Merge pull request #2847 from 18F/stages/rc-2019-03-29

Deploy stages/rc-2019-03-29 to int
18F · Mar 26, 2019 · 6de4f19 · 6de4f19
2 parents 3331321 + 01e1cb4
commit 6de4f19
Show file tree

Hide file tree

Showing 208 changed files with 3,589 additions and 1,073 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -73,11 +73,13 @@ jobs:
           name: Test Setup
           command: |
             cp config/application.yml.example config/application.yml
-            cp certs/saml.crt.example certs/saml.crt
+            cp keys/oidc.key.example keys/oidc.key
+            cp keys/oidc.pub.example keys/oidc.pub
             cp certs/saml2018.crt.example certs/saml2018.crt
+            cp certs/saml2019.crt.example certs/saml2019.crt
             cp certs/samlcloudhsm.crt.example certs/samlcloudhsm.crt
-            cp keys/saml.key.enc.example keys/saml.key.enc
             cp keys/saml2018.key.enc.example keys/saml2018.key.enc
+            cp keys/saml2019.key.enc.example keys/saml2019.key.enc
             bundle exec rake db:setup --trace
             bundle exec rake assets:precompile
 

diff --git a/.gitignore b/.gitignore
@@ -38,8 +38,11 @@ Vagrantfile
 /config/application.yml
 /config/aws.yml
 /geo_data/*
+/keys/*.key
+/keys/*.pub
 /keys/*.key.enc
 !/keys/*.key.enc.example
+!/keys/saml_test_sp.key
 /keys/equifax_rsa
 /keys/equifax_gpg.pub.bin
 /keys/equifax_rsa.pub

diff --git a/Gemfile b/Gemfile
@@ -106,7 +106,7 @@ group :test do
   gem 'rack-test'
   gem 'rack_session_access'
   gem 'rails-controller-testing'
-  gem 'shoulda-matchers', '~> 3.0', require: false
+  gem 'shoulda-matchers', '~> 4.0.1', require: false
   gem 'timecop'
   gem 'webmock'
   gem 'zonebie'

