18F · zachmargolis · Nov 10, 2021 · Nov 4, 2021 · Nov 4, 2021 · Nov 4, 2021
diff --git a/app/jobs/backup_code_backfiller_job.rb b/app/jobs/backup_code_backfiller_job.rb
diff --git a/app/models/backup_code_configuration.rb b/app/models/backup_code_configuration.rb
@@ -1,6 +1,8 @@
 class BackupCodeConfiguration < ApplicationRecord
   NUM_WORDS = 3
 
+  self.ignored_columns = %w[encrypted_code code_fingerprint]
+
   include EncryptableAttribute
 
   encrypted_attribute_without_setter(name: :code)
@@ -9,9 +11,6 @@ class BackupCodeConfiguration < ApplicationRecord
 
   belongs_to :user
 
-  attr_accessor :skip_legacy_encryption
-  alias_method :skip_legacy_encryption?, :skip_legacy_encryption
-
   def self.unused
     where(used_at: nil)
   end
@@ -51,23 +50,13 @@ def find_with_code(code:, user_id:)
         scrypt_password_digest(password: code, salt: salt, cost: cost)
       end
 
-      where(
-        code_fingerprint: create_fingerprint(code),
-      ).or(
-        where(salted_code_fingerprint: salted_fingerprints),
-      ).find_by(user_id: user_id)
+      where(salted_code_fingerprint: salted_fingerprints).find_by(user_id: user_id)
     end
 
     def scrypt_password_digest(password:, salt:, cost:)
       scrypt_salt = cost + OpenSSL::Digest::SHA256.hexdigest(salt)
       scrypted = SCrypt::Engine.hash_secret password, scrypt_salt, 32
       SCrypt::Password.new(scrypted).digest
     end
-
-    private
-
-    def create_fingerprint(code)
-      Pii::Fingerprinter.fingerprint(code)
-    end
   end
 end
diff --git a/app/models/concerns/backup_code_encrypted_attribute_overrides.rb b/app/models/concerns/backup_code_encrypted_attribute_overrides.rb
@@ -2,15 +2,11 @@ module BackupCodeEncryptedAttributeOverrides
   extend ActiveSupport::Concern
 
   # Override ActiveModel::Dirty methods in order to
-  # use code_fingerprint_changed? instead of code_changed?
+  # use salted_code_fingerprint_changed? instead of code_changed?
   # This is necessary because code is no longer an ActiveRecord
   # attribute and all the *_changed and *_was magic no longer works.
   def will_save_change_to_code?
-    code_fingerprint_changed?
-  end
-
-  def code_in_database
-    EncryptedAttribute.new(encrypted_code_was).decrypted if encrypted_code_was.present?
+    salted_code_fingerprint_changed?
   end
 
   # Override usual setter method in order to also set fingerprint
@@ -24,13 +20,5 @@ def code=(code)
         cost: code_cost,
       )
     end
-
-    if skip_legacy_encryption?
-      self.encrypted_code = ''
-      self.code_fingerprint = self.salted_code_fingerprint # "garbage" value, has to be unique
-    else
-      set_encrypted_attribute(name: :code, value: code)
-      self.code_fingerprint = code.present? ? encrypted_attributes[:code].fingerprint : ''
-    end
   end
 end
diff --git a/app/services/backup_code_benchmarker.rb b/app/services/backup_code_benchmarker.rb
diff --git a/app/services/backup_code_generator.rb b/app/services/backup_code_generator.rb
@@ -5,18 +5,9 @@ class BackupCodeGenerator
 
   NUMBER_OF_CODES = 10
 
-  def initialize(
-    user,
-    num_words: BackupCodeConfiguration::NUM_WORDS,
-    skip_legacy_encryption: IdentityConfig.store.backup_code_skip_symmetric_encryption
-  )
+  def initialize(user, num_words: BackupCodeConfiguration::NUM_WORDS)
     @num_words = num_words
     @user = user
-    @skip_legacy_encryption = skip_legacy_encryption
-  end
-
-  def skip_legacy_encryption?
-    @skip_legacy_encryption
   end
 
