From 9ddea9d0132ea71159baf672ef1f934e554231f2 Mon Sep 17 00:00:00 2001 From: Mitchell Henke Date: Wed, 8 Jan 2025 15:56:46 -0600 Subject: [PATCH 1/3] Revert "Refactor to use User#last_sign_in_email_address (#11688)" This reverts commit 0ce504ed65049f8de9ca975ff0debff9d7e9337a. --- app/controllers/idv/forgot_password_controller.rb | 2 +- app/jobs/resolution_proofing_job.rb | 2 +- app/models/user.rb | 2 +- app/views/users/webauthn_setup/new.html.erb | 2 +- .../controllers/idv/by_mail/enter_code_controller_spec.rb | 4 ++-- spec/controllers/idv/enter_password_controller_spec.rb | 2 +- spec/features/multiple_emails/email_management_spec.rb | 6 +++--- spec/features/sp_cost_tracking_spec.rb | 2 +- spec/features/two_factor_authentication/sign_in_spec.rb | 2 +- spec/features/users/sign_in_spec.rb | 8 ++++---- spec/jobs/get_usps_proofing_results_job_spec.rb | 4 ++-- .../user_alerts/alert_user_about_account_verified_spec.rb | 4 ++-- spec/support/features/session_helper.rb | 2 +- spec/support/idv_examples/sp_handoff.rb | 4 ++-- spec/support/shared_examples/phone/rate_limiting.rb | 4 ++-- spec/support/shared_examples/sign_in.rb | 6 +++--- 16 files changed, 28 insertions(+), 28 deletions(-) diff --git a/app/controllers/idv/forgot_password_controller.rb b/app/controllers/idv/forgot_password_controller.rb index af5fce773fa..aa3041b13ff 100644 --- a/app/controllers/idv/forgot_password_controller.rb +++ b/app/controllers/idv/forgot_password_controller.rb @@ -15,7 +15,7 @@ def new def update analytics.idv_forgot_password_confirmed request_id = sp_session[:request_id] - email = current_user.last_sign_in_email_address.email + email = current_user.confirmed_email_addresses.first.email reset_password(email, request_id) end diff --git a/app/jobs/resolution_proofing_job.rb b/app/jobs/resolution_proofing_job.rb index 23e63b75e6e..66c9d635feb 100644 --- a/app/jobs/resolution_proofing_job.rb +++ b/app/jobs/resolution_proofing_job.rb @@ -131,7 +131,7 @@ def make_vendor_proofing_requests( end def user_email_for_proofing(user) - user.last_sign_in_email_address.email + user.confirmed_email_addresses.first.email end def log_threatmetrix_info(threatmetrix_result, user) diff --git a/app/models/user.rb b/app/models/user.rb index 2eca557512a..44270a01e15 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -65,7 +65,7 @@ class User < ApplicationRecord attr_accessor :asserted_attributes, :email def confirmed_email_addresses - email_addresses.confirmed + email_addresses.confirmed.order('last_sign_in_at DESC NULLS LAST') end def fully_registered? diff --git a/app/views/users/webauthn_setup/new.html.erb b/app/views/users/webauthn_setup/new.html.erb index a0ad8a34ce6..1323e2fe05d 100644 --- a/app/views/users/webauthn_setup/new.html.erb +++ b/app/views/users/webauthn_setup/new.html.erb @@ -27,7 +27,7 @@ }, ) do |f| %> <%= hidden_field_tag :user_id, current_user.id, id: 'user_id' %> - <%= hidden_field_tag :user_email, current_user.last_sign_in_email_address.email, id: 'user_email' %> + <%= hidden_field_tag :user_email, current_user.confirmed_email_addresses.first.email, id: 'user_email' %> <%= hidden_field_tag :user_challenge, user_session[:webauthn_challenge].to_json, id: 'user_challenge' %> <%= hidden_field_tag :exclude_credentials, @exclude_credentials&.join(','), id: 'exclude_credentials' %> <%= hidden_field_tag :webauthn_id, '', id: 'webauthn_id' %> diff --git a/spec/controllers/idv/by_mail/enter_code_controller_spec.rb b/spec/controllers/idv/by_mail/enter_code_controller_spec.rb index 277187e96cc..e9f5ef0f835 100644 --- a/spec/controllers/idv/by_mail/enter_code_controller_spec.rb +++ b/spec/controllers/idv/by_mail/enter_code_controller_spec.rb @@ -289,7 +289,7 @@ it 'does not send the "Please Call" email' do action expect_email_not_delivered( - to: user.last_sign_in_email_address.email, + to: user.confirmed_email_addresses.first.email, subject: t('user_mailer.idv_please_call.subject', app_name: APP_NAME), ) end @@ -335,7 +335,7 @@ it 'sends the "Please Call" email' do action expect_delivered_email( - to: user.last_sign_in_email_address.email, + to: user.confirmed_email_addresses.first.email, subject: t('user_mailer.idv_please_call.subject', app_name: APP_NAME), ) end diff --git a/spec/controllers/idv/enter_password_controller_spec.rb b/spec/controllers/idv/enter_password_controller_spec.rb index 7f88fcc31d0..a96a19998d4 100644 --- a/spec/controllers/idv/enter_password_controller_spec.rb +++ b/spec/controllers/idv/enter_password_controller_spec.rb @@ -416,7 +416,7 @@ def show it 'sends the idv_please_call email' do put :create, params: { user: { password: ControllerHelper::VALID_PASSWORD } } expect_delivered_email( - to: user.last_sign_in_email_address.email, + to: user.confirmed_email_addresses.first.email, subject: t('user_mailer.idv_please_call.subject', app_name: APP_NAME), ) end diff --git a/spec/features/multiple_emails/email_management_spec.rb b/spec/features/multiple_emails/email_management_spec.rb index 78deed13679..4018460e401 100644 --- a/spec/features/multiple_emails/email_management_spec.rb +++ b/spec/features/multiple_emails/email_management_spec.rb @@ -40,7 +40,7 @@ context 'allows deletion of email address' do it 'does not allow last confirmed email to be deleted' do user = create(:user, :fully_registered, email: 'test@example.com ') - confirmed_email = user.last_sign_in_email_address + confirmed_email = user.confirmed_email_addresses.first unconfirmed_email = create(:email_address, user: user, confirmed_at: nil) user.email_addresses.reload @@ -56,7 +56,7 @@ it 'Allows delete when more than one confirmed email exists' do user = create(:user, :fully_registered, email: 'test@example.com ') - confirmed_email1 = user.last_sign_in_email_address + confirmed_email1 = user.confirmed_email_addresses.first confirmed_email2 = create( :email_address, user: user, confirmed_at: Time.zone.now @@ -74,7 +74,7 @@ it 'sends notification to all confirmed emails when email address is deleted' do user = create(:user, :fully_registered, email: 'test@example.com ') - confirmed_email1 = user.last_sign_in_email_address + confirmed_email1 = user.confirmed_email_addresses.first confirmed_email2 = create(:email_address, user: user, confirmed_at: Time.zone.now) sign_in_and_2fa_user(user) diff --git a/spec/features/sp_cost_tracking_spec.rb b/spec/features/sp_cost_tracking_spec.rb index 2bf4a64a083..feb8f84eac2 100644 --- a/spec/features/sp_cost_tracking_spec.rb +++ b/spec/features/sp_cost_tracking_spec.rb @@ -45,7 +45,7 @@ user.active_profile.update!(verified_at: 60.days.ago) visit_idp_from_sp_with_ial2(:oidc, verified_within: '45d') - fill_in_credentials_and_submit(user.last_sign_in_email_address.email, password) + fill_in_credentials_and_submit(user.confirmed_email_addresses.first.email, password) fill_in_code_with_last_totp(user) click_submit_default complete_all_doc_auth_steps_before_password_step diff --git a/spec/features/two_factor_authentication/sign_in_spec.rb b/spec/features/two_factor_authentication/sign_in_spec.rb index 075dc608440..63ff2dc5a12 100644 --- a/spec/features/two_factor_authentication/sign_in_spec.rb +++ b/spec/features/two_factor_authentication/sign_in_spec.rb @@ -92,7 +92,7 @@ scenario 'allows a user to recreate their account after account reset' do sign_in_before_2fa(user) - email = user.last_sign_in_email_address.email + email = user.confirmed_email_addresses.first.email expect(page).to have_content(t('two_factor_authentication.opt_in.title')) diff --git a/spec/features/users/sign_in_spec.rb b/spec/features/users/sign_in_spec.rb index 15d4e3abe6d..982fbc6a6f8 100644 --- a/spec/features/users/sign_in_spec.rb +++ b/spec/features/users/sign_in_spec.rb @@ -406,7 +406,7 @@ create(:user, :fully_registered, email: email, password: password) user = User.find_with_email(email) - encrypted_email = user.last_sign_in_email_address.encrypted_email + encrypted_email = user.confirmed_email_addresses.first.encrypted_email rotate_attribute_encryption_key_with_invalid_queue @@ -414,7 +414,7 @@ .to raise_error Encryption::EncryptionError, 'unable to decrypt attribute with any key' user = user.reload - expect(user.last_sign_in_email_address.encrypted_email).to eq encrypted_email + expect(user.confirmed_email_addresses.first.encrypted_email).to eq encrypted_email end end @@ -426,14 +426,14 @@ create(:user, :fully_registered, email: email, password: password) user = User.find_with_email(email) - encrypted_email = user.last_sign_in_email_address.encrypted_email + encrypted_email = user.confirmed_email_addresses.first.encrypted_email rotate_attribute_encryption_key_with_invalid_queue sign_in_user_with_piv(user) user = user.reload - expect(user.last_sign_in_email_address.encrypted_email).to eq encrypted_email + expect(user.confirmed_email_addresses.first.encrypted_email).to eq encrypted_email end end end diff --git a/spec/jobs/get_usps_proofing_results_job_spec.rb b/spec/jobs/get_usps_proofing_results_job_spec.rb index b22d3ee27e5..5ea9d8b9131 100644 --- a/spec/jobs/get_usps_proofing_results_job_spec.rb +++ b/spec/jobs/get_usps_proofing_results_job_spec.rb @@ -130,7 +130,7 @@ ) allow(UserMailer).to receive(:with).with( user: enrollment.user, - email_address: enrollment.user.last_sign_in_email_address, + email_address: enrollment.user.confirmed_email_addresses.first, ).and_return(user_mailer) allow(mail_deliverer).to receive(:deliver_later) allow(InPerson::SendProofingNotificationJob).to receive(:set).and_return( @@ -366,7 +366,7 @@ ) allow(UserMailer).to receive(:with).with( user: enrollment.user, - email_address: enrollment.user.last_sign_in_email_address, + email_address: enrollment.user.confirmed_email_addresses.first, ).and_raise(StandardError) subject.perform(current_time) end diff --git a/spec/services/user_alerts/alert_user_about_account_verified_spec.rb b/spec/services/user_alerts/alert_user_about_account_verified_spec.rb index be082872867..c956abd7ba1 100644 --- a/spec/services/user_alerts/alert_user_about_account_verified_spec.rb +++ b/spec/services/user_alerts/alert_user_about_account_verified_spec.rb @@ -36,7 +36,7 @@ described_class.call(profile: profile) expect_delivered_email( - to: [user.last_sign_in_email_address.email], + to: [user.confirmed_email_addresses.first.email], subject: t('user_mailer.account_verified.subject', app_name: APP_NAME), body: [ 'http://www.example.com/redirect/return_to_sp/account_verified_cta', @@ -71,7 +71,7 @@ described_class.call(profile: profile) expect_delivered_email( - to: [user.last_sign_in_email_address.email], + to: [user.confirmed_email_addresses.first.email], subject: t('user_mailer.account_verified.subject', app_name: APP_NAME), body: ['http://example.com'], ) diff --git a/spec/support/features/session_helper.rb b/spec/support/features/session_helper.rb index 