Deploy RC 335 to Production

.gitlab-ci.yml

@@ -366,6 +366,7 @@ review-app:
     - |-
       export IDP_ENV=$(cat <<EOF
       [
+        {"name": "KUBERNETES_REVIEW_APP", "value": "true"},
         {"name": "POSTGRES_SSLMODE", "value": "prefer"},
         {"name": "POSTGRES_NAME", "value": "idp"},
         {"name": "POSTGRES_HOST","value": "$CI_ENVIRONMENT_SLUG-login-chart-pg.review-apps"},
@@ -396,6 +397,7 @@ review-app:
     - |-
       export WORKER_ENV=$(cat <<EOF
       [
+        {"name": "KUBERNETES_REVIEW_APP", "value": "true"},
         {"name": "POSTGRES_SSLMODE", "value": "prefer"},
         {"name": "POSTGRES_NAME", "value": "idp"},
         {"name": "POSTGRES_HOST", "value": "$CI_ENVIRONMENT_SLUG-login-chart-pg.review-apps"},
@@ -425,6 +427,7 @@ review-app:
     - |-
       export PIVCAC_ENV=$(cat <<EOF
       [
+        {"name": "KUBERNETES_REVIEW_APP", "value": "true"},
         {"name": "CLIENT_CERT_S3_BUCKET", "value": "login-gov-pivcac-public-cert-reviewapp.894947205914-us-west-2"},
         {"name": "POSTGRES_SSLMODE", "value": "prefer"},
         {"name": "POSTGRES_NAME", "value": "identity_pki_production"},
@@ -439,6 +442,7 @@ review-app:
     - |-
       export DASHBOARD_ENV=$(cat <<EOF
       [
+        {"name": "KUBERNETES_REVIEW_APP", "value": "true"},
         {"name": "POSTGRES_SSLMODE", "value": "prefer"},
         {"name": "POSTGRES_DB", "value": "dashboard"},
         {"name": "POSTGRES_HOST","value": "$CI_ENVIRONMENT_SLUG-login-chart-dashboard-pg.review-apps"},

Gemfile.lock

@@ -280,7 +280,7 @@ GEM
     dotiw (5.3.2)
       activesupport
       i18n
-    drb (2.1.1)
+    drb (2.2.0)
       ruby2_keywords
     dumb_delegator (1.0.0)
     email_spec (2.2.2)
@@ -316,15 +316,15 @@ GEM
       ffi (>= 1.0.0)
       rake
     foundation_emails (2.2.1.0)
-    fugit (1.8.1)
+    fugit (1.9.0)
       et-orbi (~> 1, >= 1.2.7)
       raabro (~> 1.4)
     geocoder (1.7.0)
     get_process_mem (0.2.7)
       ffi (~> 1.0)
     globalid (1.2.1)
       activesupport (>= 6.1)
-    good_job (3.19.4)
+    good_job (3.21.1)
       activejob (>= 6.0.0)
       activerecord (>= 6.0.0)
       concurrent-ruby (>= 1.0.2)
@@ -355,7 +355,7 @@ GEM
       terminal-table (>= 1.5.1)
     ice_nine (0.11.2)
     io-console (0.6.0)
-    irb (1.8.3)
+    irb (1.9.1)
       rdoc
       reline (>= 0.3.8)
     jmespath (1.6.2)
@@ -379,7 +379,7 @@ GEM
       activesupport (>= 4)
       railties (>= 4)
       request_store (~> 1.0)
-    loofah (2.21.4)
+    loofah (2.22.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     lookbook (2.0.5)
@@ -411,7 +411,7 @@ GEM
     minitest (5.20.0)
     msgpack (1.7.2)
     multiset (0.5.3)
-    mutex_m (0.1.2)
+    mutex_m (0.2.0)
     net-imap (0.4.2)
       date
       net-protocol
@@ -468,12 +468,13 @@ GEM
       yard (~> 0.9.11)
     pry-rails (0.3.9)
       pry (>= 0.10.4)
-    psych (4.0.2)
+    psych (5.1.1.1)
+      stringio
     public_suffix (5.0.3)
     puma (5.6.7)
       nio4r (~> 2.0)
     raabro (1.4.0)
-    racc (1.7.2)
+    racc (1.7.3)
     rack (2.2.8)
     rack-attack (6.5.0)
       rack (>= 1.0, < 3)
@@ -532,11 +533,11 @@ GEM
       thor (~> 1.0, >= 1.2.2)
       zeitwerk (~> 2.6)
     rainbow (3.1.1)
-    rake (13.0.6)
+    rake (13.1.0)
     rb-fsevent (0.11.2)
     rb-inotify (0.10.1)
       ffi (~> 1.0)
-    rdoc (6.5.0)
+    rdoc (6.6.0)
       psych (>= 4.0.0)
     redacted_struct (1.1.0)
     redcarpet (3.6.0)
@@ -545,7 +546,7 @@ GEM
     redis-client (0.14.1)
       connection_pool
     regexp_parser (2.8.2)
-    reline (0.3.9)
+    reline (0.4.0)
       io-console (~> 0.5)
     request_store (1.5.1)
       rack (>= 1.4)
@@ -657,6 +658,7 @@ GEM
       unf (~> 0.1.4)
     smart_properties (1.17.0)
     stringex (2.8.5)
+    stringio (3.0.9)
     strong_migrations (1.6.4)
       activerecord (>= 5.2)
     subprocess (1.5.5)
@@ -665,7 +667,7 @@ GEM
       unicode-display_width (>= 1.1.1, < 3)
     thor (1.3.0)
     thread_safe (0.3.6)
-    timeout (0.4.0)
+    timeout (0.4.1)
     tpm-key_attestation (0.11.0)
       bindata (~> 2.4)
       openssl (> 2.0, < 3.1)

