MandatoryTwoFactor.php 3.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115
  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * @copyright 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
  5. *
  6. * @author 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
  7. *
  8. * @license GNU AGPL version 3 or any later version
  9. *
  10. * This program is free software: you can redistribute it and/or modify
  11. * it under the terms of the GNU Affero General Public License as
  12. * published by the Free Software Foundation, either version 3 of the
  13. * License, or (at your option) any later version.
  14. *
  15. * This program is distributed in the hope that it will be useful,
  16. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  17. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  18. * GNU Affero General Public License for more details.
  19. *
  20. * You should have received a copy of the GNU Affero General Public License
  21. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  22. *
  23. */
  24. namespace OC\Authentication\TwoFactorAuth;
  25. use OCP\IConfig;
  26. use OCP\IGroupManager;
  27. use OCP\IUser;
  28. class MandatoryTwoFactor {
  29. /** @var IConfig */
  30. private $config;
  31. /** @var IGroupManager */
  32. private $groupManager;
  33. public function __construct(IConfig $config, IGroupManager $groupManager) {
  34. $this->config = $config;
  35. $this->groupManager = $groupManager;
  36. }
  37. /**
  38. * Get the state of enforced two-factor auth
  39. */
  40. public function getState(): EnforcementState {
  41. return new EnforcementState(
  42. $this->config->getSystemValue('twofactor_enforced', 'false') === 'true',
  43. $this->config->getSystemValue('twofactor_enforced_groups', []),
  44. $this->config->getSystemValue('twofactor_enforced_excluded_groups', [])
  45. );
  46. }
  47. /**
  48. * Set the state of enforced two-factor auth
  49. */
  50. public function setState(EnforcementState $state) {
  51. $this->config->setSystemValue('twofactor_enforced', $state->isEnforced() ? 'true' : 'false');
  52. $this->config->setSystemValue('twofactor_enforced_groups', $state->getEnforcedGroups());
  53. $this->config->setSystemValue('twofactor_enforced_excluded_groups', $state->getExcludedGroups());
  54. }
  55. /**
  56. * Check if two-factor auth is enforced for a specific user
  57. *
  58. * The admin(s) can enforce two-factor auth system-wide, for certain groups only
  59. * and also have the option to exclude users of certain groups. This method will
  60. * check their membership of those groups.
  61. *
  62. * @param IUser $user
  63. *
  64. * @return bool
  65. */
  66. public function isEnforcedFor(IUser $user): bool {
  67. $state = $this->getState();
  68. if (!$state->isEnforced()) {
  69. return false;
  70. }
  71. $uid = $user->getUID();
  72. /*
  73. * If there is a list of enforced groups, we only enforce 2FA for members of those groups.
  74. * For all the other users it is not enforced (overruling the excluded groups list).
  75. */
  76. if (!empty($state->getEnforcedGroups())) {
  77. foreach ($state->getEnforcedGroups() as $group) {
  78. if ($this->groupManager->isInGroup($uid, $group)) {
  79. return true;
  80. }
  81. }
  82. // Not a member of any of these groups -> no 2FA enforced
  83. return false;
  84. }
  85. /**
  86. * If the user is member of an excluded group, 2FA won't be enforced.
  87. */
  88. foreach ($state->getExcludedGroups() as $group) {
  89. if ($this->groupManager->isInGroup($uid, $group)) {
  90. return false;
  91. }
  92. }
  93. /**
  94. * No enforced groups configured and user not member of an excluded groups,
  95. * so 2FA is enforced.
  96. */
  97. return true;
  98. }
  99. }