Merge branch 'master' into stages/rc-2018-08-30

.circleci/config.yml

@@ -77,7 +77,6 @@ jobs:
             cp certs/saml2018.crt.example certs/saml2018.crt
             cp keys/saml.key.enc.example keys/saml.key.enc
             cp keys/saml2018.key.enc.example keys/saml2018.key.enc
-            bin/generate-example-keys
             bundle exec rake db:setup --trace
             bundle exec rake assets:precompile
 

.gitignore

@@ -40,8 +40,8 @@ Vagrantfile
 /keys/*.key.enc
 !/keys/*.key.enc.example
 /keys/equifax_rsa
-/keys/equifax_rsa.pub
 /keys/equifax_gpg.pub.bin
+/keys/equifax_rsa.pub
 /coverage
 /db/*.sqlite3
 /doc/search_stats.csv
@@ -60,6 +60,7 @@ Vagrantfile
 /vendor/bundle
 
 saml_*.txt
+saml_*.shr
 
 # This is a hack to keep the files that are added to the repo and to prevent git from worrying about
 # new (transient) files that may be created in those dirs.

.reek

@@ -18,7 +18,6 @@ DuplicateMethodCall:
     - UserFlowExporter#self.massage_assets
     - BasicAuthUrl#build
     - fallback_to_english
-    - Idv::Proofer#load_vendors!
     - Upaya::RandomTools#self.random_weighted_sample
     - SmsController#authenticate
 FeatureEnvy:
@@ -46,7 +45,6 @@ FeatureEnvy:
     - UserEncryptedAttributeOverrides#find_with_email
     - Utf8Sanitizer#event_attributes
     - Utf8Sanitizer#remote_ip
-    - Idv::Proofer#validate_vendors
     - TwoFactorAuthenticationController#capture_analytics_for_exception
     - Users::SessionsController#configure_permitted_parameters
     - UspsConfirmationExporter#make_entry_row
@@ -105,7 +103,6 @@ TooManyStatements:
     - UserFlowExporter#self.massage_html
     - UserFlowExporter#self.run
     - Idv::Agent#proof
-    - Idv::Proofer#configure_vendors
     - Idv::VendorResult#initialize
     - SamlIdpController#auth
     - Upaya::QueueConfig#self.choose_queue_adapter

Gemfile

@@ -113,6 +113,5 @@ end
 
 group :production do
   gem 'aamva', git: '[email protected]:18F/identity-aamva-api-client-gem', tag: 'v3.1.0'
-  gem 'equifax', git: '[email protected]:18F/identity-equifax-api-client-gem.git', tag: 'v1.1.0'
   gem 'lexisnexis', git: '[email protected]:18F/identity-lexisnexis-api-client-gem', tag: 'v1.1.0'
 end

Gemfile.lock

@@ -9,19 +9,6 @@ GIT
       httpi
       xmldsig
 
-GIT
-  remote: [email protected]:18F/identity-equifax-api-client-gem.git
-  revision: de4258c7608997f72e119b16718eeead4d39db70
-  tag: v1.1.0
-  specs:
-    equifax (1.1.0)
-      activesupport
-      dotenv
-      gyoku
-      hashie
-      logger
-      savon
-
 GIT
   remote: [email protected]:18F/identity-lexisnexis-api-client-gem
   revision: d17049ab1a03d50c0cc8a272d86cf2144192fab5
@@ -350,7 +337,6 @@ GEM
       rb-fsevent (~> 0.9, >= 0.9.4)
       rb-inotify (~> 0.9, >= 0.9.7)
       ruby_dep (~> 1.2)
-    logger (1.2.8)
     lograge (0.10.0)
       actionpack (>= 4)
       activesupport (>= 4)
@@ -694,7 +680,6 @@ DEPENDENCIES
   devise (~> 4.1)
   dotiw
   email_spec
-  equifax!
   exception_notification
   factory_bot_rails
   fakefs

README.md

@@ -174,7 +174,7 @@ it into the "Index pattern" field, then click the "Next step" button.
 10. On `Step 2 of 2: Configure settings`, select `@timestamp` from the
 `Time Filter field name` dropdown, then click "Create index pattern".
 
-11. Create some more events on the IdP app
+11. Create some more events on the IdP app.
 