app/assets/stylesheets/components/_btn.scss

@@ -7,10 +7,12 @@
   margin-right: 0;
 }
 
+// Upstream: https://github.com/uswds/uswds/pull/5631
 .usa-button--unstyled {
   // Temporary: To be backported to design system. Unstyled buttons should inherit the appearance
   // of a link.
   display: inline;
+  width: auto;
 }
 
 .usa-button:disabled.usa-button--active,

app/components/webauthn_verify_button_component.html.erb

@@ -26,4 +26,5 @@
   <%= hidden_field_tag :signature, '' %>
   <%= hidden_field_tag :client_data_json, '' %>
   <%= hidden_field_tag :webauthn_error, '' %>
+  <%= hidden_field_tag :screen_lock_error, '' %>
 <% end %>

app/controllers/concerns/idv/ab_test_analytics_concern.rb

@@ -1,7 +1,6 @@
 module Idv
   module AbTestAnalyticsConcern
     include AcuantConcern
-    include Idv::GettingStartedAbTestConcern
     include Idv::PhoneQuestionAbTestConcern
 
     def ab_test_analytics_buckets
@@ -12,7 +11,6 @@ def ab_test_analytics_buckets
       end
 
       buckets.merge(acuant_sdk_ab_test_analytics_args).
-        merge(getting_started_ab_test_analytics_bucket).
         merge(phone_question_ab_test_analytics_bucket)
     end
   end

app/controllers/concerns/idv/availability_concern.rb

@@ -0,0 +1,15 @@
+module Idv
+  module AvailabilityConcern
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :redirect_if_idv_unavailable
+    end
+
+    def redirect_if_idv_unavailable
+      return if FeatureManagement.idv_available?
+
+      redirect_to idv_unavailable_url
+    end
+  end
+end

app/controllers/concerns/idv/step_indicator_concern.rb

@@ -48,7 +48,7 @@ def gpo_address_verification?
       return false unless current_user
       return true if current_user.gpo_verification_pending_profile?
 
-      return idv_session.address_verification_mechanism == 'gpo'
+      return idv_session.verify_by_mail?
     end
   end
 end

app/controllers/concerns/idv/verify_info_concern.rb

@@ -315,14 +315,6 @@ def move_applicant_to_idv_session
       idv_session.applicant = pii
       idv_session.applicant[:ssn] = idv_session.ssn
       idv_session.applicant['uuid'] = current_user.uuid
-      delete_pii
-    end
-
-    def delete_pii
-      idv_session.pii_from_doc = nil
-      if defined?(flow_session) # no longer defined for remote flow
-        flow_session.delete(:pii_from_user)
-      end
     end
 
     def add_proofing_costs(results)

app/controllers/concerns/idv_session.rb

@@ -3,7 +3,7 @@ module IdvSession
 
   included do
     before_action :redirect_unless_idv_session_user
-    before_action :redirect_if_sp_context_needed
+    before_action :redirect_unless_sp_requested_verification
   end
 
   def confirm_idv_needed
@@ -53,11 +53,17 @@ def redirect_unless_idv_session_user
     redirect_to root_url if !idv_session_user
   end
 
-  def redirect_if_sp_context_needed
-    return if sp_from_sp_session.present?
-    return unless IdentityConfig.store.idv_sp_required
+  def redirect_unless_sp_requested_verification
+    return if !IdentityConfig.store.idv_sp_required
     return if idv_session_user.profiles.any?
 
