18F · jmax-gsa · May 7, 2024 · Apr 25, 2024 · Apr 26, 2024 · Apr 26, 2024
diff --git a/app/controllers/concerns/idv/document_capture_concern.rb b/app/controllers/concerns/idv/document_capture_concern.rb
@@ -49,7 +49,9 @@ def stored_result
     end
 
     def selfie_requirement_met?
-      !decorated_sp_session.biometric_comparison_required? || stored_result.selfie_check_performed?
+      !FeatureManagement.idv_allow_selfie_check? ||
+        !resolved_authn_context_result.biometric_comparison? ||
+        stored_result.selfie_check_performed?
     end
 
     private

diff --git a/app/controllers/concerns/idv_session_concern.rb b/app/controllers/concerns/idv_session_concern.rb
@@ -67,7 +67,8 @@ def idv_session_user
   end
 
   def user_needs_biometric_comparison?
-    decorated_sp_session.biometric_comparison_required? &&
+    FeatureManagement.idv_allow_selfie_check? &&
+      resolved_authn_context_result.biometric_comparison? &&
       !current_user.identity_verified_with_biometric_comparison?
   end
 end
diff --git a/app/controllers/concerns/idv_step_concern.rb b/app/controllers/concerns/idv_step_concern.rb
@@ -111,7 +111,9 @@ def flow_policy
 
   def confirm_step_allowed
     # set it everytime, since user may switch SP
-    idv_session.selfie_check_required = decorated_sp_session.biometric_comparison_required?
+    idv_session.selfie_check_required =
+      FeatureManagement.idv_allow_selfie_check? &&
+      resolved_authn_context_result.biometric_comparison?
     return if flow_policy.controller_allowed?(controller: self.class)
 
     redirect_to url_for_latest_step

diff --git a/app/controllers/idv/document_capture_controller.rb b/app/controllers/idv/document_capture_controller.rb
@@ -43,6 +43,10 @@ def update
     end
 
     def extra_view_variables
+      doc_auth_selfie_capture =
+        FeatureManagement.idv_allow_selfie_check? &&
+        resolved_authn_context_result.biometric_comparison?
+
       {
         document_capture_session_uuid: document_capture_session_uuid,
         flow_path: 'standard',
@@ -51,7 +55,7 @@ def extra_view_variables
         skip_doc_auth: idv_session.skip_doc_auth,
         skip_doc_auth_from_handoff: idv_session.skip_doc_auth_from_handoff,
         opted_in_to_in_person_proofing: idv_session.opted_in_to_in_person_proofing,
-        doc_auth_selfie_capture: decorated_sp_session.biometric_comparison_required?,
+        doc_auth_selfie_capture:,
       }.merge(
         acuant_sdk_upgrade_a_b_testing_variables,
       )
@@ -90,15 +94,19 @@ def cancel_establishing_in_person_enrollments
     end
 
     def analytics_arguments
+      liveness_checking_required =
+        FeatureManagement.idv_allow_selfie_check? &&
+        resolved_authn_context_result.biometric_comparison?
+
       {
         flow_path: flow_path,
         step: 'document_capture',
         analytics_id: 'Doc Auth',
         irs_reproofing: irs_reproofing?,
         redo_document_capture: idv_session.redo_document_capture,
         skip_hybrid_handoff: idv_session.skip_hybrid_handoff,
-        liveness_checking_required: decorated_sp_session.biometric_comparison_required?,
-        selfie_check_required: idv_session.selfie_check_required,
+        liveness_checking_required:,
+        selfie_check_required: liveness_checking_required,
       }.merge(ab_test_analytics_buckets)
     end
 

diff --git a/app/controllers/idv/hybrid_mobile/capture_complete_controller.rb b/app/controllers/idv/hybrid_mobile/capture_complete_controller.rb
@@ -20,12 +20,16 @@ def show
       private
 
       def analytics_arguments
+        liveness_checking_required =
+          FeatureManagement.idv_allow_selfie_check? &&
+          resolved_authn_context_result.biometric_comparison?
+
         {
           flow_path: 'hybrid',
           step: 'capture_complete',
           analytics_id: 'Doc Auth',
           irs_reproofing: irs_reproofing?,
-          liveness_checking_required: decorated_sp_session.biometric_comparison_required?,
+          liveness_checking_required:,
         }.merge(ab_test_analytics_buckets)
       end
     end

