Deploy RC 312 to Prod

.gitlab-ci.yml

@@ -8,7 +8,7 @@ variables:
   FF_SCRIPT_SECTIONS: 'true'
   JUNIT_OUTPUT: 'true'
   ECR_REGISTRY: '${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com'
-  IDP_CI_SHA: 'sha256:6915b54a913ebcb9066fdfaa88c3d42bda1f4505cfb59b9d5848576705954621'
+  IDP_CI_SHA: 'sha256:d085544aae118252860ebe72522457e55248dad8883b6451e6ed10340f4dffe9'
   PKI_IMAGE_TAG: 'main'
 
 default:

app/controllers/idv/personal_key_controller.rb

@@ -11,7 +11,10 @@ class PersonalKeyController < ApplicationController
     before_action :confirm_profile_has_been_created
 
     def show
-      analytics.idv_personal_key_visited(address_verification_method: address_verification_method)
+      analytics.idv_personal_key_visited(
+        address_verification_method: address_verification_method,
+        in_person_verification_pending: idv_session.profile&.in_person_verification_pending?,
+      )
       add_proofing_component
 
       finish_idv_session
@@ -23,6 +26,7 @@ def update
       analytics.idv_personal_key_submitted(
         address_verification_method: address_verification_method,
         deactivation_reason: idv_session.profile&.deactivation_reason,
+        in_person_verification_pending: idv_session.profile&.in_person_verification_pending?,
         fraud_review_pending: fraud_review_pending?,
         fraud_rejection: fraud_rejection?,
       )

app/controllers/idv/review_controller.rb

@@ -17,23 +17,6 @@ class ReviewController < ApplicationController
     rescue_from UspsInPersonProofing::Exception::RequestEnrollException,
                 with: :handle_request_enroll_exception
 
-    def confirm_current_password
-      return if valid_password?
-
-      analytics.idv_review_complete(
-        success: false,
-        gpo_verification_pending: current_user.gpo_verification_pending_profile?,
-        in_person_verification_pending: current_user.in_person_pending_profile?,
-        fraud_review_pending: fraud_review_pending?,
-        fraud_rejection: fraud_rejection?,
-        **ab_test_analytics_buckets,
-      )
-      irs_attempts_api_tracker.idv_password_entered(success: false)
-
-      flash[:error] = t('idv.errors.incorrect_password')
-      redirect_to idv_review_url
-    end
-
     def new
       Funnel::DocAuth::RegisterStep.new(current_user.id, current_sp&.issuer).
         call(:encrypt, :view, true)
@@ -98,6 +81,24 @@ def step_indicator_step
 
     private
 
+    def confirm_current_password
+      return if valid_password?
+
+      analytics.idv_review_complete(
+        success: false,
+        gpo_verification_pending: current_user.gpo_verification_pending_profile?,
+        # note: this always returns false as of 8/23
+        in_person_verification_pending: current_user.in_person_pending_profile?,
+        fraud_review_pending: fraud_review_pending?,
+        fraud_rejection: fraud_rejection?,
+        **ab_test_analytics_buckets,
+      )
+      irs_attempts_api_tracker.idv_password_entered(success: false)
+
+      flash[:error] = t('idv.errors.incorrect_password')
+      redirect_to idv_review_url
+    end
+
     def gpo_mail_service
       @gpo_mail_service ||= Idv::GpoMail.new(current_user)
     end

app/controllers/openid_connect/authorization_controller.rb

@@ -132,12 +132,13 @@ def sign_out_if_prompt_param_is_login_and_user_is_signed_in
           is_forced_reauthentication: false,
         )
       end
-      return unless user_signed_in? && @authorize_form.prompt == 'login'
+      return unless @authorize_form.prompt == 'login'
       return if session[:oidc_state_for_login_prompt] == @authorize_form.state
+      session[:oidc_state_for_login_prompt] = @authorize_form.state
+      return unless user_signed_in?
       return if check_sp_handoff_bounced
       unless sp_session[:request_url] == request.original_url
         sign_out
-        session[:oidc_state_for_login_prompt] = @authorize_form.state
         set_issuer_forced_reauthentication(
           issuer: @authorize_form.service_provider.issuer,
           is_forced_reauthentication: true,

app/forms/two_factor_options_form.rb

@@ -27,7 +27,7 @@ def submit(params)
   private
 
   def validate_selection_present
-    return if !has_no_mfa_or_in_required_flow? || selection.present?
+    return if selection.present? || has_minimum_required_mfa_methods?
     errors.add(:selection, missing_selection_error_message, type: :missing_selection)
   end
 
@@ -43,10 +43,6 @@ def extra_analytics_attributes
     }
   end
 
-  def in_phishing_resistant_or_piv_cac_required_flow?
-    phishing_resistant_required || piv_cac_required
-  end
-
   def user_needs_updating?
     (%w[voice sms] & selection).present? &&
       !selection.include?(user.otp_delivery_preference)
@@ -62,26 +58,28 @@ def phone_selected?
     selection.include?('phone') || selection.include?('voice') || selection.include?('sms')
   end
 
