RC 219 to Production

Gemfile

@@ -96,7 +96,7 @@ group :development, :test do
   gem 'erb_lint', '~> 0.1.0', require: false
   gem 'i18n-tasks', '>= 0.9.31'
   gem 'knapsack'
-  gem 'nokogiri', '~> 1.13.6'
+  gem 'nokogiri', '~> 1.13.9'
   gem 'parallel_tests'
   gem 'pg_query', require: false
   gem 'pry-byebug'
@@ -113,7 +113,6 @@ end
 group :test do
   gem 'axe-core-rspec', '~> 4.2'
   gem 'bundler-audit', require: false
-  gem 'capybara-selenium', '>= 0.0.6'
   gem 'simplecov', '~> 0.21.0', require: false
   gem 'simplecov-cobertura'
   gem 'simplecov_json_formatter'

Gemfile.lock

@@ -210,9 +210,6 @@ GEM
       rack-test (>= 0.6.3)
       regexp_parser (>= 1.5, < 3.0)
       xpath (~> 3.2)
-    capybara-selenium (0.0.6)
-      capybara
-      selenium-webdriver
     cbor (0.5.9.6)
     childprocess (4.1.0)
     choice (0.2.0)
@@ -425,7 +422,7 @@ GEM
     net-ssh (6.1.0)
     newrelic_rpm (8.8.0)
     nio4r (2.5.8)
-    nokogiri (1.13.8)
+    nokogiri (1.13.9)
       mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
     notiffany (0.1.3)
@@ -742,7 +739,6 @@ DEPENDENCIES
   browser
   bullet (~> 7.0)
   bundler-audit
-  capybara-selenium (>= 0.0.6)
   capybara-webmock!
   connection_pool
   cssbundling-rails
@@ -776,7 +772,7 @@ DEPENDENCIES
   multiset
   net-sftp
   newrelic_rpm (~> 8.0)
-  nokogiri (~> 1.13.6)
+  nokogiri (~> 1.13.9)
   octokit (>= 4.25.0)
   parallel_tests
   pg

README.md

@@ -198,11 +198,6 @@ $ bundle install
 $ yarn install
 ```
 
-#### I am receiving errors related to Capybara in feature tests
-You may need to install _chromedriver_ or your chromedriver may be the wrong version (`$ which chromedriver && chromedriver --version`).
-
-chromedriver can be installed using [Homebrew](https://formulae.brew.sh/cask/chromedriver) or [direct download](https://chromedriver.chromium.org/downloads). The version of chromedriver should correspond to the version of Chrome you have installed `(Chrome > About Google Chrome)`; if installing via Homebrew, make sure the versions match up.
-
 #### I am receiving errors when creating the development and test databases
 
 If you receive the following error (where _whoami_ == _your username_):
@@ -222,16 +217,60 @@ $ createdb `whoami`
 $ make test_serial
 ```
 
-##### Errors related to too many _open files_
+##### Errors related to Capybara in feature tests
+You may need to install _chromedriver_ or your chromedriver may be the wrong version (`$ which chromedriver && chromedriver --version`).
+
+chromedriver can be installed using [Homebrew](https://formulae.brew.sh/cask/chromedriver) or [direct download](https://chromedriver.chromium.org/downloads). The version of chromedriver should correspond to the version of Chrome you have installed `(Chrome > About Google Chrome)`; if installing via Homebrew, make sure the versions match up. After your system recieves an automatic Chrome browser update you may have to upgrade (or reinstall) chromedriver.
+
+If `chromedriver -v` does not work you may have to [allow it](https://stackoverflow.com/questions/60362018/macos-catalinav-10-15-3-error-chromedriver-cannot-be-opened-because-the-de) with `xattr`.
+
+##### Errors related to _too many open files_
 You may receive connection errors similar to the following:
 
 `Failed to open TCP connection to 127.0.0.1:9515 (Too many open files - socket(2) for "127.0.0.1" port 9515)`
 
