From 1eee2231f8beefe033b1c1bab5c88b546cfc0055 Mon Sep 17 00:00:00 2001
From: "Pierre H. Lehnen"
Date: Thu, 20 Dec 2018 22:37:32 -0200
Subject: [PATCH] [NEW] Mandatory 2fa for role (#9748)
* Added setting to force user roles to use 2fa
* Added conditional check to force user to configure 2fa when needed
* Added Missing String; Improved Code Quality
* Update permissionsRole.js
---
 .../client/views/permissionsRole.html | 5 +++
 .../client/views/permissionsRole.js | 1 +
 .../server/methods/saveRole.js | 2 +-
 .../server/models/Roles.js | 6 +++-
 .../server/startup.js | 2 +-
 packages/rocketchat-i18n/i18n/en.i18n.json | 1 +
 .../rocketchat-ui-master/client/main.html | 33 +++++++++++--------
 packages/rocketchat-ui-master/client/main.js | 11 +++++++
 8 files changed, 45 insertions(+), 16 deletions(-)
diff --git a/packages/rocketchat-authorization/client/views/permissionsRole.html b/packages/rocketchat-authorization/client/views/permissionsRole.html
index 4aaa9f692431..403d69ec50fc 100644
--- a/packages/rocketchat-authorization/client/views/permissionsRole.html
+++ b/packages/rocketchat-authorization/client/views/permissionsRole.html
@@ -21,6 +21,11 @@ + +
+ + +
{{#if editable}}
diff --git a/packages/rocketchat-authorization/client/views/permissionsRole.js b/packages/rocketchat-authorization/client/views/permissionsRole.js
index 6b92f463bdba..4f06f256f718 100644
--- a/packages/rocketchat-authorization/client/views/permissionsRole.js
+++ b/packages/rocketchat-authorization/client/views/permissionsRole.js
@@ -146,6 +146,7 @@ Template.permissionsRole.events({
 const roleData = {
 description: e.currentTarget.elements.description.value,
 scope: e.currentTarget.elements.scope.value,
+ mandatory2fa: e.currentTarget.elements.mandatory2fa.checked,
 };
 if (this._id) {
diff --git a/packages/rocketchat-authorization/server/methods/saveRole.js b/packages/rocketchat-authorization/server/methods/saveRole.js
index d83d680ce42e..89f218850b95 100644
--- a/packages/rocketchat-authorization/server/methods/saveRole.js
+++ b/packages/rocketchat-authorization/server/methods/saveRole.js
@@ -20,7 +20,7 @@ Meteor.methods({
 roleData.scope = 'Users';
 }
- const update = RocketChat.models.Roles.createOrUpdate(roleData.name, roleData.scope, roleData.description);
+ const update = RocketChat.models.Roles.createOrUpdate(roleData.name, roleData.scope, roleData.description, false, roleData.mandatory2fa);
 if (RocketChat.settings.get('UI_DisplayRoles')) {
 RocketChat.Notifications.notifyLogged('roles-change', {
 type: 'changed',
diff --git a/packages/rocketchat-authorization/server/models/Roles.js b/packages/rocketchat-authorization/server/models/Roles.js
index 2295f1051afd..af660b6c3130 100644
--- a/packages/rocketchat-authorization/server/models/Roles.js
+++ b/packages/rocketchat-authorization/server/models/Roles.js
@@ -26,7 +26,7 @@ class ModelRoles extends RocketChat.models._Base {
 });
 }
- createOrUpdate(name, scope = 'Users', description, protectedRole) {
+ createOrUpdate(name, scope = 'Users', description, protectedRole, mandatory2fa) {
 const updateData = {};
 updateData.name = name;
 updateData.scope = scope;
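Review bot: In server/methods/saveRole.js, `roleData.mandatory2fa` comes from the method caller and is passed to `createOrUpdate` with no type check visible in this hunk, and the second Roles.js hunk stores any value that passes `mandatory2fa != null`. A string or object sent by a caller would be persisted as the role's 2FA flag and later evaluated by truthiness. Validate it before the call, for example `check(roleData.mandatory2fa, Match.Optional(Boolean));`, so only a real boolean or an omitted value reaches the model. The method body starts above the hunk, so a check may already exist there; it is not visible from these lines.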
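Review bot: The new `mandatory2fa` parameter of `createOrUpdate` in server/models/Roles.js makes the requirement part of the role record, but judging by the diffstat the only code that acts on it lives in rocketchat-ui-master/client (main.html and main.js), and no server file in this patch reads the flag. If that is the case, the requirement holds only for sessions that render that template; clients that talk to the server through other paths would not be held to it. Consider a server-side check at login or in the method/REST authorization layer that refuses users in a `mandatory2fa` role who have no second factor configured. Until then a comment on the parameter would help, such as `// mandatory2fa: UI prompt only; not enforced by the server`. The body of `createOrUpdate` continues past this hunk, and main.js is outside the visible part of the patch.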
@@ -39,6 +39,10 @@ class ModelRoles extends RocketChat.models._Base {
 updateData.protected = protectedRole;
 }
+ if (mandatory2fa != null) {
+ updateData.mandatory2fa = mandatory2fa;
+ }
+
 this.upsert({ _id: name }, { $set: updateData });
 }
diff --git a/packages/rocketchat-authorization/server/startup.js b/packages/rocketchat-authorization/server/startup.js
index db5114060f32..75920aa63472 100644
--- a/packages/rocketchat-authorization/server/startup.js
+++ b/packages/rocketchat-authorization/server/startup.js
@@ -95,6 +95,6 @@ Meteor.startup(function() {
 ];
 for (const role of defaultRoles) {
- RocketChat.models.Roles.upsert({ _id: role.name }, { $setOnInsert: { scope: role.scope, description: role.description || '', protected: true } });
+ RocketChat.models.Roles.upsert({ _id: role.name }, { $setOnInsert: { scope: role.scope, description: role.description || '', protected: true, mandatory2fa: false } });
 }
 });
diff --git a/packages/rocketchat-i18n/i18n/en.i18n.json b/packages/rocketchat-i18n/i18n/en.i18n.json
index 3dc61da17dc5..47c8aa1ee2fe 100644
--- a/packages/rocketchat-i18n/i18n/en.i18n.json
+++ b/packages/rocketchat-i18n/i18n/en.i18n.json
@@ -2871,6 +2871,7 @@
 "Users": "Users",
 "Users_added": "The users have been added",
 "Users_in_role": "Users in role",
+ "Users must use Two Factor Authentication": "Users must use Two Factor Authentication",
 "UTF8_Names_Slugify": "UTF8 Names Slugify",
 "UTF8_Names_Validation": "UTF8 Names Validation",
 "UTF8_Names_Validation_Description": "RegExp that will be used to validate usernames and channel names",
diff --git a/packages/rocketchat-ui-master/client/main.html b/packages/rocketchat-ui-master/client/main.html
index b2e8bd574d69..31f68d91c121 100644
--- a/packages/rocketchat-ui-master/client/main.html
+++ b/packages/rocketchat-ui-master/client/main.html
@@ -46,20 +46,27 @@ {{#if requirePasswordChange}} {{> loginLayout center="resetPassword"}} {{else}} - {{> videoCall overlay=true}} -
-