+    ial_context = IalContext.new(
+      ial: sp_session_ial,
+      service_provider: sp_from_sp_session,
+      user: idv_session_user,
+    )
+    return if ial_context.ial2_or_greater?
+
     redirect_to account_url
   end
 

app/controllers/concerns/idv_step_concern.rb

@@ -9,14 +9,20 @@ module IdvStepConcern
   included do
     before_action :confirm_two_factor_authenticated
     before_action :confirm_idv_needed
+    before_action :confirm_letter_recently_enqueued
     before_action :confirm_no_pending_gpo_profile
     before_action :confirm_no_pending_in_person_enrollment
     before_action :handle_fraud
     before_action :check_for_mail_only_outage
   end
 
+  def confirm_letter_recently_enqueued
+    # idv session should be clear when user returns to enter code
+    return redirect_to idv_letter_enqueued_url if letter_recently_enqueued?
+  end
+
   def confirm_no_pending_gpo_profile
-    redirect_to idv_verify_by_mail_enter_code_url if current_user&.gpo_verification_pending_profile?
+    redirect_to idv_verify_by_mail_enter_code_url if letter_not_recently_enqueued?
   end
 
   def confirm_no_pending_in_person_enrollment
@@ -47,9 +53,6 @@ def flow_path
   def confirm_hybrid_handoff_needed
     if params[:redo]
       idv_session.redo_document_capture = true
-    elsif idv_session.document_capture_complete?
-      redirect_to idv_ssn_url
-      return
     end
 
     # If we previously skipped hybrid handoff, keep doing that.
@@ -64,29 +67,6 @@ def confirm_hybrid_handoff_needed
 
   private
 
-  def confirm_document_capture_not_complete
-    return unless idv_session.document_capture_complete?
-
-    redirect_to idv_ssn_url
-  end
-
-  def confirm_ssn_step_complete
-    return if pii.present? && idv_session.ssn.present?
-    redirect_to prev_url
-  end
-
-  def confirm_document_capture_complete
-    return if idv_session.pii_from_doc.present?
-
-    if flow_path == 'standard'
-      redirect_to idv_document_capture_url
-    elsif flow_path == 'hybrid'
-      redirect_to idv_link_sent_url
-    else # no flow_path
-      redirect_to idv_hybrid_handoff_path
-    end
-  end
-
   def confirm_verify_info_step_complete
     return if idv_session.verify_info_step_complete?
 
@@ -103,7 +83,7 @@ def confirm_verify_info_step_needed
   end
 
   def confirm_address_step_complete
-    return if idv_session.address_step_complete?
+    return if idv_session.phone_or_address_step_complete?
 
     redirect_to idv_otp_verification_url
   end
@@ -123,6 +103,16 @@ def extra_analytics_properties
     extra
   end
 
+  def letter_recently_enqueued?
+    current_user&.gpo_verification_pending_profile? &&
+      idv_session.verify_by_mail?
+  end
+
+  def letter_not_recently_enqueued?
+    current_user&.gpo_verification_pending_profile? &&
+      !idv_session.address_verification_mechanism
+  end
+
   def flow_policy
     @flow_policy ||= Idv::FlowPolicy.new(idv_session: idv_session, user: current_user)
   end
@@ -135,10 +125,11 @@ def confirm_step_allowed
 
   def url_for_latest_step
     step_info = flow_policy.info_for_latest_step
+
     url_for(controller: step_info.controller, action: step_info.action)
   end
 
-  def clear_invalid_steps!
-    flow_policy.undo_steps_from_controller!(controller: self.class)
+  def clear_future_steps!
+    flow_policy.undo_future_steps_from_controller!(controller: self.class)
   end
 end