Deploy RC 425 to Production

.rubocop.yml

@@ -28,7 +28,7 @@ AllCops:
     - 'vendor/**/*'
     - 'public/**/*'
   TargetRubyVersion: 3.2.0
-  TargetRailsVersion: 7.1
+  TargetRailsVersion: 7.2
   UseCache: true
   DisabledByDefault: true
   SuggestExtensions: false

Gemfile

@@ -3,7 +3,7 @@ git_source(:github) { |repo_name| "https://github.com/#{repo_name}.git" }
 
 ruby "~> #{File.read(File.join(__dir__, '.ruby-version')).strip}"
 
-gem 'rails', '~> 7.1.4'
+gem 'rails', '~> 7.2.1'
 
 gem 'ahoy_matey', '~> 3.0'
 # pod identity requires 3.188.0
@@ -117,7 +117,7 @@ group :development, :test do
   gem 'pry-rails'
   gem 'psych'
   gem 'rspec', '~> 3.13.0'
-  gem 'rspec-rails', '~> 6.0'
+  gem 'rspec-rails', '~> 7.0'
   gem 'rubocop', '~> 1.62.0', require: false
   gem 'rubocop-performance', '~> 1.20.2', require: false
   gem 'rubocop-rails', '>= 2.26.2', require: false

Gemfile.lock

@@ -79,80 +79,76 @@ GIT
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (7.1.4.1)
-      actionpack (= 7.1.4.1)
-      activesupport (= 7.1.4.1)
+    actioncable (7.2.1.1)
+      actionpack (= 7.2.1.1)
+      activesupport (= 7.2.1.1)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
       zeitwerk (~> 2.6)
-    actionmailbox (7.1.4.1)
-      actionpack (= 7.1.4.1)
-      activejob (= 7.1.4.1)
-      activerecord (= 7.1.4.1)
-      activestorage (= 7.1.4.1)
-      activesupport (= 7.1.4.1)
-      mail (>= 2.7.1)
-      net-imap
-      net-pop
-      net-smtp
-    actionmailer (7.1.4.1)
-      actionpack (= 7.1.4.1)
-      actionview (= 7.1.4.1)
-      activejob (= 7.1.4.1)
-      activesupport (= 7.1.4.1)
-      mail (~> 2.5, >= 2.5.4)
-      net-imap
-      net-pop
-      net-smtp
+    actionmailbox (7.2.1.1)
+      actionpack (= 7.2.1.1)
+      activejob (= 7.2.1.1)
+      activerecord (= 7.2.1.1)
+      activestorage (= 7.2.1.1)
+      activesupport (= 7.2.1.1)
+      mail (>= 2.8.0)
+    actionmailer (7.2.1.1)
+      actionpack (= 7.2.1.1)
+      actionview (= 7.2.1.1)
+      activejob (= 7.2.1.1)
+      activesupport (= 7.2.1.1)
+      mail (>= 2.8.0)
       rails-dom-testing (~> 2.2)
-    actionpack (7.1.4.1)
-      actionview (= 7.1.4.1)
-      activesupport (= 7.1.4.1)
+    actionpack (7.2.1.1)
+      actionview (= 7.2.1.1)
+      activesupport (= 7.2.1.1)
       nokogiri (>= 1.8.5)
       racc
-      rack (>= 2.2.4)
+      rack (>= 2.2.4, < 3.2)
       rack-session (>= 1.0.1)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
-    actiontext (7.1.4.1)
-      actionpack (= 7.1.4.1)
-      activerecord (= 7.1.4.1)
-      activestorage (= 7.1.4.1)
-      activesupport (= 7.1.4.1)
+      useragent (~> 0.16)
