Merge pull request #11359 from 18F/stages/rc-2024-10-17

Deploy RC 423 to Prod

app/controllers/users/emails_controller.rb

@@ -13,6 +13,7 @@ class EmailsController < ApplicationController
     def show
       analytics.add_email_visit
       @add_user_email_form = AddUserEmailForm.new
+      @pending_completions_consent = pending_completions_consent?
     end
 
     def add
@@ -62,6 +63,10 @@ def delete
       redirect_to account_url
     end
 
+    def pending_completions_consent?
+      needs_completion_screen_reason.present?
+    end
+
     def verify
       if session_email.blank?
         redirect_to add_email_url

app/views/users/emails/show.html.erb

@@ -14,7 +14,13 @@
   <% end %>
 </div>
 
-<%= render 'shared/cancel', link: decorated_sp_session.cancel_link_url %>
+<% if @pending_completions_consent %>
+  <%= render PageFooterComponent.new do %>
+    <%= link_to t('forms.buttons.back'), sign_up_completed_url %>
+  <% end %>
+<% else %>
+  <%= render 'shared/cancel', link: decorated_sp_session.cancel_link_url %>
+<% end %>
 
 <p class="margin-top-2">
   <%= new_tab_link_to(

config/locales/zh.yml

@@ -672,7 +672,7 @@ doc_auth.info.verify_identity: 我们会要求获得你的身份识别、电话
 doc_auth.info.verify_online_description: 如果你没有移动设备或者无法轻松拍身份证件照片，这一选项更好。
 doc_auth.info.verify_online_description_selfie: 如果你有手机可以拍照，请选择该选项。
 doc_auth.info.verify_online_instruction: 你将拍身份证件的照片来完全在网上验证身份。大多数用户都能轻松完成这样流程。
-doc_auth.info.verify_online_instruction_selfie: 使用手机在网上验证你的身份你将用手机拍摄身份证件和本人的照片。大多数用户都能轻松完成这一流程。
+doc_auth.info.verify_online_instruction_selfie: 你将用手机拍摄身份证件和本人的照片。大多数用户都能轻松完成这一流程。
 doc_auth.info.verify_online_link_text: 对网上验证获得更多了解
 doc_auth.info.you_entered: 你输入了：
 doc_auth.instructions.bullet1: 带上驾照或州身份证件

spec/controllers/idv/by_mail/resend_letter_controller_spec.rb

@@ -84,6 +84,31 @@
       )
     end
 
+    context 'when using vtr values' do
+      it 'uses the GPO confirmation maker to send another letter and redirects', :freeze_time do
+        expect_to_resend_letter_and_redirect(vtr: true)
+
+        expect(@analytics).to have_logged_event(
+          'IdV: USPS address letter requested',
+          hash_including(
+            resend: true,
+            first_letter_requested_at: user.pending_profile.gpo_verification_pending_at,
+            hours_since_first_letter: 24,
+          ),
+        )
+
+        expect(@analytics).to have_logged_event(
+          'IdV: USPS address letter enqueued',
+          hash_including(
+            resend: true,
+            first_letter_requested_at: user.pending_profile.gpo_verification_pending_at,
+            hours_since_first_letter: 24,
+            enqueued_at: Time.zone.now,
+          ),
+        )
+      end
+    end
+
     it 'redirects to capture password controller if the PII is locked' do
       pii_cacher = instance_double(Pii::Cacher)
       allow(pii_cacher).to receive(:fetch).and_return(nil)
@@ -96,15 +121,21 @@
     end
   end
 
-  def expect_to_resend_letter_and_redirect
+  def expect_to_resend_letter_and_redirect(vtr: false)
     pii = user.pending_profile.decrypt_pii(user.password).to_h
     pii_cacher = instance_double(Pii::Cacher)
     allow(pii_cacher).to receive(:fetch).with(user.pending_profile.id).and_return(pii)
     allow(pii_cacher).to receive(:exists_in_session?).and_return(true)
     allow(Pii::Cacher).to receive(:new).and_return(pii_cacher)
 
     service_provider = create(:service_provider, issuer: '123abc')
-    session[:sp] = { issuer: service_provider.issuer, vtr: ['C1'] }
+    session[:sp] = { issuer: service_provider.issuer }
+
+    if vtr
+      session[:sp][:vtr] = ['C1']
+    else
+      session[:sp][:acr_values] = Saml::Idp::Constants::AAL1_AUTHN_CONTEXT_CLASSREF
+    end
 
     gpo_confirmation_maker = instance_double(GpoConfirmationMaker)
     allow(GpoConfirmationMaker).to receive(:new).

