Bug 1364233 - Add setting to force a group to require MFA and restrict users in that group who have not enabled MFA

3 files changed, 47 insertions, 6 deletions

diff --git a/template/en/default/account/prefs/mfa.html.tmpl b/template/en/default/account/prefs/mfa.html.tmpl
index fc748cdd1..99a4b0f2a 100644
--- a/template/en/default/account/prefs/mfa.html.tmpl
+++ b/template/en/default/account/prefs/mfa.html.tmpl
@@ -6,6 +6,8 @@
   # defined by the Mozilla Public License, v. 2.0.
   #%]
 
+[% SET MFA_HOWTO = "https://wiki.mozilla.org/BMO/UserGuide/Two-Factor_Authentication" %]
+
 [% IF NOT Bugzilla.feature('mfa') %]
   <input type="hidden" name="mfa_action" id="mfa-action" value="">
   <p>
@@ -126,9 +128,25 @@
     </div>
 
   [% ELSE %]
-    <p>
-      Two-factor authentication is currently <b>disabled</b>.
-    </p>
+    [% IF Bugzilla.request_cache.mfa_warning %]
+      <p class="mfa-warning-msg">
+        You <b>must</b> enable two-factor authentication
+        [% UNLESS Bugzilla.request_cache.mfa_grace_period_expired %]
+          before <i>[% Bugzilla.user.mfa_required_date FILTER time %]</i>.
+          After that date, you will be restricted to this page until 2FA is configured.
+        [% ELSE %]
+          before continuing to use [% terms.Bugzilla %].
+        [% END %]
+      </p>
+      <p>
+        <b>Need help setting ip 2FA?</b>
+        You may want to <a href="[% MFA_HOWTO FILTER html %]">read these comprensive instructions</a>.
+      </p>
+    [% ELSE %]
+      <p>
+        Two-factor authentication is currently <b>disabled</b>.
+      </p>
+    [% END %]
     <input type="hidden" name="mfa_action" id="mfa-action" value="enable">
     <input type="hidden" name="mfa" id="mfa">
 
@@ -257,4 +275,4 @@
     <li>If in doubt, generate and print new recovery codes</li>
     <li><b>Do not store these codes electronically</b></li>
   </ul>
-[% END %]
+[% END %]
\ No newline at end of file
diff --git a/template/en/default/admin/params/auth.html.tmpl b/template/en/default/admin/params/auth.html.tmpl
index 99c52f759..e19712351 100644
--- a/template/en/default/admin/params/auth.html.tmpl
+++ b/template/en/default/admin/params/auth.html.tmpl
@@ -244,5 +244,13 @@
     "The 'secret key' for Duo 2FA. This value is provided by your " _
     "Duo Security administrator.",
 
+  mfa_group =>
+    "Members of this group must enable MFA. If the grace period is set, " _
+    "users will receive a warning on every page until end of the grace period. " _
+    "Users without MFA after the grace period (or when it is set to 0) will only " _
+    "be able to access the mfa tab of the user preferences page."
+
+  mfa_group_grace_period =>
+    "Number of days to warn user to turn on 2FA."
   },
 %]
diff --git a/template/en/default/global/header.html.tmpl b/template/en/default/global/header.html.tmpl
index e808df9bd..1ea652c10 100644
--- a/template/en/default/global/header.html.tmpl
+++ b/template/en/default/global/header.html.tmpl
@@ -39,7 +39,7 @@
   # no_body: if true the body element will not be generated
   # allow_mobile: allow special CSS and viewport for detected mobile useragents
   # use_login_page: display a link to the full login page, rather than an inline login.
-  # no_index: Disable search engine from adding page into search index. 
+  # no_index: Disable search engine from adding page into search index.
   #%]
 
 [% IF message %]
@@ -234,6 +234,9 @@
   <body
         class="[% urlbase.replace('^https?://','').replace('/$','').replace('[-~@:/.]+','-') FILTER css_class_quote %]
                skin-[% user.settings.skin.value FILTER css_class_quote %]
+               [% IF Bugzilla.request_cache.mfa_warning %]
+                mfa-warning
+               [% END %]
                [% FOREACH class = bodyclasses %]
                  [% ' ' %][% class FILTER css_class_quote %]
                [% END %] yui-skin-sam">
@@ -252,6 +255,18 @@
       </td>
       <td>
         [% Hook.process("message") %]
+        [% IF Bugzilla.request_cache.mfa_warning
+              AND user.mfa_required_date
+              AND NOT Bugzilla.request_cache.on_mfa_page %]
+          <span id="mfa-warning">
+            Please <a href="userprefs.cgi?tab=mfa">enabled two-factor authentication</a>
+            [% IF Param('mfa_group_grace_period') %]
+              before <i>[% user.mfa_required_date FILTER time %]</i>.
+            [% ELSE %]
+              now.
+            [% END %]
+          </span>
+        [% END %]
       </td>
       <td id="moz_login">
         [% IF user.id %]
@@ -355,4 +370,4 @@
 
 [% BLOCK format_js_link %]
   <script [% script_nonce FILTER none %] type="text/javascript" src="[% asset_url FILTER mtime FILTER html %]"></script>
-[% END %]
+[% END %]
\ No newline at end of file