+    actiontext (7.2.1.1)
+      actionpack (= 7.2.1.1)
+      activerecord (= 7.2.1.1)
+      activestorage (= 7.2.1.1)
+      activesupport (= 7.2.1.1)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (7.1.4.1)
-      activesupport (= 7.1.4.1)
+    actionview (7.2.1.1)
+      activesupport (= 7.2.1.1)
       builder (~> 3.1)
       erubi (~> 1.11)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
-    activejob (7.1.4.1)
-      activesupport (= 7.1.4.1)
+    activejob (7.2.1.1)
+      activesupport (= 7.2.1.1)
       globalid (>= 0.3.6)
-    activemodel (7.1.4.1)
-      activesupport (= 7.1.4.1)
-    activerecord (7.1.4.1)
-      activemodel (= 7.1.4.1)
-      activesupport (= 7.1.4.1)
+    activemodel (7.2.1.1)
+      activesupport (= 7.2.1.1)
+    activerecord (7.2.1.1)
+      activemodel (= 7.2.1.1)
+      activesupport (= 7.2.1.1)
       timeout (>= 0.4.0)
-    activestorage (7.1.4.1)
-      actionpack (= 7.1.4.1)
-      activejob (= 7.1.4.1)
-      activerecord (= 7.1.4.1)
-      activesupport (= 7.1.4.1)
+    activestorage (7.2.1.1)
+      actionpack (= 7.2.1.1)
+      activejob (= 7.2.1.1)
+      activerecord (= 7.2.1.1)
+      activesupport (= 7.2.1.1)
       marcel (~> 1.0)
-    activesupport (7.1.4.1)
+    activesupport (7.2.1.1)
       base64
       bigdecimal
-      concurrent-ruby (~> 1.0, >= 1.0.2)
+      concurrent-ruby (~> 1.0, >= 1.3.1)
       connection_pool (>= 2.2.5)
       drb
       i18n (>= 1.6, < 2)
+      logger (>= 1.4.2)
       minitest (>= 5.1)
-      mutex_m
-      tzinfo (~> 2.0)
+      securerandom (>= 0.3)
+      tzinfo (~> 2.0, >= 2.0.5)
     addressable (2.8.7)
       public_suffix (>= 2.0.2, < 7.0)
     ahoy_matey (3.3.0)
@@ -395,7 +391,7 @@ GEM
     listen (3.8.0)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
-    logger (1.6.0)
+    logger (1.6.1)
     lograge (0.11.2)
       actionpack (>= 4)
       activesupport (>= 4)
@@ -433,7 +429,6 @@ GEM
     minitest (5.24.1)
     msgpack (1.7.2)
     multiset (0.5.3)
-    mutex_m (0.2.0)
     net-http (0.4.1)
       uri
     net-http-persistent (4.0.2)
@@ -523,20 +518,20 @@ GEM
     rackup (2.1.0)
       rack (>= 3)
       webrick (~> 1.8)
-    rails (7.1.4.1)
-      actioncable (= 7.1.4.1)
-      actionmailbox (= 7.1.4.1)
-      actionmailer (= 7.1.4.1)
-      actionpack (= 7.1.4.1)
-      actiontext (= 7.1.4.1)
-      actionview (= 7.1.4.1)
-      activejob (= 7.1.4.1)
-      activemodel (= 7.1.4.1)
-      activerecord (= 7.1.4.1)
-      activestorage (= 7.1.4.1)
-      activesupport (= 7.1.4.1)
+    rails (7.2.1.1)
+      actioncable (= 7.2.1.1)
+      actionmailbox (= 7.2.1.1)
+      actionmailer (= 7.2.1.1)
