Deploy RC 431 to Production

.gitlab-ci.yml

@@ -93,18 +93,16 @@ install:
 
 # Build a container image async, and don't block CI tests
 # Cache intermediate images for 1 week (168 hours)
-build-review-image:
+build-idp-image:
   stage: review
   needs: []
-  environment:
-    name: review/$CI_COMMIT_REF_NAME
   interruptible: true
   variables:
     BRANCH_TAGGING_STRING: ''
   rules:
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
       variables:
-        BRANCH_TAGGING_STRING: '--destination ${ECR_REGISTRY}/identity-idp/review:main'
+        BRANCH_TAGGING_STRING: '--destination ${ECR_REGISTRY}/identity-idp/idp:main'
     - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
     - if: $CI_PIPELINE_SOURCE != "merge_request_event"
       when: never
@@ -129,21 +127,25 @@ build-review-image:
     - >-
       /kaniko/executor
       --context "${CI_PROJECT_DIR}"
-      --dockerfile "${CI_PROJECT_DIR}/dockerfiles/idp_review_app.Dockerfile"
-      --destination "${ECR_REGISTRY}/identity-idp/review:${CI_COMMIT_SHA}"
+      --dockerfile "${CI_PROJECT_DIR}/dockerfiles/idp_deploy.Dockerfile"
+      --destination "${ECR_REGISTRY}/identity-idp/idp:${CI_COMMIT_SHA}"
       ${BRANCH_TAGGING_STRING}
-      --cache-repo="${ECR_REGISTRY}/identity-idp/review/cache"
+      --cache-repo="${ECR_REGISTRY}/identity-idp/idp/cache"
       --cache-ttl=168h
       --cache=true
+      --snapshot-mode=redo
       --compressed-caching=false
       --build-arg "http_proxy=${http_proxy}"
       --build-arg "https_proxy=${https_proxy}"
       --build-arg "no_proxy=${no_proxy}"
       --build-arg "ARG_CI_ENVIRONMENT_SLUG=${CI_ENVIRONMENT_SLUG}"
       --build-arg "ARG_CI_COMMIT_BRANCH=${CI_COMMIT_BRANCH}"
       --build-arg "ARG_CI_COMMIT_SHA=${CI_COMMIT_SHA}"
+      --build-arg "LARGE_FILES_TOKEN=${LARGE_FILES_TOKEN}"
+      --build-arg "LARGE_FILES_USER=${LARGE_FILES_USER}"
+      --build-arg "SERVICE_PROVIDERS_KEY=${SERVICE_PROVIDERS_KEY}"
 
-build-idp-image:
+build-nginx-image:
   stage: review
   needs: []
   interruptible: true
@@ -152,7 +154,7 @@ build-idp-image:
   rules:
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
       variables:
-        BRANCH_TAGGING_STRING: '--destination ${ECR_REGISTRY}/identity-idp/idp:main'
+        BRANCH_TAGGING_STRING: '--destination ${ECR_REGISTRY}/identity-idp/nginx:main'
     - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
     - if: $CI_PIPELINE_SOURCE != "merge_request_event"
       when: never
@@ -177,8 +179,8 @@ build-idp-image:
     - >-
       /kaniko/executor
       --context "${CI_PROJECT_DIR}"
-      --dockerfile "${CI_PROJECT_DIR}/dockerfiles/idp_deploy.Dockerfile"
-      --destination "${ECR_REGISTRY}/identity-idp/idp:${CI_COMMIT_SHA}"
+      --dockerfile "${CI_PROJECT_DIR}/dockerfiles/nginx.Dockerfile"
+      --destination "${ECR_REGISTRY}/identity-idp/nginx:${CI_COMMIT_SHA}"
       ${BRANCH_TAGGING_STRING}
       --cache-repo="${ECR_REGISTRY}/identity-idp/idp/cache"
       --cache-ttl=168h
@@ -195,7 +197,6 @@ build-idp-image:
       --build-arg "LARGE_FILES_USER=${LARGE_FILES_USER}"
       --build-arg "SERVICE_PROVIDERS_KEY=${SERVICE_PROVIDERS_KEY}"
 
