18F
diff --git a/‎.gitlab-ci.yml‎
Lines changed: 3 additions & 3 deletions b/‎.gitlab-ci.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎Gemfile.lock‎
Lines changed: 5 additions & 5 deletions b/‎Gemfile.lock‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎app/controllers/identify_controller.rb‎
Lines changed: 1 addition & 0 deletions b/‎app/controllers/identify_controller.rb‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎app/models/certificate.rb‎
Lines changed: 4 additions & 0 deletions b/‎app/models/certificate.rb‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎app/policies/certificate_policies.rb‎
Lines changed: 6 additions & 3 deletions b/‎app/policies/certificate_policies.rb‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎config/application.yml.default‎
Lines changed: 1 addition & 1 deletion b/‎config/application.yml.default‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎config/cert_bundles/ficam_bundle.pem‎
Lines changed: 0 additions & 316 deletions b/‎config/cert_bundles/ficam_bundle.pem‎
Lines changed: 0 additions & 316 deletions
diff --git a/‎config/cert_bundles/login_bundle.pem‎
Lines changed: 112 additions & 182 deletions b/‎config/cert_bundles/login_bundle.pem‎
Lines changed: 112 additions & 182 deletions
diff --git a/‎config/certs/C=US, O=ORC PKI, CN=WidePoint ORC SSP 5.pem‎
Lines changed: 23 additions & 23 deletions b/‎config/certs/C=US, O=ORC PKI, CN=WidePoint ORC SSP 5.pem‎
Lines changed: 23 additions & 23 deletions
diff --git a/‎config/certs/C=US, O=U.S. Government, OU=Department of State, OU=PIV, OU=Certification Authorities, OU=U.S. Department of State PIV CA2 1785775405.pem‎
Lines changed: 0 additions & 50 deletions b/‎config/certs/C=US, O=U.S. Government, OU=Department of State, OU=PIV, OU=Certification Authorities, OU=U.S. Department of State PIV CA2 1785775405.pem‎
Lines changed: 0 additions & 50 deletions
@@ -73,7 +73,7 @@ specs:
     POSTGRES_HOST_AUTH_METHOD: trust
     RAILS_ENV: test
   services:
-    - name: postgres:13.9
+    - name: postgres:16.4
       alias: db-postgres
       command: ['--fsync=false', '--synchronous_commit=false', '--full_page_writes=false']
     - name: redis:7.0
@@ -113,7 +113,7 @@ check_certificate_bundle:
     POSTGRES_HOST_AUTH_METHOD: trust
     RAILS_ENV: test
   services:
-    - name: postgres:13.9
+    - name: postgres:16.4
       alias: db-postgres
       command: ['--fsync=false', '--synchronous_commit=false', '--full_page_writes=false']
   script:
@@ -133,7 +133,7 @@ check_expiring_certificates:
     POSTGRES_HOST_AUTH_METHOD: trust
     RAILS_ENV: test
   services:
-    - name: postgres:13.9
+    - name: postgres:16.4
       alias: db-postgres
       command: ['--fsync=false', '--synchronous_commit=false', '--full_page_writes=false']
   script:
 
@@ -173,7 +173,7 @@ GEM
       activesupport (>= 4)
       railties (>= 4)
       request_store (~> 1.0)
-    loofah (2.22.0)
+    loofah (2.23.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     mail (2.8.1)
@@ -185,7 +185,7 @@ GEM
     method_source (1.1.0)
     mini_cache (1.1.0)
     mini_mime (1.1.5)
-    mini_portile2 (2.8.7)
+    mini_portile2 (2.8.8)
     minitest (5.25.1)
     msgpack (1.7.3)
     mutex_m (0.2.0)
@@ -200,7 +200,7 @@ GEM
       net-protocol
     newrelic_rpm (8.16.0)
     nio4r (2.7.3)
-    nokogiri (1.16.7)
+    nokogiri (1.16.8)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
     pairing_heap (3.1.0)
@@ -253,9 +253,9 @@ GEM
       activesupport (>= 5.0.0)
       minitest
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.0)
+    rails-html-sanitizer (1.6.1)
       loofah (~> 2.21)
-      nokogiri (~> 1.14)
+      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
     railties (7.1.4.1)
       actionpack (= 7.1.4.1)
       activesupport (= 7.1.4.1)
 
