Merge pull request #11167 from 18F/stages/rc-2024-08-29

Deploy RC 410 to Production

Gemfile

@@ -32,6 +32,7 @@ gem 'dotiw', '>= 4.0.1'
 gem 'faraday', '~> 2'
 gem 'faker'
 gem 'faraday-retry'
+gem 'fugit'
 gem 'foundation_emails'
 gem 'good_job', '~> 3.0'
 gem 'http_accept_language'

Gemfile.lock

@@ -788,6 +788,7 @@ DEPENDENCIES
   faraday (~> 2)
   faraday-retry
   foundation_emails
+  fugit
   good_job (~> 3.0)
   http_accept_language
   i18n-tasks (~> 1.0)

app/components/icon_list_item_component.html.erb

@@ -2,5 +2,5 @@
   <%= content_tag(:div, class: icon_css_class) do %>
     <%= render IconComponent.new(icon: icon) %>
   <% end %>
-  <div class="usa-icon-list__content"><%= content %></div>
+  <div class="usa-icon-list__content grid-col-fill"><%= content %></div>
 <% end %>

app/controllers/application_controller.rb

@@ -261,7 +261,7 @@ def user_needs_to_reactivate_account?
   end
 
   def user_recommended_for_piv_cac?
-    current_user.piv_cac_recommended_dismissed_at.nil? && current_user.has_gov_or_mil_email? &&
+    current_user.piv_cac_recommended_dismissed_at.nil? && current_user.has_fed_or_mil_email? &&
       !user_already_has_piv?
   end
 

app/controllers/concerns/mfa_setup_concern.rb

@@ -82,7 +82,7 @@ def show_skip_additional_mfa_link?
   end
 
   def check_if_possible_piv_user
-    if current_user.has_gov_or_mil_email? && current_user.piv_cac_recommended_dismissed_at.nil?
+    if current_user.has_fed_or_mil_email? && current_user.piv_cac_recommended_dismissed_at.nil?
       redirect_to login_piv_cac_recommended_path
     end
   end

app/controllers/concerns/saml_idp_auth_concern.rb

@@ -140,9 +140,18 @@ def link_identity_from_session_data
       link_identity(
         ial: resolved_authn_context_int_ial,
         rails_session_id: session.id,
+        email_address_id: email_address_id,
       )
   end
 
+  def email_address_id
+    return nil unless IdentityConfig.store.feature_select_email_to_share_enabled
+    return user_session[:selected_email_id] if user_session[:selected_email_id].present?
+    identity = current_user.identities.find_by(service_provider: sp_session['issuer'])
+    email_id = identity&.email_address_id
+    return email_id if email_id.is_a? Integer
+  end
+
   def identity_needs_verification?
     resolved_authn_context_result.identity_proofing? && current_user.identity_not_verified?
   end

app/controllers/openid_connect/authorization_controller.rb

@@ -84,9 +84,17 @@ def link_identity_to_service_provider
         current_user: current_user,
         ial: resolved_authn_context_int_ial,
         rails_session_id: session.id,
+        email_address_id: email_address_id,
       )
     end
 
+    def email_address_id
+      return nil unless IdentityConfig.store.feature_select_email_to_share_enabled
+      return user_session[:selected_email_id] if user_session[:selected_email_id].present?
+      identity = current_user.identities.find_by(service_provider: sp_session['issuer'])
+      identity&.email_address_id
+    end
+
     def ial_context
       IalContext.new(
         ial: resolved_authn_context_int_ial,

app/controllers/sign_up/completions_controller.rb

@@ -21,6 +21,10 @@ def update
       track_completion_event('agency-page')
       update_verified_attributes
       send_in_person_completion_survey
+      if user_session[:selected_email_id].nil?
+        user_session[:selected_email_id] = EmailContext.new(current_user).
+          last_sign_in_email_address.id
+      end
       if decider.go_back_to_mobile_app?
         sign_user_out_and_instruct_to_go_back_to_mobile_app
       else
@@ -49,6 +53,7 @@ def completions_presenter
         requested_attributes: decorated_sp_session.requested_attributes.map(&:to_sym),
         ial2_requested: ial2_requested?,
         completion_context: needs_completion_screen_reason,
+        selected_email_id: user_session[:selected_email_id],
       )
     end
 