-
 check_changelog:
   stage: test
   variables:
@@ -672,19 +673,6 @@ secret_detection:
 
 # Export the automated ECR scan results into a format Gitlab can use
 # Report schema https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/container-scanning-report-format.json
-ecr-scan-review-app:
-  extends: .container_scan_template
-  rules:
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-    - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
-    - if: $CI_PIPELINE_SOURCE != "merge_request_event"
-      when: never
-  needs:
-    - job: build-review-image
-  stage: scan
-  variables:
-    ecr_repo: identity-idp/review
-
 ecr-scan-ci:
   extends: .container_scan_template
   rules:

.rubocop.yml

@@ -7,6 +7,7 @@ require:
   - rubocop-rails
   - rubocop-rspec
   - rubocop-performance
+  - ./lib/linters/i18n_helper_html_linter.rb
   - ./lib/linters/analytics_event_name_linter.rb
   - ./lib/linters/localized_validation_message_linter.rb
   - ./lib/linters/image_size_linter.rb
@@ -45,6 +46,13 @@ Bundler/InsecureProtocolSource:
 Gemspec/DuplicatedAssignment:
   Enabled: true
 
+IdentityIdp/I18nHelperHtmlLinter:
+  Enabled: true
+  Include:
+    - app/views/**/*.erb
+    - app/components/**/*.erb
+    - app/controllers/**/*.rb
+
 IdentityIdp/AnalyticsEventNameLinter:
   Enabled: true
   Include:

Gemfile

@@ -36,7 +36,7 @@ gem 'fugit'
 gem 'foundation_emails'
 gem 'good_job', '~> 4.0'
 gem 'http_accept_language'
-gem 'identity-hostdata', github: '18F/identity-hostdata', tag: 'v4.0.0'
+gem 'identity-hostdata', github: '18F/identity-hostdata', tag: 'v4.4.1'
 gem 'identity-logging', github: '18F/identity-logging', tag: 'v0.1.1'
 gem 'identity_validations', github: '18F/identity-validations', tag: 'v0.7.2'
 gem 'jsbundling-rails', '~> 1.1.2'
@@ -66,7 +66,7 @@ gem 'rack-headers_filter'
 gem 'rack-timeout', require: false
 gem 'redacted_struct'
 gem 'redis', '>= 3.2.0'
-gem 'redis-session-store', github: '18F/redis-session-store', tag: 'v1.0.1-18f'
+gem 'redis-session-store', github: '18F/redis-session-store', tag: 'v1.0.2-18f'
 gem 'retries'
 gem 'rexml', '~> 3.3'
 gem 'rotp', '~> 6.3', '>= 6.3.0'

Gemfile.lock

@@ -1,11 +1,12 @@
 GIT
   remote: https://github.com/18F/identity-hostdata.git
-  revision: 9574e05398833c531f450c3da99a6afde4ce68fc
-  tag: v4.0.0
+  revision: 67a19c577b8fa9305350cf9cefa572cef4a80310
+  tag: v4.4.1
   specs:
-    identity-hostdata (4.0.0)
-      activesupport (>= 6.1, < 8)
+    identity-hostdata (4.4.1)
+      activesupport (>= 6.1, < 9)
       aws-sdk-s3 (~> 1.8)
+      aws-sdk-secretsmanager (>= 1.91)
       redacted_struct (>= 2.0)
 
 GIT
@@ -26,11 +27,11 @@ GIT
 
 GIT
   remote: https://github.com/18F/redis-session-store.git
-  revision: 9e3f8a22a1b5d1e835e5cba20c51e38b8965b836
-  tag: v1.0.1-18f
+  revision: 905c146bbc1c09ce411edd036eac266c53f5b153
+  tag: v1.0.2-18f
   specs:
-    redis-session-store (1.0.1.pre.18f)
-      actionpack (>= 6, < 8)
+    redis-session-store (1.0.2.pre.18f)
+      actionpack (>= 6, < 9)
       redis (>= 4.3, < 6)
 
