Enforce 2fa with exclusion groups

jvillafanez · jvillafanez · commit 8dbbb075ee8c · 2023-06-07T18:08:08.000+02:00
diff --git a/lib/private/Authentication/TwoFactorAuth/Manager.php b/lib/private/Authentication/TwoFactorAuth/Manager.php
@@ -33,6 +33,7 @@
 use OCP\ILogger;
 use OCP\ISession;
 use OCP\IUser;
+use OCP\IGroupManager;
 
 class Manager {
 	public const SESSION_UID_KEY = 'two_factor_auth_uid';
@@ -43,6 +44,9 @@ class Manager {
 	/** @var ISession */
 	private $session;
 
+	/** @var IGroupManager */
+	private $groupManager;
+
 	/** @var IConfig */
 	private $config;
 
@@ -55,13 +59,15 @@ class Manager {
 	/**
 	 * @param AppManager $appManager
 	 * @param ISession $session
+	 * @param IGroupManager $groupManager
 	 * @param IConfig $config
 	 * @param IRequest $request
 	 * @param ILogger $logger
 	 */
-	public function __construct(AppManager $appManager, ISession $session, IConfig $config, IRequest $request, ILogger $logger) {
+	public function __construct(AppManager $appManager, ISession $session, IGroupManager $groupManager, IConfig $config, IRequest $request, ILogger $logger) {
 		$this->appManager = $appManager;
 		$this->session = $session;
+		$this->groupManager = $groupManager;
 		$this->config = $config;
 		$this->request = $request;
 		$this->logger = $logger;
@@ -74,10 +80,29 @@ public function __construct(AppManager $appManager, ISession $session, IConfig $
 	 * @return boolean
 	 */
 	public function isTwoFactorAuthenticated(IUser $user) {
+		if ($this->isTwoFactorEnforcedForUser($user)) {
+			return \count($this->getProviders($user)) > 0;
+		}
 		$twoFactorEnabled = ((int) $this->config->getUserValue($user->getUID(), 'core', 'two_factor_auth_disabled', 0)) === 0;
 		return $twoFactorEnabled && \count($this->getProviders($user)) > 0;
 	}
 
+	public function isTwoFactorEnforcedForUser(IUser $user) {
+		if ($this->config->getAppValue('core', 'enforce_2fa', 'no') !== 'yes') {
+			return false;
+		}
+
+		$enforce2faExcludedGroups = \json_decode($this->config->getAppValue('core', 'enforce_2fa_excluded_groups', '[]'), true);
+		if (!empty($enforce2faExcludedGroups)) {
+			foreach ($enforce2faExcludedGroups as $group) {
+				if ($this->groupManager->isInGroup($user->getUID(), $group)) {
+					return false;
+				}
+			}
+		}
+		return true;
+	}
+
 	/**
 	 * Disable 2FA checks for the given user
 	 *
@@ -135,6 +160,10 @@ public function getProviders(IUser $user) {
 			}
 		}
 
+		if ($this->isTwoFactorEnforcedForUser($user)) {
+			return $providers;
+		}
+
 		return \array_filter($providers, function ($provider) use ($user) {
 			/* @var $provider IProvider */
 			return $provider->isTwoFactorAuthEnabledForUser($user);
diff --git a/lib/private/Server.php b/lib/private/Server.php
@@ -402,7 +402,14 @@ public function __construct($webRoot, \OC\Config $config) {
 		});
 
 		$this->registerService('\OC\Authentication\TwoFactorAuth\Manager', function (Server $c) {
-			return new \OC\Authentication\TwoFactorAuth\Manager($c->getAppManager(), $c->getSession(), $c->getConfig(), $c->getRequest(), $c->getLogger());
+			return new \OC\Authentication\TwoFactorAuth\Manager(
+				$c->getAppManager(),
+				$c->getSession(),
+				$c->getGroupManager(),
+				$c->getConfig(),
+				$c->getRequest(),
+				$c->getLogger()
+			);
 		});
 
