LG-322 Prompt PIV/CAC user to set up phone number

.reek

@@ -99,6 +99,7 @@ TooManyStatements:
     - Idv::Agent#proof
     - Idv::Proofer#configure_vendors
     - Idv::VendorResult#initialize
+    - SamlIdpController#auth
     - Upaya::QueueConfig#self.choose_queue_adapter
     - Upaya::RandomTools#self.random_weighted_sample
     - UserFlowFormatter#stop

app/controllers/account_recovery_setup_controller.rb

@@ -0,0 +1,18 @@
+class AccountRecoverySetupController < ApplicationController
+  include AccountRecoverable
+  include UserAuthenticator
+
+  before_action :confirm_two_factor_authenticated
+
+  def index
+    return redirect_to account_url unless piv_cac_enabled_but_not_phone_enabled?
+    @two_factor_options_form = TwoFactorOptionsForm.new(current_user)
+    @presenter = account_recovery_options_presenter
+  end
+
+  private
+
+  def account_recovery_options_presenter
+    AccountRecoveryOptionsPresenter.new
+  end
+end

app/controllers/concerns/account_recoverable.rb

@@ -0,0 +1,5 @@
+module AccountRecoverable
+  def piv_cac_enabled_but_not_phone_enabled?
+    current_user.piv_cac_enabled? && !current_user.phone_enabled?
+  end
+end

app/controllers/concerns/authorizable.rb

@@ -0,0 +1,11 @@
+module Authorizable
+  def authorize_user
+    return unless current_user.phone_enabled?
+
+    if user_fully_authenticated?
+      redirect_to account_url
+    elsif current_user.two_factor_enabled?
+      redirect_to user_two_factor_authentication_url
+    end
+  end
+end

app/controllers/openid_connect/authorization_controller.rb

@@ -1,5 +1,6 @@
 module OpenidConnect
   class AuthorizationController < ApplicationController
+    include AccountRecoverable
     include FullyAuthenticatable
     include VerifyProfileConcern
     include VerifySPAttributesConcern
@@ -13,14 +14,19 @@ class AuthorizationController < ApplicationController
 
     def index
       return confirm_two_factor_authenticated(request_id) unless user_fully_authenticated?
-      @authorize_form.link_identity_to_service_provider(current_user, session.id)
+      link_identity_to_service_provider
+      return redirect_to account_recovery_setup_url if piv_cac_enabled_but_not_phone_enabled?
       return redirect_to_account_or_verify_profile_url if profile_or_identity_needs_verification?
       return redirect_to(sign_up_completed_url) if needs_sp_attribute_verification?
       handle_successful_handoff
     end
 
     private
 
+    def link_identity_to_service_provider
+      @authorize_form.link_identity_to_service_provider(current_user, session.id)
+    end
+
     def handle_successful_handoff
       redirect_to @authorize_form.success_redirect_uri
       delete_branded_experience

app/controllers/saml_idp_controller.rb

@@ -6,6 +6,7 @@ class SamlIdpController < ApplicationController
   include SamlIdp::Controller
   include SamlIdpAuthConcern
   include SamlIdpLogoutConcern
+  include AccountRecoverable
   include FullyAuthenticatable
   include VerifyProfileConcern
   include VerifySPAttributesConcern
@@ -17,6 +18,7 @@ def auth
     return confirm_two_factor_authenticated(request_id) unless user_fully_authenticated?
     link_identity_from_session_data
     capture_analytics
+    return redirect_to account_recovery_setup_url if piv_cac_enabled_but_not_phone_enabled?
     return redirect_to_account_or_verify_profile_url if profile_or_identity_needs_verification?
     return redirect_to(sign_up_completed_url) if needs_sp_attribute_verification?
     handle_successful_handoff

app/controllers/two_factor_authentication/piv_cac_verification_controller.rb

@@ -35,10 +35,16 @@ def handle_valid_piv_cac
       )
 
       handle_valid_otp_for_authentication_context
-      redirect_to after_otp_verification_confirmation_url
+      redirect_to next_step
       reset_otp_session_data
     end
 
+    def next_step
+      return account_recovery_setup_url unless current_user.phone_enabled?
+
+      after_otp_verification_confirmation_url
+    end
+
     def handle_invalid_piv_cac
       clear_piv_cac_information
       # create new nonce for retry

app/controllers/users/phone_setup_controller.rb

@@ -2,9 +2,10 @@ module Users
   class PhoneSetupController < ApplicationController
     include UserAuthenticator
     include PhoneConfirmation
+    include Authorizable
 
     before_action :authenticate_user
-    before_action :authorize_phone_setup
+    before_action :authorize_user
 
     def index
       @user_phone_form = UserPhoneForm.new(current_user)
@@ -27,14 +28,6 @@ def create
 
