openeuropa
diff --git a/‎README.md
Lines changed: 30 additions & 10 deletions b/‎README.md
Lines changed: 30 additions & 10 deletions
diff --git a/‎config/install/oe_authentication.settings.yml
Lines changed: 2 additions & 0 deletions b/‎config/install/oe_authentication.settings.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎config/schema/oe_authentication.schema.yml
Lines changed: 11 additions & 0 deletions b/‎config/schema/oe_authentication.schema.yml
Lines changed: 11 additions & 0 deletions
diff --git a/‎modules/oe_authentication_corporate_roles/tests/src/Kernel/CorporateRolesTest.php
Lines changed: 2 additions & 0 deletions b/‎modules/oe_authentication_corporate_roles/tests/src/Kernel/CorporateRolesTest.php
Lines changed: 2 additions & 0 deletions
diff --git a/‎oe_authentication.post_update.php
Lines changed: 10 additions & 0 deletions b/‎oe_authentication.post_update.php
Lines changed: 10 additions & 0 deletions
diff --git a/‎oe_authentication.services.yml
Lines changed: 18 additions & 4 deletions b/‎oe_authentication.services.yml
Lines changed: 18 additions & 4 deletions
diff --git a/‎runner.yml.dist
Lines changed: 2 additions & 0 deletions b/‎runner.yml.dist
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/Event/EuLoginEventSubscriber.php
Lines changed: 28 additions & 16 deletions b/‎src/Event/EuLoginEventSubscriber.php
Lines changed: 28 additions & 16 deletions
@@ -80,27 +80,47 @@ authenticate via CAS when they hit all or some of the pages on your site.
 
 See the [Cas module](https://www.drupal.org/project/cas) for more information.
 
-### SSL Verification Setting
+### Proxy
 
-The EU Login Authentication server must be accessed over HTTPS and the drupal site will verify the SSL/TLS certificate
-of the server to be sure it is authentic.
+You can configure the module to "Initialize this client as a proxy" which allows
+authentication requests to 3rd party services (e.g. ePOETRY).
 
-For development, you can configure the module to disable this verification:
 ```php
-$config['cas.settings']['server']['verify'] = '2';
+$config['cas.settings']['proxy']['initialize'] = TRUE;
 ```
-_NOTE: DO NOT USE IN PRODUCTION!_
 
 See the [Cas module](https://www.drupal.org/project/cas) for more information.
 
-### Proxy
+### Two-factor authentication
+The module allows to configure if two-factor authentication (in short, 2FA) is required for users to log in.
+It supports three modes:
+* _Never_: 2FA is never required for any registered user account.
+* _Always_: 2FA is always required for any registered user account. A 2FA authentication method will be enforced directly on EU Login.
+* _Based on conditions_: 2FA is required only for registered user accounts that match one of the configured conditions. See below.
 
-You can configure the module to "Initialize this client as a proxy" which allows
-authentication requests to 3rd party services (e.g. ePOETRY).
+**Two-factor authentication conditions**
+
+The conditions are validated after the user logged in via EU Login, and only if
+the login was executed without using a 2FA authentication method.\
+If at least one of the configured conditions evaluate successfully for the user account, the login
+to the website will be rejected.\
+A message will be shown to the user to log in again using a suitable method, together
+with a link that will allow to choose only 2FA authentication methods on EU Login.
+
+The system will allow to configure any condition plugin (`\Drupal\Core\Condition\ConditionInterface`) that requires a user account as context.\
+The default condition available via Drupal core is the User Role condition (`\Drupal\user\Plugin\Condition\UserRole`).
+This condition can be configured with the roles that are required to use 2FA authentication methods in order to log in into the website.
+
+### SSL Verification Setting
+
+The EU Login Authentication server must be accessed over HTTPS and the drupal site will verify the SSL/TLS certificate
+of the server to be sure it is authentic.
 
