Feature #35439 » 0001-Option-to-require-2FA-authentication-only-for-users-.patch

Marius BĂLTEANU, 2022-01-30 11:10


app/models/setting.rb
244 244
  end
245 245

  
246 246
  def self.twofa_optional?
247
    twofa == '1'
247
    %w[1 3].include? twofa
248
  end
249

  
250
  def self.twofa_required_for_administrators?
251
    twofa == '3'
248 252
  end
249 253

  
250 254
  # Helper that returns an array based on per_page_options setting
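Review bot: The two new predicates hard-code the setting's string encoding (`%w[1 3]`, `'3'`) without saying what each value means, so a reader has to open the authentication settings view to learn that "3" is the administrators-only mode. A comment above `twofa_optional?` would carry that: `# twofa setting values: "0" disabled, "1" optional, "2" required for all users, "3" optional but required for administrators. "3" is treated as optional so per-group requirements still apply.` The last clause is the reason "3" was folded into `twofa_optional?` rather than given its own branch, since User#must_activate_twofa? in this patch combines `twofa_optional?` with the group check. The sibling `twofa_required?` that presumably matches "2" sits outside this hunk and should be documented the same way.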
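--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -387,6 +387,7 @@
     return false if twofa_active?
 
     return true if Setting.twofa_required?
+    return true if Setting.twofa_required_for_administrators? && admin?
     return true if Setting.twofa_optional? && groups.any?(&:twofa_required?)
   end
 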
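Review bot: The new administrator guard has no comment explaining why it is placed between the global requirement and the per-group rule and why it applies only to `admin?`; a short one would help, e.g. `# Mode "3": force 2FA setup on administrators only; non-admins fall through to the per-group rule below.` Because `Setting.twofa_optional?` is also true in that mode (see setting.rb in this patch), a non-admin who belongs to a group with 2FA required is still covered by the next line, which is worth stating since the two predicates look mutually exclusive by name. The predicate also evaluates `admin?` at call time, so whether an account promoted to administrator mid-session is prompted depends on where `must_activate_twofa?` is invoked, which is outside this hunk. The enclosing `must_activate_twofa?` starts before the hunk, and since `end` directly follows the last guard it yields `nil` rather than `false` when no rule matches; that predates the patch, but an explicit `false` would make the contract of the new branch clearer.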
app/views/settings/_authentication.html.erb
31 31
<p>
32 32
  <%= setting_select :twofa, [[l(:label_disabled), "0"],
33 33
                              [l(:label_optional), "1"],
34
                              [l(:label_required_administrators), "3"],
34 35
                              [l(:label_required_lower), "2"]] -%>
35 36
  <em class="info">
36 37
    <%= t 'twofa_hint_disabled_html', label: t(:label_disabled) -%><br/>
37 38
    <%= t 'twofa_hint_optional_html', label: t(:label_optional) -%><br/>
39
    <%= t 'twofa_hint_required_administrators_html', label: t(:label_required_administrators) -%><br/>
38 40
    <%= t 'twofa_hint_required_html', label: t(:label_required_lower) -%>
39 41
  </em>
40 42
</p>
......
48 50
    <p><%= setting_select :session_lifetime, session_lifetime_options %></p>
49 51
    <p><%= setting_select :session_timeout, session_timeout_options %></p>
50 52
  </div>
51
  
53

  
52 54
  <p><em class="info"><%= l(:text_session_expiration_settings) %></em></p>
53 55
</fieldset>
54 56

  
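Review bot: The option values "0", "1", "3", "2" in the `setting_select` are the same string literals the model matches in `Setting.twofa_optional?` (`%w[1 3]`) and `Setting.twofa_required_for_administrators?` (`'3'`), with nothing tying the two places together, and the list is deliberately out of numeric order so that "3" sits next to "optional". A comment above the select would make both explicit: `<%# values must match the Setting.twofa_* predicates; "3" is listed after "1" because it behaves like optional for non-administrators %>`. The hint line added below mirrors the existing `_html` keys and interpolates the label the same way, so it is consistent with the surrounding markup. The second hunk of this file only changes whitespace on the blank line after the session settings.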
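--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -1019,6 +1019,7 @@
   label_readonly: Read-only
   label_required: Required
   label_required_lower: required
+  label_required_administrators: required for administrators
   label_hidden: Hidden
   label_attribute_of_project: "Project's %{name}"
   label_attribute_of_issue: "Issue's %{name}"
@@ -1349,6 +1350,7 @@
   twofa_hint_disabled_html: Setting <strong>%{label}</strong> will deactivate and unpair two-factor authentication devices for all users.
   twofa_hint_optional_html: Setting <strong>%{label}</strong> will let users set up two-factor authentication at will, unless it is required by one of their groups.
   twofa_hint_required_html: Setting <strong>%{label}</strong> will require all users to set up two-factor authentication at their next login.
+  twofa_hint_required_administrators_html: Setting <strong>%{label}</strong> behaves like optional, but will require all users with administration rights to set up two-factor authentication at their next login.
   twofa_label_setup: Enable two-factor authentication
   twofa_label_deactivation_confirmation: Disable two-factor authentication
   twofa_notice_select: "Please select the two-factor scheme you would like to use:"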
test/integration/twofa_test.rb
31 31
    end
32 32
  end
33 33

  
34
  test "should require twofa setup when required for administrators" do
35
    admin = User.find_by_login 'admin'
36
    user = User.find_by_login 'jsmith'
37

  
38
    assert_not admin.must_activate_twofa?
39
    assert_not user.must_activate_twofa?
40

  
41
    with_settings twofa: "3" do
42
      assert_not Setting.twofa_required?
43

  
44
      assert Setting.twofa_optional?
45
      assert Setting.twofa_required_for_administrators?
46
      assert admin.must_activate_twofa?
47
      assert_not user.must_activate_twofa?
48

  
49
      log_user('admin', 'admin')
50
      follow_redirect!
51
      assert_redirected_to "/my/twofa/totp/activate/confirm"
52
    end
53
  end
54

  
34 55
  test "should require twofa setup when required by group" do
35 56
    user = User.find_by_login 'jsmith'
36 57
    assert_not user.must_activate_twofa?