-  def has_no_configured_mfa?
-    mfa_user.enabled_mfa_methods_count == 0
+  def has_minimum_required_mfa_methods?
+    if piv_cac_required
+      mfa_user.piv_cac_configurations.count > 0
+    elsif mfa_user.webauthn_platform_configurations.any?
+      !platform_auth_only_option?
+    elsif phishing_resistant_required
+      mfa_user.phishing_resistant_configurations.count > 0
+    else
+      mfa_user.enabled_mfa_methods_count > 0
+    end
   end
 
   def platform_auth_only_option?
     mfa_user.enabled_mfa_methods_count == 1 &&
       mfa_user.webauthn_platform_configurations.count == 1
   end
 
-  def has_no_mfa_or_in_required_flow?
-    has_no_configured_mfa? ||
-      in_phishing_resistant_or_piv_cac_required_flow? ||
-      platform_auth_only_option?
-  end
-
   def missing_selection_error_message
-    if has_no_configured_mfa? || in_phishing_resistant_or_piv_cac_required_flow?
-      t('errors.two_factor_auth_setup.must_select_option')
-    elsif platform_auth_only_option?
+    if platform_auth_only_option?
       t('errors.two_factor_auth_setup.must_select_additional_option')
+    else
+      t('errors.two_factor_auth_setup.must_select_option')
     end
   end
 end

app/javascript/packages/phone-input/package.json

@@ -4,6 +4,6 @@
   "version": "1.0.0",
   "dependencies": {
     "intl-tel-input": "^17.0.19",
-    "libphonenumber-js": "^1.10.43"
+    "libphonenumber-js": "^1.10.44"
   }
 }

app/jobs/reports/monthly_account_reuse_report.rb

@@ -10,13 +10,13 @@ def perform(report_date)
       @report_date = report_date
 
       _latest, path = generate_s3_paths(REPORT_NAME, 'json', now: report_date)
-      body = report_body.to_json
+      body = report_body
 
       if bucket_name.present?
         upload_file_to_s3_bucket(
           path: path,
           body: body,
-          content_type: 'application/json',
+          content_type: 'text/csv',
           bucket: bucket_name,
         )
       end
@@ -152,11 +152,11 @@ def report_csv
     end
 
     def report_body
-      {
-        report_date: first_day_of_report_month,
-        month: stats_month,
-        results: [report_csv],
-      }
+      CSV.generate do |csv|
+        report_csv.each do |row|
+          csv << row
+        end
+      end
     end
   end
 end

app/models/profile.rb

@@ -12,9 +12,6 @@ class Profile < ApplicationRecord
 
   validates :active, uniqueness: { scope: :user_id, if: :active? }
 
-  scope(:active, -> { where(active: true) })
-  scope(:verified, -> { where.not(verified_at: nil) })
-
   has_one :establishing_in_person_enrollment,
           -> { where(status: :establishing).order(created_at: :desc) },
           class_name: 'InPersonEnrollment', foreign_key: :profile_id, inverse_of: :profile,
@@ -25,7 +22,7 @@ class Profile < ApplicationRecord
     encryption_error: 2,
     gpo_verification_pending_NO_LONGER_USED: 3, # deprecated
     verification_cancelled: 4,
-    in_person_verification_pending: 5,
+    in_person_verification_pending_NO_LONGER_USED: 5, # deprecated
   }
 
   enum fraud_pending_reason: {
@@ -35,6 +32,32 @@ class Profile < ApplicationRecord
 
   attr_reader :personal_key
 
+  # Class methods
+  def self.active
+    where(active: true)
+  end
+
+  def self.verified
+    where.not(verified_at: nil)
+  end
+
+  def self.fraud_rejection
+    where.not(fraud_rejection_at: nil)
+  end
+
+  def self.fraud_review_pending
+    where.not(fraud_review_pending_at: nil)
+  end
+
+  def self.gpo_verification_pending
+    where.not(gpo_verification_pending_at: nil)
+  end
+
+  def self.in_person_verification_pending
+    where.not(in_person_verification_pending_at: nil)
+  end
+
+  # Instance methods
   def fraud_review_pending?
     fraud_review_pending_at.present?
   end
@@ -147,16 +170,11 @@ def has_fraud_deactivation_reason?
   end
 
   def in_person_verification_pending?
-    # note: deactivation reason will be replaced by timestamp column
-    deactivation_reason == 'in_person_verification_pending' ||
-      in_person_verification_pending_at.present?
+    in_person_verification_pending_at.present?
   end
 
   def deactivate_for_in_person_verification
-    transaction do
-      deactivate(:in_person_verification_pending) # to be deprecated
-      update!(active: false, in_person_verification_pending_at: Time.zone.now)
-    end
+    update!(active: false, in_person_verification_pending_at: Time.zone.now)
   end
 
   def deactivate_for_gpo_verification

app/models/user.rb

@@ -143,14 +143,12 @@ def pending_profile
     return @pending_profile if defined?(@pending_profile)
 
