gip-inclusion · dejafait · May 27, 2020 · Apr 28, 2020 · Apr 29, 2020 · Mar 20, 2020
diff --git a/README.md b/README.md
@@ -12,7 +12,7 @@
 
 Vous pouvez personnaliser la configuration Compose en créant [un fichier `.env`](https://docs.docker.com/compose/env-file/) au même niveau que le fichier `README.md`, puis y configurer les variables d'environnement suivantes :
 
-    DJANGO_PORT_ON_DOCKER_HOST=8000
+    DJANGO_PORT_ON_DOCKER_HOST=8080
     POSTGRES_PORT_ON_DOCKER_HOST=5433
 
 ### Lancer le serveur de développement
@@ -26,6 +26,8 @@ Ou pour utiliser [un débogueur interactif](https://github.com/docker/compose/is
 
     $ docker-compose -f docker-compose-dev.yml run --service-ports django
 
+Une fois votre serveur de développement lancé, vous pouvez accéder au frontend à l'adresse http://localhost:8080/
+
 ### Peupler la base de données
 
     $ make populate_db

diff --git a/config/settings/base.py b/config/settings/base.py
@@ -313,12 +313,32 @@
 API_INSEE_KEY = os.environ["API_INSEE_KEY"]
 API_INSEE_SECRET = os.environ["API_INSEE_SECRET"]
 
-# Pôle emploi.
+# Pôle emploi's Emploi Store Dev aka ESD.
 # https://www.emploi-store-dev.fr/portail-developpeur/catalogueapi
-API_EMPLOI_STORE_KEY = os.environ["API_EMPLOI_STORE_KEY"]
-API_EMPLOI_STORE_SECRET = os.environ["API_EMPLOI_STORE_SECRET"]
-API_EMPLOI_STORE_AUTH_BASE_URL = "https://entreprise.pole-emploi.fr"
-API_EMPLOI_STORE_BASE_URL = "https://api.emploi-store.fr/partenaire"
+API_ESD_KEY = os.environ["API_ESD_KEY"]
+API_ESD_SECRET = os.environ["API_ESD_SECRET"]
+API_ESD_AUTH_BASE_URL = "https://entreprise.pole-emploi.fr"
+API_ESD_BASE_URL = "https://api.emploi-store.fr/partenaire"
+
+# PE Connect aka PEAMU - technically one of ESD's APIs.
+# PEAM stands for Pôle Emploi Access Management.
+# Technically there are two PEAM distinct systems:
+# - PEAM "Entreprise", PEAM-E or PEAME for short.
+# - PEAM "Utilisateur", PEAM-U or PEAMU for short.
+# To avoid confusion between the two when contacting ESD support,
+# we get the habit to always explicitely state that we are using PEAM*U*.
+PEAMU_AUTH_BASE_URL = 'https://authentification-candidat.pole-emploi.fr'
+SOCIALACCOUNT_PROVIDERS={
+    "peamu": {
+        "APP": {
+            "key": "peamu",
+            "client_id": API_ESD_KEY,
+            "secret": API_ESD_SECRET
+        },
+    },
+}
+SOCIALACCOUNT_EMAIL_VERIFICATION = "none"
+SOCIALACCOUNT_ADAPTER = "itou.allauth.peamu.adapter.PEAMUSocialAccountAdapter"
 
 # PDFShift
 PDFSHIFT_API_KEY = os.environ["PDFSHIFT_API_KEY"]

diff --git a/config/settings/dev.py.template b/config/settings/dev.py.template
@@ -42,3 +42,21 @@ DEBUG_TOOLBAR_CONFIG = {
     ],
     "SHOW_TEMPLATE_CONTEXT": True,
 }
+
+# PEAMU.
+# ------------------------------------------------------------------------------
+
+
+# This trick
+# https://github.com/pennersr/django-allauth/issues/749#issuecomment-70402595
+# fixes the following issue
+# https://github.com/pennersr/django-allauth/issues/749
+# Without this trick, python manage.py makemigrations
+# would want to create a migration in django-allauth dependency
+# /usr/local/lib/python3.7/site-packages/allauth/socialaccount/migrations/0004_auto_20200415_1510.py
+# - Alter field provider on socialaccount
+# - Alter field provider on socialapp
+MIGRATION_MODULES = {
+    'socialaccount': 'itou.allauth.migrations',
+}
+
diff --git a/config/settings/test.py b/config/settings/test.py
@@ -10,8 +10,8 @@
 API_BAN_BASE_URL = None
 API_INSEE_KEY = None
 API_INSEE_SECRET = None
-API_EMPLOI_STORE_KEY = None
-API_EMPLOI_STORE_SECRET = None
+API_ESD_KEY = None
+API_ESD_SECRET = None
 
