feat(admin): backoffice access control (isAdmin role) (#3187)

Author: LucasCharrier

.github/workflows/e2e.yaml

@@ -31,6 +31,7 @@ jobs:
       S3_BUCKET_NAME: egapro-dev-app
       CLAMAV_HOST: localhost
       CLAMAV_PORT: 3310
+      ADMIN_EMAILS: test@fia1.fr
       # Required by env.js but never exercised by E2E tests (the audit
       # cleanup route is only called by the K8s CronJob). A dummy value
       # that satisfies the `.min(32)` Zod check is enough.

.kontinuous/env/dev/templates/admin.configmap.yaml

@@ -0,0 +1,8 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: admin
+data:
+  # Test ProConnect identity used by the E2E suite and manual QA on
+  # review apps — gives admin access on dev/alpha environments only.
+  ADMIN_EMAILS: "test@fia1.fr"

.kontinuous/env/preprod/templates/admin.configmap.yaml

@@ -0,0 +1,8 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: admin
+data:
+  # Test ProConnect identity used by manual QA on alpha/preprod — gives
+  # admin access on non-production environments only.
+  ADMIN_EMAILS: "test@fia1.fr"

.kontinuous/env/prod/templates/admin.sealed-secret.yaml

@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  annotations:
+    sealedsecrets.bitnami.com/namespace-wide: 'true'
+  name: admin
+  namespace: egapro
+spec:
+  encryptedData:
+    ADMIN_EMAILS: AgAPO/KHlIJDVCnAYm7q2u2g6c/U/bTblJtWxEc3u+D85388le3uBUOGwv4Fbn32RBXXa/FX+VVvAAQ+k0i8+TuuEFVT74/A+UnqdL+NrjRKv/NjpYqtfD75reeFnbgGZ7Z7m9i0Kb888TCX2H72LGDBC6vgJe5650FM2Fs0wSTc0Lnl7/q4wO0jJn5YOjAxMvqGm/V6fk/rtdFgTabwHVFYQHDdxorRfMcwJH0+V7FmGOCeH2ye2AUyAUUoDgdPEqwmYs3QyOQVTDKSG7KbvioY3/Jh1SwxLJxmvMm2BpBdl9aYtjDOM1vKgVcfD6kAenrB4gKFUzf0L91wfmgnXwhb19r/sT6AL4Bsf8CLow2wZZ5gecVF3MRKgaBJJyDY6pRshuVT2QUSYrOkTV0kC0U08zJv0shsUinyfBWv4XYgmUHslqtLtJac9cvQnbkQU8uT6zTRNJjdswxd44G586bVmQguop37RiPzl4tNeuN1Z/YpvwJ5V0JSRuZ94wmP254njB72GW7azKULrbSEi9nL3aMhKJnYLLJg10XleSkT45kK03+kzNDZD51ZBxLCD/GNWkqsiLqaHpKDtHWrydrlTxEJk6LSnGlhwDiVNjhPUEo9/HKiN2CBqlj2K2sQ24294M7CB5SFXv2iJSDPEVxjTphYMQblvSqj8keY/MTGTIDjzb4NpXPsdWpX1spP4CaPgmIQm/TOQu5oJ1b5z/Zp9Z3yBtj/obXNDkQp2TuyHxlN
+  template:
+    metadata:
+      annotations:
+        sealedsecrets.bitnami.com/namespace-wide: 'true'
+      name: admin
+    type: Opaque