spec/controllers/idv/personal_key_controller_spec.rb

@@ -414,14 +414,34 @@ def assert_personal_key_generated_for_profiles(*profile_pii_pairs)
 
   describe '#update' do
     context 'user selected phone verification' do
-      it 'redirects to sign up completed for an sp' do
-        subject.session[:sp] = {
-          issuer: create(:service_provider).issuer,
-          vtr: ['C1'],
-        }
-        patch :update
+      context 'with an sp' do
+        let(:acr_values) { Saml::Idp::Constants::AAL1_AUTHN_CONTEXT_CLASSREF }
+        let(:vtr) { nil }
+
+        before do
+          subject.session[:sp] = {
+            issuer: create(:service_provider).issuer,
+            acr_values:,
+            vtr:,
+          }
+        end
+
+        it 'redirects to sign up completed for the sp' do
+          patch :update
 
-        expect(response).to redirect_to sign_up_completed_url
+          expect(response).to redirect_to sign_up_completed_url
+        end
+
+        context 'with vtr values' do
+          let(:acr_values) { nil }
+          let(:vtr) { ['C1'] }
+
+          it 'redirects to sign up completed for the sp' do
+            patch :update
+
+            expect(response).to redirect_to sign_up_completed_url
+          end
+        end
       end
 
       it 'redirects to the account path when no sp present' do

spec/controllers/idv/verify_info_controller_spec.rb

@@ -481,21 +481,44 @@
       expect(response).to redirect_to idv_verify_info_url
     end
 
-    it 'modifies pii as expected' do
-      app_id = 'hello-world'
-      sp = create(:service_provider, app_id: app_id)
-      sp_session = { issuer: sp.issuer, vtr: ['C1'] }
-      allow(controller).to receive(:sp_session).and_return(sp_session)
-
-      expect(Idv::Agent).to receive(:new).with(
-        hash_including(
-          ssn: Idp::Constants::MOCK_IDV_APPLICANT_WITH_SSN[:ssn],
-          consent_given_at: controller.idv_session.idv_consent_given_at,
-          **Idp::Constants::MOCK_IDV_APPLICANT,
-        ),
-      ).and_call_original
+    context 'with an sp' do
+      let(:sp) { create(:service_provider) }
+      let(:acr_values) { Saml::Idp::Constants::AAL1_AUTHN_CONTEXT_CLASSREF }
+      let(:vtr) { nil }
+      let(:sp_session) { { issuer: sp.issuer, vtr:, acr_values: } }
 
-      put :update
+      before do
+        allow(controller).to receive(:sp_session).and_return(sp_session)
+      end
+
+      it 'modifies PII as expected' do
+        expect(Idv::Agent).to receive(:new).with(
+          hash_including(
+            ssn: Idp::Constants::MOCK_IDV_APPLICANT_WITH_SSN[:ssn],
+            consent_given_at: controller.idv_session.idv_consent_given_at,
+            **Idp::Constants::MOCK_IDV_APPLICANT,
+          ),
+        ).and_call_original
+
+        put :update
+      end
+
+      context 'with vtr values' do
+        let(:acr_values) { nil }
+        let(:vtr) { ['C1'] }
+
+        it 'modifies PII as expected' do
+          expect(Idv::Agent).to receive(:new).with(
+            hash_including(
+              ssn: Idp::Constants::MOCK_IDV_APPLICANT_WITH_SSN[:ssn],
+              consent_given_at: controller.idv_session.idv_consent_given_at,
+              **Idp::Constants::MOCK_IDV_APPLICANT,
+            ),
+          ).and_call_original
+
+          put :update
+        end
+      end
     end
 
     it 'updates DocAuthLog verify_submit_count' do

spec/controllers/idv_controller_spec.rb

@@ -58,16 +58,30 @@
 
       context 'but user needs to redo idv with facial match' do
         let(:current_sp) { create(:service_provider) }
-
         before do
           session[:sp] =
-            { issuer: current_sp.issuer, vtr: ['C2.Pb'] }
+            {
+              issuer: current_sp.issuer,
+              acr_values: Saml::Idp::Constants::IAL_VERIFIED_FACIAL_MATCH_REQUIRED_ACR,
+            }
         end
 
         it 'redirects to welcome' do
           get :index
           expect(response).to redirect_to idv_welcome_url
         end
+
+        context 'using vectors of trust' do
+          before do
+            session[:sp] =
+              { issuer: current_sp.issuer, vtr: ['C2.Pb'] }
+          end
+
+          it 'redirects to welcome' do
+            get :index
+            expect(response).to redirect_to idv_welcome_url
+          end
+        end
       end
     end
 
