Deploy RC 190 to Production

Gemfile

@@ -54,7 +54,7 @@ gem 'rqrcode'
 gem 'ruby-progressbar'
 gem 'ruby-saml'
 gem 'safe_target_blank', '>= 1.0.2'
-gem 'saml_idp', github: '18F/saml_idp', tag: '0.16.0-18f'
+gem 'saml_idp', github: '18F/saml_idp', tag: '0.17.0-18f'
 gem 'scrypt'
 gem 'simple_form', '>= 5.0.2'
 gem 'stringex', require: false
@@ -87,6 +87,7 @@ group :development, :test do
   gem 'aws-sdk-cloudwatchlogs', require: false
   gem 'brakeman', require: false
   gem 'bullet', '>= 6.0.2'
+  gem 'capybara-webmock', git: 'https://github.com/hashrocket/capybara-webmock.git', ref: '63d790a0'
   gem 'data_uri', require: false
   gem 'erb_lint', '~> 0.1.0', require: false
   gem 'i18n-tasks', '>= 0.9.31'

Gemfile.lock

@@ -25,17 +25,30 @@ GIT
 
 GIT
   remote: https://github.com/18F/saml_idp.git
-  revision: f82bd9cd1682d1645abe98e1fe5e6261f53a8279
-  tag: 0.16.0-18f
+  revision: f10c8ba1b4e10ba983a79b1d0fd39cadca95a728
+  tag: 0.17.0-18f
   specs:
-    saml_idp (0.16.0.pre.18f)
+    saml_idp (0.17.0.pre.18f)
       activesupport
       builder
       faraday
       nokogiri (>= 1.10.2)
       pkcs11
       uuid
 
+GIT
+  remote: https://github.com/hashrocket/capybara-webmock.git
+  revision: 63d790a0b6c779b9700634bfc153e25ccdeb3688
+  ref: 63d790a0
+  specs:
+    capybara-webmock (0.6.0)
+      capybara (>= 2.4, < 4)
+      rack (>= 1.4)
+      rack-proxy (>= 0.6.0)
+      rexml (>= 3.2)
+      selenium-webdriver (>= 4.0)
+      webrick (>= 1.7)
+
 GEM
   remote: https://rubygems.org/
   specs:
@@ -408,7 +421,7 @@ GEM
     pg_query (2.1.3)
       google-protobuf (>= 3.19.2)
     phonelib (0.6.54)
-    pkcs11 (0.3.3)
+    pkcs11 (0.3.4)
     premailer (1.15.0)
       addressable
       css_parser (>= 1.6.0)
@@ -442,6 +455,8 @@ GEM
     rack-headers_filter (0.0.1)
     rack-mini-profiler (2.3.3)
       rack (>= 1.2.0)
+    rack-proxy (0.7.2)
+      rack
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rack-timeout (0.6.0)
@@ -700,6 +715,7 @@ DEPENDENCIES
   bullet (>= 6.0.2)
   bundler-audit
   capybara-selenium (>= 0.0.6)
+  capybara-webmock!
   connection_pool
   cssbundling-rails
   data_uri

app/assets/stylesheets/components/_validated-checkbox.scss

@@ -0,0 +1,7 @@
+.mfa-selection {
+  .usa-checkbox__input--tile:checked
+    + label.checkbox__invalid.usa-checkbox__label.usa-checkbox__label--illustrated {
+    border-color: color('secondary');
+    border-width: 2px;
+  }
+}

app/assets/stylesheets/components/all.scss

@@ -24,4 +24,5 @@
 @import 'spinner-dots';
 @import 'step-indicator';
 @import 'troubleshooting-options';
+@import 'validated-checkbox';
 @import 'i18n-dropdown';

app/controllers/api/verify/complete_controller.rb

@@ -4,7 +4,7 @@ class CompleteController < Api::BaseController
       def create
         result, personal_key = Api::ProfileCreationForm.new(
           password: verify_params[:password],
-          jwt: verify_params[:details],
+          jwt: verify_params[:user_bundle_token],
           user_session: user_session,
           service_provider: current_sp,
         ).submit
@@ -23,7 +23,7 @@ def create
       private
 
       def verify_params
-        params.permit(:password, :details)
+        params.permit(:password, :user_bundle_token)
       end
 
       def add_proofing_component(user)

app/controllers/application_controller.rb

@@ -428,16 +428,6 @@ def analytics_exception_info(exception)
     }
   end
 
-  def add_sp_cost(token)
-    Db::SpCost::AddSpCost.call(
-      current_sp,
-      sp_session_ial,
-      token,
-      transaction_id: nil,
-      user: current_user,
-    )
-  end
-
   def mobile?
     BrowserCache.parse(request.user_agent).mobile?
   end

app/controllers/concerns/billable_event_trackable.rb

@@ -6,7 +6,6 @@ def track_billing_events
       increment_sp_monthly_auths
       create_sp_return_log(billable: true)
       mark_current_session_billed
-      add_sp_cost(:authentication)
     end
   end
 
