Deploy RC 288 to prod

.gitlab-ci.yml

@@ -120,16 +120,16 @@ specs:
     AWS_SECRET_ACCESS_KEY: test
     CAPYBARA_WAIT_TIME_SECONDS: 5
     COVERAGE: 'true'
-    DOCKER_DB_HOST: postgres
+    DOCKER_DB_HOST: db-postgres
     POSTGRES_DB: identity_idp_test
     POSTGRES_USER: postgres_user
     POSTGRES_PASSWORD: postgres_password
     POSTGRES_HOST_AUTH_METHOD: trust
     RAILS_ENV: test
   services:
-    - name: postgres:13.9
+    - name: postgis/postgis:13-3.3
       alias: db-postgres
-      command: ["--fsync=false", "--synchronous_commit=false", "--full_page_writes=false"]
+      command: ['--fsync=false', '--synchronous_commit=false', '--full_page_writes=false']
     - name: redis:7.0
       alias: db-redis
   artifacts:
@@ -258,4 +258,3 @@ trigger_devops:
 include:
   - template: Jobs/SAST.gitlab-ci.yml
   - template: Jobs/Dependency-Scanning.gitlab-ci.yml
-

Brewfile

@@ -1,4 +1,5 @@
 brew 'postgresql@14'
+brew 'postgis'
 brew 'redis'
 brew 'node@16'
 brew 'yarn'

Gemfile

@@ -5,6 +5,7 @@ ruby "~> #{File.read(File.join(__dir__, '.ruby-version')).strip}"
 
 gem 'rails', '~> 7.0.0'
 
+gem 'activerecord-postgis-adapter'
 gem 'ahoy_matey', '~> 3.0'
 gem 'aws-sdk-kms', '~> 1.4'
 gem 'aws-sdk-pinpoint'

Gemfile.lock

@@ -113,6 +113,9 @@ GEM
     activerecord (7.0.4.3)
       activemodel (= 7.0.4.3)
       activesupport (= 7.0.4.3)
+    activerecord-postgis-adapter (8.0.2)
+      activerecord (~> 7.0.0)
+      rgeo-activerecord (~> 7.0.0)
     activestorage (7.0.4.3)
       actionpack (= 7.0.4.3)
       activejob (= 7.0.4.3)
@@ -550,6 +553,10 @@ GEM
       railties (>= 5.0)
     retries (0.0.5)
     rexml (3.2.5)
+    rgeo (3.0.0)
+    rgeo-activerecord (7.0.1)
+      activerecord (>= 5.0)
+      rgeo (>= 1.0.0)
     rotp (6.2.0)
     rouge (4.1.1)
     rqrcode (2.1.0)
@@ -722,6 +729,7 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
+  activerecord-postgis-adapter
   ahoy_matey (~> 3.0)
   aws-sdk-cloudwatchlogs
   aws-sdk-kms (~> 1.4)

app/assets/stylesheets/_uswds.scss

@@ -6,7 +6,6 @@
 @forward 'usa-alert';
 @forward 'usa-banner';
 @forward 'usa-button';
-@forward 'usa-button-group';
 @forward 'usa-collection';
 @forward 'usa-form';
 @forward 'usa-header';

app/assets/stylesheets/utilities/_typography.scss

@@ -99,28 +99,3 @@ h6,
 .h6 {
   @extend %h6;
 }
-
-.separator-text {
-  display: flex;
-  align-items: center;
-  text-align: center;
-  font-size: 1.125rem;
-  margin-bottom: 16px;
-
-  &::before,
-  &::after {
-    content: '';
-    display: block;
-    border-bottom: 1px solid color('primary-light');
-    flex-grow: 1;
-    min-width: 2rem;
-  }
-
-  &::before {
-    margin-right: 1rem;
-  }
-
-  &::after {
-    margin-left: 1rem;
-  }
-}

app/components/tab_navigation_component.html.erb

@@ -1,13 +1,12 @@
-<%= content_tag(:nav, aria: { label: }, **tag_options) do %>
+<%= content_tag(:nav, aria: { label: }, **tag_options, class: [*tag_options[:class], 'tab-navigation']) do %>
   <ul class="usa-button-group usa-button-group--segmented">
     <% routes.each do |route| %>
-      <li class="usa-button-group__item grid-col display-flex">
+      <li class="usa-button-group__item">
         <%= render ButtonComponent.new(
               action: ->(**tag_options, &block) { link_to(route[:path], **tag_options, &block) },
               big: true,
               outline: !is_current_path?(route[:path]),
               aria: { current: is_current_path?(route[:path]) ? 'page' : nil },
-              class: 'grid-col',
             ).with_content(route[:text]) %>
       </li>
     <% end %>

