LG-16327 Update ssn logic ial2 match sp

[kevinsmaster5]

🎫 Ticket

Link to the relevant ticket:
LG-16327

🛠 Summary of changes

Ensure the restriction of duplicate SSN checks to only those IAL2 accounts that are associated with SP (Service Provider) connections that have opted into the upcoming OneAccount functionality.

Builds upon previous #12296

[vrajmohan]

The initiating_service_provider_issuer is merely the service provider who initiated the identity verification. The current service provider may be different.

[kevinsmaster5]

I am now comparing the Profiles against the current session sp with a3e5ee0

[vrajmohan]

I'm not seeing how this fixes the issue either.

Say there are 2 service providers: SP1 and SP2. SP2 and SP3 are in eligible_one_account_providers.
Profile P1 with SSN SSN1 that was initiated by SP1 and later used by SP2.
Profile P2 with the same SSN (SSN1) that was initiated and later used by SP2.
This should be detected as a duplicate when an IAL2 with facial match is requested by SP2.

I don't see a way to detect this without using sp_return_logs.

[vrajmohan]

Can we use different service providers? The "inactive" in the name is misleading.

[kevinsmaster5]

This is the service provider generated by the factory with create(:profile, :facial_match_proof
https://github.com/18F/identity-idp/blob/main/spec/factories/profiles.rb#L105-L108

[vrajmohan]

Sorry, but that does not make it any better. It is wrong there as well.
That is an inactive service provider, which is used in tests like

identity-idp/spec/features/openid_connect/redirect_uri_validation_spec.rb

Line 28 in f3417c3

context 'when the service_provider is not active' do

. It does not cause harm here but is unnecessary misdirection.

[vrajmohan]

FYI, I am cleaning up the existing problem here - #12377.

[kevinsmaster5]

Thank you. I'm revising in my tests to avoid that as you requested.

[vrajmohan]

Also, the merged PR appears to have modified DuplicateSsnFinder#ssn_is_unique?. That method is not relevant for the One Account work and should be left alone.

See Cloudwatch query for loss of information.

[kevinsmaster5]

Puts this method back to where it was before per
#12326 (comment)

[kevinsmaster5]

Suggested change

	Profile.joins(:sp_return_logs)
	.active
	.facial_match
	.where(ssn_signature: ssn_signatures)
	.where(sp_return_logs: { issuer: sp_eligible_for_one_account })
	.where.not(user_id: user.id)
	.distinct
	Profile.joins("INNER JOIN identities ON identities.user_id = profiles.user_id")
	.active
	.facial_match
	.where(ssn_signature: ssn_signatures)
	.where(identities: { service_provider: sp_eligible_for_one_account })
	.where(identities: { deleted_at: nil })
	.where(identities: { ial: 2 })
	.where.not(user_id: user.id)
	.distinct

[kevinsmaster5]

Slack question for Team https://gsa-tts.slack.com/archives/C05MGJ72GU9/p1752849537704709

[vrajmohan]

I think we would be better served by ensuring that the tests map to the spreadsheet with the combinations that we have created.

[vrajmohan]

Sorry, but that does not make it any better. It is wrong there as well.
That is an inactive service provider, which is used in tests like

identity-idp/spec/features/openid_connect/redirect_uri_validation_spec.rb

Line 28 in f3417c3

context 'when the service_provider is not active' do

. It does not cause harm here but is unnecessary misdirection.

[vrajmohan]

Why do we need the session_uuid set?

[kevinsmaster5]

That's now removed from both _spec

[vrajmohan]

Why have the identities associated only in this context and not in the sibling contexts? In fact, having these be associated in the next context should demonstrate that the code is wrong because the test fails.

[kevinsmaster5]

Added more tests with 857818b
These cover the spreadsheet mockup users 1 - 4. Users 5 & 6 would not ever reach the duplicate_ssn_finder class because they would be eliminated at

identity-idp/app/services/duplicate_profile_checker.rb

Line 14 in 0758644

return unless user_has_ial2_profile? && user_sp_eligible_for_one_account?

User 5 is covered with this test

identity-idp/spec/services/duplicate_profile_checker_spec.rb

Line 104 in 0758644

context 'when user does not have active IAL2 profile' do

User 6 is covered with

identity-idp/spec/services/duplicate_profile_checker_spec.rb

Line 34 in 0758644

context 'when user does not have other accounts with matching profile' do

[vrajmohan]

What JavaScript changes are we making to cause this?

[kevinsmaster5]

My local NPM must have done something strange. I'll revert that.

[vrajmohan]

I am sorry but we don't appear to be converging: This still does not address the fundamental issue of duplicates within the requesting service provider. This will be clear if the requesting service provider from the Reduced Version spreadsheet is SP2 instead of SP1. In that case, User 3 should not come up as a duplicate when requesting for User 1 or User 2.

There are several other issues as well:

1. The test cases are not clear
2. Unnecessary fixture setup of session_uuid: SecureRandom.uuid
3. Repeated context in test of "describe '#associated_facial_match_profiles_with_ssn'".
4. Test assertion of specific profile ids with no sort specified.

Sorry to do this, but I'm creating a separate PR that leverages some of this work and that hopefully addresses all these issues.