Merge pull request #11171 from 18F/stages/rc-2024-08-29-patch-1

Deploy RC 410.1 to production

Gemfile

@@ -32,6 +32,7 @@ gem 'dotiw', '>= 4.0.1'
 gem 'faraday', '~> 2'
 gem 'faker'
 gem 'faraday-retry'
+gem 'fugit'
 gem 'foundation_emails'
 gem 'good_job', '~> 3.0'
 gem 'http_accept_language'

Gemfile.lock

@@ -788,6 +788,7 @@ DEPENDENCIES
   faraday (~> 2)
   faraday-retry
   foundation_emails
+  fugit
   good_job (~> 3.0)
   http_accept_language
   i18n-tasks (~> 1.0)

app/controllers/application_controller.rb

@@ -261,7 +261,7 @@ def user_needs_to_reactivate_account?
   end
 
   def user_recommended_for_piv_cac?
-    current_user.piv_cac_recommended_dismissed_at.nil? && current_user.has_gov_or_mil_email? &&
+    current_user.piv_cac_recommended_dismissed_at.nil? && current_user.has_fed_or_mil_email? &&
       !user_already_has_piv?
   end
 

app/controllers/concerns/mfa_setup_concern.rb

@@ -82,7 +82,7 @@ def show_skip_additional_mfa_link?
   end
 
   def check_if_possible_piv_user
-    if current_user.has_gov_or_mil_email? && current_user.piv_cac_recommended_dismissed_at.nil?
+    if current_user.has_fed_or_mil_email? && current_user.piv_cac_recommended_dismissed_at.nil?
       redirect_to login_piv_cac_recommended_path
     end
   end

app/controllers/idv/agreement_controller.rb

@@ -37,6 +37,7 @@ def update
 
       if result.success?
         idv_session.idv_consent_given = true
+        idv_session.idv_consent_given_at = Time.zone.now
 
         if IdentityConfig.store.in_person_proofing_opt_in_enabled &&
            IdentityConfig.store.in_person_proofing_enabled

app/controllers/socure_webhook_controller.rb

@@ -1,8 +1,12 @@
 # frozen_string_literal: true
 
 class SocureWebhookController < ApplicationController
+  include RenderConditionConcern
+
   skip_before_action :verify_authenticity_token
 
+  check_or_render_not_found -> { IdentityConfig.store.socure_webhook_enabled }
+
   def create
     if token_valid?
       render json: { message: 'Secret token is valid.' }

app/controllers/users/piv_cac_recommended_controller.rb

@@ -8,7 +8,7 @@ class PivCacRecommendedController < ApplicationController
 
     before_action :confirm_user_authenticated_for_2fa_setup
     before_action :apply_secure_headers_override
-    before_action :redirect_unless_user_email_is_gov_or_mil
+    before_action :redirect_unless_user_email_is_fed_or_mil
 
     def show
       @recommended_presenter = PivCacRecommendedPresenter.new(current_user)
@@ -30,8 +30,8 @@ def skip
 
     private
 
-    def redirect_unless_user_email_is_gov_or_mil
-      redirect_to after_sign_in_path_for(current_user) unless current_user.has_gov_or_mil_email?
+    def redirect_unless_user_email_is_fed_or_mil
+      redirect_to after_sign_in_path_for(current_user) unless current_user.has_fed_or_mil_email?
     end
   end
 end

app/controllers/users/two_factor_authentication_setup_controller.rb

@@ -16,7 +16,7 @@ def index
       @presenter = two_factor_options_presenter
       analytics.user_registration_2fa_setup_visit(
         enabled_mfa_methods_count:,
-        gov_or_mil_email: has_gov_or_mil_email?,
+        gov_or_mil_email: fed_or_mil_email?,
       )
     end
 
