Deploy RC 322 to prod

.gitignore

@@ -25,6 +25,9 @@
 .vagrant
 .capistrano
 
+# avoid checking in stray files
+*.bak
+
 # root files
 capybara-*.html
 dump.rdb

.gitlab-ci.yml

@@ -97,11 +97,11 @@ build-review-image:
   needs: []
   interruptible: true
   variables:
-    BRANCH_TAGGING_STRING: ""
+    BRANCH_TAGGING_STRING: ''
   rules:
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
       variables:
-        BRANCH_TAGGING_STRING: "--destination ${ECR_REGISTRY}/identity-idp/review:main"
+        BRANCH_TAGGING_STRING: '--destination ${ECR_REGISTRY}/identity-idp/review:main'
     - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
     - if: $CI_PIPELINE_SOURCE != "merge_request_event"
       when: never
@@ -312,14 +312,14 @@ build-ci-image:
     - build-pool
   image:
     name: gcr.io/kaniko-project/executor:debug
-    entrypoint: [""]
+    entrypoint: ['']
   rules:
     # Build when there are changes to the Dockerfile
     - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_PIPELINE_SOURCE == "merge_request_event" || $CI_PIPELINE_SOURCE == "external_pull_request_event" || $CI_PIPELINE_SOURCE == "web"'
       changes:
         compare_to: 'refs/heads/main'
         paths:
-        - dockerfiles/idp_ci.Dockerfile
+          - dockerfiles/idp_ci.Dockerfile
   script:
     - mkdir -p /kaniko/.docker
     - |-
@@ -489,25 +489,37 @@ include:
 secret_detection:
   allow_failure: false
   variables:
-      SECRET_DETECTION_LOG_OPTIONS: origin/${CI_EXTERNAL_PULL_REQUEST_TARGET_BRANCH_NAME}..HEAD
-      SECRET_DETECTION_REPORT_FILE: "gl-secret-detection-report.json"
+    SECRET_DETECTION_EXCLUDED_PATHS: 'keys.example,config/artifacts.example,public/acuant/*/opencv.min.js,tmp/0.0.0.0-3000.key'
+    SECRET_DETECTION_REPORT_FILE: 'gl-secret-detection-report.json'
   rules:
     - if: $SECRET_DETECTION_DISABLED
       when: never
     - if: '$CI_COMMIT_BRANCH || $CI_COMMIT_TAG'
+    - if: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "main"
+      variables:
+        SECRET_DETECTION_LOG_OPTIONS: origin/${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}..HEAD
+    - if: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "main" && $CI_EXTERNAL_PULL_REQUEST_TARGET_BRANCH_NAME == "main"
+      variables:
+        SECRET_DETECTION_LOG_OPTIONS: origin/${CI_EXTERNAL_PULL_REQUEST_TARGET_BRANCH_NAME}..HEAD
   before_script:
     - apk add --no-cache jq
+    - git fetch origin --quiet
   script:
-    - /analyzer run
-    # check if '{ "vulnerabilities": [], ..' is empty in the report file if it exists
     - |
-      if [ -f "$SECRET_DETECTION_REPORT_FILE" ]; then
-        if [ "$(jq ".vulnerabilities | length" $SECRET_DETECTION_REPORT_FILE)" -gt 0 ]; then
-          echo "Vulnerabilities detected. Please analyze the artifact $SECRET_DETECTION_REPORT_FILE produced by the 'secret-detection' job."
-          exit 80
+      if [ -z "$SECRET_DETECTION_LOG_OPTIONS" ]; then
+        /analyzer run
+        if [ -f "$SECRET_DETECTION_REPORT_FILE" ]; then
+          # check if '{ "vulnerabilities": [], ..' is empty in the report file if it exists
+          if [ "$(jq ".vulnerabilities | length" $SECRET_DETECTION_REPORT_FILE)" -gt 0 ]; then
+            echo "Vulnerabilities detected. Please analyze the artifact $SECRET_DETECTION_REPORT_FILE produced by the 'secret-detection' job."
+            exit 80
+          fi
+        else
+          echo "Artifact $SECRET_DETECTION_REPORT_FILE does not exist. The 'secret-detection' job likely didn't create one. Hence, no evaluation can be performed."
         fi
       else
-        echo "Artifact $SECRET_DETECTION_REPORT_FILE does not exist. The 'secret-detection' job likely didn't create one. Hence, no evaluation can be performed."
+        echo "Skipping because this is not a PR or is not targeting main"
+        exit 0
       fi
 