@@ -113,6 +113,7 @@ def log_certificate(cert)
       certificate_chain_signing_key_ids: cert.x509_certificate_chain_key_ids,
       issuer: cert.issuer.to_s,
       valid_policies: cert.valid_policies?,
+      mapped_policy_oids: cert.mapped_policies.map { |oid| [oid, true] }.to_h,
       valid: valid,
       error: !valid ? validation_result : nil,
       openssl_valid: login_certs_openssl_result[:valid],
 
@@ -24,6 +24,10 @@ def revoked?
     Certificate.revocation_status?(self) { OcspService.new(self).call.revoked? }
   end
 
+  def mapped_policies
+    @cert_policies.mapped_policies
+  end
+
   def self.revocation_status?(certificate, &block)
     @revocation_cache ||= MiniCache::Store.new
     key = [certificate.issuer, certificate.subject, certificate.serial].map(&:to_s).inspect
 
@@ -31,10 +31,13 @@ def allowed_by_policy?
   end
 
   def matched_policy_oids
-    mapping = PolicyMappingService.new(@certificate).call
     expected_policies = required_policies
-    cert_policies = policies.map { |policy| mapping[policy] }
-    (cert_policies & expected_policies)
+    (mapped_policies & expected_policies)
+  end
+
+  def mapped_policies
+    mapping = PolicyMappingService.new(@certificate).call
+    policies.map { |policy| mapping[policy] }
   end
 
   def policies
 
@@ -9,7 +9,7 @@ aws_http_timeout: '5'
 http_read_timeout: '5'
 http_open_timeout: '5'
 
-ca_issuer_host_allow_list: 'aia.certipath.com,repo.fpki.gov,crl.disa.mil,http.fpki.gov,ssp-aia.symauth.com,pki.treasury.gov,rootweb.managed.entrust.com,aia1.ssp-strong-id.net,pki.treas.gov,crls.pki.state.gov,sspweb.managed.entrust.com,nfirootweb.managed.entrust.com,ssp-aia.digicert.com,www.fis.evincible.com,crl-server.orc.com'
+ca_issuer_host_allow_list: 'aia.certipath.com,repo.fpki.gov,crl.disa.mil,http.fpki.gov,ssp-aia.symauth.com,pki.treasury.gov,rootweb.managed.entrust.com,aia1.ssp-strong-id.net,pki.treas.gov,crls.pki.state.gov,sspweb.managed.entrust.com,nfirootweb.managed.entrust.com,ssp-aia.digicert.com,www.fis.evincible.com,crl-server.orc.com,ipki.uspto.gov'
 ficam_certificate_bundle_file: 'config/cert_bundles/ficam_bundle.pem'
 login_certificate_bundle_file: 'config/cert_bundles/login_bundle.pem'
 client_cert_logger_s3_bucket_name: ''
 