60b5ecdacfe..123748bd7b9 100644 --- a/spec/support/features/session_helper.rb +++ b/spec/support/features/session_helper.rb @@ -537,7 +537,7 @@ def skip_second_mfa_prompt end def sign_in_via_branded_page(user) - fill_in_credentials_and_submit(user.last_sign_in_email_address.email, user.password) + fill_in_credentials_and_submit(user.confirmed_email_addresses.first.email, user.password) fill_in_code_with_last_phone_otp click_submit_default end diff --git a/spec/support/idv_examples/sp_handoff.rb b/spec/support/idv_examples/sp_handoff.rb index ee43a76e175..71786093558 100644 --- a/spec/support/idv_examples/sp_handoff.rb +++ b/spec/support/idv_examples/sp_handoff.rb @@ -145,7 +145,7 @@ def expect_successful_oidc_handoff expect(decoded_id_token[:aud]).to eq(@client_id) expect(decoded_id_token[:acr]).to eq(Saml::Idp::Constants::IAL_VERIFIED_ACR) expect(decoded_id_token[:iss]).to eq(root_url) - expect(decoded_id_token[:email]).to eq(user.last_sign_in_email_address.email) + expect(decoded_id_token[:email]).to eq(user.confirmed_email_addresses.first.email) expect(decoded_id_token[:given_name]).to eq('FAKEY') expect(decoded_id_token[:social_security_number]).to eq(DocAuthHelper::GOOD_SSN) @@ -159,7 +159,7 @@ def expect_successful_oidc_handoff userinfo_response = JSON.parse(page.body).with_indifferent_access expect(userinfo_response[:sub]).to eq(sub) expect(AgencyIdentity.where(user_id: user.id, agency_id: 2).first.uuid).to eq(sub) - expect(userinfo_response[:email]).to eq(user.last_sign_in_email_address.email) + expect(userinfo_response[:email]).to eq(user.confirmed_email_addresses.first.email) expect(userinfo_response[:given_name]).to eq('FAKEY') expect(userinfo_response[:social_security_number]).to eq(DocAuthHelper::GOOD_SSN) end diff --git a/spec/support/shared_examples/phone/rate_limiting.rb b/spec/support/shared_examples/phone/rate_limiting.rb index f0154c9f94b..0d6b2d0c2a4 100644 --- a/spec/support/shared_examples/phone/rate_limiting.rb +++ b/spec/support/shared_examples/phone/rate_limiting.rb @@ -89,7 +89,7 @@ def expect_user_to_be_rate_limitted visit root_path signin( - user.last_sign_in_email_address.email, + user.confirmed_email_addresses.first.email, user.password || Features::SessionHelper::VALID_PASSWORD, ) @@ -101,7 +101,7 @@ def expect_rate_limiting_to_expire visit root_path signin( - user.last_sign_in_email_address.email, + user.confirmed_email_addresses.first.email, user.password || Features::SessionHelper::VALID_PASSWORD, ) diff --git a/spec/support/shared_examples/sign_in.rb b/spec/support/shared_examples/sign_in.rb index 07c1c258f91..013e9ad5172 100644 --- a/spec/support/shared_examples/sign_in.rb +++ b/spec/support/shared_examples/sign_in.rb @@ -130,12 +130,12 @@ old_personal_key = PersonalKeyGenerator.new(user).generate! visit_idp_from_sp_with_ial1(sp) - trigger_reset_password_and_click_email_link(user.last_sign_in_email_address.email) + trigger_reset_password_and_click_email_link(user.confirmed_email_addresses.first.email) fill_in t('forms.passwords.edit.labels.password'), with: new_password fill_in t('components.password_confirmation.confirm_label'), with: new_password click_button t('forms.passwords.edit.buttons.submit') - fill_in_credentials_and_submit(user.last_sign_in_email_address.email, new_password) + fill_in_credentials_and_submit(user.confirmed_email_addresses.first.email, new_password) choose_another_security_option('personal_key') enter_personal_key(personal_key: old_personal_key) click_submit_default @@ -392,7 +392,7 @@ def