Deploy RC 226 to Production

Gemfile.lock

@@ -418,7 +418,7 @@ GEM
       net-protocol
       timeout
     net-ssh (6.1.0)
-    newrelic_rpm (8.8.0)
+    newrelic_rpm (8.12.0)
     nio4r (2.5.8)
     nokogiri (1.13.9)
       mini_portile2 (~> 2.8.0)

app/assets/stylesheets/components/_password-toggle.scss

@@ -1,22 +1,12 @@
 lg-password-toggle {
   display: block;
-  position: relative;
 
-  &.password-toggle--toggle-top .password-toggle__toggle-label {
-    @include u-pin-right;
-    top: -24px;
+  .validated-field__input-wrapper {
+    margin-bottom: 0;
   }
-
-  &.password-toggle--toggle-bottom .validated-field__input-wrapper {
-    margin-bottom: units(2);
-  }
-}
-
-.password-toggle__toggle-wrapper {
-  display: flex;
-  justify-content: end;
 }
 
 .password-toggle__toggle-label.usa-checkbox__label {
   @include u-margin-y(0);
+  @include u-padding-y(1);
 }

app/components/password_toggle_component.html.erb

@@ -1,27 +1,25 @@
-<%= content_tag(:'lg-password-toggle', class: css_class) do %>
+<%= content_tag(:'lg-password-toggle', **tag_options) do %>
   <%= render ValidatedFieldComponent.new(
         form: form,
         name: :password,
         type: :password,
-        label: label,
+        label: default_label,
         **field_options,
         input_html: field_options[:input_html].to_h.merge(
           id: input_id,
           class: ['password-toggle__input', *field_options.dig(:input_html, :class)],
         ),
       ) %>
-  <div class="password-toggle__toggle-wrapper js">
-    <input
-      id="<%= toggle_id %>"
-      type="checkbox"
-      class="usa-checkbox__input usa-checkbox__input--bordered password-toggle__toggle"
-      aria-controls="<%= input_id %>"
-    >
-    <label
-      for="<%= toggle_id %>"
-      class="usa-checkbox__label password-toggle__toggle-label"
-    >
-      <%= toggle_label %>
-    </label>
-  </div>
+  <input
+    id="<%= toggle_id %>"
+    type="checkbox"
+    class="usa-checkbox__input password-toggle__toggle"
+    aria-controls="<%= input_id %>"
+  >
+  <label
+    for="<%= toggle_id %>"
+    class="usa-checkbox__label password-toggle__toggle-label"
+  >
+    <%= toggle_label %>
+  </label>
 <% end %>

app/components/password_toggle_component.rb

@@ -1,25 +1,21 @@
 class PasswordToggleComponent < BaseComponent
-  attr_reader :form, :label, :toggle_label, :toggle_position, :field_options
+  attr_reader :form, :label, :toggle_label, :field_options, :tag_options
 
   def initialize(
     form:,
-    label: t('components.password_toggle.label'),
     toggle_label: t('components.password_toggle.toggle_label'),
-    toggle_position: :top,
-    **field_options
+    field_options: {},
+    **tag_options
   )
     @form = form
     @label = label
     @toggle_label = toggle_label
-    @toggle_position = toggle_position
     @field_options = field_options
+    @tag_options = tag_options
   end
 
-  def css_class
-    classes = []
-    classes << 'password-toggle--toggle-top' if toggle_position == :top
-    classes << 'password-toggle--toggle-bottom' if toggle_position == :bottom
-    classes
+  def default_label
+    t('components.password_toggle.label')
   end
 
   def toggle_id

app/controllers/api/irs_attempts_api_controller.rb

@@ -23,7 +23,8 @@ def create
 
         headers['X-Payload-Key'] = Base64.strict_encode64(result.encrypted_key)
         headers['X-Payload-IV'] = Base64.strict_encode64(result.iv)
-        send_data Base64.strict_encode64(result.encrypted_data),
+
+        send_data result.encrypted_data,
                   disposition: "filename=#{result.filename}"
       else
         render json: { status: :unprocessable_entity, description: 'Invalid timestamp parameter' },
@@ -42,25 +43,21 @@ def authenticate_client
       end
     end
 
+    # @return [Array<String>] JWE strings
     def security_event_tokens
-      return {} unless timestamp
+      return [] unless timestamp
 
       events = redis_client.read_events(timestamp: timestamp)
-      sets = {}
-      events.each_pair do |k, v|
-        key_id, jti = k.split(':')
-        sets[jti] = { key_id => v }
-      end
-      sets
+      events.values
     end
 
     def encrypted_security_event_log_result
-      json = security_event_tokens.to_json
+      events = security_event_tokens.join("\r\n")
       decoded_key_der = Base64.strict_decode64(IdentityConfig.store.irs_attempt_api_public_key)
       pub_key = OpenSSL::PKey::RSA.new(decoded_key_der)
 
       IrsAttemptsApi::EnvelopeEncryptor.encrypt(
-        data: json, timestamp: timestamp, public_key: pub_key,
+        data: events, timestamp: timestamp, public_key: pub_key,
       )
     end
 
@@ -74,7 +71,7 @@ def valid_auth_tokens
 
     def analytics_properties
       {
-        rendered_event_count: security_event_tokens.keys.count,
+        rendered_event_count: security_event_tokens.count,
         timestamp: timestamp&.iso8601,
         success: timestamp.present?,
       }
@@ -84,7 +81,9 @@ def timestamp
       timestamp_param = params.permit(:timestamp)[:timestamp]
       return nil if timestamp_param.nil?
 
