18F · mdiarra3 · May 6, 2024 · Apr 26, 2024 · Apr 26, 2024 · Apr 29, 2024
diff --git a/app/forms/concerns/piv_cac_form_helpers.rb b/app/forms/concerns/piv_cac_form_helpers.rb
@@ -13,14 +13,14 @@ def valid_token?
 
   def token_decoded
     @data = PivCacService.decode_token(token)
+    @key_id = @data['key_id']
     true
   end
 
   def not_error_token
     possible_error = @data['error']
     if possible_error
       self.error_type = possible_error
-      self.key_id = @data['key_id']
       false
     else
       self.x509_dn_uuid = @data['uuid']
@@ -35,7 +35,6 @@ def token_has_correct_nonce
       true
     else
       self.error_type = 'token.invalid'
-      self.key_id = @data['key_id']
       false
     end
   end

diff --git a/app/forms/user_piv_cac_setup_form.rb b/app/forms/user_piv_cac_setup_form.rb
@@ -21,7 +21,7 @@ def submit
     FormResponse.new(
       success: success && process_valid_submission,
       errors: errors,
-      extra: extra_analytics_attributes.merge(error_type ? { key_id: key_id } : {}),
+      extra: extra_analytics_attributes,
     )
   end
 
@@ -61,6 +61,7 @@ def piv_cac_not_already_associated
   def extra_analytics_attributes
     {
       multi_factor_auth_method: 'piv_cac',
+      key_id: key_id,
     }
   end
 

diff --git a/app/forms/user_piv_cac_verification_form.rb b/app/forms/user_piv_cac_verification_form.rb
@@ -18,7 +18,7 @@ def submit
     FormResponse.new(
       success: success,
       errors: errors,
-      extra: extra_analytics_attributes.merge(error_type ? { key_id: key_id } : {}),
+      extra: extra_analytics_attributes,
     )
   end
 
@@ -57,6 +57,8 @@ def extra_analytics_attributes
     {
       multi_factor_auth_method: 'piv_cac',
       piv_cac_configuration_id: piv_cac_configuration&.id,
+      piv_cac_configuration_dn_uuid: x509_dn_uuid,
+      key_id: key_id,
       multi_factor_auth_method_created_at: piv_cac_configuration&.created_at&.strftime('%s%L'),
     }
   end

diff --git a/spec/controllers/two_factor_authentication/piv_cac_verification_controller_spec.rb b/spec/controllers/two_factor_authentication/piv_cac_verification_controller_spec.rb
@@ -25,24 +25,28 @@
       'subject' => x509_subject,
       'issuer' => x509_issuer,
       'nonce' => nonce,
+      'key_id' => 'foo',
     )
     allow(PivCacService).to receive(:decode_token).with('good-other-token').and_return(
       'uuid' => user.piv_cac_configurations.first.x509_dn_uuid + 'X',
       'subject' => x509_subject + 'X',
       'issuer' => x509_issuer,
       'nonce' => nonce,
+      'key_id' => 'foo',
     )
     allow(PivCacService).to receive(:decode_token).with('bad-token').and_return(
       'uuid' => 'bad-uuid',
       'subject' => bad_dn,
       'issuer' => x509_issuer,
       'nonce' => nonce,
+      'key_id' => 'foo',
     )
     allow(PivCacService).to receive(:decode_token).with('bad-nonce').and_return(
       'uuid' => user.piv_cac_configurations.first.x509_dn_uuid,
       'subject' => x509_subject,
       'issuer' => x509_issuer,
       'nonce' => 'bad-' + nonce,
+      'key_id' => 'foo',
     )
   end
 
@@ -119,6 +123,8 @@
           new_device: nil,
           multi_factor_auth_method_created_at: cfg.created_at.strftime('%s%L'),
           piv_cac_configuration_id: cfg.id,
+          piv_cac_configuration_dn_uuid: cfg.x509_dn_uuid,
+          key_id: 'foo',
         }
         expect(@analytics).to receive(:track_mfa_submit_event).
           with(submit_attributes)
@@ -154,6 +160,8 @@
             new_device: false,
             multi_factor_auth_method_created_at: cfg.created_at.strftime('%s%L'),
             piv_cac_configuration_id: cfg.id,
+            piv_cac_configuration_dn_uuid: cfg.x509_dn_uuid,
+            key_id: 'foo',
           }
           expect(@analytics).to receive(:track_mfa_submit_event).
             with(submit_attributes)
@@ -264,7 +272,8 @@
           multi_factor_auth_method: 'piv_cac',
           multi_factor_auth_method_created_at: nil,
           new_device: nil,
-          key_id: nil,
+          key_id: 'foo',
+          piv_cac_configuration_dn_uuid: 'bad-uuid',
           piv_cac_configuration_id: nil,
         }
         expect(@analytics).to receive(:track_mfa_submit_event).

diff --git a/spec/forms/user_piv_cac_login_form_spec.rb b/spec/forms/user_piv_cac_login_form_spec.rb
@@ -22,6 +22,7 @@
           'uuid' => piv_cac_configuration.x509_dn_uuid,
           'subject' => 'x509-subject',
           'nonce' => nonce,
+          'key_id' => 'foo',
         }
       end
 