ial1_sign_in_with_personal_key_goes_to_sp(sp) Capybara.reset_sessions! visit_idp_from_sp_with_ial1(sp) - fill_in_credentials_and_submit(user.last_sign_in_email_address.email, 'Val!d Pass w0rd') + fill_in_credentials_and_submit(user.confirmed_email_addresses.first.email, 'Val!d Pass w0rd') choose_another_security_option('personal_key') enter_personal_key(personal_key: old_personal_key) click_submit_default From 6cc036752118d1124abc2cdb96203c0692befcf2 Mon Sep 17 00:00:00 2001 From: Mitchell Henke Date: Wed, 8 Jan 2025 15:57:04 -0600 Subject: [PATCH 2/3] Revert "Update newrelic_rpm gem (#11699)" This reverts commit 0d65152d4187b16d7d044dd831414b10574b2ddb. --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index fa23eee29b2..e152e8df347 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -458,7 +458,7 @@ GEM net-smtp (0.5.0) net-protocol net-ssh (6.1.0) - newrelic_rpm (9.16.1) + newrelic_rpm (9.7.0) nio4r (2.7.4) nokogiri (1.16.8) mini_portile2 (~> 2.8.2) From 2eefd2e6a24ece8c054fe95786299a79ad800052 Mon Sep 17 00:00:00 2001 From: Mitchell Henke Date: Wed, 8 Jan 2025 15:57:23 -0600 Subject: [PATCH 3/3] Revert "Attempts API Storage (#11692)" This reverts commit 4c4e13f302caf94c2c2e98ae57ca6f22258fd27f. --- .gitlab-ci.yml | 2 +- app/services/attempts_api/attempt_event.rb | 86 ----------------- app/services/attempts_api/redis_client.rb | 29 ------ config/application.yml.default | 3 - config/initializers/01_redis.rb | 5 - lib/identity_config.rb | 3 - spec/rails_helper.rb | 1 - .../attempts_api/attempt_event_spec.rb | 70 -------------- .../attempts_api/redis_client_spec.rb | 92 ------------------- 9 files changed, 1 insertion(+), 290 deletions(-) delete mode 100644 app/services/attempts_api/attempt_event.rb delete mode 100644 app/services/attempts_api/redis_client.rb delete mode 100644 spec/services/attempts_api/attempt_event_spec.rb delete mode 100644 spec/services/attempts_api/redis_client_spec.rb diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index fa9120acf94..4dcf6078669 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -293,7 +293,7 @@ specs: - cp -a keys.example keys - cp -a certs.example certs - cp pwned_passwords/pwned_passwords.txt.sample pwned_passwords/pwned_passwords.txt - - "echo -e \"test:\n redis_url: 'redis://db-redis:6379/0'\n redis_throttle_url: 'redis://db-redis:6379/1'\n redis_attempts_api_url: 'redis://db-redis:6379/2'\" > config/application.yml" + - "echo -e \"test:\n redis_url: 'redis://db-redis:6379/0'\n redis_throttle_url: 'redis://db-redis:6379/1'\" > config/application.yml" - bundle exec rake db:create db:migrate --trace - bundle exec rake db:seed - bundle exec rake knapsack:rspec["--format documentation --format RspecJunitFormatter --out rspec.xml --format json --out rspec_json/${CI_NODE_INDEX}.json"] diff --git a/app/services/attempts_api/attempt_event.rb b/app/services/attempts_api/attempt_event.rb deleted file mode 100644 index bd5821d5721..00000000000 --- a/app/services/attempts_api/attempt_event.rb +++ /dev/null @@ -1,86 +0,0 @@ -# frozen_string_literal: true - -module AttemptsApi - class AttemptEvent - attr_reader :jti, :iat, :event_type, :session_id, :occurred_at, :event_metadata - - def initialize( - event_type:, - session_id:, - occurred_at:, - event_metadata:, - jti: SecureRandom.uuid, - iat: Time.zone.now.to_i - ) - @jti = jti - @iat = iat - @event_type = event_type - @session_id = session_id - @occurred_at = occurred_at - @event_metadata = event_metadata - end - - def to_jwe(public_key:, issuer:) - jwk = JWT::JWK.new(public_key) - - JWE.encrypt( - payload_json(issuer: issuer), - public_key, - typ: 'secevent+jwe', - zip: 'DEF', - alg: 'RSA-OAEP', - enc: 