 GIT
@@ -182,6 +183,9 @@ GEM
       aws-sdk-core (~> 3, >= 3.179.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.6)
+    aws-sdk-secretsmanager (1.102.0)
+      aws-sdk-core (~> 3, >= 3.201.0)
+      aws-sigv4 (~> 1.5)
     aws-sdk-ses (1.44.0)
       aws-sdk-core (~> 3, >= 3.122.0)
       aws-sigv4 (~> 1.1)

Makefile

@@ -120,9 +120,11 @@ lint_yaml: normalize_yaml ## Lints YAML files
 lint_font_glyphs: ## Lints to validate content glyphs match expectations from fonts
 	scripts/yaml_characters \
 		--exclude-locale=zh \
+		--exclude-path=config/locales/telephony \
 		--exclude-gem-path=faker \
 		--exclude-gem-path=good_job \
 		--exclude-gem-path=i18n-tasks \
+		--exclude-key-scope=user_mailer \
 		> app/assets/fonts/glyphs.txt
 	(! git diff --name-only | grep "glyphs\.txt$$") || (echo "Error: New character data found. Follow 'Fonts' instructions in 'docs/frontend.md' to regenerate fonts."; exit 1)
 

Procfile

@@ -1,4 +1,4 @@
 web: WEBPACK_PORT=${WEBPACK_PORT:-3035} bundle exec rackup config.ru --port ${PORT:-3000} --host ${FOREMAN_HOST:-${HOST:-localhost}}
 worker: bundle exec good_job start
-js: WEBPACK_PORT=${WEBPACK_PORT:-3035} yarn webpack $([ -n "$HTTPS" ] && echo "--watch" || echo "serve")
+js: WEBPACK_PORT=${WEBPACK_PORT:-3035} yarn webpack --watch
 css: yarn build:css --watch

app/assets/stylesheets/components/_btn.scss

@@ -8,7 +8,7 @@
 }
 
 .usa-button:disabled.usa-button--active,
-[aria-disabled='true'].usa-button--active {
+.usa-button[aria-disabled='true'].usa-button--active {
   &:not(
       .usa-button--unstyled,
       .usa-button--secondary,

app/controllers/concerns/idv/verify_info_concern.rb

@@ -79,12 +79,27 @@ def ssn_rate_limiter
 
     def idv_failure(result)
       proofing_results_exception = result.extra.dig(:proofing_results, :exception)
+      has_exception = proofing_results_exception.present?
       is_mva_exception = result.extra.dig(
         :proofing_results,
         :context,
         :stages,
         :state_id,
         :mva_exception,
+      ).present?
+      is_threatmetrix_exception = result.extra.dig(
+        :proofing_results,
+        :context,
+        :stages,
+        :threatmetrix,
+        :exception,
+      ).present?
+      resolution_failed = !result.extra.dig(
+        :proofing_results,
+        :context,
+        :stages,
+        :resolution,
+        :success,
       )
 
       if ssn_rate_limiter.limited?
@@ -93,10 +108,14 @@ def idv_failure(result)
       elsif resolution_rate_limiter.limited?
         idv_failure_log_rate_limited(:idv_resolution)
         redirect_to rate_limited_url
-      elsif proofing_results_exception.present? && is_mva_exception
+      elsif has_exception && is_mva_exception
         idv_failure_log_warning
         redirect_to state_id_warning_url
-      elsif proofing_results_exception.present?
+      elsif (has_exception && is_threatmetrix_exception) ||
+            (!has_exception && resolution_failed)
+        idv_failure_log_warning
+        redirect_to warning_url
+      elsif has_exception
         idv_failure_log_error
         redirect_to exception_url
       else

app/controllers/idv/hybrid_handoff_controller.rb

@@ -5,15 +5,15 @@ class HybridHandoffController < ApplicationController
     include Idv::AvailabilityConcern
     include ActionView::Helpers::DateHelper
     include IdvStepConcern
+    include DocAuthVendorConcern
     include StepIndicatorConcern
 
     before_action :confirm_not_rate_limited
     before_action :confirm_step_allowed
     before_action :confirm_hybrid_handoff_needed, only: :show
 
     def show
-      @upload_disabled = idv_session.selfie_check_required &&
-                         !idv_session.desktop_selfie_test_mode_enabled?
+      @upload_disabled = upload_disabled?
 
