Merge pull request #11600 from 18F/stages/rc-2024-12-05

Deploy RC 436 to Production
18F · Dec 5, 2024 · 964774b · 964774b
2 parents b5dba56 + 240606a
commit 964774b
Show file tree

Hide file tree

Showing 132 changed files with 1,828 additions and 850 deletions.
diff --git a/.rubocop.yml b/.rubocop.yml
@@ -803,6 +803,9 @@ Performance/Squeeze:
 Performance/StartWith:
   Enabled: true
 
+Performance/StringBytesize:
+  Enabled: true
+
 Performance/StringIdentifierArgument:
   Enabled: true
 
@@ -1050,6 +1053,12 @@ Rails/WhereRange:
 RSpec/LeakyConstantDeclaration:
   Enabled: true
 
+RSpec/MissingExpectationTargetMethod:
+  Enabled: true
+
+RSpec/RedundantPredicateMatcher:
+  Enabled: true
+
 Security/Eval:
   Enabled: true
 

diff --git a/Gemfile b/Gemfile
@@ -74,7 +74,7 @@ gem 'rqrcode'
 gem 'ruby-progressbar'
 gem 'ruby-saml'
 gem 'safe_target_blank', '>= 1.0.2'
-gem 'saml_idp', github: '18F/saml_idp', tag: '0.23.3-18f'
+gem 'saml_idp', github: '18F/saml_idp', tag: '0.23.4-18f'
 gem 'scrypt'
 gem 'simple_form', '>= 5.0.2'
 gem 'stringex', require: false
@@ -85,7 +85,7 @@ gem 'valid_email', '>= 0.1.3', github: 'hallelujah/valid_email', ref: '486b860'
 gem 'view_component', '~> 3.0'
 gem 'webauthn', '~> 2.5.2'
 gem 'xmldsig', '~> 0.6'
-gem 'xmlenc', '~> 0.7', '>= 0.7.1'
+gem 'xmlenc', '0.8.0'
 gem 'yard', require: false
 gem 'zlib', require: false
 
@@ -118,10 +118,10 @@ group :development, :test do
   gem 'psych'
   gem 'rspec', '~> 3.13.0'
   gem 'rspec-rails', '~> 7.0'
-  gem 'rubocop', '~> 1.62.0', require: false
-  gem 'rubocop-performance', '~> 1.20.2', require: false
-  gem 'rubocop-rails', '>= 2.26.2', require: false
-  gem 'rubocop-rspec', require: false
+  gem 'rubocop', '~> 1.69.1', require: false
+  gem 'rubocop-performance', '~> 1.23.0', require: false
+  gem 'rubocop-rails', '~> 2.27.0', require: false
+  gem 'rubocop-rspec', '~> 3.2.0', require: false
   gem 'sqlite3', require: false
 end
 