     private
 
-    def authorize_phone_setup
-      if user_fully_authenticated?
-        redirect_to account_url
-      elsif current_user.two_factor_enabled?
-        redirect_to user_two_factor_authentication_url
-      end
-    end
-
     def user_phone_form_params
       params.require(:user_phone_form).permit(
         :international_code,

app/controllers/users/piv_cac_authentication_setup_controller.rb

@@ -59,7 +59,12 @@ def process_valid_submission
         subject: user_piv_cac_form.x509_dn,
         presented: true
       )
-      redirect_to account_url
+      redirect_to next_step
+    end
+
+    def next_step
+      return account_url if current_user.phone_enabled?
+      account_recovery_setup_url
     end
 
     def process_invalid_submission

app/controllers/users/two_factor_authentication_setup_controller.rb

@@ -1,9 +1,10 @@
 module Users
   class TwoFactorAuthenticationSetupController < ApplicationController
     include UserAuthenticator
+    include Authorizable
 
     before_action :authenticate_user
-    before_action :authorize_2fa_setup
+    before_action :authorize_user
 
     def index
       @two_factor_options_form = TwoFactorOptionsForm.new(current_user)
@@ -30,14 +31,6 @@ def two_factor_options_presenter
       TwoFactorOptionsPresenter.new(current_user, current_sp)
     end
 
-    def authorize_2fa_setup
-      if user_fully_authenticated?
-        redirect_to account_url
-      elsif current_user.two_factor_enabled?
-        redirect_to user_two_factor_authentication_url
-      end
-    end
-
     def process_valid_form
       case @two_factor_options_form.selection
       when 'sms', 'voice'

app/presenters/account_recovery_options_presenter.rb

@@ -0,0 +1,32 @@
+class AccountRecoveryOptionsPresenter
+  include ActionView::Helpers::TranslationHelper
+
+  AVAILABLE_2FA_TYPES = %w[sms voice].freeze
+
+  def title
+    t('titles.account_recovery_setup')
+  end
+
+  def heading
+    t('headings.account_recovery_setup.piv_cac_linked')
+  end
+
+  def info
+    t('instructions.account_recovery_setup.piv_cac_next_step')
+  end
+
+  def label
+    t('forms.account_recovery_setup.legend') + ':'
+  end
+
+  def options
+    AVAILABLE_2FA_TYPES.map do |type|
+      OpenStruct.new(
+        type: type,
+        label: t("devise.two_factor_authentication.two_factor_choice_options.#{type}"),
+        info: t("devise.two_factor_authentication.two_factor_choice_options.#{type}_info"),
+        selected: type == :sms
+      )
+    end
+  end
+end

app/views/account_recovery_setup/index.html.slim

@@ -0,0 +1,23 @@
+- title @presenter.title
+
+h1.h3.my0 = @presenter.heading
+p.mt-tiny.mb3 = @presenter.info
+
+= simple_form_for(@two_factor_options_form,
+      html: { autocomplete: 'off', role: 'form' },
+      method: :patch,
+      url: two_factor_options_path) do |f|
+  .mb3
+    fieldset.m0.p0.border-none.
+      legend.mb1.h4.serif.bold = @presenter.label
+      - @presenter.options.each do |option|
+        label.btn-border.col-12.mb1 for="two_factor_options_form_selection_#{option.type}"
+          .radio
+            = radio_button_tag('two_factor_options_form[selection]',
+              option.type,
+              @two_factor_options_form.selected?(option.type))
+            span.indicator.mt-tiny
+            span.blue.bold.fs-20p = option.label
+            .regular.gray-dark.fs-10p.mb-tiny = option.info
+
+  = f.button :submit, t('forms.buttons.continue')

config/locales/forms/en.yml

@@ -1,6 +1,8 @@
 ---
 en:
   forms:
+    account_recovery_setup:
+      legend: Select a secondary authentication option
     buttons:
       back: Back
       continue: Continue

config/locales/forms/es.yml

@@ -1,6 +1,8 @@
 ---
 es:
   forms:
+    account_recovery_setup:
+      legend: NOT TRANSLATED YET
     buttons:
       back: Atrás
       continue: Continuar

config/locales/forms/fr.yml

@@ -1,6 +1,8 @@
 ---
 fr:
   forms:
+    account_recovery_setup:
+      legend: NOT TRANSLATED YET
     buttons:
       back: Retour
       continue: Continuer

config/locales/headings/en.yml

@@ -9,6 +9,8 @@ en:
       reactivate: Reactivate your account
       two_factor: Two-factor authentication
       verified_account: Verified Account
+    account_recovery_setup:
+      piv_cac_linked: Your PIV/CAC card is linked to your account
     confirmations:
       new: Send another confirmation email
     create_account_with_sp:

config/locales/headings/es.yml

@@ -9,6 +9,8 @@ es:
       reactivate: Reactive su cuenta
       two_factor: Autenticación de dos factores
       verified_account: Cuenta verificada
+    account_recovery_setup:
+      piv_cac_linked: NOT TRANSLATED YET
     confirmations:
       new: Enviar otro email de confirmación
     create_account_with_sp:

