Deploy RC 402 to Production

.gitlab-ci.yml

@@ -226,7 +226,7 @@ migrate:
     POSTGRES_HOST_AUTH_METHOD: trust
     RAILS_ENV: test
   services:
-    - name: postgres:13.9
+    - name: public.ecr.aws/docker/library/postgres:13.9
       alias: db-postgres
       command: ['--fsync=false', '--synchronous_commit=false', '--full_page_writes=false']
   script:
@@ -258,10 +258,10 @@ specs:
     POSTGRES_HOST_AUTH_METHOD: trust
     RAILS_ENV: test
   services:
-    - name: postgres:13.9
+    - name: public.ecr.aws/docker/library/postgres:13.9
       alias: db-postgres
       command: ['--fsync=false', '--synchronous_commit=false', '--full_page_writes=false']
-    - name: redis:7.0
+    - name: public.ecr.aws/docker/library/redis:7.0
       alias: db-redis
   artifacts:
     expire_in: 31d
@@ -288,7 +288,7 @@ specs:
     - cp -a keys.example keys
     - cp -a certs.example certs
     - cp pwned_passwords/pwned_passwords.txt.sample pwned_passwords/pwned_passwords.txt
-    - "echo -e \"test:\n  redis_url: 'redis://redis:6379/0'\n  redis_throttle_url: 'redis://redis:6379/1'\" > config/application.yml"
+    - "echo -e \"test:\n  redis_url: 'redis://db-redis:6379/0'\n  redis_throttle_url: 'redis://db-redis:6379/1'\" > config/application.yml"
     - bundle exec rake db:create db:migrate --trace
     - bundle exec rake db:seed
     - bundle exec rake knapsack:rspec["--format documentation --format RspecJunitFormatter --out rspec.xml --format json --out rspec_json/${CI_NODE_INDEX}.json"]

Gemfile

@@ -50,6 +50,7 @@ gem 'maxminddb'
 gem 'multiset'
 gem 'net-sftp'
 gem 'newrelic_rpm', '~> 9.0'
+gem 'numbers_and_words', '~> 0.11.12'
 gem 'prometheus_exporter'
 gem 'puma', '~> 6.0'
 gem 'pg'

