Deploy RC 260 to Prod

.gitignore

@@ -75,6 +75,7 @@ Vagrantfile
 /doc/
 
 package-lock.json
+browsers.json
 
 saml_*.txt
 saml_*.shr

Gemfile.lock

@@ -460,7 +460,7 @@ GEM
       nio4r (~> 2.0)
     raabro (1.4.0)
     racc (1.6.2)
-    rack (2.2.6.2)
+    rack (2.2.6.3)
     rack-attack (6.5.0)
       rack (>= 1.0, < 3)
     rack-cors (1.1.1)

Makefile

@@ -129,6 +129,9 @@ brakeman: ## Runs brakeman
 public/packs/manifest.json: yarn.lock $(shell find app/javascript -type f) ## Builds JavaScript assets
 	yarn build
 
+browsers.json: yarn.lock .browserslistrc ## Generates browsers.json browser support file
+	yarn generate-browsers-json
+
 test: export RAILS_ENV := test
 test: $(CONFIG) ## Runs RSpec and yarn tests in parallel
 	bundle exec rake parallel:spec && yarn test
@@ -153,7 +156,7 @@ tmp/$(HOST)-$(PORT).key tmp/$(HOST)-$(PORT).crt: ## Self-signed cert for local H
 		-keyout tmp/$(HOST)-$(PORT).key \
 		-out tmp/$(HOST)-$(PORT).crt
 
-run: ## Runs the development server
+run: browsers.json ## Runs the development server
 	foreman start -p $(PORT)
 
 urn:
@@ -165,8 +168,10 @@ run-https: tmp/$(HOST)-$(PORT).key tmp/$(HOST)-$(PORT).crt ## Runs the developme
 
 normalize_yaml: ## Normalizes YAML files (alphabetizes keys, fixes line length, smart quotes)
 	yarn normalize-yaml .rubocop.yml --disable-sort-keys --disable-smart-punctuation
+	find ./config/locales/transliterate -type f -name '*.yml' -exec yarn normalize-yaml --disable-sort-keys --disable-smart-punctuation {} \;
 	find ./config/locales/telephony -type f -name '*.yml' | xargs yarn normalize-yaml --disable-smart-punctuation
-	find ./config/locales -not -path "./config/locales/telephony*" -type f -name '*.yml' | xargs yarn normalize-yaml \
+	find ./config/locales -not \( -path "./config/locales/telephony*" -o -path "./config/locales/transliterate/*" \) -type f -name '*.yml' | \
+	xargs yarn normalize-yaml \
 		config/pinpoint_supported_countries.yml \
 		config/pinpoint_overrides.yml \
 		config/country_dialing_codes.yml