 # Disable logging and traceback in unit tests for readability.
 # https://docs.python.org/3/library/logging.html#logging.disable

diff --git a/config/urls.py b/config/urls.py
@@ -6,6 +6,7 @@
 from itou.utils.urls import SiretConverter
 from itou.www.dashboard import views as dashboard_views
 from itou.www.signup import views as signup_views
+from itou.www.login import views as login_views
 
 
 register_converter(SiretConverter, "siret")
@@ -26,6 +27,15 @@
         r"^accounts/signup/$", signup_views.signup
     ),
     # --------------------------------------------------------------------------------------
+    # Override allauth `account_login` URL.
+    # /accounts/login/ <=> account_login
+    # We override this view because the login page should look slightly differently
+    # for job seekers, prescribers and employers.
+    # Also, PEAMU is only available for job seekers.
+    re_path(
+        r"^accounts/login/$", login_views.login
+    ),
+    # --------------------------------------------------------------------------------------
     # Override allauth `account_change_password` URL.
     # /accounts/password/change/ <=> account_change_password
     # https://github.com/pennersr/django-allauth/issues/468
@@ -35,9 +45,16 @@
     # Avoid user enumeration via password reset page.
     re_path(r"^accounts/password/reset/$", signup_views.ItouPasswordResetView.as_view()),
     # --------------------------------------------------------------------------------------
-    # Other allauth URLs.
+    # Override allauth `account_logout` URL.
+    # /accounts/logout/ <=> account_logout
+    # We need custom code to process PEAMU logout.
+    re_path(r"^accounts/logout/$", dashboard_views.logout),
+    # --------------------------------------------------------------------------------------    # Other allauth URLs.
     path("accounts/", include("allauth.urls")),
     # --------------------------------------------------------------------------------------
+    # PEAMU URLs.
+    path("accounts/", include("itou.allauth.peamu.urls")),
+    # --------------------------------------------------------------------------------------
 
     # www.
     path("", include("itou.www.home.urls")),

diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml
@@ -34,7 +34,7 @@ services:
       - .:/app
     restart: always
     ports:
-      - "${DJANGO_PORT_ON_DOCKER_HOST:-8000}:8000"
+      - "${DJANGO_PORT_ON_DOCKER_HOST:-8080}:8000"
 
 volumes:
   postgres_data:

diff --git a/docker/dev/django/entrypoint.sh b/docker/dev/django/entrypoint.sh
@@ -13,6 +13,9 @@ done
 # tail -f /dev/null & wait
 
 django-admin migrate
-django-admin runserver_plus 0.0.0.0:8000
+
+# --nopin disables for you the annoying PIN security prompt on the web
+# debugger. For local dev only of course!
+django-admin runserver_plus 0.0.0.0:8000 --nopin
 
 exec "$@"
diff --git a/envs/secrets.env.template b/envs/secrets.env.template
@@ -4,7 +4,7 @@ API_INSEE_SECRET=set_it
 API_MAILJET_KEY=set_it
 API_MAILJET_SECRET=set_it
 
-API_EMPLOI_STORE_KEY=set_it
-API_EMPLOI_STORE_SECRET=set_it
+API_ESD_KEY=set_it
+API_ESD_SECRET=set_it
 
