Deploy RC 403 to Production

.gitlab-ci.yml

@@ -191,6 +191,8 @@ build-idp-image:
       --build-arg "ARG_CI_COMMIT_SHA=${CI_COMMIT_SHA}"
       --build-arg "LARGE_FILES_TOKEN=${LARGE_FILES_TOKEN}"
       --build-arg "LARGE_FILES_USER=${LARGE_FILES_USER}"
+      --build-arg "SERVICE_PROVIDERS_KEY=${SERVICE_PROVIDERS_KEY}"
+
 
 check_changelog:
   stage: test
@@ -832,7 +834,7 @@ pinpoint_check_scheduled:
           --channel "#login-appdev" \
           --webhook "${SLACK_WEBHOOK}" \
           --raise \
-          --text "Pinpoint supported countries check in GitLab failed.\nBuild Results: ${CI_JOB_URL}.\nCheck results locally with 'make lint_country_dialing_codes'"
+          --text "$(printf "Pinpoint supported countries check in GitLab failed.\nBuild Results: ${CI_JOB_URL}.\nCheck results locally with 'make lint_country_dialing_codes'")""
       fi
   rules:
     - if: $CI_PIPELINE_SOURCE == "schedule"
@@ -856,7 +858,7 @@ audit_packages_scheduled:
           --channel "#login-appdev" \
           --webhook "${SLACK_WEBHOOK}" \
           --raise \
-          --text "Dependencies audit in GitLab failed.\nBuild Results: ${CI_JOB_URL}\nCheck results locally with 'make audit'"
+          --text "$(printf "Dependencies audit in GitLab failed.\nBuild Results: ${CI_JOB_URL}\nCheck results locally with 'make audit'")"
       fi
   rules:
     - if: $CI_PIPELINE_SOURCE == "schedule"

Gemfile

@@ -73,7 +73,7 @@ gem 'rqrcode'
 gem 'ruby-progressbar'
 gem 'ruby-saml'
 gem 'safe_target_blank', '>= 1.0.2'
-gem 'saml_idp', github: '18F/saml_idp', tag: '0.21.4-18f'
+gem 'saml_idp', github: '18F/saml_idp', tag: '0.21.6-18f'
 gem 'scrypt'
 gem 'simple_form', '>= 5.0.2'
 gem 'stringex', require: false

Gemfile.lock

@@ -35,10 +35,10 @@ GIT
 
 GIT
   remote: https://github.com/18F/saml_idp.git
-  revision: 5e9999ef8e9260cda74cfea0a637f754994e0f9d
-  tag: 0.21.4-18f
+  revision: 512ad9b1609884781034773f6c4ccd53e7036a82
+  tag: 0.21.6-18f
   specs:
-    saml_idp (0.21.4.pre.18f)
+    saml_idp (0.21.6.pre.18f)
       activesupport
       builder
       faraday
@@ -578,7 +578,7 @@ GEM
       actionpack (>= 5.0)
       railties (>= 5.0)
     retries (0.0.5)
-    rexml (3.3.2)
+    rexml (3.3.4)
       strscan
     rotp (6.3.0)
     rouge (4.2.0)

app/assets/stylesheets/email.css.scss

@@ -5,6 +5,8 @@
 @use 'variables/app' as *;
 @use 'variables/email' as *;
 
+@forward 'usa-tag';
+
 .gray {
   &:active,
   &:hover,
@@ -73,10 +75,6 @@ h6 {
   width: 50%;
 }
 
-.half {
-  width: 50%;
-}
-
 .footer {
   background: $secondary-color;
 

app/controllers/application_controller.rb

@@ -111,7 +111,7 @@ def resolved_authn_context_result
         service_provider: service_provider,
         vtr: sp_session[:vtr],
         acr_values: sp_session[:acr_values],
-      ).resolve
+      ).result
     end
   end
 

app/controllers/users/sessions_controller.rb

@@ -31,15 +31,16 @@ def new
 
     def create
       session[:sign_in_flow] = :sign_in
-      return process_locked_out_session if session_bad_password_count_max_exceeded?
+      return process_rate_limited if session_bad_password_count_max_exceeded?
       return process_locked_out_user if current_user && user_locked_out?(current_user)
+      return process_rate_limited if rate_limited?
       return process_failed_captcha if !valid_captcha_result?
 
       rate_limit_password_failure = true
       self.resource = warden.authenticate!(auth_options)
       handle_valid_authentication
     ensure
-      increment_session_bad_password_count if rate_limit_password_failure && !current_user
+      handle_invalid_authentication if rate_limit_password_failure && !current_user
       track_authentication_attempt(auth_params[:email])
     end
 
@@ -71,7 +72,7 @@ def increment_session_bad_password_count
       session[:max_bad_passwords_at] ||= Time.zone.now.to_i
     end
 
-    def process_locked_out_session
+    def process_rate_limited
       sign_out(:user)
       warden.lock!
 
