Merge pull request #3624 from 18F/stages/rc-2020-03-10

Production: stages/rc-2020-03-10

Gemfile

@@ -66,7 +66,7 @@ gem 'typhoeus'
 gem 'uglifier', '~> 3.2'
 gem 'user_agent_parser'
 gem 'valid_email'
-gem 'webauthn', '~> 1.18.0'
+gem 'webauthn', '~> 2.1.0'
 gem 'webpacker', '~> 3.4'
 gem 'xmlenc', '~> 0.6'
 gem 'zxcvbn-js'

Gemfile.lock

@@ -43,10 +43,10 @@ GIT
 
 GIT
   remote: https://github.com/18F/saml_idp.git
-  revision: f0c4a98952ca24e3c356293dd74fd4885d96ff37
+  revision: 95366bbb24088660eadc54ba49f56399cf8b17b4
   branch: master
   specs:
-    saml_idp (0.8.0.pre.18f)
+    saml_idp (0.9.0.pre.18f)
       activesupport
       builder
       httparty
@@ -122,6 +122,7 @@ GEM
     american_date (1.1.1)
     arel (8.0.0)
     ast (2.4.0)
+    awrence (1.1.1)
     aws-eventstream (1.0.3)
     aws-partitions (1.235.0)
     aws-sdk-core (3.75.0)
@@ -166,7 +167,7 @@ GEM
       debug_inspector (>= 0.0.1)
     brakeman (4.7.1)
     browser (2.6.1)
-    builder (3.2.3)
+    builder (3.2.4)
     bullet (6.0.2)
       activesupport (>= 3.0.0)
       uniform_notifier (~> 1.11)
@@ -198,9 +199,9 @@ GEM
     coercible (1.0.0)
       descendants_tracker (~> 0.0.1)
     colorize (0.8.1)
-    concurrent-ruby (1.1.5)
+    concurrent-ruby (1.1.6)
     connection_pool (2.2.2)
-    cose (0.7.0)
+    cose (0.10.0)
       cbor (~> 0.5.9)
     crack (0.4.3)
       safe_yaml (~> 1.0.0)
@@ -299,10 +300,10 @@ GEM
     hiredis (0.6.3)
     htmlentities (4.3.4)
     http_accept_language (2.1.1)
-    httparty (0.17.1)
+    httparty (0.18.0)
       mime-types (~> 3.0)
       multi_xml (>= 0.5.2)
-    i18n (1.7.0)
+    i18n (1.7.1)
       concurrent-ruby (~> 1.0)
     i18n-tasks (0.9.29)
       activesupport (>= 4.0.2)
@@ -349,12 +350,12 @@ GEM
     maxminddb (0.1.22)
     memory_profiler (0.9.14)
     method_source (0.9.2)
-    mime-types (3.3)
+    mime-types (3.3.1)
       mime-types-data (~> 3.2015)
     mime-types-data (3.2019.1009)
     mini_mime (1.0.2)
     mini_portile2 (2.4.0)
-    minitest (5.13.0)
+    minitest (5.14.0)
     multi_xml (0.6.0)
     multipart-post (2.1.1)
     mustermann (1.0.3)
@@ -364,7 +365,7 @@ GEM
     net-ssh (5.2.0)
     newrelic_rpm (6.7.0.359)
     nio4r (2.5.2)
-    nokogiri (1.10.5)
+    nokogiri (1.10.8)
       mini_portile2 (~> 2.4.0)
     notiffany (0.1.3)
       nenv (~> 0.1)
@@ -383,7 +384,7 @@ GEM
       ast (~> 2.4.0)
     pg (1.1.4)
     phonelib (0.6.39)
-    pkcs11 (0.2.7)
+    pkcs11 (0.3.2)
     premailer (1.11.1)
       addressable
       css_parser (>= 1.6.0)
@@ -404,7 +405,7 @@ GEM
       pry (>= 0.10.4)
     psych (3.1.0)
     public_suffix (4.0.1)
-    puma (4.3.1)
+    puma (4.3.3)
       nio4r (~> 2.0)
     rack (2.0.8)
     rack-attack (6.2.1)
@@ -609,7 +610,7 @@ GEM
       rotp (>= 3.2.0)
     typhoeus (1.3.1)
       ethon (>= 0.9.0)
-    tzinfo (1.2.5)
+    tzinfo (1.2.6)
       thread_safe (~> 0.1)
     uglifier (3.2.0)
       execjs (>= 0.3.0, < 3)
@@ -628,10 +629,11 @@ GEM
       equalizer (~> 0.0, >= 0.0.9)
     warden (1.2.8)
       rack (>= 2.0.6)
-    webauthn (1.18.0)
+    webauthn (2.1.0)
+      awrence (~> 1.1)
       bindata (~> 2.4)
       cbor (~> 0.5.9)
-      cose (~> 0.7.0)
+      cose (~> 0.10.0)
       jwt (>= 1.5, < 3.0)
       openssl (~> 2.0)
       securecompare (~> 1.0)
@@ -771,7 +773,7 @@ DEPENDENCIES
   uglifier (~> 3.2)
   user_agent_parser
   valid_email
-  webauthn (~> 1.18.0)
+  webauthn (~> 2.1.0)
   webdrivers (~> 3.0)
   webmock
   webpacker (~> 3.4)

