production deploy (#461)

* mvi cert and key are figaro required keys, but should not be read in dev (#399)

* mvi cert and key are figaro required keys, but faked values should return nil 

* added initializer to load mvi cert and key

* removing unused vcr_cassettes (#412)

* Changed default rx sort to prescription_name (#403)

* Changed default rx sort to prescription_name

* Doh. spec test heading

* Prune applications that were processed > 1 month ago (#364)

* EVSS: Queue requests for decision (#407)

* EVSS: Queue requests for decision

* Spec fixes

* Finish refactor of common client part 2 (#411)

* adding secure messaging

* adding spec to improve test coverage issue

* stylistic improvements

* refactoring prescriptions

* rubocop style change

* removing old rx parser

* removing unused artifacts

* adding new prescriptions factory

* Allow Education Forms to be sent to a different facility (#400)

* Allow Education Forms to be sent to a different facility

* PR Feedback

* Swallow exception on MVI missing (#413)

* swallow exception on MVI missing

* remove cruft

* Add authorization to SM (#396)

* add authorization to SM

* revert cassettes

* revert cassettes

* fix specs without cassettes

* fix one more

* rubocop

* fix coverage

* Log validation errors in sentry (#404)

* send validation error to sentry

* test raven capture exception

* return the user (#418)

* EVSS: Remove intent to file (#414)

Wasn't being used by us, so remove it.

* re-enabling auth for rx (#417)

* re-enabling auth for rx

* fixing stupid

* DRY up MHV concerns

* add in the concerns

* bypass simplecov stupidness

* fixing issue from code review

* Instrument sidekiq (#410)

* Instrument sidekiq

* Add sidekiq stats job spec

* Cron format for stats job prevents duplicate runs

* Adds notes on usage to sidekiq scheduler

* EVSS: Add an old claim reaper (#419)

* EVSS: Add an old claim reaper

We don't have the ATO to store claims indefinitely, so we need to delete
old ones periodically.

* Update name and schedule

* Return empty vaprofile if mvi nil (#422)

* updating specs for nil va_profile

* va_profile return as null if mvi is down or record not found

* don't need profile in user.mvi nil spec

* rubocop

* Update mock mvi users (#354)

* Changes to reflect updated GeoServices VHA attributes (#425)

* finish daily report job (#392)

* add govdelivery server to app yml

* use govdelivery server in staging email method

* use govdelivery server in config helper

* fix server name

* add year to date report to scheduler

* perform doesnt require argument

* fix statds for spring, add govdelivery server to figaro

* add govdelivery server to travis

* add va stakeholders

* lint

* rename report mailer

* rename constants

* Adding MHV accounts for some mock users (#427)

* flush specific redis namespaces via rake (#421)

* flush specific redis namespaces via rake

* minor fix

* allow rake task to invoke environment for models

* Application Controller: Send exception to Sentry/Raven (#424)

* EVSS: Add a new field/serializer for the list view (#423)

* EVSS: Add a new field/serializer for the list view

* Add some tests

* Add NotImplementedError

* Upload nil tracked item (#429)

* Increase timeout for EVSS

* Remove breakers for testing EVSS

* Add some nocov to get up to coverage while breakers are disabled

* Omit tracked item id if not present

* Set document filename to sanitized name

* Clear workers before each spec

* Thread pagination (#431)

* Removed pagination from threads

* new schema for thread

* added optional draft id in creates (#432)

* added optional draft id in creates

* Added draft id to sm documentation

* Allow a blank gender in User model validation (#428)

* allow a blank gender in User model validation

* ask alastair if this is preferable

* gender is more likely to be nil than blank.  added specific test for it

* per alastairs recommendation, put this check back in

* Fix folder create (#441)

* Update VA stakeholders list (#433)

* update va stakeholders

* lint

* handle routing errors with JSONAPI (#426)

* handle routing errors with JSONAPI

* routing errors fix

* commented out action_missing method, added stylistic improvements

* EVSS: Add receivedFromOthersList to events timeline (#436)