'A256GCM', - kid: jwk.kid, - ) - end - - def self.from_jwe(jwe, private_key) - decrypted_event = JWE.decrypt(jwe, private_key) - parsed_event = JSON.parse(decrypted_event) - event_type = parsed_event['events'].keys.first.split('/').last - event_data = parsed_event['events'].values.first - jti = parsed_event['jti'].split(':').last - AttemptEvent.new( - jti: jti, - iat: parsed_event['iat'], - event_type: event_type, - session_id: event_data['subject']['session_id'], - occurred_at: Time.zone.at(event_data['occurred_at']), - event_metadata: event_data.symbolize_keys.except(:subject, :occurred_at), - ) - end - - def payload(issuer:) - { - jti: jti, - iat: iat, - iss: Rails.application.routes.url_helpers.root_url, - aud: issuer, - events: { - long_event_type => event_data, - }, - } - end - - def payload_json(issuer:) - @payload_json ||= payload(issuer:).to_json - end - - private - - def event_data - { - 'subject' => { - 'subject_type' => 'session', - 'session_id' => session_id, - }, - 'occurred_at' => occurred_at.to_f, - }.merge(event_metadata || {}) - end - - def long_event_type - dasherized_name = event_type.to_s.dasherize - "https://schemas.login.gov/secevent/attempts-api/event-type/#{dasherized_name}" - end - end -end diff --git a/app/services/attempts_api/redis_client.rb b/app/services/attempts_api/redis_client.rb deleted file mode 100644 index 2f9fd809382..00000000000 --- a/app/services/attempts_api/redis_client.rb +++ /dev/null @@ -1,29 +0,0 @@ -# frozen_string_literal: true - -module AttemptsApi - class RedisClient - def write_event(event_key:, jwe:, timestamp:, issuer:) - key = key(timestamp, issuer) - REDIS_ATTEMPTS_API_POOL.with do |client| - client.hset(key, event_key, jwe) - client.expire(key, IdentityConfig.store.attempts_api_event_ttl_seconds) - end - end - - def read_events(timestamp:, issuer:, batch_size: 5000) - key = key(timestamp, issuer) - events = {} - REDIS_ATTEMPTS_API_POOL.with do |client| - client.hscan_each(key, count: batch_size) do |k, v| - events[k] = v - end - end - events - end - - def key(timestamp, issuer) - formatted_time = timestamp.in_time_zone('UTC').change(min: 0, sec: 0).iso8601 - "attempts-api-events:#{issuer}:#{formatted_time}" - end - end -end diff --git a/config/application.yml.default b/config/application.yml.default index 0c72eaaba56..3aeaffe4dcc 100644 --- a/config/application.yml.default +++ b/config/application.yml.default @@ -40,7 +40,6 @@ allowed_verified_within_providers: '[]' asset_host: '' async_stale_job_timeout_seconds: 300 async_wait_timeout_seconds: 60 -attempts_api_event_ttl_seconds: 3_600 attribute_encryption_key: attribute_encryption_key_queue: '[]' available_locales: 'en,es,fr,zh' @@ -323,8 +322,6 @@ recaptcha_site_key: '' recommend_webauthn_platform_for_sms_ab_test_account_creation_percent: 0 recommend_webauthn_platform_for_sms_ab_test_authentication_percent: 0 recovery_code_length: 4 -redis_attempts_api_pool_size: 1 -redis_attempts_api_url: redis://localhost:6379/2 redis_pool_size: 10 redis_throttle_pool_size: 5 redis_throttle_url: redis://localhost:6379/1 diff --git a/config/initializers/01_redis.rb b/config/initializers/01_redis.rb index 3a88b1c43f9..39851d84299 100644 --- a/config/initializers/01_redis.rb +++ b/config/initializers/01_redis.rb @@ -9,8 +9,3 @@ REDIS_THROTTLE_POOL = ConnectionPool.new(size: IdentityConfig.store.redis_throttle_pool_size) do Redis.new(url: IdentityConfig.store.redis_throttle_url) end.freeze - -REDIS_ATTEMPTS_API_POOL = - ConnectionPool.new(size: IdentityConfig.store.redis_attempts_api_pool_size) do - Redis.new(url: