From 3fc999ffdd4270197399f341aad53c045ff655ed Mon Sep 17 00:00:00 2001 From: Steve Urciuoli Date: Mon, 22 Aug 2022 23:41:50 -0500 Subject: [PATCH 1/7] LG-7305 Make sure ThreatMetrix failure results in disabled account --- app/forms/api/profile_creation_form.rb | 10 ++++++++++ app/models/profile.rb | 1 + config/application.yml.default | 1 + lib/identity_config.rb | 1 + 4 files changed, 13 insertions(+) diff --git a/app/forms/api/profile_creation_form.rb b/app/forms/api/profile_creation_form.rb index 9a378a4c485..62565e8fc33 100644 --- a/app/forms/api/profile_creation_form.rb +++ b/app/forms/api/profile_creation_form.rb @@ -60,6 +60,8 @@ def deactivation_reason :gpo_verification_pending elsif pending_in_person_enrollment? :in_person_verification_pending + elsif threatmetrix_failed_and_needs_review? + :threatmetrix_review_pending end end @@ -172,5 +174,13 @@ def in_person_enrollment? return false unless IdentityConfig.store.in_person_proofing_enabled ProofingComponent.find_by(user: user)&.document_check == Idp::Constants::Vendors::USPS end + + def threatmetrix_failed_and_needs_review? + return unless IdentityConfig.store.lexisnexis_threatmetrix_required_to_verify + return unless IdentityConfig.store.lexisnexis_threatmetrix_enabled + component = ProofingComponent.find_by(user: user) + return true unless component + !(component.threatmetrix_enabled && component.threatmetrix_review_status == 'pass') + end end end diff --git a/app/models/profile.rb b/app/models/profile.rb index 8465f997a65..45a11067b3d 100644 --- a/app/models/profile.rb +++ b/app/models/profile.rb @@ -16,6 +16,7 @@ class Profile < ApplicationRecord gpo_verification_pending: 3, verification_cancelled: 4, in_person_verification_pending: 5, + threatmetrix_review_pending: 6, } attr_reader :personal_key diff --git a/config/application.yml.default b/config/application.yml.default index 23bc8d37cd3..2f2ef2707bf 100644 --- a/config/application.yml.default +++ b/config/application.yml.default @@ -152,6 +152,7 @@ lexisnexis_threatmetrix_policy: test-policy lexisnexis_threatmetrix_timeout: 1.0 lexisnexis_threatmetrix_enabled: false lexisnexis_threatmetrix_mock_enabled: true +lexisnexis_threatmetrix_required_to_verify: false ################################################################### lockout_period_in_minutes: 10 log_to_stdout: false diff --git a/lib/identity_config.rb b/lib/identity_config.rb index a220726bad6..2f44fe7d057 100644 --- a/lib/identity_config.rb +++ b/lib/identity_config.rb @@ -224,6 +224,7 @@ def self.build_store(config_map) config.add(:lexisnexis_threatmetrix_mock_enabled, type: :boolean) config.add(:lexisnexis_threatmetrix_org_id, type: :string) config.add(:lexisnexis_threatmetrix_policy, type: :string) + config.add(:lexisnexis_threatmetrix_required_to_verify, type: :boolean) config.add(:lexisnexis_threatmetrix_timeout, type: :float) config.add(:liveness_checking_enabled, type: :boolean) config.add(:lockout_period_in_minutes, type: :integer) From af512f5ea9649c83a64b22599647e1d9d94ddee4 Mon Sep 17 00:00:00 2001 From: Steve Urciuoli Date: Mon, 22 Aug 2022 23:47:16 -0500 Subject: [PATCH 2/7] changelog: Upcoming Features, Identity verification, Make sure ThreatMetrix failure results in disabled account From 8c8815848167749f37abf5b1d8c7627e9db0f3b0 Mon Sep 17 00:00:00 2001 From: Steve Urciuoli Date: Tue, 23 Aug 2022 10:35:05 -0500 Subject: [PATCH 3/7] Spec --- app/forms/api/profile_creation_form.rb | 2 +- spec/forms/api/profile_creation_form_spec.rb | 27 ++++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/app/forms/api/profile_creation_form.rb b/app/forms/api/profile_creation_form.rb index 62565e8fc33..213da866366 100644 --- a/app/forms/api/profile_creation_form.rb +++ b/app/forms/api/profile_creation_form.rb @@ -180,7 +180,7 @@ def threatmetrix_failed_and_needs_review? return unless IdentityConfig.store.lexisnexis_threatmetrix_enabled component = ProofingComponent.find_by(user: user) return true unless component - !(component.threatmetrix_enabled && component.threatmetrix_review_status == 'pass') + !(component.threatmetrix && component.threatmetrix_review_status == 'pass') end end end diff --git a/spec/forms/api/profile_creation_form_spec.rb b/spec/forms/api/profile_creation_form_spec.rb index 7c1330ca326..22e3a009501 100644 --- a/spec/forms/api/profile_creation_form_spec.rb +++ b/spec/forms/api/profile_creation_form_spec.rb @@ -109,6 +109,33 @@ end end + context 'with the user failing threatmetrix' do + let(:metadata) do + { + vendor_phone_confirmation: true, + user_phone_confirmation: true, + } + end + before do + ProofingComponent.create( + user: user, + threatmetrix: true, + threatmetrix_review_status: 'review', + ) + allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_enabled).and_return(true) + allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_required_to_verify). + and_return(true) + end + + it 'sets profile to pending threatmetrix review' do + subject.submit + profile = user.profiles.first + + expect(profile.active?).to be false + expect(profile.deactivation_reason).to eq('threatmetrix_review_pending') + end + end + context 'with the user having verified their address via GPO letter' do let(:metadata) do { From 2b1bd8eec1bce15d75ddabb35433afb5147b93c4 Mon Sep 17 00:00:00 2001 From: Steve Urciuoli Date: Tue, 23 Aug 2022 10:38:39 -0500 Subject: [PATCH 4/7] More spec --- spec/forms/api/profile_creation_form_spec.rb | 28 +++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/spec/forms/api/profile_creation_form_spec.rb b/spec/forms/api/profile_creation_form_spec.rb index 22e3a009501..7e16a5e94a3 100644 --- a/spec/forms/api/profile_creation_form_spec.rb +++ b/spec/forms/api/profile_creation_form_spec.rb @@ -109,7 +109,7 @@ end end - context 'with the user failing threatmetrix' do + context 'with the user failing threatmetrix and it is required' do let(:metadata) do { vendor_phone_confirmation: true, @@ -136,6 +136,32 @@ end end + context 'with the user failing threatmetrix but it is not required' do + let(:metadata) do + { + vendor_phone_confirmation: true, + user_phone_confirmation: true, + } + end + before do + ProofingComponent.create( + user: user, + threatmetrix: true, + threatmetrix_review_status: 'review', + ) + allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_enabled).and_return(true) + allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_required_to_verify). + and_return(false) + end + + it 'activates profile' do + subject.submit + profile = user.profiles.first + + expect(profile.active?).to be true + end + end + context 'with the user having verified their address via GPO letter' do let(:metadata) do { From 74763e1010ab6515792be397a680cfbca64d9ebe Mon Sep 17 00:00:00 2001 From: Steve Urciuoli Date: Tue, 23 Aug 2022 10:40:51 -0500 Subject: [PATCH 5/7] More spec --- spec/forms/api/profile_creation_form_spec.rb | 26 ++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/spec/forms/api/profile_creation_form_spec.rb b/spec/forms/api/profile_creation_form_spec.rb index 7e16a5e94a3..0dcb433f67c 100644 --- a/spec/forms/api/profile_creation_form_spec.rb +++ b/spec/forms/api/profile_creation_form_spec.rb @@ -162,6 +162,32 @@ end end + context 'with the user passing threatmetrix when it is required' do + let(:metadata) do + { + vendor_phone_confirmation: true, + user_phone_confirmation: true, + } + end + before do + ProofingComponent.create( + user: user, + threatmetrix: true, + threatmetrix_review_status: 'pass', + ) + allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_enabled).and_return(true) + allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_required_to_verify). + and_return(true) + end + + it 'activates profile' do + subject.submit + profile = user.profiles.first + + expect(profile.active?).to be true + end + end + context 'with the user having verified their address via GPO letter' do let(:metadata) do { From b4fad11f076f30b67e429bdd7061ff5fad78fee9 Mon Sep 17 00:00:00 2001 From: Steve Urciuoli Date: Tue, 23 Aug 2022 11:24:03 -0500 Subject: [PATCH 6/7] More specs --- spec/forms/api/profile_creation_form_spec.rb | 25 ++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/spec/forms/api/profile_creation_form_spec.rb b/spec/forms/api/profile_creation_form_spec.rb index 0dcb433f67c..2ac8555e934 100644 --- a/spec/forms/api/profile_creation_form_spec.rb +++ b/spec/forms/api/profile_creation_form_spec.rb @@ -136,6 +136,31 @@ end end + context 'with the user failing threatmetrix and it never ran' do + let(:metadata) do + { + vendor_phone_confirmation: true, + user_phone_confirmation: true, + } + end + before do + ProofingComponent.create( + user: user, + ) + allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_enabled).and_return(true) + allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_required_to_verify). + and_return(true) + end + + it 'sets profile to pending threatmetrix review' do + subject.submit + profile = user.profiles.first + + expect(profile.active?).to be false + expect(profile.deactivation_reason).to eq('threatmetrix_review_pending') + end + end + context 'with the user failing threatmetrix but it is not required' do let(:metadata) do { From 691739f6ee660a8f63110b544c30eb4354ae52a7 Mon Sep 17 00:00:00 2001 From: Steve Urciuoli Date: Tue, 23 Aug 2022 12:47:11 -0500 Subject: [PATCH 7/7] Feature spec --- .../password_confirm_controller_spec.rb | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/spec/controllers/api/verify/password_confirm_controller_spec.rb b/spec/controllers/api/verify/password_confirm_controller_spec.rb index 79141f15f41..8b13bc95d0d 100644 --- a/spec/controllers/api/verify/password_confirm_controller_spec.rb +++ b/spec/controllers/api/verify/password_confirm_controller_spec.rb @@ -267,6 +267,37 @@ def stub_idv_session end end + context 'with threatmetrix required but review status did not pass' do + let(:applicant) { + Idp::Constants::MOCK_IDV_APPLICANT_WITH_PHONE.merge(same_address_as_id: true) + } + let(:stub_idv_session) do + stub_user_with_applicant_data(user, applicant) + end + let(:stub_usps_response) do + stub_request_enroll + end + + before(:each) do + stub_request_token + stub_usps_response + ProofingComponent.create( + user: user, + threatmetrix: true, + threatmetrix_review_status: 'review', + ) + allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_enabled).and_return(true) + allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_required_to_verify). + and_return(true) + end + + it 'creates a disabled profile' do + post :create, params: { password: password, user_bundle_token: jwt } + + expect(user.profiles.last.deactivation_reason).to eq('threatmetrix_review_pending') + end + end + context 'with associated sp session' do before do session[:sp] = { issuer: create(:service_provider).issuer }