app/controllers/sign_up/select_email_controller.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module SignUp
+  class SelectEmailController < ApplicationController
+    before_action :confirm_two_factor_authenticated
+    before_action :verify_needs_completions_screen
+
+    def show
+      @sp_name = current_sp.friendly_name || sp.agency&.name
+      @user_emails = user_emails
+      @last_sign_in_email_address = last_email
+      @select_email_form = build_select_email_form
+    end
+
+    def create
+      @select_email_form = build_select_email_form
+
+      result = @select_email_form.submit(form_params)
+      if result.success?
+        user_session[:selected_email_id] = form_params[:selected_email_id]
+        redirect_to sign_up_completed_path
+      else
+        flash[:error] = result.first_error_message
+        redirect_to sign_up_select_email_path
+      end
+    end
+
+    def user_emails
+      @user_emails = current_user.confirmed_email_addresses
+    end
+
+    private
+
+    def build_select_email_form
+      SelectEmailForm.new(current_user)
+    end
+
+    def form_params
+      params.fetch(:select_email_form, {}).permit(:selected_email_id)
+    end
+
+    def last_email
+      if user_session[:selected_email_id]
+        user_emails.find(user_session[:selected_email_id]).email
+      else
+        EmailContext.new(current_user).last_sign_in_email_address.email
+      end
+    end
+
+    def verify_needs_completions_screen
+      redirect_to account_url unless needs_completion_screen_reason
+    end
+  end
+end

app/controllers/socure_webhook_controller.rb

@@ -1,8 +1,12 @@
 # frozen_string_literal: true
 
 class SocureWebhookController < ApplicationController
+  include RenderConditionConcern
+
   skip_before_action :verify_authenticity_token
 
+  check_or_render_not_found -> { IdentityConfig.store.socure_webhook_enabled }
+
   def create
     if token_valid?
       render json: { message: 'Secret token is valid.' }

app/controllers/users/piv_cac_recommended_controller.rb

@@ -8,7 +8,7 @@ class PivCacRecommendedController < ApplicationController
 
     before_action :confirm_user_authenticated_for_2fa_setup
     before_action :apply_secure_headers_override
-    before_action :redirect_unless_user_email_is_gov_or_mil
+    before_action :redirect_unless_user_email_is_fed_or_mil
 
     def show
       @recommended_presenter = PivCacRecommendedPresenter.new(current_user)
@@ -30,8 +30,8 @@ def skip
 
     private
 
-    def redirect_unless_user_email_is_gov_or_mil
-      redirect_to after_sign_in_path_for(current_user) unless current_user.has_gov_or_mil_email?
+    def redirect_unless_user_email_is_fed_or_mil
+      redirect_to after_sign_in_path_for(current_user) unless current_user.has_fed_or_mil_email?
     end
   end
 end

app/controllers/users/two_factor_authentication_setup_controller.rb

@@ -16,7 +16,7 @@ def index
       @presenter = two_factor_options_presenter
       analytics.user_registration_2fa_setup_visit(
         enabled_mfa_methods_count:,
-        gov_or_mil_email: has_gov_or_mil_email?,
+        gov_or_mil_email: fed_or_mil_email?,
       )
     end
 
@@ -44,8 +44,8 @@ def two_factor_options_form
 
     private
 
-    def has_gov_or_mil_email?
-      current_user.confirmed_email_addresses.any?(&:gov_or_mil?)
+    def fed_or_mil_email?
+      current_user.confirmed_email_addresses.any?(&:fed_or_mil_email?)
     end
 
     def mfa_context

app/forms/openid_connect_authorize_form.rb

@@ -94,7 +94,8 @@ def service_provider
   def link_identity_to_service_provider(
     current_user:,
     ial:,
-    rails_session_id:
+    rails_session_id:,
+    email_address_id:
   )
     identity_linker = IdentityLinker.new(current_user, service_provider)
     @identity = identity_linker.link_identity(
@@ -106,6 +107,7 @@ def link_identity_to_service_provider(
       requested_aal_value: requested_aal_value,
       scope: scope.join(' '),
       code_challenge: code_challenge,
+      email_address_id: email_address_id,
     )
   end
 

app/forms/select_email_form.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+class SelectEmailForm
+  include ActiveModel::Model
+  include ActionView::Helpers::TranslationHelper
+
+  attr_reader :user, :selected_email_id
+
+  validate :validate_owns_selected_email
+
+  def initialize(user)
+    @user = user
+  end
+
+  def submit(params)
+    @selected_email_id = params[:selected_email_id]
+
+    success = valid?
+    FormResponse.new(success:, errors:)
+  end
+
+  private
+
+  def validate_owns_selected_email
+    return if user.confirmed_email_addresses.exists?(id: selected_email_id)
+
+    errors.add :email, I18n.t(
+      'email_address.not_found',
+    ), type: :selected_email_id
+  end
+end