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -36,10 +36,10 @@ GIT
 
 GIT
   remote: https://github.com/18F/saml_idp.git
-  revision: 752085a6f88cd3ce75ecc7a64afe064a0e4f9e35
-  tag: 0.23.3-18f
+  revision: e5d876cf10ce9b39bba0cc523d06c4dda1af5124
+  tag: 0.23.4-18f
   specs:
-    saml_idp (0.23.3.pre.18f)
+    saml_idp (0.23.4.pre.18f)
       activesupport
       builder
       faraday
@@ -382,7 +382,7 @@ GEM
     jmespath (1.6.2)
     jsbundling-rails (1.1.2)
       railties (>= 6.0.0)
-    json (2.7.2)
+    json (2.9.0)
     jwe (0.4.0)
     jwt (2.7.1)
     knapsack (4.0.0)
@@ -429,7 +429,7 @@ GEM
     method_source (1.1.0)
     mini_histogram (0.3.1)
     mini_mime (1.1.5)
-    mini_portile2 (2.8.7)
+    mini_portile2 (2.8.8)
     minitest (5.25.1)
     msgpack (1.7.2)
     multiset (0.5.3)
@@ -451,7 +451,7 @@ GEM
     net-ssh (6.1.0)
     newrelic_rpm (9.7.0)
     nio4r (2.7.3)
-    nokogiri (1.16.7)
+    nokogiri (1.16.8)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
     numbers_and_words (0.11.12)
@@ -460,7 +460,7 @@ GEM
     openssl-signature_algorithm (1.2.1)
       openssl (> 2.0, < 3.1)
     orm_adapter (0.5.0)
-    parallel (1.25.1)
+    parallel (1.26.3)
     parser (3.3.4.2)
       ast (~> 2.4.1)
       racc
@@ -544,9 +544,9 @@ GEM
       activesupport (>= 5.0.0)
       minitest
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.0)
+    rails-html-sanitizer (1.6.1)
       loofah (~> 2.21)
-      nokogiri (~> 1.14)
+      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
     rails-i18n (7.0.6)
       i18n (>= 0.7, < 2)
       railties (>= 6.0.0, < 8)
@@ -571,7 +571,7 @@ GEM
       redis-client (>= 0.22.0)
     redis-client (0.22.2)
       connection_pool
-    regexp_parser (2.9.2)
+    regexp_parser (2.9.3)
     reline (0.5.9)
       io-console (~> 0.5)
     request_store (1.5.1)
@@ -612,35 +612,28 @@ GEM
     rspec-support (3.13.1)
     rspec_junit_formatter (0.6.0)
       rspec-core (>= 2, < 4, != 2.12.0)
-    rubocop (1.62.1)
+    rubocop (1.69.1)
       json (~> 2.3)
       language_server-protocol (>= 3.17.0)
       parallel (~> 1.10)
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8, < 3.0)
-      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.31.1, < 2.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.36.2, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.31.3)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.36.2)
       parser (>= 3.3.1.0)
-    rubocop-capybara (2.19.0)
-      rubocop (~> 1.41)
-    rubocop-factory_bot (2.24.0)
-      rubocop (~> 1.33)
-    rubocop-performance (1.20.2)
+    rubocop-performance (1.23.0)
       rubocop (>= 1.48.1, < 2.0)
-      rubocop-ast (>= 1.30.0, < 2.0)
-    rubocop-rails (2.26.2)
+      rubocop-ast (>= 1.31.1, < 2.0)
+    rubocop-rails (2.27.0)
       activesupport (>= 4.2.0)
       rack (>= 1.1)
       rubocop (>= 1.52.0, < 2.0)
       rubocop-ast (>= 1.31.1, < 2.0)
-    rubocop-rspec (2.24.1)
-      rubocop (~> 1.33)
-      rubocop-capybara (~> 2.17)
-      rubocop-factory_bot (~> 2.22)
+    rubocop-rspec (3.2.0)
+      rubocop (~> 1.61)
     ruby-progressbar (1.13.0)
     ruby-saml (1.17.0)
       nokogiri (>= 1.13.10)
@@ -851,10 +844,10 @@ DEPENDENCIES
   rspec-rails (~> 7.0)
   rspec-retry
   rspec_junit_formatter
-  rubocop (~> 1.62.0)
-  rubocop-performance (~> 1.20.2)
-  rubocop-rails (>= 2.26.2)
-  rubocop-rspec
+  rubocop (~> 1.69.1)
+  rubocop-performance (~> 1.23.0)
+  rubocop-rails (~> 2.27.0)
+  rubocop-rspec (~> 3.2.0)
   ruby-progressbar
   ruby-saml
   safe_target_blank (>= 1.0.2)
@@ -876,7 +869,7 @@ DEPENDENCIES
   webauthn (~> 2.5.2)
   webmock
   xmldsig (~> 0.6)
-  xmlenc (~> 0.7, >= 0.7.1)
+  xmlenc (= 0.8.0)
   yard
   zlib
   zonebie

diff --git a/app/components/webauthn_input_component.rb b/app/components/webauthn_input_component.rb
@@ -1,21 +1,25 @@
 # frozen_string_literal: true
 
 class WebauthnInputComponent < BaseComponent
-  attr_reader :platform, :passkey_supported_only, :show_unsupported_passkey, :tag_options
+  attr_reader :platform, :passkey_supported_only, :show_unsupported_passkey,
+              :desktop_ft_unlock_option, :tag_options
 
