Revert "Merge pull request #10136 from 18F/stages/rc-2024-02-22"

Gemfile

@@ -3,7 +3,7 @@ git_source(:github) { |repo_name| "https://github.com/#{repo_name}.git" }
 
 ruby "~> #{File.read(File.join(__dir__, '.ruby-version')).strip}"
 
-gem 'rails', '~> 7.1.3'
+gem 'rails', '~> 7.1.0'
 
 gem 'activerecord-postgis-adapter', '~> 9.0'
 gem 'ahoy_matey', '~> 3.0'

Gemfile.lock

@@ -68,74 +68,74 @@ GIT
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (7.1.3.2)
-      actionpack (= 7.1.3.2)
-      activesupport (= 7.1.3.2)
+    actioncable (7.1.2)
+      actionpack (= 7.1.2)
+      activesupport (= 7.1.2)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
       zeitwerk (~> 2.6)
-    actionmailbox (7.1.3.2)
-      actionpack (= 7.1.3.2)
-      activejob (= 7.1.3.2)
-      activerecord (= 7.1.3.2)
-      activestorage (= 7.1.3.2)
-      activesupport (= 7.1.3.2)
+    actionmailbox (7.1.2)
+      actionpack (= 7.1.2)
+      activejob (= 7.1.2)
+      activerecord (= 7.1.2)
+      activestorage (= 7.1.2)
+      activesupport (= 7.1.2)
       mail (>= 2.7.1)
       net-imap
       net-pop
       net-smtp
-    actionmailer (7.1.3.2)
-      actionpack (= 7.1.3.2)
-      actionview (= 7.1.3.2)
-      activejob (= 7.1.3.2)
-      activesupport (= 7.1.3.2)
+    actionmailer (7.1.2)
+      actionpack (= 7.1.2)
+      actionview (= 7.1.2)
+      activejob (= 7.1.2)
+      activesupport (= 7.1.2)
       mail (~> 2.5, >= 2.5.4)
       net-imap
       net-pop
       net-smtp
       rails-dom-testing (~> 2.2)
-    actionpack (7.1.3.2)
-      actionview (= 7.1.3.2)
-      activesupport (= 7.1.3.2)
+    actionpack (7.1.2)
+      actionview (= 7.1.2)
+      activesupport (= 7.1.2)
       nokogiri (>= 1.8.5)
       racc
       rack (>= 2.2.4)
       rack-session (>= 1.0.1)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
-    actiontext (7.1.3.2)
-      actionpack (= 7.1.3.2)
-      activerecord (= 7.1.3.2)
-      activestorage (= 7.1.3.2)
-      activesupport (= 7.1.3.2)
+    actiontext (7.1.2)
+      actionpack (= 7.1.2)
+      activerecord (= 7.1.2)
+      activestorage (= 7.1.2)
+      activesupport (= 7.1.2)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (7.1.3.2)
-      activesupport (= 7.1.3.2)
+    actionview (7.1.2)
+      activesupport (= 7.1.2)
       builder (~> 3.1)
       erubi (~> 1.11)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
-    activejob (7.1.3.2)
-      activesupport (= 7.1.3.2)
+    activejob (7.1.2)
+      activesupport (= 7.1.2)
       globalid (>= 0.3.6)
-    activemodel (7.1.3.2)
-      activesupport (= 7.1.3.2)
-    activerecord (7.1.3.2)
-      activemodel (= 7.1.3.2)
-      activesupport (= 7.1.3.2)
+    activemodel (7.1.2)
+      activesupport (= 7.1.2)
+    activerecord (7.1.2)
+      activemodel (= 7.1.2)
+      activesupport (= 7.1.2)
       timeout (>= 0.4.0)
     activerecord-postgis-adapter (9.0.1)
       activerecord (~> 7.1.0)
       rgeo-activerecord (~> 7.0.0)
-    activestorage (7.1.3.2)
-      actionpack (= 7.1.3.2)
-      activejob (= 7.1.3.2)
-      activerecord (= 7.1.3.2)
-      activesupport (= 7.1.3.2)
+    activestorage (7.1.2)
+      actionpack (= 7.1.2)
+      activejob (= 7.1.2)
+      activerecord (= 7.1.2)
+      activesupport (= 7.1.2)
       marcel (~> 1.0)
-    activesupport (7.1.3.2)
+    activesupport (7.1.2)
       base64
       bigdecimal
       concurrent-ruby (~> 1.0, >= 1.0.2)
@@ -503,20 +503,20 @@ GEM
     rackup (2.1.0)
       rack (>= 3)
       webrick (~> 1.8)
-    rails (7.1.3.2)
-      actioncable (= 7.1.3.2)
-      actionmailbox (= 7.1.3.2)
-      actionmailer (= 7.1.3.2)
-      actionpack (= 7.1.3.2)
-      actiontext (= 7.1.3.2)
-      actionview (= 7.1.3.2)
-      activejob (= 7.1.3.2)
-      activemodel (= 7.1.3.2)
-      activerecord (= 7.1.3.2)
-      activestorage (= 7.1.3.2)
-      activesupport (= 7.1.3.2)
+    rails (7.1.2)
+      actioncable (= 7.1.2)
+      actionmailbox (= 7.1.2)
+      actionmailer (= 7.1.2)
+      actionpack (= 7.1.2)
+      actiontext (= 7.1.2)
+      actionview (= 7.1.2)
+      activejob (= 7.1.2)
+      activemodel (= 7.1.2)
+      activerecord (= 7.1.2)
+      activestorage (= 7.1.2)
+      activesupport (= 7.1.2)
       bundler (>= 1.15.0)
-      railties (= 7.1.3.2)
+      railties (= 7.1.2)
     rails-controller-testing (1.0.5)
       actionpack (>= 5.0.1.rc1)
       actionview (>= 5.0.1.rc1)
@@ -531,9 +531,9 @@ GEM
     rails-i18n (7.0.6)
       i18n (>= 0.7, < 2)
       railties (>= 6.0.0, < 8)
-    railties (7.1.3.2)
-      actionpack (= 7.1.3.2)
-      activesupport (= 7.1.3.2)
+    railties (7.1.2)
+      actionpack (= 7.1.2)
+      activesupport (= 7.1.2)
       irb
       rackup (>= 1.0.0)
       rake (>= 12.2)
@@ -818,7 +818,7 @@ DEPENDENCIES
   rack-test (>= 1.1.0)
   rack-timeout
   rack_session_access (>= 0.2.0)
-  rails (~> 7.1.3)
+  rails (~> 7.1.0)
   rails-controller-testing (>= 1.0.4)
   redacted_struct
   redis (>= 3.2.0)