-      Time.strptime(timestamp_param, '%Y-%m-%dT%H:%M:%S%z')
+      date_fmt = timestamp_param.include?('.') ? '%Y-%m-%dT%H:%M:%S.%N%z' : '%Y-%m-%dT%H:%M:%S%z'
+
+      Time.strptime(timestamp_param, date_fmt)
     rescue ArgumentError
       nil
     end

app/controllers/concerns/billable_event_trackable.rb

@@ -3,22 +3,13 @@ def track_billing_events
     if current_session_has_been_billed?
       create_sp_return_log(billable: false)
     else
-      increment_sp_monthly_auths
       create_sp_return_log(billable: true)
       mark_current_session_billed
     end
   end
 
   private
 
-  def increment_sp_monthly_auths
-    MonthlySpAuthCount.increment(
-      user_id: current_user.id,
-      service_provider: current_sp,
-      ial: sp_session_ial,
-    )
-  end
-
   def create_sp_return_log(billable:)
     user_ial_context = IalContext.new(
       ial: ial_context.ial, service_provider: current_sp, user: current_user,

app/controllers/concerns/two_factor_authenticatable_methods.rb

@@ -223,10 +223,10 @@ def phone_confirmed
   end
 
   def send_phone_added_email
-    event = create_user_event_with_disavowal(:phone_added, current_user)
+    _event, disavowal_token = create_user_event_with_disavowal(:phone_added, current_user)
     current_user.confirmed_email_addresses.each do |email_address|
       UserMailer.with(user: current_user, email_address: email_address).
-        phone_added(disavowal_token: event.disavowal_token).deliver_now_or_later
+        phone_added(disavowal_token: disavowal_token).deliver_now_or_later
     end
   end
 

app/controllers/concerns/unconfirmed_user_concern.rb

@@ -35,12 +35,12 @@ def track_user_already_confirmed_event
   def stop_if_invalid_token
     result = email_confirmation_token_validator.submit
     analytics.user_registration_email_confirmation(**result.to_h)
+    return if result.success?
     irs_attempts_api_tracker.user_registration_email_confirmation(
       email: @email_address&.email,
-      success: result.success?,
+      success: false,
       failure_reason: irs_attempts_api_tracker.parse_failure_reason(result),
     )
-    return if result.success?
     process_unsuccessful_confirmation
   end
 

app/controllers/idv/gpo_verify_controller.rb

@@ -42,12 +42,12 @@ def create
           if result.extra[:pending_in_person_enrollment]
             redirect_to idv_in_person_ready_to_verify_url
           else
-            event = create_user_event_with_disavowal(:account_verified)
+            event, disavowal_token = create_user_event_with_disavowal(:account_verified)
             UserAlerts::AlertUserAboutAccountVerified.call(
               user: current_user,
               date_time: event.created_at,
               sp_name: decorated_session.sp_name,
-              disavowal_token: event.disavowal_token,
+              disavowal_token: disavowal_token,
             )
             flash[:success] = t('account.index.verification.success')
             redirect_to sign_up_completed_url

app/controllers/idv/in_person/address_search_controller.rb

@@ -0,0 +1,31 @@
+module Idv
+  module InPerson
+    class AddressSearchController < ApplicationController
+      include RenderConditionConcern
+
+      check_or_render_not_found -> { IdentityConfig.store.arcgis_search_enabled }
+
+      def index
+        render json: addresses
+      end
+
+      protected
+
+      def addresses
+        suggestion = geocoder.suggest(permitted_params[:address]).first
+        return [] unless suggestion
+        geocoder.find_address_candidates(suggestion.magic_key).slice(0, 1)
+      rescue Faraday::ConnectionFailed
+        []
+      end
+
+      def geocoder
+        @geocoder ||= ArcgisApi::Geocoder.new
+      end
+
+      def permitted_params
+        params.permit(:address)
+      end
+    end
+  end
+end

