state the reason to the user for the required 2fa

b7ca7330 · Alexis Reigel · a49c5d18 · b7ca7330 · b7ca7330 · b7ca7330
Commit b7ca7330 authored Mar 08, 2017 by Alexis Reigel
3 changed files
--- a/app/controllers/concerns/enforces_two_factor_authentication.rb
+++ b/app/controllers/concerns/enforces_two_factor_authentication.rb
@@ -24,6 +24,17 @@ module EnforcesTwoFactorAuthentication
      current_user.try(:require_two_factor_authentication?)
  end

+  def two_factor_authentication_reason(global: -> {}, group: -> {})
+    if two_factor_authentication_required?
+      if current_application_settings.require_two_factor_authentication?
+        global.call
+      else
+        groups = current_user.groups.where(require_two_factor_authentication: true).reorder(name: :asc)
+        group.call(groups)
+      end
+    end
+  end
+
  def two_factor_grace_period
    periods = [current_application_settings.two_factor_grace_period]
    periods << current_user.two_factor_grace_period if current_user.try(:require_two_factor_authentication?)

--- a/app/controllers/profiles/two_factor_auths_controller.rb
+++ b/app/controllers/profiles/two_factor_auths_controller.rb
@@ -13,11 +13,24 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
    current_user.save! if current_user.changed?

    if two_factor_authentication_required? && !current_user.two_factor_enabled?
-      if two_factor_grace_period_expired?
-        flash.now[:alert] = 'You must enable Two-Factor Authentication for your account.'
-      else
+      two_factor_authentication_reason(
+        global: lambda do
+          flash.now[:alert] =
+            'The global settings require you to enable Two-Factor Authentication for your account.'
+        end,
+        group: lambda do |groups|
+          group_links = groups.map { |group| view_context.link_to group.full_name, group_path(group) }.to_sentence
+
+          flash.now[:alert] = %{
+            The group settings for #{group_links} require you to enable
+            Two-Factor Authentication for your account.
+          }.html_safe
+        end
+      )
+
+      unless two_factor_grace_period_expired?
        grace_period_deadline = current_user.otp_grace_period_started_at + two_factor_grace_period.hours
-        flash.now[:alert] = "You must enable Two-Factor Authentication for your account before #{l(grace_period_deadline)}."
+        flash.now[:alert] << " You need to do this before #{l(grace_period_deadline)}."
      end
    end


--- a/spec/features/login_spec.rb
+++ b/spec/features/login_spec.rb
@@ -199,52 +199,125 @@ feature 'Login', feature: true do

  describe 'with required two-factor authentication enabled' do
    let(:user) { create(:user) }
-    before(:each) { stub_application_setting(require_two_factor_authentication: true) }
+    #  TODO: otp_grace_period_started_at

-    context 'with grace period defined' do
-      before(:each) do
-        stub_application_setting(two_factor_grace_period: 48)
-        login_with(user)
-      end
+    context 'global setting' do
+      before(:each) { stub_application_setting(require_two_factor_authentication: true) }

-      context 'within the grace period' do
-        it 'redirects to two-factor configuration page' do
-          expect(current_path).to eq profile_two_factor_auth_path
-          expect(page).to have_content('You must enable Two-Factor Authentication for your account before')
+      context 'with grace period defined' do
+        before(:each) do
+          stub_application_setting(two_factor_grace_period: 48)
+          login_with(user)
        end

-        it 'allows skipping two-factor configuration', js: true do
-          expect(current_path).to eq profile_two_factor_auth_path
+        context 'within the grace period' do
+          it 'redirects to two-factor configuration page' do
+            expect(current_path).to eq profile_two_factor_auth_path
+            expect(page).to have_content('The global settings require you to enable Two-Factor Authentication for your account. You need to do this before ')
+          end

-          click_link 'Configure it later'
-          expect(current_path).to eq root_path
+          it 'allows skipping two-factor configuration', js: true do
+            expect(current_path).to eq profile_two_factor_auth_path
+
+            click_link 'Configure it later'
+            expect(current_path).to eq root_path
+          end
        end
-      end

