Deploy RC 458 to Production

Gemfile.lock

@@ -706,7 +706,7 @@ GEM
       concurrent-ruby (~> 1.0)
     unicode-display_width (2.6.0)
     uniform_notifier (1.16.0)
-    uri (1.0.2)
+    uri (1.0.3)
     useragent (0.16.11)
     view_component (3.21.0)
       activesupport (>= 5.2.0, < 8.1)

app/controllers/concerns/two_factor_authenticatable_methods.rb

@@ -29,18 +29,24 @@ def handle_verification_for_authentication_context(result:, auth_method:, extra_
     if result.success?
       handle_valid_verification_for_authentication_context(auth_method:)
       user_session.delete(:mfa_attempts)
-      session.delete(:sign_in_recaptcha_assessment_id)
+      session.delete(:sign_in_recaptcha_assessment_id) if sign_in_recaptcha_annotation_enabled?
     else
       handle_invalid_verification_for_authentication_context
     end
   end
 
   def annotate_recaptcha(reason)
-    RecaptchaAnnotator.annotate(assessment_id: session[:sign_in_recaptcha_assessment_id], reason:)
+    if sign_in_recaptcha_annotation_enabled?
+      RecaptchaAnnotator.annotate(assessment_id: session[:sign_in_recaptcha_assessment_id], reason:)
+    end
   end
 
   private
 
+  def sign_in_recaptcha_annotation_enabled?
+    IdentityConfig.store.sign_in_recaptcha_annotation_enabled
+  end
+
   def handle_valid_verification_for_authentication_context(auth_method:)
     mark_user_session_authenticated(auth_method:, authentication_type: :valid_2fa)
     disavowal_event, disavowal_token = create_user_event_with_disavowal(:sign_in_after_2fa)

app/controllers/idv/welcome_controller.rb

@@ -7,6 +7,7 @@ class WelcomeController < ApplicationController
     include StepIndicatorConcern
 
     before_action :confirm_not_rate_limited
+    before_action :cancel_previous_in_person_enrollments, only: :show
 
     def show
       idv_session.proofing_started_at ||= Time.zone.now.iso8601
@@ -23,7 +24,6 @@ def update
       analytics.idv_doc_auth_welcome_submitted(**analytics_arguments)
 
       create_document_capture_session
-      cancel_previous_in_person_enrollments
 
       idv_session.welcome_visited = true
 
@@ -61,7 +61,6 @@ def create_document_capture_session
     end
 
     def cancel_previous_in_person_enrollments
-      return unless IdentityConfig.store.in_person_proofing_enabled
       UspsInPersonProofing::EnrollmentHelper.cancel_establishing_and_in_progress_enrollments(
         current_user,
       )

app/javascript/packages/document-capture/components/acuant-capture.tsx

@@ -136,6 +136,10 @@ interface AcuantCaptureProps {
    * Determine whether the selfie help text shoule be shown.
    */
   showSelfieHelp: () => void;
+  /**
+   * Whether user is on the failed submission review step
+   */
+  isReviewStep?: boolean;
 }
 
 /**
@@ -313,6 +317,7 @@ function AcuantCapture(
     errorMessage,
     name,
     showSelfieHelp,
+    isReviewStep,
   }: AcuantCaptureProps,
   ref: Ref<HTMLInputElement | null>,
 ) {
@@ -327,7 +332,7 @@ function AcuantCapture(
   } = useContext(AcuantContext);
   const { isMockClient } = useContext(UploadContext);
   const { trackEvent } = useContext(AnalyticsContext);
-  const { isSelfieCaptureEnabled, immediatelyBeginCapture } = useContext(SelfieCaptureContext);
+  const { isSelfieCaptureEnabled } = useContext(SelfieCaptureContext);
   const fullScreenRef = useRef<FullScreenRefHandle>(null);
   const inputRef = useRef<HTMLInputElement>(null);
   const isForceUploading = useRef(false);
@@ -350,7 +355,7 @@ function AcuantCapture(
   const isBackOfId = name === 'back';
   useLogCameraInfo({ isBackOfId, hasStartedCropping });
   const [isCapturingEnvironment, setIsCapturingEnvironment] = useState(
-    selfieCapture && immediatelyBeginCapture,
+    selfieCapture && !isReviewStep,
   );
 
   const {

app/javascript/packages/document-capture/components/document-side-acuant-capture.tsx

@@ -100,6 +100,7 @@ function DocumentSideAcuantCapture({
       className={className}
       allowUpload={isUploadAllowed}
       showSelfieHelp={showSelfieHelp}
+      isReviewStep={isReviewStep}
     />
   );
 }

app/javascript/packages/document-capture/context/selfie-capture.tsx

@@ -14,17 +14,12 @@ interface SelfieCaptureProps {
    * the capture component.
    */
   showHelpInitially: boolean;
-  /**
-   * Specify whether we should try to capture using Acuant immediately
-   */
-  immediatelyBeginCapture: boolean;
 }
 
 const SelfieCaptureContext = createContext<SelfieCaptureProps>({
   isSelfieCaptureEnabled: false,
   isSelfieDesktopTestMode: false,
   showHelpInitially: true,
-  immediatelyBeginCapture: false,
 });
 
