Merge remote-tracking branch 'origin' into feature/updated-es-error-h…

…andling

.github/workflows/build.yml

@@ -8,6 +8,18 @@ on:
 permissions:
   contents: read
 jobs:
+  compare_sha:
+    runs-on: ubuntu-latest
+    name: Compare sha
+    steps:
+      - name: Compare commit ids
+        run: |
+          echo "github.sha: ${{ github.sha }}"
+          echo "github.event.push.head_commit.id: ${{ github.event.push.head_commit.id }}"
+          echo "github.event.pull_request.merge_commit_sha: ${{ github.event.pull_request.merge_commit_sha }}"
+          echo "github.event.head_commit.id: ${{ github.event.head_commit.id }}"
+          echo "github.event.workflow_run.head_commit.id: ${{ github.event.workflow_run.head_commit.id }}"
+
   build_and_push:
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     name: Build and Push
@@ -39,7 +51,7 @@ jobs:
           file: ./postman/Dockerfile
           push: true
           tags: |
-            ${{ steps.login-ecr.outputs.registry }}/dsva/vets-api-postman:${{ github.sha }}
+            ${{ steps.login-ecr.outputs.registry }}/dsva/vets-api-postman:${{ github.event.workflow_run.head_commit.id }}
       - name: Build vets-api Docker Image
         uses: docker/build-push-action@v6
         env:
@@ -52,7 +64,7 @@ jobs:
           context: .
           push: true
           tags: |
-            ${{ steps.login-ecr.outputs.registry }}/${{ secrets.ECR_REPOSITORY }}:${{ github.sha }}
+            ${{ steps.login-ecr.outputs.registry }}/${{ secrets.ECR_REPOSITORY }}:${{ github.event.workflow_run.head_commit.id }}
           cache-from: type=registry,ref=$ECR_REGISTRY/$ECR_REPOSITORY
           cache-to: type=inline
   deploy:
@@ -63,7 +75,7 @@ jobs:
       ecr_repository: "vets-api"
       manifests_directory: "vets-api"
       auto_deploy_envs: "dev staging prod sandbox"
-      commit_sha: ${{ github.sha }}
+      commit_sha: ${{ github.event.workflow_run.head_commit.id }}
     secrets:
       aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
       aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

.github/workflows/code_checks.yml

@@ -8,6 +8,17 @@ permissions:
   contents: read
   checks: write
 jobs:
+  compare_sha:
+    runs-on: ubuntu-latest
+    name: Compare sha
+    steps:
+      - name: Compare commit ids
+        run: |
+          echo "github.sha: ${{ github.sha }}"
+          echo "github.event.push.head_commit.id: ${{ github.event.push.head_commit.id }}"
+          echo "github.event.pull_request.merge_commit_sha: ${{ github.event.pull_request.merge_commit_sha }}"
+          echo "github.event.head_commit.id: ${{ github.event.head_commit.id }}"
+
   linting_and_security:
     name: Linting and Security
     env:

.github/workflows/deploy-template.yml

@@ -12,7 +12,7 @@ on:
       auto_deploy_envs:
         required: true
         type: string
-      commit_sha:  # #${{ github.sha }}
+      commit_sha:  # #${{ github.event.workflow_run.head_commit.id }}
         required: true
         type: string
     secrets:

Gemfile.lock

@@ -272,8 +272,7 @@ GEM
     bcp47 (0.3.3)
       i18n
     benchmark (0.4.0)
-    bigdecimal (3.1.8)
-    bigdecimal (3.1.8-java)
+    bigdecimal (3.1.9)
     bindex (0.8.1)
     blind_index (2.6.1)
       activesupport (>= 7)
@@ -375,7 +374,7 @@ GEM
       libddwaf (~> 1.14.0.0.0)
       msgpack
     debase-ruby_core_source (3.3.1)
-    debug (1.9.2)
+    debug (1.10.0)
       irb (~> 1.10)
       reline (>= 0.3.8)
     declarative (0.0.20)
@@ -543,7 +542,7 @@ GEM
       ffi (~> 1)
       ffi-compiler (~> 1)
       rake (>= 13)
-    googleauth (1.12.0)
+    googleauth (1.12.2)
       faraday (>= 1.0, < 3.a)
       google-cloud-env (~> 2.2)
       google-logging-utils (~> 0.1)
@@ -604,15 +603,15 @@ GEM
       ruby-vips (>= 2.0.17, < 3)
     io-console (0.8.0)
     io-console (0.8.0-java)
-    irb (1.14.1)
+    irb (1.14.3)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
     iso_country_codes (0.7.8)
-    jar-dependencies (0.5.0)
+    jar-dependencies (0.5.1)
     jmespath (1.6.2)
     jruby-openssl (0.15.1-java)
-    json (2.9.0)
-    json (2.9.0-java)
+    json (2.9.1)
+    json (2.9.1-java)
     json-schema (5.1.0)
       addressable (~> 2.8)
     json_schema (0.21.0)
@@ -653,7 +652,7 @@ GEM
       ffi-compiler (~> 1.0)
       rake (~> 13.0)
     lockbox (2.0.0)
-    logger (1.6.2)
+    logger (1.6.4)
     loofah (2.23.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
@@ -705,11 +704,9 @@ GEM
     nio4r (2.7.4-java)
     nkf (0.2.0)
     nkf (0.2.0-java)
-    nokogiri (1.16.8)
+    nokogiri (1.17.2)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    nokogiri (1.16.8-java)
-      racc (~> 1.4)
     nori (2.7.1)
       bigdecimal
     notiffany (0.1.3)
@@ -766,8 +763,8 @@ GEM
       ruby-rc4
       ttfunk
     pg (1.5.9)
-    pg_query (5.1.0)
-      google-protobuf (>= 3.22.3)
+    pg_query (6.0.0)
+      google-protobuf (>= 3.25.3)
     pg_search (2.3.7)
       activerecord (>= 6.1)
       activesupport (>= 6.1)
@@ -793,10 +790,10 @@ GEM
       byebug (~> 11.0)
       pry (>= 0.13, < 0.15)
     pstore (0.1.3)
-    psych (5.2.1)
+    psych (5.2.2)
       date
       stringio
-    psych (5.2.1-java)
+    psych (5.2.2-java)
       date
       jar-dependencies (>= 0.1.7)
     public_suffix (6.0.1)
@@ -845,7 +842,7 @@ GEM
       activesupport (>= 5.0.0)
       minitest
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.1)
+    rails-html-sanitizer (1.6.2)
       loofah (~> 2.21)
       nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
     rails-session_cookie (0.3.0)
@@ -868,7 +865,7 @@ GEM
     rb-inotify (0.10.1)
       ffi (~> 1.0)
     rchardet (1.8.0)
-    rdoc (6.8.1)
+    rdoc (6.10.0)
       psych (>= 4.0.0)
     redis (5.3.0)
       redis-client (>= 0.22.0)
@@ -877,7 +874,7 @@ GEM
     redis-namespace (1.11.0)
       redis (>= 4)
     regexp_parser (2.9.3)
-    reline (0.5.12)
+    reline (0.6.0)
       io-console (~> 0.5)
     representable (3.2.0)
       declarative (< 0.1.0)
@@ -886,8 +883,8 @@ GEM
     request_store (1.7.0)
       rack (>= 1.4)
     require_all (3.0.0)
-    restforce (7.5.0)
-      faraday (>= 1.1.0, < 2.12.0)
+    restforce (8.0.0)
+      faraday (>= 1.1.0, < 3.0.0)
       faraday-follow_redirects (<= 0.3.0, < 1.0.0)
       faraday-multipart (>= 1.0.0, < 2.0.0)
       faraday-net_http (< 4.0.0)
@@ -923,7 +920,7 @@ GEM
     rspec-mocks (3.13.2)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-rails (7.0.1)
+    rspec-rails (7.1.0)
       actionpack (>= 7.0)
       activesupport (>= 7.0)
       railties (>= 7.0)
@@ -938,7 +935,7 @@ GEM
       rspec-expectations (~> 3.0)
       rspec-mocks (~> 3.0)
       sidekiq (>= 5, < 8)
-    rspec-support (3.13.1)
+    rspec-support (3.13.2)
     rspec_junit_formatter (0.6.0)
       rspec-core (>= 2, < 4, != 2.12.0)
     rswag-specs (2.16.0)
@@ -950,7 +947,7 @@ GEM
       actionpack (>= 5.2, < 8.1)
       railties (>= 5.2, < 8.1)
     rtesseract (3.1.3)
-    rubocop (1.69.1)
+    rubocop (1.69.2)
       json (~> 2.3)
       language_server-protocol (>= 3.17.0)
       parallel (~> 1.10)
@@ -960,7 +957,7 @@ GEM
       rubocop-ast (>= 1.36.2, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.36.2)
+    rubocop-ast (1.37.0)
       parser (>= 3.3.1.0)
     rubocop-capybara (2.21.0)
       rubocop (~> 1.41)
@@ -1006,7 +1003,7 @@ GEM
       addressable (>= 2.3.5)
       faraday (>= 0.17.3, < 3)
     script_utils (0.0.4)
-    securerandom (0.4.0)
+    securerandom (0.4.1)
     seedbank (0.5.0)
       rake (>= 10.0)
     semantic_logger (4.16.0)
@@ -1053,7 +1050,7 @@ GEM
     staccato (0.5.3)
     statsd-instrument (3.9.7)
     stringio (3.1.2)
-    strong_migrations (2.0.2)
+    strong_migrations (2.1.0)
       activerecord (>= 6.1)
     super_diff (0.14.0)
       attr_extras (>= 6.2.4)
@@ -1067,7 +1064,7 @@ GEM
     thread_safe (0.3.6-java)
     tilt (2.3.0)
     timecop (0.9.10)
-    timeout (0.4.2)
+    timeout (0.4.3)
     trailblazer-option (0.1.2)
     ttfunk (1.8.0)
       bigdecimal (~> 3.1)