 PDFSHIFT_API_KEY=set_it
diff --git a/itou/allauth/migrations/README.md b/itou/allauth/migrations/README.md
@@ -0,0 +1,2 @@
+This empty folder is necessary for the MIGRATION_MODULES trick.
+See dev.py.template for more information.
diff --git a/itou/allauth/peamu/__init__.py b/itou/allauth/peamu/__init__.py
diff --git a/itou/allauth/peamu/adapter.py b/itou/allauth/peamu/adapter.py
@@ -0,0 +1,32 @@
+import requests
+from allauth.socialaccount.adapter import DefaultSocialAccountAdapter
+from allauth.socialaccount.providers.oauth2.views import OAuth2Adapter
+from django.conf import settings
+
+from itou.allauth.peamu.provider import PEAMUProvider
+
+
+class PEAMUSocialAccountAdapter(DefaultSocialAccountAdapter):
+    def populate_user(self, request, sociallogin, data):
+        user = super().populate_user(request, sociallogin, data)
+        setattr(user, "is_job_seeker", True)
+        return user
+
+
+class PEAMUOAuth2Adapter(OAuth2Adapter):
+    provider_id = PEAMUProvider.id
+
+    authorize_url = f"{settings.PEAMU_AUTH_BASE_URL}/connexion/oauth2/authorize"
+    access_token_url = f"{settings.PEAMU_AUTH_BASE_URL}/connexion/oauth2/access_token"
+    profile_url = f"{settings.API_ESD_BASE_URL}/peconnect-individu/v1/userinfo"
+    headers = {"Accept": "application/json", "Content-Type": "application/x-www-form-urlencoded"}
+
+    def complete_login(self, request, app, token, **kwargs):
+        id_token = token.token
+        headers = {"Authorization": f"Bearer {id_token}"}
+        resp = requests.get(self.profile_url, params=None, headers=headers)
+        resp.raise_for_status()
+        extra_data = resp.json()
+        extra_data["id_token"] = id_token
+        login = self.get_provider().sociallogin_from_response(request, extra_data)
+        return login
diff --git a/itou/allauth/peamu/client.py b/itou/allauth/peamu/client.py
@@ -0,0 +1,46 @@
+from urllib.parse import parse_qsl
+
+import requests
+from allauth.socialaccount.providers.oauth2.client import OAuth2Client, OAuth2Error
+
+
+class PEAMUOAuth2Client(OAuth2Client):
+    """
+    Required exclusively for injecting realm=/individu
+    when requesting access token.
+    (╯°□°)╯︵ ┻━┻
+    """
+
+    def get_access_token(self, code):
+        """
+        This whole method is unchanged except for the
+        `params = {"realm": "/individu"}` hack.
+        Original code:
+        https://github.com/pennersr/django-allauth/blob/6a6d3c618ab018234dde8701173093274710ee0a/allauth/socialaccount/providers/oauth2/client.py#L44
+        """
+        data = {"redirect_uri": self.callback_url, "grant_type": "authorization_code", "code": code}
+        if self.basic_auth:
+            auth = requests.auth.HTTPBasicAuth(self.consumer_key, self.consumer_secret)
+        else:
+            auth = None
+            data.update({"client_id": self.consumer_key, "client_secret": self.consumer_secret})
+        params = {"realm": "/individu"}
+        self._strip_empty_keys(data)
+        url = self.access_token_url
+        if self.access_token_method == "GET":
+            params = data
+            data = None
+        resp = requests.request(
+            self.access_token_method, url, params=params, data=data, headers=self.headers, auth=auth
+        )
+
+        access_token = None
+        if resp.status_code in [200, 201]:
+            # Weibo sends json via 'text/plain;charset=UTF-8'
+            if resp.headers["content-type"].split(";")[0] == "application/json" or resp.text[:2] == '{"':
+                access_token = resp.json()
+            else:
+                access_token = dict(parse_qsl(resp.text))
+        if not access_token or "access_token" not in access_token:
+            raise OAuth2Error("Error retrieving access token: %s" % resp.content)
+        return access_token