Fixes https://github.com/department-of-veterans-affairs/sunsets-team/issues/183

* update va_profile, return null for mvi down, 'not found' for no record (#438)

* added mvi status to user va_profile

* EVSS: Return sync status in json meta (#439)

fixes https://github.com/department-of-veterans-affairs/sunsets-team/issues/193

* EVSS: Add other documents to events timeline (#444)

* EVSS: Add other documents to events timeline

Refs https://github.com/department-of-veterans-affairs/sunsets-team/issues/197

* Add date to objects

* Clearer spec

* Add SLO Logout (#443)

* start putting together SLO

* remove junk, add junk, fix signing

* finalize SLO

* set the logout relay

* less dopiness

* delete the user too

* do not delete the user

* implement suggestions from Bill

* change the action name

* Use EVSS ID for disability claims lookup (#446)

* Use EVSS ID for disability claims lookup

* Add comment on ID aliasing

* MHV Activity Logging Client (#442)

* initial commit of mhv activity client

* implementing the client for mhv audit logging

* adding the breakers service to breakers initializer

* dryed up the common issues and addressed comments from code review

* remove unnecessary comma

* change spool filenames (#445)

* EVSS: Set a flag when a user requests a decision (#449)

* EVSS: Set a flag when a user requests a decision

Solves an issue where the job might not be processed for a while

* Rubocop

* simplify spec

* Sidekiq stats job on critical queue (#435)

* Make mvi processing code env var i451 (#453)

* added mvi service handling for 200 from vaafi but 500 from mvi (#454)

* stop using a singleton for SAML::SettingsService (#447)

* stop using a singleton for SAML::SettingsService

* do the whole SSL thing

* fix spec

* MHV Login/Logout facility Integration (#452)

* adding the logout logging facility for mhv as an integration, specs to follow

* remove unused redis_store change

* only do it mhv_correlation_id exists

* allow specs to pass but still need to add specs to test service

* get test coverage to 100%

* addressing comments from @ayal

* oops

* fixing linter issues

* Enable breakers for EVSS services (#457)

* Pv facloc pagination (#437)

* Error logging on GIS errors
* Pagination functional.
* Sorting by distance from bbox center

* use breakers for MVI (#448)

.rubocop.yml

@@ -78,3 +78,4 @@ Style/AccessorMethodName:
   Exclude:
     - 'lib/rx/**/*'
     - 'lib/sm/**/*'
+    - 'lib/mhv_logging/**/*'

.travis.yml

@@ -11,6 +11,7 @@ before_script:
 - export SAML_CERTIFICATE_FILE="spec/support/certificates/ruby-saml.crt"
 - export SAML_KEY_FILE="spec/support/certificates/ruby-saml.key"
 - export SAML_RELAY="http://localhost:3001/auth/login/callback"
+- export SAML_LOGOUT_RELAY="http://localhost:3001/logout"
 - export REDIS_HOST="localhost"
 - export REDIS_PORT="6379"
 - export MHV_HOST='https://mock-prescriptions-api.herokuapp.com'
@@ -25,11 +26,13 @@ before_script:
   "Doe","edipi": "1105051936","participant_id": "123456789"}'''
 - export MVI_CLIENT_CERT_PATH='/fake/client/cert/path'
 - export MVI_CLIENT_KEY_PATH='/fake/client/key/path'
+- export MVI_PROCESSING_CODE='T'
 - export EVSS_S3_UPLOADS=false
 - export VHA_MAPSERVER_URL='https://services3.arcgis.com/aqgBd3l68G8hEFFE/ArcGIS/rest/services/VHA_Facilities/FeatureServer/0'
 - export NCA_MAPSERVER_URL='https://services3.arcgis.com/aqgBd3l68G8hEFFE/ArcGIS/rest/services/NCA_Facilities/FeatureServer/0'
 - export VBA_MAPSERVER_URL='https://services3.arcgis.com/aqgBd3l68G8hEFFE/ArcGIS/rest/services/VBA_Facilities/FeatureServer/0'
 - export MOCK_MVI_SERVICE=false
+- export GOV_DELIVERY_SERVER='stage-tms.govdelivery.com'
 script:
 - bundle exec rake db:create db:schema:load ci
 bundler_args: "--without development"

