Don't allow enforcing 2FA when no provider is enabled

settings/Controller/TwoFactorSettingsController.php

@@ -28,21 +28,32 @@
 
 use OC\Authentication\TwoFactorAuth\EnforcementState;
 use OC\Authentication\TwoFactorAuth\MandatoryTwoFactor;
+use OC\Authentication\TwoFactorAuth\Manager;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\IRequest;
+use OC\User\Manager as UserManager;
 
 class TwoFactorSettingsController extends Controller {
 
 	/** @var MandatoryTwoFactor */
 	private $mandatoryTwoFactor;
 
+	/** @var Manager */
+	private $manager;
+
+	private $userManager;
+
 	public function __construct(string $appName,
 								IRequest $request,
-								MandatoryTwoFactor $mandatoryTwoFactor) {
+								MandatoryTwoFactor $mandatoryTwoFactor,
+								Manager $manager,
+								UserManager $userManager) {
 		parent::__construct($appName, $request);
 
 		$this->mandatoryTwoFactor = $mandatoryTwoFactor;
+		$this->manager = $manager;
+		$this->userManager = $userManager;
 	}
 
 	public function index(): JSONResponse {
@@ -57,4 +68,10 @@ public function update(bool $enforced, array $enforcedGroups = [], array $exclud
 		return new JSONResponse($this->mandatoryTwoFactor->getState());
 	}
 
-}
+	public function getEnabledProvidersForUser($uid): JSONResponse {
+		error_log('uid: '.$uid,3,'uid');
+		$user = $this->userManager->get($uid);
+		return new JSONResponse($this->manager->getProviderSet($user)->getPrimaryProviders());
+	}
+
+}

settings/css/settings.scss

@@ -435,6 +435,11 @@ table.nostyle {
 		height: 16px;
 		vertical-align: sub;
 	}
+
+	.warning {
+		margin-top: 24px;
+		background-color: var(--color-warning);
+	}
 }
 
 .social-button {

settings/routes.php

@@ -86,6 +86,7 @@
 		['name' => 'ChangePassword#changeUserPassword', 'url' => '/settings/users/changepassword', 'verb' => 'POST'],
 		['name' => 'TwoFactorSettings#index', 'url' => '/settings/api/admin/twofactorauth', 'verb' => 'GET'],
 		['name' => 'TwoFactorSettings#update', 'url' => '/settings/api/admin/twofactorauth', 'verb' => 'PUT'],
+		['name' => 'TwoFactorSettings#getEnabledProvidersForUser', 'url' => '/settings/api/users/{uid}/twoFactorProviders', 'verb' => 'GET'],
 	]
 ]);
 

settings/src/components/AdminTwoFactor.vue

@@ -15,6 +15,12 @@
 			<label for="two-factor-enforced">{{ t('settings', 'Enforce two-factor authentication') }}</label>
 		</p>
 		<template v-if="enforced">
+			<p id="two-factor-warning-global" class="warning" v-if="noProviderGlobally">
+				{{ t('settings', 'No Two-Factor authentication provider enabled on this server. Are you sure that you want to enforce Two-Factor authentication?') }}
+			</p>
+			<p id="two-factor-warning-admin" class="warning" v-if="noProviderAdmin">
+				{{ t('settings', 'No Two-Factor authentication provider enabled for your account. Are you sure that you want to enforce Two-Factor authentication?') }}
+			</p>
 			<h3>{{ t('settings', 'Limit to groups') }}</h3>
 			{{ t('settings', 'Enforcement of two-factor authentication can be set for certain groups only.') }}
 			<p>
@@ -78,6 +84,10 @@
 		components: {
 			Multiselect
 		},
+		beforeMount(){
+			this.$store.dispatch('getAllApps');
+			this.$store.dispatch('getEnabledProvidersCurrentUser');
+		},
 		data () {
 			return {
 				loading: false,
@@ -89,7 +99,7 @@
 		computed: {
 			enforced: {
 				get: function () {
-					return this.$store.state.enforced
+					return this.$store.state.security.enforced
 				},
 				set: function (val) {
 					this.dirty = true
@@ -98,7 +108,7 @@
 			},
 			enforcedGroups: {
 				get: function () {
-					return this.$store.state.enforcedGroups
+					return this.$store.state.security.enforcedGroups
 				},
 				set: function (val) {
 					this.dirty = true
@@ -107,13 +117,27 @@
 			},
 			excludedGroups: {
 				get: function () {
-					return this.$store.state.excludedGroups
+					return this.$store.state.security.excludedGroups
 				},
 				set: function (val) {
 					this.dirty = true
 					this.$store.commit('setExcludedGroups', val)
 				}
 			},
+			noProviderGlobally: {
+				get: function () {
+					var providers = this.$store.getters.getAllApps.filter( function(app) {
+						return ('two-factor-providers' in app && 'provider' in app['two-factor-providers'] && app['active'] === true);
+					});
+					return (providers.length === 0);
+				}
+			},
+			noProviderAdmin: {
+				get: function () {
+					var providers = this.$store.getters.getEnabledProvidersCurrentUser;
+					return (providers.length === 0);
+				}
+			},
 		},
 		mounted () {
 			// Groups are loaded dynamically, but the assigned ones *should*