@@ -83,9 +84,14 @@ def process_locked_out_session
     end
 
     def locked_out_time_remaining
-      locked_at = session[:max_bad_passwords_at]
-      window = IdentityConfig.store.max_bad_passwords_window_in_seconds.seconds
-      time_lockout_expires = Time.zone.at(locked_at) + window
+      if session[:max_bad_passwords_at]
+        locked_at = session[:max_bad_passwords_at]
+        window = IdentityConfig.store.max_bad_passwords_window_in_seconds.seconds
+        time_lockout_expires = Time.zone.at(locked_at) + window
+      else
+        time_lockout_expires = rate_limiter&.expires_at || Time.zone.now
+      end
+
       distance_of_time_in_words(Time.zone.now, time_lockout_expires, true)
     end
 
@@ -147,7 +153,13 @@ def process_locked_out_user
       render_full_width('two_factor_authentication/_locked', locals: { presenter: presenter })
     end
 
+    def handle_invalid_authentication
+      rate_limiter&.increment!
+      increment_session_bad_password_count
+    end
+
     def handle_valid_authentication
+      rate_limiter&.reset!
       sign_in(resource_name, resource)
       cache_profiles(auth_params[:password])
       set_new_device_session(nil)
@@ -171,6 +183,7 @@ def track_authentication_attempt(email)
         success: success,
         user_id: user.uuid,
         user_locked_out: user_locked_out?(user),
+        rate_limited: rate_limited?,
         valid_captcha_result: valid_captcha_result?,
         bad_password_count: session[:bad_password_count].to_i,
         sp_request_url_present: sp_session[:request_url].present?,
@@ -183,6 +196,20 @@ def user_locked_out?(user)
       user.locked_out?
     end
 
+    def rate_limited?
+      !!rate_limiter&.limited?
+    end
+
+    def rate_limiter
+      return @rate_limiter if defined?(@rate_limiter)
+      user = User.find_with_email(auth_params[:email])
+      return @rate_limiter = nil unless user
+      @rate_limiter = RateLimiter.new(
+        rate_limit_type: :sign_in_user_id_per_ip,
+        target: [user.id, request.ip].join('-'),
+      )
+    end
+
     def store_sp_metadata_in_session
       return if sp_session[:issuer] || request_id.blank?
       StoreSpMetadataInSession.new(session: session, request_id: request_id).call
@@ -214,23 +241,17 @@ def pending_account_reset_request
 
     def override_csp_for_google_analytics
       return unless IdentityConfig.store.participate_in_dap
+      # See: https://github.com/digital-analytics-program/gov-wide-code#content-security-policy
       policy = current_content_security_policy
       policy.script_src(
         *policy.script_src,
         'dap.digitalgov.gov',
         'www.google-analytics.com',
-        '*.googletagmanager.com',
+        'www.googletagmanager.com',
       )
       policy.connect_src(
         *policy.connect_src,
-        '*.google-analytics.com',
-        '*.analytics.google.com',
-        '*.googletagmanager.com',
-      )
-      policy.img_src(
-        *policy.img_src,
-        '*.google-analytics.com',
-        '*.googletagmanager.com',
+        'www.google-analytics.com',
       )
       request.content_security_policy = policy
     end

app/forms/idv/doc_pii_form.rb

@@ -18,9 +18,10 @@ class DocPiiForm
     validates_presence_of :state_id_number, { message: proc {
       I18n.t('doc_auth.errors.general.no_liveness')
     } }
+    validate :state_id_expired?
 
     attr_reader :first_name, :last_name, :dob, :address1, :state, :zipcode, :attention_with_barcode,
-                :jurisdiction, :state_id_number
+                :jurisdiction, :state_id_number, :state_id_expiration
     alias_method :attention_with_barcode?, :attention_with_barcode
 
     def initialize(pii:, attention_with_barcode: false)
@@ -33,6 +34,7 @@ def initialize(pii:, attention_with_barcode: false)
       @zipcode = pii[:zipcode]
       @jurisdiction = pii[:state_id_jurisdiction]
       @state_id_number = pii[:state_id_number]
+      @state_id_expiration = pii[:state_id_expiration]
       @attention_with_barcode = attention_with_barcode
     end
 
@@ -106,6 +108,12 @@ def dob_valid?
       end
     end
 
+    def state_id_expired?
+      if state_id_expiration && DateParser.parse_legacy(state_id_expiration).past?
+        errors.add(:state_id_expiration, generic_error, type: :state_id_expiration)
+      end
+    end
+
     def zipcode_valid?
       return if zipcode.is_a?(String) && zipcode.present?
 

