Deploy RC 341 to Prod #9800
Merged
The multi-region KMS migration involved changes to migrate password digests and encrypted PII ciphertexts away from a KMS instance that used a single key to one that supports multi-region keys. This was done with a background job and tooling that would decrypt with the single region key and re-encrypt with the multi-region key.

All of the migratable records have been migrated at this point so this job, its configuration, and the tooling to support it are no longer necessary.

[skip changelog]
In the past the IDP used the `Encryption::Encryptors::SessionEncryptor` to encrypt sessions as a whole. This tool was used by the unfortunately named `SessionEncryptor` which acts as a serializer for the session store. The `Encryption::Encryptors::SessionEncryptor` was also used for encrypting PII temporarily while it was queued for letter sending.

Two changes led to `Encryption::Encryptors::SessionEncryptor` being unused:

- #6315 enabled partial session encryption which made the session encryptor sophisticated enough that it justified its own logic for encrypting elements instead of depending on `Encryption::Encryptors::SessionEncryptor`
- #6211 replaced the `Encryption::Encryptors::SessionEncryptor` that was used for encrypting letter PII with a new encryptor built specifically for encrypting background arguments

With these changes the `Encryption::Encryptors::SessionEncryptor` no longer has a caller. This commit removes it.

[skip changelog]
changelog: User-Facing Improvements, Face or Touch Unlock, Add option to rename face or touch unlock in account dashboard

Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
* Add react plugins, but turn off all the new rules so lint passes
* Show exhaustive-deps error for one file
* Fix hook linting error
* Hoist state for more functions
* Resolve lint problems
* Lint acuant-camera.tsx for react rules
* Don't pass translation function down
* Turn lint off for all files on a per package level
* Enable new lint rules for only acuant-camera.tsx
* Fail on informative test problem
* Cause infinite update loop, but move closer to a good state
* Revert hooks changes in favor of easier start to linting changes
* Lint some easier files first (rather than document-capture)
* changelog: Internal, In-Person Proofing, Change React linting to allow gradual enablement
* Move override into top level rules
* Remove commented out files
* Void disabling the JSX rule by using the new plugin
…` implementation (#9754)

The `Pii::ProfileCacher` was implemented in #9509. As described in that pull request:

> The Pii::ProfileCacher class implements the same API as Pii::Cacher and is intended to supersede Pii::Cacher when this work is done.

All of the invocations to `Pii::Cacher` that require the deprecated profile-unaware functionality have been removed and the new profile-aware functionality is fully implemented and in use. This commit does the work of moving the `Pii::ProfileCacher` functionality into `Pii::Cacher` and removing `Pii::ProfileCacher`.

This should not be merged until both `session_encrypted_profiles_read_enabled` and `session_encrypted_profiles_write_enabled` have been set to true. This commit removes those feature flags and assumes they are set to true.

changelog: Internal, Profile and session management, The pii cacher implementation was replaced with the profile cacher implementation
…ession (#9759)

We have not clearly defined how we want service providers to request a biometric comparison. This commit adds a query parameter to the OIDC authorization URL to specify that a biometric is required. This is temporary and intended to enable us to test the selfie / in-person requirement end-to-end before the API for requesting this functionality is fully defined.

This commit stores the attribute in the SP session. It does not make any changes to functionality based on the attribute or apply any changes to the SAML API.

The corresponding change on the sample app is here: 18F/identity-oidc-sinatra#149

changelog: Internal, Biometric comparison, A parameter was added to test the selfie workflow end-to-end
* changelog: Internal, Local setup, Fix headless mode used by Selenium locally

  This fixes local dev for Chromedriver v120. We found that upgrading Chromedriver to v120 in Docker for CI caused all sorts of issues, so for the time being we are not upgrading CI. This is a workaround from the failures in #9734. [See this documentation for details on the change](https://www.selenium.dev/blog/2023/headless-is-going-away/), [this conversation in Slack for discussion](https://gsa-tts.slack.com/archives/C0NGESUN5/p1702068737905679), and [this issue on Chromedriver](https://bugs.chromium.org/p/chromedriver/issues/detail?id=4440).
Remove content from forgot password page

changelog: User-Facing Improvements, Authentication, Account reset content update
* Bust pending/active profile caches in User model

  If the `active` state of a Profile does not match what's expected when calling User::active_profile or User::pending_profile, clear the cached value. This is mostly a convenience for tests.