@@ -44,8 +44,8 @@ def two_factor_options_form
 
     private
 
-    def has_gov_or_mil_email?
-      current_user.confirmed_email_addresses.any?(&:gov_or_mil?)
+    def fed_or_mil_email?
+      current_user.confirmed_email_addresses.any?(&:fed_or_mil_email?)
     end
 
     def mfa_context

app/jobs/get_usps_proofing_results_job.rb

@@ -236,7 +236,7 @@ def handle_unsupported_id_type(enrollment, response)
       proofed_at: proofed_at,
       status_check_completed_at: Time.zone.now,
     )
-
+    enrollment.profile.deactivate_due_to_in_person_verification_cancelled
     # send SMS and email
     send_enrollment_status_sms_notification(enrollment: enrollment)
     send_failed_email(enrollment.user, enrollment)
@@ -271,7 +271,7 @@ def handle_expired_status_update(enrollment, response, response_message)
       status: :expired,
       status_check_completed_at: Time.zone.now,
     )
-    enrollment.profile.deactivate_due_to_ipp_expiration
+    enrollment.profile.deactivate_due_to_in_person_verification_cancelled
 
     if fraud_result_pending?(enrollment)
       analytics(user: enrollment.user).idv_ipp_deactivated_for_never_visiting_post_office(
@@ -325,8 +325,10 @@ def handle_fraud_review_pending(enrollment)
   end
 
   def handle_unexpected_response(enrollment, response_message, reason:, cancel: true)
-    enrollment.cancelled! if cancel
-
+    if cancel
+      enrollment.cancelled!
+      enrollment.profile.deactivate_due_to_in_person_verification_cancelled
+    end
     analytics(user: enrollment.user).
       idv_in_person_usps_proofing_results_job_unexpected_response(
         **enrollment_analytics_attributes(enrollment, complete: cancel),
@@ -352,7 +354,7 @@ def handle_failed_status(enrollment, response)
       proofed_at: proofed_at,
       status_check_completed_at: Time.zone.now,
     )
-
+    enrollment.profile.deactivate_due_to_in_person_verification_cancelled
     # send SMS and email
     send_enrollment_status_sms_notification(enrollment: enrollment)
     if response['fraudSuspected']
@@ -442,6 +444,7 @@ def handle_unsupported_secondary_id(enrollment, response)
       proofed_at: proofed_at,
       status_check_completed_at: Time.zone.now,
     )
+    enrollment.profile.deactivate_due_to_in_person_verification_cancelled
     # send SMS and email
     send_enrollment_status_sms_notification(enrollment: enrollment)
     send_failed_email(enrollment.user, enrollment)

app/models/email_address.rb

@@ -29,8 +29,25 @@ def confirmation_period_expired?
     Time.zone.now > expiration_time
   end
 
-  def gov_or_mil?
-    email.end_with?('.gov', '.mil')
+  def domain
+    Mail::Address.new(email).domain
+  end
+
+  def fed_or_mil_email?
+    fed_email? || mil_email?
+  end
+
+  def fed_email?
+    if IdentityConfig.store.use_fed_domain_class
+      return false unless domain
+      FederalEmailDomain.fed_domain?(domain)
+    else
+      email.end_with?('.gov')
+    end
+  end
+
+  def mil_email?
+    email.end_with?('.mil')
   end
 
   class << self

app/models/federal_email_domain.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class FederalEmailDomain < ApplicationRecord
+  def self.fed_domain?(domain)
+    exists?(name: domain)
+  end
+end

app/models/profile.rb

@@ -196,7 +196,7 @@ def deactivate_due_to_gpo_expiration
     )
   end
 
-  def deactivate_due_to_ipp_expiration
+  def deactivate_due_to_in_person_verification_cancelled
     update!(
       active: false,
       deactivation_reason: :verification_cancelled,

app/models/user.rb

@@ -79,8 +79,8 @@ def confirmed?
     email_addresses.where.not(confirmed_at: nil).any?
   end
 
-  def has_gov_or_mil_email?
-    confirmed_email_addresses.any?(&:gov_or_mil?)
+  def has_fed_or_mil_email?
+    confirmed_email_addresses.any?(&:fed_or_mil_email?)
   end
 
   def accepted_rules_of_use_still_valid?