@@ -21,14 +20,14 @@ def increment_sp_monthly_auths
   end
 
   def create_sp_return_log(billable:)
-    ial_context = IalContext.new(
-      ial: sp_session_ial, service_provider: current_sp, user: current_user,
+    user_ial_context = IalContext.new(
+      ial: ial_context.ial, service_provider: current_sp, user: current_user,
     )
     Db::SpReturnLog.create_return(
       request_id: request_id,
       user_id: current_user.id,
       billable: billable,
-      ial: ial_context.bill_for_ial_1_or_2,
+      ial: user_ial_context.bill_for_ial_1_or_2,
       issuer: current_sp.issuer,
       requested_at: session[:session_started_at],
     )

app/controllers/concerns/idv/phone_otp_rate_limitable.rb

@@ -10,7 +10,7 @@ module PhoneOtpRateLimitable
     def handle_locked_out_user
       reset_attempt_count_if_user_no_longer_locked_out
       return unless decorated_user.locked_out?
-      analytics.track_event(Analytics::IDV_PHONE_CONFIRMATION_OTP_RATE_LIMIT_LOCKED_OUT)
+      analytics.idv_phone_confirmation_otp_rate_limit_locked_out
       handle_too_many_otp_attempts
       false
     end
@@ -28,12 +28,12 @@ def reset_attempt_count_if_user_no_longer_locked_out
     end
 
     def handle_too_many_otp_sends
-      analytics.track_event(Analytics::IDV_PHONE_CONFIRMATION_OTP_RATE_LIMIT_SENDS)
+      analytics.idv_phone_confirmation_otp_rate_limit_sends
       handle_max_attempts('otp_requests')
     end
 
     def handle_too_many_otp_attempts
-      analytics.track_event(Analytics::IDV_PHONE_CONFIRMATION_OTP_RATE_LIMIT_ATTEMPTS)
+      analytics.idv_phone_confirmation_otp_rate_limit_attempts
       handle_max_attempts('otp_login_attempts')
     end
 

app/controllers/concerns/saml_idp_auth_concern.rb

@@ -122,6 +122,7 @@ def ial_context
     @ial_context ||= IalContext.new(
       ial: requested_ial_authn_context,
       service_provider: saml_request_service_provider,
+      authn_context_comparison: saml_request.requested_authn_context_comparison,
     )
   end
 

app/controllers/concerns/verify_profile_concern.rb

@@ -10,6 +10,8 @@ def account_or_verify_profile_url
 
   def profile_needs_verification?
     return false if current_user.blank?
+    return false if sp_session[:ial2_strict] &&
+                    !IdentityConfig.store.gpo_allowed_for_strict_ial2
     current_user.decorate.pending_profile_requires_verification? ||
       user_needs_to_reactivate_account?
   end

app/controllers/idv/doc_auth_controller.rb

@@ -31,6 +31,8 @@ def redirect_if_mail_bounced
     end
 
     def redirect_if_pending_profile
+      return if sp_session[:ial2_strict] &&
+                !IdentityConfig.store.gpo_allowed_for_strict_ial2
       redirect_to idv_gpo_verify_url if current_user.decorate.pending_profile_requires_verification?
     end
 

app/controllers/idv/gpo_controller.rb

@@ -6,6 +6,7 @@ class GpoController < ApplicationController
     before_action :confirm_idv_needed
     before_action :confirm_user_completed_idv_profile_step
     before_action :confirm_mail_not_spammed
+    before_action :confirm_gpo_allowed_if_strict_ial2
     before_action :max_attempts_reached, only: [:update]
 
     def index
@@ -32,7 +33,9 @@ def create
       update_tracking
       idv_session.address_verification_mechanism = :gpo
 
-      if current_user.decorate.pending_profile_requires_verification?
+      if current_user.decorate.pending_profile_requires_verification? && pii_locked?
+        redirect_to capture_password_url
+      elsif current_user.decorate.pending_profile_requires_verification?
         resend_letter
         redirect_to idv_come_back_later_url
       else
@@ -63,6 +66,12 @@ def failure
       redirect_to idv_gpo_url unless performed?
     end
 
