Deploy RC 40 to production

.circleci/config.yml

@@ -7,7 +7,7 @@ jobs:
   build:
     docker:
       # Specify the Ruby version you desire here
-      - image: circleci/ruby:2.3.3-node-browsers
+      - image: circleci/ruby:2.3.5-node-browsers
         environment:
           RAILS_ENV: test
           CC_TEST_REPORTER_ID: faecd27e9aed532634b3f4d3e251542d7de9457cfca96a94208a63270ef9b42e

.reek

@@ -15,6 +15,7 @@ DuplicateMethodCall:
 FeatureEnvy:
   exclude:
     - ActiveJob::Logging::LogSubscriber#json_for
+    - Aws::SES::Base#deliver
     - track_registration
     - append_info_to_payload
     - generate_slo_request

.ruby-version

@@ -1 +1 @@
-2.3.3
+2.3

Dockerfile

@@ -1,5 +1,5 @@
 # Use the official Ruby image because the Rails images have been deprecated
-FROM ruby:2.3.3
+FROM ruby:2.3
 
 # npm is needed by browserify to install packages
 # TOOD(sbc): Create a separate production container without this.

Gemfile

@@ -1,7 +1,7 @@
 source 'https://rubygems.org'
 git_source(:github) { |repo_name| "https://github.com/#{repo_name}.git" }
 
-ruby '~> 2.3.3'
+ruby '~> 2.3.5'
 
 gem 'rails', '~> 5.1.3'
 
@@ -31,6 +31,8 @@ gem 'phony_rails'
 gem 'premailer-rails'
 gem 'proofer', github: '18F/identity-proofer-gem', branch: 'master'
 gem 'rack-cors', require: 'rack/cors'
+gem 'rack-headers_filter'
+gem 'rack-timeout'
 gem 'readthis'
 gem 'redis-session-store', github: '18F/redis-session-store', branch: 'master'
 gem 'rqrcode'

Gemfile.lock

@@ -248,7 +248,7 @@ GEM
     erubi (1.6.1)
     erubis (2.7.0)
     eventmachine (1.2.5)
-    excon (0.57.0)
+    excon (0.58.0)
     execjs (2.7.0)
     factory_girl (4.8.0)
       activesupport (>= 3.0.0)
@@ -415,12 +415,14 @@ GEM
     rack-attack (5.0.1)
       rack
     rack-cors (0.4.1)
+    rack-headers_filter (0.0.1)
     rack-mini-profiler (0.10.5)
       rack (>= 1.2.0)
     rack-protection (2.0.0)
       rack
     rack-test (0.6.3)
       rack (>= 1.0)
+    rack-timeout (0.4.2)
     rack_session_access (0.1.1)
       builder (>= 2.0.0)
       rack (>= 1.0.0)
@@ -513,8 +515,8 @@ GEM
     ruby-saml (1.4.3)
       nokogiri (>= 1.5.10)
     ruby_dep (1.5.0)
-    ruby_parser (3.8.4)
-      sexp_processor (~> 4.1)
+    ruby_parser (3.10.1)
+      sexp_processor (~> 4.9)
     safe_yaml (1.0.4)
     safely_block (0.2.0)
       errbase
@@ -538,7 +540,7 @@ GEM
     secure_headers (3.6.7)
       useragent
     securecompare (1.0.0)
-    sexp_processor (4.8.0)
+    sexp_processor (4.10.0)
     shellany (0.0.1)
     shoulda-matchers (3.1.2)
       activesupport (>= 4.0.0)
@@ -713,8 +715,10 @@ DEPENDENCIES
   proofer!
   pry-byebug
   rack-cors
+  rack-headers_filter
   rack-mini-profiler
   rack-test
+  rack-timeout
   rack_session_access
   rails (~> 5.1.3)
   rails-controller-testing
@@ -755,7 +759,7 @@ DEPENDENCIES
   zxcvbn-js
 
 RUBY VERSION
-   ruby 2.3.3p222
+   ruby 2.3.5p376
 
 BUNDLED WITH
    1.15.4

README.md

@@ -13,7 +13,7 @@ A Identity Management System powering login.gov.
 
 #### Dependencies
 
-- Ruby 2.3.3
+- Ruby 2.3
 - [Postgresql](http://www.postgresql.org/download/)
 - [Redis 2.8+](http://redis.io/)
 - [Node.js v4.4.x](https://nodejs.org)

app/assets/stylesheets/components/_btn.scss

@@ -51,7 +51,6 @@
   &:active,
   &:focus,
   &:hover, {
-    border: 0;
     box-shadow: none;
     text-decoration: underline;
   }

app/controllers/application_controller.rb

@@ -10,6 +10,7 @@ class ApplicationController < ActionController::Base
   protect_from_forgery with: :exception
 
   rescue_from ActionController::InvalidAuthenticityToken, with: :invalid_auth_token
+  rescue_from ActionController::UnknownFormat, with: :render_not_found
 
   helper_method :decorated_session, :reauthn?, :user_fully_authenticated?
 