Gemfile.lock

@@ -231,7 +231,7 @@ GEM
     brakeman (6.1.0)
     browser (6.0.0)
     builder (3.3.0)
-    bullet (7.1.4)
+    bullet (7.2.0)
       activesupport (>= 3.0.0)
       uniform_notifier (~> 1.11)
     bundler-audit (0.9.1)
@@ -266,7 +266,7 @@ GEM
       bigdecimal
       rexml
     crass (1.0.6)
-    css_parser (1.14.0)
+    css_parser (1.17.1)
       addressable
     cssbundling-rails (1.4.0)
       railties (>= 6.0.0)
@@ -323,10 +323,11 @@ GEM
       railties (>= 5.0.0)
     faker (2.19.0)
       i18n (>= 1.6, < 2)
-    faraday (2.7.10)
-      faraday-net_http (>= 2.0, < 3.1)
-      ruby2_keywords (>= 0.0.4)
-    faraday-net_http (3.0.2)
+    faraday (2.10.0)
+      faraday-net_http (>= 2.0, < 3.2)
+      logger
+    faraday-net_http (3.1.1)
+      net-http
     faraday-retry (2.0.0)
       faraday (~> 2.0)
     ffi (1.15.5)
@@ -422,14 +423,16 @@ GEM
     matrix (0.4.2)
     maxminddb (0.1.22)
     memory_profiler (1.0.1)
-    method_source (1.0.0)
+    method_source (1.1.0)
     mini_histogram (0.3.1)
     mini_mime (1.1.5)
     mini_portile2 (2.8.7)
     minitest (5.24.1)
     msgpack (1.7.2)
     multiset (0.5.3)
     mutex_m (0.2.0)
+    net-http (0.4.1)
+      uri
     net-http-persistent (4.0.2)
       connection_pool (~> 2.2)
     net-imap (0.4.12)
@@ -449,6 +452,8 @@ GEM
     nokogiri (1.16.6)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
+    numbers_and_words (0.11.12)
+      i18n (<= 2)
     openssl (3.0.2)
     openssl-signature_algorithm (1.2.1)
       openssl (> 2.0, < 3.1)
@@ -460,9 +465,9 @@ GEM
     pg (1.5.6)
     pg_query (4.2.3)
       google-protobuf (>= 3.22.3)
-    phonelib (0.8.9)
+    phonelib (0.9.1)
     pkcs11 (0.3.4)
-    premailer (1.21.0)
+    premailer (1.23.0)
       addressable
       css_parser (>= 1.12.0)
       htmlentities (>= 4.0.0)
@@ -487,11 +492,11 @@ GEM
     pry-doc (1.5.0)
       pry (~> 0.11)
       yard (~> 0.9.11)
-    pry-rails (0.3.9)
-      pry (>= 0.10.4)
+    pry-rails (0.3.11)
+      pry (>= 0.13.0)
     psych (5.1.2)
       stringio
-    public_suffix (6.0.0)
+    public_suffix (6.0.1)
     puma (6.4.2)
       nio4r (~> 2.0)
     raabro (1.4.0)
@@ -500,7 +505,7 @@ GEM
     rack-cors (2.0.2)
       rack (>= 2.0.0)
     rack-headers_filter (0.0.1)
-    rack-mini-profiler (3.3.0)
+    rack-mini-profiler (3.3.1)
       rack (>= 1.2.0)
     rack-proxy (0.7.7)
       rack
@@ -639,7 +644,6 @@ GEM
       nokogiri (>= 1.10.5)
       rexml
     ruby-statistics (3.0.2)
-    ruby2_keywords (0.0.5)
     rubyzip (2.3.2)
     safe_target_blank (1.0.2)
       rails
@@ -697,6 +701,7 @@ GEM
     unf_ext (0.0.9.1)
     unicode-display_width (2.5.0)
     uniform_notifier (1.16.0)
+    uri (0.13.0)
     view_component (3.9.0)
       activesupport (>= 5.2.0, < 8.0)
       concurrent-ruby (~> 1.0)
@@ -806,6 +811,7 @@ DEPENDENCIES
   net-sftp
   newrelic_rpm (~> 9.0)
   nokogiri (~> 1.16.0)
+  numbers_and_words (~> 0.11.12)
   pg
   pg_query
   phonelib

app/controllers/concerns/verify_profile_concern.rb

@@ -18,7 +18,6 @@ def pending_profile_policy
     @pending_profile_policy ||= PendingProfilePolicy.new(
       user: current_user,
       resolved_authn_context_result: resolved_authn_context_result,
-      biometric_comparison_requested: nil,
     )
   end
 

app/controllers/openid_connect/authorization_controller.rb

@@ -52,14 +52,9 @@ def pending_profile_policy
       @pending_profile_policy ||= PendingProfilePolicy.new(
         user: current_user,
         resolved_authn_context_result: resolved_authn_context_result,
-        biometric_comparison_requested: biometric_comparison_requested?,
       )
     end
 
-    def biometric_comparison_requested?
-      @authorize_form.biometric_comparison_requested?
-    end
-
     def check_sp_active
       return if @authorize_form.service_provider&.active?
       redirect_to sp_inactive_error_url

app/controllers/sign_up/passwords_controller.rb

@@ -3,6 +3,7 @@
 module SignUp
   class PasswordsController < ApplicationController
     include UnconfirmedUserConcern
+    include NewDeviceConcern
 
     before_action :find_user_with_confirmation_token
     before_action :confirm_user_needs_sign_up_confirmation
@@ -76,6 +77,7 @@ def process_unsuccessful_password_creation
 
     def sign_in_and_redirect_user
       sign_in @user
+      set_new_device_session(false)
       user_session[:in_account_creation_flow] = true
       if current_user.accepted_rules_of_use_still_valid?
         redirect_to authentication_methods_setup_url

app/forms/openid_connect_authorize_form.rb

@@ -129,22 +129,6 @@ def requested_aal_value
       Saml::Idp::Constants::DEFAULT_AAL_AUTHN_CONTEXT_CLASSREF
   end
 