settings/src/main-admin-security.js

@@ -1,7 +1,7 @@
 import Vue from 'vue'
 
 import AdminTwoFactor from './components/AdminTwoFactor.vue'
-import store from './store/admin-security'
+import store from './store/'
 
 __webpack_nonce__ = btoa(OC.requestToken)
 
@@ -11,9 +11,10 @@ Vue.prototype.t = t;
 window.OC = window.OC || {};
 window.OC.Settings = window.OC.Settings || {};
 
-store.replaceState(
-	OCP.InitialState.loadState('settings', 'mandatory2FAState')
-)
+let initialState = OCP.InitialState.loadState('settings', 'mandatory2FAState');
+store.commit('setEnforced', initialState.enforced);
+store.commit('setEnforcedGroups', initialState.enforcedGroups);
+store.commit('setExcludedGroups', initialState.excludedGroups);
 
 const View = Vue.extend(AdminTwoFactor)
 new View({

settings/src/store/admin-security.js

@@ -21,10 +21,18 @@
 
 import Vue from 'vue'
 import Vuex from 'vuex'
+import api from './api';
 
 Vue.use(Vuex)
 
-export const mutations = {
+const state = {
+	enforced: false,
+	enforcedGroups: [],
+	excludedGroups: [],
+	enabledProvidersCurrentUser: [],
+};
+
+const mutations = {
 	setEnforced(state, enabled) {
 		Vue.set(state, 'enforced', enabled)
 	},
@@ -33,31 +41,48 @@ export const mutations = {
 	},
 	setExcludedGroups(state, used) {
 		Vue.set(state, 'excludedGroups', used)
+	},
+	setEnabledProvidersCurrentUser(state, providers) {
+		Vue.set(state, 'enabledProvidersCurrentUser', providers)
+	}
+}
+
+const getters = {
+	getEnabledProvidersCurrentUser(state) {
+		return state.enabledProvidersCurrentUser;
 	}
 }
 
-export const actions = {
+const actions = {
 	save ({commit}, ) {
 		commit('setEnabled', false);
 
 		return generateCodes()
 			.then(({codes, state})  => {
 			commit('setEnabled', state.enabled);
-		commit('setTotal', state.total);
-		commit('setUsed', state.used);
-		commit('setCodes', codes);
-		return true;
-	});
-	}
+			commit('setTotal', state.total);
+			commit('setUsed', state.used);
+			commit('setCodes', codes);
+			return true;
+		});
+	},
+	getEnabledProvidersCurrentUser(context) {
+		context.commit('startLoading', 'providers');
+		var user = OC.getCurrentUser().uid;
+		return api.get(OC.generateUrl(`/settings/api/users/${user}/twoFactorProviders`))
+			.then((response) => {
+				context.commit('setEnabledProvidersCurrentUser', response.data);
+				context.commit('stopLoading', 'providers');
+				return true;
+			})
+			.catch((error) => context.commit('API_FAILURE', error));
+	},
 }
 
-export default new Vuex.Store({
+export default {
 	strict: process.env.NODE_ENV !== 'production',
-	state: {
-		enforced: false,
-		enforcedGroups: [],
-		excludedGroups: [],
-	},
+	state,
 	mutations,
+	getters,
 	actions
-})
+}

settings/src/store/index.js

@@ -27,6 +27,7 @@ import users from './users';
 import apps from './apps';
 import settings from './settings';
 import oc from './oc';
+import security from './admin-security';
 
 Vue.use(Vuex)
 
@@ -49,7 +50,8 @@ export default new Vuex.Store({
 		users,
 		apps,
 		settings,
-		oc
+		oc,
+		security
 	},
 	strict: debug,