README.md

@@ -315,3 +315,14 @@ If you are getting the error:
 LoadError: cannot load such file -- sassc
 ```
 Try `make run` for a short time, then use Ctrl+C to kill it
+
+##### Errors relating to OpenSSL versions
+
+If you get this error during test runs:
+```
+     Failure/Error: JWT::JWK.import(certs_response[:keys].first).public_key
+     OpenSSL::PKey::PKeyError:
+       rsa#set_key= is incompatible with OpenSSL 3.0
+```
+See [this document](docs/FixingOpenSSLVersionProblem.md) for how to fix it.
+

app/assets/stylesheets/components/_alert-icon.scss

@@ -4,25 +4,6 @@
   height: 88px;
 }
 
-// For displaying icons as "badges"
-// at the top of modals
-.iconic-modal-badge {
-  position: relative;
-  &::before {
-    background-repeat: no-repeat;
-    background-size: contain;
-    content: '';
-    position: absolute;
-    left: 50%;
-    top: 0px;
-    transform: translateX(-50%) translateY(-50%);
-    height: 88px;
-    width: 88px;
-  }
-  &.personal-key-badge::before {
-    background-image: url('status/personal-key.svg');
-  }
-}
 .alert-icon--centered-top {
   position: absolute;
   left: 50%;

app/controllers/api/irs_attempts_api_controller.rb

@@ -106,7 +106,7 @@ def serve_s3_response(log_file_record:)
 
     def authenticate_client
       bearer, csp_id, token = request.authorization&.split(' ', 3)
-      if bearer != 'Bearer' || !valid_auth_tokens.include?(token) ||
+      if bearer != 'Bearer' || !valid_auth_token?(token) ||
          csp_id != IdentityConfig.store.irs_attempt_api_csp_id
         analytics.irs_attempts_api_events(
           **analytics_properties(
@@ -118,6 +118,26 @@ def authenticate_client
       end
     end
 
+    def valid_auth_token?(token)
+      valid_auth_data = hashed_valid_auth_data
+      cost = valid_auth_data[:cost]
+      salt = valid_auth_data[:salt]
+      hashed_token = scrypt_digest(token: token, salt: salt, cost: cost)
+
+      valid_auth_data[:digested_tokens].any? do |valid_hashed_token|
+        ActiveSupport::SecurityUtils.secure_compare(
+          valid_hashed_token,
+          hashed_token,
+        )
+      end
+    end
+
+    def scrypt_digest(token:, salt:, cost:)
+      scrypt_salt = cost + OpenSSL::Digest::SHA256.hexdigest(salt)
+      scrypted = SCrypt::Engine.hash_secret token, scrypt_salt, 32
+      SCrypt::Password.new(scrypted).digest
+    end
+
     # @return [Array<String>] JWE strings
     def security_event_tokens
       return [] unless timestamp
@@ -146,8 +166,24 @@ def s3_helper
       @s3_helper ||= JobHelpers::S3Helper.new
     end
 
-    def valid_auth_tokens
-      IdentityConfig.store.irs_attempt_api_auth_tokens
+    def hashed_valid_auth_data
+      key = IdentityConfig.store.irs_attempt_api_auth_tokens.map do |token|
+        OpenSSL::Digest::SHA256.hexdigest(token)
+      end.join(',')
+
+      Rails.cache.fetch("irs_hashed_tokens:#{key}", expires_in: 48.hours) do
+        salt = SecureRandom.hex(32)
+        cost = IdentityConfig.store.scrypt_cost
+        digested_tokens = IdentityConfig.store.irs_attempt_api_auth_tokens.map do |token|
+          scrypt_digest(token: token, salt: salt, cost: cost)
+        end
+
+        {
+          salt: salt,
+          cost: cost,
+          digested_tokens: digested_tokens,
+        }
+      end
     end
 
     def analytics_properties(authenticated:, elapsed_time:)

app/controllers/concerns/idv/step_utilities_concern.rb

@@ -14,10 +14,16 @@ def flow_path
     def confirm_pii_from_doc
       @pii = flow_session&.[]('pii_from_doc') # hash with indifferent access
       return if @pii.present?
+
       flow_session&.delete('Idv::Steps::DocumentCaptureStep')
       redirect_to idv_doc_auth_url
     end
 
+    def confirm_profile_not_already_confirmed
+      return unless idv_session.profile_confirmation == true
+      redirect_to idv_review_url
+    end
+
     # Copied from capture_doc_flow.rb
     # and from doc_auth_flow.rb
     def acuant_sdk_ab_test_analytics_args

app/controllers/concerns/idv/verify_info_concern.rb

@@ -96,6 +96,7 @@ def async_state_done(current_async_state)
         # todo: add other edited fields?
         extra: {
           address_edited: !!flow_session['address_edited'],
+          address_line2_present: !pii[:address2].blank?,
           pii_like_keypaths: [[:errors, :ssn], [:response_body, :first_name]],
         },
       )
@@ -230,6 +231,7 @@ def add_proofing_costs(results)
         elsif stage == :threatmetrix
           # transaction_id comes from request_id
           tmx_id = hash[:transaction_id]
+          log_irs_tmx_fraud_check_event(hash) if tmx_id
           add_cost(:threatmetrix, transaction_id: tmx_id) if tmx_id
         end
       end

app/controllers/concerns/idv_session.rb

@@ -7,10 +7,6 @@ module IdvSession
     before_action :redirect_if_sp_context_needed
   end
 
-  def confirm_idv_applicant_created
-    redirect_to idv_verify_info_url if idv_session.applicant.blank?
-  end
-
   def confirm_idv_needed
     return if effective_user.active_profile.blank? ||
               decorated_session.requested_more_recent_verification? ||

app/controllers/concerns/idv_step_concern.rb

@@ -7,4 +7,20 @@ module IdvStepConcern
     before_action :confirm_two_factor_authenticated
     before_action :confirm_idv_needed
   end
+
+  def confirm_verify_info_step_complete
+    return if idv_session.verify_info_step_complete?
+
+    if idv_session.in_person_enrollment?
+      redirect_to idv_in_person_verify_info_url
+    else
+      redirect_to idv_verify_info_url
+    end
+  end
+
+  def confirm_address_step_complete
+    return if idv_session.address_step_complete?
+
+    redirect_to idv_otp_verification_url
+  end
 end

app/controllers/concerns/verify_sp_attributes_concern.rb

@@ -8,6 +8,8 @@ def needs_completion_screen_reason
       :new_sp
     elsif !requested_attributes_verified?(sp_session_identity)
       :new_attributes
+    elsif reverified_after_consent?(sp_session_identity)
+      :reverified_after_consent
     elsif consent_has_expired?(sp_session_identity)
       :consent_expired
     elsif consent_was_revoked?(sp_session_identity)
@@ -30,19 +32,30 @@ def update_verified_attributes
   def consent_has_expired?(sp_session_identity)
     return false unless sp_session_identity
     return false if sp_session_identity.deleted_at.present?
-    last_estimated_consent = sp_session_identity.last_consented_at || sp_session_identity.created_at
+    last_estimated_consent = last_estimated_consent_for(sp_session_identity)
     !last_estimated_consent ||
-      last_estimated_consent < ServiceProviderIdentity::CONSENT_EXPIRATION.ago ||
-      verified_after_consent?(last_estimated_consent)
+      last_estimated_consent < ServiceProviderIdentity::CONSENT_EXPIRATION.ago
   end
 
   def consent_was_revoked?(sp_session_identity)
     return false unless sp_session_identity
     sp_session_identity.deleted_at.present?
   end
 
+  def reverified_after_consent?(sp_session_identity)
+    return false unless sp_session_identity
+    return false if sp_session_identity.deleted_at.present?
+    last_estimated_consent = last_estimated_consent_for(sp_session_identity)
+    return false if last_estimated_consent.nil?
+    verified_after_consent?(last_estimated_consent)
+  end
+
   private
 
+  def last_estimated_consent_for(sp_session_identity)
+    sp_session_identity.last_consented_at || sp_session_identity.created_at
+  end
+
   def verified_after_consent?(last_estimated_consent)
     verification_timestamp = current_user.active_profile&.verified_at
 

app/controllers/idv/doc_auth_controller.rb

@@ -23,7 +23,7 @@ class DocAuthController < ApplicationController
 
     FLOW_STATE_MACHINE_SETTINGS = {
       step_url: :idv_doc_auth_step_url,
-      final_url: :idv_review_url,
+      final_url: :idv_ssn_url,
       flow: Idv::Flows::DocAuthFlow,
       analytics_id: 'Doc Auth',
     }.freeze