 .container_scan_template:
@@ -517,7 +529,7 @@ secret_detection:
     - build-pool
   image:
     name: amazon/aws-cli
-    entrypoint: [""] 
+    entrypoint: ['']
   before_script:
     - curl -LO https://github.com/jqlang/jq/releases/download/jq-1.6/jq-linux64
     - chmod +x jq-linux64
@@ -636,7 +648,7 @@ secret_detection:
       }
       end' > gl-container-scanning-report.json
   artifacts:
-    paths: 
+    paths:
       - gl-container-scanning-report.json
     reports:
       container_scanning: gl-container-scanning-report.json
@@ -663,7 +675,7 @@ ecr-scan-ci:
       changes:
         compare_to: 'refs/heads/main'
         paths:
-        - dockerfiles/idp_ci.Dockerfile
+          - dockerfiles/idp_ci.Dockerfile
   needs:
     - job: build-ci-image
   stage: scan

.rubocop.yml

@@ -6,6 +6,7 @@
 require:
   - rubocop-rails
   - rubocop-performance
+  - ./lib/linters/analytics_event_name_linter.rb
   - ./lib/linters/localized_validation_message_linter.rb
   - ./lib/linters/image_size_linter.rb
   - ./lib/linters/mail_later_linter.rb
@@ -43,6 +44,11 @@ Bundler/InsecureProtocolSource:
 Gemspec/DuplicatedAssignment:
   Enabled: true
 
+IdentityIdp/AnalyticsEventNameLinter:
+  Enabled: true
+  Include:
+    - app/services/analytics_events.rb
+
 IdentityIdp/LocalizedValidationMessageLinter:
   Enabled: true
 

app/controllers/concerns/idv/document_capture_concern.rb

@@ -30,7 +30,6 @@ def failure(message, extra = nil)
     end
 
     # @param [DocAuth::Response,
-    #   DocumentCaptureSessionAsyncResult,
     #   DocumentCaptureSessionResult] response
     def extract_pii_from_doc(user, response, store_in_session: false)
       pii_from_doc = response.pii_from_doc.merge(

app/controllers/concerns/idv/verify_info_concern.rb

@@ -34,17 +34,19 @@ def shared_update
         user_id: current_user.id,
         threatmetrix_session_id: idv_session.threatmetrix_session_id,
         request_ip: request.remote_ip,
-        double_address_verification: capture_secondary_id_enabled,
+        double_address_verification: double_address_verification,
       )
 
       return true
     end
 
     private
 
-    def capture_secondary_id_enabled
-      current_user.establishing_in_person_enrollment&.
-          capture_secondary_id_enabled || false
+    def double_address_verification
+      # If in person return true else return false. This is temporary until we add a feature flag
+      # to track enrollment was created in the in person flow.
+      # todo LG-11235 update value based on new feature flag
+      current_user.has_in_person_enrollment?
     end
 
     def should_use_aamva?(pii)
@@ -164,7 +166,7 @@ def process_async_state(current_async_state)
         return
       end
 
-      return if confirm_not_rate_limited
+      return if confirm_not_rate_limited_after_doc_auth
 
       if current_async_state.none?
         idv_session.invalidate_verify_info_step!

app/controllers/concerns/idv_step_concern.rb

@@ -9,7 +9,6 @@ module IdvStepConcern
   included do
     before_action :confirm_two_factor_authenticated
     before_action :confirm_idv_needed
-    before_action :confirm_not_rate_limited
     before_action :confirm_no_pending_gpo_profile
     before_action :confirm_no_pending_in_person_enrollment
     before_action :handle_fraud

app/controllers/concerns/rate_limit_concern.rb

@@ -1,9 +1,11 @@
 module RateLimitConcern
   extend ActiveSupport::Concern
 
-  def confirm_not_rate_limited
+  ALL_IDV_RATE_LIMITTERS = [:idv_resolution, :idv_doc_auth, :proof_address, :proof_ssn].freeze
+
+  def confirm_not_rate_limited(rate_limiters = ALL_IDV_RATE_LIMITTERS)
     rate_limited = false
-    %i[idv_resolution idv_doc_auth proof_address proof_ssn].each do |rate_limit_type|
+    rate_limiters.each do |rate_limit_type|
       if rate_limit_redirect!(rate_limit_type)
         rate_limited = true
         break
@@ -12,6 +14,16 @@ def confirm_not_rate_limited
     rate_limited
   end
 