@@ -1,37 +1,37 @@
 Subject: /C=US/O=ORC PKI/CN=WidePoint ORC SSP 5
 Issuer: /C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA G2
 -----BEGIN CERTIFICATE-----
-MIIF/jCCA+agAwIBAgIUIQs/F9t1DmFusl8/C0kz5amMRJswDQYJKoZIhvcNAQEM
+MIIGHDCCBASgAwIBAgIUIRnLUBTIBJvNs9kBwQUYKv2vnggwDQYJKoZIhvcNAQEM
 BQAwXDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDENMAsG
 A1UECxMERlBLSTEkMCIGA1UEAxMbRmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcy
-MB4XDTIwMTExOTE0MTYwMFoXDTMwMTEwNTE0MTYwMFowPTELMAkGA1UEBhMCVVMx
+MB4XDTI0MDIwMTE1NDE1MFoXDTMwMTEwNTE0MTYwMFowPTELMAkGA1UEBhMCVVMx
 EDAOBgNVBAoMB09SQyBQS0kxHDAaBgNVBAMME1dpZGVQb2ludCBPUkMgU1NQIDUw
 ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCVxl6v6mG30QXESgG+8sKl
 qoWrn8WGnmGGd9JJBXxmf00h5/NTaPbh4kwxikD3DSoJV3r0U5dzRYlH2/SDA2mC
 BRjRz8I8VE6LWJilvIl2gzm9CASUmeK5M/gp4zMPbOB19jzHj3CuRI3YKPgczCFu
 DPznovY3xLUIsUlVYyciLiVR1GbtpgihvrLUl47+teSWn9rF7OJe8DI9TTqA1HEK
 JbYY3ng1Y3aA/+7aGloNYHyJZhsAijTxuABPktwhVOp+J0pc8PSnTUA3dJe5cPex
 DUsw5pWp9mT9fluQ9hfoSYeKLTQhlJpn2ZumbCkCNE38ny6ZxwWjy5U+4MwPzyJd
-AgMBAAGjggHVMIIB0TAdBgNVHQ4EFgQUI7hOsU5tJESLRGenZc+hOzmUZtwwHwYD
+AgMBAAGjggHzMIIB7zAdBgNVHQ4EFgQUI7hOsU5tJESLRGenZc+hOzmUZtwwHwYD
 VR0jBBgwFoAU9CdcqcN8R/T6pqewWZeq3TUmF+MwDgYDVR0PAQH/BAQDAgEGMA8G
-A1UdEwEB/wQFMAMBAf8wawYDVR0gBGQwYjAMBgpghkgBZQMCAQMGMAwGCmCGSAFl
-AwIBAwcwDAYKYIZIAWUDAgEDCDAMBgpghkgBZQMCAQMkMAwGCmCGSAFlAwIBAw0w
-DAYKYIZIAWUDAgEDETAMBgpghkgBZQMCAQMnMFIGCCsGAQUFBwELBEYwRDBCBggr
-BgEFBQcwBYY2aHR0cDovL2NybC1zZXJ2ZXIub3JjLmNvbS9jYUNlcnRzL1dpZGVQ
-b2ludE9SQ1NTUDUucDdjMBIGA1UdJAEB/wQIMAaAAQCBAQAwDQYDVR02AQH/BAMC
-AQAwUQYIKwYBBQUHAQEERTBDMEEGCCsGAQUFBzAChjVodHRwOi8vcmVwby5mcGtp
-Lmdvdi9mY3BjYS9jYUNlcnRzSXNzdWVkVG9mY3BjYWcyLnA3YzA3BgNVHR8EMDAu
-MCygKqAohiZodHRwOi8vcmVwby5mcGtpLmdvdi9mY3BjYS9mY3BjYWcyLmNybDAN
-BgkqhkiG9w0BAQwFAAOCAgEAo8X9GhqzuIWWEIERj2U3cJF2dx7RWYW1+w+Ypxjh
-Xbnbu4Vd9qE1/an6w8h0z//UZohrtsI3BTXibfldG9DKvG0xIiiXvZOOXzX09phg
