diff --git a/app/controllers/users/piv_cac_authentication_setup_controller.rb b/app/controllers/users/piv_cac_authentication_setup_controller.rb index b0c62e0bba5..d6c30f2106d 100644 --- a/app/controllers/users/piv_cac_authentication_setup_controller.rb +++ b/app/controllers/users/piv_cac_authentication_setup_controller.rb @@ -9,7 +9,6 @@ class PivCacAuthenticationSetupController < ApplicationController before_action :authenticate_user! before_action :confirm_user_authenticated_for_2fa_setup - before_action :authorize_piv_cac_disable, only: :delete before_action :set_piv_cac_setup_csp_form_action_uris, only: :new before_action :cap_piv_cac_count, only: %i[new submit_new_piv_cac] before_action :confirm_recently_authenticated_2fa @@ -33,15 +32,6 @@ def error ) end - def delete - analytics.piv_cac_disabled - remove_piv_cac - clear_piv_cac_information - create_user_event(:piv_cac_disabled) - flash[:success] = t('notices.piv_cac_disabled') - redirect_to account_two_factor_authentication_path - end - def submit_new_piv_cac if good_nickname user_session[:piv_cac_nickname] = params[:name] @@ -59,13 +49,6 @@ def track_piv_cac_setup_visit analytics.piv_cac_setup_visited(**analytics_properties) end - def remove_piv_cac - revoke_remember_device(current_user) - current_user.piv_cac_configurations.where(id: params[:id].to_i).delete_all - event = PushNotification::RecoveryInformationChangedEvent.new(user: current_user) - PushNotification::HttpPush.deliver(event) - end - def render_prompt @presenter = PivCacAuthenticationSetupPresenter.new( current_user, user_fully_authenticated?, user_piv_cac_form @@ -126,10 +109,6 @@ def track_mfa_method_added Funnel::Registration::AddMfa.call(current_user.id, 'piv_cac', analytics) end - def piv_cac_enabled? - TwoFactorAuthentication::PivCacPolicy.new(current_user).enabled? - end - def process_invalid_submission if user_piv_cac_form.name_taken flash.now[:error] = t('errors.piv_cac_setup.unique_name') 
@@ -140,11 +119,6 @@ def process_invalid_submission end end - def authorize_piv_cac_disable - return if piv_cac_enabled? && MfaPolicy.new(current_user).multiple_factors_enabled? - redirect_to account_two_factor_authentication_path - end - def good_nickname name = params[:name] name.present? && !PivCacConfiguration.exists?(user_id: current_user.id, name: name) diff --git a/app/controllers/users/piv_cac_setup_controller.rb b/app/controllers/users/piv_cac_setup_controller.rb deleted file mode 100644 index aa3f9d9edfa..00000000000 --- a/app/controllers/users/piv_cac_setup_controller.rb +++ /dev/null @@ -1,12 +0,0 @@ -module Users - class PivCacSetupController < ApplicationController - include ReauthenticationRequiredConcern - - before_action :confirm_two_factor_authenticated - before_action :confirm_recently_authenticated_2fa - - def delete; end - - def confirm_delete; end - end -end diff --git a/app/services/analytics_events.rb b/app/services/analytics_events.rb index aa63972278e..df5c5d39819 100644 --- a/app/services/analytics_events.rb +++ b/app/services/analytics_events.rb @@ -3978,6 +3978,9 @@ def phone_input_country_changed(country_code:, **extra) track_event(:phone_input_country_changed, country_code:, **extra) end + # @identity.idp.previous_event_name User Registration: piv cac disabled + # @identity.idp.previous_event_name PIV CAC disabled + # @identity.idp.previous_event_name piv_cac_disabled # @param [Boolean] success # @param [Hash] error_details # @param [Integer] configuration_id @@ -3997,13 +4000,6 @@ def piv_cac_delete_submitted( ) end - # @identity.idp.previous_event_name User Registration: piv cac disabled - # @identity.idp.previous_event_name PIV CAC disabled - # Tracks when user's piv cac is disabled - def piv_cac_disabled - track_event(:piv_cac_disabled) - end - # @identity.idp.previous_event_name PIV/CAC login # @param [Boolean] success # @param [Hash] errors 
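Review bot: The three `@identity.idp.previous_event_name` lines added above `piv_cac_delete_submitted` alias an event with different semantics: the removed `piv_cac_disabled` was only emitted after `authorize_piv_cac_disable` had passed and carried no outcome, whereas `piv_cac_delete_submitted` takes `success` and `error_details` (visible in the `@param` context lines) and so presumably fires on rejected attempts too. Anyone treating the previous-event-name annotation as a drop-in alias for dashboards or alerting on MFA removals will over-count unless they filter on the success flag. Suggest adding a sentence to the doc comment, e.g. `# Unlike the former piv_cac_disabled event, this fires on every delete attempt; filter on success: true for continuity with the old series.` The method definition itself sits outside this hunk.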
diff --git a/app/views/users/piv_cac_setup/confirm_delete.html.erb b/app/views/users/piv_cac_setup/confirm_delete.html.erb deleted file mode 100644 index acca327023b..00000000000 --- a/app/views/users/piv_cac_setup/confirm_delete.html.erb +++ /dev/null @@ -1,14 +0,0 @@ -<% self.title = t('forms.piv_cac_delete.confirm') %> - -<%= render AlertIconComponent.new(icon_name: :warning, class: 'display-block margin-bottom-4') %> - -<%= render PageHeadingComponent.new.with_content(t('forms.piv_cac_delete.confirm')) %> - -

- <%= t('forms.piv_cac_delete.caution', app_name: APP_NAME) %> -

- -<%= form_tag(disable_piv_cac_url(id: params[:id]), method: :delete, class: 'margin-top-5') do %> - <%= button_tag t('account.index.piv_cac_confirm_delete'), type: 'submit', class: 'usa-button usa-button--big usa-button--wide margin-bottom-2' %> -<% end %> -<%= link_to t('links.cancel'), account_path, class: 'usa-button usa-button--big usa-button--wide usa-button--outline' %> diff --git a/config/locales/account/en.yml b/config/locales/account/en.yml index 024b06e89fd..f1d9ab047e8 100644 --- a/config/locales/account/en.yml +++ b/config/locales/account/en.yml @@ -41,7 +41,6 @@ en: phone: Phone numbers phone_add: Add phone piv_cac_add: Add ID - piv_cac_confirm_delete: Yes, remove card reactivation: instructions: Your profile was recently deactivated due to a password reset. link: Reactivate your profile now. diff --git a/config/locales/account/es.yml b/config/locales/account/es.yml index 2ffae81956a..9d09643015e 100644 --- a/config/locales/account/es.yml +++ b/config/locales/account/es.yml @@ -42,7 +42,6 @@ es: phone: Teléfono phone_add: Añadir teléfono piv_cac_add: Agregar ID - piv_cac_confirm_delete: Sí, retire la tarjeta reactivation: instructions: Su perfil ha sido desactivado debido a un cambio de contraseña. link: Reactive su perfil ahora. diff --git a/config/locales/account/fr.yml b/config/locales/account/fr.yml index abdb9b70614..f079e06f88e 100644 --- a/config/locales/account/fr.yml +++ b/config/locales/account/fr.yml @@ -43,7 +43,6 @@ fr: phone: Numéro de téléphone phone_add: Ajouter un téléphone piv_cac_add: Ajouter un identifiant - piv_cac_confirm_delete: Oui, retirer la carte reactivation: instructions: Votre profil a été récemment désactivé en raison d’une réinitialisation de mot passe. Vous pouvez utiliser votre clé diff --git a/config/locales/forms/en.yml b/config/locales/forms/en.yml index 3913bbf946a..0136ba1452b 100644 --- a/config/locales/forms/en.yml +++ b/config/locales/forms/en.yml 
@@ -83,10 +83,6 @@ en: phone: buttons: delete: Remove phone - piv_cac_delete: - caution: If you remove your PIV/CAC card you won’t be able to use it to access - your %{app_name} account. - confirm: Are you sure you want to remove your PIV/CAC card? piv_cac_login: submit: Insert your PIV/CAC piv_cac_mfa: diff --git a/config/locales/forms/es.yml b/config/locales/forms/es.yml index a834d40afca..ccf56b21093 100644 --- a/config/locales/forms/es.yml +++ b/config/locales/forms/es.yml @@ -88,10 +88,6 @@ es: phone: buttons: delete: Eliminar el teléfono - piv_cac_delete: - caution: Si retira su tarjeta PIV/CAC, no podrá usarla para acceder a su cuenta - %{app_name}. - confirm: '¿Estás seguro de que deseas eliminar tu tarjeta PIV/CAC?' piv_cac_login: submit: Inserte su PIV/CAC piv_cac_mfa: diff --git a/config/locales/forms/fr.yml b/config/locales/forms/fr.yml index f0043d507d9..af64021bc8c 100644 --- a/config/locales/forms/fr.yml +++ b/config/locales/forms/fr.yml @@ -90,10 +90,6 @@ fr: phone: buttons: delete: Supprimer le numéro de teléfono - piv_cac_delete: - caution: Si vous retirez votre carte PIV/CAC, vous ne pourrez plus l’utiliser - pour accéder à votre compte %{app_name}. - confirm: Êtes-vous sûr de vouloir retirer votre carte PIV/CAC? piv_cac_login: submit: Insérez votre PIV/CAC piv_cac_mfa: diff --git a/config/locales/notices/en.yml b/config/locales/notices/en.yml index 47d03fd6ba8..79cd0f42642 100644 --- a/config/locales/notices/en.yml +++ b/config/locales/notices/en.yml @@ -16,7 +16,6 @@ en: password_changed: You changed your password. phone_confirmed: A phone was added to your account. piv_cac_configured: A PIV/CAC card was added to your account. - piv_cac_disabled: Your PIV/CAC was deleted from your account. privacy: privacy_act_statement: Privacy Act Statement security_and_privacy_practices: Security Practices and Privacy Act Statement diff --git a/config/locales/notices/es.yml b/config/locales/notices/es.yml index 900ab66d96a..43c3208b640 100644 
--- a/config/locales/notices/es.yml +++ b/config/locales/notices/es.yml @@ -16,7 +16,6 @@ es: password_changed: Ha cambiado su contraseña. phone_confirmed: Un teléfono fue agregado a tu cuenta. piv_cac_configured: Una tarjeta PIV/CAC fue agregada a tu cuenta. - piv_cac_disabled: Tu PIV/CAC fue eliminado de tu cuenta. privacy: privacy_act_statement: Declaración de la ley de privacidad security_and_privacy_practices: Prácticas de seguridad y privacidad diff --git a/config/locales/notices/fr.yml b/config/locales/notices/fr.yml index 02fb01e12cf..28101deff08 100644 --- a/config/locales/notices/fr.yml +++ b/config/locales/notices/fr.yml @@ -16,7 +16,6 @@ fr: password_changed: Vous avez changé votre mot de passe. phone_confirmed: Un téléphone a été ajouté à votre compte. piv_cac_configured: Une carte PIV / CAC a été ajoutée à votre compte. - piv_cac_disabled: Votre PIV / CAC a été supprimé de votre compte. privacy: privacy_act_statement: Déclaration de confidentialité security_and_privacy_practices: Pratiques de sécurité et de confidentialité diff --git a/config/routes.rb b/config/routes.rb index b6258c589d1..0e11ce3dcc0 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -228,7 +228,6 @@ get '/piv_cac' => 'users/piv_cac_authentication_setup#new', as: :setup_piv_cac get '/piv_cac_error' => 'users/piv_cac_authentication_setup#error', as: :setup_piv_cac_error - delete '/piv_cac' => 'users/piv_cac_authentication_setup#delete', as: :disable_piv_cac post '/present_piv_cac' => 'users/piv_cac_authentication_setup#submit_new_piv_cac', as: :submit_new_piv_cac @@ -288,7 +287,6 @@ delete '/backup_code_delete' => 'users/backup_code_setup#delete' get '/confirm_backup_codes' => 'users/backup_code_setup#confirm_backup_codes' - get '/piv_cac_delete' => 'users/piv_cac_setup#confirm_delete' get '/user_please_call' => 'users/please_call#show' post '/sign_up/create_password' => 'sign_up/passwords#create', as: :sign_up_create_password 
diff --git a/spec/controllers/users/piv_cac_authentication_setup_controller_spec.rb b/spec/controllers/users/piv_cac_authentication_setup_controller_spec.rb index 0de160d48a7..004e74474f2 100644 --- a/spec/controllers/users/piv_cac_authentication_setup_controller_spec.rb +++ b/spec/controllers/users/piv_cac_authentication_setup_controller_spec.rb @@ -20,14 +20,6 @@ expect(response).to redirect_to(root_url) end end - - describe 'DELETE delete' do - it 'redirects to root url' do - delete :delete - - expect(response).to redirect_to(root_url) - end - end end describe 'when signed out' do @@ -52,13 +44,6 @@ expect(response).to redirect_to(user_two_factor_authentication_url) end end - - describe 'DELETE delete' do - it 'redirects to root url' do - delete :delete - expect(response).to redirect_to(user_two_factor_authentication_url) - end - end end describe 'when signed in' do 
@@ -220,68 +205,6 @@ end end end - - describe 'DELETE delete' do - it 'redirects to account 2FA page' do - delete :delete - expect(response).to redirect_to(account_two_factor_authentication_path) - end - end - end - - context 'with associated piv/cac' do - let(:user) { create(:user, :fully_registered, :with_piv_or_cac) } - - describe 'GET index' do - it 'does not redirect to account page because we allow multiple PIV/CACs' do - get :new - expect(response).to render_template(:new) - end - end - - describe 'DELETE delete' do - let(:piv_cac_configuration_id) { user.piv_cac_configurations.first.id } - - it 'redirects to account page' do - delete :delete, params: { id: piv_cac_configuration_id } - expect(response).to redirect_to(account_two_factor_authentication_path) - end - - it 'removes the piv/cac association' do - delete :delete, params: { id: piv_cac_configuration_id } - expect(user.reload.piv_cac_configurations).to be_empty - end - - it 'sends a recovery information changed event' do - expect(PushNotification::HttpPush).to receive(:deliver). 
- with(PushNotification::RecoveryInformationChangedEvent.new(user: user)) - delete :delete, params: { id: piv_cac_configuration_id } - end - - it 'resets the remember device revocation date/time' do - expect(user.remember_device_revoked_at).to eq nil - freeze_time do - delete :delete, params: { id: piv_cac_configuration_id } - expect(user.reload.remember_device_revoked_at).to eq Time.zone.now - end - end - - it 'removes the piv/cac information from the user session' do - subject.user_session[:decrypted_x509] = {} - delete :delete, params: { id: piv_cac_configuration_id } - expect(subject.user_session[:decrypted_x509]).to be_nil - end - - it 'does not remove the piv/cac association if it is the last mfa method' do - user.phone_configurations.destroy_all - user.backup_code_configurations.destroy_all - - delete :delete, params: { id: piv_cac_configuration_id } - - expect(response).to redirect_to(account_two_factor_authentication_path) - expect(user.reload.piv_cac_configurations.first.x509_dn_uuid).to_not be_nil - end - end end end end diff --git a/spec/features/users/piv_cac_management_spec.rb b/spec/features/users/piv_cac_management_spec.rb index 7ff12100047..9714cd25880 100644 --- a/spec/features/users/piv_cac_management_spec.rb +++ b/spec/features/users/piv_cac_management_spec.rb @@ -1,12 +1,6 @@ require 'rails_helper' RSpec.feature 'PIV/CAC Management', allowed_extra_analytics: [:*] do - def find_form(page, attributes) - page.all('form').detect do |form| - attributes.all? { |key, value| form[key] == value } - end - end - context 'with no piv/cac associated yet' do let(:uuid) { SecureRandom.uuid } let(:user) { create(:user, :fully_registered, :with_phone, with: { phone: '+1 202-555-1212' }) } 
@@ -139,15 +133,6 @@ def find_form(page, attributes) ), ) end - - scenario "doesn't allow unassociation of a piv/cac" do - stub_piv_cac_service - - sign_in_and_2fa_user(user) - visit account_path - form = find_form(page, action: disable_piv_cac_url) - expect(form).to be_nil - end end context 'with a piv/cac associated' do @@ -200,12 +185,22 @@ def find_form(page, attributes) context 'with PIV/CAC as the only MFA method' do let(:user) { create(:user, :with_piv_or_cac) } - scenario 'disallows disassociation PIV/CAC' do + scenario 'disallows disassociation PIV/CAC', :js, allow_browser_log: true do sign_in_and_2fa_user(user) visit account_path - form = find_form(page, action: disable_piv_cac_url) - expect(form).to be_nil + click_button( + format( + '%s: %s', + t('two_factor_authentication.piv_cac.manage_accessible_label'), + user.piv_cac_configurations.first.name, + ), + ) + accept_confirm(wait: 5) { click_button t('components.manageable_authenticator.delete') } + expect(page).to have_content( + t('errors.manage_authenticator.remove_only_method_error'), + wait: 5, + ) user.reload expect(user.piv_cac_configurations.first.x509_dn_uuid).to_not be_nil