Merge pull request #11453 from 18F/stages/rc-2024-11-05

Deploy RC 428 to Production

.gitlab-ci.yml

@@ -177,7 +177,7 @@ build-idp-image:
     - >-
       /kaniko/executor
       --context "${CI_PROJECT_DIR}"
-      --dockerfile "${CI_PROJECT_DIR}/dockerfiles/idp_prod.Dockerfile"
+      --dockerfile "${CI_PROJECT_DIR}/dockerfiles/idp_deploy.Dockerfile"
       --destination "${ECR_REGISTRY}/identity-idp/idp:${CI_COMMIT_SHA}"
       ${BRANCH_TAGGING_STRING}
       --cache-repo="${ECR_REGISTRY}/identity-idp/idp/cache"
@@ -480,7 +480,8 @@ stop-review-app:
   script:
     - export CONTEXT=$(kubectl config get-contexts | grep reviewapp | awk '{print $1}' | head -1)
     - kubectl config use-context "$CONTEXT"
-    - kubectl delete application $CI_ENVIRONMENT_SLUG -n argocd
+    - kubectl delete application "$CI_ENVIRONMENT_SLUG" -n argocd
+    - kubectl delete application "$CI_ENVIRONMENT_SLUG-db" -n argocd
   stage: review
   image:
     name: dtzar/helm-kubectl:latest

.rubocop.yml

@@ -977,6 +977,11 @@ Rails/SelectMap:
 Rails/ShortI18n:
   Enabled: true
 
+Rails/SkipsModelValidations:
+  Enabled: true
+  Exclude:
+    - 'spec/**/*.rb'
+
 Rails/StripHeredoc:
   Enabled: false
 

Gemfile

@@ -91,7 +91,7 @@ gem 'zlib', require: false
 
 # This version of the zxcvbn gem matches the data and behavior of the zxcvbn NPM package.
 # It should not be updated without verifying that the behavior still matches JS version 4.4.2.
-gem 'zxcvbn', '0.1.9'
+gem 'zxcvbn', '0.1.12'
 
 group :development do
   gem 'better_errors', '>= 2.5.1'

Gemfile.lock

@@ -262,7 +262,7 @@ GEM
       bigdecimal
       rexml
     crass (1.0.6)
-    css_parser (1.17.1)
+    css_parser (1.19.1)
       addressable
     cssbundling-rails (1.4.0)
       railties (>= 6.0.0)
@@ -397,7 +397,7 @@ GEM
       activesupport (>= 4)
       railties (>= 4)
       request_store (~> 1.0)
-    loofah (2.22.0)
+    loofah (2.23.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     lookbook (2.2.0)
@@ -426,14 +426,14 @@ GEM
     mini_histogram (0.3.1)
     mini_mime (1.1.5)
     mini_portile2 (2.8.7)
-    minitest (5.24.1)
+    minitest (5.25.1)
     msgpack (1.7.2)
     multiset (0.5.3)
     net-http (0.4.1)
       uri
     net-http-persistent (4.0.2)
       connection_pool (~> 2.2)
-    net-imap (0.4.12)
+    net-imap (0.5.0)
       date
       net-protocol
     net-pop (0.1.2)
@@ -465,9 +465,9 @@ GEM
       google-protobuf (>= 3.22.3)
     phonelib (0.9.1)
     pkcs11 (0.3.4)
-    premailer (1.23.0)
+    premailer (1.27.0)
       addressable
-      css_parser (>= 1.12.0)
+      css_parser (>= 1.19.0)
       htmlentities (>= 4.0.0)
     premailer-rails (1.12.0)
       actionmailer (>= 3)
@@ -746,7 +746,7 @@ GEM
     zeitwerk (2.7.1)
     zlib (3.0.0)
     zonebie (0.6.1)
-    zxcvbn (0.1.9)
+    zxcvbn (0.1.12)
 
 PLATFORMS
   ruby
@@ -876,7 +876,7 @@ DEPENDENCIES
   yard
   zlib
   zonebie
-  zxcvbn (= 0.1.9)
+  zxcvbn (= 0.1.12)
 
 RUBY VERSION
    ruby 3.3.4p94

app/assets/stylesheets/components/_btn.scss

@@ -7,14 +7,6 @@
   margin-right: 0;
 }
 
-// Upstream: https://github.com/uswds/uswds/pull/5631
-.usa-button--unstyled {
-  // Temporary: To be backported to design system. Unstyled buttons should inherit the appearance
-  // of a link.
-  display: inline;
-  width: auto;
-}
-
 .usa-button:disabled.usa-button--active,
 [aria-disabled='true'].usa-button--active {
   &:not(

app/assets/stylesheets/email.css.scss

@@ -124,8 +124,7 @@ h6 {
     padding: units(1.5) 0;
 