   alias_method :platform?, :platform
   alias_method :passkey_supported_only?, :passkey_supported_only
   alias_method :show_unsupported_passkey?, :show_unsupported_passkey
+  alias_method :desktop_ft_unlock_option?, :desktop_ft_unlock_option
 
   def initialize(
     platform: false,
     passkey_supported_only: false,
     show_unsupported_passkey: false,
+    desktop_ft_unlock_option: false,
     **tag_options
   )
     @platform = platform
     @passkey_supported_only = passkey_supported_only
     @show_unsupported_passkey = show_unsupported_passkey
+    @desktop_ft_unlock_option = desktop_ft_unlock_option
     @tag_options = tag_options
   end
 
@@ -26,6 +30,7 @@ def call
       **tag_options,
       **initial_hidden_tag_options,
       'show-unsupported-passkey': show_unsupported_passkey?.presence,
+      'desktop-ft-unlock-option': show_desktop_ft_unlock_option?.presence,
     )
   end
 
@@ -36,4 +41,8 @@ def initial_hidden_tag_options
       { class: 'js' }
     end
   end
+
+  def show_desktop_ft_unlock_option?
+    desktop_ft_unlock_option? && I18n.locale == :en
+  end
 end
diff --git a/app/controllers/accounts/connected_accounts_controller.rb b/app/controllers/accounts/connected_accounts_controller.rb
@@ -8,6 +8,7 @@ class ConnectedAccountsController < ApplicationController
     layout 'account_side_nav'
 
     def show
+      analytics.connected_accounts_page_visited
       @presenter = AccountShowPresenter.new(
         decrypted_pii: nil,
         sp_session_request_url: sp_session_request_url_with_updated_params,

diff --git a/app/controllers/concerns/idv/doc_auth_vendor_concern.rb b/app/controllers/concerns/idv/doc_auth_vendor_concern.rb
@@ -6,8 +6,32 @@ module DocAuthVendorConcern
 
     # @returns[String] String identifying the vendor to use for doc auth.
     def doc_auth_vendor
-      bucket = ab_test_bucket(:DOC_AUTH_VENDOR)
+      if resolved_authn_context_result.facial_match?
+        if doc_auth_vendor_enabled?(Idp::Constants::Vendors::LEXIS_NEXIS)
+          bucket = :lexis_nexis
+        elsif doc_auth_vendor_enabled?(Idp::Constants::Vendors::MOCK)
+          bucket = :mock
+        else
+          return nil
+        end
+      else
+        bucket = ab_test_bucket(:DOC_AUTH_VENDOR)
+      end
       DocAuthRouter.doc_auth_vendor_for_bucket(bucket)
     end
+
+    def doc_auth_vendor_enabled?(vendor)
+      return true if IdentityConfig.store.doc_auth_vendor_default == vendor
+      return false unless IdentityConfig.store.doc_auth_vendor_switching_enabled
+
+      case vendor
+      when Idp::Constants::Vendors::SOCURE
+        IdentityConfig.store.doc_auth_vendor_socure_percent > 0
+      when Idp::Constants::Vendors::LEXIS_NEXIS
+        IdentityConfig.store.doc_auth_vendor_lexis_nexis_percent > 0
+      else
+        false
+      end
+    end
   end
 end
diff --git a/app/controllers/concerns/idv/document_capture_concern.rb b/app/controllers/concerns/idv/document_capture_concern.rb
@@ -13,7 +13,7 @@ def handle_stored_result(user: current_user, store_in_session: true)
         successful_response
       else
         extra = { stored_result_present: stored_result.present? }
-        failure(I18n.t('doc_auth.errors.general.network_error'), extra)
+        failure(nil, extra)
       end
     end
 
@@ -22,13 +22,25 @@ def successful_response
     end
 
     # copied from Flow::Failure module
-    def failure(message, extra = nil)
-      flash[:error] = message
-      form_response_params = { success: false, errors: { message: message } }
+    def failure(message = nil, extra = nil)
+      form_response_params = { success: false }
+      form_response_params[:errors] = make_error_hash(message)
       form_response_params[:extra] = extra unless extra.nil?
       FormResponse.new(**form_response_params)
     end
 