-      context 'after the grace period' do
-        let(:user) { create(:user, otp_grace_period_started_at: 9999.hours.ago) }
+        context 'after the grace period' do
+          let(:user) { create(:user, otp_grace_period_started_at: 9999.hours.ago) }

-        it 'redirects to two-factor configuration page' do
-          expect(current_path).to eq profile_two_factor_auth_path
-          expect(page).to have_content('You must enable Two-Factor Authentication for your account.')
+          it 'redirects to two-factor configuration page' do
+            expect(current_path).to eq profile_two_factor_auth_path
+            expect(page).to have_content(
+              'The global settings require you to enable Two-Factor Authentication for your account.'
+            )
+          end
+
+          it 'disallows skipping two-factor configuration', js: true do
+            expect(current_path).to eq profile_two_factor_auth_path
+            expect(page).not_to have_link('Configure it later')
+          end
+        end
+      end
+
+      context 'without grace period defined' do
+        before(:each) do
+          stub_application_setting(two_factor_grace_period: 0)
+          login_with(user)
        end

-        it 'disallows skipping two-factor configuration', js: true do
+        it 'redirects to two-factor configuration page' do
          expect(current_path).to eq profile_two_factor_auth_path
-          expect(page).not_to have_link('Configure it later')
+          expect(page).to have_content(
+            'The global settings require you to enable Two-Factor Authentication for your account.'
+          )
        end
      end
    end

-    context 'without grace period defined' do
-      before(:each) do
-        stub_application_setting(two_factor_grace_period: 0)
-        login_with(user)
+    context 'group setting' do
+      before do
+        group1 = create :group, name: 'Group 1', require_two_factor_authentication: true
+        group1.add_user(user, GroupMember::DEVELOPER)
+        group2 = create :group, name: 'Group 2', require_two_factor_authentication: true
+        group2.add_user(user, GroupMember::DEVELOPER)
      end

-      it 'redirects to two-factor configuration page' do
-        expect(current_path).to eq profile_two_factor_auth_path
-        expect(page).to have_content('You must enable Two-Factor Authentication for your account.')
+      context 'with grace period defined' do
+        before(:each) do
+          stub_application_setting(two_factor_grace_period: 48)
+          login_with(user)
+        end
+
+        context 'within the grace period' do
+          it 'redirects to two-factor configuration page' do
+            expect(current_path).to eq profile_two_factor_auth_path
+            expect(page).to have_content(
+              'The group settings for Group 1 and Group 2 require you to enable ' \
+              'Two-Factor Authentication for your account. You need to do this ' \
+              'before ')
+          end
+
+          it 'allows skipping two-factor configuration', js: true do
+            expect(current_path).to eq profile_two_factor_auth_path
+
+            click_link 'Configure it later'
+            expect(current_path).to eq root_path
+          end
+        end
+
+        context 'after the grace period' do
+          let(:user) { create(:user, otp_grace_period_started_at: 9999.hours.ago) }
+
+          it 'redirects to two-factor configuration page' do
+            expect(current_path).to eq profile_two_factor_auth_path
+            expect(page).to have_content(
+              'The group settings for Group 1 and Group 2 require you to enable ' \
+              'Two-Factor Authentication for your account.'
+            )
+          end
+
+          it 'disallows skipping two-factor configuration', js: true do
+            expect(current_path).to eq profile_two_factor_auth_path
+            expect(page).not_to have_link('Configure it later')
+          end
+        end
+      end
+
+      context 'without grace period defined' do
+        before(:each) do
+          stub_application_setting(two_factor_grace_period: 0)
+          login_with(user)
+        end
+
+        it 'redirects to two-factor configuration page' do
+          expect(current_path).to eq profile_two_factor_auth_path
+          expect(page).to have_content(
+            'The group settings for Group 1 and Group 2 require you to enable ' \
+            'Two-Factor Authentication for your account.'
+          )
+        end
      end
    end
  end