Merge pull request #11752 from 18F/stages/rc-2025-01-14-patch-1

Deploy RC 443.1 to Production

.gitlab-ci.yml

@@ -293,7 +293,7 @@ specs:
     - cp -a keys.example keys
     - cp -a certs.example certs
     - cp pwned_passwords/pwned_passwords.txt.sample pwned_passwords/pwned_passwords.txt
-    - "echo -e \"test:\n  redis_url: 'redis://db-redis:6379/0'\n  redis_throttle_url: 'redis://db-redis:6379/1'\" > config/application.yml"
+    - "echo -e \"test:\n  redis_url: 'redis://db-redis:6379/0'\n  redis_throttle_url: 'redis://db-redis:6379/1'\n  redis_attempts_api_url: 'redis://db-redis:6379/2'\" > config/application.yml"
     - bundle exec rake db:create db:migrate --trace
     - bundle exec rake db:seed
     - bundle exec rake knapsack:rspec["--format documentation --format RspecJunitFormatter --out rspec.xml --format json --out rspec_json/${CI_NODE_INDEX}.json"]

.rubocop.yml

@@ -29,7 +29,7 @@ AllCops:
     - 'tmp/**/*'
     - 'vendor/**/*'
     - 'public/**/*'
-  TargetRubyVersion: 3.2.0
+  TargetRubyVersion: 3.3.0
   TargetRailsVersion: 7.2
   UseCache: true
   DisabledByDefault: true
@@ -391,6 +391,9 @@ Lint/BooleanSymbol:
 Lint/CircularArgumentReference:
   Enabled: true
 
+Lint/ConstantReassignment:
+  Enabled: true
+
 Lint/Debugger:
   Enabled: true
 

Brewfile

@@ -2,6 +2,5 @@ brew 'postgresql@14'
 brew 'redis'
 brew 'node@22'
 brew 'yarn'
-brew '[email protected]'
 brew 'jq'
 cask 'chromedriver'

Gemfile

@@ -74,7 +74,7 @@ gem 'rqrcode'
 gem 'ruby-progressbar'
 gem 'ruby-saml'
 gem 'safe_target_blank', '>= 1.0.2'
-gem 'saml_idp', github: '18F/saml_idp', tag: '0.23.4-18f'
+gem 'saml_idp', github: '18F/saml_idp', tag: '0.23.5-18f'
 gem 'scrypt'
 gem 'simple_form', '>= 5.0.2'
 gem 'stringex', require: false
@@ -118,7 +118,7 @@ group :development, :test do
   gem 'psych'
   gem 'rspec', '~> 3.13.0'
   gem 'rspec-rails', '~> 7.0'
-  gem 'rubocop', '~> 1.69.1', require: false
+  gem 'rubocop', '~> 1.70.0', require: false
   gem 'rubocop-performance', '~> 1.23.0', require: false
   gem 'rubocop-rails', '~> 2.27.0', require: false
   gem 'rubocop-rspec', '~> 3.2.0', require: false