+For development, you can configure the module to disable this verification:
 ```php
-$config['cas.settings']['proxy']['initialize'] = TRUE;
+$config['cas.settings']['server']['verify'] = '2';
 ```
+_NOTE: DO NOT USE IN PRODUCTION!_
 
 See the [Cas module](https://www.drupal.org/project/cas) for more information.
 
 
@@ -5,3 +5,5 @@ assurance_level: TOP
 ticket_types: SERVICE,PROXY
 force_2fa: false
 restrict_user_delete_cancel_methods: true
+2fa_conditions: {  }
+message_login_2fa_required: 'Your account is required to log in using a two-factor authentication method. Please <a href=":login">log in again via this link</a>.'
@@ -1,6 +1,8 @@
 oe_authentication.settings:
   type: config_object
   label: 'OpenEuropa Authentication settings'
+  constraints:
+    FullyValidatable: ~
   mapping:
     protocol:
       type: string
@@ -23,3 +25,12 @@ oe_authentication.settings:
     restrict_user_delete_cancel_methods:
       type: boolean
       label: 'Restrict access to user cancel methods that permanently delete the account'
+    2fa_conditions:
+      type: sequence
+      label: 'Two-factor authentication conditions'
+      sequence:
+        type: condition.plugin.[id]
+        label: 'Two-factor authentication condition'
+    message_login_2fa_required:
+      type: text
+      label: 'Error message for login denied: two-factor authentication required'
@@ -22,6 +22,8 @@ class CorporateRolesTest extends KernelTestBase {
    * {@inheritdoc}
    */
   protected static $modules = [
+    'cas',
+    'externalauth',
     'oe_authentication',
     'oe_authentication_corporate_roles',
     'oe_authentication_user_fields',
 
@@ -51,3 +51,13 @@ function oe_authentication_post_update_00005(): void {
     ->set('restrict_user_delete_cancel_methods', TRUE)
     ->save();
 }
+
+/**
+ * Set default values for 2FA conditions and related message.
+ */
+function oe_authentication_post_update_00006(): void {
+  \Drupal::configFactory()->getEditable('oe_authentication.settings')
+    ->set('2fa_conditions', [])
+    ->set('message_login_2fa_required', 'Your account is required to log in using a two-factor authentication method. Please <a href=":login">log in again via this link</a>.')
+    ->save();
+}
@@ -1,15 +1,29 @@
 services:
   oe_authentication.route_subscriber:
-    class: \Drupal\oe_authentication\Routing\RouteSubscriber
+    class: Drupal\oe_authentication\Routing\RouteSubscriber
     tags:
       - { name: event_subscriber }
   oe_authentication.event_subscriber:
-    class: \Drupal\oe_authentication\Event\EuLoginEventSubscriber
+    class: Drupal\oe_authentication\Event\EuLoginEventSubscriber
     tags:
       - { name: event_subscriber }
-    arguments: ['@config.factory']
+    arguments: ['@config.factory', '@request_stack']
   oe_authentication.messenger.event_subscriber:
-    class: \Drupal\oe_authentication\Event\MessengerEuLoginEventSubscriber
+    class: Drupal\oe_authentication\Event\MessengerEuLoginEventSubscriber
     tags:
       - { name: event_subscriber }
     arguments: ['@messenger']
+  oe_authentication.subscriber.two_factor_authentication:
+    class: Drupal\oe_authentication\Event\TwoFactorAuthenticationEventSubscriber
+    arguments:
+      - '@config.factory'
+      - '@plugin.manager.condition'
+      - '@context.handler'
+      - '@logger.channel.oe_authentication'
+      - '@cas.helper'
+      - '@string_translation'
+    tags:
+      - { name: event_subscriber }
+  logger.channel.oe_authentication:
+    parent: logger.channel_base
+    arguments: ['oe_authentication']
@@ -47,5 +47,7 @@ commands:
     - { task: "run", command: "setup:behat" }
   setup:phpunit:
     - { task: "process", source: "phpunit.xml.dist", destination: "phpunit.xml" }
+    # Generate settings.testing.php, it will be used when running functional tests.
+    - { task: "process-php", type: "write", config: "drupal.settings", source: "${drupal.root}/sites/default/default.settings.php", destination: "${drupal.root}/sites/default/settings.testing.php", override: true }
   setup:behat:
     - { task: "process", source: "behat.yml.dist", destination: "behat.yml" }
@@ -4,6 +4,7 @@
 
 namespace Drupal\oe_authentication\Event;
 