+  def confirm_not_rate_limited_after_doc_auth
+    rate_limitters = [:idv_resolution, :proof_ssn, :proof_address]
+    confirm_not_rate_limited(rate_limitters)
+  end
+
+  def confirm_not_rate_limited_after_idv_resolution
+    rate_limitters = [:proof_address]
+    confirm_not_rate_limited(rate_limitters)
+  end
+
   def rate_limit_redirect!(rate_limit_type)
     if idv_attempter_rate_limited?(rate_limit_type)
       track_rate_limited_event(rate_limit_type)

app/controllers/idv/address_controller.rb

@@ -2,6 +2,7 @@ module Idv
   class AddressController < ApplicationController
     include IdvStepConcern
 
+    before_action :confirm_not_rate_limited_after_doc_auth
     before_action :confirm_document_capture_complete
 
     def new

app/controllers/idv/agreement_controller.rb

@@ -3,6 +3,7 @@ class AgreementController < ApplicationController
     include IdvStepConcern
     include StepIndicatorConcern
 
+    before_action :confirm_not_rate_limited
     before_action :confirm_welcome_step_complete
     before_action :confirm_agreement_needed
 
@@ -53,7 +54,7 @@ def skip_to_capture
     end
 
     def consent_form_params
-      params.require(:doc_auth).permit([:ial2_consent_given, :idv_consent_given])
+      params.require(:doc_auth).permit(:idv_consent_given)
     end
 
     def confirm_welcome_step_complete

app/controllers/idv/capture_doc_status_controller.rb

@@ -43,8 +43,7 @@ def redirect_url
 
     def session_result
       return @session_result if defined?(@session_result)
-      @session_result = document_capture_session.load_result ||
-                        document_capture_session.load_doc_auth_async_result
+      @session_result = document_capture_session.load_result
     end
 
     def document_capture_session

app/controllers/idv/document_capture_controller.rb

@@ -5,6 +5,7 @@ class DocumentCaptureController < ApplicationController
     include IdvStepConcern
     include StepIndicatorConcern
 
+    before_action :confirm_not_rate_limited
     before_action :confirm_hybrid_handoff_complete
     before_action :confirm_document_capture_needed
     before_action :override_csp_to_allow_acuant

app/controllers/idv/getting_started_controller.rb

@@ -2,6 +2,7 @@ module Idv
   class GettingStartedController < ApplicationController
     include IdvStepConcern
 
+    before_action :confirm_not_rate_limited
     before_action :confirm_agreement_needed
 
     def show
@@ -72,7 +73,7 @@ def skip_to_capture
     end
 
     def consent_form_params
-      params.require(:doc_auth).permit([:ial2_consent_given, :idv_consent_given])
+      params.require(:doc_auth).permit(:idv_consent_given)
     end
 
     def confirm_agreement_needed

app/controllers/idv/hybrid_handoff_controller.rb

@@ -4,6 +4,7 @@ class HybridHandoffController < ApplicationController
     include IdvStepConcern
     include StepIndicatorConcern
 
+    before_action :confirm_not_rate_limited
     before_action :confirm_verify_info_step_needed
     before_action :confirm_agreement_step_complete
     before_action :confirm_hybrid_handoff_needed, only: :show

app/controllers/idv/in_person/ssn_controller.rb

@@ -6,6 +6,7 @@ class SsnController < ApplicationController
       include Steps::ThreatMetrixStepHelper
       include ThreatMetrixConcern
 
+      before_action :confirm_not_rate_limited_after_doc_auth
       before_action :confirm_verify_info_step_needed
       before_action :confirm_in_person_address_step_complete
       before_action :confirm_repeat_ssn, only: :show

app/controllers/idv/in_person/verify_info_controller.rb

@@ -6,14 +6,13 @@ class VerifyInfoController < ApplicationController
       include Steps::ThreatMetrixStepHelper
       include VerifyInfoConcern
 