Gemfile.lock

@@ -36,10 +36,10 @@ GIT
 
 GIT
   remote: https://github.com/18F/saml_idp.git
-  revision: e5d876cf10ce9b39bba0cc523d06c4dda1af5124
-  tag: 0.23.4-18f
+  revision: bdf8e1f93707e413ecbd0f48d803e18812e19f90
+  tag: 0.23.5-18f
   specs:
-    saml_idp (0.23.4.pre.18f)
+    saml_idp (0.23.5.pre.18f)
       activesupport
       builder
       faraday
@@ -390,7 +390,7 @@ GEM
     jmespath (1.6.2)
     jsbundling-rails (1.1.2)
       railties (>= 6.0.0)
-    json (2.9.0)
+    json (2.9.1)
     jwe (0.4.0)
     jwt (2.7.1)
     knapsack (4.0.0)
@@ -477,7 +477,7 @@ GEM
     pg (1.5.9)
     pg_query (5.1.0)
       google-protobuf (>= 3.22.3)
-    phonelib (0.9.1)
+    phonelib (0.10.3)
     pkcs11 (0.3.4)
     premailer (1.27.0)
       addressable
@@ -582,7 +582,7 @@ GEM
       redis-client (>= 0.22.0)
     redis-client (0.23.0)
       connection_pool
-    regexp_parser (2.9.3)
+    regexp_parser (2.10.0)
     reline (0.5.12)
       io-console (~> 0.5)
     request_store (1.5.1)
@@ -623,7 +623,7 @@ GEM
     rspec-support (3.13.2)
     rspec_junit_formatter (0.6.0)
       rspec-core (>= 2, < 4, != 2.12.0)
-    rubocop (1.69.1)
+    rubocop (1.70.0)
       json (~> 2.3)
       language_server-protocol (>= 3.17.0)
       parallel (~> 1.10)
@@ -633,7 +633,7 @@ GEM
       rubocop-ast (>= 1.36.2, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.36.2)
+    rubocop-ast (1.37.0)
       parser (>= 3.3.1.0)
     rubocop-capybara (2.21.0)
       rubocop (~> 1.41)
@@ -706,7 +706,7 @@ GEM
       openssl-signature_algorithm (~> 1.0)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (2.5.0)
+    unicode-display_width (2.6.0)
     uniform_notifier (1.16.0)
     uri (0.13.0)
     useragent (0.16.11)
@@ -854,7 +854,7 @@ DEPENDENCIES
   rspec-rails (~> 7.0)
   rspec-retry
   rspec_junit_formatter
-  rubocop (~> 1.69.1)
+  rubocop (~> 1.70.0)
   rubocop-capybara
   rubocop-performance (~> 1.23.0)
   rubocop-rails (~> 2.27.0)

Makefile

@@ -309,6 +309,7 @@ public/api/_analytics-events.json: .yardoc .yardoc/objects/root.dat
 
 .yardoc .yardoc/objects/root.dat: app/services/analytics_events.rb
 	bundle exec yard doc \
+		--no-progress \
 		--fail-on-warning \
 		--type-tag identity.idp.previous_event_name:"Previous Event Name" \
 		--no-output \

app/controllers/concerns/idv/verify_info_concern.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 module Idv
+  # @attr idv_session [Idv::Session]
   module VerifyInfoConcern
     extend ActiveSupport::Concern
 
@@ -39,6 +40,12 @@ def shared_update
         threatmetrix_session_id: idv_session.threatmetrix_session_id,
         request_ip: request.remote_ip,
         ipp_enrollment_in_progress: ipp_enrollment_in_progress?,
+        proofing_components: ProofingComponents.new(
+          user: current_user,
+          idv_session:,
+          session:,
+          user_session:,
+        ),
       )
 
       return true

app/controllers/idv/forgot_password_controller.rb

@@ -15,7 +15,7 @@ def new
     def update
       analytics.idv_forgot_password_confirmed
       request_id = sp_session[:request_id]
-      email = current_user.confirmed_email_addresses.first.email
+      email = current_user.last_sign_in_email_address.email
       reset_password(email, request_id)
     end
 

app/controllers/saml_idp_controller.rb

@@ -150,13 +150,6 @@ def capture_analytics
 
     if result.success? && saml_request.signed?
       analytics_payload[:cert_error_details] = saml_request.cert_errors
-
-      # analytics to determine if turning on SHA256 validation will break
-      # existing partners
-      if certs_different?
-        analytics_payload[:certs_different] = true
-        analytics_payload[:sha256_matching_cert] = sha256_alg_matching_cert_serial
-      end
     end
 
     analytics.saml_auth(**analytics_payload)
@@ -168,21 +161,6 @@ def matching_cert_serial
     nil
   end
 
-  def sha256_alg_matching_cert
-    # if sha256_alg_matching_cert is nil, fallback to the "first" cert
-    saml_request.sha256_validation_matching_cert ||
-      saml_request_service_provider&.ssl_certs&.first
-  rescue SamlIdp::XMLSecurity::SignedDocument::ValidationError
-  end
-
-  def sha256_alg_matching_cert_serial
-    sha256_alg_matching_cert&.serial&.to_s
-  end
-
-  def certs_different?
-    encryption_cert != sha256_alg_matching_cert
-  end
-
   def log_external_saml_auth_request
     return unless external_saml_request?
 

