Deploy RC 398 to Production

Gemfile

@@ -66,6 +66,7 @@ gem 'redacted_struct'
 gem 'redis', '>= 3.2.0'
 gem 'redis-session-store', github: '18F/redis-session-store', tag: 'v1.0.1-18f'
 gem 'retries'
+gem 'rexml', '~> 3.3'
 gem 'rotp', '~> 6.3', '>= 6.3.0'
 gem 'rqrcode'
 gem 'ruby-progressbar'

Gemfile.lock

@@ -573,7 +573,7 @@ GEM
       actionpack (>= 5.0)
       railties (>= 5.0)
     retries (0.0.5)
-    rexml (3.3.1)
+    rexml (3.3.2)
       strscan
     rotp (6.3.0)
     rouge (4.2.0)
@@ -832,6 +832,7 @@ DEPENDENCIES
   redis (>= 3.2.0)
   redis-session-store!
   retries
+  rexml (~> 3.3)
   rotp (~> 6.3, >= 6.3.0)
   rqrcode
   rspec (~> 3.13.0)

Makefile

@@ -134,7 +134,7 @@ lint_asset_bundle_size: ## Lints JavaScript and CSS compiled bundle size
 	@# and you have no options to split that from the common bundles. If you need to increase this
 	@# budget and accept the fact that this will force end-users to endure longer load times, you
 	@# should set the new budget to within a few thousand bytes of the production-compiled size.
-	find app/assets/builds/application.css -size -185000c | grep .
+	find app/assets/builds/application.css -size -105000c | grep .
 	find public/packs/application-*.digested.js -size -5000c | grep .
 
 lint_migrations:

app/assets/stylesheets/application.css.scss

@@ -3,5 +3,3 @@
 @forward 'uswds';
 @forward 'design-system-waiting-room';
 @forward 'components';
-@forward 'uswds-utilities';
-@forward 'utilities';

app/assets/stylesheets/utilities.css.scss

@@ -0,0 +1,3 @@
+@forward 'uswds-core';
+@forward 'uswds-utilities';
+@forward 'utilities';

app/controllers/idv/by_mail/request_letter_controller.rb

@@ -10,6 +10,7 @@ class RequestLetterController < ApplicationController
 
       before_action :confirm_mail_not_rate_limited
       before_action :confirm_step_allowed
+      before_action :confirm_letter_sends_allowed
 
       def index
         @applicant = idv_session.applicant
@@ -33,7 +34,7 @@ def self.step_info
           action: :index,
           next_steps: [:enter_password],
           preconditions: ->(idv_session:, user:) do
-            idv_session.verify_info_step_complete? || user.gpo_verification_pending_profile?
+            idv_session.verify_info_step_complete?
           end,
           undo_step: ->(idv_session:, user:) { idv_session.address_verification_mechanism = nil },
         )
@@ -55,6 +56,10 @@ def confirm_mail_not_rate_limited
         redirect_to idv_enter_password_url if gpo_verify_by_mail_policy.rate_limited?
       end
 
+      def confirm_letter_sends_allowed
+        redirect_to idv_enter_password_url if !gpo_verify_by_mail_policy.send_letter_available?
+      end
+
       def step_indicator_steps
         if in_person_proofing?
           Idv::Flows::InPersonFlow::STEP_INDICATOR_STEPS_GPO

app/controllers/users/piv_cac_setup_from_sign_in_controller.rb

@@ -2,85 +2,20 @@
 
 module Users
   class PivCacSetupFromSignInController < ApplicationController
-    include TwoFactorAuthenticatableMethods
     include PivCacConcern
-    include SecureHeadersConcern
     include ReauthenticationRequiredConcern
 
     before_action :confirm_two_factor_authenticated
     before_action :confirm_recently_authenticated_2fa
-    before_action :apply_secure_headers_override, only: :success
     before_action :set_piv_cac_setup_csp_form_action_uris, only: :prompt
 
     def prompt
-      if params.key?(:token)
-        process_piv_cac_setup
-      else
-        render_prompt
-      end
-    end
-
-    def success; end
-
-    def next
-      redirect_to after_sign_in_path_for(current_user)
+      analytics.piv_cac_setup_visited(in_account_creation_flow: false)
     end
 