@@ -151,4 +152,8 @@ def set_locale
   def sp_session
     session.fetch(:sp, {})
   end
+
+  def render_not_found
+    render template: 'pages/page_not_found', layout: false, status: 404, formats: :html
+  end
 end

app/controllers/health/workers_controller.rb

@@ -1,8 +1,6 @@
 module Health
   class WorkersController < ApplicationController
     def index
-      WorkerHealthChecker.enqueue_dummy_jobs
-
       summary = WorkerHealthChecker.summary
 
       status = summary.all_healthy? ? :ok : :internal_error

app/controllers/users/personal_keys_controller.rb

@@ -5,16 +5,25 @@ class PersonalKeysController < ApplicationController
     before_action :confirm_two_factor_authenticated
 
     def show
-      @code = create_new_code
-      analytics.track_event(Analytics::PROFILE_PERSONAL_KEY_CREATE)
+      personal_key = user_session[:personal_key]
+
+      return redirect_to account_url if personal_key.blank?
 
-      flash.now[:success] = t('notices.send_code.personal_key') if params[:resend].present?
+      @code = personal_key
     end
 
     def update
+      user_session.delete(:personal_key)
       redirect_to next_step
     end
 
+    def create
+      user_session[:personal_key] = create_new_code
+      analytics.track_event(Analytics::PROFILE_PERSONAL_KEY_CREATE)
+      flash[:success] = t('notices.send_code.personal_key') if params[:resend].present?
+      redirect_to manage_personal_key_path
+    end
+
     private
 
     def next_step

app/controllers/users/verify_account_controller.rb

@@ -9,7 +9,7 @@ def index
       @verify_account_form = VerifyAccountForm.new(user: current_user)
 
       return unless FeatureManagement.reveal_usps_code?
-      @code = JSON.parse(user_session[:decrypted_pii])['otp']['raw']
+      @code = session[:last_usps_confirmation_code]
     end
 
     def create
@@ -28,8 +28,7 @@ def create
     def build_verify_account_form
       VerifyAccountForm.new(
         user: current_user,
-        otp: params_otp,
-        pii_attributes: decrypted_pii
+        otp: params_otp
       )
     end
 
@@ -41,12 +40,5 @@ def confirm_verification_needed
       return if current_user.decorate.pending_profile_requires_verification?
       redirect_to account_url
     end
-
-    def decrypted_pii
-      @_decrypted_pii ||= begin
-        cacher = Pii::Cacher.new(current_user, user_session)
-        cacher.fetch
-      end
-    end
   end
 end

app/controllers/verify/come_back_later_controller.rb

@@ -2,19 +2,14 @@ module Verify
   class ComeBackLaterController < ApplicationController
     include IdvSession
 
-    before_action :confirm_idv_session_completed
-    before_action :confirm_usps_verification_method_chosen
+    before_action :confirm_user_needs_usps_confirmation
 
     def show; end
 
     private
 
-    def confirm_idv_session_completed
-      redirect_to account_path if idv_session.profile.blank?
-    end
-
-    def confirm_usps_verification_method_chosen
-      redirect_to account_path unless idv_session.address_verification_mechanism == 'usps'
+    def confirm_user_needs_usps_confirmation
+      redirect_to account_path unless current_user.decorate.needs_profile_usps_verification?
     end
   end
 end

app/controllers/verify/review_controller.rb

@@ -47,6 +47,9 @@ def create
       init_profile
       redirect_to verify_confirmations_path
       analytics.track_event(Analytics::IDV_REVIEW_COMPLETE)
+
+      return unless FeatureManagement.reveal_usps_code?
+      session[:last_usps_confirmation_code] = idv_session.usps_otp
     end
 
     private

app/controllers/verify/sessions_controller.rb

@@ -2,6 +2,7 @@ module Verify
   class SessionsController < ApplicationController
     include IdvSession
     include IdvFailureConcern
+    include PersonalKeyConcern
 
     before_action :confirm_two_factor_authenticated, except: [:destroy]
     before_action :confirm_idv_attempts_allowed
@@ -75,6 +76,7 @@ def step
 