app/controllers/users/sessions_controller.rb

@@ -18,7 +18,7 @@ class SessionsController < Devise::SessionsController
     before_action :store_sp_metadata_in_session, only: [:new]
     before_action :check_user_needs_redirect, only: [:new]
     before_action :apply_secure_headers_override, only: [:new, :create]
-    before_action :clear_session_bad_password_count_if_window_expired, only: [:create]
+    before_action :clear_session_sign_in_failure_count_if_window_expired, only: [:create]
     before_action :set_analytics_user_from_params, only: :create
     before_action :allow_csp_recaptcha_src, if: :recaptcha_enabled?
 
@@ -37,12 +37,14 @@ def new
 
     def create
       session[:sign_in_flow] = :sign_in
-      return process_rate_limited if session_bad_password_count_max_exceeded?
+      return process_rate_limited if session_sign_in_failure_count_max_exceeded?
       return process_locked_out_user if current_user && user_locked_out?(current_user)
       return process_rate_limited if rate_limited?
-      return process_failed_captcha unless recaptcha_response.success? || log_captcha_failures_only?
 
       rate_limit_password_failure = true
+
+      return process_failed_captcha unless recaptcha_response.success? || log_captcha_failures_only?
+
       self.resource = warden.authenticate!(auth_options)
       handle_valid_authentication
     ensure
@@ -65,38 +67,38 @@ def analytics_user
 
     private
 
-    def clear_session_bad_password_count_if_window_expired
-      locked_at = session[:max_bad_passwords_at]
-      window = IdentityConfig.store.max_bad_passwords_window_in_seconds
+    def clear_session_sign_in_failure_count_if_window_expired
+      locked_at = session[:max_sign_in_failures_at]
+      window = IdentityConfig.store.max_sign_in_failures_window_in_seconds
       return if locked_at.nil? || (locked_at + window) > Time.zone.now.to_i
-      [:max_bad_passwords_at, :bad_password_count].each { |x| session.delete(x) }
+      [:max_sign_in_failures_at, :sign_in_failure_count].each { |x| session.delete(x) }
     end
 
-    def session_bad_password_count_max_exceeded?
-      session[:bad_password_count].to_i >= IdentityConfig.store.max_bad_passwords
+    def session_sign_in_failure_count_max_exceeded?
+      session[:sign_in_failure_count].to_i >= IdentityConfig.store.max_sign_in_failures
     end
 
-    def increment_session_bad_password_count
-      session[:bad_password_count] = session[:bad_password_count].to_i + 1
-      return unless session_bad_password_count_max_exceeded?
-      session[:max_bad_passwords_at] ||= Time.zone.now.to_i
+    def increment_session_sign_in_failure_count
+      session[:sign_in_failure_count] = session[:sign_in_failure_count].to_i + 1
+      return unless session_sign_in_failure_count_max_exceeded?
+      session[:max_sign_in_failures_at] ||= Time.zone.now.to_i
     end
 
     def process_rate_limited
       sign_out(:user)
       warden.lock!
 
       flash[:error] = t(
-        'errors.sign_in.bad_password_limit',
+        'errors.sign_in.sign_in_failure_limit',
         time_left: locked_out_time_remaining,
       )
       redirect_to root_url
     end
 
     def locked_out_time_remaining
-      if session[:max_bad_passwords_at]
-        locked_at = session[:max_bad_passwords_at]
-        window = IdentityConfig.store.max_bad_passwords_window_in_seconds.seconds
+      if session[:max_sign_in_failures_at]
+        locked_at = session[:max_sign_in_failures_at]
+        window = IdentityConfig.store.max_sign_in_failures_window_in_seconds.seconds
         time_lockout_expires = Time.zone.at(locked_at) + window
       else
         time_lockout_expires = rate_limiter&.expires_at || Time.zone.now
@@ -188,7 +190,7 @@ def process_locked_out_user
 
