Merged
…ce_provider` to match pattern in `SamlIdpController` (#10646) Both the `OpenidConnect::AuthorizationController` and `SamlIdpController` have logic that ultimately invokes the `IdentityLinker` to link a user to a service provider. This code consumes an `ial` value which is used to set values on the `ServiceProviderIdentity` record that are eventually used for analytics and reporting purposes. In the `SamlIdpController` the `ial` value is computed using `resolved_authn_context_result`. This means that it considers the SP defaults and the content of the SP request. Eventually this will also include the user context when multiple vectors of trust support is added. Prior to this commit the `OpenidConnect::AuthorizationController` did not use the `resolved_authn_context_result` and instead computed the value itself in its form object. Its computation ignored SP defaults and would ignore the user context when multiple vectors of trust support is added. This commit modifies the `OpenidConnect::AuthorizationController` to match the pattern on `SamlIdpController` to avoid these issues. [skip changelog]
This makes some small adjustments to bring our FormObject usage in line with best practices. changelog: Internal, FormObject, Fix usage in AgreementController --------- Co-authored-by: Matt Wagner <matt.wagner@gsa.gov>
* LG-13214: Log presence of issue date and exp date changelog: Internal, Logging, Log whether the state ID issue/exp dates are present. * feature specs
changelog: Internal, Code Quality, Remove unused Step Indicator component styles
* changelog: User-Facing Improvements, Authentication, update translations * remove i18n spec
- Used to help address merge conflicts and streamline transition to flattened YML files, but should not be needed after changelog: Internal, Source code, Remove unused scripts
changelog: Internal, Design System, Use design system centered variant for banner
* Add feature flag to control AAMVA issue / expiry validation * Refactor how we add new XML elements to AAMVA requests Make a general-purpose method I can use for other elements. * Add issue date + expiry date to AAMVA requests if present * Only send issue date / expiry to aamva when we're supposed to * Check for DriverLicenseIssueDateMatchIndicator in AAMVA response * Check for DriverLicenseExpirationDateMatchIndicator in AAMVA responses * Allow feature flag to affect AAMVA response success? * Tweak how verified_attributes is calculated I'm going to do something similar for requested attributes and want code to reuse * Add requested_attributes to AAMVA proofer result A requested attribute is one where there is a definitive "yes" or "no" in the response. * Walk this back a little bit I don't think we have a good enough picture of what the :enabled setting should do (do we require issue + expiry? in all cases?) * Remove feature flag for now Will leave feature flag development for after the test. * Use match_array in ResolutionProofingJob spec The order of verified_attributes has changed * changelog: Internal, Identity verification, Send issue + expiry date to AAMVA * Convert requested_attributes to a hash * Update spec/services/proofing/aamva/proofer_spec.rb Co-authored-by: Doug Price <douglas.price@gsa.gov> --------- Co-authored-by: Doug Price <douglas.price@gsa.gov>
changelog: Internal, Continuous Integration, Fix command for review app configuration in GitLab job
* feat: add eipp to vot parser * feat: update authn context resolver tests for ipp * feat: add enhanced_ipp_required required to service provider * feat: update oidc connect parsing logic for enhance_ipp * feat: default saml parsing for eipp to false * feat: update ordering of params in sp session * feat: update spec for service provider session * fix: merge conflicts * feat: add vot parser method for sp session * Revert "feat: add enhanced_ipp_required required to service provider" This reverts commit 36c248949d604d654e25f637f1867eccade2668f. * feat: lintfix
* changelog: User-Facing Improvements, In-person proofing, update translations for Opt-in IPP non-biometric * feat: update configs for review-app * feat: more updates to configs for review-app * feat: revert config updates * feat: update i18n spec for keys that are newly translated * feat: update translations into new format * changelog: User-Facing Improvements, In-person proofing, update translations for Opt-in IPP non-biometric for Chinese, French, and Spanish * fix: spanish translations fixes from merge conflict * feat: code review comments
…ents_ready_job_enabled is true (#10671) * Disable in_person_enrollments_ready_job_enabled at top level * changelog: Internal, In-Person Proofing, prevent get usps proofing results job spec to pass when enrollment status by email is enabled
* LG-13117: zh texts for LG-12829. * LG-13117: zh texts for LG-12804. * LG-13117: zh texts for LG-12903. * LG-13117: zh texts for LG-12120. * LG-13117: zh texts for LG-12268. * LG-13117: zh texts for LG-12122. * LG-13117: remove untranslated keys. * LG-13117: layout issue with selfie. * changelog: User-Facing Improvements, Doc Auth, Simplified Chinese translations * LG-13171: rebase to main. --------- Co-authored-by: Eileen McFarland <eileenmcfarland@navapbc.com>
changelog: Internal, Performance, Avoid outputting font-face for unused light font weight
* Subset fonts to used character data * Optimize fonts * Remove unnecessary hash_values This was added when considering support for legacy formats with nested hashes. Since we now target only flattened keys (where values are either strings or arrays of strings), use `flatten` instead to simplify * Drop Nokogiri dependency, remove any HTML-like * Add changelog changelog: Internal, Performance, Optimize size of fonts to include only content character data * Use glyphs from loaded locale data * Simplify hash_values * Support excluding data from gem load paths * Use case for type-checking value * Limit formats to woff2 1. Avoid extra dependency 2. Faster to run since we're not creating file formats we don't need * Regenerate fonts after updated glyphs * Try referencing Rails directly May work better in CI * Add banner with usage help for script See: #10655 (comment) Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com> * Try bundle exec shebang * Exec Rails by code instead of shebang See: - https://stackoverflow.com/a/41194935 - http://solutions.davesource.com/20161216.Shebang-That-Calls-Ruby-Rails-Script-With-Arguments.html - rails/rails#665 * Require environment.rb to load Rails See: 675e0de#r1608353189 Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com> * Remove redundant file extension --------- Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
* LG-13220: Fix aggregated new device sign-in for expired session changelog: Upcoming Features, Aggregated Sign-In Message, Fix aggregated new device sign-in for expired session * Send sign_in_after_2fa for existing device not previously 2FA'd * Update existing devices stubbing * Use email_spec current_email + Capybara selectors * Update TwoFactorAuthenticatableMethods spec device stubbing * Send email for repeated successful sign-in without MFA * Extract new device handling to concern * Stub concern methods rather than session directly * Update AlertUserAboutNewDevice specs * Call set_new_device_session consistently at login
… screen (#10675) * Update translations for "How verifying your identity works" screen changelog: User-Facing Improvements, IdV, Update translations for agreement step screen * lint fixes
changelog: Upcoming Features, Aggregated Sign-In Message, Fix aggregated new device sign-in for expired session
Previously all reviewapps were being put mistakenly in the same `reviewapps` cloudwatch log group. This change fixes it so they're put in cloudwatch log groups named after the reviewapp. In cloudwatch you can search for your branch to find the log groups for your reviewapp again. [skip changelog]
* changelog: Internal, Doc Auth, Add tests for resubmit h1 and body copy Co-authored-by: Eileen McFarland <eileen.mcfarland@gsa.gov>
The `AuthnContextResolver#resolve` takes the ACR values and VTR param for a request and returns a `Vot::Parser::Result` object. This object has predicate methods such as `aal2?` and `#identity_proofing?` which describe the requirements for the given service provider request. This is necessary because these requirements are a function of the service provider settings that are stored in the database and the request from the service provider. When using vectors of trust a service provider is able to make a request with multiple valid vectors. Prior to this commit we used the first vector in the list for the service provider request. This commit makes a change to show the following preference: 1. If a SP requests biometric comparison and the user has completed proofing with biometric comparison we select the biometric comparison vector 2. If a SP requests identity proofing without biometric comparison and the user completed proofing we select the vector for identity proofing without biometric comparison 3. If neither of the above is true then we continue to select the first vector. This change requires passing the current user into the `AuthnContextResolver` initializer so it has access to the user context once the user signs in. The arrangement allows us to use the following vector combinations to satisfy the following use cases - `C1.C2.P1.Pb,C1.C2.P1`: Existing proofed users do not need to proof again but unproofed users need to proof with a biometric - `C1.C2.P1,C1.C2`: Users who have proofed have their attributes shared but unproofed users do not need to go through proofing i.e. IALMax [skip changelog]
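The three-step preference in the commit message above, written out as a small Ruby module so the selection order can be checked against the two vector combinations the message lists. This is an added illustration, not the project's `AuthnContextResolver` or `Vot::Parser`; the `VectorPreference` module, the `ProofingState` stand-in for the signed-in user, and the reading of `P1` as identity proofing and `Pb` as biometric comparison are assumptions made for the example.

```ruby
# Added example: vector-of-trust selection preference as described in the
# commit message. Not the project's own code; names and the component
# meanings (P1 = identity proofing, Pb = biometric comparison) are assumptions.

# Constructed stand-in for the current user's proofing state.
# A real resolver would read this from the signed-in user's active profile.
ProofingState = Struct.new(:proofed, :biometric, keyword_init: true) do
  def proofed?
    proofed == true
  end

  # Biometric proofing implies proofing was completed.
  def biometric_proofed?
    proofed? && biometric == true
  end
end

module VectorPreference
  BIOMETRIC = 'Pb'.freeze
  PROOFING = 'P1'.freeze

  # "C1.C2.P1.Pb,C1.C2.P1" -> [["C1","C2","P1","Pb"], ["C1","C2","P1"]]
  # Order is preserved because rule 3 falls back to the first vector.
  def self.parse(vtr)
    vtr.to_s.split(',').map(&:strip).reject(&:empty?).map { |v| v.split('.') }
  end

  def self.biometric?(vector)
    vector.include?(BIOMETRIC)
  end

  def self.proofing?(vector)
    vector.include?(PROOFING)
  end

  # Returns the selected vector as a dotted string, or nil for an empty param.
  # `user` may be nil before sign-in, in which case only rule 3 can apply.
  def self.select(vtr, user)
    vectors = parse(vtr)
    return nil if vectors.empty?

    # Rule 1: SP offers a biometric vector and the user proofed with biometric.
    if user&.biometric_proofed?
      match = vectors.find { |v| biometric?(v) }
      return match.join('.') if match
    end

    # Rule 2: SP offers proofing without biometric and the user has proofed.
    if user&.proofed?
      match = vectors.find { |v| proofing?(v) && !biometric?(v) }
      return match.join('.') if match
    end

    # Rule 3: keep the pre-existing behaviour of taking the first vector.
    vectors.first.join('.')
  end
end

if __FILE__ == $PROGRAM_NAME
  biometric_user = ProofingState.new(proofed: true, biometric: true)
  legacy_user = ProofingState.new(proofed: true, biometric: false)
  puts VectorPreference.select('C1.C2.P1.Pb,C1.C2.P1', biometric_user) # C1.C2.P1.Pb
  puts VectorPreference.select('C1.C2.P1.Pb,C1.C2.P1', legacy_user)    # C1.C2.P1
  puts VectorPreference.select('C1.C2.P1.Pb,C1.C2.P1', nil)            # C1.C2.P1.Pb
end
```

Because rule 2 only requires that proofing was completed, a user who proofed with biometric comparison still gets the non-biometric `P1` vector when the SP sends `C1.C2.P1,C1.C2`, which is the "attributes shared" case the message describes; the resolver needs the user object precisely because neither of the first two rules can be evaluated before sign-in.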
* changelog: internal, in-person-proofing, rename skip_doc_auth * remove skip_doc_auth_from_how... where it is part of a decision
* Remove unnecessary rerender * Hide the close button when the Acuant Camera loads * changelog: Bug Fixes, Selfie, Fix problem with focus jumping for screenreader while capturing selfie * Add a test * Add comment * Remove unused import
changelog: Internal, Performance, Reduce path size for static assets
A change requested in [10635](#10635 (comment)). We are not changing the general error message when liveness is enabled, so we do not need to pass it in as a parameter. [skip changelog]
#10427) * doc auth pass if transaction status passes changelog: Internal, Document Authentication, TrueIDResponse successful if transaction status passes * update spec response transaction status * update true id response spec * update fixtures product status for failed transactions * update product status * selfie must pass * revert fixture changes * update trueID response specs for transaction status * attention barcode does not have to be only error * update doc_auth_success to remove selfie in mock result response * happy linting * allow mock proofer to have multiple errors with barcode attn * remove dup test * add an error barcode fixture to barcode error trueid response * ensure attention_with_barcode? returns a boolean * update spec attention with barcode * error generator use transaction status to determine if doc auth passed when counting errors * consolidate checking if doc auth passed in error generator * doc_auth_passed not in scope for DocAuthErrorHandler * update mock to include transaction_status * rename error generator tests from 'DocAuthResult is ...' to 'TransactionStatus is ...' * fetch transaction_status from yml image files * update analytics expectation with transaction_status value * update analytics expectation with transaction_status value * update analytics expectation with transaction_status value * update transaction_status in mock to reflect doc auth only * check transaction status to determine if doc auth is success for mock * assist with correcting case for transaction status and doc auth result in yml files * do not correct case * add transaction status to yml * add transaction status to yml * add transaction status to yml * add transaction result to inline yaml files * update yml fixtures to have transaction_status * update image upload presenter to use transaction status * update image upload presenter spec to receive transaction status * remove stale comment
* lg-13352 added new fields at the request of Chris Manger to the new billing report to include new unique users by issuer split by profile age changelog: Internal, Reporting, added new billing report fields --------- Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>, Luis Matos, Samatha Dondetti
We added support for sending multiple vectors of trust using the OIDC interface in #10517. This commit adds the same feature to the SAML interface. To send multiple vectors using SAML partners can include multiple AuthnContextNodes with a vector in each. This was enabled in 18F/saml_idp#100. [skip changelog]
* Update namespaces in AAMVA verification request to match docs The DLDV documentation PDF we have uses `nc:` to namespace things that are based on NIEM Core and `aa:` to namespace AAMVA extensions to NIEM core. Our code was using `ns1:` and `ns2:` which made it somewhat hard to follow. This commit updates template and fixture files to use `aa:` and `nc:` namespaces. It will require testing in the staging environment before deploying. * [skip changelog] * Say `dldv:` instead of `ns:` Docs use `dldv:` for the AAMVA DLDV SOAP namespace. * Update aamva_test_spec.rb
… page (#10685) changelog: User-Facing Improvements, Account Management, Prompt user to confirm setting up backup codes from account page
* changelog: User-Facing Improvements, Authentication, Translations fixing for DOS * remove translated language * make sure to include zh translation for p1 html * remove translated spec
* Ensure StateIdResult::to_h includes requested_attributes (requested_attributes weren't showing up in cloudwatch logs.) [skip changelog] * Update various specs to include requested_attributes
changelog: Internal, Performance, Delete and regenerate backup codes in a single transaction
changelog: Internal, Performance, Verify and consume backup code in single database transaction
mitchellhenke approved these changes May 23, 2024
zachmargolis approved these changes May 23, 2024
aduth approved these changes May 23, 2024