README.md

@@ -1,5 +1,5 @@
 # Vets API
-This project provides common APIs for applications that live on VA.gov (formerly vets.gov APIs). 
+This project provides common APIs for applications that live on VA.gov (formerly vets.gov APIs).
 
 
 [![Yard Docs](http://img.shields.io/badge/yard-docs-blue.svg)](https://www.rubydoc.info/github/department-of-veterans-affairs/vets-api)

app/controllers/claims_base_controller.rb

@@ -41,7 +41,7 @@ def create
 
   def show
     submission = CentralMailSubmission.joins(:central_mail_claim).find_by(saved_claims: { guid: params[:id] })
-    render json: CentralMailSubmissionSerializer.new(submission)
+    render json: BenefitsIntakeSubmissionSerializer.new(submission)
   end
 
   private

app/controllers/concerns/exception_handling.rb

@@ -83,7 +83,7 @@ def report_mapped_exception(exception, va_exception)
     # Add additional user specific context to the logs
     if exception.is_a?(Common::Exceptions::BackendServiceException) && current_user.present?
       extra[:icn] = current_user.icn
-      extra[:mhv_correlation_id] = current_user.mhv_correlation_id
+      extra[:mhv_credential_uuid] = current_user.mhv_credential_uuid
     end
     va_exception_info = { va_exception_errors: va_exception.errors.map(&:to_hash) }
     log_exception_to_sentry(exception, extra.merge(va_exception_info))

app/controllers/v0/claim_documents_controller.rb

@@ -2,36 +2,46 @@
 
 require 'pension_burial/tag_sentry'
 require 'lgy/tag_sentry'
+require 'claim_documents/monitor'
+require 'lighthouse/benefits_intake/service'
+require 'pdf_utilities/datestamp_pdf'
 
 module V0
   class ClaimDocumentsController < ApplicationController
     service_tag 'claims-shared'
     skip_before_action(:authenticate)
+    before_action :load_user
 
     def create
-      Rails.logger.info "Creating PersistentAttachment FormID=#{form_id}"
+      uploads_monitor.track_document_upload_attempt(form_id, current_user)
 