README.md

@@ -18,7 +18,11 @@ A Identity Management System powering login.gov.
 - [Node.js v12.x.x](https://nodejs.org)
 - [Yarn](https://yarnpkg.com/en/)
 
-#### Setting up and running the app
+#### Running the app with Docker
+
+See the [Docker documentation](./docs/Docker.md) to get up and running
+
+#### Setting up and running the app without Docker
 
 1. Make sure you have a working development environment with all the
   [dependencies](#dependencies) installed. On OS X, the easiest way
@@ -180,37 +184,6 @@ it into the "Index pattern" field, then click the "Next step" button.
 12. Refresh the Kibana website. You should now see new events show up in the
 Discover section.
 
-
-#### Using Docker Locally
-
-1. Download, install, and launch [Docker](https://www.docker.com/products/docker-desktop). You should probably bump the memory resources in Docker above the defaults to avoid timeouts. 4 or 8 GB should work well.
-
-1. Build the Docker containers: `docker-compose build`
-
-1. Run `make docker_setup` to copy configuration files and bootstrap the database.
-
-1. Start the Docker containers `docker-compose up` and `open http://localhost:3000`
-
-Please note that the `docker_setup` script will destroy and re-create configuration files that were previously symlinked.  See the script source for more info.
-
-More useful Docker commands:
-
-* Force the images to re-build: `docker-compose build --no-cache`
-* Stop the containers: `docker-compose stop`
-* Stop and remove the containers (`-v` removes Volumes, which includes Postgres data): `docker-compose down`
-* Open a shell in a one-off web container: `docker-compose run --rm web bash`
-* Open a shell in the running web container: `docker-compose exec web bash`
-* Open a psql shell in the running db container: `docker-compose exec db psql -U postgres`
-
-#### Running Tests in Docker
-
-* After Docker is set up you can run the entire suite with `docker-compose run web bundle exec rspec`. This takes a while.
-* You can run a one-off test with `docker-compose run web bundle exec rspec spec/file.rb`
-* If the cluster is already running you can run the test on those containers using `exec` instead of `run`: `docker-compose exec web bundle exec rspec spec/file.rb`
-
-
-
-
 ### Viewing the app locally
 
 Once it is up and running, the app will be accessible at

app/assets/stylesheets/components/_list.scss

@@ -34,7 +34,9 @@
       background-repeat: no-repeat;
       content: '';
       display: inline-block;
+      float: left;
       height: 1rem;
+      margin-top: .33rem;
       padding-right: 1.5rem;
       vertical-align: middle;
       width: 1rem;

app/controllers/concerns/saml_idp_auth_concern.rb

@@ -1,3 +1,4 @@
+# rubocop:disable Metrics/ModuleLength
 module SamlIdpAuthConcern
   extend ActiveSupport::Concern
 
@@ -94,6 +95,7 @@ def saml_response
       reference_id: active_identity.session_uuid,
       encryption: current_service_provider.encryption_opts,
       signature: saml_response_signature_options,
+      signed_response_message: current_service_provider.signed_response_message_requested,
     )
   end
 
