Merge pull request #11233 from 18F/stages/rc-2024-09-12

Deploy RC 414 to Production

Gemfile.lock

@@ -450,7 +450,7 @@ GEM
     net-ssh (6.1.0)
     newrelic_rpm (9.7.0)
     nio4r (2.7.3)
-    nokogiri (1.16.6)
+    nokogiri (1.16.7)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
     numbers_and_words (0.11.12)
@@ -579,8 +579,7 @@ GEM
       actionpack (>= 5.0)
       railties (>= 5.0)
     retries (0.0.5)
-    rexml (3.3.6)
-      strscan
+    rexml (3.3.7)
     rotp (6.3.0)
     rouge (4.2.0)
     rqrcode (2.1.0)
@@ -641,8 +640,8 @@ GEM
       rubocop-capybara (~> 2.17)
       rubocop-factory_bot (~> 2.22)
     ruby-progressbar (1.13.0)
-    ruby-saml (1.13.0)
-      nokogiri (>= 1.10.5)
+    ruby-saml (1.17.0)
+      nokogiri (>= 1.13.10)
       rexml
     ruby-statistics (3.0.2)
     rubyzip (2.3.2)
@@ -684,7 +683,6 @@ GEM
     stringio (3.1.1)
     strong_migrations (2.0.0)
       activerecord (>= 6.1)
-    strscan (3.1.0)
     tableparser (1.0.1)
     terminal-table (3.0.2)
       unicode-display_width (>= 1.1.1, < 3)

app/assets/stylesheets/components/_index.scss

@@ -15,7 +15,6 @@
 @forward 'header';
 @forward 'page-heading';
 @forward 'personal-key';
-@forward 'radio-button';
 @forward 'spinner-button';
 @forward 'spinner-dots';
 @forward 'step-indicator';

app/controllers/idv/by_mail/enter_code_controller.rb

@@ -101,12 +101,10 @@ def note_if_user_did_not_receive_letter
 
       def prepare_for_personal_key
         unless account_not_ready_to_be_activated?
-          event, _disavowal_token = create_user_event(:account_verified)
+          create_user_event(:account_verified)
 
           UserAlerts::AlertUserAboutAccountVerified.call(
-            user: current_user,
-            date_time: event.created_at,
-            sp_name: decorated_sp_session.sp_name,
+            profile: current_user.active_profile,
           )
           flash[:success] = t('account.index.verification.success')
         end

app/controllers/idv/enter_password_controller.rb

@@ -49,6 +49,7 @@ def create
         success: true,
         fraud_review_pending: idv_session.profile.fraud_review_pending?,
         fraud_rejection: idv_session.profile.fraud_rejection?,
+        fraud_pending_reason: idv_session.profile.fraud_pending_reason,
         gpo_verification_pending: idv_session.profile.gpo_verification_pending?,
         in_person_verification_pending: idv_session.profile.in_person_verification_pending?,
         deactivation_reason: idv_session.profile.deactivation_reason,
@@ -61,6 +62,7 @@ def create
         success: true,
         fraud_review_pending: idv_session.profile.fraud_review_pending?,
         fraud_rejection: idv_session.profile.fraud_rejection?,
+        fraud_pending_reason: idv_session.profile.fraud_pending_reason,
         gpo_verification_pending: idv_session.profile.gpo_verification_pending?,
         in_person_verification_pending: idv_session.profile.in_person_verification_pending?,
         deactivation_reason: idv_session.profile.deactivation_reason,
@@ -116,6 +118,7 @@ def confirm_current_password
         in_person_verification_pending: current_user.in_person_pending_profile?,
         fraud_review_pending: fraud_review_pending?,
         fraud_rejection: fraud_rejection?,
+        fraud_pending_reason: nil,
         **ab_test_analytics_buckets,
       )
 
@@ -134,11 +137,9 @@ def init_profile
       end
 
       if idv_session.profile.active?
-        event, _disavowal_token = create_user_event(:account_verified)
+        create_user_event(:account_verified)
         UserAlerts::AlertUserAboutAccountVerified.call(
-          user: current_user,
-          date_time: event.created_at,
-          sp_name: decorated_sp_session.sp_name,
+          profile: idv_session.profile,
         )
       end
     end

app/controllers/idv/how_to_verify_controller.rb

@@ -24,7 +24,7 @@ def update
       if how_to_verify_form_params[:selection] == []
         sendable_form_params = {}
       else
-        sendable_form_params = how_to_verify_form_params
+        sendable_form_params = how_to_verify_form_params.to_h.symbolize_keys
       end
 
       analytics.idv_doc_auth_how_to_verify_submitted(

app/controllers/idv/session_errors_controller.rb

@@ -95,7 +95,7 @@ def log_event(based_on_limiter: nil)
         type: params[:action],
       }
 