-      attachment = klass.new(form_id:)
+      @attachment = klass&.new(form_id:)
       # add the file after so that we have a form_id and guid for the uploader to use
-      attachment.file = unlock_file(params['file'], params['password'])
+      @attachment.file = unlock_file(params['file'], params['password'])
 
-      raise Common::Exceptions::ValidationErrors, attachment unless attachment.valid?
+      if %w[21P-527EZ 21P-530 21P-530V2].include?(form_id) &&
+         Flipper.enabled?(:document_upload_validation_enabled) && !stamped_pdf_valid?
 
-      attachment.save
+        raise Common::Exceptions::ValidationErrors, @attachment
+      end
+
+      raise Common::Exceptions::ValidationErrors, @attachment unless @attachment.valid?
 
-      Rails.logger.info "Success creating PersistentAttachment FormID=#{form_id} AttachmentID=#{attachment.id}"
+      @attachment.save
 
-      render json: PersistentAttachmentSerializer.new(attachment)
+      uploads_monitor.track_document_upload_success(form_id, @attachment.id, current_user)
+
+      render json: PersistentAttachmentSerializer.new(@attachment)
     rescue => e
-      Rails.logger.error "Error creating PersistentAttachment FormID=#{form_id} AttachmentID=#{attachment.id} #{e}"
+      uploads_monitor.track_document_upload_failed(form_id, @attachment&.id, current_user, e)
       raise e
     end
 
     private
 
     def klass
       case form_id
-      when '21P-527EZ', '21P-530EZ'
+      when '21P-527EZ', '21P-530EZ', '21P-530V2'
         PensionBurial::TagSentry.tag_sentry
         PersistentAttachments::PensionBurial
       when '21-686C', '686C-674'
@@ -47,7 +57,7 @@ def form_id
     end
 
     def unlock_file(file, file_password)
-      return file unless File.extname(file) == '.pdf' && file_password
+      return file unless File.extname(file) == '.pdf' && file_password.present?
 
       pdftk = PdfForms.new(Settings.binaries.pdftk)
       tmpf = Tempfile.new(['decrypted_form_attachment', '.pdf'])
@@ -69,5 +79,41 @@ def unlock_file(file, file_password)
       file.tempfile = tmpf
       file
     end
+
+    # rubocop:disable Metrics/MethodLength
+    def stamped_pdf_valid?
+      extension = File.extname(@attachment&.file&.id)
+      allowed_types = PersistentAttachment::ALLOWED_DOCUMENT_TYPES
+
+      if allowed_types.exclude?(extension)
+        raise Common::Exceptions::UnprocessableEntity.new(
+          detail: I18n.t('errors.messages.extension_allowlist_error', extension:, allowed_types:),
+          source: 'PersistentAttachment.stamped_pdf_valid?'
+        )
+      elsif @attachment&.file&.size&.< PersistentAttachment::MINIMUM_FILE_SIZE
+        raise Common::Exceptions::UnprocessableEntity.new(
+          detail: 'File size must not be less than 1.0 KB',
+          source: 'PersistentAttachment.stamped_pdf_valid?'
+        )
+      end
+
+      document = PDFUtilities::DatestampPdf.new(@attachment.to_pdf).run(text: 'VA.GOV', x: 5, y: 5)
+      intake_service.valid_document?(document:)
+    rescue BenefitsIntake::Service::InvalidDocumentError => e
+      @attachment.errors.add(:attachment, e.message)
+      false
+    rescue PdfForms::PdftkError
+      @attachment.errors.add(:attachment, 'File is corrupt and cannot be uploaded')
+      false
+    end
+    # rubocop:enable Metrics/MethodLength
+
+    def intake_service
+      @intake_service ||= BenefitsIntake::Service.new
+    end
+
+    def uploads_monitor
+      @uploads_monitor ||= ClaimDocuments::Monitor.new
+    end
   end
 end