     def decline
       session.delete(:needs_to_setup_piv_cac_after_sign_in)
       redirect_to after_sign_in_path_for(current_user)
     end
-
-    private
-
-    def render_prompt
-      analytics.piv_cac_setup_visited(in_account_creation_flow: false)
-      render :prompt
-    end
-
-    def process_piv_cac_setup
-      result = user_piv_cac_form.submit
-      properties = result.to_h.merge(analytics_properties)
-      analytics.multi_factor_auth_setup(**properties)
-      if result.success?
-        process_valid_submission
-      else
-        process_invalid_submission
-      end
-    end
-
-    def user_piv_cac_form
-      @user_piv_cac_form ||= UserPivCacSetupForm.new(
-        user: current_user,
-        token: params[:token],
-        nonce: piv_cac_nonce,
-        name: user_session[:piv_cac_nickname],
-      )
-    end
-
-    def process_invalid_submission
-      redirect_to login_piv_cac_error_url(error: user_piv_cac_form.error_type)
-    end
-
-    def process_valid_submission
-      handle_valid_verification_for_confirmation_context(
-        auth_method: TwoFactorAuthenticatable::AuthMethod::PIV_CAC,
-      )
-      session.delete(:needs_to_setup_piv_cac_after_sign_in)
-      save_piv_cac_information(
-        subject: user_piv_cac_form.x509_dn,
-        issuer: user_piv_cac_form.x509_issuer,
-        presented: true,
-      )
-      create_user_event(:piv_cac_enabled)
-      redirect_to login_add_piv_cac_success_url
-    end
-
-    def analytics_properties
-      {
-        in_account_creation_flow: false,
-        enabled_mfa_methods_count: MfaContext.new(current_user).enabled_mfa_methods_count,
-      }
-    end
   end
 end

app/controllers/users/sessions_controller.rb

@@ -176,6 +176,7 @@ def track_authentication_attempt(email)
         bad_password_count: session[:bad_password_count].to_i,
         sp_request_url_present: sp_session[:request_url].present?,
         remember_device: remember_device_cookie.present?,
+        new_device: success ? new_device? : nil,
       )
     end
 

app/services/analytics_events.rb

@@ -404,6 +404,8 @@ def edit_password_visit
   # @param [String] bad_password_count represents number of prior login failures
   # @param [Boolean] sp_request_url_present if was an SP request URL in the session
   # @param [Boolean] remember_device if the remember device cookie was present
+  # @param [Boolean, nil] new_device Whether the user is authenticating from a new device. Nil if
+  # there is the attempt was unsuccessful, since it cannot be known whether it's a new device.
   # Tracks authentication attempts at the email/password screen
   def email_and_password_auth(
     success:,
@@ -413,6 +415,7 @@ def email_and_password_auth(
     bad_password_count:,
     sp_request_url_present:,
     remember_device:,
+    new_device:,
     **extra
   )
     track_event(
@@ -424,6 +427,7 @@ def email_and_password_auth(
       bad_password_count:,
       sp_request_url_present:,
       remember_device:,
+      new_device:,
       **extra,
     )
   end
@@ -670,6 +674,25 @@ def fraud_review_rejected(
     )
   end
 
+  # @param [Boolean] success Whether records were successfully uploaded
+  # @param [String] exception The exception that occured if an exception did occur
+  # @param [Number] gpo_confirmation_count The number of GPO Confirmation records uploaded
+  # GPO confirmation records were uploaded for letter sends
+  def gpo_confirmation_upload(
+    success:,
+    exception:,
+    gpo_confirmation_count:,
+    **extra
+  )
+    track_event(
+      :gpo_confirmation_upload,
+      success: success,
+      exception: exception,
+      gpo_confirmation_count: gpo_confirmation_count,
+      **extra,
+    )
+  end
+
   # @param [Boolean] acuant_sdk_upgrade_a_b_testing_enabled
   # @param [String] acuant_version
   # @param [String] flow_path whether the user is in the hybrid or standard flow
@@ -4125,12 +4148,17 @@ def multi_factor_auth_added_phone(
   # Tracks when the user has added the MFA method piv_cac to their account
   # @param [Integer] enabled_mfa_methods_count number of registered mfa methods for the user
   # @param [Boolean] in_account_creation_flow whether user is going through creation flow
-  def multi_factor_auth_added_piv_cac(enabled_mfa_methods_count:, in_account_creation_flow:,
-                                      **extra)
+  # @param ['piv_cac'] method_name Authentication method added
+  def multi_factor_auth_added_piv_cac(
+    enabled_mfa_methods_count:,
+    in_account_creation_flow:,
+    method_name: :piv_cac,
+    **extra
+  )
     track_event(
       :multi_factor_auth_added_piv_cac,
       {
-        method_name: :piv_cac,
+        method_name:,
         enabled_mfa_methods_count:,
         in_account_creation_flow:,
         **extra,

