Conversation
* prototype of forcing doc auth with selfie on mobile * raise error before making true id request for liveness + cropping workflow * comment on where to return DocAuth::ErrorRequest * do not return workflow for cropping + liveness * revert workflow method changes * LG-12306: continue work for flow policy check for selfie. changelog: Internal, Doc Auth, Stop user from capturing on desktop when selfie is required. * LG-12306: cleanup change. * LG-12306: test validation. * LG-12306: analytics event test. Mark idv_session selfie_check_required in agreement controller. * LG-12306: test clean up. * LG-12306: feature test. * LG-12306: format change caused failure. * LG-12306: dealing with dynamics of selfie requirement. * LG-12306: fix test. * LG-12306: fix test. * LG-12306: fix test. * LG-12306: format. * LG-12306: add configuration flag to indicate selfie allowed on desktop, mainly for testing purposes. * LG-12306: fix test. * LG-12306: restore events since we now allow selfie in test mode. * LG-12306: set the flag to true in dev and test. * LG-12306: try removing the flag. * LG-12306: rebase to main. * LG-12306: clean up. * LG-12306: clean up. * LG-12306: clean up. * LG-12306: clean up. --------- Co-authored-by: Amir Reavis-Bey <amir.reavis-bey@gsa.gov>
* LG-11703 Remove redundant queries from MKMR changelog: Internal, Reporting, Query once per time range in MKMR
* add updated hints for florida id * changelog: User-Facing Improvements, State id, update Florida specific hint text * remove spacing and change string * make normalize yaml * update spec * fix spec failure * update strings
- Query 2 weeks like the help text says - Use correct property for user_id changelog: Internal, Scripts, Update script for PIV/CAC investigations
) The `identities.vtr` column has one of the following values: 1. A JSON-encoded representation of the `vtr` param if the `vtr` param is consumed and used 2. Nil The `IdTokenBuilder` uses this value to add a `vot` to the ID token. Prior to this commit this code expected a string representation of a single VoT and not a JSON-encoded list. This commit addresses the issue and adjusts the tests to have the correct expectations. [skip changelog]
…unrestricted inline styles (#10114) * Revert "Revert icon reimplementation as inline style (#10113)" This reverts commit ca3c16c. * Remove style-src nonce for unrestricted inline styles changelog: Bug Fixes, Content-Security Policy, Fix conflict with style-src nonce for unsafe inline styles * Add regression specs * Avoid mutating default configuration
A previous change (ref: #10153) stopped reading from sp_session[:piv_cac_requested] and started using the result from the AuthnContextResolver instead. This change follows up by removing writes to the piv_cac_requested property in the SP session. This should not be merged until the change to stop reading is fully merged and deployed. [skip changelog]
* Add tmx_status to analytics events * Change 'pass' => 'threatmetrix_pass' to match already-existing language for reject * Fix tests for enrollment_helper_spec * Fix tests for spec/jobs/get_usps_proofing_results_job_spec.rb * changelog: ThreatMetrix, analytics logging, log ThreatMetrix status on IPP events * Pull out logic into small helper method to accommodate feature flag * Profile is undefined in some tests, add & safeguard for method * Trying to get the tests to pass with feature flag, still having some trouble with enrollment_helper * was being silly, profile is nil in enrollment_helper. It's functioning as intended. * changelog: Internal, analytics logging, log ThreatMetrix status on IPP
* Add logging and fix tests * Switch approaches * Fix tests * Add to logging * Revert change * Add documentation comment in analytics * changelog: Internal, In-Person Proofing, Add TrueID ReferenceId to logs when upload succeeds * Add new `reference_id: nil` param to tests * Rename to `request_id` and fix tests
…0173) * Mitigate permissions concern in rack-cors by locking version * changelog: Internal, Dependencies, Lock rack-cors to version 2.0.0 to avoid vulnerability in version 2.0.1
…or of trust (#10170) * changelog: Internal, Dependencies, Lock rack-cors to version 2.0.0 to avoid vulnerability in version 2.0.1 --------- Co-authored-by: Charley Ferguson <charleyferguson@navapbc.com>
The `SamlIdpController` tests had a shared example for what happens when a users signs in with an already verified account. This shared example is not actually shared between any examples. It is only used for the IAL2 case. This commit goes ahead and breaks it out into individual tests instead of using a shared example. [skip changelog]
This commit adds a feature spec for an OIDC authentication using VTR. This spec makes a request for a proofed user with a VTR and validates everything works as expected including the identity token attributes and user info response. [skip changelog]
…equired (#10164) * add validation to api image upload form to ensure that all images are uploaded by sdk when selfie is required changelog: Upcoming Features, Document Authentication, Ensure all doc auth images are sourced by sdk when liveness check is required * do not validate doc auth image source in dev/test envs * test validation that images are sourced by acuant for doc auth with selfie
The `use_vot_in_sp_requests` was set twice in the config. Confusingly it was set to 2 different values. This commit removes the first one and lets the previously computed value of `false` prevail. [skip changelog]
* Add liveness_checking_required to controllers * Fix naming * Add to image upload form * Fix existing tests * Add docs * changelog: Internal, In-Person Proofing, add liveness_checking_required to BE logs * Fix tests * test commit * Add selfie_check_performed to logs * Remove unnecessary liveness_checking_required additions. Co-authored-by: Amir Reavis-Bey <amir.reavis-bey@gsa.gov> * Remove selfie_check_performed * Add 'IdV: doc auth image upload vendor submitted' to all test paths * Fix capture complete spec --------- Co-authored-by: Amir Reavis-Bey <amir.reavis-bey@gsa.gov>
…10131) * sdk autocaptured id images route to non-cropping workflow changelog: Internal, Document Authentication, SDK autocaptured images routed to non-cropping workflow * fix non cropping workflow selection * rename image_cropped to id_images_cropped * add id_images_cropped to arguments in spec * images cropped determine workflow for TrueIDRequest * update LN client tests to use images_cropped * update spec on image source w/ selfie * test images cropped when calling post_images * remove comment * remove comment * remove unnecessary condition when detecting autocapture * resolve conflicts post rebase
* Fix yard CVE
```
Name: yard
Version: 0.9.34
CVE: CVE-2024-27285
GHSA: GHSA-8mq4-9jjh-9xrc
Criticality: Medium
URL: GHSA-8mq4-9jjh-9xrc
Title: YARD's default template vulnerable to Cross-site Scripting in generated frames.html
Solution: upgrade to '>= 0.9.35'
```
* changelog: Internal, Dependencies, Update yard for cve
It looks like this is failing because of the YARD CVE fix that has not been deployed to staging yet. Should we fast-forward to the commit with the fix? That is this one: e3509c9

Do we want only that commit, or to gather everything to that point? If only that commit: why not cherry-pick the commit?
I would say let's get everything up to at least that point.

I'd love to include #10181 too! But if not I can patch release it today separately as well

As a cherry-pick, or some other method?

Cherry-pick or fast-forward is fine, I haven't checked what else got merged and how strongly we feel about it
…10181) * Update valid_email gem to use new "partial" option for disposable domain blocking changelog: Internal, Signup, Block subdomains of disposable email domains from signup
Consider it done!
User-Facing Improvements
Bug Fixes
Internal
Upcoming Features