-  def biometric_comparison_requested?
-    !!parsed_vectors_of_trust&.any?(&:biometric_comparison?)
-  end
-
-  def parsed_vectors_of_trust
-    return @parsed_vectors_of_trust if defined?(@parsed_vectors_of_trust)
-
-    @parsed_vectors_of_trust = begin
-      if vtr.is_a?(Array) && !vtr.empty?
-        vtr.map { |vot| Vot::Parser.new(vector_of_trust: vot).parse }
-      end
-    rescue Vot::Parser::ParseException
-      nil
-    end
-  end
-
   private
 
   attr_reader :identity, :success
@@ -160,6 +144,18 @@ def check_for_unauthorized_scope(params)
     @scope != param_value.split(' ').compact
   end
 
+  def parsed_vectors_of_trust
+    return @parsed_vectors_of_trust if defined?(@parsed_vectors_of_trust)
+
+    @parsed_vectors_of_trust = begin
+      if vtr.is_a?(Array) && !vtr.empty?
+        vtr.map { |vot| Vot::Parser.new(vector_of_trust: vot).parse }
+      end
+    rescue Vot::Parser::ParseException
+      nil
+    end
+  end
+
   def parse_to_values(param_value, possible_values)
     return [] if param_value.blank?
     param_value.split(' ').compact & possible_values

app/javascript/packages/document-capture/components/acuant-camera.tsx

@@ -4,7 +4,6 @@ import { useI18n } from '@18f/identity-react-i18n';
 import { useImmutableCallback } from '@18f/identity-react-hooks';
 import AcuantContext from '../context/acuant';
 
-declare let AcuantCameraUI: AcuantCameraUIInterface;
 declare global {
   interface Window {
     AcuantCameraUI: AcuantCameraUIInterface;
@@ -262,26 +261,6 @@ interface AcuantCameraContextProps {
   children: ReactNode;
 }
 
-/**
- * Returns a found AcuantCameraUI
- * object, if one is available.
- * This function normalizes differences between
- * the 11.5.0 and 11.7.0 SDKs. The former attached
- * the object to the global window, while the latter
- * sets the object in the global (but non-window)
- * scope.
- */
-const getActualAcuantCameraUI = (): AcuantCameraUIInterface => {
-  if (window.AcuantCameraUI) {
-    return window.AcuantCameraUI;
-  }
-  if (typeof AcuantCameraUI === 'undefined') {
-    // eslint-disable-next-line no-console
-    console.error('AcuantCameraUI is not defined in the global scope');
-  }
-  return AcuantCameraUI;
-};
-
 function AcuantCamera({
   onImageCaptureSuccess = () => {},
   onImageCaptureFailure = () => {},
@@ -318,7 +297,6 @@ function AcuantCamera({
         onFailureCallbackWithOptions[key] = textOptions[key];
       });
 
-      window.AcuantCameraUI = getActualAcuantCameraUI();
       window.AcuantCameraUI.start(
         {
           onCaptured: onCropStart,

app/javascript/packages/document-capture/context/acuant.tsx

@@ -8,8 +8,6 @@ import SelfieCaptureContext from './selfie-capture';
 /**
  * Global declarations
  */
-declare let AcuantCamera: AcuantCameraInterface;
-
 declare global {
   interface AcuantJavascriptWebSdkInterface {
     setUnexpectedErrorCallback(arg0: (error: string) => void): unknown;
@@ -159,38 +157,6 @@ const AcuantContext = createContext<AcuantContextInterface>({
 
 AcuantContext.displayName = 'AcuantContext';
 
