18F · jmhooper · Mar 5, 2019 · Feb 15, 2019 · Feb 26, 2019 · Feb 26, 2019
diff --git a/app/services/encryption/kms_client.rb b/app/services/encryption/kms_client.rb
@@ -10,7 +10,6 @@ class KmsClient # rubocop:disable Metrics/ClassLength
     }.freeze
 
     def encrypt(plaintext, encryption_context)
-      return ContextlessKmsClient.new.encrypt(plaintext) unless FeatureManagement.use_kms_contexts?
       KmsLogger.log(:encrypt, encryption_context)
       return encrypt_kms(plaintext, encryption_context) if FeatureManagement.use_kms?
       encrypt_local(plaintext, encryption_context)

diff --git a/app/services/encryption/password_verifier.rb b/app/services/encryption/password_verifier.rb
@@ -34,8 +34,6 @@ def initialize
     end
 
     def digest(password:, user_uuid:)
-      return UakPasswordVerifier.digest(password) unless FeatureManagement.write_2lkms_passwords?
-
       salt = SecureRandom.hex(32)
       cost = Figaro.env.scrypt_cost
       encrypted_password = encrypt_password(

diff --git a/config/application.yml.example b/config/application.yml.example
@@ -206,7 +206,6 @@ development:
   use_dashboard_service_providers: 'true'
   use_kms: 'false'
   use_kms_context_for_sessions: 'false'
-  use_kms_contexts: 'false'
   usps_confirmation_max_days: '10'
   enable_load_testing_mode: 'false'
   usps_download_sftp_directory: '/undeliverable'
@@ -219,7 +218,6 @@ development:
   usps_upload_sftp_username: 'brady'
   usps_upload_sftp_password: 'test'
   usps_upload_token: '123ABC'
-  write_2lkms_passwords: 'false'
 
 # These values serve as defaults for all production-like environments, which
 # includes *.identitysandbox.gov and *.login.gov.
@@ -322,7 +320,6 @@ production:
   twilio_verify_api_key: 'change-me'
   use_kms: 'true'
   use_kms_context_for_sessions: 'false'
-  use_kms_contexts: 'false'
   usps_confirmation_max_days: '30'
   enable_load_testing_mode: 'false'
   usps_download_sftp_directory:
@@ -335,7 +332,6 @@ production:
   usps_upload_sftp_username:
   usps_upload_sftp_password:
   usps_upload_token:
-  write_2lkms_passwords: 'false'
 
 test:
   aamva_cert_enabled: 'true'
@@ -442,7 +438,6 @@ test:
   twilio_verify_api_key: 'secret'
   use_kms: 'false'
   use_kms_context_for_sessions: 'true'
-  use_kms_contexts: 'true'
   usps_confirmation_max_days: '10'
   enable_load_testing_mode: 'false'
   usps_download_sftp_directory: '/undeliverable'
@@ -455,4 +450,3 @@ test:
   usps_upload_sftp_username: 'user'
   usps_upload_sftp_password: 'pass'
   usps_upload_token: 'test_token'
-  write_2lkms_passwords: 'true'
diff --git a/lib/feature_management.rb b/lib/feature_management.rb
@@ -102,14 +102,6 @@ def self.backup_codes_enabled?
     Figaro.env.backup_codes_enabled == 'true'
   end
 
-  def self.use_kms_contexts?
-    Figaro.env.use_kms_contexts == 'true'
-  end
-
-  def self.write_2lkms_passwords?
-    Figaro.env.write_2lkms_passwords == 'true'
-  end
-
   def self.use_kms_context_for_sessions?
     Figaro.env.use_kms_context_for_sessions == 'true'
   end

diff --git a/lib/tasks/add_context_to_pii_bundles.rake b/lib/tasks/add_context_to_pii_bundles.rake
diff --git a/spec/features/idv/uak_password_spec.rb b/spec/features/idv/uak_password_spec.rb
@@ -3,47 +3,21 @@
 feature 'A user with a UAK passwords attempts IdV' do
   include IdvStepHelper
 
-  context 'before we start writing 2L-KMS passwords' do
-    before do
-      allow(FeatureManagement).to receive(:write_2lkms_passwords?).and_return(true)
-    end
+  it 'allows the user to continue to the SP' do
+    user = user_with_2fa
+    user.update!(
+      encrypted_password_digest: Encryption::UakPasswordVerifier.digest(user.password),
+    )
 
-    it 'allows the user to continue to the SP' do
-      user = user_with_2fa
-      user.update!(
-        encrypted_password_digest: Encryption::UakPasswordVerifier.digest(user.password),
-      )
+    start_idv_from_sp(:oidc)
+    complete_idv_steps_with_phone_before_confirmation_step(user)
 
-      start_idv_from_sp(:oidc)
-      complete_idv_steps_with_phone_before_confirmation_step(user)
+    click_acknowledge_personal_key
 
-      click_acknowledge_personal_key
+    expect(page).to have_current_path(sign_up_completed_path)
 
-      expect(page).to have_current_path(sign_up_completed_path)
+    click_on t('forms.buttons.continue')
 
-      click_on t('forms.buttons.continue')
-
-      expect(current_url).to start_with('http://localhost:7654/auth/result')
-    end
-  end
-
-  context 'after we start writing 2L-KMS passwords' do
-    it 'allows the user to continue to the SP' do
-      user = user_with_2fa
-      user.update!(
-        encrypted_password_digest: Encryption::UakPasswordVerifier.digest(user.password),
-      )
-
-      start_idv_from_sp(:oidc)
-      complete_idv_steps_with_phone_before_confirmation_step(user)
-
-      click_acknowledge_personal_key
-
-      expect(page).to have_current_path(sign_up_completed_path)
-
-      click_on t('forms.buttons.continue')
-
-      expect(current_url).to start_with('http://localhost:7654/auth/result')
-    end
+    expect(current_url).to start_with('http://localhost:7654/auth/result')
   end
 end
diff --git a/spec/services/encryption/kms_client_spec.rb b/spec/services/encryption/kms_client_spec.rb
@@ -65,22 +65,6 @@
       end
     end
 
-    context 'with kms contexts disabled' do
-      it 'delegates to the contextless encryptor' do
-        allow(FeatureManagement).to receive(:use_kms_contexts?).and_return(false)
-
-        contextless_client = Encryption::ContextlessKmsClient.new
-        expect(contextless_client).to receive(:encrypt).
-          with(plaintext).
-          and_return('contextless ciphertext')
-        expect(Encryption::ContextlessKmsClient).to receive(:new).and_return(contextless_client)
-
-        result = subject.encrypt(plaintext, encryption_context)
-
-        expect(result).to eq('contextless ciphertext')
-      end
-    end
-
     it 'logs the context' do
       expect(Encryption::KmsLogger).to receive(:log).with(:encrypt, encryption_context)
 

diff --git a/spec/services/encryption/password_verifier_spec.rb b/spec/services/encryption/password_verifier_spec.rb
@@ -38,22 +38,6 @@
         encrypted_password: 'kms_ciphertext',
       )
     end
-
-    context 'with 2lkms password digests disabled' do
-      before do
-        allow(Figaro.env).to receive(:write_2lkms_passwords).and_return(false)
-      end
-
-      it 'delegates to the UAK password encryptor' do
-        expect(Encryption::UakPasswordVerifier).to receive(:digest).
-          with(password).
-          and_return('uak ciphertext')
-
-        result = subject.digest(password: password, user_uuid: user_uuid)
-
-        expect(result).to eq('uak ciphertext')
-      end
-    end
   end
 
   describe '#verify' do