-      options[:submit_attempts_remaining] = based_on_limiter.remaining_count if based_on_limiter
+      options[:remaining_submit_attempts] = based_on_limiter.remaining_count if based_on_limiter
 
       analytics.idv_session_error_visited(**options)
     end

app/forms/openid_connect_authorize_form.rb

@@ -30,7 +30,20 @@ class OpenidConnectAuthorizeForm
                       Saml::Idp::Constants::AAL3_HSPD12_AUTHN_CONTEXT_CLASSREF,
                       Saml::Idp::Constants::AAL2_PHISHING_RESISTANT_AUTHN_CONTEXT_CLASSREF,
                       Saml::Idp::Constants::AAL3_AUTHN_CONTEXT_CLASSREF,
-                      Saml::Idp::Constants::AAL2_AUTHN_CONTEXT_CLASSREF].freeze
+                      Saml::Idp::Constants::AAL2_AUTHN_CONTEXT_CLASSREF,
+                      Saml::Idp::Constants::DEFAULT_AAL_AUTHN_CONTEXT_CLASSREF,
+                      Saml::Idp::Constants::AAL1_AUTHN_CONTEXT_CLASSREF].freeze
+  IALS_BY_PRIORITY = [Saml::Idp::Constants::IAL_VERIFIED_FACIAL_MATCH_REQUIRED_ACR,
+                      Saml::Idp::Constants::IAL2_BIO_REQUIRED_AUTHN_CONTEXT_CLASSREF,
+                      Saml::Idp::Constants::IAL_VERIFIED_FACIAL_MATCH_PREFERRED_ACR,
+                      Saml::Idp::Constants::IAL2_BIO_PREFERRED_AUTHN_CONTEXT_CLASSREF,
+                      Saml::Idp::Constants::IAL_VERIFIED_ACR,
+                      Saml::Idp::Constants::IAL2_AUTHN_CONTEXT_CLASSREF,
+                      Saml::Idp::Constants::LOA3_AUTHN_CONTEXT_CLASSREF,
+                      Saml::Idp::Constants::IALMAX_AUTHN_CONTEXT_CLASSREF,
+                      Saml::Idp::Constants::IAL_AUTH_ONLY_ACR,
+                      Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF,
+                      Saml::Idp::Constants::LOA1_AUTHN_CONTEXT_CLASSREF].freeze
 
   attr_reader(*ATTRS)
 
@@ -119,11 +132,11 @@ def success_redirect_uri
   end
 
   def ial_values
-    acr_values.filter { |acr| acr.include?('ial') || acr.include?('loa') }
+    IALS_BY_PRIORITY & acr_values
   end
 
   def aal_values
-    acr_values.filter { |acr| acr.include?('aal') }
+    AALS_BY_PRIORITY & acr_values
   end
 
   def requested_aal_value
@@ -299,7 +312,8 @@ def scopes
   def validate_privileges
     if (identity_proofing_requested? && !identity_proofing_service_provider?) ||
        (ialmax_requested? && !ialmax_allowed_for_sp?) ||
-       (biometric_ial_requested? && !service_provider.biometric_ial_allowed?)
+       (biometric_ial_requested? && !service_provider.biometric_ial_allowed?) ||
+       (semantic_authn_contexts_requested? && !service_provider.semantic_authn_contexts_allowed?)
       errors.add(
         :acr_values, t('openid_connect.authorization.errors.no_auth'),
         type: :no_auth
@@ -348,4 +362,8 @@ def highest_level_aal(aal_values)
   def verified_within_allowed?
     IdentityConfig.store.allowed_verified_within_providers.include?(client_id)
   end
+
+  def semantic_authn_contexts_requested?
+    Saml::Idp::Constants::SEMANTIC_ACRS.intersect?(acr_values)
+  end
 end

app/helpers/opt_in_helper.rb

@@ -4,8 +4,8 @@ module OptInHelper
   def opt_in_analytics_properties
     if IdentityConfig.store.in_person_proofing_opt_in_enabled
       { opted_in_to_in_person_proofing: idv_session.opted_in_to_in_person_proofing }
-      else
-        {}
-      end
+    else
+      { opted_in_to_in_person_proofing: nil }
+    end
   end
 end

app/models/federated_protocols/oidc.rb

@@ -11,11 +11,11 @@ def issuer
     end
 
     def ial
-      request.ial_values.sort.max
+      request.ial_values.first
     end
 
     def aal
-      request.aal_values.sort.max
+      request.aal_values.first
     end
 
     def acr_values

app/models/federated_protocols/saml.rb

@@ -2,8 +2,6 @@
 
 module FederatedProtocols
   class Saml
-    IAL_PREFIX = %r{^http://idmanagement.gov/ns/assurance/ial}
-    LOA_PREFIX = %r{^http://idmanagement.gov/ns/assurance/loa}
     AAL_PREFIX = %r{^http://idmanagement.gov/ns/assurance/aal|urn:gov:gsa:ac:classes:sp:PasswordProtectedTransport:duo}
 
     def initialize(request)
@@ -23,9 +21,7 @@ def ial
     end
 
     def requested_ial_authn_context
-      request.requested_authn_contexts.find do |classref|
-        IAL_PREFIX.match?(classref) || LOA_PREFIX.match?(classref)
-      end
+      (OpenidConnectAuthorizeForm::IALS_BY_PRIORITY & request.requested_authn_contexts).first
     end
 
     def aal