Deploy RC 430 to Prod

Makefile

@@ -66,11 +66,13 @@ lint: ## Runs all lint tests
 	@echo "--- erb-lint ---"
 	make lint_erb
 	@echo "--- rubocop ---"
+	mkdir -p tmp
 ifdef JUNIT_OUTPUT
-	bundle exec rubocop --parallel --format progress --format junit --out rubocop.xml --display-only-failed
+	bundle exec rubocop --parallel --format progress --format junit --out rubocop.xml --display-only-failed --color 2> tmp/rubocop.txt
 else
-	bundle exec rubocop --parallel
+	bundle exec rubocop --parallel --color 2> tmp/rubocop.txt
 endif
+	awk 'NF {exit 1}' tmp/rubocop.txt || (printf "Error: Unexpected stderr output from Rubocop\n"; cat tmp/rubocop.txt; exit 1)
 	@echo "--- analytics_events ---"
 	make lint_analytics_events
 	make lint_analytics_events_sorted

app/assets/stylesheets/email.css.scss

@@ -25,10 +25,6 @@
   margin-bottom: 30px;
 }
 
-.mr-tiny {
-  margin-right: 4px;
-}
-
 .s10 {
   font-size: 10px;
   line-height: 10px;
@@ -75,48 +71,6 @@ h6 {
   width: 50%;
 }
 
-.footer {
-  background: $secondary-color;
-
-  a {
-    color: $white;
-    text-decoration: underline;
-  }
-
-  p {
-    color: $white;
-    padding-top: 0;
-  }
-
-  .columns {
-    padding-bottom: 0;
-  }
-
-  .wrapper-inner {
-    padding: 25px 0;
-  }
-
-  .container {
-    background: transparent;
-  }
-}
-
-.legal {
-  background: $body-background;
-
-  a {
-    color: $dark-gray;
-  }
-
-  .container {
-    background: $body-background;
-  }
-
-  .wrapper-inner {
-    padding: 15px 0;
-  }
-}
-
 .usa-alert {
   border-left: units($theme-alert-bar-width) solid;
 

app/controllers/account_reset/cancel_controller.rb

@@ -6,7 +6,7 @@ def show
       return render :show unless token
 
       result = AccountReset::ValidateCancelToken.new(token).call
-      analytics.account_reset_cancel_token_validation(**result.to_h)
+      analytics.account_reset_cancel_token_validation(**result)
 
       if result.success?
         handle_valid_token
@@ -18,7 +18,7 @@ def show
     def create
       result = AccountReset::Cancel.new(session[:cancel_token]).call
 
-      analytics.account_reset_cancel(**result.to_h)
+      analytics.account_reset_cancel(**result)
 
       if result.success?
         handle_success

app/controllers/account_reset/delete_account_controller.rb

@@ -6,7 +6,7 @@ def show
       render :show and return unless token
 
       result = AccountReset::ValidateGrantedToken.new(token, request, analytics).call
-      analytics.account_reset_granted_token_validation(**result.to_h)
+      analytics.account_reset_granted_token_validation(**result)
 
       if result.success?
         handle_valid_token

app/controllers/account_reset/request_controller.rb

@@ -23,7 +23,7 @@ def create
 
     def create_account_reset_request
       response = AccountReset::CreateRequest.new(current_user, sp_session[:issuer]).call
-      analytics.account_reset_request(**response.to_h, **analytics_attributes)
+      analytics.account_reset_request(**response, **analytics_attributes)
     end
 
     def confirm_two_factor_enabled

app/controllers/accounts/connected_accounts/selected_email_controller.rb

@@ -20,7 +20,7 @@ def update
 
         result = @select_email_form.submit(form_params)
 
-        analytics.sp_select_email_submitted(**result.to_h)
+        analytics.sp_select_email_submitted(**result)
 
         if result.success?
           flash[:email_updated_identity_id] = identity.id

app/controllers/accounts/personal_keys_controller.rb

@@ -19,7 +19,7 @@ def create
       analytics.profile_personal_key_create
       create_user_event(:new_personal_key)
       result = send_new_personal_key_notifications
-      analytics.profile_personal_key_create_notifications(**result.to_h)
+      analytics.profile_personal_key_create_notifications(**result)
 
       flash[:info] = t('account.personal_key.old_key_will_not_work')
       redirect_to manage_personal_key_url

app/controllers/api/internal/two_factor_authentication/auth_app_controller.rb

@@ -19,7 +19,7 @@ def update
             configuration_id: params[:id],
           ).submit(name: params[:name])
 
-          analytics.auth_app_update_name_submitted(**result.to_h)
+          analytics.auth_app_update_name_submitted(**result)
 
           if result.success?
             render json: { success: true }
@@ -34,7 +34,7 @@ def destroy
             configuration_id: params[:id],
           ).submit
 