+      before_action :confirm_not_rate_limited_after_doc_auth, except: [:show]
       before_action :confirm_ssn_step_complete
       before_action :confirm_verify_info_step_needed
-      skip_before_action :confirm_not_rate_limited, only: :show
 
       def show
         @step_indicator_steps = step_indicator_steps
         @ssn = idv_session.ssn
-        @capture_secondary_id_enabled = capture_secondary_id_enabled
 
         analytics.idv_doc_auth_verify_visited(**analytics_arguments)
         Funnel::DocAuth::RegisterStep.new(current_user.id, sp_session[:issuer]).

app/controllers/idv/link_sent_controller.rb

@@ -4,6 +4,7 @@ class LinkSentController < ApplicationController
     include IdvStepConcern
     include StepIndicatorConcern
 
+    before_action :confirm_not_rate_limited
     before_action :confirm_hybrid_handoff_complete
     before_action :confirm_document_capture_needed
 
@@ -84,10 +85,7 @@ def take_photo_with_phone_successful?
     end
 
     def document_capture_session_result
-      @document_capture_session_result ||= begin
-        document_capture_session&.load_result ||
-          document_capture_session&.load_doc_auth_async_result
-      end
+      @document_capture_session_result ||= document_capture_session&.load_result
     end
   end
 end

app/controllers/idv/phone_controller.rb

@@ -7,10 +7,10 @@ class PhoneController < ApplicationController
 
     attr_reader :idv_form
 
+    before_action :confirm_not_rate_limited_after_idv_resolution, except: [:new]
     before_action :confirm_verify_info_step_complete
     before_action :confirm_step_needed
     before_action :set_idv_form
-    skip_before_action :confirm_not_rate_limited, only: :new
 
     def new
       flash.keep(:success) if should_keep_flash_success?
@@ -24,7 +24,7 @@ def new
 
       render 'shared/wait' and return if async_state.in_progress?
 
-      return if confirm_not_rate_limited
+      return if confirm_not_rate_limited_after_idv_resolution
 
       if async_state.none?
         Funnel::DocAuth::RegisterStep.new(current_user.id, current_sp&.issuer).

app/controllers/idv/phone_question_controller.rb

@@ -4,6 +4,7 @@ class PhoneQuestionController < ApplicationController
     include IdvStepConcern
     include StepIndicatorConcern
 
+    before_action :confirm_not_rate_limited
     before_action :confirm_verify_info_step_needed
     before_action :confirm_agreement_step_complete
     before_action :confirm_hybrid_handoff_needed, only: :show

app/controllers/idv/review_controller.rb

@@ -10,7 +10,6 @@ class ReviewController < ApplicationController
     before_action :confirm_verify_info_step_complete
     before_action :confirm_address_step_complete
     before_action :confirm_current_password, only: [:create]
-    skip_before_action :confirm_not_rate_limited
 
     helper_method :step_indicator_step
 

app/controllers/idv/ssn_controller.rb

@@ -5,6 +5,7 @@ class SsnController < ApplicationController
     include Steps::ThreatMetrixStepHelper
     include ThreatMetrixConcern
 
+    before_action :confirm_not_rate_limited_after_doc_auth
     before_action :confirm_verify_info_step_needed
     before_action :confirm_document_capture_complete
     before_action :confirm_repeat_ssn, only: :show

app/controllers/idv/verify_info_controller.rb

@@ -5,9 +5,9 @@ class VerifyInfoController < ApplicationController
     include VerifyInfoConcern
     include Steps::ThreatMetrixStepHelper
 
+    before_action :confirm_not_rate_limited_after_doc_auth, except: [:show]
     before_action :confirm_ssn_step_complete
     before_action :confirm_verify_info_step_needed
-    skip_before_action :confirm_not_rate_limited, only: :show
 
     def show
       @step_indicator_steps = step_indicator_steps

app/controllers/idv/welcome_controller.rb

@@ -4,6 +4,7 @@ class WelcomeController < ApplicationController
     include StepIndicatorConcern
     include GettingStartedAbTestConcern
 
+    before_action :confirm_not_rate_limited
     before_action :confirm_welcome_needed
     before_action :maybe_redirect_for_getting_started_ab_test