IdentityConfig.store.redis_attempts_api_url) - end.freeze diff --git a/lib/identity_config.rb b/lib/identity_config.rb index 9ea782ad0d8..b2dc14f6aab 100644 --- a/lib/identity_config.rb +++ b/lib/identity_config.rb @@ -58,7 +58,6 @@ def self.store config.add(:asset_host, type: :string) config.add(:async_stale_job_timeout_seconds, type: :integer) config.add(:async_wait_timeout_seconds, type: :integer) - config.add(:attempts_api_event_ttl_seconds, type: :integer) config.add(:attribute_encryption_key, type: :string) config.add(:attribute_encryption_key_queue, type: :json) config.add(:available_locales, type: :comma_separated_string_list) @@ -357,8 +356,6 @@ def self.store config.add(:recaptcha_secret_key, type: :string) config.add(:recaptcha_site_key, type: :string) config.add(:recovery_code_length, type: :integer) - config.add(:redis_attempts_api_pool_size, type: :integer) - config.add(:redis_attempts_api_url, type: :string) config.add(:redis_pool_size, type: :integer) config.add(:redis_throttle_pool_size, type: :integer) config.add(:redis_throttle_url, type: :string) diff --git a/spec/rails_helper.rb b/spec/rails_helper.rb index 6c27735fd6d..0beffa39153 100644 --- a/spec/rails_helper.rb +++ b/spec/rails_helper.rb @@ -112,7 +112,6 @@ class Analytics Telephony::Test::Call.clear_calls PushNotification::LocalEventQueue.clear! REDIS_THROTTLE_POOL.with { |client| client.flushdb } if Identity::Hostdata.config - REDIS_ATTEMPTS_API_POOL.with { |client| client.flushdb } if Identity::Hostdata.config end config.before(:each) do diff --git a/spec/services/attempts_api/attempt_event_spec.rb b/spec/services/attempts_api/attempt_event_spec.rb deleted file mode 100644 index 3ed0446151e..00000000000 --- a/spec/services/attempts_api/attempt_event_spec.rb +++ /dev/null @@ -1,70 +0,0 @@ -require 'rails_helper' - -RSpec.describe AttemptsApi::AttemptEvent do - let(:attempts_api_private_key) { OpenSSL::PKey::RSA.new(2048) } - let(:attempts_api_public_key) { attempts_api_private_key.public_key } - - let(:jti) { 'test-unique-id' } - let(:iat) { Time.zone.now.to_i } - let(:event_type) { 'test-event' } - let(:session_id) { 'test-session-id' } - let(:occurred_at) { Time.zone.now.round } - let(:event_metadata) { { 'foo' => 'bar' } } - let(:service_provider) { build(:service_provider) } - - subject do - described_class.new( - jti: jti, - iat: iat, - event_type: event_type, - session_id: session_id, - occurred_at: occurred_at, - event_metadata: event_metadata, - ) - end - - describe '#to_jwe' do - it 'returns a JWE for the event' do - jwe = subject.to_jwe(issuer: service_provider.issuer, public_key: attempts_api_public_key) - - header_str, *_rest = JWE::Serialization::Compact.decode(jwe) - headers = JSON.parse(header_str) - - expect(headers['alg']).to eq('RSA-OAEP') - expect(headers['kid']).to eq(JWT::JWK.new(attempts_api_public_key).kid) - - decrypted_jwe_payload = JWE.decrypt(jwe, attempts_api_private_key) - - token = JSON.parse(decrypted_jwe_payload) - - expect(token['iss']).to eq(Rails.application.routes.url_helpers.root_url) - expect(token['jti']).to eq(jti) - expect(token['iat']).to eq(iat) - expect(token['aud']).to eq(service_provider.issuer) - - event_key = 'https://schemas.login.gov/secevent/attempts-api/event-type/test-event' - event_data = token['events'][event_key] - - expect(event_data['subject']).to eq( - 'subject_type' => 'session', 'session_id' => 'test-session-id', - ) - expect(event_data['foo']).to eq('bar') - expect(event_data['occurred_at']).to eq(occurred_at.to_f) - end - end - - describe '.from_jwe' do - it 'returns an event decrypted from the JWE' do - jwe = subject.to_jwe(issuer: service_provider.issuer, public_key: attempts_api_public_key) - - decrypted_event = described_class.from_jwe(jwe, attempts_api_private_key) - - expect(decrypted_event.jti).to eq(subject.jti) - expect(decrypted_event.iat).to eq(subject.iat) - expect(decrypted_event.event_type).to eq(subject.event_type) - expect(decrypted_event.session_id).to eq(subject.session_id) - expect(decrypted_event.occurred_at).to eq(subject.occurred_at) - expect(decrypted_event.event_metadata).to eq(subject.event_metadata.symbolize_keys) - end - end -end diff --git a/spec/services/attempts_api/redis_client_spec.rb b/spec/services/attempts_api/redis_client_spec.rb deleted file mode 100644 index d768f01eeca..00000000000 --- a/spec/services/attempts_api/redis_client_spec.rb +++ /dev/null @@ -1,92 +0,0 @@ -require 'rails_helper' - -RSpec.describe AttemptsApi::RedisClient do - let(:attempts_api_private_key) { OpenSSL::PKey::RSA.new(2048) } - let(:attempts_api_public_key) { attempts_api_private_key.public_key } - let(:issuer) { 'test' } - - describe '#write_event' do - it 'writes the attempt data to redis with the event key as the key' do - freeze_time do - now = Time.zone.now - event = AttemptsApi::AttemptEvent.new( - event_type: 'test_event', - session_id: 'test-session-id', - occurred_at: Time.zone.now, - event_metadata: { - first_name: Idp::Constants::MOCK_IDV_APPLICANT[:first_name], - }, - ) - event_key = event.jti - jwe = event.to_jwe(issuer: issuer, public_key: attempts_api_public_key) - - subject.write_event(event_key: event_key, jwe: jwe, timestamp: now, issuer: issuer) - - result = subject.read_events(timestamp: now, issuer: issuer) - expect(result[event_key]).to eq(jwe) - end - end - end - - describe '#read_events' do - it 'reads the event events from redis' do - freeze_time do - now = Time.zone.now - events = {} - 3.times do - event = AttemptsApi::AttemptEvent.new( - event_type: 'test_event', - session_id: 'test-session-id', - occurred_at: now, - event_metadata: { - first_name: Idp::Constants::MOCK_IDV_APPLICANT[:first_name], - }, - ) - event_key = event.jti - jwe = event.to_jwe(issuer: issuer, public_key: attempts_api_public_key) - events[event_key] = jwe - end - events.each do |event_key, jwe| - subject.write_event(event_key: event_key, jwe: jwe, timestamp: now, issuer: issuer) - end - - result = subject.read_events(timestamp: now, issuer: issuer) - - expect(result).to eq(events) - end - end - - it 'stores events in hourly buckets' do - time1 = Time.new(2022, 1, 1, 1, 0, 0, 'Z') - time2 = Time.new(2022, 1, 1, 2, 0, 0, 'Z') - event1 = AttemptsApi::AttemptEvent.new( - event_type: 'test_event', - session_id: 'test-session-id', - occurred_at: time1, - event_metadata: { - first_name: Idp::Constants::MOCK_IDV_APPLICANT[:first_name], - }, - ) - event2 = AttemptsApi::AttemptEvent.new( - event_type: 'test_event', - session_id: 'test-session-id', - occurred_at: time2, - event_metadata: { - first_name: Idp::Constants::MOCK_IDV_APPLICANT[:first_name], - }, - ) - jwe1 = event1.to_jwe(issuer: issuer, public_key: attempts_api_public_key) - jwe2 = event2.to_jwe(issuer: issuer, public_key: attempts_api_public_key) - - subject.write_event( - event_key: event1.jti, jwe: jwe1, timestamp: event1.occurred_at, issuer: issuer, - ) - subject.write_event( - event_key: event2.jti, jwe: jwe2, timestamp: event2.occurred_at, issuer: issuer, - ) - - expect(subject.read_events(timestamp: time1, issuer: issuer)).to eq({ event1.jti => jwe1 }) - expect(subject.read_events(timestamp: time2, issuer: issuer)).to eq({ event2.jti => jwe2 }) - end - end -end