config/locales/headings/fr.yml

@@ -9,6 +9,8 @@ fr:
       reactivate: Réactivez votre compte
       two_factor: Authentification à deux facteurs
       verified_account: Compte vérifié
+    account_recovery_setup:
+      piv_cac_linked: NOT TRANSLATED YET
     confirmations:
       new: Envoyer un autre courriel de confirmation
     create_account_with_sp:

config/locales/instructions/en.yml

@@ -13,6 +13,8 @@ en:
             identity again.
           heading: Don't have your personal key?
         with_key: Do you have your personal key?
+    account_recovery_setup:
+      piv_cac_next_step: Next we need to give you a way to recover your account.
     forgot_password:
       close_window: You can close this browser window once you have reset your password.
     go_back_to_mobile_app: To continue, please go back to the %{friendly_name} app

config/locales/instructions/es.yml

@@ -13,6 +13,8 @@ es:
           copy: Si no tiene su clave personal, verifique su identidad nuevamente.
           heading: NOT TRANSLATED YET
         with_key: "¿Tiene su clave personal?"
+    account_recovery_setup:
+      piv_cac_next_step: NOT TRANSLATED YET
     forgot_password:
       close_window: Puede cerrar esta ventana del navegador después que haya restablecido
         su contraseña.

config/locales/instructions/fr.yml

@@ -15,6 +15,8 @@ fr:
             identité de nouveau.
           heading: Vous n'avez pas votre clé personnelle?
         with_key: Vous n'avez pas votre clé personnelle?
+    account_recovery_setup:
+      piv_cac_next_step: NOT TRANSLATED YET
     forgot_password:
       close_window: Vous pourrez fermer cette fenêtre de navigateur lorsque vous aurez
         réinitialisé votre mot de passe.

config/locales/titles/en.yml

@@ -3,6 +3,7 @@ en:
   titles:
     account: Account
     account_locked: Account temporarily locked
+    account_recovery_setup: Account Recovery Setup
     confirmations:
       new: Resend confirmation instructions for your account
       show: Choose a password

config/locales/titles/es.yml

@@ -3,6 +3,7 @@ es:
   titles:
     account: Cuenta
     account_locked: Cuenta bloqueada temporalmente
+    account_recovery_setup: NOT TRANSLATED YET
     confirmations:
       new: Reenviar instrucciones de confirmación de su cuenta
       show: Elija una contraseña

config/locales/titles/fr.yml

@@ -3,6 +3,7 @@ fr:
   titles:
     account: Compte
     account_locked: Compte temporairement verrouillé
+    account_recovery_setup: NOT TRANSLATED YET
     confirmations:
       new: Envoyer les instructions de confirmation pour votre compte
       show: Choisissez un mot de passe

config/routes.rb

@@ -99,6 +99,7 @@
          as: :create_verify_personal_key
     get '/account/verify_phone' => 'users/verify_profile_phone#index', as: :verify_profile_phone
     post '/account/verify_phone' => 'users/verify_profile_phone#create'
+    get '/account_recovery_setup' => 'account_recovery_setup#index'
 
     if FeatureManagement.piv_cac_enabled?
       get '/piv_cac' => 'users/piv_cac_authentication_setup#new', as: :setup_piv_cac

spec/controllers/account_recovery_setup_controller_spec.rb

@@ -0,0 +1,35 @@
+require 'rails_helper'
+
+describe AccountRecoverySetupController do
+  context 'user is not piv_cac enabled' do
+    it 'redirects to account_url' do
+      stub_sign_in
+
+      get :index
+
+      expect(response).to redirect_to account_url
+    end
+  end
+
+  context 'user is piv_cac enabled and phone enabled' do
+    it 'redirects to account_url' do
+      user = build(:user, :signed_up, :with_piv_or_cac)
+      stub_sign_in(user)
+
+      get :index
+
+      expect(response).to redirect_to account_url
+    end
+  end
+
+  context 'user is piv_cac enabled but not phone enabled' do
+    it 'redirects to account_url' do
+      user = build(:user, :signed_up, :with_piv_or_cac, phone: nil)
+      stub_sign_in(user)
+
+      get :index
+
+      expect(response).to render_template(:index)
+    end
+  end
+end

spec/controllers/saml_idp_controller_spec.rb

@@ -894,6 +894,7 @@ def stub_auth
       allow(controller).to receive(:validate_saml_request_and_authn_context).and_return(true)
       allow(controller).to receive(:user_fully_authenticated?).and_return(true)
       allow(controller).to receive(:link_identity_from_session_data).and_return(true)
+      allow(controller).to receive(:current_user).and_return(build(:user))
     end
 
     context 'user requires ID verification' do