18F · aduth · Mar 8, 2024 · Mar 8, 2024 · Mar 8, 2024
diff --git a/app/controllers/users/piv_cac_authentication_setup_controller.rb b/app/controllers/users/piv_cac_authentication_setup_controller.rb
@@ -9,7 +9,6 @@ class PivCacAuthenticationSetupController < ApplicationController
 
     before_action :authenticate_user!
     before_action :confirm_user_authenticated_for_2fa_setup
-    before_action :authorize_piv_cac_disable, only: :delete
     before_action :set_piv_cac_setup_csp_form_action_uris, only: :new
     before_action :cap_piv_cac_count, only: %i[new submit_new_piv_cac]
     before_action :confirm_recently_authenticated_2fa
@@ -33,15 +32,6 @@ def error
       )
     end
 
-    def delete
-      analytics.piv_cac_disabled
-      remove_piv_cac
-      clear_piv_cac_information
-      create_user_event(:piv_cac_disabled)
-      flash[:success] = t('notices.piv_cac_disabled')
-      redirect_to account_two_factor_authentication_path
-    end
-
     def submit_new_piv_cac
       if good_nickname
         user_session[:piv_cac_nickname] = params[:name]
@@ -59,13 +49,6 @@ def track_piv_cac_setup_visit
       analytics.piv_cac_setup_visited(**analytics_properties)
     end
 
-    def remove_piv_cac
-      revoke_remember_device(current_user)
-      current_user.piv_cac_configurations.where(id: params[:id].to_i).delete_all
-      event = PushNotification::RecoveryInformationChangedEvent.new(user: current_user)
-      PushNotification::HttpPush.deliver(event)
-    end
-
     def render_prompt
       @presenter = PivCacAuthenticationSetupPresenter.new(
         current_user, user_fully_authenticated?, user_piv_cac_form
@@ -126,10 +109,6 @@ def track_mfa_method_added
       Funnel::Registration::AddMfa.call(current_user.id, 'piv_cac', analytics)
     end
 
-    def piv_cac_enabled?
-      TwoFactorAuthentication::PivCacPolicy.new(current_user).enabled?
-    end
-
     def process_invalid_submission
       if user_piv_cac_form.name_taken
         flash.now[:error] = t('errors.piv_cac_setup.unique_name')
@@ -140,11 +119,6 @@ def process_invalid_submission
       end
     end
 
-    def authorize_piv_cac_disable
-      return if piv_cac_enabled? && MfaPolicy.new(current_user).multiple_factors_enabled?
-      redirect_to account_two_factor_authentication_path
-    end
-
     def good_nickname
       name = params[:name]
       name.present? && !PivCacConfiguration.exists?(user_id: current_user.id, name: name)

diff --git a/app/controllers/users/piv_cac_setup_controller.rb b/app/controllers/users/piv_cac_setup_controller.rb
diff --git a/app/services/analytics_events.rb b/app/services/analytics_events.rb
@@ -3978,6 +3978,9 @@ def phone_input_country_changed(country_code:, **extra)
     track_event(:phone_input_country_changed, country_code:, **extra)
   end
 
+  # @identity.idp.previous_event_name User Registration: piv cac disabled
+  # @identity.idp.previous_event_name PIV CAC disabled
+  # @identity.idp.previous_event_name piv_cac_disabled
   # @param [Boolean] success
   # @param [Hash] error_details
   # @param [Integer] configuration_id
@@ -3997,13 +4000,6 @@ def piv_cac_delete_submitted(
     )
   end
 
-  # @identity.idp.previous_event_name User Registration: piv cac disabled
-  # @identity.idp.previous_event_name PIV CAC disabled
-  # Tracks when user's piv cac is disabled
-  def piv_cac_disabled
-    track_event(:piv_cac_disabled)
-  end
-
   # @identity.idp.previous_event_name PIV/CAC login
   # @param [Boolean] success
   # @param [Hash] errors

diff --git a/app/views/users/piv_cac_setup/confirm_delete.html.erb b/app/views/users/piv_cac_setup/confirm_delete.html.erb
diff --git a/config/locales/account/en.yml b/config/locales/account/en.yml
@@ -41,7 +41,6 @@ en:
       phone: Phone numbers
       phone_add: Add phone
       piv_cac_add: Add ID
-      piv_cac_confirm_delete: Yes, remove card
       reactivation:
         instructions: Your profile was recently deactivated due to a password reset.
         link: Reactivate your profile now.

diff --git a/config/locales/account/es.yml b/config/locales/account/es.yml
@@ -42,7 +42,6 @@ es:
       phone: Teléfono
       phone_add: Añadir teléfono
       piv_cac_add: Agregar ID
-      piv_cac_confirm_delete: Sí, retire la tarjeta
       reactivation:
         instructions: Su perfil ha sido desactivado debido a un cambio de contraseña.
         link: Reactive su perfil ahora.

