LG-13355: filter piv upsell

app/controllers/application_controller.rb

@@ -261,7 +261,7 @@ def user_needs_to_reactivate_account?
   end
 
   def user_recommended_for_piv_cac?
-    current_user.piv_cac_recommended_dismissed_at.nil? && current_user.has_gov_or_mil_email? &&
+    current_user.piv_cac_recommended_dismissed_at.nil? && current_user.has_fed_or_mil_email? &&
       !user_already_has_piv?
   end
 

app/controllers/concerns/mfa_setup_concern.rb

@@ -82,7 +82,7 @@ def show_skip_additional_mfa_link?
   end
 
   def check_if_possible_piv_user
-    if current_user.has_gov_or_mil_email? && current_user.piv_cac_recommended_dismissed_at.nil?
+    if current_user.has_fed_or_mil_email? && current_user.piv_cac_recommended_dismissed_at.nil?
       redirect_to login_piv_cac_recommended_path
     end
   end

app/controllers/users/piv_cac_recommended_controller.rb

@@ -8,7 +8,7 @@ class PivCacRecommendedController < ApplicationController
 
     before_action :confirm_user_authenticated_for_2fa_setup
     before_action :apply_secure_headers_override
-    before_action :redirect_unless_user_email_is_gov_or_mil
+    before_action :redirect_unless_user_email_is_fed_or_mil
 
     def show
       @recommended_presenter = PivCacRecommendedPresenter.new(current_user)
@@ -30,8 +30,8 @@ def skip
 
     private
 
-    def redirect_unless_user_email_is_gov_or_mil
-      redirect_to after_sign_in_path_for(current_user) unless current_user.has_gov_or_mil_email?
+    def redirect_unless_user_email_is_fed_or_mil
+      redirect_to after_sign_in_path_for(current_user) unless current_user.has_fed_or_mil_email?
     end
   end
 end

app/controllers/users/two_factor_authentication_setup_controller.rb

@@ -16,7 +16,7 @@ def index
       @presenter = two_factor_options_presenter
       analytics.user_registration_2fa_setup_visit(
         enabled_mfa_methods_count:,
-        gov_or_mil_email: has_gov_or_mil_email?,
+        gov_or_mil_email: fed_or_mil_email?,
       )
     end
 
@@ -44,8 +44,8 @@ def two_factor_options_form
 
     private
 
-    def has_gov_or_mil_email?
-      current_user.confirmed_email_addresses.any?(&:gov_or_mil?)
+    def fed_or_mil_email?
+      current_user.confirmed_email_addresses.any?(&:fed_or_mil_email?)
     end
 
     def mfa_context

app/models/email_address.rb

@@ -29,8 +29,25 @@ def confirmation_period_expired?
     Time.zone.now > expiration_time
   end
 
-  def gov_or_mil?
-    email.end_with?('.gov', '.mil')
+  def domain
+    Mail::Address.new(email).domain
+  end
+
+  def fed_or_mil_email?
+    fed_email? || mil_email?
+  end
+
+  def fed_email?
+    if IdentityConfig.store.use_fed_domain_class
+      return false unless domain
+      FederalEmailDomain.fed_domain?(domain)
+    else
+      email.end_with?('.gov')
+    end
+  end
+
+  def mil_email?
+    email.end_with?('.mil')
   end
 
   class << self

app/models/federal_email_domain.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class FederalEmailDomain < ApplicationRecord
+  def self.fed_domain?(domain)
+    exists?(name: domain)
+  end
+end

app/models/user.rb

@@ -79,8 +79,8 @@ def confirmed?
     email_addresses.where.not(confirmed_at: nil).any?
   end
 
-  def has_gov_or_mil_email?
-    confirmed_email_addresses.any?(&:gov_or_mil?)
+  def has_fed_or_mil_email?
+    confirmed_email_addresses.any?(&:fed_or_mil_email?)
   end
 
   def accepted_rules_of_use_still_valid?

app/presenters/two_factor_authentication/set_up_piv_cac_selection_presenter.rb

@@ -19,7 +19,7 @@ def phishing_resistant?
     end
 
     def recommended?
-      user.confirmed_email_addresses.any?(&:gov_or_mil?)
+      user.confirmed_email_addresses.any?(&:fed_or_mil_email?)
     end
 
     def desktop_only?

app/presenters/two_factor_options_presenter.rb

@@ -11,7 +11,6 @@ class TwoFactorOptionsPresenter
               :user_agent
 
   delegate :two_factor_enabled?, to: :mfa_policy
-
   def initialize(
     user_agent:,
     user: nil,

config/application.yml.default

@@ -349,6 +349,7 @@ test_ssn_allowed_list: ''
 totp_code_interval: 30
 unauthorized_scope_enabled: false
 use_dashboard_service_providers: false
+use_fed_domain_class: false
 use_kms: false
 use_vot_in_sp_requests: true
 usps_auth_token_refresh_job_enabled: false
@@ -432,6 +433,7 @@ development:
   state_tracking_enabled: true
   telephony_adapter: test
   use_dashboard_service_providers: true
+  use_fed_domain_class: true
   usps_eipp_sponsor_id: '222222222222222'
   usps_ipp_sponsor_id: '111111111111111'
   usps_ipp_transliteration_enabled: true
@@ -563,6 +565,7 @@ test:
   telephony_adapter: test
   test_ssn_allowed_list: '999999999'
   totp_code_interval: 3
+  use_fed_domain_class: true
   usps_eipp_sponsor_id: '222222222222222'
   usps_ipp_root_url: 'http://localhost:1000'
   usps_ipp_sponsor_id: '111111111111111'

db/primary_migrate/20240809152808_create_federal_email_domain.rb

@@ -0,0 +1,9 @@
+class CreateFederalEmailDomain < ActiveRecord::Migration[7.1]
+  def change
+    create_table :federal_email_domains do |t|
+      t.citext :name, null: false
+    end
+
+    add_index :federal_email_domains, :name, unique: true
+  end
+end

db/schema.rb

@@ -226,6 +226,11 @@
     t.index ["user_id", "created_at"], name: "index_events_on_user_id_and_created_at"
   end
 