+    def confirm_gpo_allowed_if_strict_ial2
+      return unless sp_session[:ial2_strict]
+      return if IdentityConfig.store.gpo_allowed_for_strict_ial2
+      redirect_to idv_phone_url
+    end
+
     def pii(address_pii)
       address_pii.dup.merge(non_address_pii)
     end
@@ -256,5 +265,9 @@ def missing
       delete_async
       ProofingSessionAsyncResult.missing
     end
+
+    def pii_locked?
+      !Pii::Cacher.new(current_user, user_session).exists_in_session?
+    end
   end
 end

app/controllers/idv/otp_delivery_method_controller.rb

@@ -48,7 +48,7 @@ def render_new_with_error_message
     def send_phone_confirmation_otp_and_handle_result
       save_delivery_preference
       result = send_phone_confirmation_otp
-      analytics.track_event(Analytics::IDV_PHONE_CONFIRMATION_OTP_SENT, result.to_h)
+      analytics.idv_phone_confirmation_otp_sent(**result.to_h)
       if result.success?
         redirect_to idv_otp_verification_url
       else
@@ -79,8 +79,11 @@ def otp_delivery_selection_form
     end
 
     def gpo_letter_available
+      return @gpo_letter_available if defined?(@gpo_letter_available)
       @gpo_letter_available ||= FeatureManagement.enable_gpo_verification? &&
-                                !Idv::GpoMail.new(current_user).mail_spammed?
+                                !Idv::GpoMail.new(current_user).mail_spammed? &&
+                                !(sp_session[:ial2_strict] &&
+                                  !IdentityConfig.store.gpo_allowed_for_strict_ial2)
     end
   end
 end

app/controllers/idv/phone_controller.rb

@@ -140,8 +140,11 @@ def new_phone_added?
     end
 
     def gpo_letter_available
+      return @gpo_letter_available if defined?(@gpo_letter_available)
       @gpo_letter_available ||= FeatureManagement.enable_gpo_verification? &&
-                                !Idv::GpoMail.new(current_user).mail_spammed?
+                                !Idv::GpoMail.new(current_user).mail_spammed? &&
+                                !(sp_session[:ial2_strict] &&
+                                  !IdentityConfig.store.gpo_allowed_for_strict_ial2)
     end
   end
 end

app/controllers/idv/phone_errors_controller.rb

@@ -4,6 +4,7 @@ class PhoneErrorsController < ApplicationController
 
     before_action :confirm_two_factor_authenticated
     before_action :confirm_idv_phone_step_needed
+    before_action :set_gpo_letter_available
 
     def warning
       @remaining_attempts = throttle.remaining_count
@@ -45,5 +46,15 @@ def track_event(type:)
 
       analytics.idv_phone_error_visited(**attributes)
     end
+
+    # rubocop:disable Naming/MemoizedInstanceVariableName
+    def set_gpo_letter_available
+      return @gpo_letter_available if defined?(@gpo_letter_available)
+      @gpo_letter_available ||= FeatureManagement.enable_gpo_verification? &&
+                                !Idv::GpoMail.new(current_user).mail_spammed? &&
+                                !(sp_session[:ial2_strict] &&
+                                  !IdentityConfig.store.gpo_allowed_for_strict_ial2)
+    end
+    # rubocop:enable Naming/MemoizedInstanceVariableName
   end
 end

app/controllers/idv/resend_otp_controller.rb

@@ -10,7 +10,7 @@ class ResendOtpController < ApplicationController
 
     def create
       result = send_phone_confirmation_otp
-      analytics.track_event(Analytics::IDV_PHONE_CONFIRMATION_OTP_RESENT, result.to_h)
+      analytics.idv_phone_confirmation_otp_resent(**result.to_h)
       if result.success?
         redirect_to idv_otp_verification_url
       else

app/controllers/idv/review_controller.rb

@@ -46,7 +46,7 @@ def create
       user_session[:need_personal_key_confirmation] = true
       redirect_to next_step
       analytics.track_event(Analytics::IDV_REVIEW_COMPLETE)
-      analytics.track_event(Analytics::IDV_FINAL, success: true)
+      analytics.idv_final(success: true)
 
       return unless FeatureManagement.reveal_gpo_code?
       session[:last_gpo_confirmation_code] = idv_session.gpo_otp
@@ -115,15 +115,15 @@ def need_personal_key_confirmation?
 
     def next_step
       if idv_api_personal_key_step_enabled?
-        idv_app_root_url
+        idv_app_url
       else
         idv_personal_key_url
       end
     end
 
     def idv_api_personal_key_step_enabled?
       return false if idv_session.address_verification_mechanism == 'gpo'
-      IdentityConfig.store.idv_api_enabled_steps.include?(:personal_key)
+      IdentityConfig.store.idv_api_enabled_steps.include?('personal_key')
     end
   end
 end

app/controllers/openid_connect/authorization_controller.rb

@@ -58,6 +58,10 @@ def link_identity_to_service_provider
       @authorize_form.link_identity_to_service_provider(current_user, session.id)
     end
 
+    def ial_context
+      @authorize_form.ial_context
+    end
+
     def handle_successful_handoff
       track_events
       SpHandoffBounce::AddHandoffTimeToSession.call(sp_session)