-          analytics.auth_app_delete_submitted(**result.to_h)
+          analytics.auth_app_delete_submitted(**result)
 
           if result.success?
             create_user_event(:authenticator_disabled)

app/controllers/api/internal/two_factor_authentication/piv_cac_controller.rb

@@ -20,7 +20,7 @@ def update
             configuration_id: params[:id],
           ).submit(name: params[:name])
 
-          analytics.piv_cac_update_name_submitted(**result.to_h)
+          analytics.piv_cac_update_name_submitted(**result)
 
           if result.success?
             render json: { success: true }
@@ -35,7 +35,7 @@ def destroy
             configuration_id: params[:id],
           ).submit
 
-          analytics.piv_cac_delete_submitted(**result.to_h)
+          analytics.piv_cac_delete_submitted(**result)
 
           if result.success?
             create_user_event(:piv_cac_disabled)

app/controllers/api/internal/two_factor_authentication/webauthn_controller.rb

@@ -19,7 +19,7 @@ def update
             configuration_id: params[:id],
           ).submit(name: params[:name])
 
-          analytics.webauthn_update_name_submitted(**result.to_h)
+          analytics.webauthn_update_name_submitted(**result)
 
           if result.success?
             render json: { success: true }
@@ -34,7 +34,7 @@ def destroy
             configuration_id: params[:id],
           ).submit
 
-          analytics.webauthn_delete_submitted(**result.to_h)
+          analytics.webauthn_delete_submitted(**result)
 
           if result.success?
             create_user_event(:webauthn_key_removed)

app/controllers/concerns/idv/document_capture_concern.rb

@@ -6,6 +6,18 @@ module DocumentCaptureConcern
 
     include DocAuthVendorConcern
 
+    def handle_stored_result(user: current_user, store_in_session: true)
+      if stored_result&.success? && selfie_requirement_met?
+        save_proofing_components(user)
+        extract_pii_from_doc(user, store_in_session: store_in_session)
+        flash[:success] = t('doc_auth.headings.capture_complete')
+        successful_response
+      else
+        extra = { stored_result_present: stored_result.present? }
+        failure(I18n.t('doc_auth.errors.general.network_error'), extra)
+      end
+    end
+
     def save_proofing_components(user)
       return unless user
 
@@ -50,6 +62,24 @@ def selfie_requirement_met?
         stored_result.selfie_check_performed?
     end
 
+    def redirect_to_correct_vendor(vendor, in_hybrid_mobile)
+      expected_doc_auth_vendor = doc_auth_vendor
+      return if vendor == expected_doc_auth_vendor
+      return if vendor == Idp::Constants::Vendors::LEXIS_NEXIS &&
+                expected_doc_auth_vendor == Idp::Constants::Vendors::MOCK
+
+      correct_path = case expected_doc_auth_vendor
+        when Idp::Constants::Vendors::SOCURE
+          in_hybrid_mobile ? idv_hybrid_mobile_socure_document_capture_path
+                           : idv_socure_document_capture_path
+        when Idp::Constants::Vendors::LEXIS_NEXIS, Idp::Constants::Vendors::MOCK
+          in_hybrid_mobile ? idv_hybrid_mobile_document_capture_path
+                           : idv_document_capture_path
+        end
+
+      redirect_to correct_path
+    end
+
     private
 
     def track_document_issuing_state(user, state)
@@ -59,5 +89,10 @@ def track_document_issuing_state(user, state)
       doc_auth_log.state = state
       doc_auth_log.save!
     end
+
+    def cancel_establishing_in_person_enrollments(user: current_user)
+      UspsInPersonProofing::EnrollmentHelper.
+        cancel_stale_establishing_enrollments_for_user(user)
+    end
   end
 end

app/controllers/concerns/idv/verify_info_concern.rb

@@ -219,7 +219,7 @@ def async_state_done(current_async_state)
         flash[:success] = t('doc_auth.forms.doc_success')
         redirect_to next_step_url
       end
-      analytics.idv_doc_auth_verify_proofing_results(**analytics_arguments, **form_response.to_h)
+      analytics.idv_doc_auth_verify_proofing_results(**analytics_arguments, **form_response)
     end
 
     def next_step_url

app/controllers/concerns/mfa_setup_concern.rb

@@ -91,6 +91,15 @@ def check_if_possible_piv_user
     end
   end
 
+  def threatmetrix_attrs
+    {
+      user_id: current_user.id,
+      request_ip: request&.remote_ip,
+      threatmetrix_session_id: session[:threatmetrix_session_id],
+      email: EmailContext.new(current_user).last_sign_in_email_address.email,
+    }
+  end
+
   private
 
   def track_user_registration_mfa_setup_complete_event

app/controllers/concerns/two_factor_authenticatable_methods.rb

@@ -14,7 +14,7 @@ def auth_methods_session
   def handle_verification_for_authentication_context(result:, auth_method:, extra_analytics: nil)
     increment_mfa_selection_attempt_count(auth_method)
     analytics.multi_factor_auth(
-      **result.to_h,
+      **result,
       multi_factor_auth_method: auth_method,
       enabled_mfa_methods_count: mfa_context.enabled_mfa_methods_count,
       new_device: new_device?,

app/controllers/concerns/unconfirmed_user_concern.rb

@@ -30,12 +30,14 @@ def track_user_already_confirmed_event
   end
 
   def stop_if_invalid_token
-    result = email_confirmation_token_validator.submit
-    analytics.user_registration_email_confirmation(**result.to_h)
-    return if result.success?
+    return if email_confirmation_token_validator_result.success?
     process_unsuccessful_confirmation
   end
 