 		$this->registerService('NavigationManager', function (Server $c) {
diff --git a/lib/private/Settings/SettingsManager.php b/lib/private/Settings/SettingsManager.php
@@ -49,6 +49,7 @@
 use OC\Settings\Panels\Personal\Tokens;
 use OC\Settings\Panels\Personal\Cors;
 use OC\Settings\Panels\Personal\Quota;
+use OC\Settings\Panels\Admin\Enforce2fa;
 use OC\Settings\Panels\Admin\BackgroundJobs;
 use OC\Settings\Panels\Admin\Certificates;
 use OC\Settings\Panels\Admin\Encryption;
@@ -236,6 +237,7 @@ private function getBuiltInSections($type) {
 	private function getBuiltInPanels($type) {
 		if ($type === 'admin') {
 			return [
+				Enforce2fa::class,
 				LegacyAdmin::class,
 				BackgroundJobs::class,
 				Logging::class,
diff --git a/settings/Panels/Admin/Enforce2fa.php b/settings/Panels/Admin/Enforce2fa.php
@@ -0,0 +1,49 @@
+<?php
+/**
+ * @copyright Copyright (c) 2023, ownCloud GmbH
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OC\Settings\Panels\Admin;
+
+use OCP\Settings\ISettings;
+use OCP\Template;
+use OCP\IConfig;
+
+class Enforce2fa implements ISettings {
+	/** @var IConfig */
+	protected $config;
+
+	public function __construct(IConfig $config) {
+		$this->config = $config;
+	}
+
+	public function getPriority() {
+		return 0;
+	}
+
+	public function getPanel() {
+		$enforce2faExcludedGroups = \json_decode($this->config->getAppValue('core', 'enforce_2fa_excluded_groups', '[]'), true);
+		$tmpl = new Template('settings', 'panels/admin/enforce2fa');
+		$tmpl->assign('enforce2fa', $this->config->getAppValue('core', 'enforce_2fa', 'no') === 'yes');
+		$tmpl->assign('enforce2faExcludedGroups', \implode('|', $enforce2faExcludedGroups));
+		return $tmpl;
+	}
+
+	public function getSectionID() {
+		return 'security';
+	}
+}
diff --git a/settings/js/panels/enforce2fa.js b/settings/js/panels/enforce2fa.js
@@ -0,0 +1,19 @@
+$(document).ready(function() {
+
+	var enforce2faGroupsList = $('#enforce_2fa_excluded_groups');
+	OC.Settings.setupGroupsSelect(enforce2faGroupsList);
+	enforce2faGroupsList.change(function(ev) {
+		OC.AppConfig.setValue('core', 'enforce_2fa_excluded_groups', JSON.stringify(ev.val || []));
+	});
+
+	$('#enforce_2fa').change(function() {
+		var name = $(this).attr('name');
+		var value;
+		if (this.checked) {
+			value = 'yes';
+		} else {
+			value = 'no';
+		}
+		OC.AppConfig.setValue('core', name, value);
+	});
+});
diff --git a/settings/templates/panels/admin/enforce2fa.php b/settings/templates/panels/admin/enforce2fa.php
@@ -0,0 +1,33 @@
+<?php
+script('settings', 'panels/enforce2fa');
+?>
+<div class="section" id="2fa">
+	<h2 class="app-name"><?php p($l->t('Two-factor Authentication'));?></h2>
+	<p>
+		<em><?php p($l->t('This section requires a two-factor authentication app to be installed in ownCloud')); ?></em>
+	</p>
+	<h3><?php p($l->t('Enforce two-factor authentication')); ?></h3>
+	<p><?php p($l->t('Before enforcing the two-factor authentication, check the following requirements:')); ?></p>
+	<ul>
+		<li><?php p($l->t('At least a two-factor authentication app is installed and enabled in ownCloud.')); ?></li>
+		<li><?php p($l->t('The users can setup at least a two-factor app from the challenge page. Some apps might not be prepared for this')); ?></li>
+	</ul>
+	<p><?php p($l->t('The "twofactor_totp" app fulfills those requirements, and might be used as a fallback so the users can enter their accounts in order to configure other two-factor authentication apps')); ?></p>
+	<br/>
+	<p>
+	<input type="checkbox" id="enforce_2fa" name="enforce_2fa" value="1" <?php if ($_['enforce2fa']) {
+		print_unescaped('checked="checked"');
+	}?> />
+	<label for="enforce_2fa"><?php p($l->t('Enforce two-factor authentication to all the users')); ?></label>
+	</p>
+	<br/>
+	<p>
+		<?php p($l->t('Exclude the following groups of enforcing the two-factor authentication')); ?>
+		<br />
+		<input name="enforce_2fa_excluded_groups" type="hidden" id="enforce_2fa_excluded_groups" value="<?php p($_['enforce2faExcludedGroups']) ?>" style="width: 400px">
+		<em>
+			<br />
+			<?php p($l->t('Users in these groups can use two-factor authentication on their own')); ?>
+		</em>
+	</p>
+</div>
