From 3423926fa8834c12d2caba8512053a29bde55e92 Mon Sep 17 00:00:00 2001
From: Jonathan Hooper
Date: Tue, 9 Apr 2024 16:28:05 -0400
Subject: [PATCH 1/4] LG-13022 Allow in-person proofing to satisfy biometric comparison requirement
When a user proofs in-person they satisfy the biometric comparison requirement since that is done when they present their document. This was not recognized as satisfying the biometric requirement in the code. This commit makes adjustments so that it does. [skip changelog]
---
 app/models/user.rb | 3 ++-
 .../authorization_controller_spec.rb | 10 ++++++++++
 spec/controllers/saml_idp_controller_spec.rb | 14 +++++++++++++-
 spec/models/user_spec.rb | 6 ++++++
 4 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/app/models/user.rb b/app/models/user.rb
index 6ea10976644..5d33269790a 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -365,7 +365,8 @@ def identity_verified?(service_provider: nil)
 end
 def identity_verified_with_selfie?
- active_profile&.idv_level == 'unsupervised_with_selfie'
+ biometric_comparison_idv_levels = ['unsupervised_with_selfie', 'in_person']
+ biometric_comparison_idv_levels.include?(active_profile&.idv_level)
 end
 def reproof_for_irs?(service_provider:)
diff --git a/spec/controllers/openid_connect/authorization_controller_spec.rb b/spec/controllers/openid_connect/authorization_controller_spec.rb
index 7099b2809c2..0cb9cb5932e 100644
--- a/spec/controllers/openid_connect/authorization_controller_spec.rb
+++ b/spec/controllers/openid_connect/authorization_controller_spec.rb
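Review bot: `identity_verified_with_selfie?` now also answers true for the `in_person` idv level, so the method name no longer describes what it checks and nothing at the definition says why an in-person profile counts; a caller reading the name will assume a selfie was captured. Add a comment above the `def`, e.g. `# True when the active profile's proofing included a biometric comparison: a remote selfie match, or the comparison performed when the document is presented in-person.`, and consider introducing a better-named method such as `identity_verified_with_biometric_comparison?` with the old name kept as an alias for existing callers. The per-call array literal is replaced by a constant in the next commit of the series, so no change is needed for that. The comparison is against string values while the specs assign `:in_person` as a symbol, which presumably relies on `idv_level` reading back as a string — worth confirming.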
@@ -477,6 +477,16 @@
 end
 end
+ context 'bioemtric comparison was performed in-person' do
+ it 'redirects to the redirect_uri immediately when pii is unlocked if client-side redirect is disabled' do
+ user.active_profile.idv_level = :in_person
+
+ action
+
+ expect(response).to redirect_to(/^#{params[:redirect_uri]}/)
+ end
+ end
+
 context 'selfie capture not enabled, biometric_comparison_check requested by sp' do
 let(:selfie_capture_enabled) { false }
 it 'returns status not_acceptable' do
diff --git a/spec/controllers/saml_idp_controller_spec.rb b/spec/controllers/saml_idp_controller_spec.rb
index 3f44b292a67..ac763552800 100644
--- a/spec/controllers/saml_idp_controller_spec.rb
+++ b/spec/controllers/saml_idp_controller_spec.rb
@@ -658,7 +658,7 @@ def name_id_version(format_urn)
 end
 end
- context 'the user has proofed with a biometric check' do
+ context 'the user has proofed with a biometric check remotely' do
 before do
 user.active_profile.update!(idv_level: :unsupervised_with_selfie)
 end
@@ -670,6 +670,18 @@ def name_id_version(format_urn)
 end
 end
+ context 'the user has proofed with a biometric check in-person' do
+ before do
+ user.active_profile.update!(idv_level: :in_person)
+ end
+
+ it 'does not redirect to proofing' do
+ saml_get_auth(vtr_settings)
+ expect(response).to redirect_to(sign_up_completed_url)
+ expect(controller.session[:sp][:vtr]).to eq(['C1.C2.P1.Pb'])
+ end
+ end
+
 context 'selfie check is disabled for the environment' do
 let(:doc_auth_selfie_capture_enabled) { false }
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 45bbc1602d6..38abe57012f 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
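Review bot: The new example sets `user.active_profile.idv_level = :in_person` in memory without persisting it, whereas the saml_idp_controller_spec contexts added in the same commit use `update!`; if `action` reloads `user` from the database the unsaved value is lost and the example would exercise the remote-selfie path rather than the in-person one. Use `user.active_profile.update!(idv_level: :in_person)` so the fixture state is unambiguous and consistent across the two specs. The enclosing `describe` block starts outside the hunk.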
@@ -1435,6 +1435,12 @@ def it_should_not_send_survey
 expect(user.identity_verified_with_selfie?).to eq false
 end
+ it 'return true if user has an active in-person profile' do
+ active_profile.idv_level = :in_person
+ active_profile.save
+ expect(user.identity_verified_with_selfie?).to eq true
+ end
+
 context 'user does not have active profile' do
 let(:active_profile) { nil }
 it 'returns false' do
From a27c39c39a7b3e050eb36131fc20cb6d5e4585ba Mon Sep 17 00:00:00 2001
From: Jonathan Hooper
Date: Tue, 9 Apr 2024 16:37:55 -0400
Subject: [PATCH 2/4] code review
---
 app/models/user.rb | 5 +++--
 .../openid_connect/authorization_controller_spec.rb | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/app/models/user.rb b/app/models/user.rb
index 5d33269790a..83793e5e3e8 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -25,6 +25,8 @@ class User < ApplicationRecord
 MAX_RECENT_EVENTS = 5
 MAX_RECENT_DEVICES = 5
+ BIOMETRIC_COMPARISON_IDV_LEVELS = %w[unsupervised_with_selfie, in_person].freeze
+
 enum otp_delivery_preference: { sms: 0, voice: 1 }
 # rubocop:disable Rails/HasManyOrHasOneDependent
@@ -365,8 +367,7 @@ def identity_verified?(service_provider: nil)
 end
 def identity_verified_with_selfie?
- biometric_comparison_idv_levels = ['unsupervised_with_selfie', 'in_person']
- biometric_comparison_idv_levels.include?(active_profile&.idv_level)
+ BIOMETRIC_COMPARISON_IDV_LEVELS.include?(active_profile&.idv_level)
 end
 def reproof_for_irs?(service_provider:)
diff --git a/spec/controllers/openid_connect/authorization_controller_spec.rb b/spec/controllers/openid_connect/authorization_controller_spec.rb
index 0cb9cb5932e..2b2bc966954 100644
--- a/spec/controllers/openid_connect/authorization_controller_spec.rb
+++ b/spec/controllers/openid_connect/authorization_controller_spec.rb
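Review bot: `active_profile.save` in the new example discards its return value, so a failed save (validation error, readonly record) would silently leave the previous idv level in place and the example would fail on the `eq true` line with a misleading message; use `active_profile.save!`, matching the `update!` used in the saml_idp_controller_spec changes of this commit. The description `'return true if user has an active in-person profile'` also disagrees with the neighbouring `'returns false'` examples; change it to `it 'returns true if user has an active in-person profile' do`. The enclosing `describe` block starts outside the hunk.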
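Review bot: `BIOMETRIC_COMPARISON_IDV_LEVELS` in the first app/models/user.rb hunk of PATCH 2/4 is introduced without a comment, and since the constant block sits far from its only visible consumer, `identity_verified_with_selfie?`, a reader has no way to tell which idv levels belong in it or why `in_person` counts. Because this list decides whether a service provider's biometric-comparison requirement is treated as satisfied (see the `biometric_comparison_check` and `Pb` contexts in the specs), the comment should say so, so that any future addition is reviewed with that consequence in mind: `# idv_level values whose proofing flow included a biometric comparison (remote selfie match, or document presentation in-person); an SP's biometric comparison requirement is considered met for any level listed here.` The stray comma inside the `%w[]` literal is corrected by the next commit in the series, so no change is needed for that. The enclosing `class User < ApplicationRecord` body runs outside both hunks.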
@@ -477,7 +477,7 @@
 end
 end
- context 'bioemtric comparison was performed in-person' do
+ context 'biometric comparison was performed in-person' do
 it 'redirects to the redirect_uri immediately when pii is unlocked if client-side redirect is disabled' do
 user.active_profile.idv_level = :in_person
From 8ddaa562fb3afbecc7c5841602779a94551553d0 Mon Sep 17 00:00:00 2001
From: Jonathan Hooper
Date: Wed, 10 Apr 2024 09:28:34 -0400
Subject: [PATCH 3/4] wayward comma
---
 app/models/user.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/models/user.rb b/app/models/user.rb
index 83793e5e3e8..56343122c7f 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -25,7 +25,7 @@ class User < ApplicationRecord
 MAX_RECENT_EVENTS = 5
 MAX_RECENT_DEVICES = 5
- BIOMETRIC_COMPARISON_IDV_LEVELS = %w[unsupervised_with_selfie, in_person].freeze
+ BIOMETRIC_COMPARISON_IDV_LEVELS = %w[unsupervised_with_selfie in_person].freeze
 enum otp_delivery_preference: { sms: 0, voice: 1 }
From 0777bc4f4c178c585f3d5c243809ddcf4338bdb8 Mon Sep 17 00:00:00 2001
From: Jonathan Hooper
Date: Wed, 10 Apr 2024 09:29:40 -0400
Subject: [PATCH 4/4] add #to_set
---
 app/models/user.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/models/user.rb b/app/models/user.rb
index 56343122c7f..65914ca1452 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -25,7 +25,7 @@ class User < ApplicationRecord
 MAX_RECENT_EVENTS = 5
 MAX_RECENT_DEVICES = 5
- BIOMETRIC_COMPARISON_IDV_LEVELS = %w[unsupervised_with_selfie in_person].freeze
+ BIOMETRIC_COMPARISON_IDV_LEVELS = %w[unsupervised_with_selfie in_person].to_set.freeze
 enum otp_delivery_preference: { sms: 0, voice: 1 }