 SelfieCaptureContext.displayName = 'SelfieCaptureContext';

app/javascript/packages/phone-input/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.0",
   "dependencies": {
     "intl-tel-input": "^24.5.0",
-    "libphonenumber-js": "^1.12.4"
+    "libphonenumber-js": "^1.12.5"
   },
   "sideEffects": [
     "./index.ts"

app/javascript/packs/document-capture.tsx

@@ -179,7 +179,6 @@ render(
                       isSelfieCaptureEnabled: getSelfieCaptureEnabled(),
                       isSelfieDesktopTestMode: String(docAuthSelfieDesktopTestMode) === 'true',
                       showHelpInitially: true,
-                      immediatelyBeginCapture: false,
                     }}
                   >
                     <FailedCaptureAttemptsContextProvider

app/jobs/data_warehouse/table_summary_stats_export_job.rb

@@ -6,11 +6,13 @@ class TableSummaryStatsExportJob < BaseJob
 
     TABLE_EXCLUSION_LIST = %w[
       agency_identities
+      usps_confirmations
     ].freeze
 
     TIMESTAMP_OVERRIDE = {
       'sp_return_logs' => 'returned_at',
       'registration_logs' => 'registered_at',
+      'letter_requests_to_usps_ftp_logs' => 'ftp_at',
     }.freeze
 
     def perform(timestamp)

app/services/encryption/contextless_kms_client.rb

@@ -19,13 +19,23 @@ class ContextlessKmsClient
     }.freeze
 
     def encrypt(plaintext, log_context: nil)
-      KmsLogger.log(:encrypt, key_id: IdentityConfig.store.aws_kms_key_id, log_context: log_context)
+      KmsLogger.log(
+        action: :encrypt,
+        timestamp: Time.zone.now,
+        key_id: IdentityConfig.store.aws_kms_key_id,
+        log_context: log_context,
+      )
       return encrypt_kms(plaintext) if FeatureManagement.use_kms?
       encrypt_local(plaintext)
     end
 
     def decrypt(ciphertext, log_context: nil)
-      KmsLogger.log(:decrypt, key_id: IdentityConfig.store.aws_kms_key_id, log_context: log_context)
+      KmsLogger.log(
+        action: :decrypt,
+        timestamp: Time.zone.now,
+        key_id: IdentityConfig.store.aws_kms_key_id,
+        log_context: log_context,
+      )
       return decrypt_kms(ciphertext) if use_kms?(ciphertext)
       decrypt_local(ciphertext)
     end

app/services/encryption/kms_client.rb

@@ -32,7 +32,12 @@ def initialize(kms_key_id: IdentityConfig.store.aws_kms_key_id)
     end
 
     def encrypt(plaintext, encryption_context)
-      KmsLogger.log(:encrypt, context: encryption_context, key_id: kms_key_id)
+      KmsLogger.log(
+        action: :encrypt,
+        timestamp: Time.zone.now,
+        context: encryption_context,
+        key_id: kms_key_id,
+      )
       return encrypt_kms(plaintext, encryption_context) if FeatureManagement.use_kms?
       encrypt_local(plaintext, encryption_context)
     end
@@ -41,7 +46,12 @@ def decrypt(ciphertext, encryption_context)
       if self.class.looks_like_contextless?(ciphertext)
         return decrypt_contextless_kms(ciphertext, encryption_context)
       end
-      KmsLogger.log(:decrypt, context: encryption_context, key_id: kms_key_id)
+      KmsLogger.log(
+        action: :decrypt,
+        timestamp: Time.zone.now,
+        context: encryption_context,
+        key_id: kms_key_id,
+      )
       return decrypt_kms(ciphertext, encryption_context) if use_kms?(ciphertext)
       decrypt_local(ciphertext, encryption_context)
     end

app/services/encryption/kms_logger.rb

@@ -2,9 +2,10 @@
 
 module Encryption
   class KmsLogger
-    def self.log(action, key_id:, context: nil, log_context: nil)
+    def self.log(action:, timestamp:, key_id:, context: nil, log_context: nil)
       output = {
         kms: {
+          timestamp: timestamp,
           action: action,
           encryption_context: context,
           log_context: log_context,

app/services/recaptcha_annotator.rb

@@ -21,8 +21,10 @@ def annotate(assessment_id:, reason: nil, annotation: nil)
       return if assessment_id.blank?
 
       if FeatureManagement.recaptcha_enterprise?
-        assessment = create_or_update_assessment!(assessment_id:, reason:, annotation:)
-        RecaptchaAnnotateJob.perform_later(assessment:)
+        submit_annotation(assessment_id:, reason:, annotation:)
+        # Future:
+        # assessment = create_or_update_assessment!(assessment_id:, reason:, annotation:)
+        # RecaptchaAnnotateJob.perform_later(assessment:)
       end
 
