diff --git a/app/controllers/concerns/threat_metrix_concern.rb b/app/controllers/concerns/threat_metrix_concern.rb index 570b8c69fb3..401d56587c4 100644 --- a/app/controllers/concerns/threat_metrix_concern.rb +++ b/app/controllers/concerns/threat_metrix_concern.rb @@ -5,12 +5,6 @@ module ThreatMetrixConcern THREAT_METRIX_WILDCARD_DOMAIN = '*.online-metrix.net' def override_csp_for_threat_metrix - return unless FeatureManagement.proofing_device_profiling_collecting_enabled? - - threat_metrix_csp_overrides - end - - def threat_metrix_csp_overrides policy = current_content_security_policy # ThreatMetrix requires additional Content Security Policy (CSP) diff --git a/app/controllers/idv/in_person/ssn_controller.rb b/app/controllers/idv/in_person/ssn_controller.rb index d1ca08e83de..62f8c7f02e3 100644 --- a/app/controllers/idv/in_person/ssn_controller.rb +++ b/app/controllers/idv/in_person/ssn_controller.rb @@ -12,7 +12,8 @@ class SsnController < ApplicationController before_action :confirm_not_rate_limited_after_doc_auth before_action :confirm_in_person_address_step_complete before_action :confirm_repeat_ssn, only: :show - before_action :override_csp_for_threat_metrix + before_action :override_csp_for_threat_metrix, + if: -> { FeatureManagement.proofing_device_profiling_collecting_enabled? } attr_reader :ssn_presenter diff --git a/app/controllers/idv/ssn_controller.rb b/app/controllers/idv/ssn_controller.rb index eb20938b909..04c7dcb8e9c 100644 --- a/app/controllers/idv/ssn_controller.rb +++ b/app/controllers/idv/ssn_controller.rb @@ -10,7 +10,8 @@ class SsnController < ApplicationController before_action :confirm_not_rate_limited_after_doc_auth before_action :confirm_step_allowed - before_action :override_csp_for_threat_metrix + before_action :override_csp_for_threat_metrix, + if: -> { FeatureManagement.proofing_device_profiling_collecting_enabled? } attr_reader :ssn_presenter diff --git a/app/controllers/users/two_factor_authentication_setup_controller.rb b/app/controllers/users/two_factor_authentication_setup_controller.rb index e60a2057a67..5defc432652 100644 --- a/app/controllers/users/two_factor_authentication_setup_controller.rb +++ b/app/controllers/users/two_factor_authentication_setup_controller.rb @@ -12,7 +12,8 @@ class TwoFactorAuthenticationSetupController < ApplicationController before_action :authenticate_user before_action :confirm_user_authenticated_for_2fa_setup before_action :check_if_possible_piv_user - before_action :override_csp_for_threat_metrix + before_action :override_csp_for_threat_metrix, + if: -> { FeatureManagement.account_creation_device_profiling_collecting_enabled? } delegate :enabled_mfa_methods_count, to: :mfa_context diff --git a/spec/controllers/concerns/threat_metrix_concern_spec.rb b/spec/controllers/concerns/threat_metrix_concern_spec.rb index 9d540624520..2afe4f26f7a 100644 --- a/spec/controllers/concerns/threat_metrix_concern_spec.rb +++ b/spec/controllers/concerns/threat_metrix_concern_spec.rb @@ -12,60 +12,42 @@ def index; end end describe '#override_csp_for_threat_metrix' do - let(:ff_enabled) { true } + it 'modifies CSP headers' do + get :index - before do - allow(IdentityConfig.store).to receive(:proofing_device_profiling) - .and_return(ff_enabled ? :enabled : :disabled) - end - - context 'ff is set' do - it 'modifies CSP headers' do - get :index + csp = response.request.content_security_policy - csp = response.request.content_security_policy + aggregate_failures do + expect(csp.directives['script-src']).to include('h.online-metrix.net') + expect(csp.directives['script-src']).to include("'unsafe-eval'") - aggregate_failures do - expect(csp.directives['script-src']).to include('h.online-metrix.net') - expect(csp.directives['script-src']).to include("'unsafe-eval'") + expect(csp.directives['style-src']).to include("'unsafe-inline'") - expect(csp.directives['style-src']).to include("'unsafe-inline'") + expect(csp.directives['child-src']).to include('h.online-metrix.net') - expect(csp.directives['child-src']).to include('h.online-metrix.net') + expect(csp.directives['connect-src']).to include('h.online-metrix.net') - expect(csp.directives['connect-src']).to include('h.online-metrix.net') - - expect(csp.directives['img-src']).to include('*.online-metrix.net') - end + expect(csp.directives['img-src']).to include('*.online-metrix.net') end + end - context 'with content security policy directives for style-src' do - let(:csp_nonce_directives) { ['style-src'] } - - before do - request.content_security_policy_nonce_directives = csp_nonce_directives - end + context 'with content security policy directives for style-src' do + let(:csp_nonce_directives) { ['style-src'] } - it 'removes style-src nonce directive to allow all unsafe inline styles' do - get :index + before do + request.content_security_policy_nonce_directives = csp_nonce_directives + end - csp = parse_content_security_policy + it 'removes style-src nonce directive to allow all unsafe inline styles' do + get :index - expect(csp['style-src']).to_not include(/'nonce-.