app/services/gpo_confirmation_uploader.rb

@@ -12,7 +12,13 @@ def run
     upload_export(export)
     LetterRequestsToGpoFtpLog.create(ftp_at: @now, letter_requests_count: confirmations.count)
     clear_confirmations(confirmations)
+    analytics.gpo_confirmation_upload(
+      success: true, exception: nil, gpo_confirmation_count: confirmations.count,
+    )
   rescue StandardError => error
+    analytics.gpo_confirmation_upload(
+      success: false, exception: error.to_s, gpo_confirmation_count: 0,
+    )
     NewRelic::Agent.notice_error(error)
     raise error
   end
@@ -71,4 +77,8 @@ def sftp_config
       timeout: IdentityConfig.store.usps_upload_sftp_timeout,
     ]
   end
+
+  def analytics
+    Analytics.new(user: AnonymousUser.new, request: nil, session: {}, sp: nil)
+  end
 end

app/views/layouts/base.html.erb

@@ -20,8 +20,9 @@
   <% end %>
   <%= preload_link_tag font_path('public-sans/PublicSans-Bold.woff2') %>
   <%= preload_link_tag font_path('public-sans/PublicSans-Regular.woff2') %>
-  <%= render_stylesheet_once_tags %>
   <%= stylesheet_link_tag 'application', nopush: false %>
+  <%= render_stylesheet_once_tags %>
+  <%= stylesheet_link_tag 'utilities', nopush: false %>
   <%= stylesheet_link_tag 'print', media: :print, preload_links_header: false %>
   <%= csrf_meta_tags %>
 

app/views/layouts/component_preview.html.erb

@@ -2,8 +2,9 @@
 <html>
   <head>
     <title>Component Preview</title>
+    <%= stylesheet_link_tag 'application', nopush: false %>
     <%= render_stylesheet_once_tags %>
-    <%= stylesheet_link_tag 'application', media: 'all' %>
+    <%= stylesheet_link_tag 'utilities', nopush: false %>
   </head>
   <body class="height-auto padding-2 <%= params.dig(:lookbook, :display, :body_class) %>">
     <% if params.dig(:lookbook, :display, :form) == true %>

app/views/saml_idp/shared/saml_post_binding.html.erb

@@ -7,8 +7,9 @@
       document.documentElement.classList.replace('no-js', 'js');
     <% end %>
     <%= csrf_meta_tags %>
-    <%= stylesheet_link_tag 'application', media: 'all' %>
+    <%= stylesheet_link_tag 'application', nopush: false %>
     <%= render_stylesheet_once_tags %>
+    <%= stylesheet_link_tag 'utilities', nopush: false %>
   </head>
   <body>
     <div class="grid-container tablet:padding-y-6 no-js">

config/locales/en.yml

@@ -956,8 +956,7 @@ help_text.requested_attributes.email: Email address
 help_text.requested_attributes.full_name: Full name
 help_text.requested_attributes.ial1_consent_reminder_html: You must consent each year to share your information with <strong>%{sp}</strong>. We’ll share your information with <strong>%{sp}</strong> to connect your account.
 help_text.requested_attributes.ial1_intro_html: We’ll share your information with <strong>%{sp}</strong> to connect your account.
-help_text.requested_attributes.ial2_consent_reminder_html: "<strong>%{sp}</stro\
-  ng> needs to know who you are to connect to your account. You must consent each year to share your verified information with <strong>%{sp}</strong>. We’ll share this information:"
+help_text.requested_attributes.ial2_consent_reminder_html: '<strong>%{sp}</strong> needs to know who you are to connect to your account. You must consent each year to share your verified information with <strong>%{sp}</strong>. We’ll share this information:'
 help_text.requested_attributes.ial2_intro_html: '<strong>%{sp}</strong> needs to know who you are to connect your account. We’ll share this information with %{sp}:'
 help_text.requested_attributes.ial2_reverified_consent_info: 'Because you verified your identity again, we need your permission to share this information with %{sp}:'
 help_text.requested_attributes.phone: Phone number
@@ -1603,8 +1602,7 @@ titles.verify_email: Check your email
 titles.visitors.index: Welcome
 titles.webauthn_setup: Add your security key
 two_factor_authentication.aal2_request.phishing_resistant_html: '<strong>%{sp_name}</strong> requires a high-security authentication method, such as face or touch unlock, a security key or a government employee ID.'
-two_factor_authentication.aal2_request.piv_cac_only_html: "<strong>%{sp_name}</\
-  strong> requires your government employee ID, a high-security authentication method."
+two_factor_authentication.aal2_request.piv_cac_only_html: '<strong>%{sp_name}</strong> requires your government employee ID, a high-security authentication method.'
 two_factor_authentication.account_reset.cancel_link: Cancel your request
 two_factor_authentication.account_reset.link: deleting your account
 two_factor_authentication.account_reset.pending: You currently have a pending request to delete your account. It takes %{interval} from the time you made the request to complete the process. Please check back later.

