diff --git a/app/controllers/test/piv_cac_authentication_test_subject_controller.rb b/app/controllers/test/piv_cac_authentication_test_subject_controller.rb index 60fa7523534..833dfae05ef 100644 --- a/app/controllers/test/piv_cac_authentication_test_subject_controller.rb +++ b/app/controllers/test/piv_cac_authentication_test_subject_controller.rb @@ -32,7 +32,7 @@ def referrer_uri end def must_be_in_development - redirect_to root_url unless FeatureManagement.development_and_piv_cac_entry_enabled? + redirect_to root_url unless FeatureManagement.development_and_identity_pki_disabled? end def token_from_params diff --git a/app/models/piv_cac_configuration.rb b/app/models/piv_cac_configuration.rb index ff3c8f51ad9..dbd73acd762 100644 --- a/app/models/piv_cac_configuration.rb +++ b/app/models/piv_cac_configuration.rb @@ -8,7 +8,7 @@ def initialize(user) end def mfa_enabled? - FeatureManagement.piv_cac_enabled? && user&.x509_dn_uuid.present? + user&.x509_dn_uuid.present? end def mfa_confirmed?(proposed_uuid) diff --git a/app/policies/two_factor_authentication/piv_cac_policy.rb b/app/policies/two_factor_authentication/piv_cac_policy.rb index 86dd5040c16..281e8242cca 100644 --- a/app/policies/two_factor_authentication/piv_cac_policy.rb +++ b/app/policies/two_factor_authentication/piv_cac_policy.rb @@ -5,7 +5,7 @@ def initialize(user) end def configured? - FeatureManagement.piv_cac_enabled? && user&.x509_dn_uuid.present? + user&.x509_dn_uuid.present? end def enabled? diff --git a/app/services/piv_cac_service.rb b/app/services/piv_cac_service.rb index 20464254015..0d1ec848def 100644 --- a/app/services/piv_cac_service.rb +++ b/app/services/piv_cac_service.rb @@ -14,7 +14,7 @@ def decode_token(token) end def piv_cac_service_link(nonce) - if FeatureManagement.development_and_piv_cac_entry_enabled? + if FeatureManagement.development_and_identity_pki_disabled? test_piv_cac_entry_url else uri = URI(randomize_uri(Figaro.env.piv_cac_service_url)) 
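Review bot: `mfa_enabled?` in `app/models/piv_cac_configuration.rb` is now truthy for any user with a stored `x509_dn_uuid`, and nothing in the method says that this is the only condition. A one-line comment would make that explicit, for example `# PIV/CAC has no feature flag; a stored x509_dn_uuid is what enables this factor.` The same expression is repeated in `PivCacPolicy#configured?` in the next file's hunk, so one could delegate to the other to keep the two from drifting. Because the production section of `application.yml.example` previously carried `piv_cac_enabled: 'false'`, it is worth confirming before rollout that no account holds an `x509_dn_uuid` that was stored without going through certificate verification.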
@@ -29,7 +29,6 @@ def piv_cac_verify_token_link end def piv_cac_available_for_agency?(agency, email = nil) - return unless FeatureManagement.piv_cac_enabled? available_for_agency?(agency) || available_for_email?(agency, email) end @@ -120,7 +119,7 @@ def decode_token_response(res) end def decode_test_token(token) - if FeatureManagement.development_and_piv_cac_entry_enabled? + if FeatureManagement.development_and_identity_pki_disabled? JSON.parse(token[5..-1]) else { 'error' => 'token.bad' } diff --git a/config/application.yml.example b/config/application.yml.example index 7bdf0d9adce..3fd57d05c32 100644 --- a/config/application.yml.example +++ b/config/application.yml.example @@ -143,7 +143,6 @@ development: password_strength_enabled: 'true' piv_cac_agencies: '["Test Government Agency"]' piv_cac_email_domains: '[".mil"]' - piv_cac_enabled: 'true' piv_cac_verify_token_secret: 'ee7f20f44cdc2ba0c6830f70470d1d1d059e1279cdb58134db92b35947b1528ef5525ece5910cf4f2321ab989a618feea12ef95711dbc62b9601e8520a34ee12' piv_cac_service_url: 'https://localhost:8443/' piv_cac_verify_token_url: 'https://localhost:8443/' @@ -261,7 +260,6 @@ production: piv_cac_agencies: '["DOD","NGA","EOP"]' piv_cac_agencies_scoped_by_email: '["GSA"]' piv_cac_email_domains: '[".mil"]' - piv_cac_enabled: 'false' pkcs11_lib: '/opt/cloudhsm/lib/libcloudhsm_pkcs11.so' programmable_sms_countries: 'US,CA,MX' proofer_mock_fallback: 'true' @@ -372,7 +370,6 @@ test: password_strength_enabled: 'false' piv_cac_agencies: '["Test Government Agency"]' piv_cac_email_domains: '[".mil"]' - piv_cac_enabled: 'true' piv_cac_service_url: 'https://localhost:8443/' piv_cac_verify_token_secret: '3ac13bfa23e22adae321194c083e783faf89469f6f85dcc0802b27475c94b5c3891b5657bd87d0c1ad65de459166440512f2311018db90d57b15d8ab6660748f' piv_cac_verify_token_url: 'https://localhost:8443/' diff --git a/config/routes.rb b/config/routes.rb index 1867b12ec5f..585ed48ead9 100644 --- a/config/routes.rb +++ b/config/routes.rb 
@@ -69,9 +69,7 @@ post '/login/two_factor/authenticator' => 'two_factor_authentication/totp_verification#create' get '/login/two_factor/personal_key' => 'two_factor_authentication/personal_key_verification#show' post '/login/two_factor/personal_key' => 'two_factor_authentication/personal_key_verification#create' - if FeatureManagement.piv_cac_enabled? - get '/login/two_factor/piv_cac' => 'two_factor_authentication/piv_cac_verification#show' - end + get '/login/two_factor/piv_cac' => 'two_factor_authentication/piv_cac_verification#show' if FeatureManagement.webauthn_enabled? get '/login/two_factor/webauthn' => 'two_factor_authentication/webauthn_verification#show' patch '/login/two_factor/webauthn' => 'two_factor_authentication/webauthn_verification#confirm' @@ -93,10 +91,8 @@ get '/saml/decode_assertion' => 'saml_test#start' post '/saml/decode_assertion' => 'saml_test#decode_response' post '/saml/decode_slo_request' => 'saml_test#decode_slo_request' - if FeatureManagement.piv_cac_enabled? - get '/piv_cac_entry' => 'piv_cac_authentication_test_subject#new' - post '/piv_cac_entry' => 'piv_cac_authentication_test_subject#create' - end + get '/piv_cac_entry' => 'piv_cac_authentication_test_subject#new' + post '/piv_cac_entry' => 'piv_cac_authentication_test_subject#create' end end 
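Review bot: In the `@@ -93,10 +91,8 @@` hunk the `/piv_cac_entry` routes are now mounted whenever the enclosing block is active, which leaves `must_be_in_development` in the test-subject controller as the only barrier in front of that form. The enclosing block opens above the hunk; it is presumably the test-routes condition. Its registration as a filter for both `new` and `create` is not visible in this diff and should be confirmed. I would add a comment above the two routes, `# Test-only: the controller's must_be_in_development filter must redirect these outside development.` The unconditional routes in the `@@ -69,9 +69,7 @@` and `@@ -117,11 +113,9 @@` hunks likewise depend entirely on their controllers for access checks now.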
@@ -117,11 +113,9 @@ as: :create_verify_personal_key get '/account_recovery_setup' => 'account_recovery_setup#index' - if FeatureManagement.piv_cac_enabled? - get '/piv_cac' => 'users/piv_cac_authentication_setup#new', as: :setup_piv_cac - delete '/piv_cac' => 'users/piv_cac_authentication_setup#delete', as: :disable_piv_cac - get '/present_piv_cac' => 'users/piv_cac_authentication_setup#redirect_to_piv_cac_service', as: :redirect_to_piv_cac_service - end + get '/piv_cac' => 'users/piv_cac_authentication_setup#new', as: :setup_piv_cac + delete '/piv_cac' => 'users/piv_cac_authentication_setup#delete', as: :disable_piv_cac + get '/present_piv_cac' => 'users/piv_cac_authentication_setup#redirect_to_piv_cac_service', as: :redirect_to_piv_cac_service if FeatureManagement.webauthn_enabled? get '/webauthn_setup' => 'users/webauthn_setup#new', as: :webauthn_setup diff --git a/lib/feature_management.rb b/lib/feature_management.rb index 4ca5caf17e5..89b7ee2cd9d 100644 --- a/lib/feature_management.rb +++ b/lib/feature_management.rb @@ -13,10 +13,6 @@ def self.telephony_disabled? Figaro.env.telephony_disabled == 'true' end - def self.piv_cac_enabled? - Figaro.env.piv_cac_enabled == 'true' - end - def self.identity_pki_disabled? env = Figaro.env env.identity_pki_disabled == 'true' || @@ -24,10 +20,10 @@ def self.identity_pki_disabled? !env.piv_cac_verify_token_url end - def self.development_and_piv_cac_entry_enabled? + def self.development_and_identity_pki_disabled? # This controls if we try to hop over to identity-pki or just throw up # a screen asking for a Subject or one of a list of error conditions. - Rails.env.development? && piv_cac_enabled? && identity_pki_disabled? + Rails.env.development? && identity_pki_disabled? end def self.prefill_otp_codes? diff --git a/spec/controllers/test/piv_cac_authentication_test_subject_controller_spec.rb b/spec/controllers/test/piv_cac_authentication_test_subject_controller_spec.rb index c691bd87d70..ff87a1acbfa 100644 
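Review bot: The comment inside `development_and_identity_pki_disabled?` in `lib/feature_management.rb` describes only the UI switch, but the same predicate also decides whether `PivCacService#decode_test_token` returns `JSON.parse(token[5..-1])`, with no verification call visible in that branch. With `piv_cac_enabled?` removed, `Rails.env.development?` is the only term keeping that path out of deployed environments, because `identity_pki_disabled?` is also true when `piv_cac_verify_token_url` is unset. I would extend the comment with `# Also gates acceptance of unverified test tokens in PivCacService; keep the Rails.env.development? term.`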
--- a/spec/controllers/test/piv_cac_authentication_test_subject_controller_spec.rb +++ b/spec/controllers/test/piv_cac_authentication_test_subject_controller_spec.rb @@ -5,12 +5,11 @@ before(:each) do allow(Rails.env).to receive(:development?) { false } allow(Figaro.env).to receive(:enable_test_routes) { 'true' } - allow(Figaro.env).to receive(:piv_cac_enabled) { 'true' } end - describe 'FeatureManagement#development_and_piv_cac_entry_enabled?' do + describe 'FeatureManagement#development_and_identity_pki_disabled?' do it 'is disabled' do - expect(FeatureManagement.development_and_piv_cac_entry_enabled?).to be_falsey + expect(FeatureManagement.development_and_identity_pki_disabled?).to be_falsey end end @@ -39,12 +38,11 @@ before(:each) do allow(Rails.env).to receive(:development?) { true } allow(Figaro.env).to receive(:enable_test_routes) { 'true' } - allow(Figaro.env).to receive(:piv_cac_enabled) { 'true' } end - describe 'FeatureManagement#development_and_piv_cac_entry_enabled?' do + describe 'FeatureManagement#development_and_identity_pki_disabled?' do it 'is enabled' do - expect(FeatureManagement.development_and_piv_cac_entry_enabled?).to be_truthy + expect(FeatureManagement.development_and_identity_pki_disabled?).to be_truthy end end diff --git a/spec/controllers/two_factor_authentication/options_controller_spec.rb b/spec/controllers/two_factor_authentication/options_controller_spec.rb index 2af1a56d2f1..812bb3d4fc8 100644 --- a/spec/controllers/two_factor_authentication/options_controller_spec.rb +++ b/spec/controllers/two_factor_authentication/options_controller_spec.rb @@ -94,7 +94,6 @@ end def piv_cac_webauthn_enabled(bool) - allow(Figaro.env).to receive(:piv_cac_enabled) { bool } allow(Figaro.env).to receive(:webauthn_enabled) { bool } Rails.application.reload_routes! end diff --git a/spec/features/users/piv_cac_management_spec.rb b/spec/features/users/piv_cac_management_spec.rb index 57428ca7428..0fde0d7782c 100644 
--- a/spec/features/users/piv_cac_management_spec.rb +++ b/spec/features/users/piv_cac_management_spec.rb @@ -7,10 +7,6 @@ def find_form(page, attributes) end end - before(:each) do - allow(Figaro.env).to receive(:piv_cac_enabled).and_return('true') - end - context 'with no piv/cac associated yet' do let(:uuid) { SecureRandom.uuid } let(:user) { create(:user, :signed_up, :with_phone, with: { phone: '+1 202-555-1212' }) } diff --git a/spec/features/users/sign_up_spec.rb b/spec/features/users/sign_up_spec.rb index 8ebebd41b81..c18316701b4 100644 --- a/spec/features/users/sign_up_spec.rb +++ b/spec/features/users/sign_up_spec.rb @@ -168,7 +168,6 @@ it 'does not allow a user to choose piv/cac as 2FA method during sign up' do allow(PivCacService).to receive(:piv_cac_available_for_agency?).and_return(false) - allow(FeatureManagement).to receive(:piv_cac_enabled?).and_return(true) begin_sign_up_with_sp_and_loa(loa3: false) expect(page).to have_current_path two_factor_options_path diff --git a/spec/lib/feature_management_spec.rb b/spec/lib/feature_management_spec.rb index a9e61d67ba6..cacd9db2985 100644 --- a/spec/lib/feature_management_spec.rb +++ b/spec/lib/feature_management_spec.rb @@ -214,28 +214,6 @@ end describe 'piv/cac feature' do - describe '#piv_cac_enabled?' do - context 'when enabled' do - before(:each) do - allow(Figaro.env).to receive(:piv_cac_enabled) { 'true' } - end - - it 'has the feature disabled' do - expect(FeatureManagement.piv_cac_enabled?).to be_truthy - end - end - - context 'when disabled' do - before(:each) do - allow(Figaro.env).to receive(:piv_cac_enabled) { 'false' } - end - - it 'has the feature disabled' do - expect(FeatureManagement.piv_cac_enabled?).to be_falsey - end - end - end - describe '#identity_pki_disabled?' do context 'when enabled' do before(:each) do 
@@ -258,29 +236,23 @@ end end - describe '#development_and_piv_cac_entry_enabled?' do + describe '#development_and_identity_pki_disabled?' do context 'in development environment' do before(:each) do allow(Rails.env).to receive(:development?).and_return(true) end - context 'has piv/cac enabled' do - before(:each) do - allow(Figaro.env).to receive(:piv_cac_enabled) { 'true' } - end - - it 'has piv/cac test entry enabled' do - expect(FeatureManagement.development_and_piv_cac_entry_enabled?).to be_truthy + context 'identity_pki disabled' do + it 'returns true' do + allow(Figaro.env).to receive(:identity_pki_disabled) { 'true' } + expect(FeatureManagement.development_and_identity_pki_disabled?).to be_truthy end end - context 'has piv/cac disabled' do - before(:each) do - allow(Figaro.env).to receive(:piv_cac_enabled) { 'false' } - end - - it 'has piv/cac test entry disabled' do - expect(FeatureManagement.development_and_piv_cac_entry_enabled?).to be_falsey + context 'identity_pki not disabled' do + it 'returns false' do + allow(Figaro.env).to receive(:identity_pki_disabled) { 'false' } + expect(FeatureManagement.development_and_identity_pki_disabled?).to be_falsey end end end 
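Review bot: The 'identity_pki not disabled' example in the development context stubs only `identity_pki_disabled`, yet `identity_pki_disabled?` also returns true when `piv_cac_verify_token_url` is missing, so the `be_falsey` expectation passes only because the ambient test configuration supplies that URL. Stubbing it in the example makes the case self-contained: `allow(Figaro.env).to receive(:piv_cac_verify_token_url) { 'https://localhost:8443/' }`. A further development example with the URL stubbed to `nil` and `be_truthy` expected would cover the branch that now enables the test-entry path purely through missing configuration. The same stubbing applies to the non-development examples in the `@@ -291,23 +263,17 @@` hunk.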
@@ -291,23 +263,17 @@ allow(Rails.env).to receive(:development?).and_return(false) end - context 'has piv/cac enabled' do - before(:each) do - allow(Figaro.env).to receive(:piv_cac_enabled) { 'true' } - end - - it 'has piv/cac test entry disabled' do - expect(FeatureManagement.development_and_piv_cac_entry_enabled?).to be_falsey + context 'identity_pki disabled' do + it 'returns false' do + allow(Figaro.env).to receive(:identity_pki_disabled) { 'true' } + expect(FeatureManagement.development_and_identity_pki_disabled?).to be_falsey end end - context 'has piv/cac disabled' do - before(:each) do - allow(Figaro.env).to receive(:piv_cac_enabled) { 'false' } - end - - it 'has piv/cac test entry disabled' do - expect(FeatureManagement.development_and_piv_cac_entry_enabled?).to be_falsey + context 'identity_pki not disabled' do + it 'returns false' do + allow(Figaro.env).to receive(:identity_pki_disabled) { 'false' } + expect(FeatureManagement.development_and_identity_pki_disabled?).to be_falsey end end end diff --git a/spec/policies/two_factor_authentication/piv_cac_policy_spec.rb b/spec/policies/two_factor_authentication/piv_cac_policy_spec.rb index 56b80db911e..115c3760ac8 100644 --- a/spec/policies/two_factor_authentication/piv_cac_policy_spec.rb +++ b/spec/policies/two_factor_authentication/piv_cac_policy_spec.rb @@ -4,10 +4,6 @@ let(:subject) { described_class.new(user) } describe '#available?' do - before(:each) do - allow(Figaro.env).to receive(:piv_cac_enabled).and_return('true') - end - context 'when a user has no identities' do let(:user) { create(:user) } @@ -51,16 +47,6 @@ it 'does allows piv/cac' do expect(subject.available?).to be_truthy end - - context 'but piv/cac feature is not enabled' do - before(:each) do - allow(Figaro.env).to receive(:piv_cac_enabled).and_return('false') - end - - it 'does not allow piv/cac' do - expect(subject.available?).to be_falsey - end - end end end 
@@ -74,17 +60,6 @@ it 'allow piv/cac visibility' do expect(subject.visible?).to be_truthy end - - context 'but the piv/cac feature is disabled' do - before(:each) do - allow(Figaro.env).to receive(:piv_cac_enabled).and_return('false') - end - - it 'does not allow piv/cac' do - expect(subject.available?).to be_falsey - expect(subject.visible?).to be_falsey - end - end end end diff --git a/spec/services/piv_cac_service_spec.rb b/spec/services/piv_cac_service_spec.rb index 5222cb9afc4..f94795b43ad 100644 --- a/spec/services/piv_cac_service_spec.rb +++ b/spec/services/piv_cac_service_spec.rb @@ -27,7 +27,7 @@ describe '#decode_token' do context 'when configured for local development' do before(:each) do - allow(FeatureManagement).to receive(:development_and_piv_cac_entry_enabled?) { true } + allow(FeatureManagement).to receive(:development_and_identity_pki_disabled?) { true } end it 'raises an error if no token provided' do @@ -58,7 +58,7 @@ context 'when communicating with piv/cac service' do context 'when in non-development mode' do before(:each) do - allow(FeatureManagement).to receive(:development_and_piv_cac_entry_enabled?) { false } + allow(FeatureManagement).to receive(:development_and_identity_pki_disabled?) { false } end it 'raises an error if no token provided' do @@ -69,7 +69,6 @@ describe 'when configured with a user-facing endpoint' do before(:each) do - allow(Figaro.env).to receive(:piv_cac_enabled) { 'true' } allow(Figaro.env).to receive(:identity_pki_disabled) { 'false' } allow(Figaro.env).to receive(:piv_cac_service_url) { base_url } end @@ -85,7 +84,7 @@ context 'when in development mode' do before(:each) do - allow(FeatureManagement).to receive(:development_and_piv_cac_entry_enabled?) { true } + allow(FeatureManagement).to receive(:development_and_identity_pki_disabled?) { true } end let(:nonce) { 'once' } 
@@ -97,7 +96,6 @@ describe 'when configured to contact remote service' do before(:each) do - allow(Figaro.env).to receive(:piv_cac_enabled) { 'true' } allow(Figaro.env).to receive(:identity_pki_disabled) { 'false' } allow(Figaro.env).to receive(:piv_cac_verify_token_url) { 'http://localhost:8443/' } end @@ -138,7 +136,6 @@ describe 'with bad json' do before(:each) do - allow(Figaro.env).to receive(:piv_cac_enabled) { 'true' } allow(Figaro.env).to receive(:identity_pki_disabled) { 'false' } allow(Figaro.env).to receive(:piv_cac_verify_token_url) { 'http://localhost:8443/' } end @@ -198,7 +195,6 @@ context 'with the agency not configured to be available' do before(:each) do - allow(FeatureManagement).to receive(:piv_cac_enabled?).and_return(true) allow(Figaro.env).to receive(:piv_cac_agencies).and_return('["bar"]') end @@ -207,7 +203,6 @@ context 'with the agency configured to be available' do before(:each) do - allow(FeatureManagement).to receive(:piv_cac_enabled?).and_return(true) allow(Figaro.env).to receive(:piv_cac_agencies).and_return('["bar","foo"]') end @@ -220,7 +215,6 @@ context 'with the agency not configured to be available' do before(:each) do - allow(FeatureManagement).to receive(:piv_cac_enabled?).and_return(true) allow(Figaro.env).to receive(:piv_cac_agencies_scoped_by_email).and_return('["bar"]') end @@ -229,7 +223,6 @@ context 'with the agency configured to be available' do before(:each) do - allow(FeatureManagement).to receive(:piv_cac_enabled?).and_return(true) allow(Figaro.env).to receive(:piv_cac_agencies_scoped_by_email).and_return('["bar","foo"]') end diff --git a/spec/support/features/session_helper.rb b/spec/support/features/session_helper.rb index 88d9cd8a5a3..0873b43dfba 100644 --- a/spec/support/features/session_helper.rb +++ b/spec/support/features/session_helper.rb 
@@ -144,8 +144,7 @@ def sign_in_live_with_2fa(user = user_with_2fa) def sign_in_live_with_piv_cac(user = user_with_piv_cac) sign_in_user(user) - allow(FeatureManagement).to receive(:piv_cac_enabled?).and_return(true) - allow(FeatureManagement).to receive(:development_and_piv_cac_entry_enabled?).and_return(true) + allow(FeatureManagement).to receive(:development_and_identity_pki_disabled?).and_return(true) visit login_two_factor_piv_cac_path stub_piv_cac_service visit_piv_cac_service( @@ -417,7 +416,6 @@ def set_up_2fa_with_authenticator_app def register_user_with_piv_cac(email = 'test@test.com') allow(PivCacService).to receive(:piv_cac_available_for_agency?).and_return(true) - allow(FeatureManagement).to receive(:piv_cac_enabled?).and_return(true) confirm_email_and_password(email) expect(page).to have_current_path two_factor_options_path @@ -458,7 +456,6 @@ def stub_twilio_service def stub_piv_cac_service allow(Figaro.env).to receive(:identity_pki_disabled).and_return('false') - allow(Figaro.env).to receive(:piv_cac_enabled).and_return('true') allow(Figaro.env).to receive(:piv_cac_service_url).and_return('http://piv.example.com/') allow(Figaro.env).to receive(:piv_cac_verify_token_url).and_return('http://piv.example.com/') stub_request(:post, 'piv.example.com').to_return do |request|