diff --git a/tests/tfa_basic.test b/tests/tfa_basic.test
index 7a751a1..1cf2556 100644
--- a/tests/tfa_basic.test
+++ b/tests/tfa_basic.test
@@ -178,6 +178,25 @@ class TfaBasicTestCase extends DrupalWebTestCase {
     $this->assertText('My account');
   }
 
+  public function testRequired() {
+    variable_set('tfa_enabled', TRUE);
+    variable_set('tfa_validate_plugin', 'tfa_basic_totp');
+    $account = $this->drupalCreateUser(array('access content'));
+    $edit = array(
+      'name' => $account->name,
+      'pass' => $account->pass_raw,
+    );
+    $this->drupalPost('user/login', $edit, 'Log in');
+    $this->assertText('My account');
+    $this->drupalGet('user/logout');
+
+    // Require authenticated users to have TFA set up.
+    variable_set('tfa_basic_roles_require', array(DRUPAL_AUTHENTICATED_RID => DRUPAL_AUTHENTICATED_RID));
+    $this->drupalPost('user/login', $edit, 'Log in');
+    $this->assertNoLink('Log out', 'Not authenticated');
+    $this->assertText($this->uiStrings('required'), 'Required text shows');
+  }
+
   /**
    * TFA module user interface strings.
    *
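Review bot: testRequired covers only the deny path with a hand-built role map, so it would still pass if the requirement also blocked accounts that are not in a required role. The second `variable_set` uses the `rid => rid` shape, whereas a checkboxes element stores unchecked roles as `rid => 0`. A case that sets `array(DRUPAL_AUTHENTICATED_RID => 0)` and then expects a successful login would pin the `$enabled` check in tfa_basic_tfa_ready_require. `assertNoLink('Log out', ...)` inspects only the page returned by the login post; following it with `$this->drupalGet('user');` and `$this->assertNoText('My account', 'No session established');` would confirm that no authenticated session was created.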
@@ -218,6 +237,8 @@ class TfaBasicTestCase extends DrupalWebTestCase {
         return 'Enter one of your recovery codes';
       case 'tfa-status-enabled':
         return 'TFA enabled';
+      case 'required':
+        return 'Login disallowed. You are required to set up two-factor authentication.';
     }
   }
 }
diff --git a/tfa_basic.module b/tfa_basic.module
index c3a7ffe..27e0ee5 100644
--- a/tfa_basic.module
+++ b/tfa_basic.module
@@ -228,6 +228,26 @@ function tfa_basic_tfa_context_alter(&$context) {
 }
 
 /**
+ * Implements hook_tfa_ready_require().
+ */
+function tfa_basic_tfa_ready_require($account) {
+  $required = FALSE;
+  $required_roles = variable_get('tfa_basic_roles_require', array());
+  if (!empty($required_roles)) {
+    foreach ($required_roles as $rid => $enabled) {
+      if ($enabled && array_key_exists($rid, $account->roles)) {
+        $required = TRUE;
+        break;
+      }
+    }
+  }
+  if ($required) {
+    drupal_set_message(t('Login disallowed. You are required to set up two-factor authentication. Please contact a site administrator.'), 'error');
+  }
+  return $required;
+}
+
+/**
  * Get mobile number for an account.
  *
  * @param object $account
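Review bot: tfa_basic_tfa_ready_require queues the 'Login disallowed' error as a side effect of answering whether TFA is required, so any invocation outside a login attempt would display that message too; the callers are not visible in this diff, so this may not happen today. The docblock should say so: add `@param object $account` (the account attempting to log in), `@return bool` (TRUE when one of the account's roles is marked required in `tfa_basic_roles_require`), and a sentence that an error message is set when TRUE is returned. A non-array value in that variable would make the loop fall through and return FALSE, meaning no requirement is enforced. Iterating over `(array) $required_roles` and dropping the redundant `!empty()` guard would make that case explicit.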
@@ -454,6 +474,14 @@ function tfa_basic_form_tfa_admin_settings_alter(&$form, &$form_state, $form_id)
   unset($form['tfa_validate']['#options']['tfa_basic_sms']);
   unset($form['tfa_validate']['#options']['tfa_basic_help']);
 
+  $form['required_tfa_roles'] = array(
+    '#type' => 'checkboxes',
+    '#title' => t('Roles required to have TFA setup to log in'),
+    '#description' => t("Login will be denied to an account with any matching role if that user has not set up TFA."),
+    '#options' => user_roles(TRUE),
+    '#default_value' => variable_get('tfa_basic_roles_require', array()),
+  );
+
   // Add cookie domain field to TFA admin settings.
   $form['tfa_basic_cookie_domain'] = array(
     '#type' => 'textfield',
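Review bot: Ticking 'authenticated user', or any role the saving administrator holds, denies login to every account in that role that has no TFA set up, including the administrator making the change, and nothing in this hunk warns about or checks for that. The description should carry the caveat, for example `'#description' => t('Login will be denied to an account with any matching role if that user has not set up TFA. Confirm that administrator accounts have TFA set up before requiring it for their roles.'),`. A validate handler that refuses the change when the current user holds a selected role and is not TFA-ready would be stronger, if the module exposes such a check. The element key `required_tfa_roles` differs from the variable name `tfa_basic_roles_require`; matching them would make the setting easier to trace. tfa_basic_form_tfa_admin_settings_alter begins and ends outside the hunk.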
@@ -633,6 +661,7 @@ function tfa_basic_form_submit($form, &$form_state) {
   if ($phone_field !== FALSE && !empty($form_state['values']['tfa_fallback']) && !empty($form_state['values']['tfa_fallback']['tfa_basic_sms']['enable']) && !empty($form_state['values']['tfa_basic_phone_field'])) {
     variable_set('tfa_basic_phone_field', $form_state['values']['tfa_basic_phone_field']);
   }
+  variable_set('tfa_basic_roles_require', $form_state['values']['required_tfa_roles']);
 }
 
 /**
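Review bot: The added `variable_set` stores the raw checkboxes value, unchecked roles included as `rid => 0`, and runs unconditionally, so if `required_tfa_roles` is absent from `$form_state['values']` the saved requirement is overwritten with NULL and enforcement silently turns off. Suggest `if (isset($form_state['values']['required_tfa_roles'])) { variable_set('tfa_basic_roles_require', array_filter($form_state['values']['required_tfa_roles'])); }` so only selected roles are stored and a missing element leaves the existing policy untouched. Because this setting decides which accounts may log in without a second factor, a `watchdog()` entry recording the change would give administrators an audit trail. tfa_basic_form_submit starts above the hunk.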