@@ -30,7 +31,7 @@
 
         expect(result.success?).to eq true
         expect(result.errors).to eq({})
-        expect(result.extra).to eq({ key_id: nil })
+        expect(result.extra).to eq({ key_id: 'foo' })
       end
     end
 

diff --git a/spec/forms/user_piv_cac_setup_form_spec.rb b/spec/forms/user_piv_cac_setup_form_spec.rb
@@ -20,12 +20,13 @@
           'uuid' => x509_dn_uuid,
           'subject' => 'x509-subject',
           'nonce' => nonce,
+          'key_id' => 'foo',
         }
       end
 
       it 'returns FormResponse with success: true' do
         result = instance_double(FormResponse)
-        extra = { multi_factor_auth_method: 'piv_cac' }
+        extra = { multi_factor_auth_method: 'piv_cac', key_id: 'foo' }
 
         expect(FormResponse).to receive(:new).
           with(success: true, errors: {}, extra: extra).and_return(result)
@@ -47,7 +48,7 @@
 
         it 'returns FormResponse with success: true' do
           result = instance_double(FormResponse)
-          extra = { multi_factor_auth_method: 'piv_cac' }
+          extra = { multi_factor_auth_method: 'piv_cac', key_id: 'foo' }
 
           expect(FormResponse).to receive(:new).
             with(success: true, errors: {}, extra: extra).and_return(result)
@@ -62,7 +63,7 @@
 
         it 'returns FormResponse with success: false' do
           result = instance_double(FormResponse)
-          extra = { multi_factor_auth_method: 'piv_cac', key_id: nil }
+          extra = { multi_factor_auth_method: 'piv_cac', key_id: 'foo' }
 
           expect(FormResponse).to receive(:new).
             with(success: false, errors: { type: 'piv_cac.already_associated' },
@@ -115,7 +116,7 @@
 
       it 'returns FormResponse with success: false' do
         result = instance_double(FormResponse)
-        extra = { multi_factor_auth_method: 'piv_cac' }
+        extra = { multi_factor_auth_method: 'piv_cac', key_id: nil }
 
         expect(FormResponse).to receive(:new).
           with(success: false, errors: {}, extra: extra).and_return(result)

diff --git a/spec/forms/user_piv_cac_verification_form_spec.rb b/spec/forms/user_piv_cac_verification_form_spec.rb
@@ -19,6 +19,7 @@
           'uuid' => x509_dn_uuid,
           'subject' => 'x509-subject',
           'nonce' => nonce,
+          'key_id' => 'foo',
         }
       end
 
@@ -33,6 +34,7 @@
             multi_factor_auth_method: 'piv_cac',
             piv_cac_configuration_id: nil,
             multi_factor_auth_method_created_at: nil,
+            piv_cac_configuration_dn_uuid: nil,
             key_id: nil,
           )
 
@@ -52,7 +54,8 @@
             multi_factor_auth_method: 'piv_cac',
             multi_factor_auth_method_created_at: nil,
             piv_cac_configuration_id: nil,
-            key_id: nil,
+            piv_cac_configuration_dn_uuid: 'some-random-uuid',
+            key_id: 'foo',
           )
           expect(form.error_type).to eq 'user.piv_cac_mismatch'
         end
@@ -72,6 +75,8 @@
             multi_factor_auth_method: 'piv_cac',
             piv_cac_configuration_id: piv_cac_configuration.id,
             multi_factor_auth_method_created_at: piv_cac_configuration.created_at.strftime('%s%L'),
+            key_id: 'foo',
+            piv_cac_configuration_dn_uuid: x509_dn_uuid,
           )
         end
 
@@ -88,7 +93,8 @@
               multi_factor_auth_method: 'piv_cac',
               piv_cac_configuration_id: nil,
               multi_factor_auth_method_created_at: nil,
-              key_id: nil,
+              piv_cac_configuration_dn_uuid: nil,
+              key_id: 'foo',
             )
 
             expect(Event).to_not receive(:create)
@@ -101,7 +107,7 @@
     context 'when token is invalid' do
       let(:token) { 'bad-token' }
       let(:token_response) do
-        { 'error' => 'token.bad', 'nonce' => nonce }
+        { 'error' => 'token.bad', 'nonce' => nonce, key_id: 'foo' }
       end
 
       it 'returns FormResponse with success: false' do
@@ -113,6 +119,7 @@
           errors: { type: 'token.bad' },
           multi_factor_auth_method: 'piv_cac',
           multi_factor_auth_method_created_at: nil,
+          piv_cac_configuration_dn_uuid: nil,
           piv_cac_configuration_id: nil,
           key_id: nil,
         )
@@ -132,6 +139,8 @@
           multi_factor_auth_method: 'piv_cac',
           multi_factor_auth_method_created_at: nil,
           piv_cac_configuration_id: nil,
+          piv_cac_configuration_dn_uuid: nil,
+          key_id: nil,
         )
       end
     end