+      actionpack (= 7.2.1.1)
+      actiontext (= 7.2.1.1)
+      actionview (= 7.2.1.1)
+      activejob (= 7.2.1.1)
+      activemodel (= 7.2.1.1)
+      activerecord (= 7.2.1.1)
+      activestorage (= 7.2.1.1)
+      activesupport (= 7.2.1.1)
       bundler (>= 1.15.0)
-      railties (= 7.1.4.1)
+      railties (= 7.2.1.1)
     rails-controller-testing (1.0.5)
       actionpack (>= 5.0.1.rc1)
       actionview (>= 5.0.1.rc1)
@@ -551,10 +546,10 @@ GEM
     rails-i18n (7.0.6)
       i18n (>= 0.7, < 2)
       railties (>= 6.0.0, < 8)
-    railties (7.1.4.1)
-      actionpack (= 7.1.4.1)
-      activesupport (= 7.1.4.1)
-      irb
+    railties (7.2.1.1)
+      actionpack (= 7.2.1.1)
+      activesupport (= 7.2.1.1)
+      irb (~> 1.13)
       rackup (>= 1.0.0)
       rake (>= 12.2)
       thor (~> 1.0, >= 1.2.2)
@@ -592,22 +587,22 @@ GEM
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
       rspec-mocks (~> 3.13.0)
-    rspec-core (3.13.0)
+    rspec-core (3.13.1)
       rspec-support (~> 3.13.0)
-    rspec-expectations (3.13.0)
+    rspec-expectations (3.13.3)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-mocks (3.13.0)
+    rspec-mocks (3.13.2)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-rails (6.0.3)
-      actionpack (>= 6.1)
-      activesupport (>= 6.1)
-      railties (>= 6.1)
-      rspec-core (~> 3.12)
-      rspec-expectations (~> 3.12)
-      rspec-mocks (~> 3.12)
-      rspec-support (~> 3.12)
+    rspec-rails (7.0.1)
+      actionpack (>= 7.0)
+      activesupport (>= 7.0)
+      railties (>= 7.0)
+      rspec-core (~> 3.13)
+      rspec-expectations (~> 3.13)
+      rspec-mocks (~> 3.13)
+      rspec-support (~> 3.13)
     rspec-retry (0.6.2)
       rspec-core (> 3.3)
     rspec-support (3.13.1)
@@ -656,6 +651,7 @@ GEM
       jwt (~> 2.0)
     scrypt (3.0.7)
       ffi-compiler (>= 1.0, < 2.0)
+    securerandom (0.3.1)
     selenium-webdriver (4.22.0)
       base64 (~> 0.2)
       logger (~> 1.4)
@@ -706,6 +702,7 @@ GEM
     unicode-display_width (2.5.0)
     uniform_notifier (1.16.0)
     uri (0.13.0)
+    useragent (0.16.10)
     view_component (3.9.0)
       activesupport (>= 5.2.0, < 8.0)
       concurrent-ruby (~> 1.0)
@@ -837,7 +834,7 @@ DEPENDENCIES
   rack-test (>= 1.1.0)
   rack-timeout
   rack_session_access (>= 0.2.0)
-  rails (~> 7.1.4)
+  rails (~> 7.2.1)
   rails-controller-testing (>= 1.0.4)
   redacted_struct
   redis (>= 3.2.0)
@@ -847,7 +844,7 @@ DEPENDENCIES
   rotp (~> 6.3, >= 6.3.0)
   rqrcode
   rspec (~> 3.13.0)
-  rspec-rails (~> 6.0)
+  rspec-rails (~> 7.0)
   rspec-retry
   rspec_junit_formatter
   rubocop (~> 1.62.0)