app/components/tab_navigation_component.scss

@@ -0,0 +1,54 @@
+@use 'uswds-core' as *;
+
+@forward 'usa-button-group/src/styles';
+
+// Upstream: https://github.com/uswds/uswds/pull/5324
+.usa-button-group--segmented {
+  .usa-button {
+    @include u-display('flex');
+    @include u-flex('align-center', 'justify-center');
+  }
+
+  .usa-button-group__item {
+    @include u-display('flex');
+    @include grid-col('auto');
+  }
+}
+
+// Upstream: https://github.com/18F/identity-design-system/pull/359
+.usa-button-group__item {
+  &:first-child > .usa-button.usa-button--big {
+    margin-right: -1 * units($theme-button-stroke-width);
+  }
+
+  &:last-child > .usa-button.usa-button--big {
+    margin-left: -2 * units($theme-button-stroke-width);
+    width: calc(100% + #{units($theme-button-stroke-width) * 2});
+
+    @include at-media('mobile-lg') {
+      margin-left: -1 * units($theme-button-stroke-width);
+    }
+  }
+
+  &:where(:not(:first-child):not(:last-child)) > .usa-button.usa-button--big {
+    margin-right: -1 * units($theme-button-stroke-width);
+    margin-left: -1 * units($theme-button-stroke-width);
+  }
+}
+
+.tab-navigation .usa-button-group--segmented {
+  .usa-button-group__item {
+    flex-basis: 50%;
+  }
+
+  .usa-button-group__item:last-child > .usa-button,
+  .usa-button {
+    width: 100%;
+  }
+
+  .usa-button--big {
+    @include at-media-max('tablet') {
+      font-size: units(2);
+    }
+  }
+}

app/controllers/api/internal/sessions_controller.rb

@@ -15,16 +15,12 @@ def show
       end
 
       def update
-        analytics.session_kept_alive if live?
-        update_last_request_at
-        render json: status_response
-      end
+        if live?
+          analytics.session_kept_alive
+          update_last_request_at
+        end
 
-      def destroy
-        analytics.session_timed_out
-        request_id = sp_session[:request_id]
-        sign_out
-        render json: { redirect: root_url(request_id:, timeout: :session) }
+        render json: status_response
       end
 
       private

app/controllers/application_controller.rb

@@ -34,11 +34,8 @@ class ApplicationController < ActionController::Base
 
   def session_expires_at
     return if @skip_session_expiration || @skip_session_load
-    now = Time.zone.now
-    session[:session_started_at] = now if session[:session_started_at].nil?
-    session[:session_expires_at] = now + Devise.timeout_in
-    session[:pinged_at] ||= now
-    redirect_on_timeout
+    session[:session_started_at] = Time.zone.now if session[:session_started_at].nil?
+    redirect_with_flash_if_timeout
   end
 
   # for lograge
@@ -156,18 +153,26 @@ def cache_issuer_in_cookie
                           end
   end
 
-  def redirect_on_timeout
+  def redirect_with_flash_if_timeout
     return unless params[:timeout]
 
-    unless current_user
+    if params[:timeout] == 'session'
+      analytics.session_timed_out
+      flash[:info] = t(
+        'notices.session_timedout',
+        app_name: APP_NAME,
+        minutes: IdentityConfig.store.session_timeout_in_minutes,
+      )
+    elsif current_user.blank?
       flash[:info] = t(
         'notices.session_cleared',
         minutes: IdentityConfig.store.session_timeout_in_minutes,
       )
     end
+
     begin
       redirect_to url_for(permitted_timeout_params)
-    rescue ActionController::UrlGenerationError # binary data in params cause redirect to throw this
+    rescue ActionController::UrlGenerationError # Binary data in parameters throw on redirect
       head :bad_request
     end
   end

app/controllers/concerns/idv/verify_info_concern.rb

@@ -48,6 +48,12 @@ def update
         double_address_verification: capture_secondary_id_enabled,
       )
 