app/presenters/completions_presenter.rb

@@ -1,6 +1,9 @@
 # frozen_string_literal: true
 
 class CompletionsPresenter
+  include ActionView::Helpers::TranslationHelper
+  include ActionView::Helpers::TagHelper
+
   attr_reader :current_user, :current_sp, :decrypted_pii, :requested_attributes, :completion_context
 
   SORTED_IAL2_ATTRIBUTE_MAPPING = [
@@ -72,33 +75,24 @@ def heading
   end
 
   def intro
-    if ial2_requested?
-      if consent_has_expired?
-        I18n.t(
-          'help_text.requested_attributes.ial2_consent_reminder_html',
-          sp: sp_name,
-        )
-      elsif reverified_after_consent?
-        I18n.t(
-          'help_text.requested_attributes.ial2_reverified_consent_info',
-          sp: sp_name,
-        )
-      else
-        I18n.t(
-          'help_text.requested_attributes.ial2_intro_html',
-          sp: sp_name,
-        )
-      end
-    elsif consent_has_expired?
-      I18n.t(
-        'help_text.requested_attributes.ial1_consent_reminder_html',
-        sp: sp_name,
+    if consent_has_expired?
+      safe_join(
+        [
+          t(
+            'help_text.requested_attributes.consent_reminder_html',
+            sp_html: content_tag(:strong, sp_name),
+          ),
+          t('help_text.requested_attributes.intro_html', sp_html: content_tag(:strong, sp_name)),
+        ],
+        ' ',
       )
-    else
-      I18n.t(
-        'help_text.requested_attributes.ial1_intro_html',
-        sp: sp_name,
+    elsif ial2_requested? && reverified_after_consent?
+      t(
+        'help_text.requested_attributes.ial2_reverified_consent_info_html',
+        sp_html: content_tag(:strong, sp_name),
       )
+    else
+      t('help_text.requested_attributes.intro_html', sp_html: content_tag(:strong, sp_name))
     end
   end
 

app/presenters/two_factor_authentication/set_up_piv_cac_selection_presenter.rb

@@ -19,7 +19,7 @@ def phishing_resistant?
     end
 
     def recommended?
-      user.confirmed_email_addresses.any?(&:gov_or_mil?)
+      user.confirmed_email_addresses.any?(&:fed_or_mil_email?)
     end
 
     def desktop_only?

app/presenters/two_factor_options_presenter.rb

@@ -11,7 +11,6 @@ class TwoFactorOptionsPresenter
               :user_agent
 
   delegate :two_factor_enabled?, to: :mfa_policy
-
   def initialize(
     user_agent:,
     user: nil,

app/services/analytics_events.rb

@@ -1329,14 +1329,6 @@ def idv_doc_auth_link_sent_visited(**extra)
     track_event('IdV: doc auth link_sent visited', **extra)
   end
 
-  def idv_doc_auth_randomizer_defaulted(**extra)
-    track_event(
-      'IdV: doc_auth random vendor error',
-      error: 'document_capture_session_uuid_key missing',
-      **extra,
-    )
-  end
-
   def idv_doc_auth_redo_ssn_submitted(**extra)
     track_event('IdV: doc auth redo_ssn submitted', **extra)
   end

app/services/doc_auth_router.rb

@@ -196,9 +196,14 @@ def self.client(vendor:, warn_notifier: nil)
   # rubocop:enable Layout/LineLength
 
   def self.doc_auth_vendor_for_bucket(bucket)
-    bucket == :alternate_vendor ?
-      IdentityConfig.store.doc_auth_vendor_randomize_alternate_vendor :
-      IdentityConfig.store.doc_auth_vendor
+    case bucket
+    when :socure
+      Idp::Constants::Vendors::SOCURE
+    when :lexis_nexis
+      Idp::Constants::Vendors::LEXIS_NEXIS
+    else # e.g., nil
+      IdentityConfig.store.doc_auth_vendor_default
+    end
   end
 
   def self.doc_auth_vendor(