config/locales/es.yml

@@ -1614,8 +1614,7 @@ titles.verify_email: Revise su correo electrónico
 titles.visitors.index: Bienvenido
 titles.webauthn_setup: Añada su clave de seguridad
 two_factor_authentication.aal2_request.phishing_resistant_html: '<strong>%{sp_name}</strong> requiere un método de autenticación de alta seguridad, como desbloqueo facial o táctil, una clave de seguridad o una identificación de empleado de gobierno.'
-two_factor_authentication.aal2_request.piv_cac_only_html: "<strong>%{sp_name}</\
-  strong> requiere su identificación de empleado de gobierno, un método de autenticación de alta seguridad."
+two_factor_authentication.aal2_request.piv_cac_only_html: '<strong>%{sp_name}</strong> requiere su identificación de empleado de gobierno, un método de autenticación de alta seguridad.'
 two_factor_authentication.account_reset.cancel_link: Cancelar su solicitud
 two_factor_authentication.account_reset.link: eliminando su cuenta
 two_factor_authentication.account_reset.pending: Actualmente tiene una solicitud pendiente para eliminar su cuenta. Se necesitan %{interval} desde el momento en que realizó la solicitud para completar el proceso. Por favor, vuelva más tarde.

config/locales/fr.yml

@@ -956,8 +956,7 @@ help_text.requested_attributes.email: Adresse e-mail
 help_text.requested_attributes.full_name: Nom complet
 help_text.requested_attributes.ial1_consent_reminder_html: Vous devez consentir chaque année au partage de vos informations avec <strong>%{sp}</strong>. Nous partagerons vos informations avec <strong>%{sp}</strong> pour connecter votre compte.
 help_text.requested_attributes.ial1_intro_html: Nous partagerons vos informations avec <strong>%{sp}</strong> pour connecter votre compte.
-help_text.requested_attributes.ial2_consent_reminder_html: "<strong>%{sp}</stro\
-  ng> a besoin de savoir qui vous êtes pour se connecter à votre compte. Vous devez consentir chaque année à partager vos informations vérifiées avec <strong>%{sp}</strong>. Nous partagerons ces informations :"
+help_text.requested_attributes.ial2_consent_reminder_html: '<strong>%{sp}</strong> a besoin de savoir qui vous êtes pour se connecter à votre compte. Vous devez consentir chaque année à partager vos informations vérifiées avec <strong>%{sp}</strong>. Nous partagerons ces informations :'
 help_text.requested_attributes.ial2_intro_html: '<strong>%{sp}</strong> a besoin de savoir qui vous êtes pour connecter votre compte. Nous partagerons ces informations avec %{sp} :'
 help_text.requested_attributes.ial2_reverified_consent_info: 'Étant donné que vous avez revérifié votre identité, nous avons besoin de votre autorisation pour partager ces informations avec %{sp} :'
 help_text.requested_attributes.phone: Numéro de téléphone
@@ -1603,8 +1602,7 @@ titles.verify_email: Consulter vos e-mails
 titles.visitors.index: Bienvenue
 titles.webauthn_setup: Ajouter votre clé de sécurité
 two_factor_authentication.aal2_request.phishing_resistant_html: '<strong>%{sp_name}</strong> nécessite une méthode d’authentification de haute sécurité, telle que le déverrouillage facial ou tactile, une clé de sécurité ou une carte d’employé fédéral.'
-two_factor_authentication.aal2_request.piv_cac_only_html: "<strong>%{sp_name}</\
-  strong> nécessite votre carte d’employé fédéral, qui est une méthode d’authentification de haute sécurité."
+two_factor_authentication.aal2_request.piv_cac_only_html: '<strong>%{sp_name}</strong> nécessite votre carte d’employé fédéral, qui est une méthode d’authentification de haute sécurité.'
 two_factor_authentication.account_reset.cancel_link: Annuler votre demande
 two_factor_authentication.account_reset.link: supprimer votre compte
 two_factor_authentication.account_reset.pending: Vous avez actuellement une demande en attente pour supprimer votre compte. Il faut compter %{interval} à partir du moment où vous avez fait la demande pour terminer le processus. Veuillez vérifier plus tard.