Merge branch 'master' into stages/rc-2018-06-22

.circleci/config.yml

@@ -8,7 +8,7 @@ jobs:
     parallelism: 4
     docker:
       # Specify the Ruby version you desire here
-      - image: circleci/ruby:2.3-node-browsers
+      - image: circleci/ruby:2.5.1-node-browsers
         environment:
           RAILS_ENV: test
           CC_TEST_REPORTER_ID: faecd27e9aed532634b3f4d3e251542d7de9457cfca96a94208a63270ef9b42e

.reek

@@ -69,7 +69,6 @@ LongParameterList:
     - Idv::ProoferJob#perform
     - Idv::VendorResult#initialize
     - JWT
-    - Pii::Attributes#self.new_from_encrypted
 RepeatedConditional:
   exclude:
     - Users::ResetPasswordsController
@@ -100,6 +99,7 @@ TooManyStatements:
     - Idv::Agent#proof
     - Idv::Proofer#configure_vendors
     - Idv::VendorResult#initialize
+    - SamlIdpController#auth
     - Upaya::QueueConfig#self.choose_queue_adapter
     - Upaya::RandomTools#self.random_weighted_sample
     - UserFlowFormatter#stop

.rubocop.yml

@@ -10,17 +10,15 @@ AllCops:
     - '**/Rakefile'
     - '**/Capfile'
   Exclude:
+    - 'bin/**/*'
+    - 'db/migrate/*'
     - 'db/schema.rb'
-    - 'node_modules/**/*'
     - 'lib/rspec/user_flow_formatter.rb'
+    - 'lib/tasks/create_test_accounts.rb'
     - 'lib/user_flow_exporter.rb'
-    - 'scripts/load_testing/*'
-    - 'spec/**/*'
+    - 'node_modules/**/*'
     - 'tmp/**/*'
-    - 'bin/**/*'
-    - 'db/migrate/*'
-    - 'lib/tasks/create_test_accounts.rb'
-  TargetRubyVersion: 2.3
+  TargetRubyVersion: 2.5
   TargetRailsVersion: 5.1
   UseCache: true
 
@@ -65,6 +63,7 @@ Metrics/ClassLength:
   - app/controllers/users/confirmations_controller.rb
   - app/controllers/users/sessions_controller.rb
   - app/controllers/devise/two_factor_authentication_controller.rb
+  - app/decorators/service_provider_session_decorator.rb
   - app/decorators/user_decorator.rb
   - app/services/analytics.rb
   - app/services/idv/session.rb
@@ -103,10 +102,13 @@ Metrics/ModuleLength:
 Metrics/ParameterLists:
   CountKeywordArgs: false
 
-# This is a Rails 5 feature, so it should be disabled until we upgrade
+Naming/VariableName:
+  Exclude:
+    - 'spec/services/pii/nist_encryption_spec.rb'
+
 Rails/HttpPositionalArguments:
   Description: 'Use keyword arguments instead of positional arguments in http method calls.'
-  Enabled: false
+  Enabled: true
   Include:
     - 'spec/**/*'
     - 'test/**/*'

.ruby-version

@@ -1 +1 @@
-2.3
+2.5

Dockerfile

@@ -1,5 +1,5 @@
 # Use the official Ruby image because the Rails images have been deprecated
-FROM ruby:2.3
+FROM ruby:2.5
 
 # Install packages of https
 RUN apt-get update && apt-get install apt-transport-https
@@ -15,13 +15,16 @@ RUN apt-get update \
 
 RUN ln -s ../node/bin/node /usr/local/bin/
 RUN ln -s ../node/bin/npm /usr/local/bin/
-RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - \
-  && echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list \
-  && apt-get update && apt-get install yarn
+
+ADD https://dl.yarnpkg.com/debian/pubkey.gpg /tmp/yarn-pubkey.gpg
+RUN apt-key add /tmp/yarn-pubkey.gpg && rm /tmp/yarn-pubkey.gpg
+RUN echo 'deb http://dl.yarnpkg.com/debian/ stable main' > /etc/apt/sources.list.d/yarn.list
+RUN apt-get update && apt-get install -y --no-install-recommends yarn
 
 WORKDIR /upaya
 
 COPY package.json /upaya
+COPY yarn.lock /upaya
 
 COPY Gemfile /upaya
 COPY Gemfile.lock /upaya

Gemfile

@@ -1,7 +1,7 @@
 source 'https://rubygems.org'
 git_source(:github) { |repo_name| "https://github.com/#{repo_name}.git" }
 
