LG-12578 active non biometric user can sign in to non biometric sp SAML

app/controllers/concerns/verify_profile_concern.rb

@@ -9,7 +9,14 @@ def url_for_pending_profile_reason
   end
 
   def user_has_pending_profile?
-    return false if current_user.blank?
-    current_user.pending_profile?
+    pending_profile_policy.user_has_pending_profile?
+  end
+
+  def pending_profile_policy
+    @pending_profile_policy ||= PendingProfilePolicy.new(
+      user: current_user,
+      resolved_authn_context_result: resolved_authn_context_result,
+      biometric_comparison_requested: nil,
+    )
   end
 end

app/controllers/openid_connect/authorization_controller.rb

@@ -28,7 +28,7 @@ class AuthorizationController < ApplicationController
     def index
       if @authorize_form.ial2_or_greater?
         return redirect_to reactivate_account_url if user_needs_to_reactivate_account?
-        return redirect_to url_for_pending_profile_reason if user_has_usable_pending_profile?
+        return redirect_to url_for_pending_profile_reason if user_has_pending_profile?
         return redirect_to idv_url if identity_needs_verification?
         return redirect_to idv_url if selfie_needed?
       end
@@ -55,10 +55,6 @@ def pending_profile_policy
       )
     end
 
-    def user_has_usable_pending_profile?
-      pending_profile_policy.user_has_usable_pending_profile?
-    end
-
     def block_biometric_requests_in_production
       if biometric_comparison_requested? &&
          !FeatureManagement.idv_allow_selfie_check?

app/policies/pending_profile_policy.rb

@@ -5,7 +5,9 @@ def initialize(user:, resolved_authn_context_result:, biometric_comparison_reque
     @biometric_comparison_requested = biometric_comparison_requested
   end
 
-  def user_has_usable_pending_profile?
+  def user_has_pending_profile?
+    return false if user.blank?
+
     if biometric_comparison_requested?
       pending_biometric_profile?
     else
@@ -17,10 +19,6 @@ def user_has_usable_pending_profile?
 
   attr_reader :user, :resolved_authn_context_result, :biometric_comparison_requested
 
-  def active_biometric_profile?
-    user.active_profile&.idv_level == 'unsupervised_with_selfie'
-  end
-
   def pending_biometric_profile?
     user.pending_profile&.idv_level == 'unsupervised_with_selfie'
   end

spec/controllers/idv_controller_spec.rb

@@ -59,10 +59,11 @@
 
       context 'but user needs to redo idv with biometric' do
         let(:current_sp) { create(:service_provider) }
+
         before do
           allow(IdentityConfig.store).to receive(:doc_auth_selfie_capture_enabled).and_return(true)
           session[:sp] =
-            { issuer: current_sp.issuer, biometric_comparison_required: true }
+            { issuer: current_sp.issuer, vtr: ['C2.Pb'], biometric_comparison_required: true }
         end
 
         it 'redirects to welcome' do

spec/controllers/saml_idp_controller_spec.rb

@@ -618,6 +618,44 @@ def name_id_version(format_urn)
             expect(response).to redirect_to(idv_url)
             expect(controller.session[:sp][:vtr]).to eq(['C1.C2.P1.Pb'])
           end
+
+          context 'user has a pending biometric profile' do
+            let(:vtr_settings) do
+              saml_settings(
+                overrides: {
+                  issuer: sp1_issuer,
+                  authn_context: 'C1.C2.P1',
+                },
+              )
+            end
+
+            it 'does not redirect to proofing if sp does not request biometrics' do
+              create(
+                :profile,
+                :verify_by_mail_pending,
+                :with_pii,
+                idv_level: :unsupervised_with_selfie,
+                user: user,
+              )
+              saml_get_auth(vtr_settings)
+              expect(response).to redirect_to(sign_up_completed_url)
+              expect(controller.session[:sp][:vtr]).to eq(['C1.C2.P1'])
+            end
+
+            it 'redirects to the please call page if user has a fraudualent profile' do
+              create(
+                :profile,
+                :fraud_review_pending,
+                :with_pii,
+                idv_level: :unsupervised_with_selfie,
+                user: user,
+              )
+
+              saml_get_auth(vtr_settings)
+              expect(response).to redirect_to(idv_please_call_url)
+              expect(controller.session[:sp][:vtr]).to eq(['C1.C2.P1'])
+            end
+          end
         end
 
         context 'the user has proofed with a biometric check' do

spec/policies/pending_profile_policy_spec.rb

@@ -21,7 +21,7 @@
     )
   end
 
-  describe '#user_has_usable_pending_profile?' do
+  describe '#user_has_pending_profile?' do
     context 'has an active non-biometric profile and biometric comparison is requested' do
       let(:idv_level) { :unsupervised_with_selfie }
       before do
@@ -34,7 +34,7 @@
         let(:vtr) { ['C2.Pb'] }
 
         it 'has a usable pending profile' do
-          expect(policy.user_has_usable_pending_profile?).to eq(true)
+          expect(policy.user_has_pending_profile?).to eq(true)
         end
       end
 
@@ -43,7 +43,7 @@
         let(:acr_values) { Saml::Idp::Constants::IAL2_AUTHN_CONTEXT_CLASSREF }
 
         it 'has a usable pending profile' do
-          expect(policy.user_has_usable_pending_profile?).to eq(true)
+          expect(policy.user_has_pending_profile?).to eq(true)
         end
       end
     end
@@ -56,15 +56,15 @@
           create(:profile, :verify_by_mail_pending, idv_level: idv_level, user: user)
         end
 
-        it { expect(policy.user_has_usable_pending_profile?).to eq(true) }
+        it { expect(policy.user_has_pending_profile?).to eq(true) }
       end
 
       context 'user has an active profile' do
         before do
           create(:profile, :active, :verified, idv_level: idv_level, user: user)
         end
 
-        it { expect(policy.user_has_usable_pending_profile?).to eq(false) }
+        it { expect(policy.user_has_pending_profile?).to eq(false) }
       end
 
       context 'user has active legacy profile with a pending fraud biometric profile' do
@@ -73,7 +73,7 @@
           create(:profile, :fraud_review_pending, idv_level: :unsupervised_with_selfie, user: user)
         end
 
-        it { expect(policy.user_has_usable_pending_profile?).to eq(true) }
+        it { expect(policy.user_has_pending_profile?).to eq(true) }
       end
     end
   end