-Running the following, _prior_ to running tests, may solve the problem:
+You are encountering you OS's [limits on allowed file descriptors](https://wilsonmar.github.io/maximum-limits/). Check the limits with both:
+* `ulimit -n`
+* `launchctl limit maxfiles`
+
+Try this to increase the user limit:
 ```
 $ ulimit -Sn 65536 && make test
 ```
 To set this _permanently_, add the following to your `~/.zshrc` or `~/.bash_profile` file, depending on your shell:
 ```
 ulimit -Sn 65536
 ```
+
+If you are running MacOS, you may find it is not taking your revised ulimit seriously. [You must insist.](https://medium.com/mindful-technology/too-many-open-files-limit-ulimit-on-mac-os-x-add0f1bfddde) Run this command to edit a property list file:
+```
+sudo nano /Library/LaunchDaemons/limit.maxfiles.plist
+```
+Paste the following contents into the text editor:
+```
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
+          "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>Label</key>
+    <string>limit.maxfiles</string>
+    <key>ProgramArguments</key>
+    <array>
+      <string>launchctl</string>
+      <string>limit</string>
+      <string>maxfiles</string>
+      <string>524288</string>
+      <string>524288</string>
+    </array>
+    <key>RunAtLoad</key>
+    <true/>
+    <key>ServiceIPC</key>
+    <false/>
+  </dict>
+</plist>
+
+```
+Use Control+X to save the file.
+
+Restart your Mac to cause the .plist to take effect. Check the limits again and you should see both `ulimit -n` and `launchctl limit maxfiles` return a limit of 524288.

app/assets/stylesheets/components/_click-observer.scss

@@ -0,0 +1,3 @@
+lg-click-observer {
+  display: contents;
+}

app/assets/stylesheets/components/all.scss

@@ -4,6 +4,7 @@
 @import 'block-link';
 @import 'btn';
 @import 'card';
+@import 'click-observer';
 @import 'container';
 @import 'file-input';
 @import 'form-steps';

app/components/click_observer_component.rb

@@ -0,0 +1,12 @@
+class ClickObserverComponent < BaseComponent
+  attr_reader :event_name, :tag_options
+
+  def initialize(event_name:, **tag_options)
+    @event_name = event_name
+    @tag_options = tag_options
+  end
+
+  def call
+    content_tag(:'lg-click-observer', content, 'event-name': @event_name, **tag_options)
+  end
+end

app/components/click_observer_component.ts

@@ -0,0 +1 @@
+import '@18f/identity-analytics/click-observer-element';

app/components/download_button_component.rb

@@ -0,0 +1,29 @@
+class DownloadButtonComponent < ButtonComponent
+  attr_reader :file_data, :file_name, :tag_options
+
+  def initialize(file_data:, file_name:, **tag_options)
+    super(
+      icon: :file_download,
+      action: ->(**tag_options, &block) do
+        link_to(
+          "data:text/plain;charset=utf-8,#{CGI.escape(file_data)}",
+          download: file_name,
+          **tag_options,
+          &block
+        )
+      end,
+      **tag_options,
+    )
+
+    @file_data = file_data
+    @file_name = file_name
+  end
+
+  def call
+    content_tag(:'lg-download-button', super)
+  end
+
+  def content
+    super || t('components.download_button.label')
+  end
+end

app/components/download_button_component.ts

@@ -0,0 +1 @@
+import '@18f/identity-download-button/download-button-element';

app/controllers/concerns/idv_session.rb

@@ -14,6 +14,7 @@ def confirm_idv_session_started
   def confirm_idv_needed
     return if effective_user.active_profile.blank? ||
               decorated_session.requested_more_recent_verification? ||
+              effective_user.decorate.reproof_for_irs?(service_provider: current_sp) ||
               strict_ial2_upgrade_required?
 
     redirect_to idv_activated_url

app/controllers/concerns/saml_idp_auth_concern.rb

@@ -115,7 +115,9 @@ def link_identity_from_session_data
   end
 
   def identity_needs_verification?
-    ial2_requested? && current_user.decorate.identity_not_verified?
+    ial2_requested? &&
+      (current_user.decorate.identity_not_verified? ||
+       current_user.decorate.reproof_for_irs?(service_provider: current_sp))
   end
 
   def_delegators :ial_context, :ial2_requested?