Gemfile

@@ -29,6 +29,7 @@ gem 'savon', '~> 2.0'
 gem 'sidekiq'
 gem 'sidekiq-unique-jobs'
 gem 'sidekiq-scheduler', '~> 2.0'
+gem 'sidekiq-instrument'
 gem 'multi_json'
 gem 'carrierwave-aws'
 gem 'carrierwave', '~> 0.11'

Gemfile.lock

@@ -325,6 +325,9 @@ GEM
       connection_pool (~> 2.2, >= 2.2.0)
       rack-protection (>= 1.5.0)
       redis (~> 3.2, >= 3.2.1)
+    sidekiq-instrument (0.2.1)
+      sidekiq (~> 4.0)
+      statsd-instrument (~> 2.0, >= 2.0.4)
     sidekiq-scheduler (2.0.19)
       hashie (~> 3.4)
       redis (~> 3)
@@ -434,6 +437,7 @@ DEPENDENCIES
   sdoc (~> 0.4.0)
   sentry-raven
   sidekiq
+  sidekiq-instrument
   sidekiq-scheduler (~> 2.0)
   sidekiq-unique-jobs
   simplecov (~> 0.11)

app/controllers/application_controller.rb

@@ -9,12 +9,22 @@ class ApplicationController < ActionController::API
 
   before_action :authenticate
   before_action :set_app_info_headers
-  skip_before_action :authenticate, only: [:cors_preflight]
+  skip_before_action :authenticate, only: [:cors_preflight, :routing_error]
 
   def cors_preflight
     head(:ok)
   end
 
+  def routing_error
+    raise Common::Exceptions::RoutingError, params[:path]
+  end
+
+  # I'm commenting this out for now, we can put it back in if we encounter it
+  # def action_missing(m, *_args)
+  #   Rails.logger.error(m)
+  #   raise Common::Exceptions::RoutingError
+  # end
+
   private
 
   rescue_from 'Exception' do |exception|
@@ -42,6 +52,7 @@ def cors_preflight
   end
 
   def log_error(exception)
+    Raven.capture_exception(exception) if ENV['SENTRY_DSN'].present?
     Rails.logger.error "#{exception.message}."
     Rails.logger.error exception.backtrace.join("\n") unless exception.backtrace.nil?
   end
@@ -75,7 +86,7 @@ def render_unauthorized
   end
 
   def saml_settings
-    settings = SAML::SettingsService.instance.saml_settings
+    settings = SAML::SettingsService.new.saml_settings
     # TODO: 'level' should be its own class with proper validation
     level = LOA::MAPPING.invert[params[:level]&.to_i]
     settings.authn_context = level || LOA::MAPPING.invert[1]

app/controllers/concerns/mhv_controller_concerns.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+module MHVControllerConcerns
+  extend ActiveSupport::Concern
+
+  included do
+    before_action :authorize
+    before_action :authenticate_client
+  end
+
+  def authorize
+    current_user&.can_access_mhv? || raise_access_denied
+  end
+
+  def authenticate_client
+    MHVLoggingService.login(current_user)
+    client.authenticate if client.session.expired?
+  end
+end

app/controllers/rx_controller.rb

@@ -3,33 +3,15 @@
 
 class RxController < ApplicationController
   include ActionController::Serialization
-
-  # Temporarily disabling authenticate from ApplicationController
-  skip_before_action :authenticate
-  # before_action :authorize_rx
-  before_action :authenticate_client
+  include MHVControllerConcerns
 
   protected
 
   def client
-    @client ||= Rx::Client.new(session: { user_id: mhv_correlation_id })
+    @client ||= Rx::Client.new(session: { user_id: current_user.mhv_correlation_id })
   end
 