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -49,39 +49,39 @@ GIT
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (5.1.6.1)
-      actionpack (= 5.1.6.1)
+    actioncable (5.1.6.2)
+      actionpack (= 5.1.6.2)
       nio4r (~> 2.0)
       websocket-driver (~> 0.6.1)
-    actionmailer (5.1.6.1)
-      actionpack (= 5.1.6.1)
-      actionview (= 5.1.6.1)
-      activejob (= 5.1.6.1)
+    actionmailer (5.1.6.2)
+      actionpack (= 5.1.6.2)
+      actionview (= 5.1.6.2)
+      activejob (= 5.1.6.2)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (5.1.6.1)
-      actionview (= 5.1.6.1)
-      activesupport (= 5.1.6.1)
+    actionpack (5.1.6.2)
+      actionview (= 5.1.6.2)
+      activesupport (= 5.1.6.2)
       rack (~> 2.0)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.1.6.1)
-      activesupport (= 5.1.6.1)
+    actionview (5.1.6.2)
+      activesupport (= 5.1.6.2)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (5.1.6.1)
-      activesupport (= 5.1.6.1)
+    activejob (5.1.6.2)
+      activesupport (= 5.1.6.2)
       globalid (>= 0.3.6)
-    activemodel (5.1.6.1)
-      activesupport (= 5.1.6.1)
-    activerecord (5.1.6.1)
-      activemodel (= 5.1.6.1)
-      activesupport (= 5.1.6.1)
+    activemodel (5.1.6.2)
+      activesupport (= 5.1.6.2)
+    activerecord (5.1.6.2)
+      activemodel (= 5.1.6.2)
+      activesupport (= 5.1.6.2)
       arel (~> 8.0)
-    activesupport (5.1.6.1)
+    activesupport (5.1.6.2)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
@@ -104,24 +104,25 @@ GEM
       io-like (~> 0.3.0)
     arel (8.0.0)
     ast (2.4.0)
-    aws-eventstream (1.0.1)
-    aws-partitions (1.143.0)
-    aws-sdk-core (3.46.2)
-      aws-eventstream (~> 1.0)
+    aws-eventstream (1.0.2)
+    aws-partitions (1.144.0)
+    aws-sdk-core (3.48.1)
+      aws-eventstream (~> 1.0, >= 1.0.2)
       aws-partitions (~> 1.0)
-      aws-sigv4 (~> 1.0)
+      aws-sigv4 (~> 1.1)
       jmespath (~> 1.0)
-    aws-sdk-kms (1.13.0)
-      aws-sdk-core (~> 3, >= 3.39.0)
-      aws-sigv4 (~> 1.0)
-    aws-sdk-s3 (1.30.1)
-      aws-sdk-core (~> 3, >= 3.39.0)
+    aws-sdk-kms (1.15.0)
+      aws-sdk-core (~> 3, >= 3.48.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-s3 (1.33.0)
+      aws-sdk-core (~> 3, >= 3.48.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.0)
-    aws-sdk-ses (1.14.0)
-      aws-sdk-core (~> 3, >= 3.39.0)
-      aws-sigv4 (~> 1.0)
-    aws-sigv4 (1.0.3)
+    aws-sdk-ses (1.16.0)
+      aws-sdk-core (~> 3, >= 3.48.0)
+      aws-sigv4 (~> 1.1)
+    aws-sigv4 (1.1.0)
+      aws-eventstream (~> 1.0, >= 1.0.2)
     axe-matchers (1.3.4)
       dumb_delegator (~> 0.8)
       virtus (~> 1.0)
@@ -139,7 +140,7 @@ GEM
     bindata (2.4.4)
     binding_of_caller (0.8.0)
       debug_inspector (>= 0.0.1)
-    brakeman (4.4.0)
+    brakeman (4.5.0)
     browser (2.5.3)
     builder (3.2.3)
     bullet (5.9.0)
@@ -148,8 +149,8 @@ GEM
     bummr (0.5.0)
       rainbow
       thor
-    byebug (11.0.0)
-    capybara (3.14.0)
+    byebug (11.0.1)
+    capybara (3.15.0)
       addressable
       mini_mime (>= 0.1.3)
       nokogiri (~> 1.8)
@@ -179,9 +180,9 @@ GEM
     coercible (1.0.0)
       descendants_tracker (~> 0.0.1)
     colorize (0.8.1)
-    concurrent-ruby (1.1.4)
+    concurrent-ruby (1.1.5)
     connection_pool (2.2.2)
-    cose (0.1.0)
+    cose (0.4.1)
       cbor (~> 0.5.9.2)
     crack (0.4.3)
       safe_yaml (~> 1.0.0)
@@ -235,14 +236,14 @@ GEM
     factory_bot_rails (5.0.1)
       factory_bot (~> 5.0.0)
       railties (>= 4.2.0)
-    fakefs (0.19.2)
+    fakefs (0.20.0)
     faker (1.9.3)
       i18n (>= 0.7)
     faraday (0.15.4)
       multipart-post (>= 1.2, < 3)
-    fasterer (0.4.2)
+    fasterer (0.5.1)
       colorize (~> 0.7)
-      ruby_parser (>= 3.12.0)
+      ruby_parser (>= 3.13.0)
     ffi (1.10.0)
     ffi-compiler (1.0.1)
       ffi (>= 1.0.0)
@@ -342,8 +343,8 @@ GEM
     nenv (0.3.0)
     net-sftp (2.1.2)
       net-ssh (>= 2.6.5)
-    net-ssh (5.1.0)
-    newrelic_rpm (6.1.0.352)
+    net-ssh (5.2.0)
+    newrelic_rpm (6.2.0.354)
     nio4r (2.3.1)
     nokogiri (1.10.1)
       mini_portile2 (~> 2.4.0)
@@ -382,7 +383,7 @@ GEM
       pry (>= 0.10.4)
     psych (3.1.0)
     public_suffix (3.0.3)
-    puma (3.12.0)
+    puma (3.12.1)
     rack (2.0.6)
     rack-attack (5.4.2)
       rack (>= 1.0, < 3)
@@ -400,17 +401,17 @@ GEM
     rack_session_access (0.2.0)
       builder (>= 2.0.0)
       rack (>= 1.0.0)
-    rails (5.1.6.1)
-      actioncable (= 5.1.6.1)
-      actionmailer (= 5.1.6.1)
-      actionpack (= 5.1.6.1)
-      actionview (= 5.1.6.1)
-      activejob (= 5.1.6.1)
-      activemodel (= 5.1.6.1)
-      activerecord (= 5.1.6.1)
-      activesupport (= 5.1.6.1)
+    rails (5.1.6.2)
+      actioncable (= 5.1.6.2)
+      actionmailer (= 5.1.6.2)
+      actionpack (= 5.1.6.2)
+      actionview (= 5.1.6.2)
+      activejob (= 5.1.6.2)
+      activemodel (= 5.1.6.2)
+      activerecord (= 5.1.6.2)
+      activesupport (= 5.1.6.2)
       bundler (>= 1.3.0)
-      railties (= 5.1.6.1)
+      railties (= 5.1.6.2)
       sprockets-rails (>= 2.0.0)
     rails-controller-testing (1.0.4)
       actionpack (>= 5.0.1.x)
@@ -429,9 +430,9 @@ GEM
     rails-i18n (5.1.3)
       i18n (>= 0.7, < 2)
       railties (>= 5.0, < 6)
-    railties (5.1.6.1)
-      actionpack (= 5.1.6.1)
-      activesupport (= 5.1.6.1)
+    railties (5.1.6.2)
+      actionpack (= 5.1.6.2)
+      activesupport (= 5.1.6.2)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
@@ -501,7 +502,7 @@ GEM
     ruby-saml (1.9.0)
       nokogiri (>= 1.5.10)
     ruby_dep (1.5.0)
-    ruby_parser (3.12.0)
+    ruby_parser (3.13.0)
       sexp_processor (~> 4.9)
     rubyzip (1.2.2)
     safe_yaml (1.0.5)
@@ -525,10 +526,10 @@ GEM
     selenium-webdriver (3.141.0)
       childprocess (~> 0.5)
       rubyzip (~> 1.2, >= 1.2.2)
-    sexp_processor (4.11.0)
+    sexp_processor (4.12.0)
     shellany (0.0.1)
-    shoulda-matchers (3.1.3)
-      activesupport (>= 4.0.0)
+    shoulda-matchers (4.0.1)
+      activesupport (>= 4.2.0)
     simple_form (4.1.0)
       actionpack (>= 5.0)
       activemodel (>= 5.0)
@@ -573,7 +574,7 @@ GEM
     thread_safe (0.3.6)
     tilt (2.0.9)
     timecop (0.9.1)
-    twilio-ruby (5.21.1)
+    twilio-ruby (5.21.2)
       faraday (~> 0.9)
       jwt (>= 1.5, <= 2.5)
       nokogiri (>= 1.6, < 2.0)
@@ -604,9 +605,9 @@ GEM
       equalizer (~> 0.0, >= 0.0.9)
     warden (1.2.8)
       rack (>= 2.0.6)
-    webauthn (1.10.0)
-      cbor (~> 0.5.9.2)
-      cose (~> 0.1.0)
+    webauthn (1.11.0)
+      cbor (~> 0.5.9)
+      cose (~> 0.4.1)
       jwt (>= 1.5, < 3.0)
       openssl (~> 2.0)
       securecompare (~> 1.0)
@@ -721,7 +722,7 @@ DEPENDENCIES
   sass-rails (~> 5.0)
   scrypt
   secure_headers (~> 6.0)
-  shoulda-matchers (~> 3.0)
+  shoulda-matchers (~> 4.0.1)
   simple_form
   sinatra
   slim-rails
@@ -746,4 +747,4 @@ RUBY VERSION
    ruby 2.5.3p105
 
