2FA Modifications

This commit adds to the functionality of two factor authentication for osTicket.

- Ensures that we do not clear out external 2fa configurations
- Enables 2fa options in the dropdown box of the profile when they are configured
- Adds help tip to the Default 2FA field
- Forces Agents to configure and save 2FA if 'Require agents to turn on 2FA' is checked upon next login
- Fixes the following error:
	- Call to a member function getTabs() on null in include/staff/templates/navigation.tmpl.php

include/ajax.staff.php

@@ -278,11 +278,17 @@ function configure2FA($staffId, $id=0) {
                     $vars = $_POST ?: $config['config'] ?: array('email' => $staff->getEmail());
                     $form = $auth->getSetupForm($vars);
                     if ($_POST && $form && $form->isValid()) {
+                        if ($config['config'] && $config['config']['external2fa'])
+                            $external2fa = true;
+
                         // Save the setting based on setup form
                         $clean = $form->getClean();
-                        $config = ['config' => $clean, 'verified' => 0];
-                        $staff->updateConfig(array(
-                                    $auth->getId() => JsonDataEncoder::encode($config)));
+                        if (!$external2fa) {
+                            $config = ['config' => $clean, 'verified' => 0];
+                            $staff->updateConfig(array(
+                                        $auth->getId() => JsonDataEncoder::encode($config)));
+                        }
+
                         // Send verification token to the user
                         if ($token=$auth->send($staff)) {
                             // Transition to verify state
@@ -291,7 +297,7 @@ function configure2FA($staffId, $id=0) {
                             $info['notice'] = __('Token sent to you!');
                         } else {
                             // Generic error TODO: better wording
-                            $info['error'] = __('Error sending Token - doubdle check entry');
+                            $info['error'] = __('Error sending Token - double check entry');
                         }
                     }
             }

include/class.staff.php

@@ -389,6 +389,12 @@ function forcePasswdChange() {
         return $this->change_passwd;
     }
 
+    function force2faConfig() {
+        global $cfg;
+
+        return ($cfg->require2FAForAgents() && !$this->get2FABackend());
+    }
+
     function getDepartments() {
         // TODO: Cache this in the agent's session as it is unlikely to
         //       change while logged in

include/i18n/en_US/help/tips/dashboard.my_profile.yaml

@@ -27,6 +27,14 @@ username:
       - title: Change a username as an Administrator
         href: /scp/staff.php
 
+config2fa:
+    title: Two Factor Authentication
+    content: >
+        Two Factor Authentication adds an extra layer of security
+        when logging into the helpdesk. Once you correctly submit
+        your username and password, you will need to enter a token
+        to finish logging into the helpdesk.
+
 time_zone:
     title: Time Zone
     content: >
@@ -83,11 +91,11 @@ confirm_new_password:
 signature:
     title: Signature
     content: >
-        Create an optional <span class="doc-desc-title">Signature</span> 
-        that perhaps appears at the end of your Ticket Responses. Whether this 
-        <span class="doc-desc-title">Signature</span> appears, or not, depends 
-        on the <span class="doc-desc-title">Email Template</span> that will be 
-        used in a Ticket Response. 
+        Create an optional <span class="doc-desc-title">Signature</span>
+        that perhaps appears at the end of your Ticket Responses. Whether this
+        <span class="doc-desc-title">Signature</span> appears, or not, depends
+        on the <span class="doc-desc-title">Email Template</span> that will be
+        used in a Ticket Response.
     links:
       - title: Create Emails Templates in the Admin Panel
         href: /scp/templates.php

include/staff/profile.inc.php

@@ -142,7 +142,8 @@ class="staff-username typeahead"
                  $configured = (isset($_config[$bk->getId()]) &&
                      $_config[$bk->getId()]['verified']);
                  ?>
-              <option value="<?php echo $bk->getId(); ?>" <?php
+              <option id="<?php echo $bk->getId(); ?>"
+                      value="<?php echo $bk->getId(); ?>" <?php
                 if ($current == $bk->getId() && $configured)
                   echo ' selected="selected" '; ?>
                 <?php