-  # def authorize_rx
-  #   mhv_correlation_id || raise_access_denied
-  # end
-
-  def mhv_correlation_id
-    # Temporarily disabling token based auth and MVI based integration of fetching mhv id
-    # current_user.mhv_correlation_id
-    ENV['MHV_USER_ID']
-  end
-
-  # def raise_access_denied
-  #   raise Common::Exceptions::Forbidden, detail: 'You do not have access to prescriptions'
-  # end
-
-  def authenticate_client
-    client.authenticate if client.session.expired?
+  def raise_access_denied
+    raise Common::Exceptions::Forbidden, detail: 'You do not have access to prescriptions'
   end
 end

app/controllers/sm_controller.rb

@@ -3,17 +3,15 @@
 
 class SMController < ApplicationController
   include ActionController::Serialization
-
-  skip_before_action :authenticate
-  before_action :authenticate_client
+  include MHVControllerConcerns
 
   protected
 
   def client
-    @client ||= SM::Client.new(session: { user_id: ENV['MHV_SM_USER_ID'] })
+    @client ||= SM::Client.new(session: { user_id: current_user.mhv_correlation_id })
   end
 
-  def authenticate_client
-    client.authenticate if client.session.expired?
+  def raise_access_denied
+    raise Common::Exceptions::Forbidden, detail: 'You do not have access to messaging'
   end
 end

app/controllers/v0/disability_claims_controller.rb

@@ -2,21 +2,26 @@
 module V0
   class DisabilityClaimsController < DisabilityClaimsBaseController
     def index
-      render json: claim_service.all,
+      claims, synchronized = claim_service.all
+      render json: claims,
              serializer: ActiveModel::Serializer::CollectionSerializer,
-             each_serializer: DisabilityClaimBaseSerializer
+             each_serializer: DisabilityClaimListSerializer,
+             meta: { successful_sync: synchronized }
     end
 
     def show
-      claim = DisabilityClaim.for_user(current_user).find(params[:id])
-      claim = claim_service.update_from_remote(claim)
-      render json: claim, serializer: DisabilityClaimDetailSerializer
+      claim = DisabilityClaim.for_user(current_user).find_by(evss_id: params[:id])
+      claim, synchronized = claim_service.update_from_remote(claim)
+      render json: claim, serializer: DisabilityClaimDetailSerializer,
+             meta: { successful_sync: synchronized }
     end
 
     def request_decision
-      claim = DisabilityClaim.for_user(current_user).find(params[:id])
-      claim_service.request_decision(claim)
-      head :no_content
+      claim = DisabilityClaim.for_user(current_user).find_by(evss_id: params[:id])
+      jid = claim_service.request_decision(claim)
+      claim.requested_decision = true
+      claim.save
+      render_job_id(jid)
     end
   end
 end

app/controllers/v0/documents_controller.rb

@@ -3,7 +3,7 @@ module V0
   class DocumentsController < DisabilityClaimsBaseController
     def create
       params.require :file
-      claim = DisabilityClaim.for_user(current_user).find(params[:disability_claim_id])
+      claim = DisabilityClaim.for_user(current_user).find_by(evss_id: params[:disability_claim_id])
       document_data = DisabilityClaimDocument.new(
         evss_claim_id: claim.evss_id,
         file_name: params[:file].original_filename,

app/controllers/v0/education_benefits_claims_controller.rb

@@ -7,7 +7,12 @@ def create
       education_benefits_claim = EducationBenefitsClaim.new(education_benefits_claim_params)
 
       unless education_benefits_claim.save
-        logger.error(education_benefits_claim.errors.full_messages.join(', '))
+        validation_error = education_benefits_claim.errors.full_messages.join(', ')
+
+        Raven.tags_context(validation: 'education_benefits_claim')
+        Raven.capture_exception(validation_error)
+
+        logger.error(validation_error)
         raise Common::Exceptions::ValidationErrors, education_benefits_claim
       end
 

app/controllers/v0/facilities/va_controller.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+require 'common/models/collection'
 