  [skip changelog]
* Fix a couple of references to user.pending_profile in specs

  Since they were referencing a profile that's not actually pending anymore.
* Update app/models/user.rb

  Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
* Also bust cache on reload()
* Remove remove_instance_variable

  Not actually required to achieve the same effect.
* Add test for #pending_profile caching nil until reload
* Actually, let's maintain the behavior of not caching nil values
* 'be' -> 'eq' in dev_rake_spec

  Since these calls are preceded by .reload (which busts the cache), these are no longer the _exact same_ objects, even though they refer to the same records
* Don't remove @active_profile since we don't need to

---------

Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
* Handle query timeouts in Agencies and SPs report
  - In #9744, we added more correct queries that took much longer. Even though we added the correct transaction_with_timeout wrapper, and even though the queries can succeed, the report still failed in prod.
  - Adding this rescue allows the report to complete and send partial results still
* Remove extra begin...end syntax

changelog: Internal, Reporting, Add error handling for long-running queries
[skip changelog]
* LG-11577: Selfie ui content. Separate capture component for selfie capture to add tip list etc.
* LG-11577: test for new component.
* LG-11577: test for new conditional content in document_step.
* LG-11577: test for new conditional content in document_step.
* LG-11577: update review issue page and test.
* LG-11577: update feature test.
* LG-11577: update non-selfie UI.
* LG-11577: revert review issue page.
* LG-11577: add missing hr for selfie section.
* LG-11577: update tests.

  changelog: User-facing Improvements, Doc Auth, Document capture UI update.
* LG-11577: refactor conditionally rendering of the header.
* changelog: User-facing Improvements, Doc Auth, Document capture UI update (LG-11577)
* LG-11577: minor styling fix for buttons.
* LG-11577: translation update and refactor on capturing components.
* LG-11577: revert how to render side capturing component, it causes some issues on active element on page during testing.
* LG-11577: refactor no subcomponent for selfie.
* LG-11577: add missing tips and update tests.
* Sync default reauthn_window with production value

  changelog: Internal, Configuration, Sync default reauthn_window with production value
* Fix tests assuming reauthn before session expired
* Fix link to troubleshooting

  Replace: broken link within doc => working link to different doc
* Remove anchor/jump link
* Add changelog

  changelog: Internal, Documentation, Fix broken link in local development documentation

---------

Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>
changelog: Internal, Automated Testing, Add missing spec assertion for password change user event
…nabled` (#9782)

The `doc_auth_selfie_capture` is a JSON hash that was intended to manage multiple configs for document selfie capture. Prior to this commit it contains a single value: `enabled`.

Using an unstructured hash this way means we do not get many of the benefits of using IdentityConfig e.g. type validation for configs and warnings/errors when configs are missing.

This commit moves the enabled config from `doc_auth_selfie_capture` to `doc_auth_selfie_capture_enabled` and deletes the `doc_auth_selfie_capture` config. Future configs for selfie capture can use the `doc_auth_selfie_capture` prefix.

[skip changelog]
Bumps [phonelib](https://github.com/daddyz/phonelib) from 0.8.5 to 0.8.6.
- [Release notes](https://github.com/daddyz/phonelib/releases)
- [Changelog](https://github.com/daddyz/phonelib/blob/master/CHANGELOG.md)
- [Commits](daddyz/phonelib@v0.8.5...v0.8.6)

---
updated-dependencies:
- dependency-name: phonelib
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* LG-11454: Improve robustness of WebauthnController#edit specs

  changelog: User-Facing Improvements, Face or Touch Unlock, Add option to rename face or touch unlock in account dashboard
* Add additional specs for update/delete
Bumps [libphonenumber-js](https://gitlab.com/catamphetamine/libphonenumber-js) from 1.10.51 to 1.10.52.
- [Changelog](https://gitlab.com/catamphetamine/libphonenumber-js/blob/master/CHANGELOG.md)
- [Commits](https://gitlab.com/catamphetamine/libphonenumber-js/compare/v1.10.51...v1.10.52)

---
updated-dependencies:
- dependency-name: libphonenumber-js
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Fix in person address controller analytics

  Co-authored-by: Gina Yamada <gina.yamada@gsa.gov>
* Remove explicit step_count from analytics_events

  step_count can still be passed in via **extra. It is left over from the Flow State Machine and is in the process of being removed. No one is using the data.
* changelog: Internal, In-person proofing, Updated analytic args for non-FSM Address controller

---------

Co-authored-by: Sonia Connolly <sonia.connolly@gsa.gov>
changelog: Internal, OpenID Connect, Add support for client-side OIDC redirect

Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
changelog: Internal, Code Quality, Remove unused code
* changelog: Bug fixes, Personal Key MFA, Personal Key entry as MFA will redirect to MFA selection page
* add feature management
* update config verification
* spec for personal key redirect
mitchellhenke approved these changes Dec 19, 2023

mdiarra3 approved these changes Dec 19, 2023
User-Facing Improvements
Bug Fixes
Internal