diff --git a/app/controllers/idv/hybrid_mobile/document_capture_controller.rb b/app/controllers/idv/hybrid_mobile/document_capture_controller.rb
@@ -39,11 +39,14 @@ def update
       end
 
       def extra_view_variables
+        doc_auth_selfie_capture = FeatureManagement.idv_allow_selfie_check? &&
+                                  resolved_authn_context_result.biometric_comparison?
+
         {
           flow_path: 'hybrid',
           document_capture_session_uuid: document_capture_session_uuid,
           failure_to_proof_url: return_to_sp_failure_to_proof_url(step: 'document_capture'),
-          doc_auth_selfie_capture: decorated_sp_session.biometric_comparison_required?,
+          doc_auth_selfie_capture:,
         }.merge(
           acuant_sdk_upgrade_a_b_testing_variables,
         )
@@ -52,13 +55,17 @@ def extra_view_variables
       private
 
       def analytics_arguments
+        biometric_comparison_required =
+          FeatureManagement.idv_allow_selfie_check? &&
+          resolved_authn_context_result.biometric_comparison?
+
         {
           flow_path: 'hybrid',
           step: 'document_capture',
           analytics_id: 'Doc Auth',
           irs_reproofing: irs_reproofing?,
-          liveness_checking_required: decorated_sp_session.biometric_comparison_required?,
-          selfie_check_required: decorated_sp_session.biometric_comparison_required?,
+          liveness_checking_required: biometric_comparison_required,
+          selfie_check_required: biometric_comparison_required,
         }.merge(
           ab_test_analytics_buckets,
         )

diff --git a/app/controllers/idv/image_uploads_controller.rb b/app/controllers/idv/image_uploads_controller.rb
@@ -25,7 +25,7 @@ def image_upload_form
         uuid_prefix: current_sp&.app_id,
         irs_attempts_api_tracker: irs_attempts_api_tracker,
         store_encrypted_images: store_encrypted_images?,
-        liveness_checking_required: decorated_sp_session.biometric_comparison_required?,
+        liveness_checking_required: resolved_authn_context_result.biometric_comparison?,
       )
     end
 

diff --git a/app/controllers/idv_controller.rb b/app/controllers/idv_controller.rb
@@ -32,11 +32,12 @@ def activated
   private
 
   def already_verified?
-    if decorated_sp_session.biometric_comparison_required?
-      return current_user.identity_verified_with_biometric_comparison?
+    if FeatureManagement.idv_allow_selfie_check? &&
+       resolved_authn_context_result.biometric_comparison?
+      current_user.identity_verified_with_biometric_comparison?
+    else
+      current_user.active_profile.present?
     end
-
-    return current_user.active_profile.present?
   end
 
   def verify_identity

diff --git a/app/controllers/openid_connect/authorization_controller.rb b/app/controllers/openid_connect/authorization_controller.rb
@@ -127,7 +127,8 @@ def identity_needs_verification?
     end
 
     def biometric_comparison_needed?
-      decorated_sp_session.biometric_comparison_required? &&
+      FeatureManagement.idv_allow_selfie_check? &&
+        resolved_authn_context_result.biometric_comparison? &&
         !current_user.identity_verified_with_biometric_comparison?
     end
 

diff --git a/app/controllers/saml_idp_controller.rb b/app/controllers/saml_idp_controller.rb
@@ -113,7 +113,8 @@ def prompt_for_password_if_ial2_request_and_pii_locked
   end
 
   def biometric_comparison_needed?
-    decorated_sp_session.biometric_comparison_required? &&
+    FeatureManagement.idv_allow_selfie_check? &&
+      resolved_authn_context_result.biometric_comparison? &&
       !current_user.identity_verified_with_biometric_comparison?
   end
 

diff --git a/app/decorators/null_service_provider_session.rb b/app/decorators/null_service_provider_session.rb
@@ -43,10 +43,6 @@ def request_url_params
     {}
   end
 
-  def biometric_comparison_required?
-    false
-  end
-
   def current_user
     view_context&.current_user
   end

diff --git a/app/decorators/service_provider_session.rb b/app/decorators/service_provider_session.rb
@@ -72,11 +72,6 @@ def sp_issuer
     sp.issuer
   end
 
