.post(
+        uri,
+        body: data,
+        headers: { "Content-Type" => "application/x-www-form-urlencoded" }
+      )
 
-      return false unless res.is_a?(Net::HTTPSuccess)
+      return false unless res.success?
 
       JSON.parse(res.body)["access_token"]
     end
 
     def get_user_info(token)
       uri = URI("#{IC_BASE_URL}/userinfo")
       uri.query = URI.encode_www_form({ schema: "openid" })
-      req = Net::HTTP::Get.new(uri)
-      req["Authorization"] = "Bearer #{token}"
 
-      res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == "https") do |http|
-        http.request(req)
-      end
+      res = Typhoeus.get(uri, headers: { "Authorization" => "Bearer #{token}" })
 
-      return false unless res.is_a?(Net::HTTPSuccess)
+      return false unless res.success?
 
       JSON.parse(res.body)
     end

config/initializers/typhoeus.rb

@@ -1,13 +1,17 @@
 # frozen_string_literal: true
 
 Typhoeus.before do |request|
+  filter_secrets_from_body = lambda do |body|
+    body.to_s.gsub(InclusionConnect::IC_CLIENT_SECRET || "", "filtered")
+  end
+
   crumb = Sentry::Breadcrumb.new(
     message: "HTTP request",
     data: {
       method: request.options[:method],
       url: request.url,
       headers: request.options[:headers],
-      body: request.encoded_body,
+      body: filter_secrets_from_body.call(request.encoded_body),
     }
   )
   Sentry.add_breadcrumb(crumb)

spec/controllers/inclusion_connect_controller_spec.rb

@@ -3,6 +3,8 @@
 describe InclusionConnectController, type: :controller do
   let(:base_url) { "https://test.inclusion.connect.fr" }
 
+  stub_sentry_events
+
   describe "#callback" do
     it "update first_name and last_name of agent" do
       now = Time.zone.parse("2022-08-22 11h34")
@@ -17,11 +19,9 @@
 
       stub_request(:get, "#{base_url}/userinfo?schema=openid").with(
         headers: {
-          "Accept" => "*/*",
-          "Accept-Encoding" => "gzip;q=1.0,deflate;q=0.6,identity;q=0.3",
+          "Expect" => "",
           "Authorization" => "Bearer zekfjzeklfjl",
-          "Host" => "test.inclusion.connect.fr",
-          "User-Agent" => "Ruby",
+          "User-Agent" => "Typhoeus - https://github.com/typhoeus/typhoeus",
         }
       ).to_return(status: 200, body: { email_verified: true, given_name: "Bob", family_name: "Eponge", email: "bob@demo.rdv-solidarites.fr" }.to_json, headers: {})
 
@@ -41,6 +41,10 @@
       get :callback, params: { state: "zefjzelkf", session_state: "zfjzerklfjz", code: "klzefklzejlf" }
       expect(response).to redirect_to(new_agent_session_path)
       expect(flash[:error]).to eq("Nous n'avons pas pu vous authentifier. Contacter le support à l'adresse <support@rdv-solidarites.fr> si le problème persiste.")
+
+      # Error message is sent to Sentry
+      expect(sentry_events.last.message).to include("InclusionConnect states do not match")
+      expect(sentry_events.last.extra.keys).to match_array(%i[params_state session_ic_state])
     end
 
     it "uses the current domain's support email address in the error message" do
@@ -60,6 +64,9 @@
       get :callback, params: { state: "a state", session_state: "a state", code: "klzefklzejlf" }
       expect(response).to redirect_to(new_agent_session_path)
       expect(flash[:error]).to eq("Nous n'avons pas pu vous authentifier. Contacter le support à l'adresse <support@rdv-solidarites.fr> si le problème persiste.")
+
+      # HTTP request is sent to Sentry as breadcrumbs
+      expect(sentry_events.last.breadcrumbs.compact.map(&:message)).to eq(["HTTP request", "HTTP response"])
     end
 
     it "returns an error if token request doesn't contains token" do
@@ -74,6 +81,9 @@
 
       expect(response).to redirect_to(new_agent_session_path)
       expect(flash[:error]).to eq("Nous n'avons pas pu vous authentifier. Contacter le support à l'adresse <support@rdv-solidarites.fr> si le problème persiste.")
+
+      # HTTP request is sent to Sentry as breadcrumbs
+      expect(sentry_events.last.breadcrumbs.compact.map(&:message)).to eq(["HTTP request", "HTTP response"])
     end
 
     it "returns an error if userinfo request doesnt work" do
@@ -85,11 +95,9 @@
 
       stub_request(:get, "#{base_url}/userinfo?schema=openid").with(
         headers: {
-          "Accept" => "*/*",
-          "Accept-Encoding" => "gzip;q=1.0,deflate;q=0.6,identity;q=0.3",
+          "Expect" => "",
           "Authorization" => "Bearer zekfjzeklfjl",
-          "Host" => "test.inclusion.connect.fr",
-          "User-Agent" => "Ruby",
+          "User-Agent" => "Typhoeus - https://github.com/typhoeus/typhoeus",
         }
       ).to_return(status: 500, body: "", headers: {})
 
@@ -98,6 +106,9 @@
 
       expect(response).to redirect_to(new_agent_session_path)
       expect(flash[:error]).to eq("Nous n'avons pas pu vous authentifier. Contacter le support à l'adresse <support@rdv-solidarites.fr> si le problème persiste.")
+
+      # HTTP request is sent to Sentry as breadcrumbs
+      expect(sentry_events.last.breadcrumbs.compact.map(&:message).uniq).to eq(["HTTP request", "HTTP response"])
     end
 
     it "returns an error if userinfo's email checked is false" do
@@ -109,11 +120,9 @@
 
       stub_request(:get, "#{base_url}/userinfo?schema=openid").with(
         headers: {
-          "Accept" => "*/*",
-          "Accept-Encoding" => "gzip;q=1.0,deflate;q=0.6,identity;q=0.3",
+          "Expect" => "",
           "Authorization" => "Bearer zekfjzeklfjl",
-          "Host" => "test.inclusion.connect.fr",
-          "User-Agent" => "Ruby",
+          "User-Agent" => "Typhoeus - https://github.com/typhoeus/typhoeus",
         }
       ).to_return(status: 200, body: { email_verified: false, given_name: "Bob", family_name: "Eponge", email: "bob@demo.rdv-solidarites.fr" }.to_json, headers: {})
 
@@ -122,6 +131,9 @@
 
       expect(response).to redirect_to(new_agent_session_path)
       expect(flash[:error]).to eq("Nous n'avons pas pu vous authentifier. Contacter le support à l'adresse <support@rdv-solidarites.fr> si le problème persiste.")
+
+      # HTTP request is sent to Sentry as breadcrumbs
+      expect(sentry_events.last.breadcrumbs.compact.map(&:message).uniq).to eq(["HTTP request", "HTTP response"])
     end
 
     it "call sentry about authentification failure" do
@@ -148,11 +160,9 @@ def stub_token_request
         "redirect_uri" => inclusion_connect_callback_url,
       },
       headers: {
-        "Accept" => "*/*",
-        "Accept-Encoding" => "gzip;q=1.0,deflate;q=0.6,identity;q=0.3",
+        "Expect" => "",
+        "User-Agent" => "Typhoeus - https://github.com/typhoeus/typhoeus",
         "Content-Type" => "application/x-www-form-urlencoded",
-        "Host" => "test.inclusion.connect.fr",
-        "User-Agent" => "Ruby",
       }
     )
   end