+    def make_error_hash(message)
+      Rails.logger.info("make_error_hash: stored_result: #{stored_result.inspect}")
+
+      error_hash = { message: message || I18n.t('doc_auth.errors.general.network_error') }
+
+      if stored_result&.errors&.has_key?(:socure)
+        error_hash[:socure] = stored_result.errors[:socure]
+      end
+
+      error_hash
+    end
+
     def extract_pii_from_doc(user, store_in_session: false)
       if defined?(idv_session) # hybrid mobile does not have idv_session
         idv_session.had_barcode_read_failure = stored_result.attention_with_barcode?

diff --git a/app/controllers/concerns/idv/socure_errors_concern.rb b/app/controllers/concerns/idv/socure_errors_concern.rb
@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Idv
+  module SocureErrorsConcern
+    def errors
+      @presenter = socure_errors_presenter(handle_stored_result)
+    end
+
+    def goto_in_person
+      InPersonEnrollment.find_or_initialize_by(
+        user: document_capture_session.user,
+        status: :establishing,
+        sponsor_id: IdentityConfig.store.usps_ipp_sponsor_id,
+      ).save!
+
+      redirect_to idv_in_person_url
+    end
+
+    private
+
+    def remaining_attempts
+      RateLimiter.new(
+        user: document_capture_session.user,
+        rate_limit_type: :idv_doc_auth,
+      ).remaining_count
+    end
+
+    def error_code_for(result)
+      if result.errors[:socure]
+        result.errors.dig(:socure, :reason_codes).first
+      elsif result.errors[:network]
+        :network
+      else
+        # No error information available (shouldn't happen). Default
+        # to :network if it does.
+        :network
+      end
+    end
+  end
+end
diff --git a/app/controllers/concerns/mfa_setup_concern.rb b/app/controllers/concerns/mfa_setup_concern.rb
@@ -97,6 +97,7 @@ def threatmetrix_attrs
       request_ip: request&.remote_ip,
       threatmetrix_session_id: session[:threatmetrix_session_id],
       email: EmailContext.new(current_user).last_sign_in_email_address.email,
+      uuid_prefix: current_sp&.app_id,
     }
   end
 

diff --git a/app/controllers/concerns/unconfirmed_user_concern.rb b/app/controllers/concerns/unconfirmed_user_concern.rb
@@ -40,7 +40,7 @@ def email_confirmation_token_validator_result
 
   def email_confirmation_token_validator
     @email_confirmation_token_validator ||= begin
-      EmailConfirmationTokenValidator.new(@email_address, current_user)
+      EmailConfirmationTokenValidator.new(email_address: @email_address, current_user:)
     end
   end
 

diff --git a/app/controllers/idv/document_capture_controller.rb b/app/controllers/idv/document_capture_controller.rb
@@ -12,7 +12,8 @@ class DocumentCaptureController < ApplicationController
     before_action :confirm_step_allowed, unless: -> { allow_direct_ipp? }
     before_action :override_csp_to_allow_acuant
     before_action :set_usps_form_presenter
-    before_action -> { redirect_to_correct_vendor(Idp::Constants::Vendors::LEXIS_NEXIS, false) }
+    before_action -> { redirect_to_correct_vendor(Idp::Constants::Vendors::LEXIS_NEXIS, false) },
+                  only: :show
 
     def show
       analytics.idv_doc_auth_document_capture_visited(**analytics_arguments)

diff --git a/app/controllers/idv/hybrid_mobile/document_capture_controller.rb b/app/controllers/idv/hybrid_mobile/document_capture_controller.rb
@@ -11,7 +11,8 @@ class DocumentCaptureController < ApplicationController
       before_action :override_csp_to_allow_acuant
       before_action :confirm_document_capture_needed, only: :show
       before_action :set_usps_form_presenter
-      before_action -> { redirect_to_correct_vendor(Idp::Constants::Vendors::LEXIS_NEXIS, true) }
+      before_action -> { redirect_to_correct_vendor(Idp::Constants::Vendors::LEXIS_NEXIS, true) },
+                    only: :show
 
       def show
         analytics.idv_doc_auth_document_capture_visited(**analytics_arguments)