app/controllers/frontend_log_controller.rb

@@ -17,6 +17,7 @@ class FrontendLogController < ApplicationController
     'IdV: Native camera forced after failed attempts' => :idv_native_camera_forced,
     'Multi-Factor Authentication: download backup code' => :multi_factor_auth_backup_code_download,
     'Show Password button clicked' => :show_password_button_clicked,
+    'IdV: personal key acknowledgment toggled' => :idv_personal_key_acknowledgment_toggled,
   }.transform_values { |method| AnalyticsEvents.instance_method(method) }.freeze
   # rubocop:enable Layout/LineLength
 

app/controllers/idv/gpo_controller.rb

@@ -50,7 +50,7 @@ def update_tracking
       irs_attempts_api_tracker.idv_gpo_letter_requested(resend: resend_requested?)
       create_user_event(:gpo_mail_sent, current_user)
 
-      ProofingComponent.create_or_find_by(user: current_user).update(address_check: 'gpo_letter')
+      ProofingComponent.find_or_create_by(user: current_user).update(address_check: 'gpo_letter')
     end
 
     def resend_requested?

app/controllers/idv/inherited_proofing_controller.rb

@@ -1,5 +1,7 @@
 module Idv
   class InheritedProofingController < ApplicationController
+    before_action :confirm_two_factor_authenticated
+
     include Flow::FlowStateMachine
     include IdvSession
     include InheritedProofing404Concern
@@ -15,5 +17,9 @@ class InheritedProofingController < ApplicationController
     def return_to_sp
       redirect_to return_to_sp_failure_to_proof_url(step: next_step, location: params[:location])
     end
+
+    # for errors/no_information
+    def no_information
+    end
   end
 end

app/controllers/idv/personal_key_controller.rb

@@ -43,7 +43,7 @@ def confirm_profile_has_been_created
     end
 
     def add_proofing_component
-      ProofingComponent.create_or_find_by(user: current_user).update(verified_at: Time.zone.now)
+      ProofingComponent.find_or_create_by(user: current_user).update(verified_at: Time.zone.now)
     end
 
     def finish_idv_session

app/controllers/idv_controller.rb

@@ -7,7 +7,8 @@ class IdvController < ApplicationController
   before_action :profile_needs_reactivation?, only: [:index]
 
   def index
-    if decorated_session.requested_more_recent_verification?
+    if decorated_session.requested_more_recent_verification? ||
+       current_user.decorate.reproof_for_irs?(service_provider: current_sp)
       verify_identity
     elsif active_profile? && !strict_ial2_upgrade_required?
       redirect_to idv_activated_url

app/controllers/openid_connect/authorization_controller.rb

@@ -100,6 +100,7 @@ def identity_needs_verification?
       ((@authorize_form.ial2_requested? || @authorize_form.ial2_strict_requested?) &&
         (current_user.decorate.identity_not_verified? ||
         decorated_session.requested_more_recent_verification?)) ||
+        current_user.decorate.reproof_for_irs?(service_provider: current_sp) ||
         identity_needs_strict_ial2_verification?
     end
 

app/decorators/user_decorator.rb

@@ -57,8 +57,13 @@ def identity_not_verified?
     !identity_verified?
   end
 
-  def identity_verified?
-    user.active_profile.present?
+  def identity_verified?(service_provider: nil)
+    user.active_profile.present? && !reproof_for_irs?(service_provider: service_provider)
+  end
+
+  def reproof_for_irs?(service_provider:)
+    service_provider&.irs_attempts_api_enabled &&
+      !user.active_profile&.initiating_service_provider&.irs_attempts_api_enabled
   end
 
   def active_profile_newer_than_pending_profile?

app/helpers/csp_helper.rb

@@ -0,0 +1,11 @@
+module CspHelper
+  def add_document_capture_image_urls_to_csp(request, urls)
+    cleaned_urls = urls.compact.map do |url|
+      URI(url).tap { |uri| uri.query = nil }.to_s
+    end
+
+    policy = request.content_security_policy.clone
+    policy.connect_src(*policy.connect_src, *cleaned_urls)
+    request.content_security_policy = policy
+  end
+end

app/javascript/app/components/index.js

@@ -1,8 +1,8 @@
-import { accordion, banner, navigation, skipnav } from 'identity-style-guide';
+import { accordion, banner, skipnav } from 'identity-style-guide';
 import Modal from './modal';
 
 window.LoginGov = window.LoginGov || {};
 window.LoginGov.Modal = Modal;
 
-const components = [accordion, banner, navigation, skipnav];
+const components = [accordion, banner, skipnav];
 components.forEach((component) => component.on());