diff --git a/tests/tfa_basic.test b/tests/tfa_basic.test index 0f72069..82cc56d 100644 --- a/tests/tfa_basic.test +++ b/tests/tfa_basic.test @@ -202,6 +202,49 @@ class TfaBasicTestCase extends DrupalWebTestCase { $this->assertText($this->uiStrings('tfa-disabled')); } + public function testRequired() { + variable_set('tfa_enabled', TRUE); + variable_set('tfa_validate_plugin', 'tfa_basic_totp'); + $account = $this->drupalCreateUser(array('access content', 'setup own tfa')); + $edit = array( + 'name' => $account->name, + 'pass' => $account->pass_raw, + ); + $this->drupalPost('user/login', $edit, 'Log in'); + // Set up application. + $this->drupalGet('user/' . $account->uid . '/security/tfa/app-setup'); + $pass_form = array( + 'current_pass' => $account->pass_raw, + ); + $this->drupalPost(NULL, $pass_form, 'Confirm'); + $result = $this->xpath('//input[@name="seed"]'); + if (empty($result)) { + $this->fail('Unable to extract seed from page. Aborting test.'); + return; + } + $element = $result[0]; + $this->seed = (string) $element['value']; + + // Submit valid code. + $code_form = array( + 'code' => $this->ga->getCode($this->seed), + ); + $this->drupalPost(NULL, $code_form, 'Verify and save'); + + // Set required for authenticated and confirm messages. + variable_set('tfa_basic_roles_require', array(DRUPAL_AUTHENTICATED_RID => DRUPAL_AUTHENTICATED_RID)); + $this->drupalGet('user/' . $account->uid . '/security/tfa/disable'); + $this->assertText($this->uiStrings('disable-required')); + // Disable TFA. + $this->drupalPost(NULL, $pass_form, 'Disable'); + $this->drupalGet('user/logout'); + + // Confirm cannot log in. + $this->drupalPost('user/login', $edit, 'Log in'); + $this->assertNoLink('Log out', 'Not authenticated'); + $this->assertText($this->uiStrings('required'), 'Required text shows'); + } + /** * TFA module user interface strings. * @@ -248,6 +291,10 @@ class TfaBasicTestCase extends DrupalWebTestCase { return 'Are you sure you want to disable TFA on account'; case 'tfa-disabled': return 'TFA has been disabled'; + case 'required': + return 'Login disallowed. You are required to set up two-factor authentication.'; + case 'disable-required': + return 'Your account must have at least one two-factor authentication method enabled. Continuing will disable your ability to log back into this site.'; } } } diff --git a/tfa_basic.module b/tfa_basic.module index a0c63ed..330ad5b 100644 --- a/tfa_basic.module +++ b/tfa_basic.module @@ -229,6 +229,38 @@ function tfa_basic_tfa_context_alter(&$context) { } /** + * Implements hook_tfa_ready_require(). + */ +function tfa_basic_tfa_ready_require($account) { + if (tfa_basic_tfa_required($account)) { + drupal_set_message(t('Login disallowed. You are required to set up two-factor authentication. Please contact a site administrator.'), 'error'); + return TRUE; + } + return FALSE; +} + +/** + * Whether TFA is required for the account. + * + * @param object $account + * + * @return bool + */ +function tfa_basic_tfa_required($account) { + $required = FALSE; + $required_roles = variable_get('tfa_basic_roles_require', array()); + if (!empty($required_roles)) { + foreach ($required_roles as $rid => $enabled) { + if ($enabled && array_key_exists($rid, $account->roles)) { + $required = TRUE; + break; + } + } + } + return $required; +} + +/** * Get mobile number for an account. * * @param object $account @@ -451,6 +483,14 @@ function tfa_basic_format_number($number) { function tfa_basic_form_tfa_admin_settings_alter(&$form, &$form_state, $form_id) { global $cookie_domain; + $form['required_tfa_roles'] = array( + '#type' => 'checkboxes', + '#title' => t('Roles required to have TFA setup to log in'), + '#description' => t("Login will be denied to an account with any matching role if that user has not set up TFA."), + '#options' => user_roles(TRUE), + '#default_value' => variable_get('tfa_basic_roles_require', array()), + ); + // Add cookie domain field to TFA admin settings. $form['tfa_basic_cookie_domain'] = array( '#type' => 'textfield', @@ -624,6 +664,7 @@ function tfa_basic_form_submit($form, &$form_state) { if ($phone_field !== FALSE && !empty($form_state['values']['tfa_fallback']) && !empty($form_state['values']['tfa_fallback']['tfa_basic_sms']['enable']) && !empty($form_state['values']['tfa_basic_phone_field'])) { variable_set('tfa_basic_phone_field', $form_state['values']['tfa_basic_phone_field']); } + variable_set('tfa_basic_roles_require', $form_state['values']['required_tfa_roles']); } /** diff --git a/tfa_basic.pages.inc b/tfa_basic.pages.inc index 059ecf6..4a9df35 100644 --- a/tfa_basic.pages.inc +++ b/tfa_basic.pages.inc @@ -179,14 +179,14 @@ function tfa_basic_disable_form($form, &$form_state, $account) { if ($account->uid != $user->uid && user_access('administer users')) { $preamble_desc = t('Are you sure you want to disable TFA on account %name?', array('%name' => $account->name)); $notice_desc = t('TFA settings and data will be lost. %name can re-enable TFA again from their profile.', array('%name' => $account->name)); - if (user_access('require tfa', $account)) { + if (tfa_basic_tfa_required($account)) { drupal_set_message(t("This account is required to have TFA enabled per the 'require TFA' permission on one of their roles. Disabling TFA will remove their ability to log back into the site. If you continue, consider also removing the role so they can authenticate and setup TFA again."), 'warning'); } } else { $preamble_desc = t('Are you sure you want to disable your two-factor authentication setup?'); $notice_desc = t("Your settings and data will be lost. You can re-enable two-factor authentication again from your profile."); - if (user_access('require tfa', $account)) { + if (tfa_basic_tfa_required($account)) { drupal_set_message(t('Your account must have at least one two-factor authentication method enabled. Continuing will disable your ability to log back into this site.'), 'warning'); $notice_desc = t('Your settings and data will be lost and you will be unable to log back into the site. To regain access contact a site administrator.'); }