Merge pull request #11309 from 18F/stages/rc-2024-10-03

Deploy RC 419 to Production

.gitignore

@@ -5,6 +5,7 @@
 #   git config --global core.excludesfile ~/.gitignore_global
 
 .generators
+*.db
 *.pyc
 *.rbc
 **.orig

Gemfile

@@ -122,6 +122,7 @@ group :development, :test do
   gem 'rubocop-performance', '~> 1.20.2', require: false
   gem 'rubocop-rails', '>= 2.5.2', require: false
   gem 'rubocop-rspec', require: false
+  gem 'sqlite3', require: false
 end
 
 group :test do

Gemfile.lock

@@ -681,6 +681,8 @@ GEM
     simpleidn (0.2.1)
       unf (~> 0.1.4)
     smart_properties (1.17.0)
+    sqlite3 (2.1.0)
+      mini_portile2 (~> 2.8.0)
     stringex (2.8.5)
     stringio (3.1.1)
     strong_migrations (2.0.0)
@@ -862,6 +864,7 @@ DEPENDENCIES
   simplecov (~> 0.22.0)
   simplecov-cobertura
   simplecov_json_formatter
+  sqlite3
   stringex
   strong_migrations (>= 0.4.2)
   tableparser

app/controllers/concerns/idv/document_capture_concern.rb

@@ -46,7 +46,7 @@ def stored_result
     end
 
     def selfie_requirement_met?
-      !resolved_authn_context_result.biometric_comparison? ||
+      !resolved_authn_context_result.facial_match? ||
         stored_result.selfie_check_performed?
     end
 

app/controllers/concerns/idv_session_concern.rb

@@ -17,7 +17,7 @@ def hybrid_session?
   end
 
   def idv_needed?
-    user_needs_biometric_comparison? ||
+    user_needs_facial_match? ||
       idv_session_user.active_profile.blank? ||
       decorated_sp_session.requested_more_recent_verification?
   end
@@ -59,8 +59,8 @@ def idv_session_user
     current_user
   end
 
-  def user_needs_biometric_comparison?
-    resolved_authn_context_result.biometric_comparison? &&
-      !idv_session_user.identity_verified_with_biometric_comparison?
+  def user_needs_facial_match?
+    resolved_authn_context_result.facial_match? &&
+      !idv_session_user.identity_verified_with_facial_match?
   end
 end

app/controllers/concerns/idv_step_concern.rb

@@ -108,7 +108,7 @@ def flow_policy
 
   def confirm_step_allowed
     # set it everytime, since user may switch SP
-    idv_session.selfie_check_required = resolved_authn_context_result.biometric_comparison?
+    idv_session.selfie_check_required = resolved_authn_context_result.facial_match?
     return if flow_policy.controller_allowed?(controller: self.class)
 
     redirect_to url_for_latest_step

app/controllers/idv/document_capture_controller.rb

@@ -54,7 +54,7 @@ def extra_view_variables
         skip_doc_auth_from_how_to_verify: idv_session.skip_doc_auth_from_how_to_verify,
         skip_doc_auth_from_handoff: idv_session.skip_doc_auth_from_handoff,
         opted_in_to_in_person_proofing: idv_session.opted_in_to_in_person_proofing,
-        doc_auth_selfie_capture: resolved_authn_context_result.biometric_comparison?,
+        doc_auth_selfie_capture: resolved_authn_context_result.facial_match?,
       }.merge(
         acuant_sdk_upgrade_a_b_testing_variables,
       )
@@ -100,8 +100,8 @@ def analytics_arguments
         analytics_id: 'Doc Auth',
         redo_document_capture: idv_session.redo_document_capture,
         skip_hybrid_handoff: idv_session.skip_hybrid_handoff,
-        liveness_checking_required: resolved_authn_context_result.biometric_comparison?,
-        selfie_check_required: resolved_authn_context_result.biometric_comparison?,
+        liveness_checking_required: resolved_authn_context_result.facial_match?,
+        selfie_check_required: resolved_authn_context_result.facial_match?,
       }.merge(ab_test_analytics_buckets)
     end
 

app/controllers/idv/hybrid_mobile/capture_complete_controller.rb

@@ -24,7 +24,7 @@ def analytics_arguments
           flow_path: 'hybrid',
           step: 'capture_complete',
           analytics_id: 'Doc Auth',
-          liveness_checking_required: resolved_authn_context_result.biometric_comparison?,
+          liveness_checking_required: resolved_authn_context_result.facial_match?,
         }.merge(ab_test_analytics_buckets)
       end
     end

