Commit b7ca7330 authored by Alexis Reigel

state the reason to the user for the required 2fa

parent a49c5d18
...@@ -24,6 +24,17 @@ module EnforcesTwoFactorAuthentication ...@@ -24,6 +24,17 @@ module EnforcesTwoFactorAuthentication
current_user.try(:require_two_factor_authentication?) current_user.try(:require_two_factor_authentication?)
end end
def two_factor_authentication_reason(global: -> {}, group: -> {})
if two_factor_authentication_required?
if current_application_settings.require_two_factor_authentication?
global.call
else
groups = current_user.groups.where(require_two_factor_authentication: true).reorder(name: :asc)
group.call(groups)
end
end
end
def two_factor_grace_period def two_factor_grace_period
periods = [current_application_settings.two_factor_grace_period] periods = [current_application_settings.two_factor_grace_period]
periods << current_user.two_factor_grace_period if current_user.try(:require_two_factor_authentication?) periods << current_user.two_factor_grace_period if current_user.try(:require_two_factor_authentication?)
......
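Review bot: The default for `group:` in `two_factor_authentication_reason` is `-> {}`, a lambda that accepts no arguments, yet the `else` branch calls `group.call(groups)`, so any caller that omits `group:` gets an ArgumentError; `group: ->(_groups) {}` avoids that. The `else` branch also assumes that when the global setting is off the requirement always comes from a group. If the user-level flag can be set while the `where(require_two_factor_authentication: true)` query finds nothing (not visible in this hunk), the caller receives an empty list and renders a message that names no group. The method also needs a short comment saying that at most one callback runs, and only when 2FA is required.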
...@@ -13,11 +13,24 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController ...@@ -13,11 +13,24 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
current_user.save! if current_user.changed? current_user.save! if current_user.changed?
if two_factor_authentication_required? && !current_user.two_factor_enabled? if two_factor_authentication_required? && !current_user.two_factor_enabled?
if two_factor_grace_period_expired? two_factor_authentication_reason(
flash.now[:alert] = 'You must enable Two-Factor Authentication for your account.' global: lambda do
else flash.now[:alert] =
'The global settings require you to enable Two-Factor Authentication for your account.'
end,
group: lambda do |groups|
group_links = groups.map { |group| view_context.link_to group.full_name, group_path(group) }.to_sentence
flash.now[:alert] = %{
The group settings for #{group_links} require you to enable
Two-Factor Authentication for your account.
}.html_safe
end
)
unless two_factor_grace_period_expired?
grace_period_deadline = current_user.otp_grace_period_started_at + two_factor_grace_period.hours grace_period_deadline = current_user.otp_grace_period_started_at + two_factor_grace_period.hours
flash.now[:alert] = "You must enable Two-Factor Authentication for your account before #{l(grace_period_deadline)}." flash.now[:alert] << " You need to do this before #{l(grace_period_deadline)}."
end end
end end
......
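Review bot: The group branch calls `.html_safe` on an interpolated `%{...}` literal, so the flash is safe only because `link_to` escapes `group.full_name` before `to_sentence` joins the links. Nothing states that invariant, and it breaks as soon as another value is interpolated into the literal. I would add a comment above it, `# group_links is HTML from link_to (names escaped); interpolate nothing else before html_safe`, or append escaped pieces to a safe buffer rather than marking the whole string safe. The later `flash.now[:alert] << ...` appends to a plain String in the global case and to an html_safe string in the group case, which deserves a one-line comment too. The action's body starts and ends outside the hunk.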
...@@ -199,6 +199,9 @@ feature 'Login', feature: true do ...@@ -199,6 +199,9 @@ feature 'Login', feature: true do
describe 'with required two-factor authentication enabled' do describe 'with required two-factor authentication enabled' do
let(:user) { create(:user) } let(:user) { create(:user) }
# TODO: otp_grace_period_started_at
context 'global setting' do
before(:each) { stub_application_setting(require_two_factor_authentication: true) } before(:each) { stub_application_setting(require_two_factor_authentication: true) }
context 'with grace period defined' do context 'with grace period defined' do
...@@ -210,7 +213,70 @@ feature 'Login', feature: true do ...@@ -210,7 +213,70 @@ feature 'Login', feature: true do
context 'within the grace period' do context 'within the grace period' do
it 'redirects to two-factor configuration page' do it 'redirects to two-factor configuration page' do
expect(current_path).to eq profile_two_factor_auth_path expect(current_path).to eq profile_two_factor_auth_path
expect(page).to have_content('You must enable Two-Factor Authentication for your account before') expect(page).to have_content('The global settings require you to enable Two-Factor Authentication for your account. You need to do this before ')
end
it 'allows skipping two-factor configuration', js: true do
expect(current_path).to eq profile_two_factor_auth_path
click_link 'Configure it later'
expect(current_path).to eq root_path
end
end
context 'after the grace period' do
let(:user) { create(:user, otp_grace_period_started_at: 9999.hours.ago) }
it 'redirects to two-factor configuration page' do
expect(current_path).to eq profile_two_factor_auth_path
expect(page).to have_content(
'The global settings require you to enable Two-Factor Authentication for your account.'
)
end
it 'disallows skipping two-factor configuration', js: true do
expect(current_path).to eq profile_two_factor_auth_path
expect(page).not_to have_link('Configure it later')
end
end
end
context 'without grace period defined' do
before(:each) do
stub_application_setting(two_factor_grace_period: 0)
login_with(user)
end
it 'redirects to two-factor configuration page' do
expect(current_path).to eq profile_two_factor_auth_path
expect(page).to have_content(
'The global settings require you to enable Two-Factor Authentication for your account.'
)
end
end
end
context 'group setting' do
before do
group1 = create :group, name: 'Group 1', require_two_factor_authentication: true
group1.add_user(user, GroupMember::DEVELOPER)
group2 = create :group, name: 'Group 2', require_two_factor_authentication: true
group2.add_user(user, GroupMember::DEVELOPER)
end
context 'with grace period defined' do
before(:each) do
stub_application_setting(two_factor_grace_period: 48)
login_with(user)
end
context 'within the grace period' do
it 'redirects to two-factor configuration page' do
expect(current_path).to eq profile_two_factor_auth_path
expect(page).to have_content(
'The group settings for Group 1 and Group 2 require you to enable ' \
'Two-Factor Authentication for your account. You need to do this ' \
'before ')
end end
it 'allows skipping two-factor configuration', js: true do it 'allows skipping two-factor configuration', js: true do
...@@ -226,7 +292,10 @@ feature 'Login', feature: true do ...@@ -226,7 +292,10 @@ feature 'Login', feature: true do
it 'redirects to two-factor configuration page' do it 'redirects to two-factor configuration page' do
expect(current_path).to eq profile_two_factor_auth_path expect(current_path).to eq profile_two_factor_auth_path
expect(page).to have_content('You must enable Two-Factor Authentication for your account.') expect(page).to have_content(
'The group settings for Group 1 and Group 2 require you to enable ' \
'Two-Factor Authentication for your account.'
)
end end
it 'disallows skipping two-factor configuration', js: true do it 'disallows skipping two-factor configuration', js: true do
...@@ -244,7 +313,11 @@ feature 'Login', feature: true do ...@@ -244,7 +313,11 @@ feature 'Login', feature: true do
it 'redirects to two-factor configuration page' do it 'redirects to two-factor configuration page' do
expect(current_path).to eq profile_two_factor_auth_path expect(current_path).to eq profile_two_factor_auth_path
expect(page).to have_content('You must enable Two-Factor Authentication for your account.') expect(page).to have_content(
'The group settings for Group 1 and Group 2 require you to enable ' \
'Two-Factor Authentication for your account.'
)
end
end end
end end
end end
......
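Review bot: The group-setting examples assert only plain text for groups named 'Group 1' and 'Group 2', so they would still pass if the flash lost its links or stopped escaping group names. Since the controller marks that message `html_safe`, I would pin the rendering with `expect(page).to have_link('Group 1')` and `expect(page).to have_link('Group 2')` next to the `have_content` checks. The comment `# TODO: otp_grace_period_started_at` above `context 'global setting'` does not say what remains to be done; either spell it out or drop it before merging.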