.kontinuous/values.yaml

@@ -35,6 +35,12 @@ app:
     - secretRef:
         name: "gip-mds-import"
         optional: true
+    - configMapRef:
+        name: "admin"
+        optional: true
+    - secretRef:
+        name: "admin"
+        optional: true
     - secretRef:
         name: "audit-cleanup"
         optional: true

packages/app/.env.example

@@ -22,3 +22,4 @@ S3_SECRET_ACCESS_KEY="minioadmin"
 S3_BUCKET_NAME="egapro-dev-app"
 CLAMAV_HOST="localhost"
 CLAMAV_PORT="3310"
+ADMIN_EMAILS="test@fia1.fr"

packages/app/src/__tests__/middleware.test.ts

@@ -0,0 +1,54 @@
+import type { NextRequest } from "next/server";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+const { mockGetToken } = vi.hoisted(() => ({
+	mockGetToken: vi.fn(),
+}));
+
+vi.mock("next-auth/jwt", () => ({ getToken: mockGetToken }));
+vi.mock("~/env", () => ({ env: { AUTH_SECRET: "test-secret" } }));
+
+import { middleware } from "~/middleware";
+
+function makeRequest(pathname = "/admin"): NextRequest {
+	const url = `http://localhost${pathname}`;
+	return {
+		url,
+		nextUrl: { pathname },
+	} as unknown as NextRequest;
+}
+
+describe("admin middleware", () => {
+	beforeEach(() => {
+		mockGetToken.mockReset();
+	});
+
+	it("redirects to /login with callbackUrl when there is no token", async () => {
+		mockGetToken.mockResolvedValue(null);
+		const res = await middleware(makeRequest("/admin/users"));
+		expect(res.headers.get("location")).toBe(
+			"http://localhost/login?callbackUrl=%2Fadmin%2Fusers",
+		);
+	});
+
+	it("forces re-login when the token has no isAdmin field (pre-PR token)", async () => {
+		mockGetToken.mockResolvedValue({ id: "u1" });
+		const res = await middleware(makeRequest("/admin"));
+		expect(res.headers.get("location")).toBe(
+			"http://localhost/login?callbackUrl=%2Fadmin",
+		);
+	});
+
+	it("redirects non-admin users to /mon-espace", async () => {
+		mockGetToken.mockResolvedValue({ id: "u1", isAdmin: false });
+		const res = await middleware(makeRequest("/admin"));
+		expect(res.headers.get("location")).toBe("http://localhost/mon-espace");
+	});
+
+	it("lets admin users through", async () => {
+		mockGetToken.mockResolvedValue({ id: "u1", isAdmin: true });
+		const res = await middleware(makeRequest("/admin"));
+		// NextResponse.next() does not set a redirect location
+		expect(res.headers.get("location")).toBeNull();
+	});
+});

packages/app/src/app/admin/layout.tsx

@@ -0,0 +1,22 @@
+import { redirect } from "next/navigation";
+import type { ReactNode } from "react";
+
+import { auth } from "~/server/auth";
+
+export default async function AdminLayout({
+	children,
+}: {
+	children: ReactNode;
+}) {
+	const session = await auth();
+
+	if (!session?.user) {
+		redirect("/login");
+	}
+
+	if (!session.user.isAdmin) {
+		redirect("/mon-espace");
+	}
+
+	return <>{children}</>;
+}

packages/app/src/app/admin/page.tsx

@@ -0,0 +1,16 @@
+import { AdminHomePage } from "~/modules/admin";
+import { auth } from "~/server/auth";
+
+export default async function Page() {
+	// Access control is handled by the edge middleware and the admin layout;
+	// when this page renders we are guaranteed to have an admin session.
+	const session = await auth();
+	const user = session?.user;
+
+	return (
+		<AdminHomePage
+			userEmail={user?.email ?? ""}
+			userName={user?.name ?? user?.email ?? ""}
+		/>
+	);
+}

packages/app/src/e2e/admin.e2e.ts

@@ -0,0 +1,11 @@
+import { expect, test } from "@playwright/test";
+
+test("admin user can access /admin and sees backoffice page", async ({
+	page,
+}) => {
+	await page.goto("/admin");
+	await expect(
+		page.getByRole("heading", { name: "Backoffice", level: 1 }),
+	).toBeVisible();
+	await expect(page.getByText("administrateur")).toBeVisible();
+});