app/controllers/application_controller.rb

@@ -257,7 +257,7 @@ def after_mfa_setup_path
   def user_needs_to_reactivate_account?
     return false if current_user.password_reset_profile.blank?
     return false if pending_profile_newer_than_password_reset_profile?
-    resolved_authn_context_result.identity_proofing?
+    sp_session[:ial2] == true
   end
 
   def pending_profile_newer_than_password_reset_profile?
@@ -387,11 +387,8 @@ def set_locale
     I18n.locale = LocaleChooser.new(params[:locale], request).locale
   end
 
-  def pii_requested_but_locked?
-    if resolved_authn_context_result.identity_proofing? || resolved_authn_context_result.ialmax?
-      current_user.identity_verified? &&
-        !Pii::Cacher.new(current_user, user_session).exists_in_session?
-    end
+  def sp_session_ial
+    sp_session[:ial].presence || 1
   end
 
   def mfa_policy

app/controllers/concerns/billable_event_trackable.rb

@@ -41,7 +41,7 @@ def mark_current_session_billed
   def session_has_been_billed_flag_key
     issuer = sp_session[:issuer]
 
-    if !resolved_authn_context_result.identity_proofing?
+    if sp_session_ial == 1
       "auth_counted_#{issuer}ial1"
     else
       "auth_counted_#{issuer}"

app/controllers/concerns/idv_session_concern.rb

@@ -53,7 +53,13 @@ def redirect_unless_idv_session_user
   def redirect_unless_sp_requested_verification
     return if !IdentityConfig.store.idv_sp_required
     return if idv_session_user.profiles.any?
-    return if resolved_authn_context_result.identity_proofing?
+
+    ial_context = IalContext.new(
+      ial: sp_session_ial,
+      service_provider: sp_from_sp_session,
+      user: idv_session_user,
+    )
+    return if ial_context.ial2_or_greater?
 
     redirect_to account_url
   end

app/controllers/concerns/saml_idp_auth_concern.rb

@@ -133,7 +133,7 @@ def link_identity_from_session_data
     IdentityLinker.
       new(current_user, saml_request_service_provider).
       link_identity(
-        ial: resolved_authn_context_int_ial,
+        ial: ial_context.ial,
         rails_session_id: session.id,
       )
   end
@@ -148,8 +148,9 @@ def identity_needs_verification?
 