@@ -243,6 +257,27 @@
             get :index
             expect(response).to redirect_to idv_welcome_url
           end
+
+          context 'when using semantic acr_values' do
+            let(:acr_values) { Saml::Idp::Constants::IAL_AUTH_ONLY_ACR }
+
+            before do
+              allow(IdentityConfig).to receive(
+                :allowed_valid_authn_context_semantic_providers,
+              ).and_return([current_sp])
+            end
+
+            it 'redirects back to the account page' do
+              get :index
+              expect(response).to redirect_to account_url
+            end
+
+            it 'begins the proofing process if the user has a profile' do
+              create(:profile, :verified, user: user)
+              get :index
+              expect(response).to redirect_to idv_welcome_url
+            end
+          end
         end
 
         context 'no SP required' do
@@ -253,6 +288,22 @@
 
             expect(response).to redirect_to idv_welcome_url
           end
+
+          context 'when using semantic acr_values' do
+            let(:acr_values) { Saml::Idp::Constants::IAL_AUTH_ONLY_ACR }
+
+            before do
+              allow(IdentityConfig).to receive(
+                :allowed_valid_authn_context_semantic_providers,
+              ).and_return([current_sp])
+            end
+
+            it 'begins the identity proofing process' do
+              get :index
+
+              expect(response).to redirect_to idv_welcome_url
+            end
+          end
         end
       end
 
@@ -266,6 +317,25 @@
             get :index
             expect(response).to redirect_to idv_welcome_url
           end
+
+          context 'with semantic acr_values' do
+            let(:acr_values) { Saml::Idp::Constants::IAL_VERIFIED_ACR }
+
+            before do
+              allow(IdentityConfig).to receive(
+                :allowed_valid_authn_context_semantic_providers,
+              ).and_return([current_sp])
+            end
+
+            context 'when an SP is required' do
+              let(:idv_sp_required) { true }
+
+              it 'begins the identity proofing process' do
+                get :index
+                expect(response).to redirect_to idv_welcome_url
+              end
+            end
+          end
         end
 
         context 'no SP required' do
@@ -276,6 +346,22 @@
 
             expect(response).to redirect_to idv_welcome_url
           end
+
+          context 'with semantic acr_values' do
+            let(:acr_values) { Saml::Idp::Constants::IAL_VERIFIED_ACR }
+
+            before do
+              allow(IdentityConfig).to receive(
+                :allowed_valid_authn_context_semantic_providers,
+              ).and_return([current_sp])
+            end
+
+            it 'begins the identity proofing process' do
+              get :index
+
+              expect(response).to redirect_to idv_welcome_url
+            end
+          end
         end
       end
     end

spec/controllers/users/emails_controller_spec.rb

@@ -12,17 +12,40 @@
 
   context 'user visits add an email address page' do
     let(:user) { create(:user) }
+
     before do
       stub_sign_in(user)
       stub_analytics
     end
-    it 'renders the index view' do
+
+    it 'renders the show view' do
       get :show
 
       expect(@analytics).to have_logged_event('Add Email Address Page Visited')
     end
   end
 
+  context 'user visits add an email address from SP consent flow' do
+    let(:user) { create(:user) }
+    let(:current_sp) { create(:service_provider) }
+
+    before do
+      stub_sign_in(user)
+      subject.session[:sp] = {
+        issuer: current_sp.issuer,
+        acr_values: Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF,
+        requested_attributes: [:email],
+        request_url: 'http://localhost:3000',
+      }
+    end
+
+    it 'sets the pending completions consent value to true' do
+      get :show
+
+      expect(controller.pending_completions_consent?).to eq(true)
+    end
+  end
+
   describe '#limit' do
     context 'user exceeds email limit' do
       let(:user) { create(:user) }