 class V0::Facilities::VaController < FacilitiesController
   before_action :validate_params, only: [:index]
@@ -9,9 +10,12 @@ class V0::Facilities::VaController < FacilitiesController
   # @param services - Optional specialty services filter
   def index
     results = VAFacility.query(bbox: params[:bbox], type: params[:type], services: params[:services])
-    render json: results,
+    resource = Common::Collection.new(::VAFacility, data: results)
+    resource = resource.paginate(pagination_params)
+    render json: resource.data,
            serializer: CollectionSerializer,
-           each_serializer: VAFacilitySerializer
+           each_serializer: VAFacilitySerializer,
+           meta: resource.metadata
   end
 
   def show

app/controllers/v0/messages_controller.rb

@@ -32,6 +32,7 @@ def create
       message = Message.new(message_params.merge(upload_params))
       raise Common::Exceptions::ValidationErrors, message unless message.valid?
 
+      message_params[:id] = message_params.delete(:draft_id) if message_params[:draft_id].present?
       create_message_params = { message: message_params }.merge(upload_params)
 
       client_response = if message.uploads.present?
@@ -55,7 +56,6 @@ def thread
       message_id = params[:id].try(:to_i)
       resource = client.get_message_history(message_id)
       raise Common::Exceptions::RecordNotFound, message_id unless resource.present?
-      resource = resource.paginate(pagination_params)
 
       render json: resource.data,
              serializer: CollectionSerializer,
@@ -67,6 +67,7 @@ def reply
       message = Message.new(message_params.merge(upload_params)).as_reply
       raise Common::Exceptions::ValidationErrors, message unless message.valid?
 
+      message_params[:id] = message_params.delete(:draft_id) if message_params[:draft_id].present?
       create_message_params = { message: message_params }.merge(upload_params)
 
       if message.uploads.present?

app/controllers/v0/sessions_controller.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 module V0
   class SessionsController < ApplicationController
-    skip_before_action :authenticate, only: [:new, :saml_callback]
+    skip_before_action :authenticate, only: [:new, :saml_callback, :saml_logout_callback]
 
     def new
       saml_auth_request = OneLogin::RubySaml::Authrequest.new
@@ -13,8 +13,21 @@ def show
     end
 
     def destroy
-      @session.destroy
-      head :no_content
+      logout_request = OneLogin::RubySaml::Logoutrequest.new
+      logger.info "New SP SLO for userid '#{@session.uuid}'"
+
+      saml_settings.name_identifier_value = @session.uuid
+      saml_settings.security[:logout_requests_signed] = true
+      saml_settings.security[:embed_sign] = true
+
+      render json: { logout_via_get: logout_request.create(saml_settings, RelayState: @session.token) }, status: 202
+    end
+
+    def saml_logout_callback
+      if params[:SAMLResponse]
+        # We initiated an SLO and are receiving the bounce-back after the IDP performed it
+        handle_completed_slo
+      end
     end
 
     def saml_callback
@@ -84,7 +97,7 @@ def saml_user
 
     def create_saml_user
       user = User.new(user_attributes)
-      user = Decorators::MviUserDecorator.new(user).create unless user.loa1?
+      user = Decorators::MviUserDecorator.new(user).create unless user.loa1? || user.gender.nil?
       user
     end
 
@@ -93,5 +106,26 @@ def async_create_evss_account(user)
       auth_headers = EVSS::AuthHeaders.new(user).to_h
       EVSS::CreateUserAccountJob.perform_async(auth_headers)
     end
+
+    # :nocov:
+    def handle_completed_slo
+      logout_response = OneLogin::RubySaml::Logoutresponse.new(params[:SAMLResponse], saml_settings)
+
+      logger.info "LogoutResponse is: #{logout_response}"
+
+      if !logout_response.validate
+        logger.error 'The SAML Logout Response is invalid'
+        redirect_to SAML_CONFIG['logout_relay'] + '?success=false'
+      elsif logout_response.success?
+        MHVLoggingService.logout(current_user)
+        delete_session(params[:RelayState])
+        redirect_to SAML_CONFIG['logout_relay'] + '?success=true'
+      end
+    end
+
+    def delete_session(token)
+      Session.find(token)&.destroy
+    end
+    # :nocov:
   end
 end