app/javascript/packages/document-capture/components/acuant-selfie-camera.tsx

@@ -83,6 +83,11 @@ interface FaceDetectionStates {
   TOO_MANY_FACES: string;
   FACE_TOO_SMALL: string;
   FACE_CLOSE_TO_BORDER: string;
+  CLOSE_TEXT: string;
+  RETAKE_TEXT: string;
+  INTRO_TEXT: string;
+  SUBMIT_ALT: string;
+  CAPTURE_ALT: string;
 }
 
 function AcuantSelfieCamera({
@@ -145,6 +150,11 @@ function AcuantSelfieCamera({
       TOO_MANY_FACES: t('doc_auth.info.selfie_capture_status.too_many_faces'),
       FACE_TOO_SMALL: t('doc_auth.info.selfie_capture_status.face_too_small'),
       FACE_CLOSE_TO_BORDER: t('doc_auth.info.selfie_capture_status.face_close_to_border'),
+      CLOSE_TEXT: t('doc_auth.info.selfie_capture.action.close'),
+      RETAKE_TEXT: t('doc_auth.info.selfie_capture.action.retake'),
+      INTRO_TEXT: t('doc_auth.info.selfie_capture.intro'),
+      SUBMIT_ALT: t('doc_auth.info.selfie_capture.action.submit'),
+      CAPTURE_ALT: t('doc_auth.info.selfie_capture.action.capture'),
     };
     const cleanupSelfieCamera = () => {
       window.AcuantPassiveLiveness.end();

app/presenters/openid_connect_user_info_presenter.rb

@@ -24,7 +24,7 @@ def user_info
     info.merge!(x509_attributes) if scoper.x509_scopes_requested?
     info[:verified_at] = verified_at if scoper.verified_at_requested?
     if identity.vtr.nil?
-      info[:ial] = asserted_ial_value
+      info[:ial] = authn_context_resolver.asserted_ial_acr
       info[:aal] = identity.requested_aal_value
     else
       info[:vot] = vot_values
@@ -40,26 +40,13 @@ def url_options
 
   private
 
-  def asserted_ial_value
-    return Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF unless active_profile.present?
-
-    if resolved_authn_context_result.biometric_comparison?
-      Saml::Idp::Constants::IAL2_BIO_REQUIRED_AUTHN_CONTEXT_CLASSREF
-    elsif resolved_authn_context_result.identity_proofing? ||
-          resolved_authn_context_result.ialmax?
-      Saml::Idp::Constants::IAL2_AUTHN_CONTEXT_CLASSREF
-    else
-      Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF
-    end
-  end
-
   def vot_values
     AuthnContextResolver.new(
       user: identity.user,
       vtr: JSON.parse(identity.vtr),
       service_provider: identity&.service_provider_record,
       acr_values: nil,
-    ).resolve.expanded_component_values
+    ).result.expanded_component_values
   end
 
   def uuid_from_sp_identity(identity)
@@ -151,12 +138,16 @@ def identity_proofing_requested_for_verified_user?
   end
 
   def resolved_authn_context_result
-    @resolved_authn_context_result ||= AuthnContextResolver.new(
+    authn_context_resolver.result
+  end
+
+  def authn_context_resolver
+    @authn_context_resolver ||= AuthnContextResolver.new(
       user: identity.user,
       service_provider: identity&.service_provider_record,
       vtr: identity.vtr.presence && JSON.parse(identity.vtr),
       acr_values: identity.acr_values,
-    ).resolve
+    )
   end
 
   def ial2_session?

app/presenters/piv_cac_authentication_login_presenter.rb

@@ -28,6 +28,6 @@ def heading
   end
 
   def info
-    t('instructions.mfa.piv_cac.sign_in_html', app_name: APP_NAME)
+    t('instructions.mfa.piv_cac.sign_in', app_name: APP_NAME)
   end
 end

app/services/analytics.rb

@@ -125,7 +125,7 @@ def resolved_authn_context_result
       service_provider:,
       vtr: session[:sp][:vtr],
       acr_values: session[:sp][:acr_values],
-    ).resolve
+    ).result
   rescue Vot::Parser::ParseException
     return
   end

app/services/analytics_events.rb

@@ -410,6 +410,7 @@ def edit_password_visit(required_password_change: false, **extra)
   # @param [Boolean] success
   # @param [String] user_id
   # @param [Boolean] user_locked_out if the user is currently locked out of their second factor
+  # @param [Boolean] rate_limited Whether the user has exceeded user IP rate limiting
   # @param [Boolean] valid_captcha_result Whether user passed the reCAPTCHA check
   # @param [String] bad_password_count represents number of prior login failures
   # @param [Boolean] sp_request_url_present if was an SP request URL in the session
@@ -421,6 +422,7 @@ def email_and_password_auth(
     success:,
     user_id:,
     user_locked_out:,
+    rate_limited:,
     valid_captcha_result:,
     bad_password_count:,
     sp_request_url_present:,
@@ -433,6 +435,7 @@ def email_and_password_auth(
       success:,
       user_id:,
       user_locked_out:,
+      rate_limited:,
       valid_captcha_result:,
       bad_password_count:,
       sp_request_url_present:,