diff --git a/app/controllers/openid_connect/authorization_controller.rb b/app/controllers/openid_connect/authorization_controller.rb index 8a203fe3d70..1c405a0047f 100644 --- a/app/controllers/openid_connect/authorization_controller.rb +++ b/app/controllers/openid_connect/authorization_controller.rb @@ -97,15 +97,10 @@ def track_authorize_analytics(result) end def identity_needs_verification? - ((@authorize_form.ial2_requested? || @authorize_form.ial2_strict_requested?) && + (@authorize_form.ial2_requested? && (current_user.decorate.identity_not_verified? || decorated_session.requested_more_recent_verification?)) || - current_user.decorate.reproof_for_irs?(service_provider: current_sp) || - identity_needs_strict_ial2_verification? - end - - def identity_needs_strict_ial2_verification? - @authorize_form.ial2_strict_requested? && !current_user.active_profile&.strict_ial2_proofed? + current_user.decorate.reproof_for_irs?(service_provider: current_sp) end def build_authorize_form_from_params diff --git a/app/forms/openid_connect_authorize_form.rb b/app/forms/openid_connect_authorize_form.rb index 6b540df4fd6..732d20264dd 100644 --- a/app/forms/openid_connect_authorize_form.rb +++ b/app/forms/openid_connect_authorize_form.rb @@ -41,7 +41,6 @@ class OpenidConnectAuthorizeForm validate :validate_prompt validate :validate_verified_within_format validate :validate_verified_within_duration - validate :validate_liveness_checking_enabled_if_ial2_strict_requested def initialize(params) @acr_values = parse_to_values(params[:acr_values], Saml::Idp::Constants::VALID_AUTHN_CONTEXTS) @@ -109,8 +108,7 @@ def ial def_delegators :ial_context, :ial2_or_greater?, - :ial2_requested?, - :ial2_strict_requested? + :ial2_requested? private 
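Review bot: Removing `ial2_strict_requested?` from `identity_needs_verification?` means an SP that still sends the strict-IAL2 ACR value is no longer steered into re-proofing, and nothing in this diff shows that value being dropped from `Saml::Idp::Constants::VALID_AUTHN_CONTEXTS` (still passed to `parse_to_values` in the form hunk) or from `IalContext`, so whether such a request is now rejected or silently treated as plain IAL2 cannot be confirmed here. The deleted `feature_flag_spec.rb` was the only visible test exercising `visit_idp_from_oidc_sp_with_ial2_strict`, and no replacement asserting that the strict value now yields `no_valid_acr_values` is added. Please confirm the constant and `IalContext` no longer accept the strict value so a request for a higher assurance level fails closed rather than falling through to IAL2, and add a request spec pinning that. A one-line comment above the method would help the next reader: `# Strict IAL2 (liveness) is no longer a distinct assurance level; strict ACR values must be rejected by the form, never downgraded to IAL2.`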
@@ -249,12 +247,4 @@ def validate_privileges
       )
     end
   end
-
-  def validate_liveness_checking_enabled_if_ial2_strict_requested
-    return if !ial2_strict_requested? || FeatureManagement.liveness_checking_enabled?
-    errors.add(
-      :acr_values, t('openid_connect.authorization.errors.liveness_checking_disabled'),
-      type: :liveness_checking_disabled
-    )
-  end
 end
diff --git a/config/locales/openid_connect/en.yml b/config/locales/openid_connect/en.yml
index c1e85e47030..3c68137adbd 100644
--- a/config/locales/openid_connect/en.yml
+++ b/config/locales/openid_connect/en.yml
@@ -8,7 +8,6 @@ en:
           one: value must be at least %{count} day or older
           other: value must be at least %{count} days or older
         invalid_verified_within_format: Unrecognized format for verified_within
-        liveness_checking_disabled: Liveness checking is disabled
         missing_ial: Missing a valid IAL level
         no_auth: The acr_values are not authorized
         no_valid_acr_values: No acceptable acr_values found
diff --git a/config/locales/openid_connect/es.yml b/config/locales/openid_connect/es.yml
index a973dd12b0f..85af76ffbbc 100644
--- a/config/locales/openid_connect/es.yml
+++ b/config/locales/openid_connect/es.yml
@@ -8,7 +8,6 @@ es:
           one: el valor debe ser al menos %{count} día o más
           other: el valor debe tener al menos %{count} días o más
         invalid_verified_within_format: Formato no reconocido para verified_within
-        liveness_checking_disabled: La verificación de la vida está deshabilitada
         missing_ial: Falta un nivel de IAL válido
         no_auth: Los acr_values no están autorizados
         no_valid_acr_values: ial_valores encontrados no aceptables
diff --git a/config/locales/openid_connect/fr.yml b/config/locales/openid_connect/fr.yml
index f502226dac8..2d8f7eefe24 100644
--- a/config/locales/openid_connect/fr.yml
+++ b/config/locales/openid_connect/fr.yml
@@ -8,7 +8,6 @@ fr:
           one: la valeur doit être d’au moins %{count} jour ou plus
           other: la valeur doit être d’au moins %{count} jours ou plus
         invalid_verified_within_format: Format non reconnu pour verified_within
-        liveness_checking_disabled: La vérification de la vivacité est désactivée
         missing_ial: Manque un niveau IAL valide
         no_auth: Les acr_values ne sont pas autorisées
         no_valid_acr_values: Valeurs acr_values inacceptables trouvées
diff --git a/spec/features/idv/strict_ial2/feature_flag_spec.rb b/spec/features/idv/strict_ial2/feature_flag_spec.rb
deleted file mode 100644
index 15c5f4f1629..00000000000
--- a/spec/features/idv/strict_ial2/feature_flag_spec.rb
+++ /dev/null
@@ -1,17 +0,0 @@
-require 'rails_helper'
-
-describe 'Strict IAL2 feature flag' do
-  include IdvHelper
-  include OidcAuthHelper
-
-  scenario 'returns an error if liveness checking is disabled' do
-    allow(IdentityConfig.store).to receive(:liveness_checking_enabled).and_return(false)
-
-    visit_idp_from_oidc_sp_with_ial2_strict
-
-    expect(current_url).to start_with(
-      'http://localhost:7654/auth/result?error=invalid_request'\
-      '&error_description=Acr+values+Liveness+checking+is+disabled',
-    )
-  end
-end
diff --git a/spec/features/idv/strict_ial2/upgrade_spec.rb b/spec/features/idv/strict_ial2/upgrade_spec.rb
deleted file mode 100644
index 43c10d14c53..00000000000
--- a/spec/features/idv/strict_ial2/upgrade_spec.rb
+++ /dev/null
@@ -1,58 +0,0 @@
-require 'rails_helper'
-
-feature 'Strict IAL2 upgrade', js: true do
-  include IdvHelper
-  include OidcAuthHelper
-  include SamlAuthHelper
-  include DocAuthHelper
-
-  before { allow(IdentityConfig.store).to receive(:liveness_checking_enabled).and_return(true) }
-
-  context 'strict IAL2 does not allow a phone check' do
-    before do
-      allow(IdentityConfig.store).to receive(
-        :gpo_allowed_for_strict_ial2,
-      ).and_return(false)
-    end
-
-    scenario 'an IAL2 strict request for a user without a phone check triggers an upgrade' do
-      user = create(
-        :profile, :active, :verified,
-        pii: { first_name: 'John', ssn: '111223333' },
-        proofing_components: { liveness_check: :acuant, address_check: :gpo_letter }
-      ).user
-      visit_idp_from_oidc_sp_with_ial2_strict
-      sign_in_user(user)
-      fill_in_code_with_last_phone_otp
-      click_submit_default
-      click_agree_and_continue_optional
-
-      expect(page.current_path).to eq(idv_doc_auth_welcome_step)
-
-      complete_all_doc_auth_steps_before_password_step
-      fill_in 'Password', with: user.password
-      click_continue
-      acknowledge_and_confirm_personal_key
-      click_agree_and_continue
-
-      expect(current_url).to start_with('http://localhost:7654/auth/result')
-      expect(user.active_profile.strict_ial2_proofed?).to be_truthy
-    end
-
-    scenario 'an IAL2 strict request for a user with a phone check does not trigger an upgrade' do
-      user = create(
-        :profile, :active, :verified,
-        pii: { first_name: 'John', ssn: '111223333' },
-        proofing_components: { liveness_check: :acuant, address_check: :lexis_nexis_address }
-      ).user
-      visit_idp_from_oidc_sp_with_ial2_strict
-      sign_in_user(user)
-      fill_in_code_with_last_phone_otp
-      click_submit_default
-      click_agree_and_continue
-
-      expect(current_url).to start_with('http://localhost:7654/auth/result')
-      expect(user.active_profile.strict_ial2_proofed?).to be_truthy
-    end
-  end
-end
diff --git a/spec/features/idv/strict_ial2/usps_upload_disallowed_spec.rb b/spec/features/idv/strict_ial2/usps_upload_disallowed_spec.rb
deleted file mode 100644
index a8adef0377d..00000000000
--- a/spec/features/idv/strict_ial2/usps_upload_disallowed_spec.rb
+++ /dev/null
@@ -1,75 +0,0 @@
-require 'rails_helper'
-
-feature 'Strict IAL2 with usps upload disallowed', js: true do
-  include IdvHelper
-  include OidcAuthHelper
-  include IdvHelper
-  include IdvStepHelper
-
-  before do
-    allow(IdentityConfig.store).to receive(:liveness_checking_enabled).and_return(true)
-    allow(IdentityConfig.store).to receive(
-      :gpo_allowed_for_strict_ial2,
-    ).and_return(false)
-  end
-
-  it 'does not allow the user to select the letter flow during proofing' do
-    user = create(:user, :signed_up)
-    visit_idp_from_oidc_sp_with_ial2_strict
-    sign_in_user(user)
-    fill_in_code_with_last_phone_otp
-    click_submit_default
-    complete_idv_steps_before_phone_step
-
-    # Link is not present on the phone page
-    expect(page).to_not have_content(t('idv.troubleshooting.options.verify_by_mail'))
-
-    # Link is not present on the OTP delivery selection page
-    fill_out_phone_form_ok('7032231234')
-    click_idv_continue
-    expect(page).to_not have_content(t('idv.troubleshooting.options.verify_by_mail'))
-
-    # Link is not visible on the OTP entry page
-    choose_idv_otp_delivery_method_sms
-    expect(page).to_not have_content(t('idv.troubleshooting.options.verify_by_mail'))
-
-    # Link is not visible on error or warning page
-    visit idv_phone_errors_warning_path
-    expect(page).to_not have_content(t('idv.troubleshooting.options.verify_by_mail'))
-    visit idv_phone_errors_jobfail_path
-    expect(page).to_not have_content(t('idv.troubleshooting.options.verify_by_mail'))
-    visit idv_phone_errors_timeout_path
-    expect(page).to_not have_content(t('idv.troubleshooting.options.verify_by_mail'))
-    visit idv_phone_errors_failure_path
-    expect(page).to_not have_content(t('idv.troubleshooting.options.verify_by_mail'))
-
-    # Visiting the GPO page redirects
-    visit idv_gpo_path
-    expect(current_path).to eq(idv_phone_path)
-  end
-
-  it 'does not prompt a pending user for a mailed code' do
-    user = create(
-      :profile,
-      deactivation_reason: :gpo_verification_pending,
-      pii: { first_name: 'John', ssn: '111223333' },
-    ).user
-
-    visit_idp_from_oidc_sp_with_ial2_strict
-    sign_in_user(user)
-    fill_in_code_with_last_phone_otp
-    click_submit_default
-
-    # Directed to the start of the proofing flow instead of GPO code verification
-    expect(current_path).to eq(idv_doc_auth_step_path(step: :welcome))
-
-    complete_all_doc_auth_steps_before_password_step
-    fill_in 'Password', with: user.password
-    click_continue
-    acknowledge_and_confirm_personal_key
-    click_agree_and_continue
-
-    expect(current_url).to start_with('http://localhost:7654/auth/result')
-    expect(user.active_profile.strict_ial2_proofed?).to be_truthy
-  end
-end