@@ -126,3 +128,4 @@ def request_url
     url.to_s
   end
 end
+# rubocop:enable Metrics/ModuleLength

app/controllers/concerns/verify_profile_concern.rb

@@ -10,6 +10,7 @@ def account_or_verify_profile_url
   end
 
   def account_or_verify_profile_route
+    return 'idv' if session[:ial2_request_with_no_sp] && current_user.active_profile.blank?
     return 'account' unless profile_needs_verification?
     return 'idv_usps' if usps_mail_bounced?
     'verify_account'

app/controllers/concerns/verify_sp_attributes_concern.rb

@@ -1,6 +1,9 @@
 module VerifySPAttributesConcern
   def needs_completions_screen?
-    sp_session[:issuer].present? && (sp_session_identity.nil? || !requested_attributes_verified?)
+    sp_session[:issuer].present? &&
+      (sp_session_identity.nil? ||
+        !requested_attributes_verified? ||
+        consent_has_expired?)
   end
 
   def needs_sp_attribute_verification?
@@ -20,6 +23,7 @@ def update_verified_attributes
     ).link_identity(
       ial: sp_session_ial,
       verified_attributes: sp_session[:requested_attributes],
+      last_consented_at: Time.zone.now,
     )
   end
 
@@ -36,6 +40,12 @@ def clear_verify_attributes_sessions
     user_session[:verify_shared_attributes] = false
   end
 
+  def consent_has_expired?
+    return false unless sp_session_identity
+    last_estimated_consent = sp_session_identity.last_consented_at || sp_session_identity.created_at
+    !last_estimated_consent || last_estimated_consent < Identity::CONSENT_EXPIRATION.ago
+  end
+
   private
 
   def sp_session_identity

app/controllers/idv_controller.rb

@@ -18,6 +18,7 @@ def index
 
   def activated
     redirect_to idv_url unless active_profile?
+    redirect_to account_url if session[:ial2_request_with_no_sp]
     idv_session.clear
   end
 

app/controllers/sign_up/completions_controller.rb

@@ -44,6 +44,7 @@ def view_model
         current_user: current_user,
         handoff: new_service_provider_attributes,
         ialmax_requested: ialmax?,
+        consent_has_expired: consent_has_expired?,
       )
     end
 
@@ -115,6 +116,7 @@ def displayable_attributes
       return pii_to_displayable_attributes if user_session['decrypted_pii'].present?
       {
         email: email,
+        verified_at: verified_at,
         x509_subject: current_user.piv_cac_configurations.first&.x509_dn_uuid,
       }
     end
@@ -124,6 +126,15 @@ def dob
       pii_dob ? pii_dob.to_date.to_formatted_s(:long) : ''
     end
 
+    def verified_at
+      timestamp = current_user.active_profile&.verified_at
+      if timestamp
+        I18n.l(timestamp, format: :event_timestamp)
+      else
+        I18n.t('help_text.requested_attributes.verified_at_blank')
+      end
+    end
+
     def pii_to_displayable_attributes
       {
         full_name: full_name,
@@ -132,6 +143,7 @@ def pii_to_displayable_attributes
         birthdate: dob,
         phone: PhoneFormatter.format(pii[:phone].to_s),
         email: email,
+        verified_at: verified_at,
         x509_subject: current_user.piv_cac_configurations.first&.x509_dn_uuid,
       }
     end

app/controllers/two_factor_authentication/webauthn_verification_controller.rb

@@ -66,8 +66,8 @@ def user_opted_remember_device_cookie
     end
 
     def save_challenge_in_session
-      credential_creation_options = ::WebAuthn.credential_request_options
-      user_session[:webauthn_challenge] = credential_creation_options[:challenge].bytes.to_a
+      credential_creation_options = WebAuthn::Credential.options_for_get
+      user_session[:webauthn_challenge] = credential_creation_options.challenge.bytes.to_a
     end
 
     def credential_ids

app/controllers/users/sessions_controller.rb

@@ -21,6 +21,7 @@ def new
       )
 
       @ial = sp_session ? sp_session_ial : 1
+      session[:ial2_request_with_no_sp] = true if sp_session.blank? && params[:ial] == '2'
       super
     end