Merge remote-tracking branch 'remotes/GH/master' into rel_1.x

# Conflicts: # src/Modules/Core/d3_totp_utils.php
2022-09-26 15:03:42 +02:00 · 2022-09-26 15:03:42 +02:00 · 5b6dd4a4da
commit 5b6dd4a4da
parent 6b9130fc79 cdff7abe01
6 changed files with 134 additions and 4 deletions
--- a/src/Application/Controller/Admin/d3force_2fa.php
+++ b/src/Application/Controller/Admin/d3force_2fa.php
@ -0,0 +1,46 @@
+<?php
+
+declare(strict_types=1);
+
+namespace D3\Totp\Application\Controller\Admin;
+
+use OxidEsales\Eshop\Core\Registry;
+use OxidEsales\Eshop\Core\Session;
+
+class d3force_2fa extends d3user_totp
+{
+    public function render()
+    {
+        $this->addTplParam('force2FA', true);
+
+        $userID = $this->d3GetSessionObject()->getVariable("auth");
+        $this->_sEditObjectId = $userID;
+
+        return parent::render();
+    }
+
+
+    protected function _authorize()
+    {
+        $userID = $this->d3GetSessionObject()->getVariable("auth");
+
+        return ($this->d3IsAdminForce2FA() && !empty($userID));
+    }
+
+    /**
+     * @return Session
+     */
+    private function d3GetSessionObject()
+    {
+        return Registry::getSession();
+    }
+
+    /**
+     * @return bool
+     */
+    private function d3IsAdminForce2FA()
+    {
+        return $this->isAdmin() &&
+            Registry::getConfig()->getConfigParam('D3_TOTP_ADMIN_FORCE_2FA') == true;
+    }
+}
--- a/src/Application/views/admin/de/d3totp_lang.php
+++ b/src/Application/views/admin/de/d3totp_lang.php
@ -34,6 +34,11 @@ $aLang = [
    'D3_TOTP_CURROTP'                                 => 'Bestätigung mit Einmalpasswort',
    'D3_TOTP_CURROTP_HELP'                            => 'Haben Sie dieses Kundenkonto in Ihrer Authentisierungs-App registriert, generieren Sie damit ein Einmalpasswort, tragen Sie es hier ein und senden das Formular direkt darauf hin ab.',

+    'D3_TOTP_FORCE2FATITLE'                           => 'Verpflichtet Zwei-Faktor-Authentisierung',
+    'D3_TOTP_FORCE2FASUB'                             => 'Alle Administratoren müssen es aktivieren',
+    'D3_TOTP_ADMINBACKEND'                            => 'Admin-Oberfläche',
+    'D3_TOTP_ADMINCONTINUE'                           => 'weiter',
+
    'D3_TOTP_REGISTEREXIST'                           => 'vorhandene Registrierung',
    'D3_TOTP_REGISTERDELETE'                          => 'Registrierung löschen',
    'D3_TOTP_REGISTERDELETE_DESC'                     => 'Um die Registrierung zu ändern, löschen Sie diese bitte vorerst. Sie können sofort im Anschluss eine neue Registrierung anlegen.<br>Wenn Sie die Registrierung löschen, ist das Konto nicht mehr durch die Zwei-Faktor-Authentisierung geschützt.',
@ -48,4 +53,6 @@ $aLang = [

    'D3_TOTP_ERROR_UNVALID'                           => 'Das Einmalpasswort ist ungültig.',
    'D3_TOTP_ALREADY_EXIST'                           => 'Die Registrierung wurde schon gespeichert.',
+
+    'SHOP_MODULE_D3_TOTP_ADMIN_FORCE_2FA'             => 'Administratoren sind verpflichtet 2FA zu aktivieren'
 ];
--- a/src/Application/views/admin/en/d3totp_lang.php
+++ b/src/Application/views/admin/en/d3totp_lang.php
@ -34,6 +34,11 @@ $aLang = [
    'D3_TOTP_CURROTP'                                 => 'Confirmation with one-time password',
    'D3_TOTP_CURROTP_HELP'                            => 'If you have registered this customer account in your authentication app, you generate a one-time password, enter it here and send the form out immediately.',

+    'D3_TOTP_FORCE2FATITLE'                           => 'Mandates two-factor authentication',
+    'D3_TOTP_FORCE2FASUB'                             => 'All administrators need to activate it',
+    'D3_TOTP_ADMINBACKEND'                            => 'Admin-Backend',
+    'D3_TOTP_ADMINCONTINUE'                           => 'continue',
+
    'D3_TOTP_REGISTEREXIST'                           => 'existing registration',
    'D3_TOTP_REGISTERDELETE'                          => 'Delete registration',
    'D3_TOTP_REGISTERDELETE_DESC'                     => 'To change the registration, please delete it. You can then immediately create a new registration. <br> If you delete the registration, the account is no longer protected by the two-factor authentication.',
@ -48,4 +53,6 @@ $aLang = [

    'D3_TOTP_ERROR_UNVALID'                           => 'The one-time password is invalid.',
    'D3_TOTP_ALREADY_EXIST'                           => 'The registration has already been saved.',
+
+    'SHOP_MODULE_D3_TOTP_ADMIN_FORCE_2FA'             => 'Administrators are required to activate 2FA'
 ];
--- a/src/Application/views/admin/tpl/d3user_totp.tpl
+++ b/src/Application/views/admin/tpl/d3user_totp.tpl
@ -14,8 +14,25 @@
    td.edittext {
        white-space: normal;
    }
+    .hero {
+        display: inline-block;
+    }
+    .hero > h1 {
+        padding: 0.3em 0;
+    }
+    .hero > div {
+        text-align: right;
+        color: #6c7c98;
+    }
 </style>