 12. Refresh the Kibana website. You should now see new events show up in the
 Discover section.

app/assets/stylesheets/components/_profile-section.scss

@@ -3,6 +3,7 @@
   border-bottom: $border-width solid $border-color;
   border-radius: 0;
   margin-bottom: 0;
+  overflow: hidden;
 
   .bg-lightest-blue img {
     margin-top: -2px;

app/assets/stylesheets/components/_spinner.scss

@@ -0,0 +1,5 @@
+.spinner {
+  margin-left: auto;
+  margin-right: auto;
+  width: 144px;
+}

app/assets/stylesheets/components/_util.scss

@@ -6,6 +6,8 @@
 
 .invisible { visibility: hidden; }
 
+.hidden { display: none; }
+
 .truncate-inline {
   max-width: 80%;
   overflow: hidden;

app/assets/stylesheets/components/all.scss

@@ -23,6 +23,7 @@
 @import 'accordion';
 @import 'util';
 @import 'verification-badge';
+@import 'spinner';
 
 @import 'space-addon';
 @import 'space-misc';

app/assets/stylesheets/variables/_app.scss

@@ -13,7 +13,7 @@ $line-height: 1.5 !default;
 $bold-font-weight: bold !default;
 $heading-font-family: $serif-font-family !default;
 $heading-font-weight: bold !default;
-$heading-line-height: 1.3 !default;
+$heading-line-height: 1.5 !default;
 $caps-letter-spacing: 1px !default;
 
 $line-height-0: .75 !default; // For when a tighter-than-normal leading is desired.

app/controllers/account_reset/confirm_request_controller.rb

@@ -5,7 +5,10 @@ def show
       if email.blank?
         redirect_to root_url
       else
-        render :show, locals: { email: email }
+        render :show, locals: {
+          email: email, sms_phone: SmsLoginOptionPolicy.new(current_user).configured?
+        }
+        sign_out
       end
     end
   end

app/controllers/account_reset/request_controller.rb

@@ -6,13 +6,14 @@ class RequestController < ApplicationController
     before_action :confirm_two_factor_enabled
     before_action :confirm_user_not_verified
 
-    def show; end
+    def show
+      analytics.track_event(Analytics::ACCOUNT_RESET_VISIT)
+    end
 
     def create
-      analytics.track_event(Analytics::ACCOUNT_RESET, event: :request)
-      create_request
-      send_notifications
-      reset_session_with_email
+      analytics.track_event(Analytics::ACCOUNT_RESET, analytics_attributes)
+      AccountReset::CreateRequest.new(current_user).call
+      flash[:email] = current_user.email
       redirect_to account_reset_confirm_request_url
     end
 
@@ -22,36 +23,24 @@ def check_account_reset_enabled
       redirect_to root_url unless FeatureManagement.account_reset_enabled?
     end
 
-    def confirm_user_not_verified
-      # IAL2 users should not be able to reset account to comply with AAL2 reqs
-      redirect_to account_url if decorated_user.identity_verified?
-    end
-
-    def reset_session_with_email
-      email = current_user.email
-      sign_out
-      flash[:email] = email
-    end
+    def confirm_two_factor_enabled
+      return if current_user.two_factor_enabled?
 
-    def send_notifications
-      phone = current_user.phone
-      if phone
-        SmsAccountResetNotifierJob.perform_now(
-          phone: phone,
-          cancel_token: current_user.account_reset_request.request_token
-        )
-      end
-      UserMailer.account_reset_request(current_user).deliver_later
+      redirect_to two_factor_options_url
     end
 
-    def create_request
-      AccountResetService.new(current_user).create_request
+    def confirm_user_not_verified
+      # IAL2 users should not be able to reset account to comply with AAL2 reqs
+      redirect_to account_url if decorated_user.identity_verified?
     end
 
-    def confirm_two_factor_enabled
-      return if current_user.two_factor_enabled?
-
-      redirect_to phone_setup_url
+    def analytics_attributes
+      {
+        event: 'request',
+        sms_phone: SmsLoginOptionPolicy.new(current_user).configured?,
+        totp: AuthAppLoginOptionPolicy.new(current_user).configured?,
+        piv_cac: PivCacLoginOptionPolicy.new(current_user).configured?,
+      }
     end
   end
 end

app/controllers/application_controller.rb

@@ -126,7 +126,7 @@ def service_provider_request
   end
 
   def after_sign_in_path_for(_user)
-    user_session[:stored_location] || sp_session[:request_url] || signed_in_url
+    user_session.delete(:stored_location) || sp_session[:request_url] || signed_in_url
   end
 
   def signed_in_url

app/controllers/concerns/account_recoverable.rb

@@ -1,5 +1,5 @@
 module AccountRecoverable
   def piv_cac_enabled_but_not_phone_enabled?
-    current_user.piv_cac_enabled? && !current_user.phone_enabled?
+    current_user.piv_cac_enabled? && !current_user.phone_configuration&.mfa_enabled?
   end
 end

app/controllers/concerns/authorizable.rb

@@ -1,6 +1,6 @@
 module Authorizable
   def authorize_user
-    return unless current_user.phone_enabled?
+    return unless current_user.phone_configuration&.mfa_enabled?
 