-  def biometric_comparison_required?
-    !!(FeatureManagement.idv_allow_selfie_check? &&
-      sp_session[:biometric_comparison_required])
-  end
-
   def cancel_link_url
     view_context.new_user_session_url(request_id: sp_session[:request_id])
   end

diff --git a/spec/controllers/concerns/idv/document_capture_concern_spec.rb b/spec/controllers/concerns/idv/document_capture_concern_spec.rb
@@ -19,38 +19,42 @@ def show
 
     context 'selfie checks enabled' do
       before do
-        decorated_sp_session = instance_double(ServiceProviderSession)
-        allow(decorated_sp_session).to receive(:biometric_comparison_required?).
-          and_return(biometric_comparison_required)
-        allow(controller).to receive(:decorated_sp_session).and_return(decorated_sp_session)
+        allow(FeatureManagement).to receive(:idv_allow_selfie_check?).and_return(true)
+
         stored_result = instance_double(DocumentCaptureSessionResult)
         allow(stored_result).to receive(:selfie_check_performed?).and_return(selfie_check_performed)
         allow(controller).to receive(:stored_result).and_return(stored_result)
+
+        resolution_result = Vot::Parser.new(vector_of_trust: vot).parse
+        allow(controller).to receive(:resolved_authn_context_result).and_return(resolution_result)
       end
 
       context 'SP requires biometric_comparison' do
-        let(:biometric_comparison_required) { true }
+        let(:vot) { 'Pb' }
 
         context 'selfie check performed' do
           let(:selfie_check_performed) { true }
+
           it 'returns true' do
             expect(controller.selfie_requirement_met?).to eq(true)
           end
         end
 
         context 'selfie check not performed' do
           let(:selfie_check_performed) { false }
+
           it 'returns false' do
             expect(controller.selfie_requirement_met?).to eq(false)
           end
         end
       end
 
       context 'SP does not require biometric_comparison' do
-        let(:biometric_comparison_required) { false }
+        let(:vot) { 'P1' }
 
         context 'selfie check performed' do
           let(:selfie_check_performed) { true }
+
           it 'returns true' do
             expect(controller.selfie_requirement_met?).to eq(true)
           end

diff --git a/spec/controllers/idv/by_mail/request_letter_controller_spec.rb b/spec/controllers/idv/by_mail/request_letter_controller_spec.rb
@@ -274,7 +274,7 @@ def expect_resend_letter_to_send_letter_and_redirect(otp:)
     allow(Pii::Cacher).to receive(:new).and_return(pii_cacher)
 
     service_provider = create(:service_provider, issuer: '123abc')
-    session[:sp] = { issuer: service_provider.issuer }
+    session[:sp] = { issuer: service_provider.issuer, vtr: ['C1'] }
 
     gpo_confirmation_maker = instance_double(GpoConfirmationMaker)
     allow(GpoConfirmationMaker).to receive(:new).

diff --git a/spec/controllers/idv/document_capture_controller_spec.rb b/spec/controllers/idv/document_capture_controller_spec.rb
@@ -30,8 +30,15 @@
     stub_up_to(:hybrid_handoff, idv_session: subject.idv_session)
     stub_analytics
     subject.idv_session.document_capture_session_uuid = document_capture_session_uuid
-    allow(controller.decorated_sp_session).to receive(:biometric_comparison_required?).
-      and_return(doc_auth_selfie_capture_enabled && sp_selfie_enabled)
+
+    vot = (doc_auth_selfie_capture_enabled && sp_selfie_enabled) ? 'Pb' : 'P1'
+    resolved_authn_context = Vot::Parser.new(vector_of_trust: vot).parse
+
+    allow(FeatureManagement).to receive(:idv_allow_selfie_check?).
+      and_return(doc_auth_selfie_capture_enabled)
+
+    allow(controller).to receive(:resolved_authn_context_result).
+      and_return(resolved_authn_context)
     subject.idv_session.flow_path = flow_path
     allow(subject).to receive(:ab_test_analytics_buckets).and_return(ab_test_args)
   end
@@ -40,10 +47,13 @@
     it 'returns a valid StepInfo object' do
       expect(Idv::DocumentCaptureController.step_info).to be_valid
     end
+
     context 'when selfie feature is enabled system wide' do
       let(:doc_auth_selfie_capture_enabled) { true }
+
       describe 'with sp selfie disabled' do
         let(:sp_selfie_enabled) { false }
+
         it 'does not satisfy precondition' do
           expect(Idv::DocumentCaptureController.step_info.preconditions.is_a?(Proc))
           expect(subject).to receive(:render).
@@ -52,16 +62,21 @@
           expect(response).to render_template :show
         end
       end
+
       describe 'with sp selfie enabled' do
         let(:sp_selfie_enabled) { true }
+
         before do
           allow(IdentityConfig.store).to receive(:doc_auth_selfie_desktop_test_mode).
             and_return(false)
         end
+
         it 'does satisfy precondition' do
           expect(Idv::DocumentCaptureController.step_info.preconditions.is_a?(Proc))
           expect(subject).not_to receive(:render).with(:show, locals: an_instance_of(Hash))
+
           get :show
+
           expect(response).to redirect_to(idv_hybrid_handoff_path)
         end
       end
@@ -255,15 +270,19 @@
     end
 