-ruby '~> 2.3.7'
+ruby '~> 2.5.1'
 
 gem 'rails', '~> 5.1.3'
 
@@ -49,7 +49,7 @@ gem 'saml_idp', git: 'https://github.com/18F/saml_idp.git', tag: 'v0.7.0-18f'
 gem 'sass-rails', '~> 5.0'
 gem 'savon'
 gem 'scrypt'
-gem 'secure_headers', '~> 3.0'
+gem 'secure_headers', '~> 6.0'
 gem 'sidekiq'
 gem 'simple_form'
 gem 'sinatra', require: false
@@ -114,7 +114,7 @@ group :test do
 end
 
 group :production do
-  gem 'aamva', git: '[email protected]:18F/identity-aamva-api-client-gem', tag: 'v3.0.0'
+  gem 'aamva', git: '[email protected]:18F/identity-aamva-api-client-gem', tag: 'v3.0.1'
   gem 'equifax', git: '[email protected]:18F/identity-equifax-api-client-gem.git', tag: 'v1.1.0'
   gem 'lexisnexis', git: '[email protected]:18F/identity-lexisnexis-api-client-gem', tag: 'v1.0.0'
 end

Gemfile.lock

@@ -1,9 +1,9 @@
 GIT
   remote: [email protected]:18F/identity-aamva-api-client-gem
-  revision: 41cf170a0161883f3a4a34f5a5edbb186a36bc06
-  tag: v3.0.0
+  revision: 015186dd86691294404229ee051cfcf9e87fb6c7
+  tag: v3.0.1
   specs:
-    aamva (3.0.0)
+    aamva (3.0.1)
       dotenv
       hashie
       httpi
@@ -272,7 +272,7 @@ GEM
     fasterer (0.4.1)
       colorize (~> 0.7)
       ruby_parser (~> 3.11.0)
-    ffi (1.9.23)
+    ffi (1.9.25)
     ffi-compiler (1.0.1)
       ffi (>= 1.0.0)
       rake
@@ -415,7 +415,7 @@ GEM
     rack-headers_filter (0.0.1)
     rack-mini-profiler (1.0.0)
       rack (>= 1.2.0)
-    rack-protection (2.0.1)
+    rack-protection (2.0.2)
       rack
     rack-proxy (0.6.4)
       rack
@@ -543,8 +543,7 @@ GEM
       wasabi (~> 3.4)
     scrypt (3.0.5)
       ffi-compiler (>= 1.0, < 2.0)
-    secure_headers (3.7.3)
-      useragent
+    secure_headers (6.0.0)
     selenium-webdriver (3.11.0)
       childprocess (~> 0.5)
       rubyzip (~> 1.2)
@@ -565,10 +564,10 @@ GEM
       json (>= 1.8, < 3)
       simplecov-html (~> 0.10.0)
     simplecov-html (0.10.0)
-    sinatra (2.0.1)
+    sinatra (2.0.2)
       mustermann (~> 1.0)
       rack (~> 2.0)
-      rack-protection (= 2.0.1)
+      rack-protection (= 2.0.2)
       tilt (~> 2.0)
     slim (3.0.9)
       temple (>= 0.7.6, < 0.9)
@@ -626,7 +625,6 @@ GEM
     unicode-display_width (1.3.0)
     uniform_notifier (1.11.0)
     user_agent_parser (2.4.1)
-    useragent (0.16.8)
     uuid (2.3.9)
       macaddr (~> 1.0)
     valid_email (0.1.0)
@@ -754,7 +752,7 @@ DEPENDENCIES
   sass-rails (~> 5.0)
   savon
   scrypt
-  secure_headers (~> 3.0)
+  secure_headers (~> 6.0)
   shoulda-matchers (~> 3.0)
   sidekiq
   simple_form
@@ -779,7 +777,7 @@ DEPENDENCIES
   zxcvbn-js
 
 RUBY VERSION
-   ruby 2.3.7p456
+   ruby 2.5.1p57
 
 BUNDLED WITH
    1.16.1

app/controllers/account_recovery_setup_controller.rb

@@ -0,0 +1,18 @@
+class AccountRecoverySetupController < ApplicationController
+  include AccountRecoverable
+  include UserAuthenticator
+
+  before_action :confirm_two_factor_authenticated
+
+  def index
+    return redirect_to account_url unless piv_cac_enabled_but_not_phone_enabled?
+    @two_factor_options_form = TwoFactorOptionsForm.new(current_user)
+    @presenter = account_recovery_options_presenter
+  end
+
+  private
+
+  def account_recovery_options_presenter
+    AccountRecoveryOptionsPresenter.new
+  end
+end