app/controllers/application_controller.rb

@@ -230,6 +230,7 @@ def after_sign_in_path_for(_user)
     return authentication_methods_setup_url if user_needs_sp_auth_method_setup?
     return fix_broken_personal_key_url if current_user.broken_personal_key?
     return user_session.delete(:stored_location) if user_session.key?(:stored_location)
+    return setup_piv_cac_url if user_session[:add_piv_cac_after_2fa]
     return login_add_piv_cac_prompt_url if session[:needs_to_setup_piv_cac_after_sign_in].present?
     return reactivate_account_url if user_needs_to_reactivate_account?
     return login_piv_cac_recommended_path if user_recommended_for_piv_cac?

app/controllers/concerns/two_factor_authenticatable_methods.rb

@@ -12,16 +12,19 @@ def auth_methods_session
   end
 
   def handle_verification_for_authentication_context(result:, auth_method:, extra_analytics: nil)
+    increment_mfa_selection_attempt_count(auth_method)
     analytics.multi_factor_auth(
       **result.to_h,
       multi_factor_auth_method: auth_method,
       enabled_mfa_methods_count: mfa_context.enabled_mfa_methods_count,
       new_device: new_device?,
       **extra_analytics.to_h,
+      attempts: mfa_attempts_count,
     )
 
     if result.success?
       handle_valid_verification_for_authentication_context(auth_method:)
+      user_session.delete(:mfa_attempts)
     else
       handle_invalid_verification_for_authentication_context
     end
@@ -113,6 +116,20 @@ def handle_remember_device_preference(remember_device_preference)
     save_remember_device_preference(remember_device_preference)
   end
 
+  def increment_mfa_selection_attempt_count(auth_method)
+    user_session[:mfa_attempts] ||= {}
+    user_session[:mfa_attempts][:attempts] ||= 0
+    if user_session[:mfa_attempts][:auth_method] != auth_method
+      user_session[:mfa_attempts][:attempts] = 0
+    end
+    user_session[:mfa_attempts][:attempts] += 1
+    user_session[:mfa_attempts][:auth_method] = auth_method
+  end
+
+  def mfa_attempts_count
+    user_session.dig(:mfa_attempts, :attempts)
+  end
+
   # Method will be renamed in the next refactor.
   # You can pass in any "type" with a corresponding I18n key in
   # two_factor_authentication.invalid_#{type}
@@ -137,8 +154,6 @@ def invalid_otp_error(type)
       t('two_factor_authentication.invalid_otp')
     when 'personal_key'
       t('two_factor_authentication.invalid_personal_key')
-    when 'piv_cac'
-      t('two_factor_authentication.invalid_piv_cac')
     else
       raise "Unsupported otp method: #{type}"
     end

app/controllers/idv/in_person/address_controller.rb

@@ -109,11 +109,7 @@ def redirect_to_next_page
 
       def confirm_in_person_state_id_step_complete
         return if pii_from_user&.has_key?(:identity_doc_address1)
-        if IdentityConfig.store.in_person_state_id_controller_enabled
-          redirect_to idv_in_person_proofing_state_id_url
-        else
-          redirect_to idv_in_person_step_url(step: :state_id)
-        end
+        redirect_to idv_in_person_proofing_state_id_url
       end
 
       def confirm_in_person_address_step_needed

app/controllers/idv/in_person/public/usps_locations_controller.rb

@@ -4,10 +4,6 @@ module Idv
   module InPerson
     module Public
       class UspsLocationsController < ApplicationController
-        include RenderConditionConcern
-
-        check_or_render_not_found -> { enabled? }
-
         skip_forgery_protection
 
         def index
@@ -38,10 +34,6 @@ def localized_locations(locations)
           end
         end
 
-        def enabled?
-          IdentityConfig.store.in_person_public_address_search_enabled
-        end
-
         def search_params
           params.require(:address).permit(
             :street_address,

app/controllers/idv/in_person_controller.rb

@@ -20,7 +20,7 @@ class InPersonController < ApplicationController
 
     FLOW_STATE_MACHINE_SETTINGS = {
       step_url: :idv_in_person_step_url,
-      final_url: :idv_in_person_address_url,
+      final_url: :idv_in_person_proofing_state_id_url,
       flow: Idv::Flows::InPersonFlow,
       analytics_id: 'In Person Proofing',
     }.freeze

app/controllers/two_factor_authentication/options_controller.rb

@@ -54,6 +54,7 @@ def two_factor_options_presenter
         service_provider: current_sp,
         phishing_resistant_required: service_provider_mfa_policy.phishing_resistant_required?,
         piv_cac_required: service_provider_mfa_policy.piv_cac_required?,
+        add_piv_cac_after_2fa: user_session[:add_piv_cac_after_2fa].present?,
       )
     end