Merge branch 'master' into stages/rc-2018-05-10

.reek

@@ -17,6 +17,7 @@ DuplicateMethodCall:
     - UserFlowExporter#self.massage_assets
     - BasicAuthUrl#build
     - fallback_to_english
+    - Idv::Proofer#load_vendors!
 FeatureEnvy:
   exclude:
     - ActiveJob::Logging::LogSubscriber#json_for
@@ -42,6 +43,7 @@ FeatureEnvy:
     - UserEncryptedAttributeOverrides#find_with_email
     - Utf8Sanitizer#event_attributes
     - Utf8Sanitizer#remote_ip
+    - Idv::Proofer#validate_vendors
 InstanceVariableAssumption:
   exclude:
     - User
@@ -89,6 +91,8 @@ TooManyStatements:
     - UserFlowExporter#self.massage_assets
     - UserFlowExporter#self.massage_html
     - UserFlowExporter#self.run
+    - Idv::Agent#proof
+    - Idv::Proofer#configure_vendors
 TooManyMethods:
   exclude:
     - Users::ConfirmationsController

Gemfile

@@ -31,7 +31,7 @@ gem 'pg'
 gem 'phonelib'
 gem 'phony_rails'
 gem 'premailer-rails'
-gem 'proofer', github: '18F/identity-proofer-gem', tag: 'v1.1.3'
+gem 'proofer', github: '18F/identity-proofer-gem', tag: 'v2.3.0'
 gem 'rack-attack'
 gem 'rack-cors', require: 'rack/cors'
 gem 'rack-headers_filter'
@@ -85,6 +85,7 @@ group :development, :test do
   gem 'pry-byebug'
   gem 'rspec-rails', '~> 3.5.2'
   gem 'slim_lint'
+  gem 'strong_migrations'
   gem 'thin'
 end
 
@@ -109,6 +110,6 @@ group :test do
 end
 
 group :production do
-  gem 'aamva', git: '[email protected]:18F/identity-aamva-api-client-gem', tag: 'v1.0.3'
+  gem 'aamva', git: '[email protected]:18F/identity-aamva-api-client-gem', tag: 'v2.1.0'
   gem 'equifax', git: '[email protected]:18F/identity-equifax-api-client-gem.git', tag: 'v1.1.0'
 end

Gemfile.lock

@@ -1,9 +1,9 @@
 GIT
   remote: [email protected]:18F/identity-aamva-api-client-gem
-  revision: f0e5a89e04955097084bb6c093f05c782c150c53
-  tag: v1.0.3
+  revision: 32297c9700b5dd9eaf32c3cf59cdf65efd90ca32
+  tag: v2.1.0
   specs:
-    aamva (0.1.0)
+    aamva (2.1.0)
       dotenv
       hashie
       httpi
@@ -32,10 +32,10 @@ GIT
 
 GIT
   remote: https://github.com/18F/identity-proofer-gem.git
-  revision: cdf16d24294f183160b93b8d418b294fe836e66d
-  tag: v1.1.3
+  revision: e5aeee957fd0a054cea826bebb91b25e9a6d5e86
+  tag: v2.3.0
   specs:
-    proofer (1.1.3)
+    proofer (2.3.0)
 
 GIT
   remote: https://github.com/18F/redis-session-store.git
@@ -579,6 +579,8 @@ GEM
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
     stringex (2.8.4)
+    strong_migrations (0.2.2)
+      activerecord (>= 3.2.0)
     sysexits (1.2.0)
     systemu (2.6.5)
     temple (0.8.0)
@@ -643,7 +645,7 @@ GEM
     whenever (0.10.0)
       chronic (>= 0.6.3)
     xml-simple (1.1.5)
-    xmldsig (0.6.5)
+    xmldsig (0.6.6)
       nokogiri (>= 1.6.8, < 2.0.0)
     xmlenc (0.6.9)
       activemodel (>= 3.0.0)
@@ -744,6 +746,7 @@ DEPENDENCIES
   slim-rails
   slim_lint
   stringex
+  strong_migrations
   thin
   timecop
   twilio-ruby

README.md

@@ -265,10 +265,10 @@ login.gov team for credentials and other values.
 
