Merged
20 commits
bdefaab
LG-12306: selfie standardflow check (#10112)
dawei-nava Feb 27, 2024
88aab40
LG-11703 Remove redundant queries from MKMR (#10163)
ThatSpaceGuy Feb 27, 2024
d6408b8
LG-12138 add updated hints for florida id (#10149)
svalexander Feb 27, 2024
0061373
Fix download-piv-certs script (#10167)
zachmargolis Feb 27, 2024
0621238
Modify the ID token builder to recognize JSON encoded VTR params (#10…
jmhooper Feb 27, 2024
88f7900
Restore inline icon style implementation, remove style-src nonce for …
aduth Feb 28, 2024
2a02d34
LG-12265: Stop writing to sp_session[:piv_cac_requested] (#10154)
solipet Feb 28, 2024
a295f12
Log ThreatMetrix status on IPP events (#10101)
daphnegold Feb 28, 2024
e89d68d
LG-12321: Log TrueIDResponse Identifiers for Troubleshooting (#10118)
charleyf Feb 28, 2024
47713e1
Lock to `rack-cors 2.0.0` to avoid problem with `rack-cors 2.0.1` (#1…
charleyf Feb 28, 2024
501a170
LG-12264 replace uses of :aal_level_requested in sp session with vect…
jmax-gsa Feb 28, 2024
24a63ab
Remove shared example from SamlIdpController tests (#10174)
jmhooper Feb 28, 2024
77829c4
Add a VTR feature spec (#10176)
jmhooper Feb 28, 2024
6494e28
LG-12308: validate images are sourced by sdk when liveness check is r…
amirbey Feb 28, 2024
0b2cb84
Remove extraneous `use_vot_in_sp_requests` setting (#10179)
jmhooper Feb 28, 2024
d05cac6
LG-12160: Add liveness_checking_required To BE Logs (#10150)
charleyf Feb 28, 2024
6820f81
Remove `tid` argument from OIDC auth helpers (#10177)
jmhooper Feb 28, 2024
7d53024
LG-12372: sdk autocaptured id images route to non-cropping workflow (…
amirbey Feb 28, 2024
e3509c9
Fix yard CVE (#10184)
Feb 29, 2024
43da169
Block subdomains of disposable email domains from signup (LG-12589) (…
zachmargolis Feb 29, 2024
5 changes: 3 additions & 2 deletions Gemfile
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@ gem 'profanity_filter'
gem 'propshaft'
gem 'rack', '>= 3.0'
gem 'rack-attack', github: 'rack/rack-attack', ref: 'd9fedfae4f7f6409f33857763391f4e18a6d7467'
gem 'rack-cors', '>= 1.0.5', require: 'rack/cors'
gem 'rack-cors', '>= 1.0.5', '< 2.0.1', require: 'rack/cors'
gem 'rack-headers_filter'
gem 'rack-timeout', require: false
gem 'redacted_struct'
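Review bot: the new `'< 2.0.1'` cap on rack-cors carries no in-file explanation, unlike the valid_email pin in the next hunk, which cites the upstream PR it is waiting on. Add a comment on that line naming the rack-cors issue and what breaks under 2.0.1, and open a tracking item to lift the cap; while it stands, Bundler will never resolve past 2.0.0, so any later rack-cors fix, security-relevant or not, is silently excluded.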
Expand All @@ -76,7 +76,8 @@ gem 'stringex', require: false
gem 'strong_migrations', '>= 0.4.2'
gem 'subprocess', require: false
gem 'terminal-table', require: false
gem 'valid_email', '>= 0.1.3'
# until a release includes https://github.com/hallelujah/valid_email/pull/126
gem 'valid_email', '>= 0.1.3', github: 'hallelujah/valid_email', ref: '486b860'
gem 'view_component', '~> 3.0'
gem 'webauthn', '~> 2.5.2'
gem 'xmldsig', '~> 0.6'
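Review bot: the valid_email pin uses the 7-character ref `486b860` while the rack-attack pin a few lines up and the Gemfile.lock both record the full 40-character SHA (`486b860fb40281d1ba99ec7621505abc5c9ad5bb`). Use the full SHA in the Gemfile as well, so the pin stays unambiguous if the upstream repository ever gains another object with that prefix and so the Gemfile and lock agree byte for byte. The `'>= 0.1.3'` floor is satisfied trivially by the 0.2.0 the commit declares; it only earns its place if the intent is to make Bundler fail should the ref ever be moved to an older commit, and a short comment saying so would make that intent clear.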
34 changes: 20 additions & 14 deletions Gemfile.lock
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,16 @@ GIT
nokogiri (>= 1.10.2)
pkcs11

GIT
remote: https://github.com/hallelujah/valid_email.git
revision: 486b860fb40281d1ba99ec7621505abc5c9ad5bb
ref: 486b860
specs:
valid_email (0.2.0)
activemodel
mail (>= 2.6.1)
simpleidn

GIT
remote: https://github.com/hashrocket/capybara-webmock.git
revision: d3f3b7c8edbeca7b575e74b256ad22df80d2b420
Expand Down Expand Up @@ -216,7 +226,7 @@ GEM
erubi (~> 1.4)
parser (>= 2.4)
smart_properties
bigdecimal (3.1.5)
bigdecimal (3.1.6)
bindata (2.4.15)
bootsnap (1.17.0)
msgpack (~> 1.2)
Expand Down Expand Up @@ -249,7 +259,7 @@ GEM
coderay (1.1.3)
coercible (1.0.0)
descendants_tracker (~> 0.0.1)
concurrent-ruby (1.2.2)
concurrent-ruby (1.2.3)
connection_pool (2.4.1)
cose (1.3.0)
cbor (~> 0.5.9)
Expand Down Expand Up @@ -418,11 +428,11 @@ GEM
mini_histogram (0.3.1)
mini_mime (1.1.5)
mini_portile2 (2.8.5)
minitest (5.20.0)
minitest (5.22.2)
msgpack (1.7.2)
multiset (0.5.3)
mutex_m (0.2.0)
net-imap (0.4.6)
net-imap (0.4.10)
date
net-protocol
net-pop (0.1.2)
Expand All @@ -431,7 +441,7 @@ GEM
timeout
net-sftp (3.0.0)
net-ssh (>= 5.0.0, < 7.0.0)
net-smtp (0.4.0)
net-smtp (0.4.0.1)
net-protocol
net-ssh (6.1.0)
newrelic_rpm (9.7.0)
Expand Down Expand Up @@ -485,7 +495,7 @@ GEM
raabro (1.4.0)
racc (1.7.3)
rack (3.0.9.1)
rack-cors (2.0.1)
rack-cors (2.0.0)
rack (>= 2.0.0)
rack-headers_filter (0.0.1)
rack-mini-profiler (3.3.0)
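Review bot: this is a downgrade of a middleware that decides which cross-origin requests are honoured (rack-cors 2.0.1 back to 2.0.0), and the diff records only that 2.0.1 caused a problem. Before merging, confirm from the rack-cors 2.0.1 changelog that the release did not tighten origin matching or fix a security issue, and write the finding into the PR description, so the reason for staying on 2.0.0 is auditable later.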
Expand Down Expand Up @@ -683,13 +693,9 @@ GEM
concurrent-ruby (~> 1.0)
unf (0.1.4)
unf_ext
unf_ext (0.0.8)
unf_ext (0.0.9.1)
unicode-display_width (2.5.0)
uniform_notifier (1.16.0)
valid_email (0.1.4)
activemodel
mail (>= 2.6.1)
simpleidn
view_component (3.9.0)
activesupport (>= 5.2.0, < 8.0)
concurrent-ruby (~> 1.0)
Expand Down Expand Up @@ -729,7 +735,7 @@ GEM
nokogiri (~> 1.11)
xpath (3.2.0)
nokogiri (~> 1.8)
yard (0.9.34)
yard (0.9.35)
zeitwerk (2.6.12)
zlib (3.0.0)
zonebie (0.6.1)
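Review bot: the commit message says "Fix yard CVE" but neither the message nor this hunk names the advisory. Cite the CVE or GHSA identifier in the commit message so the bump from 0.9.34 to 0.9.35 is auditable, and state whether yard is loaded outside the development/documentation groups, since that bounds the exposure of a doc-generation tool.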
Expand Down Expand Up @@ -812,7 +818,7 @@ DEPENDENCIES
puma (~> 6.0)
rack (>= 3.0)
rack-attack!
rack-cors (>= 1.0.5)
rack-cors (>= 1.0.5, < 2.0.1)
rack-headers_filter
rack-mini-profiler (>= 1.1.3)
rack-test (>= 1.1.0)
Expand Down Expand Up @@ -850,7 +856,7 @@ DEPENDENCIES
subprocess
tableparser
terminal-table
valid_email (>= 0.1.3)
valid_email (>= 0.1.3)!
view_component (~> 3.0)
webauthn (~> 2.5.2)
webmock
1 change: 0 additions & 1 deletion app/assets/images/globe-blue.svg

This file was deleted.

1 change: 0 additions & 1 deletion app/assets/images/globe-white.svg

This file was deleted.

39 changes: 16 additions & 23 deletions app/assets/stylesheets/components/_language-picker.scss
Original file line number Diff line number Diff line change
Expand Up @@ -43,18 +43,6 @@
}
}

span {
margin: 0 units(1);
}

&::after {
content: '';
display: block;
width: 0.8125rem;
height: 0.8125rem;
background-size: 0.8125rem;
}

&.usa-accordion__button[aria-expanded='false'],
&.usa-accordion__button[aria-expanded='true'] {
background-image: none;
Expand All @@ -64,23 +52,28 @@
&:hover {
background-color: transparent;
}

&::after {
background-image: url('/angle-arrow-up.svg');

@include at-media('tablet') {
background-image: url('/angle-arrow-up-white.svg');
}
}
}

&.usa-accordion__button[aria-expanded='true'] {
@include u-bg('primary');
color: color('white');
}
}

&::after {
background-image: url('/angle-arrow-down-white.svg');
}
.language-picker__label-text {
margin-left: units(1);
margin-right: units(0.5);
}

.language-picker__expander {
transition: transform $project-easing;

@media (prefers-reduced-motion) {
transition: none;
}

.usa-accordion__button[aria-expanded='false'] & {
transform: rotate(-180deg);
}
}

15 changes: 8 additions & 7 deletions app/components/icon_component.html.erb
Original file line number Diff line number Diff line change
@@ -1,10 +1,11 @@
<%= content_tag(
:svg,
aria: { hidden: true },
focusable: 'false',
role: 'img',
:span,
content_tag(
:style,
"#icon-#{unique_id} { mask-image: url(#{icon_path}); -webkit-mask-image: url(#{icon_path}); }",
nonce: content_security_policy_nonce,
),
**tag_options,
id: "icon-#{unique_id}",
class: css_class,
) do %>
<use href="<%= icon_path %>"></use>
<% end %>
) -%>
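Review bot: `icon_path` is interpolated straight into the body of a `<style>` element inside `url(...)`, and `content_tag` applies HTML escaping, which is the wrong escaper for a CSS context (the browser does not decode entities inside `<style>`, and a `)` or `;` in the value is not neutralised). Today the value comes from `asset_path("usa-icons/#{icon}.svg")`, so the only input is the developer-supplied `icon:` argument, but because this `<style>` carries the CSP nonce, any future path by which `icon` could be influenced by request data would yield nonce-approved style injection. Constrain `icon` to a fixed set of names (raise on anything else) or CSS-escape it before interpolation. Separately, the removed `aria: { hidden: true }`, `focusable: 'false'` and `role: 'img'` do not reappear on the replacement `<span>`; if `**tag_options` is expected to carry them, add a spec asserting it, since decorative icons being read aloud would be a regression.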
4 changes: 2 additions & 2 deletions app/components/icon_component.rb
Original file line number Diff line number Diff line change
Expand Up @@ -255,13 +255,13 @@ def initialize(icon:, size: nil, **tag_options)
end

def css_class
classes = ['usa-icon', *tag_options[:class]]
classes = ['icon', 'usa-icon', *tag_options[:class]]
classes << "usa-icon--size-#{size}" if size
classes
end

def icon_path
asset_path([asset_path('sprite.svg'), '#', icon].join, host: asset_host)
@icon_path ||= asset_path("usa-icons/#{icon}.svg", host: asset_host)
end

private
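Review bot: `icon` now forms part of a file path (`usa-icons/#{icon}.svg`) rather than a fragment id on one sprite, so a stray `/` or `..` in the value changes which asset is looked up. Memoising with `@icon_path ||=` is fine, but add a guard in `initialize` that rejects names outside the expected shape (the icons used in this PR are of the form `expand_more`, `language`, i.e. `[a-z0-9_]+`), and add a spec that every icon name referenced in the app resolves to an existing file, since the lookup is now per file and the failure mode differs from a missing sprite symbol.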
5 changes: 5 additions & 0 deletions app/components/icon_component.scss
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,11 @@

@forward 'usa-icon';

.icon {
mask-size: 100%;
background-color: currentColor;
}

$icon-min-padding: 2px;

// Upstream: https://github.com/uswds/uswds/pull/4493
6 changes: 3 additions & 3 deletions app/components/language_picker_component.html.erb
Original file line number Diff line number Diff line change
Expand Up @@ -7,11 +7,11 @@
expanded: false,
},
) do %>
<%= image_tag(asset_url('globe-blue.svg'), width: 12, height: 12, alt: '', class: 'tablet:display-none') %>
<%= image_tag(asset_url('globe-white.svg'), width: 12, height: 12, alt: '', class: 'display-none tablet:display-inline') %>
<span id="language-picker-description-<%= unique_id %>">
<%= render IconComponent.new(icon: :language) %>
<span id="language-picker-description-<%= unique_id %>" class="language-picker__label-text">
<%= t('i18n.language') %>
</span>
<%= render IconComponent.new(icon: :expand_more, size: 3, class: 'language-picker__expander') %>
<% end %>
<ul
id="language-picker-<%= unique_id %>"
2 changes: 1 addition & 1 deletion app/controllers/application_controller.rb
Original file line number Diff line number Diff line change
Expand Up @@ -404,7 +404,7 @@ def service_provider_mfa_policy
user: current_user,
service_provider: sp_from_sp_session,
auth_methods_session:,
aal_level_requested: sp_session[:aal_level_requested],
aal_level_requested: resolved_authn_context_result.aal_level_requested,
piv_cac_requested: resolved_authn_context_result.hspd12?,
phishing_resistant_requested: resolved_authn_context_result.phishing_resistant?,
)
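Review bot: with this line all three requested-policy inputs (`aal_level_requested`, `piv_cac_requested`, `phishing_resistant_requested`) are read from the resolved authn context rather than a mix of session keys and the resolver, which removes the possibility of the two disagreeing. Confirm in the same PR that the writer of `sp_session[:aal_level_requested]` is removed as well (the `requested_aal` change in service_provider_session.rb suggests it is), so no stale session key lingers that a later reader could pick up.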
2 changes: 2 additions & 0 deletions app/controllers/concerns/idv/acuant_concern.rb
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,8 @@ def acuant_sdk_upgrade_a_b_testing_variables

def override_csp_to_allow_acuant
policy = current_content_security_policy
request.content_security_policy_nonce_directives =
request.content_security_policy_nonce_directives.without('style-src')
policy.connect_src(*policy.connect_src, 'us.acas.acuant.net')
policy.script_src(*policy.script_src, :unsafe_eval)
policy.style_src(*policy.style_src, :unsafe_inline)
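Review bot: the reason the nonce must be dropped deserves a comment on the `content_security_policy_nonce_directives` line: when `style-src` lists a `'nonce-...'` source, browsers that support nonces ignore `'unsafe-inline'` in that directive, so the `:unsafe_inline` added two lines below would be a no-op unless the nonce is removed. The trade-off is that on Acuant pages every inline style is now allowed, not only the ones the app emitted with a nonce; keep this override scoped to the actions that load the Acuant SDK and add a request spec asserting that the `Content-Security-Policy` header on a non-Acuant page still carries the `style-src` nonce and no `'unsafe-inline'`.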
2 changes: 2 additions & 0 deletions app/controllers/concerns/idv/threat_metrix_concern.rb
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,8 @@ def threat_metrix_csp_overrides
# `style-src` must be updated to enable:
# - `unsafe-inline`, since the ThreatMetrix library applies inline
# styles to elements it inserts into the DOM
request.content_security_policy_nonce_directives =
request.content_security_policy_nonce_directives.without('style-src')
policy.style_src(*(policy.style_src.to_set << :unsafe_inline))

# `img-src` must be updated to enable:
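Review bot: this is the second copy of the same two-line nonce removal (the Acuant concern has the other). Extract a shared helper on a CSP concern, for example `allow_unsafe_inline_styles!`, so the nonce removal and the `:unsafe_inline` addition cannot drift apart. The comment above should also state that the nonce has to go because browsers ignore `'unsafe-inline'` in a directive that also contains a nonce. Minor: this version dedupes via `.to_set << :unsafe_inline` while the Acuant version splats and appends; pick one form.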
2 changes: 2 additions & 0 deletions app/controllers/concerns/idv_step_concern.rb
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,8 @@ def flow_policy
end

def confirm_step_allowed
# set it everytime, since user may switch SP
idv_session.selfie_check_required = decorated_sp_session.selfie_required?
return if flow_policy.controller_allowed?(controller: self.class)

redirect_to url_for_latest_step
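Review bot: `idv_session.selfie_check_required` is re-derived from the SP session on every step request, before `controller_allowed?` runs, which is what makes the document-capture precondition see the current SP's requirement; extend the comment to say the write is intentional even on requests that end in a redirect. Add a spec for the SP-switch case the comment mentions: a user who captured documents under an SP that does not require a selfie and then returns through one that does. The diff does not show how already-captured images without a selfie are treated in that case, and a test should pin the intended behaviour.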
6 changes: 4 additions & 2 deletions app/controllers/concerns/remember_device_concern.rb
Original file line number Diff line number Diff line change
Expand Up @@ -16,9 +16,11 @@ def save_remember_device_preference(remember_device_preference)
def check_remember_device_preference
return unless UserSessionContext.authentication_context?(context)
return if remember_device_cookie.nil?

expiration_time = decorated_sp_session.mfa_expiration_interval(resolved_authn_context_result)
return unless remember_device_cookie.valid_for_user?(
user: current_user,
expiration_interval: decorated_sp_session.mfa_expiration_interval,
expiration_interval: expiration_time,
)

handle_valid_remember_device_cookie(remember_device_cookie: remember_device_cookie)
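Review bot: the property this hunk depends on is that `resolved_authn_context_result.aal_level_requested` is never nil here, because `ServiceProviderSession#mfa_expiration_interval` compares it with `> 1` and the old `sp_session[:aal_level_requested] || 1` fallback is gone. Confirm the resolver returns 1 rather than nil when the SP request carried no AAL and add a spec for that path. A nil would raise `NoMethodError` (failing closed) rather than silently granting the longer AAL1 window, which is the acceptable direction, but it should be a deliberate choice. Minor: `expiration_time` holds an interval, not a time; `expiration_interval` reads more accurately.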
Expand All @@ -35,7 +37,7 @@ def remember_device_cookie
def remember_device_expired_for_sp?
expired_for_interval?(
current_user,
decorated_sp_session.mfa_expiration_interval,
decorated_sp_session.mfa_expiration_interval(resolved_authn_context_result),
)
end

11 changes: 10 additions & 1 deletion app/controllers/idv/document_capture_controller.rb
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,14 @@ def self.step_info
key: :document_capture,
controller: self,
next_steps: [:ssn, :ipp_ssn], # :ipp_state_id
preconditions: ->(idv_session:, user:) { idv_session.flow_path == 'standard' },
preconditions: ->(idv_session:, user:) {
idv_session.flow_path == 'standard' && (
# mobile
idv_session.skip_hybrid_handoff ||
!idv_session.selfie_check_required || # desktop but selfie not required
idv_session.desktop_selfie_test_mode_enabled?
)
},
undo_step: ->(idv_session:, user:) do
idv_session.pii_from_doc = nil
idv_session.invalidate_in_person_pii_from_user!
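Review bot: the third disjunct, `idv_session.desktop_selfie_test_mode_enabled?`, is a bypass of the selfie-required routing and its definition is not in this diff. Make sure it is backed by a config flag that cannot be true in production, and add a spec asserting the precondition is false for a desktop session (no `skip_hybrid_handoff`) with `selfie_check_required` set and the flag off. Style: the `# mobile` and `# desktop but selfie not required` comments are easier to follow as one block comment above the expression stating the rule the three disjuncts encode: direct capture is allowed on mobile, when no selfie is required, or in the test mode.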
Expand All @@ -85,6 +92,8 @@ def analytics_arguments
irs_reproofing: irs_reproofing?,
redo_document_capture: idv_session.redo_document_capture,
skip_hybrid_handoff: idv_session.skip_hybrid_handoff,
liveness_checking_required: decorated_sp_session.selfie_required?,
selfie_check_required: idv_session.selfie_check_required,
}.merge(ab_test_analytics_buckets)
end

1 change: 1 addition & 0 deletions app/controllers/idv/hybrid_handoff_controller.rb
Original file line number Diff line number Diff line change
Expand Up @@ -168,6 +168,7 @@ def analytics_arguments
irs_reproofing: irs_reproofing?,
redo_document_capture: params[:redo] ? true : nil,
skip_hybrid_handoff: idv_session.skip_hybrid_handoff,
selfie_check_required: idv_session.selfie_check_required,
}.merge(ab_test_analytics_buckets)
end

Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ def analytics_arguments
step: 'capture_complete',
analytics_id: 'Doc Auth',
irs_reproofing: irs_reproofing?,
liveness_checking_required: decorated_sp_session.selfie_required?,
}.merge(ab_test_analytics_buckets)
end
end
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,8 @@ def analytics_arguments
step: 'document_capture',
analytics_id: 'Doc Auth',
irs_reproofing: irs_reproofing?,
liveness_checking_required: decorated_sp_session.selfie_required?,
selfie_check_required: decorated_sp_session.selfie_required?,
}.merge(
ab_test_analytics_buckets,
)
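Review bot: here `selfie_check_required` is set from `decorated_sp_session.selfie_required?`, the same expression as `liveness_checking_required`, whereas in `Idv::DocumentCaptureController#analytics_arguments` `selfie_check_required` comes from `idv_session.selfie_check_required`. Two identical fields add nothing for troubleshooting; if this controller has no idv_session, log only `liveness_checking_required`, otherwise read the session value the same way the other controller does so the two event streams stay comparable.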
2 changes: 1 addition & 1 deletion app/decorators/null_service_provider_session.rb
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ def cancel_link_url
view_context.root_url
end

def mfa_expiration_interval
def mfa_expiration_interval(_authentication_context)
IdentityConfig.store.remember_device_expiration_hours_aal_1.hours
end
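Review bot: the parameter is named `_authentication_context` here but `authorization_context` in `ServiceProviderSession`; both receive the resolved authn-context result, so use one name (`authn_context_result`, matching the caller's `resolved_authn_context_result`) so the two implementations of the same interface read alike. Keeping the null object on the AAL1 window is only correct while "no SP" implies "no elevated AAL requested"; a one-line comment stating that assumption would help the next reader.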

8 changes: 4 additions & 4 deletions app/decorators/service_provider_session.rb
Original file line number Diff line number Diff line change
Expand Up @@ -88,12 +88,12 @@ def sp_alert(section)
end
end

def mfa_expiration_interval
def mfa_expiration_interval(authorization_context)
aal_1_expiration = IdentityConfig.store.remember_device_expiration_hours_aal_1.hours
aal_2_expiration = IdentityConfig.store.remember_device_expiration_minutes_aal_2.minutes
return aal_2_expiration if sp_aal > 1
return aal_2_expiration if sp_ial > 1
return aal_2_expiration if requested_aal > 1
return aal_2_expiration if authorization_context.aal_level_requested > 1

aal_1_expiration
end
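Review bot: `authorization_context.aal_level_requested > 1` has no nil guard, unlike the `|| 1` in the `requested_aal` it replaces; either the resolver must guarantee an integer or this line should default explicitly. The fail direction of the method is otherwise right: the short AAL2 window wins whenever the SP's configured AAL, its IAL, or the per-request AAL exceeds 1, so the stricter of configuration and request is applied. Add a spec for the request-level AAL2 case against an SP configured at AAL1, which is the path this change introduces.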
Expand Down Expand Up @@ -138,8 +138,8 @@ def sp_ial
sp.ial || 1
end

def requested_aal
sp_session[:aal_level_requested] || 1
def requested_aal(authorization_context)
authorization_context.aal_level_requested
end

def request_url
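Review bot: `requested_aal` grew a required argument and lost its `|| 1` default, and `mfa_expiration_interval` no longer calls it (it reads `authorization_context.aal_level_requested` directly). Grep for remaining callers; any zero-argument call site will now raise `ArgumentError`. If nothing calls it, delete it; if something does, keep the default so a nil from the resolver cannot propagate.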