     def handle_invalid_authentication
       rate_limiter&.increment!
-      increment_session_bad_password_count
+      increment_session_sign_in_failure_count
     end
 
     def handle_valid_authentication
@@ -223,7 +225,7 @@ def track_authentication_attempt
         rate_limited: rate_limited?,
         captcha_validation_performed: captcha_validation_performed?,
         valid_captcha_result: recaptcha_response.success?,
-        bad_password_count: session[:bad_password_count].to_i,
+        sign_in_failure_count: session[:sign_in_failure_count].to_i,
         sp_request_url_present: sp_session[:request_url].present?,
         remember_device: remember_device_cookie.present?,
         new_device: success ? new_device? : nil,

app/forms/gpo_verify_form.rb

@@ -49,6 +49,7 @@ def submit(is_enhanced_ipp)
         pii_like_keypaths: [[:errors, :otp], [:error_details, :otp]],
         pending_in_person_enrollment: !!pending_profile&.in_person_enrollment&.pending?,
         fraud_check_failed: fraud_check_failed,
+        initiating_service_provider: pending_profile&.initiating_service_provider_issuer,
       },
     )
   end

app/javascript/packages/document-capture/components/_file-input.scss

@@ -17,18 +17,6 @@
   border-width: 3px;
 }
 
-usa-file-input:not(
-    .usa-file-input--has-value,
-    .usa-file-input--value-pending,
-    .usa-file-input--is-id-capture
-  )
-  .usa-form-group--success
-  .usa-file-input
-  .usa-file-input__target {
-  height: 21rem;
-  width: 12rem;
-}
-
 .usa-file-input:not(.usa-file-input--has-value, .usa-file-input--value-pending) {
   .usa-file-input__target {
     border-color: color('primary');
@@ -88,12 +76,8 @@ usa-file-input:not(
   }
 }
 .usa-file-input.usa-file-input--single-value:not(.usa-file-input--is-id-capture) {
-  .usa-file-input__preview {
-    width: 12rem;
-  }
-  .usa-file-input__target {
-    width: 12rem;
-  }
+  .usa-file-input__preview,
+  .usa-file-input__target,
   .usa-file-input__preview-image {
     width: 12rem;
   }

app/javascript/packages/document-capture/components/acuant-capture.tsx

@@ -140,11 +140,6 @@ interface AcuantCaptureProps {
  */
 const NBSP_UNICODE = '\u00A0';
 
-/**
- * A noop function.
- */
-const noop = () => {};
-
 /**
  * Returns true if the given Acuant capture failure was caused by the user declining access to the
  * camera, or false otherwise.
@@ -491,6 +486,16 @@ function AcuantCapture(
     }
   }
 
+  /**
+   * Responds to a drag and drop file upload by either preventing the default action
+   * or allowing the file to be uploaded
+   */
+  function startDragDropUpload(event) {
+    if (!allowUpload) {
+      event.preventDefault();
+    }
+  }
+
   /**
    * Responds to a click by starting capture if supported in the environment, or triggering the
    * default file picker prompt. The click event may originate from the file input itself, or
@@ -783,7 +788,7 @@ function AcuantCapture(
         errorMessage={ownErrorMessage ?? errorMessage}
         isValuePending={hasStartedCropping}
         onClick={withLoggedClick('placeholder')(startCaptureOrTriggerUpload)}
-        onDrop={withLoggedClick('placeholder', { isDrop: true })(noop)}
+        onDrop={withLoggedClick('placeholder', { isDrop: true })(startDragDropUpload)}
         onChange={onUpload}
         onError={() => setOwnErrorMessage(null)}
       />

app/javascript/packages/phone-input/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.0",
   "dependencies": {
     "intl-tel-input": "^24.5.0",
-    "libphonenumber-js": "^1.11.4"
+    "libphonenumber-js": "^1.11.17"
   },
   "sideEffects": [
     "./index.ts"