-/**
- * Returns a found AcuantJavascriptWebSdk
- * object, if one is available.
- */
-const getActualAcuantJavascriptWebSdk = (): AcuantJavascriptWebSdkInterface => {
-  if (!window.AcuantJavascriptWebSdk) {
-    // eslint-disable-next-line no-console
-    console.error('AcuantJavascriptWebSdk is not defined in the global scope');
-  }
-  return window.AcuantJavascriptWebSdk;
-};
-
-/**
- * Returns a found AcuantCamera
- * object, if one is available.
- * This function normalizes differences between
- * the 11.5.0 and 11.7.0 SDKs. The former attached
- * the object to the global window, while the latter
- * sets the object in the global (but non-window)
- * scope.
- */
-const getActualAcuantCamera = (): AcuantCameraInterface => {
-  if (window.AcuantCamera) {
-    return window.AcuantCamera;
-  }
-  if (typeof AcuantCamera === 'undefined') {
-    // eslint-disable-next-line no-console
-    console.error('AcuantCamera is not defined in the global scope');
-  }
-  return AcuantCamera;
-};
-
 function AcuantContextProvider({
   sdkSrc,
   cameraSrc,
@@ -250,7 +216,6 @@ function AcuantContextProvider({
 
         loadAcuantSdk();
       }
-      window.AcuantJavascriptWebSdk = getActualAcuantJavascriptWebSdk();
 
       // Unclear if/how this is called. Implemented just in case, but this is untested.
       window.AcuantJavascriptWebSdk.setUnexpectedErrorCallback((errorMessage) => {
@@ -264,7 +229,6 @@ function AcuantContextProvider({
       window.AcuantJavascriptWebSdk.initialize(credentials, endpoint, {
         onSuccess: () => {
           window.AcuantJavascriptWebSdk.start?.(() => {
-            window.AcuantCamera = getActualAcuantCamera();
             const { isCameraSupported: nextIsCameraSupported } = window.AcuantCamera;
             trackEvent('IdV: Acuant SDK loaded', {
               success: true,

app/javascript/packs/document-capture.tsx

@@ -80,7 +80,7 @@ const trackEvent: typeof baseTrackEvent = (event, payload) => {
     acuant_sdk_upgrade_a_b_testing_enabled: acuantSdkUpgradeABTestingEnabled,
     use_alternate_sdk: useAlternateSdk,
     acuant_version: acuantVersion,
-    opted_in_to_in_person_proofing: optedInToInPersonProofing,
+    opted_in_to_in_person_proofing: optedInToInPersonProofing === 'true',
   });
 };
 

app/mailers/user_mailer.rb

@@ -271,7 +271,12 @@ def in_person_completion_survey
     with_user_locale(user) do
       @header = t('user_mailer.in_person_completion_survey.header')
       @privacy_url = MarketingSite.security_and_privacy_practices_url
-      @survey_url = IdentityConfig.store.in_person_completion_survey_url
+      if locale == :en
+        @survey_url = IdentityConfig.store.in_person_opt_in_available_completion_survey_url
+      else
+        @survey_url = IdentityConfig.store.in_person_completion_survey_url
+      end
+
       mail(
         to: email_address.email,
         subject: t('user_mailer.in_person_completion_survey.subject', app_name: APP_NAME),

app/policies/pending_profile_policy.rb

@@ -1,10 +1,9 @@
 # frozen_string_literal: true
 
 class PendingProfilePolicy
-  def initialize(user:, resolved_authn_context_result:, biometric_comparison_requested:)
+  def initialize(user:, resolved_authn_context_result:)
     @user = user
     @resolved_authn_context_result = resolved_authn_context_result
-    @biometric_comparison_requested = biometric_comparison_requested
   end
 
   def user_has_pending_profile?
@@ -19,14 +18,14 @@ def user_has_pending_profile?
 
   private
 
-  attr_reader :user, :resolved_authn_context_result, :biometric_comparison_requested
+  attr_reader :user, :resolved_authn_context_result
 
   def pending_biometric_profile?
     user.pending_profile&.idv_level == 'unsupervised_with_selfie'
   end
 
   def biometric_comparison_requested?
-    resolved_authn_context_result.biometric_comparison? || biometric_comparison_requested
+    resolved_authn_context_result.biometric_comparison?
   end
 
   def pending_legacy_profile?