From 4e89140f19fdf95b9e12ce282de2527a05094abb Mon Sep 17 00:00:00 2001
From: Douglas Price
Date: Fri, 23 Feb 2024 15:35:26 -0500
Subject: [PATCH 1/2] LG-12265: Stop reading from sp_session[:piv_cac_requested]
In a previous commit the `resolved_authn_context_result` was introduced to return a `Vot::Parser::Result` object that described the requirements for the current SP request considering SP default options. This is intended to be used to replace the keys in the `sp_session` that serve this purpose including the `piv_cac_requested` key. This commit replaces places where the `sp_session[:piv_cac_requested]` value is read with new reads to the `resolved_authn_context_result`. [skip changelog]
---
 app/controllers/application_controller.rb | 2 +-
 app/controllers/users/piv_cac_login_controller.rb | 2 +-
 app/services/vot/legacy_component_values.rb | 2 +-
 .../users/two_factor_authentication_controller_spec.rb | 8 +++++++-
 4 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 66bb1f601d1..d15585666e7 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -405,7 +405,7 @@ def service_provider_mfa_policy
 service_provider: sp_from_sp_session,
 auth_methods_session:,
 aal_level_requested: sp_session[:aal_level_requested],
- piv_cac_requested: sp_session[:piv_cac_requested],
+ piv_cac_requested: resolved_authn_context_result.hspd12?,
 phishing_resistant_requested: resolved_authn_context_result.phishing_resistant?,
 )
 end
diff --git a/app/controllers/users/piv_cac_login_controller.rb b/app/controllers/users/piv_cac_login_controller.rb
index 7f627d58b9c..9e9b542ef16 100644
--- a/app/controllers/users/piv_cac_login_controller.rb
+++ b/app/controllers/users/piv_cac_login_controller.rb
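Review bot: After this change ServiceProviderMfaPolicy takes `piv_cac_requested` from `resolved_authn_context_result` while `aal_level_requested` on the line above is still read from `sp_session`, so one MFA policy object is now built from two sources of truth for the same SP request. The commit description says the resolved result already applies SP default options; if `sp_session[:aal_level_requested]` does not, the two inputs could disagree for a given request and the policy would enforce a mix of the two views. If migrating `aal_level_requested` is out of scope for this commit, a comment above it such as `# TODO: still read from sp_session; move to resolved_authn_context_result like piv_cac_requested` would keep the remaining legacy read visible. service_provider_mfa_policy's signature and the start of its body are outside the hunk.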
@@ -58,7 +58,7 @@ def piv_cac_login_form
 @piv_cac_login_form ||= UserPivCacLoginForm.new(
 token: params[:token],
 nonce: piv_cac_nonce,
- piv_cac_required: sp_session[:piv_cac_requested],
+ piv_cac_required: resolved_authn_context_result.hspd12?,
 )
 end
diff --git a/app/services/vot/legacy_component_values.rb b/app/services/vot/legacy_component_values.rb
index 785c70a7bf3..d21b47ccc78 100644
--- a/app/services/vot/legacy_component_values.rb
+++ b/app/services/vot/legacy_component_values.rb
@@ -53,7 +53,7 @@ module LegacyComponentValues
 )
 AAL2_PHISHING_RESISTANT = ComponentValue.new(
 name: Saml::Idp::Constants::AAL2_PHISHING_RESISTANT_AUTHN_CONTEXT_CLASSREF,
- description: 'Legacy AAL2 with phishing resitance',
+ description: 'Legacy AAL2 with phishing resistance',
 implied_component_values: [],
 requirements: [:aal2, :phishing_resistant],
 )
diff --git a/spec/controllers/users/two_factor_authentication_controller_spec.rb b/spec/controllers/users/two_factor_authentication_controller_spec.rb
index 20129412a2f..8d6690d8a31 100644
--- a/spec/controllers/users/two_factor_authentication_controller_spec.rb
+++ b/spec/controllers/users/two_factor_authentication_controller_spec.rb
@@ -259,9 +259,15 @@ def index
 end
 context 'when SP requires PIV/CAC' do
+ let(:service_provider) { create(:service_provider) }
+
 before do
 stub_sign_in(user)
- controller.session[:sp] = { phishing_resistant_requeste: true, piv_cac_requested: true }
+ controller.session[:sp] = {
+ phishing_resistant_requeste: true,
+ issuer: service_provider.issuer,
+ acr_values: Saml::Idp::Constants::AAL2_HSPD12_AUTHN_CONTEXT_CLASSREF,
+ }
 end
 it 'redirects to MFA setup if no PIV/CAC is enabled' do
From 35df66c252936bd1ff487923f7b897640fb7bb55 Mon Sep 17 00:00:00 2001
From: Douglas Price
Date: Fri, 23 Feb 2024 16:05:24 -0500
Subject: [PATCH 2/2] Remove misspelled and unnecessary property in sp_session
---
 .../users/two_factor_authentication_controller_spec.rb | 1 -
 1 file changed, 1 deletion(-)
diff --git a/spec/controllers/users/two_factor_authentication_controller_spec.rb b/spec/controllers/users/two_factor_authentication_controller_spec.rb
index 8d6690d8a31..4468862f24a 100644
--- a/spec/controllers/users/two_factor_authentication_controller_spec.rb
+++ b/spec/controllers/users/two_factor_authentication_controller_spec.rb
@@ -264,7 +264,6 @@ def index
 before do
 stub_sign_in(user)
 controller.session[:sp] = {
- phishing_resistant_requeste: true,
 issuer: service_provider.issuer,
 acr_values: Saml::Idp::Constants::AAL2_HSPD12_AUTHN_CONTEXT_CLASSREF,
 }