app/controllers/application_controller.rb

@@ -164,7 +164,7 @@ def confirm_two_factor_authenticated
   end
 
   def prompt_to_set_up_2fa
-    redirect_to phone_setup_url
+    redirect_to two_factor_options_url
   end
 
   def prompt_to_enter_otp
@@ -184,12 +184,17 @@ def sp_session
   end
 
   def render_not_found
-    render template: 'pages/page_not_found', layout: false, status: 404, formats: :html
+    render template: 'pages/page_not_found', layout: false, status: :not_found, formats: :html
   end
 
   def render_timeout(exception)
     analytics.track_event(Analytics::RESPONSE_TIMED_OUT, analytics_exception_info(exception))
-    render template: 'pages/page_took_too_long', layout: false, status: 503, formats: :html
+    render template: 'pages/page_took_too_long',
+           layout: false, status: :service_unavailable, formats: :html
+  end
+
+  def render_full_width(template, **opts)
+    render template, **opts, layout: 'base'
   end
 
   def analytics_exception_info(exception)

app/controllers/concerns/account_recoverable.rb

@@ -0,0 +1,5 @@
+module AccountRecoverable
+  def piv_cac_enabled_but_not_phone_enabled?
+    current_user.piv_cac_enabled? && !current_user.phone_enabled?
+  end
+end

app/controllers/concerns/authorizable.rb

@@ -0,0 +1,11 @@
+module Authorizable
+  def authorize_user
+    return unless current_user.phone_enabled?
+
+    if user_fully_authenticated?
+      redirect_to account_url
+    elsif current_user.two_factor_enabled?
+      redirect_to user_two_factor_authentication_url
+    end
+  end
+end

app/controllers/concerns/two_factor_authenticatable.rb

@@ -26,22 +26,21 @@ def authenticate_user
 
   def handle_second_factor_locked_user(type)
     analytics.track_event(Analytics::MULTI_FACTOR_AUTH_MAX_ATTEMPTS)
-    decorator = current_user.decorate
-    sign_out
-    render(
-      'two_factor_authentication/shared/max_login_attempts_reached',
-      locals: { type: type, decorator: decorator }
-    )
+    handle_max_attempts(type + '_login_attempts')
   end
 
   def handle_too_many_otp_sends
     analytics.track_event(Analytics::MULTI_FACTOR_AUTH_MAX_SENDS)
-    decorator = current_user.decorate
-    sign_out
-    render(
-      'two_factor_authentication/shared/max_otp_requests_reached',
-      locals: { decorator: decorator }
+    handle_max_attempts('otp_requests')
+  end
+
+  def handle_max_attempts(type)
+    presenter = TwoFactorAuthCode::MaxAttemptsReachedPresenter.new(
+      type,
+      decorated_user
     )
+    sign_out
+    render_full_width('shared/_failure', locals: { presenter: presenter })
   end
 
   def require_current_password
@@ -254,6 +253,7 @@ def authenticator_view_data
       two_factor_authentication_method: two_factor_authentication_method,
       user_email: current_user.email,
       remember_device_available: false,
+      phone_enabled: current_user.phone_enabled?,
     }.merge(generic_data)
   end
 

app/controllers/concerns/unconfirmed_user_concern.rb

@@ -43,7 +43,7 @@ def after_confirmation_url_for(user)
     elsif user.two_factor_enabled?
       account_url
     else
-      phone_setup_url
+      two_factor_options_url
     end
   end
 

app/controllers/idv/jurisdiction_controller.rb

@@ -27,8 +27,12 @@ def create
     end
 
     def show
-      @state = user_session[:idv_jurisdiction]
-      @reason = params[:reason]
+      presenter = JurisdictionFailurePresenter.new(
+        reason: params[:reason],
+        jurisdiction: user_session[:idv_jurisdiction],
+        view_context: view_context
+      )
+      render_full_width('shared/_failure', locals: { presenter: presenter })
     end
 
     def jurisdiction_params

app/controllers/idv/sessions_controller.rb

@@ -5,7 +5,7 @@ class SessionsController < ApplicationController
     include PersonalKeyConcern
 
     before_action :confirm_two_factor_authenticated, except: [:destroy]
-    before_action :confirm_idv_attempts_allowed
+    before_action :confirm_idv_attempts_allowed, except: %i[destroy success]
     before_action :confirm_idv_needed
     before_action :confirm_step_needed, except: %i[destroy success]
     before_action :initialize_idv_session, only: [:create]