app/controllers/idv/hybrid_mobile/document_capture_controller.rb

@@ -45,7 +45,7 @@ def extra_view_variables
           mock_client: doc_auth_vendor == 'mock',
           document_capture_session_uuid: document_capture_session_uuid,
           failure_to_proof_url: return_to_sp_failure_to_proof_url(step: 'document_capture'),
-          doc_auth_selfie_capture: resolved_authn_context_result.biometric_comparison?,
+          doc_auth_selfie_capture: resolved_authn_context_result.facial_match?,
         }.merge(
           acuant_sdk_upgrade_a_b_testing_variables,
         )
@@ -58,8 +58,8 @@ def analytics_arguments
           flow_path: 'hybrid',
           step: 'document_capture',
           analytics_id: 'Doc Auth',
-          liveness_checking_required: resolved_authn_context_result.biometric_comparison?,
-          selfie_check_required: resolved_authn_context_result.biometric_comparison?,
+          liveness_checking_required: resolved_authn_context_result.facial_match?,
+          selfie_check_required: resolved_authn_context_result.facial_match?,
         }.merge(
           ab_test_analytics_buckets,
         )

app/controllers/idv/image_uploads_controller.rb

@@ -27,7 +27,7 @@ def image_upload_form
         service_provider: current_sp,
         analytics: analytics,
         uuid_prefix: current_sp&.app_id,
-        liveness_checking_required: resolved_authn_context_result.biometric_comparison?,
+        liveness_checking_required: resolved_authn_context_result.facial_match?,
       )
     end
   end

app/controllers/idv_controller.rb

@@ -33,8 +33,8 @@ def activated
   private
 
   def already_verified?
-    if resolved_authn_context_result.biometric_comparison?
-      current_user.identity_verified_with_biometric_comparison?
+    if resolved_authn_context_result.facial_match?
+      current_user.identity_verified_with_facial_match?
     else
       current_user.active_profile.present?
     end

app/controllers/openid_connect/authorization_controller.rb

@@ -31,7 +31,7 @@ def index
         return redirect_to reactivate_account_url if user_needs_to_reactivate_account?
         return redirect_to url_for_pending_profile_reason if user_has_pending_profile?
         return redirect_to idv_url if identity_needs_verification?
-        return redirect_to idv_url if biometric_comparison_needed?
+        return redirect_to idv_url if facial_match_needed?
       end
       return redirect_to sign_up_completed_url if needs_completion_screen_reason
       link_identity_to_service_provider
@@ -140,9 +140,9 @@ def identity_needs_verification?
         decorated_sp_session.requested_more_recent_verification?)
     end
 
-    def biometric_comparison_needed?
-      resolved_authn_context_result.biometric_comparison? &&
-        !current_user.identity_verified_with_biometric_comparison?
+    def facial_match_needed?
+      resolved_authn_context_result.facial_match? &&
+        !current_user.identity_verified_with_facial_match?
     end
 
     def build_authorize_form_from_params

app/controllers/saml_idp_controller.rb

@@ -37,7 +37,7 @@ def auth
       return redirect_to reactivate_account_url if user_needs_to_reactivate_account?
       return redirect_to url_for_pending_profile_reason if user_has_pending_profile?
       return redirect_to idv_url if identity_needs_verification?
-      return redirect_to idv_url if biometric_comparison_needed?
+      return redirect_to idv_url if facial_match_needed?
     end
     return redirect_to sign_up_completed_url if needs_completion_screen_reason
     if auth_count == 1 && first_visit_for_sp?
@@ -113,9 +113,9 @@ def prompt_for_password_if_ial2_request_and_pii_locked
     redirect_to capture_password_url
   end
 
-  def biometric_comparison_needed?
-    resolved_authn_context_result.biometric_comparison? &&
-      !current_user.identity_verified_with_biometric_comparison?
+  def facial_match_needed?
+    resolved_authn_context_result.facial_match? &&
+      !current_user.identity_verified_with_facial_match?
   end
 
   def set_devise_failure_redirect_for_concurrent_session_logout

app/forms/openid_connect_authorize_form.rb

@@ -312,7 +312,7 @@ def scopes
   def validate_privileges
     if (identity_proofing_requested? && !identity_proofing_service_provider?) ||
        (ialmax_requested? && !ialmax_allowed_for_sp?) ||
-       (biometric_ial_requested? && !service_provider.biometric_ial_allowed?) ||
+       (facial_match_ial_requested? && !service_provider.facial_match_ial_allowed?) ||
        (semantic_authn_contexts_requested? && !service_provider.semantic_authn_contexts_allowed?)
       errors.add(
         :acr_values, t('openid_connect.authorization.errors.no_auth'),
@@ -351,8 +351,8 @@ def ialmax_requested?
     Saml::Idp::Constants::AUTHN_CONTEXT_CLASSREF_TO_IAL[ial_values.sort.max] == 0
   end
 