 ### Managing translation files
 
-To help us handle extra newlines and make sure we wrap lines consistently, we have a script called `./script/normalize-yaml` that helps format YAML consistently. After importing translations (or making changes to the *.yml files with strings, run this for the IDP app:
+To help us handle extra newlines and make sure we wrap lines consistently, we have a script called `./scripts/normalize-yaml` that helps format YAML consistently. After importing translations (or making changes to the *.yml files with strings, run this for the IDP app:
 
 ```
 $ make normalize_yaml
 ```
 
-[mac-test-passphrase-prompt]: mac-test-passphrase-prompt.png "Mac Test Passphrase Prompt"
+[mac-test-passphrase-prompt]: mac-test-passphrase-prompt.png "Mac Test Passphrase Prompt"

app/controllers/application_controller.rb

@@ -70,6 +70,11 @@ def default_url_options
     { locale: locale_url_param, host: Figaro.env.domain_name }
   end
 
+  def sign_out
+    request.cookie_jar.delete('ahoy_visit')
+    super
+  end
+
   private
 
   # These attributes show up in New Relic traces for all requests.

app/controllers/concerns/saml_idp_logout_concern.rb

@@ -49,11 +49,7 @@ def name_id_user
 
   def sp_slo_identity
     @_sp_slo_identity ||= begin
-      if FeatureManagement.enable_agency_based_uuids?
-        AgencyIdentityLinker.sp_identity_from_uuid(name_id)
-      else
-        Identity.includes(:user).find_by(uuid: name_id)
-      end
+      AgencyIdentityLinker.sp_identity_from_uuid(name_id)
     end
   end
 
@@ -85,7 +81,6 @@ def prepare_saml_logout_response
   end
 
   def prepare_saml_logout_request
-    validate_saml_request
     return if slo_session[:logout_response]
     # store originating SP's logout response in the user session
     # for final step in SLO

app/controllers/openid_connect/authorization_controller.rb

@@ -36,7 +36,8 @@ def profile_or_identity_needs_verification?
     end
 
     def track_authorize_analytics(result)
-      analytics_attributes = result.to_h.except(:redirect_uri)
+      analytics_attributes = result.to_h.except(:redirect_uri).
+                             merge(user_fully_authenticated: user_fully_authenticated?)
 
       analytics.track_event(
         Analytics::OPENID_CONNECT_REQUEST_AUTHORIZATION, analytics_attributes

app/controllers/saml_idp_controller.rb

@@ -11,6 +11,7 @@ class SamlIdpController < ApplicationController
   include VerifySPAttributesConcern
 
   skip_before_action :verify_authenticity_token
+  before_action :validate_saml_logout_request, only: :logout
 
   def auth
     return confirm_two_factor_authenticated(request_id) unless user_fully_authenticated?
@@ -26,7 +27,6 @@ def metadata
   end
 
   def logout
-    track_logout_event
     prepare_saml_logout_response_and_request
 
     return handle_saml_logout_response if slo.successful_saml_response?
@@ -38,6 +38,21 @@ def logout
 
   private
 
+  def validate_saml_logout_request(raw_saml_request = params[:SAMLRequest])
+    request_valid = saml_request_valid?(raw_saml_request)
+
+    track_logout_event(request_valid)
+    return unless raw_saml_request
+
+    head :bad_request unless request_valid
+  end
+
+  def saml_request_valid?(saml_request)
+    return false unless saml_request
+    decode_request(saml_request)
+    valid_saml_request?
+  end
+
   def saml_metadata
     if SamlCertRotationManager.use_new_secrets_for_request?(request)
       cert_rotation_saml_metadata
@@ -96,11 +111,14 @@ def render_template_for(message, action_url, type)
     )
   end
 