include/staff/templates/2fas.tmpl.php

@@ -22,15 +22,22 @@
       foreach (Staff2FABackend::allRegistered() ?: array() as $bk) {
           $isVerified = (isset($config[$bk->getId()]) &&
                   $config[$bk->getId()]['verified']);
+          if ($isVerified) {
           ?>
+          <script type="text/javascript">
+              isVerified = '<?php echo $isVerified;?>';
+              id = '<?php echo $id;?>';
+              enable2fa(isVerified, id);
+          </script>
+          <?php } ?>
       <tr id="<?php echo $bk->getId(); ?>">
         <td nowrap width="10px">
           <i class="faded-more <?php echo sprintf('icon-check-%s',
           $isVerified ? 'sign' : 'empty'); ?>"></i>
           <span data-name="label"></span>
         </td>
         <td width="300px">
-            <a class="config2fa" 
+            <a class="config2fa"
                 href="<?php echo sprintf('#staff/%d/2fa/configure/%s',
                 $staff->getId(), urlencode($bk->getId())); ?>"> <?php echo $bk->getName(); ?>
               </a>
@@ -55,8 +62,8 @@
  <div><?php echo Format::htmlchars($instruction); ?></div>
  <br>
 <form class="bk" method="post" action="<?php echo sprintf('#staff/%d/2fa/configure/%s',
-    $staff->getId(), $auth->getId()); ?>">    
-    <input type="hidden" name="state" value="<?php 
+    $staff->getId(), $auth->getId()); ?>">
+    <input type="hidden" name="state" value="<?php
         echo $state ?: 'validate'; ?>" />
     <?php
     echo csrf_token();
@@ -80,6 +87,11 @@
 </div>
 <div class="clear"></div>
 <script type="text/javascript">
+function enable2fa(isVerified, id) {
+    document.getElementById(id).disabled=false;
+    document.getElementById(id).selected=true;
+}
+
 $(function() {
     $('a.config2fa').click( function(e) {
         e.preventDefault();
@@ -107,4 +119,3 @@
 
 });
 </script>
-

include/staff/templates/navigation.tmpl.php

@@ -1,5 +1,5 @@
 <?php
-if(($tabs=$nav->getTabs()) && is_array($tabs)){
+if($nav && ($tabs=$nav->getTabs()) && is_array($tabs)){
     foreach($tabs as $name =>$tab) {
         if ($tab['href'][0] != '/')
             $tab['href'] = ROOT_PATH . 'scp/' . $tab['href'];

scp/profile.php

@@ -44,6 +44,15 @@
             $thisstaff->getFirstName()
         )
     );
+elseif($thisstaff->force2faConfig() && !$errors['err'])
+    $errors['err'] = str_replace(
+        '<a>',
+        sprintf('<a data-dialog="ajax.php/staff/%d/2fa/configure" href="#">', $thisstaff->getId()),
+        sprintf(
+            __('<b>Hi %s</b> - You must <a>configure and save Two Factor Authentication </a>!'),
+            $thisstaff->getFirstName()
+        )
+    );
 elseif($thisstaff->onVacation() && !$warn)
     $warn=sprintf(__("<b>Welcome back %s</b>! You are listed as 'on vacation' Please let your manager know that you are back."),$thisstaff->getFirstName());
 

scp/staff.inc.php

@@ -136,6 +136,10 @@ function staffLoginPage($msg) {
     $sysnotice = __('Password change required to continue');
     require('profile.php'); //profile.php must request this file as require_once to avoid problems.
     exit;
+} elseif ($thisstaff->force2faConfig() && !$exempt) {
+    $sysnotice = __('Two Factor Authentication configuration required to continue');
+    require('profile.php');
+    exit;
 }
 $ost->setWarning($sysnotice);
 $ost->setPageTitle(__('osTicket :: Staff Control Panel'));