       { assessment_id:, reason:, annotation: }
@@ -34,7 +36,6 @@ def submit_assessment(assessment)
         annotation: assessment.annotation_before_type_cast,
         reason: assessment.annotation_reason_before_type_cast,
       )
-      assessment.destroy
     end
 
     private

app/services/saml_request_validator.rb

@@ -59,6 +59,9 @@ def authorized_service_provider
   end
 
   def authorized_authn_context
+    # if there is no service provider, an error has already been added
+    return unless service_provider.present?
+
     if !valid_authn_context? ||
        (identity_proofing_requested? && !service_provider.identity_proofing_allowed?) ||
        (ial_max_requested? && !service_provider.ialmax_allowed?) ||
@@ -74,7 +77,7 @@ def parsable_vtr
   end
 
   def registered_cert_exists
-    # if there is no service provider, this error has already been added
+    # if there is no service provider, an error has already been added
     return if service_provider.blank?
     return if service_provider.certs.present?
     return unless service_provider.encrypt_responses?

config/application.yml.default

@@ -390,6 +390,7 @@ short_term_phone_otp_max_attempt_window_in_seconds: 10
 short_term_phone_otp_max_attempts: 2
 show_unsupported_passkey_platform_authentication_setup: false
 show_user_attribute_deprecation_warnings: false
+sign_in_recaptcha_annotation_enabled: false
 sign_in_recaptcha_log_failures_only: false
 sign_in_recaptcha_percent_tested: 0
 sign_in_recaptcha_score_threshold: 0.0
@@ -507,6 +508,7 @@ development:
   secret_key_base: development_secret_key_base
   session_encryption_key: 27bad3c25711099429c1afdfd1890910f3b59f5a4faec1c85e945cb8b02b02f261ba501d99cfbb4fab394e0102de6fecf8ffe260f322f610db3e96b2a775c120
   show_unsupported_passkey_platform_authentication_setup: true
+  sign_in_recaptcha_annotation_enabled: true
   sign_in_recaptcha_percent_tested: 100
   sign_in_recaptcha_score_threshold: 0.3
   skip_encryption_allowed_list: '["urn:gov:gsa:SAML:2.0.profiles:sp:sso:localhost"]'
@@ -607,6 +609,7 @@ test:
   secret_key_base: test_secret_key_base
   session_encryption_key: 27bad3c25711099429c1afdfd1890910f3b59f5a4faec1c85e945cb8b02b02f261ba501d99cfbb4fab394e0102de6fecf8ffe260f322f610db3e96b2a775c120
   short_term_phone_otp_max_attempts: 100
+  sign_in_recaptcha_annotation_enabled: true
   skip_encryption_allowed_list: '[]'
   socure_docv_document_request_endpoint: 'https://sandbox.socure.test/documnt-request'
   socure_docv_webhook_secret_key: 'secret-key'

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[8.0].define(version: 2025_02_28_141538) do
+ActiveRecord::Schema[8.0].define(version: 2025_02_24_134110) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "citext"
   enable_extension "pg_catalog.plpgsql"
@@ -482,8 +482,6 @@
   create_table "recaptcha_assessments", id: :string, force: :cascade do |t|
     t.string "annotation", comment: "sensitive=false"
     t.string "annotation_reason", comment: "sensitive=false"
-    t.datetime "created_at", null: false, comment: "sensitive=false"
-    t.datetime "updated_at", null: false, comment: "sensitive=false"
   end
 
   create_table "registration_logs", force: :cascade do |t|

lib/data_pull.rb

@@ -300,13 +300,13 @@ def run(args:, config:)
             ]
           end
         elsif config.include_missing?
-          table << [user.uuid, '[HAS NO PROFILE]', nil, nil, nil, nil, nil, nil]
+          table << [user.uuid, '[HAS NO PROFILE]', nil, nil, nil, nil, nil, nil, nil]
         end
       end
 
       if config.include_missing?
         (uuids - users.map(&:uuid)).each do |missing_uuid|
-          table << [missing_uuid, '[UUID NOT FOUND]', nil, nil, nil, nil, nil, nil]
+          table << [missing_uuid, '[UUID NOT FOUND]', nil, nil, nil, nil, nil, nil, nil]
         end
       end
 

lib/identity_config.rb

@@ -428,6 +428,7 @@ def self.store
     config.add(:sign_in_user_id_per_ip_attempt_window_in_minutes, type: :integer)
     config.add(:sign_in_user_id_per_ip_attempt_window_max_minutes, type: :integer)
     config.add(:sign_in_user_id_per_ip_max_attempts, type: :integer)
+    config.add(:sign_in_recaptcha_annotation_enabled, type: :boolean)
     config.add(:sign_in_recaptcha_log_failures_only, type: :boolean)
     config.add(:sign_in_recaptcha_percent_tested, type: :integer)
     config.add(:sign_in_recaptcha_score_threshold, type: :float)