-  def track_logout_event
+  def track_logout_event(saml_request_valid)
+    saml_request = params[:SAMLRequest]
     result = {
-      sp_initiated: params[:SAMLRequest].present?,
+      sp_initiated: saml_request.present?,
       oidc: false,
     }
+    result[:saml_request_valid] = saml_request_valid
+
     analytics.track_event(Analytics::LOGOUT_INITIATED, result)
   end
 end

app/controllers/two_factor_authentication/otp_verification_controller.rb

@@ -53,7 +53,7 @@ def form_params
     def analytics_properties
       {
         context: context,
-        method: params[:otp_delivery_preference],
+        multi_factor_auth_method: params[:otp_delivery_preference],
         confirmation_for_phone_change: confirmation_for_phone_change?,
       }
     end

app/controllers/two_factor_authentication/personal_key_verification_controller.rb

@@ -6,7 +6,7 @@ class PersonalKeyVerificationController < ApplicationController
 
     def show
       analytics.track_event(
-        Analytics::MULTI_FACTOR_AUTH_ENTER_PERSONAL_KEY_VISIT, analytics_properties
+        Analytics::MULTI_FACTOR_AUTH_ENTER_PERSONAL_KEY_VISIT, context: context
       )
 
       @personal_key_form = PersonalKeyForm.new(current_user)
@@ -66,12 +66,5 @@ def handle_valid_otp
       redirect_to manage_personal_key_url
       reset_otp_session_data
     end
-
-    def analytics_properties
-      {
-        context: context,
-        method: 'personal key',
-      }
-    end
   end
 end

app/controllers/verify/phone_controller.rb

@@ -17,7 +17,7 @@ def create
       analytics.track_event(Analytics::IDV_PHONE_CONFIRMATION_FORM, result.to_h)
 
       if result.success?
-        submit_idv_job
+        Idv::Job.submit(idv_session, [:address])
         redirect_to verify_phone_result_url
       else
         @view_model = view_model
@@ -52,13 +52,6 @@ def phone_confirmation_required?
       idv_session.user_phone_confirmation != true
     end
 
-    def submit_idv_job
-      Idv::SubmitIdvJob.new(
-        idv_session: idv_session,
-        vendor_params: idv_session.params[:phone]
-      ).submit_phone_job
-    end
-
     def step_name
       :phone
     end

app/controllers/verify/sessions_controller.rb

@@ -24,7 +24,7 @@ def create
       analytics.track_event(Analytics::IDV_BASIC_INFO_SUBMITTED_FORM, result.to_h)
 
       if result.success?
-        submit_idv_job
+        Idv::Job.submit(idv_session, %i[resolution state_id])
         redirect_to verify_session_result_url
       else
         process_failure
@@ -50,12 +50,6 @@ def destroy
 
     private
 
-    def submit_idv_job
-      Idv::SubmitIdvJob.new(
-        idv_session: idv_session, vendor_params: idv_session.vendor_params
-      ).submit_profile_job
-    end
-
     def confirm_step_needed
       redirect_to verify_address_url if idv_session.profile_confirmation == true
     end
@@ -107,6 +101,7 @@ def idv_form
 
     def initialize_idv_session
       idv_session.params = profile_params.to_h
+      idv_session.params[:state_id_jurisdiction] = profile_params[:state]
       idv_session.applicant = idv_session.vendor_params
     end
 

app/forms/idv/profile_form.rb

@@ -4,7 +4,12 @@ class ProfileForm
     include FormProfileValidator
     include FormStateIdValidator
 
-    PROFILE_ATTRIBUTES = [:state_id_number, :state_id_type, *Pii::Attributes.members].freeze
+    PROFILE_ATTRIBUTES = [
+      :state_id_number,
+      :state_id_type,
+      :state_id_jurisdiction,
+      *Pii::Attributes.members,
+    ].freeze
 
     attr_reader :user
     attr_accessor(*PROFILE_ATTRIBUTES)

app/forms/openid_connect_logout_form.rb

@@ -55,11 +55,7 @@ def load_identity
   def identity_from_payload(payload)
     uuid = payload[:sub]
     sp = payload[:aud]
-    if FeatureManagement.enable_agency_based_uuids?
-      AgencyIdentityLinker.sp_identity_from_uuid_and_sp(uuid, sp)
-    else
-      Identity.where(uuid: uuid, service_provider: sp).first
-    end
+    AgencyIdentityLinker.sp_identity_from_uuid_and_sp(uuid, sp)
   end
 
   def build_openid_connect_redirector