Feat: claims verification

[thekaveman]

What this PR does

• Introduces a new model web.core.models.UserFlow to hold details about the flow a user will go through (e.g. Vital records request)

  • UserFlow contains the scopes and claims necessary for communication with IdG
  • Each UserFlow maps its own URL routes via system_name and urlconf_path
  • The WSGI app dynamically registers URLs for all UserFlow instances

• Implements claims verification similar to benefits.oauth and benefits.eligibility.verify

• Implements session handling to maintain OAuth related config between requests

Testing locally

• Clone and checkout this branch
• Update your .env with details for the dev IdG
  • See LastPass or Slack for connection details
• Run the build script bin/build.sh
• Rebuild and Reopen in devcontainer
• F5 to launch
• Confirm the Vital records option is in the top bar menu
• Click Vital records to be directed into that flow
• Continue with Login.gov -- see proofing-disaster-affected.yml and proofing-disaster-not-affected.yml for relevant Sandbox accounts
• For a disaster-affected Login.gov account, expect the "Verified" page
• For a disaster-not-affected Login.gov account, expect the "Unverified" page

[github-actions]

Coverage report

Click to see where and how coverage changed

File	Statements	Missing	Coverage	Coverage (new stmts)	Lines missing
web
settings.py					122
wsgi.py					11-15, 21-22
web/core
context_processors.py					1-12
session.py					1-13
web/core/admin
__init__.py
userflow.py
web/core/migrations
0001_initial.py					3-17
web/core/models
__init__.py
userflow.py					68, 72-77, 81-84, 88-91
web/oauth
claims.py					1-37
client.py					9, 16, 22-25, 47
session.py					1-65
views.py					7-11, 16, 22-31, 36-41, 69-93, 126-131, 142-143
web/oauth/admin
__init__.py
config.py
web/oauth/migrations
0001_initial.py					7-8
web/oauth/models
__init__.py
config.py
secret_name_field.py
web/vital_records
session.py					1-29
urls.py					3, 8
views.py					1-22
Project Total

This report was generated by python-coverage-comment-action

[kkoryaka]

Verification features

[angela-tran]

Reviewed the code and tested the feature. Looks good to me

[angela-tran]

Just a thought: if we're doing this for "false", maybe we should also do it for 0?

This doesn't need to be changed for this PR.

[thekaveman]

(I don't know if this is 100% right because the true/false claims are new for us -- cc @johnatstate)

Here's my thinking on the integer cases:

• Store the name of the claim if value == 1 (success)
• Store the name and the value if value >= 10 (error)
• We don't store anything if value == 0 (fail)

And so this is analogous for the non-integer cases:

• Store the name of the claim if value == true (success)
• Store the name and the value if value != false (an actual value, like [email protected])
• We don't store anything if value == false (fail)

That last two bullets are the assumption -- I don't know if we would get false back as a string, but I saw true so added the corollary.

[angela-tran]

Oh I see. Thanks for the clarification!