-  def biometric_ial_requested?
-    ial_values.any? { |ial| Saml::Idp::Constants::BIOMETRIC_IAL_CONTEXTS.include? ial }
+  def facial_match_ial_requested?
+    ial_values.any? { |ial| Saml::Idp::Constants::FACIAL_MATCH_IAL_CONTEXTS.include? ial }
   end
 
   def highest_level_aal(aal_values)

app/javascript/packages/document-capture/components/document-capture-review-issues.tsx

@@ -79,9 +79,13 @@ function DocumentCaptureReviewIssues({
           ]}
         />
       )}
-      <DocumentsCaptureStep defaultSideProps={defaultSideProps} value={value} />
+      <DocumentsCaptureStep defaultSideProps={defaultSideProps} value={value} isReviewStep />
       {isSelfieCaptureEnabled && (
-        <SelfieCaptureStep defaultSideProps={defaultSideProps} selfieValue={value.selfie} />
+        <SelfieCaptureStep
+          defaultSideProps={defaultSideProps}
+          selfieValue={value.selfie}
+          isReviewStep
+        />
       )}
       <FormStepsButton.Submit />
       <Cancel />

app/javascript/packages/document-capture/components/document-capture.tsx

@@ -141,25 +141,22 @@ function DocumentCapture({ onStepChange = () => {} }: DocumentCaptureProps) {
   if (submissionError && formValues) {
     initialValues = formValues;
   }
-
+  // If the user got here by opting-in to in-person proofing, when skipDocAuth === true,
+  // then set steps to inPersonSteps
+  const isInPersonStepEnabled = skipDocAuth || skipDocAuthFromHandoff;
   const inPersonSteps: FormStep[] =
     inPersonURL === undefined
       ? []
       : ([prepareFormStep, locationFormStep, flowPath === 'hybrid' && hybridFormStep].filter(
           Boolean,
         ) as FormStep[]);
-  const reviewAfterFailedSteps = [reviewFormStep] as FormStep[];
-  const reviewWithInPersonSteps = reviewAfterFailedSteps.concat(inPersonSteps);
-  const afterSubmissionErrorSteps = docAuthSeparatePagesEnabled
-    ? reviewAfterFailedSteps
-    : reviewWithInPersonSteps;
-  const defaultSteps: FormStep[] = submissionError ? afterSubmissionErrorSteps : documentsFormSteps;
-
-  // If the user got here by opting-in to in-person proofing, when skipDocAuth === true,
-  // then set steps to inPersonSteps
-  const isInPersonStepEnabled = skipDocAuth || skipDocAuthFromHandoff;
-  const steps: FormStep[] = isInPersonStepEnabled ? inPersonSteps : defaultSteps;
 
+  let steps = documentsFormSteps;
+  if (isInPersonStepEnabled) {
+    steps = inPersonSteps;
+  } else if (submissionError) {
+    steps = [reviewFormStep, ...inPersonSteps];
+  }
   // If the user got here by opting-in to in-person proofing, when skipDocAuth === true;
   // or opting-in ipp from handoff page, and selfie is required, when skipDocAuthFromHandoff === true
   // then set stepIndicatorPath to VerifyFlowPath.IN_PERSON

app/javascript/packages/document-capture/components/document-side-acuant-capture.tsx

@@ -22,6 +22,7 @@ interface DocumentSideAcuantCaptureProps {
   errors: FormStepError<{ front: string; back: string; selfie: string }>[];
   onError: OnErrorCallback;
   className?: string;
+  isReviewStep: boolean;
 }
 