diff --git a/config/locales/account/fr.yml b/config/locales/account/fr.yml
@@ -43,7 +43,6 @@ fr:
       phone: Numéro de téléphone
       phone_add: Ajouter un téléphone
       piv_cac_add: Ajouter un identifiant
-      piv_cac_confirm_delete: Oui, retirer la carte
       reactivation:
         instructions: Votre profil a été récemment désactivé en raison d’une
           réinitialisation de mot passe. Vous pouvez utiliser votre clé

diff --git a/config/locales/forms/en.yml b/config/locales/forms/en.yml
@@ -83,10 +83,6 @@ en:
     phone:
       buttons:
         delete: Remove phone
-    piv_cac_delete:
-      caution: If you remove your PIV/CAC card you won’t be able to use it to access
-        your %{app_name} account.
-      confirm: Are you sure you want to remove your PIV/CAC card?
     piv_cac_login:
       submit: Insert your PIV/CAC
     piv_cac_mfa:

diff --git a/config/locales/forms/es.yml b/config/locales/forms/es.yml
@@ -88,10 +88,6 @@ es:
     phone:
       buttons:
         delete: Eliminar el teléfono
-    piv_cac_delete:
-      caution: Si retira su tarjeta PIV/CAC, no podrá usarla para acceder a su cuenta
-        %{app_name}.
-      confirm: '¿Estás seguro de que deseas eliminar tu tarjeta PIV/CAC?'
     piv_cac_login:
       submit: Inserte su PIV/CAC
     piv_cac_mfa:

diff --git a/config/locales/forms/fr.yml b/config/locales/forms/fr.yml
@@ -90,10 +90,6 @@ fr:
     phone:
       buttons:
         delete: Supprimer le numéro de teléfono
-    piv_cac_delete:
-      caution: Si vous retirez votre carte PIV/CAC, vous ne pourrez plus l’utiliser
-        pour accéder à votre compte %{app_name}.
-      confirm: Êtes-vous sûr de vouloir retirer votre carte PIV/CAC?
     piv_cac_login:
       submit: Insérez votre PIV/CAC
     piv_cac_mfa:

diff --git a/config/locales/notices/en.yml b/config/locales/notices/en.yml
@@ -16,7 +16,6 @@ en:
     password_changed: You changed your password.
     phone_confirmed: A phone was added to your account.
     piv_cac_configured: A PIV/CAC card was added to your account.
-    piv_cac_disabled: Your PIV/CAC was deleted from your account.
     privacy:
       privacy_act_statement: Privacy Act Statement
       security_and_privacy_practices: Security Practices and Privacy Act Statement

diff --git a/config/locales/notices/es.yml b/config/locales/notices/es.yml
@@ -16,7 +16,6 @@ es:
     password_changed: Ha cambiado su contraseña.
     phone_confirmed: Un teléfono fue agregado a tu cuenta.
     piv_cac_configured: Una tarjeta PIV/CAC fue agregada a tu cuenta.
-    piv_cac_disabled: Tu PIV/CAC fue eliminado de tu cuenta.
     privacy:
       privacy_act_statement: Declaración de la ley de privacidad
       security_and_privacy_practices: Prácticas de seguridad y privacidad

diff --git a/config/locales/notices/fr.yml b/config/locales/notices/fr.yml
@@ -16,7 +16,6 @@ fr:
     password_changed: Vous avez changé votre mot de passe.
     phone_confirmed: Un téléphone a été ajouté à votre compte.
     piv_cac_configured: Une carte PIV / CAC a été ajoutée à votre compte.
-    piv_cac_disabled: Votre PIV / CAC a été supprimé de votre compte.
     privacy:
       privacy_act_statement: Déclaration de confidentialité
       security_and_privacy_practices: Pratiques de sécurité et de confidentialité

diff --git a/config/routes.rb b/config/routes.rb
@@ -228,7 +228,6 @@
 
     get '/piv_cac' => 'users/piv_cac_authentication_setup#new', as: :setup_piv_cac
     get '/piv_cac_error' => 'users/piv_cac_authentication_setup#error', as: :setup_piv_cac_error
-    delete '/piv_cac' => 'users/piv_cac_authentication_setup#delete', as: :disable_piv_cac
     post '/present_piv_cac' => 'users/piv_cac_authentication_setup#submit_new_piv_cac',
          as: :submit_new_piv_cac
 
@@ -288,7 +287,6 @@
     delete '/backup_code_delete' => 'users/backup_code_setup#delete'
     get '/confirm_backup_codes' => 'users/backup_code_setup#confirm_backup_codes'
 