     &:first-child {
-      padding-left: $alert-icon-optical-padding;
-      padding-right: units(1);
+      @include u-padding-x(2);
     }
   }
 

app/assets/stylesheets/tables-report.css.scss

@@ -1,8 +1,38 @@
-@forward 'uswds-core';
+@use 'uswds-core' as * with (
+  $theme-table-border-color: 'primary-darker',
+  $theme-table-header-background-color: 'primary-darker',
+  $theme-table-header-text-color: 'white'
+);
+
 @forward 'usa-prose';
 @forward 'usa-table';
 @forward 'usa-alert';
 
+.bg-secondary {
+  @include u-bg('secondary');
+}
+
+.margin-bottom-4 {
+  @include u-margin-bottom(4);
+}
+
+.margin-top-4 {
+  @include u-margin-top(4);
+}
+
+.height-05 {
+  @include u-height(0.5);
+}
+
+.border-transparent {
+  @include u-border-color('transparent');
+}
+
+.report-title,
+.report-subtitle {
+  color: color('primary-darker');
+}
+
 .table-number {
   font-variant-numeric: tabular-nums;
   text-align: right;

app/controllers/accounts/connected_accounts/selected_email_controller.rb

@@ -23,6 +23,7 @@ def update
         analytics.sp_select_email_submitted(**result.to_h)
 
         if result.success?
+          flash[:email_updated_identity_id] = identity.id
           redirect_to account_connected_accounts_path
         else
           flash[:error] = result.first_error_message

app/controllers/application_controller.rb

@@ -234,6 +234,9 @@ def after_sign_in_path_for(_user)
     return login_add_piv_cac_prompt_url if session[:needs_to_setup_piv_cac_after_sign_in].present?
     return reactivate_account_url if user_needs_to_reactivate_account?
     return login_piv_cac_recommended_path if user_recommended_for_piv_cac?
+    return webauthn_platform_recommended_path if recommend_webauthn_platform_for_sms_user?(
+      :recommend_for_authentication,
+    )
     return second_mfa_reminder_url if user_needs_second_mfa_reminder?
     return sp_session_request_url_with_updated_params if sp_session.key?(:request_url)
     signed_in_url
@@ -457,6 +460,10 @@ def render_not_acceptable
     render template: 'pages/not_acceptable', layout: false, status: :not_acceptable, formats: :html
   end
 
+  def render_bad_request
+    render template: 'pages/bad_request', layout: false, status: :bad_request, formats: :html
+  end
+
   def render_timeout(exception)
     analytics.response_timed_out(**analytics_exception_info(exception))
     if exception.instance_of?(Rack::Timeout::RequestTimeoutException)

app/controllers/concerns/mfa_setup_concern.rb

@@ -2,12 +2,15 @@
 
 module MfaSetupConcern
   extend ActiveSupport::Concern
+  include RecommendWebauthnPlatformConcern
 
   def next_setup_path
-    if suggest_second_mfa?
-      auth_method_confirmation_url
-    elsif next_setup_choice
+    if next_setup_choice
       confirmation_path
+    elsif recommend_webauthn_platform_for_sms_user?(:recommend_for_account_creation)
+      webauthn_platform_recommended_path
+    elsif suggest_second_mfa?
+      auth_method_confirmation_path
     elsif user_session[:mfa_selections]
       track_user_registration_mfa_setup_complete_event
       user_session.delete(:mfa_selections)
@@ -52,8 +55,9 @@ def mfa_context
   end
 
   def suggest_second_mfa?
-    return false unless user_session[:mfa_selections]
-    mfa_selection_count < 2 && mfa_context.enabled_mfa_methods_count < 2
+    return false if !in_multi_mfa_selection_flow?
+    return false if current_user.webauthn_platform_recommended_dismissed_at?
+    mfa_context.enabled_mfa_methods_count < 2
   end
 