+use Drupal\Component\Utility\UrlHelper;
 use Drupal\Core\Config\ConfigFactoryInterface;
 use Drupal\Core\StringTranslation\StringTranslationTrait;
 use Drupal\cas\Event\CasPostValidateEvent;
@@ -12,8 +13,8 @@
 use Drupal\cas\Event\CasPreValidateEvent;
 use Drupal\oe_authentication\CasProcessor;
 use Drupal\user\UserInterface;
-use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpFoundation\RequestStack;
 
 /**
  * Event subscriber for CAS module events.
@@ -33,22 +34,20 @@ class EuLoginEventSubscriber implements EventSubscriberInterface {
   protected $configFactory;
 
   /**
-   * Constructors the EuLoginEventSubscriber.
+   * The request stack.
    *
-   * @param \Drupal\Core\Config\ConfigFactoryInterface $configFactory
-   *   The config factory.
+   * @var \Symfony\Component\HttpFoundation\RequestStack
    */
-  public function __construct(ConfigFactoryInterface $configFactory) {
-    $this->configFactory = $configFactory;
-  }
+  protected RequestStack $requestStack;
 
-  /**
-   * {@inheritdoc}
-   */
-  public static function create(ContainerInterface $container) {
-    return new static(
-      $container->get('config.factory'),
-    );
+  public function __construct(ConfigFactoryInterface $configFactory, ?RequestStack $requestStack = NULL) {
+    $this->configFactory = $configFactory;
+    if ($requestStack === NULL) {
+      // phpcs:ignore Drupal.Semantics.FunctionTriggerError.TriggerErrorTextLayoutRelaxed
+      @trigger_error('Calling ' . __METHOD__ . '() without the $requestStack argument is deprecated in oe_authentication:1.x and will be required in oe_authentication:2.x.', E_USER_DEPRECATED);
+      $requestStack = \Drupal::requestStack();
+    }
+    $this->requestStack = $requestStack;
   }
 
   /**
@@ -110,9 +109,17 @@ public function processUserProperties(CasPreRegisterEvent $event): void {
    *   The triggered event.
    */
   public function forceTwoFactorAuthentication(CasPreRedirectEvent $event): void {
-    if ($this->configFactory->get('oe_authentication.settings')->get('force_2fa')) {
+    $config_forced_2fa = $this->configFactory->get('oe_authentication.settings')->get('force_2fa');
+    $request_forced_2fa = $this->requestStack->getCurrentRequest()->query->has('force_2fa');
+
+    if ($config_forced_2fa || $request_forced_2fa) {
       $data = $event->getCasRedirectData();
       $data->setParameter('authenticationLevel', 'MEDIUM');
+
+      // Add a parameter to the service URL to add 2FA during ticket validation.
+      if ($request_forced_2fa) {
+        $data->setServiceParameter('force_2fa', 1);
+      }
     }
   }
 
@@ -148,7 +155,12 @@ public function alterValidationPath(CasPreValidateEvent $event): void {
       'userDetails' => 'true',
       'groups' => '*',
     ];
-    if ($config->get('force_2fa')) {
+
+    $service_url = UrlHelper::parse($event->getParameters()['service']);
+    // Add 2FA validation is 2FA is always required via config, or if it has
+    // been required for this request.
+    // @see ::forceTwoFactorAuthentication()
+    if ($config->get('force_2fa') || isset($service_url['query']['force_2fa'])) {
       $params['authenticationLevel'] = 'MEDIUM';
     }
     $event->addParameters($params);