+  create_table "federal_email_domains", force: :cascade do |t|
+    t.citext "name", null: false
+    t.index ["name"], name: "index_federal_email_domains_on_name", unique: true
+  end
+
   create_table "fraud_review_requests", force: :cascade do |t|
     t.integer "user_id"
     t.string "uuid"

lib/identity_config.rb

@@ -404,6 +404,7 @@ def self.store
     config.add(:usps_auth_token_refresh_job_enabled, type: :boolean)
     config.add(:usps_confirmation_max_days, type: :integer)
     config.add(:usps_eipp_sponsor_id, type: :string)
+    config.add(:use_fed_domain_class, type: :boolean)
     config.add(:usps_ipp_client_id, type: :string)
     config.add(:usps_ipp_password, type: :string)
     config.add(:usps_ipp_request_timeout, type: :integer)

lib/tasks/federal_email_domains.rake

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require 'faraday'
+require 'csv'
+
+DOT_GOV_DOWNLOAD_PATH = 'https://raw.githubusercontent.com/cisagov/dotgov-data/main/current-federal.csv'
+namespace :federal_email_domains do
+  task load_to_db: :environment do |_task, _args|
+    response = Faraday.get(DOT_GOV_DOWNLOAD_PATH)
+
+    csv = CSV.parse(response.body, col_sep: ',', headers: true)
+    csv.each do |row|
+      FederalEmailDomain.find_or_create_by(name: row['Domain name'])
+    end
+  end
+end
+# rake "federal_email_domains:load_to_db"

spec/controllers/users/piv_cac_recommended_controller_spec.rb

@@ -2,7 +2,8 @@
 
 RSpec.describe Users::PivCacRecommendedController do
   describe 'New user' do
-    let(:user) { create(:user, email: 'example@example.gov') }
+    let(:user) { create(:user, email: 'example@gsa.gov') }
+    let!(:federal_domain) { create(:federal_email_domain, name: 'gsa.gov') }
     before do
       stub_sign_in_before_2fa(user)
       stub_analytics
@@ -28,10 +29,10 @@
   end
 
   describe 'Sign in flow' do
-    let(:user) { create(:user, :with_phone, { email: 'example@example.gov' }) }
+    let(:user) { create(:user, :with_phone, { email: 'example@gsa.gov' }) }
+    let!(:federal_domain) { create(:federal_email_domain, name: 'gsa.gov') }
     before do
       stub_analytics
-
       stub_sign_in(user)
       user.reload
     end
@@ -49,7 +50,8 @@
   end
 
   context '#confirm' do
-    let(:user) { create(:user, email: 'example@example.gov') }
+    let(:user) { create(:user, email: 'example@gsa.gov') }
+    let!(:federal_domain) { create(:federal_email_domain, name: 'gsa.gov') }
     before do
       stub_sign_in_before_2fa(user)
       stub_analytics
@@ -77,7 +79,8 @@
   end
 
   context '#skip' do
-    let(:user) { create(:user, email: 'example@example.gov') }
+    let(:user) { create(:user, email: 'example@gsa.gov') }
+    let!(:federal_domain) { create(:federal_email_domain, name: 'gsa.gov') }
     before do
       stub_sign_in_before_2fa(user)
       stub_analytics

spec/controllers/users/two_factor_authentication_setup_controller_spec.rb

@@ -19,10 +19,16 @@
       )
     end
 
-    context 'with user having gov or mil email' do
+    context 'with user having gov or mil email and use_fed_domain_class set to false' do
       let(:user) do
         create(:user, email: 'example@example.gov', piv_cac_recommended_dismissed_at: Time.zone.now)
       end
+      let!(:federal_domain) { create(:federal_email_domain, name: 'gsa.gov') }
+
+      before do
+        allow(IdentityConfig.store).to receive(:use_fed_domain_class).and_return(false)
+      end
+
       context 'having already visited the PIV interstitial page' do
         it 'tracks the visit in analytics' do
           get :index
@@ -48,6 +54,40 @@
       end
     end
 
+    context 'with user having gov or mil email and use_fed_domain_class set to true' do
+      before do
+        allow(IdentityConfig.store).to receive(:use_fed_domain_class).and_return(true)
+      end
+
+      let!(:federal_domain) { create(:federal_email_domain, name: 'gsa.gov') }
+      let(:user) do
+        create(:user, email: 'example@gsa.gov', piv_cac_recommended_dismissed_at: Time.zone.now)
+      end
+      context 'having already visited the PIV interstitial page' do
+        it 'tracks the visit in analytics' do
+          get :index
+
+          expect(@analytics).to have_logged_event(
+            'User Registration: 2FA Setup visited',
+            enabled_mfa_methods_count: 0,
+            gov_or_mil_email: true,
+          )
+        end
+      end
+
+      context 'directed to page without having visited PIV interstitial page' do
+        let(:user) do
+          create(:user, email: 'example@gsa.gov')
+        end
+
+        it 'redirects user to piv_recommended_path' do
+          get :index
+
+          expect(response).to redirect_to(login_piv_cac_recommended_url)
+        end
+      end
+    end
+
     context 'when signed out' do
       let(:user) { nil }
 

spec/factories/federal_email_domain.rb

@@ -0,0 +1,4 @@
+FactoryBot.define do
+  factory :federal_email_domain do
+  end
+end