+      # Don't allow the user to go back to document capture after verifying
+      if flow_session['redo_document_capture']
+        flow_session.delete('redo_document_capture')
+        flow_session[:flow_path] ||= 'standard'
+      end
+
       redirect_to after_update_url
     end
 

app/controllers/idv/agreement_controller.rb

@@ -0,0 +1,82 @@
+module Idv
+  class AgreementController < ApplicationController
+    include IdvSession
+    include IdvStepConcern
+    include OutageConcern
+    include StepIndicatorConcern
+    include StepUtilitiesConcern
+
+    before_action :confirm_two_factor_authenticated
+    before_action :render_404_if_agreement_controller_disabled
+    before_action :confirm_welcome_step_complete
+    before_action :confirm_agreement_needed
+    before_action :check_for_outage, only: :show
+
+    def show
+      analytics.idv_doc_auth_agreement_visited(**analytics_arguments)
+
+      Funnel::DocAuth::RegisterStep.new(current_user.id, sp_session[:issuer]).call(
+        'agreement', :view,
+        true
+      )
+
+      render :show, locals: { flow_session: flow_session }
+    end
+
+    def update
+      skip_to_capture if params[:skip_upload]
+
+      result = Idv::ConsentForm.new.submit(consent_form_params)
+
+      analytics.idv_doc_auth_agreement_submitted(
+        **analytics_arguments.merge(result.to_h),
+      )
+
+      if result.success?
+        idv_session.idv_consent_given = true
+
+        # for the 50/50 state
+        flow_session['Idv::Steps::AgreementStep'] = true
+
+        redirect_to idv_hybrid_handoff_url
+      else
+        redirect_to idv_agreement_url
+      end
+    end
+
+    private
+
+    def analytics_arguments
+      {
+        step: 'agreement',
+        analytics_id: 'Doc Auth',
+        irs_reproofing: irs_reproofing?,
+      }
+    end
+
+    def skip_to_capture
+      flow_session[:skip_upload_step] = true
+      flow_session[:flow_path] = 'standard'
+    end
+
+    def consent_form_params
+      params.require(:doc_auth).permit(:ial2_consent_given)
+    end
+
+    def confirm_welcome_step_complete
+      return if flow_session['Idv::Steps::WelcomeStep']
+
+      redirect_to idv_doc_auth_url
+    end
+
+    def confirm_agreement_needed
+      return unless idv_session.idv_consent_given
+
+      redirect_to idv_hybrid_handoff_url
+    end
+
+    def render_404_if_agreement_controller_disabled
+      render_not_found unless IdentityConfig.store.doc_auth_agreement_controller_enabled
+    end
+  end
+end

app/controllers/idv/doc_auth_controller.rb

@@ -12,7 +12,6 @@ class DocAuthController < ApplicationController
 
     before_action :redirect_if_flow_completed
     before_action :handle_fraud
-    before_action :update_if_skipping_upload
     # rubocop:disable Rails/LexicallyScopedActionFilter
     before_action :check_for_outage, only: :show
     # rubocop:enable Rails/LexicallyScopedActionFilter
@@ -43,12 +42,6 @@ def redirect_if_pending_in_person_enrollment
       redirect_to idv_in_person_ready_to_verify_url if current_user.pending_in_person_enrollment
     end
 
-    def update_if_skipping_upload
-      return if params[:step] != 'upload' || !flow_session || !flow_session[:skip_upload_step]
-      track_step_visited
-      update
-    end
-
     def do_meta_refresh(meta_refresh_count)
       @meta_refresh = 10 * 60
       flow_session[:meta_refresh_count] = meta_refresh_count + 1

app/controllers/idv/document_capture_controller.rb

@@ -10,7 +10,7 @@ class DocumentCaptureController < ApplicationController
     include RateLimitConcern
 
     before_action :confirm_two_factor_authenticated
-    before_action :confirm_upload_step_complete
+    before_action :confirm_hybrid_handoff_complete
     before_action :confirm_document_capture_needed
     before_action :override_csp_to_allow_acuant
     before_action :check_for_outage, only: :show
@@ -53,7 +53,7 @@ def extra_view_variables
 
     private
 
-    def confirm_upload_step_complete
+    def confirm_hybrid_handoff_complete
       return if flow_session[:flow_path].present?
 
       redirect_to idv_hybrid_handoff_url
@@ -74,7 +74,8 @@ def analytics_arguments
         step: 'document_capture',
         analytics_id: 'Doc Auth',
         irs_reproofing: irs_reproofing?,
-      }.merge(**acuant_sdk_ab_test_analytics_args)
+        redo_document_capture: flow_session[:redo_document_capture],
+      }.compact.merge(**acuant_sdk_ab_test_analytics_args)
     end
 
     def handle_stored_result