+[{if $force2FA}]
+    <div class="hero">
+        <h1>[{oxmultilang ident="D3_TOTP_FORCE2FATITLE"}]</h1>
+        <div>[{oxmultilang ident="D3_TOTP_FORCE2FASUB"}]</div>
+    </div>
+[{/if}]
+
 <form name="transfer" id="transfer" action="[{$oViewConf->getSelfLink()}]" method="post">
    [{$oViewConf->getHiddenSid()}]
    <input type="hidden" name="oxid" value="[{$oxid}]">
@ -60,6 +77,22 @@
                                        [{oxinputhelp ident="D3_TOTP_QRCODE_HELP"}]
                                    </td>
                                </tr>
+                            [{elseif $force2FA}]
+                                <tr>
+                                    <td class="edittext" colspan="2">
+                                        <h4>[{oxmultilang ident="D3_TOTP_ADMINBACKEND"}]</h4>
+                                    </td>
+                                </tr>
+                                <tr>
+                                    <td class="edittext" colspan="2">
+                                        <input
+                                            type="submit" class="edittext" id="oLockButton" name="delete"
+                                            value="[{oxmultilang ident="D3_TOTP_ADMINCONTINUE"}]"
+                                            onClick="document.myedit.fnc.value='';document.myedit.cl.value='admin_start'"
+                                        >
+
+                                    </td>
+                                </tr>
                            [{else}]
                                <tr>
                                    <td class="edittext" colspan="2">
@ -153,5 +186,7 @@
    [{/if}]
 </form>

-[{include file="bottomnaviitem.tpl"}]
-[{include file="bottomitem.tpl"}]
+[{if !$force2FA}]
+    [{include file="bottomnaviitem.tpl"}]
+    [{include file="bottomitem.tpl"}]
+[{/if}]
--- a/src/Modules/Core/d3_totp_utils.php
+++ b/src/Modules/Core/d3_totp_utils.php
@ -38,6 +38,22 @@ class d3_totp_utils extends d3_totp_utils_parent
        $totp = $this->d3GetTotpObject();
        $totp->loadByUserId($userID);

+        //checkt ob alle Admin 2FA aktiviert hat
+        //todo braucht Unit Test
+        if (
+            $this->d3IsAdminForce2FA()
+            && $blAuth
+            && $totp->isActive() === false
+        ) {
+            $this->redirect('index.php?cl=d3force_2fa', true, 302);
+            if (false == defined('OXID_PHP_UNIT')) {
+                // @codeCoverageIgnoreStart
+                exit;
+                // @codeCoverageIgnoreEnd
+            }
+        }
+
+        //staten der prüfung vom einmalpasswort
        if ($blAuth && $totp->isActive() && false === $totpAuth) {
            $this->redirect('index.php?cl=login', true, 302);
            if (false == defined('OXID_PHP_UNIT')) {
@ -65,4 +81,13 @@ class d3_totp_utils extends d3_totp_utils_parent
    {
        return oxNew(d3totp::class);
    }
-}
+
+    /**
+     * @return bool
+     */
+    private function d3IsAdminForce2FA()
+    {
+        return $this->isAdmin() &&
+            Registry::getConfig()->getConfigParam('D3_TOTP_ADMIN_FORCE_2FA') == true;
+    }
+}
--- a/src/metadata.php
+++ b/src/metadata.php
@ -16,6 +16,7 @@
 */

 use D3\Totp\Application\Controller\Admin\d3user_totp;
+use D3\Totp\Application\Controller\Admin\d3force_2fa;
 use D3\Totp\Application\Controller\d3_account_totp;
 use D3\Totp\Application\Controller\d3totplogin;
 use D3\Totp\Modules\Application\Component\d3_totp_UserComponent;
@ -74,6 +75,7 @@ $aModule = [
    ],
    'controllers'           => [
        'd3user_totp'       =>  d3user_totp::class,
+        'd3force_2fa'       =>  d3force_2fa::class,
        'd3totplogin'       =>  d3totplogin::class,
        'd3_account_totp'   =>  d3_account_totp::class,
    ],
@ -82,6 +84,14 @@ $aModule = [
        'd3totplogin.tpl'       => 'd3/totp/Application/views/tpl/d3totplogin.tpl',
        'd3_account_totp.tpl'   => 'd3/totp/Application/views/tpl/d3_account_totp.tpl',
    ],
+    'settings'                => [
+        [
+            'group' => 'main',
+            'name' => 'D3_TOTP_ADMIN_FORCE_2FA',
+            'type' => 'bool',
+            'value' => false,
+        ]
+    ],
    'events'                => [
        'onActivate'        => '\D3\Totp\Setup\Events::onActivate',
        'onDeactivate'      => '\D3\Totp\Setup\Events::onDeactivate',
@ -96,6 +106,6 @@ $aModule = [
            'template'      => 'page/account/inc/account_menu.tpl',
            'block'         => 'account_menu',
            'file'          => 'Application/views/blocks/page/account/inc/account_menu.tpl',
-        ]
+        ],
    ]
 ];