   def first_mfa_selection_path

app/controllers/concerns/recommend_webauthn_platform_concern.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module RecommendWebauthnPlatformConcern
+  def recommend_webauthn_platform_for_sms_user?(bucket)
+    # Only consider for A/B test if:
+    # 1. Option would be offered for setup
+    # 2. User is viewing content in English
+    # 3. Other recommendations have not already been offered (e.g. PIV/CAC for federal emails)
+    # 4. User selected to setup phone or authenticated with phone
+    # 5. User has not already set up a platform authenticator
+    return false if !device_supports_platform_authenticator_setup?
+    return false if I18n.locale != :en
+    return false if current_user.webauthn_platform_recommended_dismissed_at?
+    return false if !user_set_up_or_authenticated_with_phone?
+    return false if current_user.webauthn_configurations.platform_authenticators.present?
+    ab_test_bucket(:RECOMMEND_WEBAUTHN_PLATFORM_FOR_SMS_USER) == bucket
+  end
+
+  private
+
+  def device_supports_platform_authenticator_setup?
+    user_session[:platform_authenticator_available] == true
+  end
+
+  def in_account_creation_flow?
+    user_session[:in_account_creation_flow] == true
+  end
+
+  def user_set_up_or_authenticated_with_phone?
+    if in_account_creation_flow?
+      current_user.phone_configurations.any? do |phone_configuration|
+        phone_configuration.mfa_enabled? && phone_configuration.delivery_preference == 'sms'
+      end
+    else
+      auth_methods_session.auth_events.pluck(:auth_method).
+        include?(TwoFactorAuthenticatable::AuthMethod::SMS)
+    end
+  end
+end

app/controllers/idv/account_verified_cta_visited_controller.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module Idv
+  class AccountVerifiedCtaVisitedController < ApplicationController
+    before_action :disable_caching
+    before_action :confirm_redirect_requestable
+
+    def show
+      redirect_to(redirect_url, allow_other_host: true)
+      analytics.idv_account_verified_cta_visited(campaign_id:, issuer:)
+    end
+
+    private
+
+    def confirm_redirect_requestable
+      return if redirect_url.present?
+
+      render_bad_request
+    end
+
+    def redirect_url
+      if issuer.blank?
+        root_url
+      else
+        sp_return_url_resolver&.return_to_sp_url
+      end
+    end
+
+    def issuer
+      valid_params[:issuer]
+    end
+
+    def campaign_id
+      valid_params[:campaign_id]
+    end
+
+    def valid_params
+      params.permit(:campaign_id, :issuer)
+    end
+
+    def service_provider
+      ServiceProvider.find_by(issuer:) if issuer.present?
+    end
+
+    def sp_return_url_resolver
+      SpReturnUrlResolver.new(service_provider:) if service_provider
+    end
+  end
+end

app/controllers/idv/hybrid_mobile/socure/document_capture_controller.rb

@@ -28,6 +28,9 @@ def show
           @document_response = document_response
           @url = document_response.dig(:data, :url)
 
+          # placeholder until we get an error page for url not being present
+          return redirect_to idv_unavailable_url if @url.nil?
+
           document_capture_session = DocumentCaptureSession.find_by(
             uuid: document_capture_session_uuid,
           )

app/controllers/idv/socure/document_capture_controller.rb

@@ -37,6 +37,9 @@ def show
         @document_response = document_response
         @url = document_response.dig(:data, :url)
 
+        # placeholder until we get an error page for url not being present
+        return redirect_to idv_unavailable_url if @url.nil?
+
         document_capture_session = DocumentCaptureSession.find_by(
           uuid: document_capture_session_uuid,
         )

app/controllers/users/reset_passwords_controller.rb

@@ -3,6 +3,8 @@
 module Users
   class ResetPasswordsController < Devise::PasswordsController
     include AuthorizationCountConcern
+    include AbTestingConcern
+
     before_action :store_sp_metadata_in_session, only: [:edit]
     before_action :store_token_in_session, only: [:edit]
 
@@ -40,10 +42,15 @@ def edit
       end
     end
 
-    # PUT /resource/password
     def update
       self.resource = user_matching_token(user_params[:reset_password_token])
-      @reset_password_form = ResetPasswordForm.new(user: resource)
+      @reset_password_form = ResetPasswordForm.new(
+        user: resource,
+        log_password_matches_existing: ab_test_bucket(
+          :LOG_PASSWORD_RESET_MATCHES_EXISTING,
+          user: resource,
+        ) == :log,
+      )
 
       result = @reset_password_form.submit(user_params)
 

app/controllers/users/two_factor_authentication_setup_controller.rb

@@ -4,6 +4,7 @@ module Users
   class TwoFactorAuthenticationSetupController < ApplicationController
     include UserAuthenticator
     include MfaSetupConcern
+    include AbTestingConcern
 
     before_action :authenticate_user
     before_action :confirm_user_authenticated_for_2fa_setup
@@ -23,6 +24,8 @@ def index
     def create
       result = submit_form
       analytics.user_registration_2fa_setup(**result.to_h)
+      user_session[:platform_authenticator_available] =
+        params[:platform_authenticator_available] == 'true'
 
       if result.success?
         process_valid_form