     context 'ipp disabled for sp' do
+      let(:sp_selfie_enabled) { true }
+      let(:doc_auth_selfie_capture_enabled) { true }
+
       before do
         allow(IdentityConfig.store).to receive(:doc_auth_selfie_desktop_test_mode).and_return(false)
         allow(Idv::InPersonConfig).to receive(:enabled_for_issuer?).with(anything).and_return(false)
-        allow(subject.decorated_sp_session).to receive(:biometric_comparison_required?).
-          and_return(true)
       end
+
       it 'redirect back when accessed from handoff' do
         subject.idv_session.skip_hybrid_handoff = nil
+
         get :show, params: { step: 'hybrid_handoff' }
+
         expect(response).to redirect_to(idv_hybrid_handoff_url)
         expect(subject.idv_session.skip_doc_auth_from_handoff).to_not eq(true)
       end

diff --git a/spec/controllers/idv/hybrid_handoff_controller_spec.rb b/spec/controllers/idv/hybrid_handoff_controller_spec.rb
@@ -25,8 +25,14 @@
     stub_attempts_tracker
     allow(subject).to receive(:ab_test_analytics_buckets).and_return(ab_test_args)
     allow(subject.idv_session).to receive(:service_provider).and_return(service_provider)
-    allow(subject.decorated_sp_session).to receive(:biometric_comparison_required?).
-      and_return(sp_selfie_enabled && doc_auth_selfie_capture_enabled)
+
+    resolved_authn_context_result = sp_selfie_enabled && doc_auth_selfie_capture_enabled ?
+                                      Vot::Parser.new(vector_of_trust: 'Pb').parse :
+                                      Vot::Parser.new(vector_of_trust: 'P1').parse
+
+    allow(subject).to receive(:resolved_authn_context_result).
+      and_return(resolved_authn_context_result)
+
     allow(IdentityConfig.store).to receive(:in_person_proofing_enabled) { in_person_proofing }
     allow(IdentityConfig.store).to receive(:in_person_proofing_opt_in_enabled) {
                                      ipp_opt_in_enabled
@@ -261,17 +267,21 @@
 
     context 'with selfie enabled system wide' do
       let(:doc_auth_selfie_capture_enabled) { true }
+
       describe 'when selfie is enabled for sp' do
         let(:sp_selfie_enabled) { true }
+
         it 'pass on correct flags and states and logs correct info' do
           get :show
           expect(response).to render_template :show
           expect(@analytics).to have_logged_event(analytics_name, analytics_args)
           expect(subject.idv_session.selfie_check_required).to eq(true)
         end
       end
+
       describe 'when selfie is disabled for sp' do
         let(:sp_selfie_enabled) { false }
+
         it 'pass on correct flags and states and logs correct info' do
           get :show
           expect(response).to render_template :show
-Original file line number
+Diff line change
@@ Expand Up / @@ -43,10 +43,6 @@ def request_url_params @@
         {}
       end
-      def biometric_comparison_required?
-        false
-      end
       def current_user
         view_context&.current_user
       end
@@ Expand Down @@