+'/) + csp = parse_content_security_policy - # Ensure that the default configuration is not mutated as a result of the request-specific - # revisions to the content security policy. - expect(csp_nonce_directives).to eq(['style-src']) - end - end - end + expect(csp['style-src']).to_not include(/'nonce-.+'/) - context 'ff is not set' do - let(:ff_enabled) { false } - it 'does not modify CSP headers' do - get :index - secure_header_config = response.request.headers.env['secure_headers_request_config'] - expect(secure_header_config).to be_nil + # Ensure that the default configuration is not mutated as a result of the request-specific + # revisions to the content security policy. + expect(csp_nonce_directives).to eq(['style-src']) end end end diff --git a/spec/controllers/idv/in_person/ssn_controller_spec.rb b/spec/controllers/idv/in_person/ssn_controller_spec.rb index d8ab3d9cd68..9e56e2e319c 100644 --- a/spec/controllers/idv/in_person/ssn_controller_spec.rb +++ b/spec/controllers/idv/in_person/ssn_controller_spec.rb @@ -13,9 +13,9 @@ before do stub_sign_in(user) - subject.user_session['idv/in_person'] = flow_session + controller.user_session['idv/in_person'] = flow_session stub_analytics - subject.idv_session.flow_path = 'standard' + controller.idv_session.flow_path = 'standard' end describe '#step_info' do @@ -36,6 +36,8 @@ end describe '#show' do + subject(:response) { get :show } + let(:analytics_name) { 'IdV: doc auth ssn visited' } let(:analytics_args) do { @@ -66,18 +68,18 @@ end it 'adds a threatmetrix session id to idv_session' do - expect { get :show }.to change { subject.idv_session.threatmetrix_session_id }.from(nil) + expect { get :show }.to change { controller.idv_session.threatmetrix_session_id }.from(nil) end it 'does not change threatmetrix_session_id when updating ssn' do - subject.idv_session.ssn = ssn - expect { get :show }.not_to change { subject.idv_session.threatmetrix_session_id } + controller.idv_session.ssn = ssn + expect { get :show }.not_to change { controller.idv_session.threatmetrix_session_id } end context 'with an ssn in idv_session' do let(:referer) { idv_in_person_address_url } before do - subject.idv_session.ssn = ssn + controller.idv_session.ssn = ssn request.env['HTTP_REFERER'] = referer end @@ -98,6 +100,32 @@ end end end + + context 'with ThreatMetrix profiling disabled' do + before do + allow(FeatureManagement).to receive(:proofing_device_profiling_collecting_enabled?) + .and_return(false) + end + + it 'does not override CSPs for ThreatMetrix' do + expect(controller).not_to receive(:override_csp_for_threat_metrix) + + response + end + end + + context 'with ThreatMetrix profiling enabled' do + before do + allow(FeatureManagement).to receive(:proofing_device_profiling_collecting_enabled?) + .and_return(true) + end + + it 'overrides CSPs for ThreatMetrix' do + expect(controller).to receive(:override_csp_for_threat_metrix) + + response + end + end end describe '#update' do diff --git a/spec/controllers/idv/ssn_controller_spec.rb b/spec/controllers/idv/ssn_controller_spec.rb index 4afbe54f828..b330a154d4d 100644 --- a/spec/controllers/idv/ssn_controller_spec.rb +++ b/spec/controllers/idv/ssn_controller_spec.rb @@ -9,7 +9,7 @@ before do stub_sign_in(user) - stub_up_to(:document_capture, idv_session: subject.idv_session) + stub_up_to(:document_capture, idv_session: controller.idv_session) stub_analytics end @@ -33,16 +33,11 @@ :check_for_mail_only_outage, ) end - - it 'overrides CSPs for ThreatMetrix' do - expect(subject).to have_actions( - :before, - :override_csp_for_threat_metrix, - ) - end end describe '#show' do + subject(:response) { get :show } + let(:analytics_name) { 'IdV: doc auth ssn visited' } let(:analytics_args) do { @@ -73,25 +68,25 @@ end it 'adds a threatmetrix session id to idv_session' do - expect { get :show }.to change { subject.idv_session.threatmetrix_session_id }.from(nil) + expect { get :show }.to change { controller.idv_session.threatmetrix_session_id }.from(nil) end context 'when updating ssn' do let(:threatmetrix_session_id) { 'original-session-id' } before do - subject.idv_session.ssn = ssn - subject.idv_session.threatmetrix_session_id = threatmetrix_session_id + controller.idv_session.ssn = ssn + controller.idv_session.threatmetrix_session_id = threatmetrix_session_id end it 'does not change threatmetrix_session_id' do - expect { get :show }.not_to change { subject.idv_session.threatmetrix_session_id } + expect { get :show }.not_to change { controller.idv_session.threatmetrix_session_id } end context 'but there is no threatmetrix_session_id in the session' do let(:threatmetrix_session_id) { nil } it 'sets a threatmetrix_session_id' do - expect { get :show }.to change { subject.idv_session.threatmetrix_session_id } + expect { get :show }.to change { controller.idv_session.threatmetrix_session_id } end end end @@ -102,22 +97,22 @@ end it 'still add a threatmetrix session id to idv_session' do - expect { get :show }.to change { subject.idv_session.threatmetrix_session_id }.from(nil) + expect { get :show }.to change { controller.idv_session.threatmetrix_session_id }.from(nil) end context 'when idv_session has a threatmetrix_session_id' do before do - subject.idv_session.threatmetrix_session_id = 'fake-session-id' + controller.idv_session.threatmetrix_session_id = 'fake-session-id' end it 'changes the threatmetrix_session_id' do - expect { get :show }.to change { subject.idv_session.threatmetrix_session_id } + expect { get :show }.to change { controller.idv_session.threatmetrix_session_id } end end end context 'with an ssn in idv_session' do before do - subject.idv_session.ssn = ssn + controller.idv_session.ssn = ssn end it 'does not redirect and allows the back button' do @@ -127,24 +122,29 @@ end end - it 'overrides Content Security Policies for ThreatMetrix' do - allow(IdentityConfig.store).to receive(:proofing_device_profiling) - .and_return(:enabled) - get :show - - csp = response.request.content_security_policy + context 'with ThreatMetrix profiling disabled' do + before do + allow(FeatureManagement).to receive(:proofing_device_profiling_collecting_enabled?) + .and_return(false) + end - aggregate_failures do - expect(csp.directives['script-src']).to include('h.online-metrix.net') - expect(csp.directives['script-src']).to include("'unsafe-eval'") + it 'does not override CSPs for ThreatMetrix' do + expect(controller).not_to receive(:override_csp_for_threat_metrix) - expect(csp.directives['style-src']).to include("'unsafe-inline'") + response + end + end - expect(csp.directives['child-src']).to include('h.online-metrix.net') + context 'with ThreatMetrix profiling enabled' do + before do + allow(FeatureManagement).to receive(:proofing_device_profiling_collecting_enabled?) + .and_return(true) + end - expect(csp.directives['connect-src']).to include('h.online-metrix.net') + it 'overrides CSPs for ThreatMetrix' do + expect(controller).to receive(:override_csp_for_threat_metrix) - expect(csp.directives['img-src']).to include('*.online-metrix.net') + response end end end diff --git a/spec/controllers/users/two_factor_authentication_setup_controller_spec.rb b/spec/controllers/users/two_factor_authentication_setup_controller_spec.rb index 3c378b69ec9..97810f3400d 100644 --- a/spec/controllers/users/two_factor_authentication_setup_controller_spec.rb +++ b/spec/controllers/users/two_factor_authentication_setup_controller_spec.rb @@ -27,6 +27,19 @@ expect(assigns(:presenter).desktop_ft_ab_test).to be false end + context 'with threatmetrix disabled' do + before do + allow(FeatureManagement).to receive(:proofing_device_profiling_collecting_enabled?) + .and_return(false) + end + + it 'does not override CSPs for ThreatMetrix' do + expect(controller).not_to receive(:override_csp_for_threat_metrix) + + response + end + end + context 'with threatmetrix enabled' do let(:tmx_session_id) { '1234' } @@ -52,6 +65,12 @@ expect(response).to render_template(:index) end + + it 'overrides CSPs for ThreatMetrix' do + expect(controller).to receive(:override_csp_for_threat_metrix) + + response + end end context 'with user having gov or mil email' do