Initial implementation

From #5397

Author: Jan-Schuppik

application/controllers/AccountController.php

@@ -4,13 +4,17 @@
 namespace Icinga\Controllers;
 
 use Icinga\Application\Config;
+use Icinga\Application\Icinga;
 use Icinga\Authentication\User\UserBackend;
 use Icinga\Data\ConfigObject;
 use Icinga\Exception\ConfigurationError;
 use Icinga\Forms\Account\ChangePasswordForm;
+use Icinga\Forms\Account\TotpForm;
 use Icinga\Forms\PreferenceForm;
+use Icinga\Authentication\Totp;
 use Icinga\User\Preferences\PreferencesStore;
 use Icinga\Web\Controller;
+use Icinga\Web\Session;
 
 /**
  * My Account
@@ -67,6 +71,28 @@ public function indexAction()
             }
         }
 
+        // form to add, remove, enable & disable 2FA via TOTP
+
+        if ($user->can('user/two-factor-authentication')) {
+            if (isset($_POST['enabled_2fa'])) {
+                Session::getSession()->set('enabled_2fa', $_POST['enabled_2fa'] == 1);
+            }
+            $totp = Session::getSession()->get('icingaweb_totp', null) ?? new Totp($user->getUsername());
+            $totpForm = (new TotpForm())
+                ->setPreferences($user->getPreferences())
+                ->setTotp($totp)
+                ->setEnabled2FA(Session::getSession()->get('enabled_2fa', false));
+            if (isset($config->config_resource)) {
+                $totpForm->setStore(PreferencesStore::create(new ConfigObject(array(
+                    'resource'  => $config->config_resource
+                )), $user));
+            }
+
+            $totpForm->handleRequest();
+
+            $this->view->totpForm = $totpForm;
+        }
+
         $form = new PreferenceForm();
         $form->setPreferences($user->getPreferences());
         if (isset($config->config_resource)) {

application/controllers/AuthenticationController.php

@@ -8,10 +8,13 @@
 use Icinga\Application\Logger;
 use Icinga\Common\Database;
 use Icinga\Exception\AuthenticationException;
+use Icinga\Forms\Authentication\Cancel2FAForm;
+use Icinga\Forms\Authentication\Challenge2FAForm;
 use Icinga\Forms\Authentication\LoginForm;
 use Icinga\Web\Controller;
 use Icinga\Web\Helper\CookieHelper;
 use Icinga\Web\RememberMe;
+use Icinga\Web\Session;
 use Icinga\Web\Url;
 use RuntimeException;
 
@@ -41,7 +44,16 @@ public function loginAction()
         if (($requiresSetup = $icinga->requiresSetup()) && $icinga->setupTokenExists()) {
             $this->redirectNow(Url::fromPath('setup'));
         }
-        $form = new LoginForm();
+
+        $user = $this->Auth()->getUser();
+        if ($user !== null && $user->getTwoFactorEnabled()
+            && Session::getSession()->get('must_challenge_2fa_token', false) === true) {
+            $form = new Challenge2FAForm();
+            $cancel2faForm = new Cancel2FAForm();
+            $cancel2faForm->handleRequest();
+        } else {
+            $form = new LoginForm();
+        }
 
         if (RememberMe::hasCookie() && $this->hasDb()) {
             $authenticated = false;
@@ -91,14 +103,10 @@ public function loginAction()
                     ->sendResponse();
                 exit;
             }
-            // FORM DOES NOT REDIRECT, IF USER HAS 2FA ENABLED and token hasn't been challenged
             $form->handleRequest();
         }
-//        if ($user->has2FA() && irgendwas_mit_session()) {
-//            // 2 FA form erstellen und zeigen und handeln
-        // in der session speichern ob der token gepasst hat
-//        }
         $this->view->form = $form;
+        $this->view->cancel2faForm = $cancel2faForm ?? null;
         $this->view->defaultTitle = $this->translate('Icinga Web 2 Login');
         $this->view->requiresSetup = $requiresSetup;
     }