-BGEtP4uPXSjBlN43jsF65/K21NH5NHh2so1FpBIxwsvfLiQtN91opi9iq4X+qC4+
-g/nTFaEvlM2Ip6xImBsG7kB5hsSigrmBapI4ncdWMpCd/HMbI0v/EH6vvib0blEs
-nzd5sZ6KcwaVZe0xjHZCS4pbqKeMDiyemujDHQNcnYGHJIlxAzRbCzx8sNwpb75d
-EeeiwxCjd/NXjlBeDW4YA+2K9VuzZNy39jKCETGt0rpKPYkuNptw8h2z4u4bk4QV
-gvjlrg/drnCXmFEBsWfFqFndJKTK4mgimMqZEMDOtRGd3mG2lHWpT4ILBEQ24n5f
-4QKSro/hNv4epQc/3Rg23E3S5r3izRElaTE/ABa6dyZyjdBVpCwcGni2qzhelILa
-mir2PwVdfrHRxbamBJfB1ZcVh7hnbF9oUtB2iKal87jFx/DuU0ZrH6izES6e0/yy
-lFmSL2IufXbRo/FPVJO1RSmQ6ZhO08O88ekmb39dqW6OrickuzxA0aHB8rhC3LKi
-lHqCzBK+yqQ17eTy6bBoHswADAgPfSbza8VYlqt7yHbJ1YTAH+fhWePjhyMHBpV7
-9QM=
+A1UdEwEB/wQFMAMBAf8wgYgGA1UdIASBgDB+MAwGCmCGSAFlAwIBAwYwDAYKYIZI
+AWUDAgEDBzAMBgpghkgBZQMCAQMIMAwGCmCGSAFlAwIBAyQwDAYKYIZIAWUDAgED
+DTAMBgpghkgBZQMCAQMRMAwGCmCGSAFlAwIBAycwDAYKYIZIAWUDAgEDKDAMBgpg
+hkgBZQMCAQMpMFIGCCsGAQUFBwELBEYwRDBCBggrBgEFBQcwBYY2aHR0cDovL2Ny
+bC1zZXJ2ZXIub3JjLmNvbS9jYUNlcnRzL1dpZGVQb2ludE9SQ1NTUDUucDdjMBIG
+A1UdJAEB/wQIMAaAAQCBAQAwDQYDVR02AQH/BAMCAQAwUQYIKwYBBQUHAQEERTBD
+MEEGCCsGAQUFBzAChjVodHRwOi8vcmVwby5mcGtpLmdvdi9mY3BjYS9jYUNlcnRz
+SXNzdWVkVG9mY3BjYWcyLnA3YzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vcmVw
+by5mcGtpLmdvdi9mY3BjYS9mY3BjYWcyLmNybDANBgkqhkiG9w0BAQwFAAOCAgEA
+FaQ5Ytr61l7+J1/D3fYxS6wQrIHxSCRGizud+gJysAB52KSthmnapH64Ly60cSOx
+wDdXrQkwINeh8mldWrit1/yj65lpWl0y/qBFFmleq5jazIg6n5cx/N/KTuECx0qE
+qqxm3URQkrQENFzItkUxzrBw3cBjXdp3CRg82aX0Dy7uUvDKrjmsSAendfc5YZQp
+oYKufaZH5UUOmwYqDq1RlWy1f624sUNkIGK4vJcyCCcvJtyM6rbQ+N45GIEyErQv
+e/MQ3/3kTAkVgqIxc/3GVlcRNRPnEr1iU1FVxf357dWeRNlgORda4CPBO9oBX3Xo
+gpRgUDgv/6jDiPRIp0BsApgDZ1mNGUMc+BjRkB6flrHAPFWUj6ZAN1Hr2Nrz1jIg
+8e4/G0i6War+VHZGhDY36S7wBZ8AKYT0WgfTlSE7tQGYnBUiIHJQ0nrCDaRp1fvM
+EtRQ70hPnhPua84qtydLku4td464iLZaJar4xXLC8z5rUI/hopou30vWaquGQwFp
+WbvehEL3fEXE87f2UHoJm94UE5Vorh8kXa6rTq1zj9Rafmjo5qkahgwvSYrmglA8
+qjQoOQIDjEP8+GHU7yh6pD2EMUpJa/GrPye8+iLn6JpqV1x53cJYAKaSoBRUS/2l
+GxCqnznYVkXi9XNQNuVSVIPQNspSBvA436FI5KkTcZ8=
 -----END CERTIFICATE-----