diff --git a/itou/allauth/peamu/provider.py b/itou/allauth/peamu/provider.py
@@ -0,0 +1,83 @@
+from allauth.socialaccount import providers
+from allauth.socialaccount.providers.base import ProviderAccount
+from allauth.socialaccount.providers.oauth2.provider import OAuth2Provider
+from django.conf import settings
+
+
+# We do not use the extra 8 APIs yet, even though they are prepared below,
+# because the ESD staff has not validated our 8 contracts yet.
+USE_ALL_APIS = False
+
+BASIC_SCOPES = [
+    # API Se connecter avec Pôle emploi (individu) v1
+    # https://www.emploi-store-dev.fr/portail-developpeur-cms/home/catalogue-des-api/documentation-des-api/api/api-pole-emploi-connect/api-peconnect-individu-v1.html
+    "openid",
+    "api_peconnect-individuv1",
+    "email",
+    "profile",
+]
+
+EXTRA_SCOPES = [
+    # API Coordonnées v1
+    # https://www.emploi-store-dev.fr/portail-developpeur-cms/home/catalogue-des-api/documentation-des-api/api/api-pole-emploi-connect/api-peconnect-coordonnees-v1.html
+    "api_peconnect-coordonneesv1",
+    "coordonnees",
+    # API Statut v1
+    # https://www.emploi-store-dev.fr/portail-developpeur-cms/home/catalogue-des-api/documentation-des-api/api/api-pole-emploi-connect/api-peconnect-statut-v1.html
+    "api_peconnect-statutv1",
+    "statut",
+    # API Date de naissance v1
+    # https://www.emploi-store-dev.fr/portail-developpeur-cms/home/catalogue-des-api/documentation-des-api/api/api-pole-emploi-connect/api-peconnect-datenaissance-v1.html
+    "api_peconnect-datenaissancev1",
+    "datenaissance",
+    # API Indemnisations v1
+    # https://www.emploi-store-dev.fr/portail-developpeur-cms/home/catalogue-des-api/documentation-des-api/api/api-pole-emploi-connect/api-indemnisations-v1.html
+    "api_peconnect-indemnisationsv1",
+    "indemnisation",
+    # API Expériences professionnelles v1
+    # https://www.emploi-store-dev.fr/portail-developpeur-cms/home/catalogue-des-api/documentation-des-api/api/api-pole-emploi-connect/api-experiences-professionnelles.html
+    "api_peconnect-experiencesv1",
+    "pfcexperiences",
+    # API Expériences déclarées par l’Employeur v1
+    # https://www.emploi-store-dev.fr/portail-developpeur-cms/home/catalogue-des-api/documentation-des-api/api/api-pole-emploi-connect/api-peconnect-exp-declarees-v1.html
+    "api_peconnect-experiencesprofessionellesdeclareesparlemployeurv1",
+    "passeprofessionnel",
+    # API Formations professionnelles v1
+    # https://www.emploi-store-dev.fr/portail-developpeur-cms/home/catalogue-des-api/documentation-des-api/api/api-pole-emploi-connect/api-formations-professionnelles.html
+    "api_peconnect-formationsv1",
+    "pfcformations",
+    "pfcpermis",
+    # API Compétences professionnelles v2
+    # https://www.emploi-store-dev.fr/portail-developpeur-cms/home/catalogue-des-api/documentation-des-api/api/api-pole-emploi-connect/api-peconnect-competence-v2-1.html
+    "api_peconnect-competencesv2",
+    "pfccompetences",
+    "pfclangues",
+    "pfccentresinteret",
+]
+
+
+class PEAMUProvider(OAuth2Provider):
+    id = "peamu"
+    name = "PEAMU"
+    account_class = ProviderAccount
+
+    def get_default_scope(self):
+        client_id = settings.SOCIALACCOUNT_PROVIDERS["peamu"]["APP"]["client_id"]
+        scope = [f"application_{client_id}"] + BASIC_SCOPES
+        if USE_ALL_APIS:
+            scope += EXTRA_SCOPES
+        return scope
+
+    def get_auth_params(self, request, action):
+        ret = super().get_auth_params(request, action)
+        ret["realm"] = "/individu"
+        return ret
+
+    def extract_uid(self, data):
+        return str(data["sub"])
+
+    def extract_common_fields(self, data):
+        return dict(email=data.get("email"), last_name=data.get("family_name"), first_name=data.get("given_name"))
+
+
+providers.registry.register(PEAMUProvider)