   # @return [Array<String>]
@@ -68,7 +59,6 @@ def save_code(code:, salt:)
     @user.backup_code_configurations.create!(
       code_salt: salt,
       code_cost: cost,
-      skip_legacy_encryption: skip_legacy_encryption?,
       code: code,
     )
   end

diff --git a/config/application.yml.default b/config/application.yml.default
@@ -47,7 +47,6 @@ aws_logo_bucket: ''
 aws_region: 'us-west-2'
 aws_kms_multi_region_enabled: 'false'
 backup_code_cost: '2000$8$1$'
-backup_code_skip_symmetric_encryption: 'false'
 country_phone_number_overrides: '{}'
 doc_auth_error_dpi_threshold: '290'
 doc_auth_error_sharpness_threshold: '40'

diff --git a/lib/identity_config.rb b/lib/identity_config.rb
@@ -101,7 +101,6 @@ def self.build_store(config_map)
     config.add(:aws_logo_bucket, type: :string)
     config.add(:aws_region, type: :string)
     config.add(:backup_code_cost, type: :string)
-    config.add(:backup_code_skip_symmetric_encryption, type: :boolean)
     config.add(:country_phone_number_overrides, type: :json)
     config.add(:dashboard_api_token, type: :string)
     config.add(:dashboard_url, type: :string)

diff --git a/spec/jobs/backup_code_backfiller_job_spec.rb b/spec/jobs/backup_code_backfiller_job_spec.rb
diff --git a/spec/models/backup_code_configuration_spec.rb b/spec/models/backup_code_configuration_spec.rb
@@ -47,14 +47,6 @@
     end
   end
 
-  describe 'code_in_database' do
-    it 'returns nil' do
-      backup_code_config = BackupCodeConfiguration.new
-
-      expect(backup_code_config.code_in_database).to eq nil
-    end
-  end
-
   describe 'will_save_change_to_code?' do
     it 'returns false if code did not change' do
       backup_code_config = BackupCodeConfiguration.new
@@ -64,6 +56,8 @@
 
     it 'returns true if code changed' do
       backup_code_config = BackupCodeConfiguration.new
+      backup_code_config.code_cost = IdentityConfig.store.backup_code_cost
+      backup_code_config.code_salt = 'aaa'
       backup_code_config.code = 'foo'
 
       expect(backup_code_config.will_save_change_to_code?).to eq true
@@ -87,28 +81,10 @@
       expect(BackupCodeConfiguration.find_with_code(code: first_code, user_id: 1234)).to be_nil
     end
 
-    it 'finds codes via code_fingerprint' do
-      codes = BackupCodeGenerator.new(user, skip_legacy_encryption: false).create
-      first_code = codes.first
-
-      # overwrite with a wrong value so queries use the other column
-      BackupCodeConfiguration.all.each_with_index do |code, index|
-        code.update!(salted_code_fingerprint: index)
-      end
-
-      backup_code = BackupCodeConfiguration.find_with_code(code: first_code, user_id: user.id)
-      expect(backup_code).to be
-    end
-
     it 'finds codes via salted_code_fingerprint' do
       codes = BackupCodeGenerator.new(user).create
       first_code = codes.first
 
-      # overwrite with a wrong value so queries use the other column
-      BackupCodeConfiguration.all.each_with_index do |code, index|
-        code.update!(code_fingerprint: index)
-      end
-
       backup_code = BackupCodeConfiguration.find_with_code(code: first_code, user_id: user.id)
       expect(backup_code).to be
     end
@@ -137,9 +113,7 @@ def save_and_find(find:, save: 'just-some-not-null-value', fingerprint: nil)
         code_cost: '10$8$4$',
         code_salt: 'abcdefg',
         code: save,
-      ).tap do |config|
-        config.code_fingerprint = fingerprint if fingerprint
-      end.save!
+      ).save!
 
       BackupCodeConfiguration.find_with_code(code: find, user_id: user.id)
     end
@@ -151,9 +125,6 @@ def save_and_find(find:, save: 'just-some-not-null-value', fingerprint: nil)
     it 'finds codes if they were generated the old way (with SecureRandom.hex)' do
       code = SecureRandom.hex(3 * 4 / 2)
       expect(save_and_find(save: code, find: code)).to be
-
-      code = SecureRandom.hex(3 * 4 / 2)
-      expect(save_and_find(fingerprint: Pii::Fingerprinter.fingerprint(code), find: code)).to be
     end
   end