app/controllers/idv/review_controller.rb

@@ -96,12 +96,12 @@ def init_profile
       end
 
       if idv_session.profile.active?
-        event = create_user_event_with_disavowal(:account_verified)
+        event, disavowal_token = create_user_event_with_disavowal(:account_verified)
         UserAlerts::AlertUserAboutAccountVerified.call(
           user: current_user,
           date_time: event.created_at,
           sp_name: decorated_session.sp_name,
-          disavowal_token: event.disavowal_token,
+          disavowal_token: disavowal_token,
         )
       end
     end

app/controllers/sign_up/email_confirmations_controller.rb

@@ -21,6 +21,11 @@ def clear_setup_piv_cac_from_sign_in
 
     def process_successful_confirmation
       process_valid_confirmation_token
+      irs_attempts_api_tracker.user_registration_email_confirmation(
+        email: @email_address&.email,
+        success: true,
+        failure_reason: nil,
+      )
       request_id = params.fetch(:_request_id, '')
       redirect_to sign_up_enter_password_url(
         request_id: request_id, confirmation_token: @confirmation_token,

app/controllers/two_factor_authentication/personal_key_verification_controller.rb

@@ -35,19 +35,17 @@ def presenter_for_two_factor_authentication_method
 
     def handle_result(result)
       if result.success?
-        event = create_user_event_with_disavowal(:personal_key_used)
-        alert_user_about_personal_key_sign_in(event)
+        _event, disavowal_token = create_user_event_with_disavowal(:personal_key_used)
+        alert_user_about_personal_key_sign_in(disavowal_token)
         generate_new_personal_key_for_verified_users_otherwise_retire_the_key_and_ensure_two_mfa
         handle_valid_otp
       else
         handle_invalid_otp(context: context, type: 'personal_key')
       end
     end
 
-    def alert_user_about_personal_key_sign_in(event)
-      response = UserAlerts::AlertUserAboutPersonalKeySignIn.call(
-        current_user, event.disavowal_token
-      )
+    def alert_user_about_personal_key_sign_in(disavowal_token)
+      response = UserAlerts::AlertUserAboutPersonalKeySignIn.call(current_user, disavowal_token)
       analytics.personal_key_alert_about_sign_in(**response.to_h)
     end
 

app/controllers/users/passwords_controller.rb

@@ -56,8 +56,8 @@ def send_password_reset_risc_event
     end
 
     def create_event_and_notify_user_about_password_change
-      event = create_user_event_with_disavowal(:password_changed)
-      UserAlerts::AlertUserAboutPasswordChange.call(current_user, event.disavowal_token)
+      _event, disavowal_token = create_user_event_with_disavowal(:password_changed)
+      UserAlerts::AlertUserAboutPasswordChange.call(current_user, disavowal_token)
     end
 
     def handle_invalid_password

app/controllers/users/reset_passwords_controller.rb

@@ -149,8 +149,8 @@ def handle_unsuccessful_password_reset(result)
     end
 
     def create_reset_event_and_send_notification
-      event = create_user_event_with_disavowal(:password_changed, resource)
-      UserAlerts::AlertUserAboutPasswordChange.call(resource, event.disavowal_token)
+      _event, disavowal_token = create_user_event_with_disavowal(:password_changed, resource)
+      UserAlerts::AlertUserAboutPasswordChange.call(resource, disavowal_token)
     end
 
     def user_params

app/decorators/user_decorator.rb

@@ -62,8 +62,8 @@ def identity_verified?(service_provider: nil)
   end
 
   def reproof_for_irs?(service_provider:)
-    return false unless user.active_profile.present?
     return false unless service_provider&.irs_attempts_api_enabled
+    return false unless user.active_profile.present?
     !user.active_profile.initiating_service_provider&.irs_attempts_api_enabled
   end
 

app/jobs/irs_attempts_events_batch_job.rb

@@ -0,0 +1,30 @@
+class IrsAttemptsEventsBatchJob < ApplicationJob
+  queue_as :default
+
+  def perform(timestamp: Time.zone.now - 1.hour, dir_path: './attempts_api_output')
+    return nil unless IdentityConfig.store.irs_attempt_api_enabled
+
+    events = IrsAttemptsApi::RedisClient.new.read_events(timestamp: timestamp)
+    event_values = events.values.join("\r\n")
+
+    decoded_key_der = Base64.strict_decode64(IdentityConfig.store.irs_attempt_api_public_key)
+    pub_key = OpenSSL::PKey::RSA.new(decoded_key_der)
+
+    result = IrsAttemptsApi::EnvelopeEncryptor.encrypt(
+      data: event_values, timestamp: timestamp, public_key: pub_key,
+    )
+
+    # write to a file and store on the disk until S3 is setup
+    FileUtils.mkdir_p(dir_path)
+
+    file_path = "#{dir_path}/#{result.filename}"
+
+    File.open(file_path, 'wb') do |file|
+      file.write(result.encrypted_data)
+    end
+
+    return { encryptor_result: result, file_path: file_path }
+
+    # Write the file to S3 instead of whatever dir_path winds up being
+  end
+end