     if user_fully_authenticated?
       redirect_to account_url

app/controllers/concerns/idv_session.rb

@@ -2,7 +2,7 @@ module IdvSession
   extend ActiveSupport::Concern
 
   def confirm_idv_session_started
-    return if current_user.decorate.needs_profile_usps_verification?
+    return if current_user.decorate.pending_profile_requires_verification?
     redirect_to idv_session_url if idv_session.params.blank?
   end
 

app/controllers/concerns/phone_confirmation.rb

@@ -15,6 +15,6 @@ def prompt_to_confirm_phone(phone:, context: 'confirmation', selected_delivery_m
   def otp_delivery_method(phone, selected_delivery_method)
     return :sms if PhoneNumberCapabilities.new(phone).sms_only?
     return selected_delivery_method if selected_delivery_method.present?
-    current_user.otp_delivery_preference
+    current_user.phone_configuration&.delivery_preference || current_user.otp_delivery_preference
   end
 end

app/controllers/concerns/two_factor_authenticatable.rb

@@ -54,7 +54,7 @@ def current_password_required?
   def check_already_authenticated
     return unless initial_authentication_context?
 
-    redirect_to account_url if user_fully_authenticated?
+    redirect_to after_otp_verification_confirmation_url if user_fully_authenticated?
   end
 
   def reset_attempt_count_if_user_no_longer_locked_out
@@ -140,7 +140,7 @@ def assign_phone
   end
 
   def old_phone
-    current_user.phone
+    current_user.phone_configuration&.phone
   end
 
   def phone_changed
@@ -260,7 +260,7 @@ def authenticator_view_data
       two_factor_authentication_method: two_factor_authentication_method,
       user_email: current_user.email,
       remember_device_available: false,
-      phone_enabled: current_user.phone_enabled?,
+      phone_enabled: current_user.phone_configuration&.mfa_enabled?,
     }.merge(generic_data)
   end
 
@@ -282,7 +282,7 @@ def display_phone_to_deliver_to
 
   def voice_otp_delivery_unsupported?
     phone_number = if authentication_context?
-                     current_user.phone
+                     current_user.phone_configuration&.phone
                    else
                      user_session[:unconfirmed_phone]
                    end
@@ -297,15 +297,15 @@ def reenter_phone_number_path
     locale = LinkLocaleResolver.locale
     if idv_context?
       idv_phone_path(locale: locale)
-    elsif current_user.phone.present?
+    elsif current_user.phone_configuration.present?
       manage_phone_path(locale: locale)
     else
       phone_setup_path(locale: locale)
     end
   end
 
   def confirmation_for_phone_change?
-    confirmation_context? && current_user.phone.present?
+    confirmation_context? && current_user.phone_configuration.present?
   end
 
   def presenter_for_two_factor_authentication_method

app/controllers/concerns/verify_profile_concern.rb

@@ -11,17 +11,8 @@ def account_or_verify_profile_url
 
   def account_or_verify_profile_route
     return 'account' if idv_context? || profile_context?
-    return 'account' unless current_user.decorate.pending_profile_requires_verification?
-    verify_profile_route
-  end
-
-  def verify_profile_route
-    decorated_user = current_user.decorate
-    if decorated_user.needs_profile_phone_verification?
-      flash[:notice] = t('account.index.verification.instructions')
-      return 'verify_profile_phone'
-    end
-    return 'verify_account' if decorated_user.needs_profile_usps_verification?
+    return 'account' unless profile_needs_verification?
+    'verify_account'
   end
 
   def profile_needs_verification?

app/controllers/idv/cancellations_controller.rb

@@ -6,7 +6,8 @@ class CancellationsController < ApplicationController
     before_action :confirm_idv_needed
 
     def new
-      analytics.track_event(Analytics::IDV_CANCELLATION)
+      properties = ParseControllerFromReferer.new(request.referer).call
+      analytics.track_event(Analytics::IDV_CANCELLATION, properties)
       @presenter = CancellationPresenter.new(view_context: view_context)
     end
 

app/controllers/idv/come_back_later_controller.rb

@@ -4,12 +4,14 @@ class ComeBackLaterController < ApplicationController
 
     before_action :confirm_user_needs_usps_confirmation
 
-    def show; end
+    def show
+      analytics.track_event(Analytics::IDV_COME_BACK_LATER_VISIT)
+    end
 
     private
 
     def confirm_user_needs_usps_confirmation
-      redirect_to account_url unless current_user.decorate.needs_profile_usps_verification?
+      redirect_to account_url unless current_user.decorate.pending_profile_requires_verification?
     end
   end
 end

app/controllers/idv/confirmations_controller.rb

@@ -35,7 +35,7 @@ def confirm_profile_has_been_created
     def track_final_idv_event
       result = {
         success: true,
-        new_phone_added: idv_session.params['phone'] != current_user.phone,
+        new_phone_added: idv_session.params['phone'] != current_user.phone_configuration&.phone,
       }
       analytics.track_event(Analytics::IDV_FINAL, result)
     end