+  def email_confirmation_token_validator_result
+    @email_confirmation_token_validator_result ||= email_confirmation_token_validator.submit
+  end
+
   def email_confirmation_token_validator
     @email_confirmation_token_validator ||= begin
       EmailConfirmationTokenValidator.new(@email_address, current_user)
@@ -44,10 +46,6 @@ def email_confirmation_token_validator
 
   def process_valid_confirmation_token
     @confirmation_token = params[:confirmation_token]
-    @forbidden_passwords = @user.email_addresses.flat_map do |email_address|
-      ForbiddenPasswords.new(email_address.email).call
-    end
-    flash.now[:success] = t('devise.confirmations.confirmed_but_must_set_password')
     session[:user_confirmation_token] = @confirmation_token
   end
 

app/controllers/event_disavowal_controller.rb

@@ -10,13 +10,13 @@ def new
       success: true,
       extra: EventDisavowal::BuildDisavowedEventAnalyticsAttributes.call(disavowed_event),
     )
-    analytics.event_disavowal(**result.to_h)
+    analytics.event_disavowal(**result)
     @forbidden_passwords = forbidden_passwords
   end
 
   def create
     result = password_reset_from_disavowal_form.submit(password_reset_params)
-    analytics.event_disavowal_password_reset(**result.to_h)
+    analytics.event_disavowal_password_reset(**result)
     if result.success?
       handle_successful_password_reset
     else
@@ -50,7 +50,7 @@ def validate_disavowed_event
       return
     end
 
-    analytics.event_disavowal_token_invalid(**result.to_h)
+    analytics.event_disavowal_token_invalid(**result)
     flash[:error] = (result.errors[:event] || result.errors.first.last).first
     redirect_to root_url
   end

app/controllers/idv/by_mail/enter_code_controller.rb

@@ -53,7 +53,7 @@ def create
         @gpo_verify_form = build_gpo_verify_form
 
         result = @gpo_verify_form.submit(resolved_authn_context_result.enhanced_ipp?)
-        analytics.idv_verify_by_mail_enter_code_submitted(**result.to_h)
+        analytics.idv_verify_by_mail_enter_code_submitted(**result)
 
         if !result.success?
           if rate_limiter.limited?

app/controllers/idv/document_capture_controller.rb

@@ -12,19 +12,15 @@ class DocumentCaptureController < ApplicationController
     before_action :confirm_step_allowed, unless: -> { allow_direct_ipp? }
     before_action :override_csp_to_allow_acuant
     before_action :set_usps_form_presenter
+    before_action -> { redirect_to_correct_vendor(Idp::Constants::Vendors::LEXIS_NEXIS, false) }
 
     def show
       analytics.idv_doc_auth_document_capture_visited(**analytics_arguments)
 
       Funnel::DocAuth::RegisterStep.new(current_user.id, sp_session[:issuer]).
         call('document_capture', :view, true)
 
-      case doc_auth_vendor
-      when Idp::Constants::Vendors::SOCURE
-        redirect_to idv_socure_document_capture_url
-      when Idp::Constants::Vendors::LEXIS_NEXIS, Idp::Constants::Vendors::MOCK
-        render :show, locals: extra_view_variables
-      end
+      render :show, locals: extra_view_variables
     end
 
     def update
@@ -93,11 +89,6 @@ def self.step_info
 
     private
 
-    def cancel_establishing_in_person_enrollments
-      UspsInPersonProofing::EnrollmentHelper.
-        cancel_stale_establishing_enrollments_for_user(current_user)
-    end
-
     def analytics_arguments
       {
         flow_path: flow_path,
@@ -110,18 +101,6 @@ def analytics_arguments
       }.merge(ab_test_analytics_buckets)
     end
 
-    def handle_stored_result
-      if stored_result&.success? && selfie_requirement_met?
-        save_proofing_components(current_user)
-        extract_pii_from_doc(current_user, store_in_session: true)
-        flash[:success] = t('doc_auth.headings.capture_complete')
-        successful_response
-      else
-        extra = { stored_result_present: stored_result.present? }
-        failure(I18n.t('doc_auth.errors.general.network_error'), extra)
-      end
-    end
-
     def allow_direct_ipp?
       return false unless idv_session.welcome_visited &&
                           idv_session.idv_consent_given?