app/jobs/get_usps_proofing_results_job.rb

@@ -236,7 +236,7 @@ def handle_unsupported_id_type(enrollment, response)
       proofed_at: proofed_at,
       status_check_completed_at: Time.zone.now,
     )
-
+    enrollment.profile.deactivate_due_to_in_person_verification_cancelled
     # send SMS and email
     send_enrollment_status_sms_notification(enrollment: enrollment)
     send_failed_email(enrollment.user, enrollment)
@@ -271,7 +271,7 @@ def handle_expired_status_update(enrollment, response, response_message)
       status: :expired,
       status_check_completed_at: Time.zone.now,
     )
-    enrollment.profile.deactivate_due_to_ipp_expiration
+    enrollment.profile.deactivate_due_to_in_person_verification_cancelled
 
     if fraud_result_pending?(enrollment)
       analytics(user: enrollment.user).idv_ipp_deactivated_for_never_visiting_post_office(
@@ -325,8 +325,10 @@ def handle_fraud_review_pending(enrollment)
   end
 
   def handle_unexpected_response(enrollment, response_message, reason:, cancel: true)
-    enrollment.cancelled! if cancel
-
+    if cancel
+      enrollment.cancelled!
+      enrollment.profile.deactivate_due_to_in_person_verification_cancelled
+    end
     analytics(user: enrollment.user).
       idv_in_person_usps_proofing_results_job_unexpected_response(
         **enrollment_analytics_attributes(enrollment, complete: cancel),
@@ -352,7 +354,7 @@ def handle_failed_status(enrollment, response)
       proofed_at: proofed_at,
       status_check_completed_at: Time.zone.now,
     )
-
+    enrollment.profile.deactivate_due_to_in_person_verification_cancelled
     # send SMS and email
     send_enrollment_status_sms_notification(enrollment: enrollment)
     if response['fraudSuspected']
@@ -442,6 +444,7 @@ def handle_unsupported_secondary_id(enrollment, response)
       proofed_at: proofed_at,
       status_check_completed_at: Time.zone.now,
     )
+    enrollment.profile.deactivate_due_to_in_person_verification_cancelled
     # send SMS and email
     send_enrollment_status_sms_notification(enrollment: enrollment)
     send_failed_email(enrollment.user, enrollment)

app/models/email_address.rb

@@ -11,6 +11,7 @@ class EmailAddress < ApplicationRecord
   # rubocop:disable Rails/HasManyOrHasOneDependent
   has_one :suspended_email
   # rubocop:enable Rails/HasManyOrHasOneDependent
+  has_many :identities, class_name: 'ServiceProviderIdentity', dependent: :nullify
 
   scope :confirmed, -> { where('confirmed_at IS NOT NULL') }
 
@@ -29,8 +30,25 @@ def confirmation_period_expired?
     Time.zone.now > expiration_time
   end
 
-  def gov_or_mil?
-    email.end_with?('.gov', '.mil')
+  def domain
+    Mail::Address.new(email).domain
+  end
+
+  def fed_or_mil_email?
+    fed_email? || mil_email?
+  end
+
+  def fed_email?
+    if IdentityConfig.store.use_fed_domain_class
+      return false unless domain
+      FederalEmailDomain.fed_domain?(domain)
+    else
+      email.end_with?('.gov')
+    end
+  end
+
+  def mil_email?
+    email.end_with?('.mil')
   end
 
   class << self

app/models/federal_email_domain.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class FederalEmailDomain < ApplicationRecord
+  def self.fed_domain?(domain)
+    exists?(name: domain)
+  end
+end

app/models/profile.rb

@@ -196,7 +196,7 @@ def deactivate_due_to_gpo_expiration
     )
   end
 
-  def deactivate_due_to_ipp_expiration
+  def deactivate_due_to_in_person_verification_cancelled
     update!(
       active: false,
       deactivation_reason: :verification_cancelled,

app/models/service_provider_identity.rb

@@ -19,6 +19,8 @@ class ServiceProviderIdentity < ApplicationRecord
   # rubocop:enable Rails/InverseOf
   has_one :agency, through: :service_provider_record
 
+  belongs_to :email_address
+
   scope :not_deleted, -> { where(deleted_at: nil) }
 
   CONSENT_EXPIRATION = 1.year.freeze

app/models/user.rb

@@ -79,8 +79,8 @@ def confirmed?
     email_addresses.where.not(confirmed_at: nil).any?
   end
 
-  def has_gov_or_mil_email?
-    confirmed_email_addresses.any?(&:gov_or_mil?)
+  def has_fed_or_mil_email?
+    confirmed_email_addresses.any?(&:fed_or_mil_email?)
   end
 
   def accepted_rules_of_use_still_valid?