 BUNDLED WITH
-   1.17.1
+   1.17.3
diff --git a/app/assets/images/alert/unphishable.svg b/app/assets/images/alert/unphishable.svg
diff --git a/app/assets/images/sp-logos/hhs-xms.png b/app/assets/images/sp-logos/hhs-xms.png
diff --git a/app/controllers/account_reset/recover_controller.rb b/app/controllers/account_reset/recover_controller.rb
@@ -0,0 +1,48 @@
+module AccountReset
+  class RecoverController < ApplicationController
+    include TwoFactorAuthenticatable
+
+    before_action :confirm_two_factor_enabled
+    before_action :confirm_user_verified
+
+    def show
+      analytics.track_event(Analytics::IAL2_RECOVERY_REQUEST_VISITED)
+    end
+
+    def create
+      analytics.track_event(Analytics::IAL2_RECOVERY_REQUEST, analytics_attributes)
+      Recover::CreateRecoverRequest.call(current_user.id)
+      send_notifications
+      redirect_to account_reset_recover_email_sent_url
+    end
+
+    private
+
+    def send_notifications
+      current_user.confirmed_email_addresses.each do |email_address|
+        UserMailer.confirm_email_and_reverify(email_address,
+                                              current_user.account_recovery_request).deliver_later
+      end
+    end
+
+    def confirm_two_factor_enabled
+      return if MfaPolicy.new(current_user).two_factor_enabled?
+
+      redirect_to two_factor_options_url
+    end
+
+    def confirm_user_verified
+      redirect_to account_url unless decorated_user.identity_verified?
+    end
+
+    def analytics_attributes
+      {
+        event: 'request',
+        sms_phone: TwoFactorAuthentication::PhonePolicy.new(current_user).configured?,
+        totp: TwoFactorAuthentication::AuthAppPolicy.new(current_user).configured?,
+        piv_cac: TwoFactorAuthentication::PivCacPolicy.new(current_user).configured?,
+        email_addresses: current_user.email_addresses.count,
+      }
+    end
+  end
+end
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -56,24 +56,10 @@ def analytics_user
     warden.user || AnonymousUser.new
   end
 
-  def create_user_event(event_type, user = current_user)
-    return unless user&.id
-    device = create_or_update_device(user)
-    Event.create(user_id: user.id,
-                 device_id: device.id,
-                 ip: request.remote_ip,
-                 event_type: event_type)
-  end
-
-  def create_or_update_device(user)
-    cookie = cookies[:device]
-    device = DeviceTracking::ManageDevice.call(user, cookie, request.remote_ip, request.user_agent)
-
-    device_cookie_uuid = device.cookie_uuid
-
-    cookies.permanent[:device] = device_cookie_uuid unless device_cookie_uuid == cookie
-    device
+  def user_event_creator
+    @user_event_creator ||= UserEventCreator.new(request, current_user)
   end
+  delegate :create_user_event, :create_user_event_with_disavowal, to: :user_event_creator
 
   def decorated_session
     @_decorated_session ||= DecoratedSession.new(