From 32938f42ff7e4eaec012f309e7abcbaf931325cf Mon Sep 17 00:00:00 2001
From: Mitchell Henke
Date: Tue, 8 Aug 2023 16:14:39 -0500
Subject: [PATCH] Ensure PIV/CAC authentications check rules of use

changelog: Bug Fixes, Authentication, Ensure PIV/CAC authentications check rules of use
---
 app/controllers/application_controller.rb | 7 ++-
 .../users/piv_cac_login_controller.rb | 2 +
 .../users/piv_cac_login_controller_spec.rb | 10 ++++
 spec/features/users/sign_in_spec.rb | 55 +++++++++++++++++++
 4 files changed, 73 insertions(+), 1 deletion(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index eb60debb8d9..ee85bbe5536 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -217,7 +217,8 @@ def fix_broken_personal_key_url
   end
 
   def after_sign_in_path_for(_user)
-    service_provider_mfa_setup_url ||
+    accept_rules_of_use_url ||
+      service_provider_mfa_setup_url ||
       add_piv_cac_setup_url ||
       fix_broken_personal_key_url ||
       user_session.delete(:stored_location) ||
@@ -234,6 +235,10 @@ def signed_in_url
     account_url
   end
 
+  def accept_rules_of_use_url
+    rules_of_use_path unless current_user.accepted_rules_of_use_still_valid?
+  end
+
   def after_mfa_setup_path
     if needs_completion_screen_reason
       sign_up_completed_url
diff --git a/app/controllers/users/piv_cac_login_controller.rb b/app/controllers/users/piv_cac_login_controller.rb
index c462accc84e..ffb15acef79 100644
--- a/app/controllers/users/piv_cac_login_controller.rb
+++ b/app/controllers/users/piv_cac_login_controller.rb
@@ -83,6 +83,8 @@ def process_valid_submission
   def next_step
     if ial_context.ial2_requested?
       capture_password_url
+    elsif !current_user.accepted_rules_of_use_still_valid?
+      rules_of_use_path
     else
       after_sign_in_path_for(current_user)
     end
diff --git a/spec/controllers/users/piv_cac_login_controller_spec.rb b/spec/controllers/users/piv_cac_login_controller_spec.rb
index 36eee5da483..4ee93cbd719 100644
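Review bot: `accept_rules_of_use_url` (added in the second hunk of this file) is the only entry in the `after_sign_in_path_for` chain whose nil return carries the meaning "fall through", and that contract is left implicit; add a comment on the new method such as `# nil once current_user has accepted the current rules of use, so the || chain in after_sign_in_path_for moves on to the next destination`. The helper is named like a URL helper but returns `rules_of_use_path`, and it reads `current_user` while the Devise hook receives the signed-in resource as `_user`; consider `def accept_rules_of_use_url(user = current_user)` so the hook can pass its argument through, hedged since the sibling helpers may already rely on `current_user`. Because the check now sits first, a redirect is returned before `user_session.delete(:stored_location)` runs, so the stored location survives until the rules of use are accepted; that looks intended but is worth confirming. A sign-in redirect only steers the next request, so whether other pages stay blocked until acceptance presumably depends on a before_action outside this diff. The `after_sign_in_path_for` chain continues past the end of this hunk.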
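Review bot: The new `elsif !current_user.accepted_rules_of_use_still_valid?` branch in `next_step` duplicates the check that `after_sign_in_path_for` now performs first in the application_controller hunk, so the `else` branch already returns `rules_of_use_path` for this case; keeping the rule in one place avoids the two drifting apart, so either drop the two added lines or mark the intent with `# redundant with after_sign_in_path_for; kept so this redirect does not depend on the ordering of that chain`. The IAL2 path still returns `capture_password_url` first, so the rules-of-use prompt for IAL2 relies on the post-password flow reaching `after_sign_in_path_for` — inferred, not visible here. The method's closing `end` is outside the hunk.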
--- a/spec/controllers/users/piv_cac_login_controller_spec.rb
+++ b/spec/controllers/users/piv_cac_login_controller_spec.rb
@@ -145,6 +145,16 @@
       expect(controller.user_session[:decrypted_x509]).to eq session_info.to_json
     end
 
+    context 'when the user has not accepted the most recent terms of use' do
+      let(:user) do
+        build(:user, accepted_terms_at: IdentityConfig.store.rules_of_use_updated_at - 1.year)
+      end
+
+      it 'redirects to rules_of_use_path' do
+        expect(response).to redirect_to rules_of_use_path
+      end
+    end
+
     describe 'it handles the otp_context' do
       it 'tracks the user_marked_authed event' do
         expect(@analytics).to have_received(:track_event).with(
diff --git a/spec/features/users/sign_in_spec.rb b/spec/features/users/sign_in_spec.rb
index 97bb3ab9c9e..46551e2266a 100644
--- a/spec/features/users/sign_in_spec.rb
+++ b/spec/features/users/sign_in_spec.rb
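Review bot: The new context covers only the stale-acceptance case; a boundary example with `accepted_terms_at: IdentityConfig.store.rules_of_use_updated_at` would pin whether `accepted_rules_of_use_still_valid?` treats acceptance at exactly the update time as valid, which is the edge most likely to regress. The positive case — a user with current terms is not sent to `rules_of_use_path` — appears to be covered only indirectly by the surrounding examples; hedged, since the outer `let(:user)` and request setup are outside the hunk. The enclosing describe block starts and ends outside the hunk.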
@@ -78,6 +78,61 @@
     expect(current_path).to eq sign_up_completed_path
   end
 
+  scenario 'user with old terms of use can accept and continue to IAL1 SP' do
+    user = create(
+      :user,
+      :fully_registered,
+      :with_piv_or_cac,
+      accepted_terms_at: IdentityConfig.store.rules_of_use_updated_at - 1.minute,
+    )
+    service_provider = ServiceProvider.find_by(issuer: OidcAuthHelper::OIDC_IAL1_ISSUER)
+    IdentityLinker.new(user, service_provider).link_identity(
+      verified_attributes: %w[openid email],
+    )
+
+    visit_idp_from_sp_with_ial1(:oidc)
+    click_on t('account.login.piv_cac')
+    fill_in_piv_cac_credentials_and_submit(user, user.piv_cac_configurations.first.x509_dn_uuid)
+
+    expect(current_url).to eq rules_of_use_url
+    accept_rules_of_use_and_continue_if_displayed
+    expect(current_url).to start_with service_provider.redirect_uris.first
+  end
+
+  scenario 'user with old terms of use can accept and continue to IAL2 SP' do
+    user = create(
+      :user,
+      :fully_registered,
+      :with_piv_or_cac,
+      accepted_terms_at: IdentityConfig.store.rules_of_use_updated_at - 1.minute,
+    )
+    create(
+      :profile,
+      :active,
+      :verified,
+      user: user,
+      pii: { first_name: 'John', ssn: '111223333' },
+    )
+    service_provider = ServiceProvider.find_by(issuer: OidcAuthHelper::OIDC_ISSUER)
+    IdentityLinker.new(user, service_provider).link_identity(
+      verified_attributes: %w[email given_name family_name social_security_number address phone],
+      ial: 2,
+    )
+
+    visit_idp_from_sp_with_ial2(:oidc)
+    click_on t('account.login.piv_cac')
+    fill_in_piv_cac_credentials_and_submit(user, user.piv_cac_configurations.first.x509_dn_uuid)
+
+    expect(current_url).to eq capture_password_url
+
+    fill_in 'Password', with: user.password
+    click_submit_default
+
+    expect(current_url).to eq rules_of_use_url
+    accept_rules_of_use_and_continue_if_displayed
+    expect(current_url).to start_with service_provider.redirect_uris.first
+  end
+
   scenario 'user opts to add piv/cac card but gets an error' do
     perform_steps_to_get_to_add_piv_cac_during_sign_up
     nonce = piv_cac_nonce_from_form_action