-    get '/piv_cac_delete' => 'users/piv_cac_setup#confirm_delete'
     get '/user_please_call' => 'users/please_call#show'
 
     post '/sign_up/create_password' => 'sign_up/passwords#create', as: :sign_up_create_password

diff --git a/spec/controllers/users/piv_cac_authentication_setup_controller_spec.rb b/spec/controllers/users/piv_cac_authentication_setup_controller_spec.rb
@@ -20,14 +20,6 @@
         expect(response).to redirect_to(root_url)
       end
     end
-
-    describe 'DELETE delete' do
-      it 'redirects to root url' do
-        delete :delete
-
-        expect(response).to redirect_to(root_url)
-      end
-    end
   end
 
   describe 'when signed out' do
@@ -52,13 +44,6 @@
         expect(response).to redirect_to(user_two_factor_authentication_url)
       end
     end
-
-    describe 'DELETE delete' do
-      it 'redirects to root url' do
-        delete :delete
-        expect(response).to redirect_to(user_two_factor_authentication_url)
-      end
-    end
   end
 
   describe 'when signed in' do
@@ -220,68 +205,6 @@
           end
         end
       end
-
-      describe 'DELETE delete' do
-        it 'redirects to account 2FA page' do
-          delete :delete
-          expect(response).to redirect_to(account_two_factor_authentication_path)
-        end
-      end
-    end
-
-    context 'with associated piv/cac' do
-      let(:user) { create(:user, :fully_registered, :with_piv_or_cac) }
-
-      describe 'GET index' do
-        it 'does not redirect to account page because we allow multiple PIV/CACs' do
-          get :new
-          expect(response).to render_template(:new)
-        end
-      end
-
-      describe 'DELETE delete' do
-        let(:piv_cac_configuration_id) { user.piv_cac_configurations.first.id }
-
-        it 'redirects to account page' do
-          delete :delete, params: { id: piv_cac_configuration_id }
-          expect(response).to redirect_to(account_two_factor_authentication_path)
-        end
-
-        it 'removes the piv/cac association' do
-          delete :delete, params: { id: piv_cac_configuration_id }
-          expect(user.reload.piv_cac_configurations).to be_empty
-        end
-
-        it 'sends a recovery information changed event' do
-          expect(PushNotification::HttpPush).to receive(:deliver).
-            with(PushNotification::RecoveryInformationChangedEvent.new(user: user))
-          delete :delete, params: { id: piv_cac_configuration_id }
-        end
-
-        it 'resets the remember device revocation date/time' do
-          expect(user.remember_device_revoked_at).to eq nil
-          freeze_time do
-            delete :delete, params: { id: piv_cac_configuration_id }
-            expect(user.reload.remember_device_revoked_at).to eq Time.zone.now
-          end
-        end
-
-        it 'removes the piv/cac information from the user session' do
-          subject.user_session[:decrypted_x509] = {}
-          delete :delete, params: { id: piv_cac_configuration_id }
-          expect(subject.user_session[:decrypted_x509]).to be_nil
-        end
-
-        it 'does not remove the piv/cac association if it is the last mfa method' do
-          user.phone_configurations.destroy_all
-          user.backup_code_configurations.destroy_all
-
-          delete :delete, params: { id: piv_cac_configuration_id }
-
-          expect(response).to redirect_to(account_two_factor_authentication_path)
-          expect(user.reload.piv_cac_configurations.first.x509_dn_uuid).to_not be_nil
-        end
-      end
     end
   end
 end
diff --git a/spec/features/users/piv_cac_management_spec.rb b/spec/features/users/piv_cac_management_spec.rb
@@ -1,12 +1,6 @@
 require 'rails_helper'
 
 RSpec.feature 'PIV/CAC Management', allowed_extra_analytics: [:*] do
-  def find_form(page, attributes)
-    page.all('form').detect do |form|
-      attributes.all? { |key, value| form[key] == value }
-    end
-  end
-
   context 'with no piv/cac associated yet' do
     let(:uuid) { SecureRandom.uuid }
     let(:user) { create(:user, :fully_registered, :with_phone, with: { phone: '+1 202-555-1212' }) }
@@ -139,15 +133,6 @@ def find_form(page, attributes)
         ),
       )
     end
-
-    scenario "doesn't allow unassociation of a piv/cac" do
-      stub_piv_cac_service
-
-      sign_in_and_2fa_user(user)
-      visit account_path
-      form = find_form(page, action: disable_piv_cac_url)
-      expect(form).to be_nil
-    end
   end
 
   context 'with a piv/cac associated' do
@@ -200,12 +185,22 @@ def find_form(page, attributes)
   context 'with PIV/CAC as the only MFA method' do
     let(:user) { create(:user, :with_piv_or_cac) }
 
-    scenario 'disallows disassociation PIV/CAC' do
+    scenario 'disallows disassociation PIV/CAC', :js, allow_browser_log: true do
       sign_in_and_2fa_user(user)
       visit account_path
 
-      form = find_form(page, action: disable_piv_cac_url)
-      expect(form).to be_nil
+      click_button(
+        format(
+          '%s: %s',
+          t('two_factor_authentication.piv_cac.manage_accessible_label'),
+          user.piv_cac_configurations.first.name,
+        ),
+      )
+      accept_confirm(wait: 5) { click_button t('components.manageable_authenticator.delete') }
+      expect(page).to have_content(
+        t('errors.manage_authenticator.remove_only_method_error'),
+        wait: 5,
+      )
 
       user.reload
       expect(user.piv_cac_configurations.first.x509_dn_uuid).to_not be_nil