LG-13758: Bypass secondary id check for Enhanced IPP

[KeithNava]

🎫 Ticket

Link to the relevant ticket:
LG-13758

🛠 Summary of changes

As we await the new API contract from USPS with the expanded list of secondary ID options, we are temporarily bypassing the secondary check completely. This is to support the friends and family testing for Enhanced IPP

📜 Testing Plan

Please see the scenarios below for

1. EIPP Enabled with Unsupported Secondary ID
2. EIPP Enabled with Supported Secondary ID
3. The current flow in production - EIPP Disabled (ID IPP) with Unsupported Secondary ID
4. The current flow in production - EIPP Disabled (ID IPP) with Supported Secondary ID

Enhanced In Person Proofing Enabled

Note

Pre requisite for all of this is to spin up the OIDC-Sinatra app locally. You can find the setup steps here: https://docs.google.com/document/d/1FG9s8Cih9NGbrz7ag4WPLK_W10di-1xfDKy0Fjrg0fM/edit#heading=h.hepkwzlgvxf3. Once you have it running locally, you'll need to make sure you select the Enhanced IPP option from the dropdown. This is key since it sets the application up to enable Enhanced IPP.

Should PASS enrollment with UNSUPPORTED secondary ID #

Running the Job Manually 🧰

• After navigation to the application from the OIDC Sinatra application, proceed to create a test enrollment (https://handbook.login.gov/articles/identity-proofing-testing.html#gmail-extra-emails-trick)
• After the enrollment is created, open the rails console in the identity-idp application and grab that newly created enrollment

e = InPersonEnrollment.last

• Next, in the same console terminal setup the mocked response

mock = UspsInPersonProofing::Mock::Fixtures.request_passed_proofing_secondary_id_type_results_response
res = JSON.parse(mock)

• Create an instance of the job

job = GetUspsProofingResultsJob.new

• Set the enrollments outcome instance variable

job.instance_variable_set('@enrollment_outcomes', { enrollments_passed: 0 })

• Start the job

job.send(:process_enrollment_response, e, res)

• Confirm the enrollment succeeded

e.status == 'passed'

Should PASS enrollment with SUPPORTED secondary ID #

Running the Job Manually 🧰

• After navigation to the application from the OIDC Sinatra application, proceed to create a test enrollment (https://handbook.login.gov/articles/identity-proofing-testing.html#gmail-extra-emails-trick)
• After the enrollment is created, open the rails console in the identity-idp application and grab that newly created enrollment

e = InPersonEnrollment.last

• Next, in the same console terminal setup the mocked response

mock = UspsInPersonProofing::Mock::Fixtures.request_passed_proofing_supported_secondary_id_type_results_response
res = JSON.parse(mock)

• Create an instance of the job

job = GetUspsProofingResultsJob.new

• Set the enrollments outcome instance variable

job.instance_variable_set('@enrollment_outcomes', { enrollments_passed: 0 })

• Start the job

job.send(:process_enrollment_response, e, res)

• Confirm the enrollment succeeded

e.status == 'passed'

ID IPP (EIPP NOT Enabled)

Should FAIL enrollment with UNSUPPORTED secondary ID #

Running the Job Manually 🧰

• Open the identity-idp application and create a new test enrollment (https://handbook.login.gov/articles/identity-proofing-testing.html#gmail-extra-emails-trick)
• After the enrollment is created, open the rails console in the identity-idp application and grab that newly created enrollment

e = InPersonEnrollment.last

• Next, in the same console terminal setup the mocked response

mock = UspsInPersonProofing::Mock::Fixtures.request_passed_proofing_secondary_id_type_results_response
res = JSON.parse(mock)

• Create an instance of the job

job = GetUspsProofingResultsJob.new

• Set the enrollments outcome instance variable

job.instance_variable_set('@enrollment_outcomes', { enrollments_failed: 0 })

• Start the job

job.send(:process_enrollment_response, e, res)

• Confirm the enrollment failed

e.status == 'failed'

Should PASS enrollment with SUPPORTED secondary ID #

Running the Job Manually 🧰

• Open the identity-idp application and create a new test enrollment (https://handbook.login.gov/articles/identity-proofing-testing.html#gmail-extra-emails-trick)
• After the enrollment is created, open the rails console in the identity-idp application and grab that newly created enrollment

e = InPersonEnrollment.last

• Next, in the same console terminal setup the mocked response

mock = UspsInPersonProofing::Mock::Fixtures.request_passed_proofing_supported_secondary_id_type_results_response
res = JSON.parse(mock)

• Create an instance of the job

job = GetUspsProofingResultsJob.new

• Set the enrollments outcome instance variable

job.instance_variable_set('@enrollment_outcomes', { enrollments_passed: 0 })

• Start the job

job.send(:process_enrollment_response, e, res)

• Confirm the enrollment failed

e.status == 'failed'

[gina-yamada]

Does this response (UspsInPersonProofing::Mock::Fixtures.request_passed_proofing_secondary_id_type_results_response) usually cause a failure for IPP (not EIPP)?

[shanechesnutt-ft]

I am wondering if it makes sense to create a new method for creating separation between EIPP checks and ID IPP checks

def has_unsupported_secondary_id_type?(response)
  response['secondaryIdType'].present? && 
    SUPPORTED_SECONDARY_ID_TYPES.exclude(response['secondaryIdType'])
end

Then the passed_with_unsupported_secondary_id_type? would look like this

def passed_with_unsupported_secondary_id_type?(enrollment, response)
  !enrollment.enhanced_ipp? && has_unsupported_secondary_id_type?(response)
end

[shanechesnutt-ft]

Ideally it would be nice if we had a wrapper for the proofing response then we could have a method in the response wrapper that can make the check.

[KeithNava]

Yea, that's a good thought, I'm not sure. Since this is a temporary change I would expect the final solution to either not have this check at all or expand the list of supported secondary ids based on being in the enhanced_ipp flow. I'm just not sure where this isolation would be.

[KeithNava]

Does this response (UspsInPersonProofing::Mock::Fixtures.request_passed_proofing_secondary_id_type_results_response) usually cause a failure for IPP (not EIPP)?

@gina-yamada Yes - it does for me locally. Sorry, I've been updating the testing plan but it's going slow since I'm having some trouble on my local machine.

[jennyverdeyen]

Test plan looks good after working out some hiccups with @KeithNava! I ran through it and both test cases behave as expected. LGTM 👍

[shanechesnutt-ft]

I ran through the tests cases yesterday. Everything looked good.

[eileen-nava]

(I'm commenting on a file so that we can thread responses to this comment and resolve the conversation when we're done chatting.)

I noticed that the testing plan recommends using UspsInPersonProofing::Mock::Fixtures.request_passed_proofing_secondary_id_type_results_response. When I look at this mock file, it has "ippAssuranceLevel": "1.5". Since this is EIPP, I think we'd want to use a file with "ippAssuranceLevel": "2.0".

I don't know that this would affect behavior for the testing plan, but I wanted to flag it because that line jumped out at me.

[eileen-nava]

I would recommend using fixtures that have the correct assurance level in the specs. Thoughts?

[eileen-nava]

👏🏻 for the updated ippAssuranceLevel

[eileen-nava]

Non-blocking nit: I think Bypasses should be one word here

[eileen-nava]

👏🏻

[eileen-nava]

Thanks for refactoring! Looks good. Approved.

[KeithNava]

Thanks everyone for your reviews and feedback!