   def ial_context
     @ial_context ||= IalContext.new(
-      ial: resolved_authn_context_int_ial,
+      ial: requested_ial_authn_context,
       service_provider: saml_request_service_provider,
+      authn_context_comparison: saml_request.requested_authn_context_comparison,
       user: current_user,
     )
   end

app/controllers/concerns/verify_sp_attributes_concern.rb

@@ -22,7 +22,7 @@ def update_verified_attributes
       current_user,
       current_sp,
     ).link_identity(
-      ial: linked_identity_ial,
+      ial: sp_session_ial,
       verified_attributes: sp_session[:requested_attributes],
       last_consented_at: Time.zone.now,
       clear_deleted_at: true,
@@ -62,16 +62,6 @@ def verified_after_consent?(last_estimated_consent)
     verification_timestamp.present? && last_estimated_consent < verification_timestamp
   end
 
-  def linked_identity_ial
-    if resolved_authn_context_result.ialmax?
-      0
-    elsif resolved_authn_context_result.identity_proofing?
-      2
-    else
-      1
-    end
-  end
-
   def find_sp_session_identity
     current_user&.identities&.find_by(service_provider: sp_session[:issuer])
   end

app/controllers/idv/personal_key_controller.rb

@@ -21,16 +21,11 @@ def show
       analytics.idv_personal_key_visited(
         address_verification_method: idv_session.address_verification_mechanism,
         in_person_verification_pending: idv_session.profile&.in_person_verification_pending?,
-        encrypted_profiles_missing: pii_is_missing?,
         **opt_in_analytics_properties,
       )
+      add_proofing_component
 
-      if pii_is_missing?
-        redirect_to_retrieve_pii
-      else
-        add_proofing_component
-        finish_idv_session
-      end
+      finish_idv_session
     end
 
     def update
@@ -122,14 +117,5 @@ def in_person_enrollment?
       return false unless IdentityConfig.store.in_person_proofing_enabled
       current_user.pending_in_person_enrollment.present?
     end
-
-    def pii_is_missing?
-      user_session[:encrypted_profiles].blank?
-    end
-
-    def redirect_to_retrieve_pii
-      user_session[:stored_location] = request.original_fullpath
-      redirect_to fix_broken_personal_key_url
-    end
   end
 end

app/controllers/openid_connect/authorization_controller.rb

@@ -189,6 +189,12 @@ def store_request
       ).call
     end
 
+    def pii_requested_but_locked?
+      sp_session && sp_session_ial > 1 &&
+        current_user.identity_verified? &&
+        !Pii::Cacher.new(current_user, user_session).exists_in_session?
+    end
+
     def track_events
       event_ial_context = IalContext.new(
         ial: @authorize_form.ial,

app/controllers/saml_idp_controller.rb

@@ -113,6 +113,13 @@ def set_devise_failure_redirect_for_concurrent_session_logout
     request.env['devise_session_limited_failure_redirect_url'] = request.url
   end
 
+  def pii_requested_but_locked?
+    if (sp_session && sp_session_ial > 1) || ial_context.ialmax_requested?
+      current_user.identity_verified? &&
+        !Pii::Cacher.new(current_user, user_session).exists_in_session?
+    end
+  end
+
   def capture_analytics
     analytics_payload = result.to_h.merge(
       endpoint: api_saml_auth_path(path_year: params[:path_year]),
@@ -139,9 +146,7 @@ def log_external_saml_auth_request
   end
 
   def requested_ial
-    requested_ial_acr = FederatedProtocols::Saml.new(saml_request).ial
-    requested_ial_component = Vot::LegacyComponentValues.by_name[requested_ial_acr]
-    return 'ialmax' if requested_ial_component&.requirements&.include?(:ialmax)
+    return 'ialmax' if ial_context.ialmax_requested?
 
     saml_request&.requested_ial_authn_context || 'none'
   end
@@ -169,19 +174,9 @@ def render_template_for(message, action_url, type)
     )
   end
 
-  def resolved_authn_context_int_ial
-    if resolved_authn_context_result.ialmax?
-      0
-    elsif resolved_authn_context_result.identity_proofing?
-      2
-    else
-      1
-    end
-  end
-
   def track_events
     analytics.sp_redirect_initiated(
-      ial: resolved_authn_context_int_ial,
+      ial: ial_context.ial,
       billed_ial: ial_context.bill_for_ial_1_or_2,
       sign_in_flow: session[:sign_in_flow],
     )