     def handle_idv_redirect
       redirect_to account_path and return if current_user.personal_key.present?
+      user_session[:personal_key] = create_new_code
       redirect_to manage_personal_key_path
     end
 

app/controllers/verify/usps_controller.rb

@@ -13,7 +13,8 @@ def create
       idv_session.address_verification_mechanism = :usps
 
       if current_user.decorate.needs_profile_usps_verification?
-        redirect_to account_path
+        resend_letter
+        redirect_to verify_come_back_later_url
       else
         redirect_to verify_review_url
       end
@@ -29,5 +30,17 @@ def confirm_mail_not_spammed
       redirect_to verify_review_path if idv_session.address_mechanism_chosen? &&
                                         usps_mail_service.mail_spammed?
     end
+
+    def resend_letter
+      confirmation_maker = UspsConfirmationMaker.new(
+        pii: Pii::Cacher.new(current_user, user_session).fetch,
+        issuer: sp_session[:issuer],
+        profile: current_user.decorate.pending_profile
+      )
+      confirmation_maker.perform
+
+      return unless FeatureManagement.reveal_usps_code?
+      session[:last_usps_confirmation_code] = confirmation_maker.otp
+    end
   end
 end

app/decorators/service_provider_session_decorator.rb

@@ -68,7 +68,7 @@ def sp_return_url
   end
 
   def cancel_link_path
-    sign_up_start_path(request_id: sp_session[:request_id])
+    sign_up_start_path(request_id: sp_session[:request_id], locale: locale_url_param)
   end
 
   private

app/forms/verify_account_form.rb

@@ -9,10 +9,9 @@ class VerifyAccountForm
   attr_accessor :otp, :pii_attributes
   attr_reader :user
 
-  def initialize(user:, otp: nil, pii_attributes: nil)
+  def initialize(user:, otp: nil)
     @user = user
     @otp = otp
-    @pii_attributes = pii_attributes
   end
 
   def submit
@@ -31,8 +30,14 @@ def pending_profile
     @_pending_profile ||= user.decorate.pending_profile
   end
 
+  def usps_confirmation_code
+    return if otp.blank? || pending_profile.blank?
+
+    pending_profile.usps_confirmation_codes.first_with_otp(otp)
+  end
+
   def validate_otp_not_expired
-    return unless Idv::UspsMail.new(user).most_recent_otp_expired?
+    return unless usps_confirmation_code.present? && usps_confirmation_code.expired?
 
     errors.add :otp, :usps_otp_expired
   end
@@ -47,9 +52,7 @@ def validate_otp
   end
 
   def valid_otp?
-    otp.present? && ActiveSupport::SecurityUtils.secure_compare(
-      Base32::Crockford.normalize(otp), Base32::Crockford.normalize(pii_attributes.otp.to_s)
-    )
+    otp.present? && usps_confirmation_code.present?
   end
 
   def reset_sensitive_fields

app/jobs/sms_otp_sender_job.rb

@@ -17,14 +17,5 @@ def send_otp(twilio_service, code, phone)
       to: phone,
       body: I18n.t('jobs.sms_otp_sender_job.message', code: code, app: APP_NAME)
     )
-  rescue Twilio::REST::RestError => error
-    sanitize_phone_number(error.message)
-    raise
-  end
-
-  def sanitize_phone_number(str)
-    return unless str =~ /is not a valid phone number/
-
-    str.gsub!(/\+[\d\(\)\- ]+/) { |match| match.gsub(/\d/, '#') }
   end
 end

app/models/profile.rb

@@ -1,5 +1,6 @@
 class Profile < ApplicationRecord
   belongs_to :user
+  has_many :usps_confirmation_codes
 
   validates :active, uniqueness: { scope: :user_id, if: :active? }
   validates :ssn_signature, uniqueness: { scope: :active, if: :active? }

app/models/usps_confirmation_code.rb

@@ -0,0 +1,16 @@
+class UspsConfirmationCode < ApplicationRecord
+  belongs_to :profile
+
+  def self.first_with_otp(otp)
+    find do |usps_confirmation_code|
+      Pii::Fingerprinter.verify(
+        Base32::Crockford.normalize(otp),
+        usps_confirmation_code.otp_fingerprint
+      )
+    end
+  end
+
+  def expired?
+    code_sent_at < Figaro.env.usps_confirmation_max_days.to_i.days.ago
+  end
+end

app/services/analytics.rb

@@ -9,7 +9,6 @@ def track_event(event, attributes = {})
       event_properties: attributes.except(:user_id),
       user_id: attributes[:user_id] || uuid,
     }
-
     ahoy.track(event, analytics_hash.merge!(request_attributes))
   end