       @direct_ipp_with_selfie_enabled = IdentityConfig.store.in_person_doc_auth_button_enabled &&
                                         Idv::InPersonConfig.enabled_for_issuer?(
@@ -74,6 +74,8 @@ def self.step_info
       )
     end
 
+    private
+
     def handle_phone_submission
       return rate_limited_failure if rate_limiter.limited?
       rate_limiter.increment!
@@ -120,6 +122,11 @@ def sp_or_app_name
       current_sp&.friendly_name.presence || APP_NAME
     end
 
+    def upload_disabled?
+      (doc_auth_vendor == Idp::Constants::Vendors::SOCURE || idv_session.selfie_check_required) &&
+        !idv_session.desktop_selfie_test_mode_enabled?
+    end
+
     def build_telephony_form_response(telephony_result)
       FormResponse.new(
         success: telephony_result.success?,

app/controllers/idv/hybrid_mobile/socure/document_capture_controller.rb

@@ -19,7 +19,6 @@ def show
 
           # document request
           document_request = DocAuth::Socure::Requests::DocumentRequest.new(
-            document_capture_session_uuid: document_capture_session_uuid,
             redirect_url: idv_hybrid_mobile_socure_document_capture_url,
             language: I18n.locale,
           )

app/controllers/idv/in_person/public/usps_locations_controller.rb

@@ -3,15 +3,34 @@
 module Idv
   module InPerson
     module Public
+      class UspsLocationsError < StandardError
+        def initialize
+          super('Unsupported characters in address field.')
+        end
+      end
+
       class UspsLocationsController < ApplicationController
         skip_forgery_protection
 
+        include IppHelper
+
+        rescue_from Faraday::Error,
+                    StandardError,
+                    UspsLocationsError,
+                    Faraday::BadRequestError,
+                    with: :handle_error
+
         def index
           candidate = UspsInPersonProofing::Applicant.new(
             address: search_params['street_address'],
             city: search_params['city'], state: search_params['state'],
             zip_code: search_params['zip_code']
           )
+
+          unless candidate.has_valid_address?
+            raise UspsLocationsError
+          end
+
           locations = proofer.request_facilities(candidate, false)
 
           render json: localized_locations(locations).to_json
@@ -34,6 +53,27 @@ def localized_locations(locations)
           end
         end
 
+        def handle_error(err)
+          remapped_error = case err
+                           when ActionController::InvalidAuthenticityToken,
+                                Faraday::Error,
+                                UspsLocationsError
+                             :unprocessable_entity
+                           else
+                             :internal_server_error
+                           end
+
+          analytics.idv_in_person_locations_request_failure(
+            api_status_code: Rack::Utils.status_code(remapped_error),
+            exception_class: err.class,
+            exception_message: scrub_message(err.message),
+            response_body_present: err.respond_to?(:response_body) && err.response_body.present?,
+            response_body: err.respond_to?(:response_body) && scrub_body(err.response_body),
+            response_status_code: err.respond_to?(:response_status) && err.response_status,
+          )
+          render json: {}, status: remapped_error
+        end
+
         def search_params
           params.require(:address).permit(
             :street_address,

app/controllers/idv/socure/document_capture_controller.rb

@@ -27,7 +27,6 @@ def show
 
         # document request
         document_request = DocAuth::Socure::Requests::DocumentRequest.new(
-          document_capture_session_uuid: document_capture_session_uuid,
           redirect_url: idv_socure_document_capture_update_url,
           language: I18n.locale,
         )