 /**
@@ -52,13 +53,14 @@ function DocumentSideAcuantCapture({
   errors,
   onError,
   className,
+  isReviewStep,
 }: DocumentSideAcuantCaptureProps) {
   const error = errors.find(({ field }) => field === side)?.error;
   const { changeStepCanComplete } = useContext(FormStepsContext);
   const { isSelfieCaptureEnabled, isSelfieDesktopTestMode, docAuthSeparatePagesEnabled } =
     useContext(SelfieCaptureContext);
   const isUploadAllowed = isSelfieDesktopTestMode || !isSelfieCaptureEnabled;
-  const stepCanComplete = docAuthSeparatePagesEnabled ? undefined : true;
+  const stepCanComplete = docAuthSeparatePagesEnabled && !isReviewStep ? undefined : true;
   return (
     <AcuantCapture
       ref={registerField(side, { isRequired: true })}

app/javascript/packages/document-capture/components/documents-and-selfie-step.tsx

@@ -68,9 +68,17 @@ export default function DocumentsAndSelfieStep({
           t('doc_auth.tips.document_capture_id_text3'),
         ].concat(!isMobile ? [t('doc_auth.tips.document_capture_id_text4')] : [])}
       />
-      <DocumentsCaptureStep defaultSideProps={defaultSideProps} value={value} />
+      <DocumentsCaptureStep
+        defaultSideProps={defaultSideProps}
+        value={value}
+        isReviewStep={false}
+      />
       {isSelfieCaptureEnabled && (
-        <SelfieCaptureStep defaultSideProps={defaultSideProps} selfieValue={value.selfie} />
+        <SelfieCaptureStep
+          defaultSideProps={defaultSideProps}
+          selfieValue={value.selfie}
+          isReviewStep={false}
+        />
       )}
       {isLastStep ? <FormStepsButton.Submit /> : <FormStepsButton.Continue />}
       <Cancel />

app/javascript/packages/document-capture/components/documents-step.tsx

@@ -16,9 +16,11 @@ import DocumentSideAcuantCapture from './document-side-acuant-capture';
 export function DocumentsCaptureStep({
   defaultSideProps,
   value,
+  isReviewStep = false,
 }: {
   defaultSideProps: DefaultSideProps;
   value: Record<string, ImageValue>;
+  isReviewStep: boolean;
 }) {
   type DocumentSide = 'front' | 'back';
   const documentsSides: DocumentSide[] = ['front', 'back'];
@@ -30,6 +32,7 @@ export function DocumentsCaptureStep({
           key={side}
           side={side}
           value={value[side]}
+          isReviewStep={isReviewStep}
         />
       ))}
     </>
@@ -81,7 +84,11 @@ export default function DocumentsStep({
           t('doc_auth.tips.document_capture_id_text3'),
         ].concat(!isMobile ? [t('doc_auth.tips.document_capture_id_text4')] : [])}
       />
-      <DocumentsCaptureStep defaultSideProps={defaultSideProps} value={value} />
+      <DocumentsCaptureStep
+        defaultSideProps={defaultSideProps}
+        value={value}
+        isReviewStep={false}
+      />
       <FormStepsButton.Continue />
       <Cancel />
     </>

app/javascript/packages/document-capture/components/selfie-step.tsx

@@ -20,9 +20,11 @@ import {
 export function SelfieCaptureStep({
   defaultSideProps,
   selfieValue,
+  isReviewStep,
 }: {
   defaultSideProps: DefaultSideProps;
   selfieValue: ImageValue;
+  isReviewStep: boolean;
 }) {
   const { t } = useI18n();
   return (
@@ -45,6 +47,7 @@ export function SelfieCaptureStep({
         key="selfie"
         side="selfie"
         value={selfieValue}
+        isReviewStep={isReviewStep}
       />
     </>
   );
@@ -72,7 +75,11 @@ export default function SelfieStep({
     <>
       {flowPath === 'hybrid' && <HybridDocCaptureWarning className="margin-bottom-4" />}
       <PageHeading>{pageHeaderText}</PageHeading>
-      <SelfieCaptureStep defaultSideProps={defaultSideProps} selfieValue={value.selfie} />
+      <SelfieCaptureStep
+        defaultSideProps={defaultSideProps}
+        selfieValue={value.selfie}
+        isReviewStep={false}
+      />
       {isLastStep ? <FormStepsButton.Submit /> : <FormStepsButton.Continue />}
       <Cancel />
     </>

app/models/anonymous_user.rb

@@ -53,7 +53,7 @@ def locked_out?
     second_factor_locked_at.present? && !lockout_period_expired?
   end
 
-  def identity_verified_with_biometric_comparison?
+  def identity_verified_with_facial_match?
     false
   end