     @pending_profile = begin
-      pending = profiles.where(deactivation_reason: :in_person_verification_pending).or(
-        profiles.where.not(gpo_verification_pending_at: nil),
+      pending = profiles.in_person_verification_pending.or(
+        profiles.gpo_verification_pending,
       ).or(
-        profiles.where.not(in_person_verification_pending_at: nil),
+        profiles.fraud_review_pending,
       ).or(
-        profiles.where.not(fraud_review_pending_at: nil),
-      ).or(
-        profiles.where.not(fraud_rejection_at: nil),
+        profiles.fraud_rejection,
       ).order(created_at: :desc).first
 
       if pending.blank?

app/services/analytics_events.rb

@@ -2032,16 +2032,19 @@ def idv_personal_key_downloaded(proofing_components: nil, **extra)
   # @param [String, nil] deactivation_reason Reason profile was deactivated.
   # @param [Boolean] fraud_review_pending Profile is under review for fraud
   # @param [Boolean] fraud_rejection Profile is rejected due to fraud
+  # @param [Boolean] in_person_verification_pending Profile is pending in-person verification
   # User submitted IDV personal key page
   def idv_personal_key_submitted(
     fraud_review_pending:,
     fraud_rejection:,
+    in_person_verification_pending:,
     proofing_components: nil,
     deactivation_reason: nil,
     **extra
   )
     track_event(
       'IdV: personal key submitted',
+      in_person_verification_pending: in_person_verification_pending,
       deactivation_reason: deactivation_reason,
       fraud_review_pending: fraud_review_pending,
       fraud_rejection: fraud_rejection,

bin/oncall/download-piv-certs

@@ -1,6 +1,8 @@
 #!/usr/bin/env ruby
 # frozen_string_literal: true
 
+Dir.chdir(__dir__) { require 'bundler/setup' }
+
 require 'active_support'
 require 'active_support/core_ext/enumerable' # index_by
 require 'active_support/core_ext/integer/time'

bin/oncall/email-deliveries

@@ -1,6 +1,8 @@
 #!/usr/bin/env ruby
 # frozen_string_literal: true
 
+Dir.chdir(__dir__) { require 'bundler/setup' }
+
 require 'active_support'
 require 'active_support/core_ext/enumerable' # index_by
 require 'active_support/core_ext/integer/time'

bin/oncall/otp-deliveries

@@ -1,6 +1,8 @@
 #!/usr/bin/env ruby
 # frozen_string_literal: true
 
+Dir.chdir(__dir__) { require 'bundler/setup' }
+
 require 'active_support'
 require 'active_support/core_ext/integer/time'
 require 'optparse'

bin/query-cloudwatch

@@ -1,5 +1,5 @@
 #!/usr/bin/env ruby
-Dir.chdir(File.dirname(__FILE__)) { require 'bundler/setup' }
+Dir.chdir(__dir__) { require 'bundler/setup' }
 
 require 'active_support'
 require 'active_support/core_ext/integer/time'

lib/reporting/cloudwatch_client.rb

@@ -1,5 +1,6 @@
 require 'aws-sdk-cloudwatchlogs'
 require 'ruby-progressbar'
+require 'identity/hostdata'
 
 module Reporting
   class CloudwatchClient

spec/controllers/idv/personal_key_controller_spec.rb

@@ -107,15 +107,15 @@ def index
 
         context 'profile is pending due to in person proofing' do
           before do
-            profile.update!(deactivation_reason: :in_person_verification_pending)
+            profile.deactivate_for_in_person_verification
             subject.idv_session.profile_id = nil
           end
 
           it 'does not redirect' do
             get :index
 
             expect(profile.user.pending_profile?).to eq true
-            expect(profile.deactivation_reason).to eq('in_person_verification_pending')
+            expect(profile.in_person_verification_pending?).to eq(true)
             expect(response).to_not be_redirect
           end
         end
@@ -208,6 +208,7 @@ def index
           address_verification_method: nil,
           fraud_review_pending: false,
           fraud_rejection: false,
+          in_person_verification_pending: false,
           deactivation_reason: nil,
           proofing_components: nil,
         )
@@ -252,6 +253,7 @@ def index
           fraud_review_pending: false,
           fraud_rejection: false,
           deactivation_reason: nil,
+          in_person_verification_pending: false,
           proofing_components: nil,
         )
       end
@@ -278,6 +280,7 @@ def index
             address_verification_method: nil,
             fraud_review_pending: false,
             fraud_rejection: false,
+            in_person_verification_pending: false,
             deactivation_reason: nil,
             proofing_components: nil,
           )
@@ -304,6 +307,7 @@ def index
             fraud_review_pending: true,
             fraud_rejection: false,
             address_verification_method: nil,
+            in_person_verification_pending: false,
             deactivation_reason: nil,
             proofing_components: nil,
           )