tfa_basic.module

<?php

use Drupal\user\Entity\User;

/**
 * Implements hook_library().
 */
function tfa_basic_library() {
  $items = array();
  $items['qrcodejs'] = array(
    'title' => 'QRCode.js',
    'website' => 'https://github.com/davidshimjs/qrcodejs',
    'version' => '1.0',
    'js' => array(
      drupal_get_path('module', 'tfa_basic') . '/includes/qrcodejs/qrcode.min.js' => array(),
    ),
  );
  return $items;
}

/**
 * Implements hook_menu().
 */
function tfa_basic_menu() {
  $items = array();
  $items['user/%user/security/tfa/trusted-browsers'] = array(
    'title' => 'TFA setup',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('tfa_basic_setup_form', 1, 'tfa_basic_trusted_browser'),
    'access callback' => 'tfa_basic_setup_access',
    'access arguments' => array(1, 'setup own tfa'),
    'type' => MENU_CALLBACK,
    'file' => 'tfa_basic.pages.inc',
  );
  $items['user/%user/security/tfa/recovery-codes'] = array(
    'title' => 'TFA setup',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('tfa_basic_setup_form', 1, 'tfa_recovery_code'),
    'access callback' => 'tfa_basic_setup_access',
    'access arguments' => array(1, 'setup own tfa'),
    'type' => MENU_CALLBACK,
    'file' => 'tfa_basic.pages.inc',
  );
  $items['user/%user/security/tfa/recovery-codes-list'] = array(
    'title' => 'TFA - Unused recovery codes',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('tfa_basic_setup_form', 1, 'recovery_codes_list'),
    'access callback' => 'tfa_basic_setup_access',
    'access arguments' => array(1, 'setup own tfa'),
    'type' => MENU_CALLBACK,
    'file' => 'tfa_basic.pages.inc',
  );
  $items['user/%user/security/tfa/sms-setup'] = array(
    'title' => 'TFA setup',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('tfa_basic_setup_form', 1, 'tfa_basic_sms'),
    'access callback' => 'tfa_basic_setup_access',
    'access arguments' => array(1, 'setup own tfa'),
    'type' => MENU_CALLBACK,
    'file' => 'tfa_basic.pages.inc',
  );

  return $items;
}

/**
 * Access control.
 *
 * @param object $account
 * @param string $permission
 * @return bool
 */
function tfa_basic_setup_access($account, $permission = '') {
  $administer_users = user_access('administer users') && $account->uid > 0;
  $is_account = ($GLOBALS['user']->uid == $account->uid);

  return ($is_account && user_access($permission, $account)) || $administer_users;
}

/**
 * Implements hook_cron().
 */
function tfa_basic_cron() {
  // Delete trusted browser entries older than expiration.
//  $expiration = variable_get('tfa_basic_trust_cookie_expiration', 3600 * 24 * 30);

  $num_deleted = db_delete('tfa_trusted_browser')
    ->condition('created', REQUEST_TIME - $expiration, '<')
    ->execute();
  if ($num_deleted) {
    watchdog('tfa_basic', 'Removed !num TFA trusted browsers older than !time', array('!num' => $num_deleted, '!time' => REQUEST_TIME - $expiration), WATCHDOG_INFO);
  }

  // Delete accepted codes older than expiration.
  //$accepted_expiration = variable_get('tfa_basic_accepted_code_expiration', 3600 * 24);
  db_delete('tfa_accepted_code')
    ->condition('time_accepted', REQUEST_TIME - $accepted_expiration, '<')
    ->execute();
}

/**
 * Implements hook_tfa_api().
 */
function tfa_basic_tfa_api() {
  return array(
    'tfa_totp' => array(
      'class' => 'TfaTotp',
      'name' => 'TOTP',
    ),
    'tfa_basic_trusted_browser' => array(
      'class' => 'TfaTrustedBrowser',
      'name' => 'Trusted Browsers',
    ),
    'tfa_recovery_code' => array(
      'class' => 'TfaRecoveryCode',
      'name' => 'Recovery Codes',
    ),
    'tfa_basic_sms' => array(
      'class' => 'TfaBasicSms',
      'name' => 'Twilio SMS',
    ),
    'tfa_basic_help' => array(
      'class' => 'TfaBasicHelp',
      'name' => 'Help page',
    ),
  );
}

/**
 * Create TfaTotp plugin.
 *
 * @param array $context
 * @return TfaTotp
 */
function tfa_totp_create($context) {
  return new TfaTotp($context);
}

/**
 * Create TfaTrustedBrowser plugin.
 *
 * @param array $context
 * @return TfaTrustedBrowser
 */
function tfa_basic_trusted_browser_create($context) {
  return new TfaTrustedBrowser($context);
}

/**
 * Create TfaBasicRecoveryCode plugin.
 *
 * @param array $context
 * @return TfaBasicRecoveryCode
 */
function tfa_recovery_code_create($context) {
  return new TfaRecoveryCode($context);
}

/**
 * Create TfaBasicSms plugin.
 *
 * @param array $context
 * @return TfaBasicSms
 */
function tfa_basic_sms_create($context) {
  $account = user_load($context['uid']);
  $number = tfa_basic_get_mobile_number($account);
  return new TfaBasicSms($context, $number);
}

/**
 * Alters tfa_context array to set plugins from user settings.
 */
function tfa_basic_tfa_context_alter(&$context) {
  // $context can be empty during beginning of TFA process.
  if (empty($context)) {
    return;
  }

  $account = User::load($context['uid']);
  dpm($context);
  print_r($context);
  $tfa_data = tfa_basic_get_tfa_data($account->id());
  // Remove SMS plugin if enabled and mobile number is not available.
  $number = tfa_basic_get_mobile_number($account);
  if ((empty($tfa_data['data']['sms']) || !$number)) {
    $fallback_plugins = array();
    if (isset($context['plugins']['fallback'])) {
      foreach ($context['plugins']['fallback'] as $plugin) {
        if ($plugin !== 'tfa_basic_sms') {
          $fallback_plugins[] = $plugin;
        }
      }
    }
    // Remove SMS from validation if set.
    if ('tfa_basic_sms' == $context['plugins']['validate']) {
      $context['plugins']['validate'] = array_shift($fallback_plugins);
    }
    $context['plugins']['fallback'] = $fallback_plugins;
  }
}

/**
 * Implements hook_tfa_ready_require().
 */
function tfa_basic_tfa_ready_require($account) {
  if (tfa_basic_tfa_required($account)) {
    drupal_set_message(t('Login disallowed. You are required to set up two-factor authentication. Please contact a site administrator.'), 'error');
    return TRUE;
  }
  return FALSE;
}

/**
 * Whether TFA is required for the account.
 *
 * @param object $account
 *
 * @return bool
 */
function tfa_basic_tfa_required($account) {
  $required = FALSE;
  $required_roles = \Drupal::config('tfa_basic.settings')->get('roles_require');
  if (!empty($required_roles)) {
    foreach ($required_roles as $rid => $enabled) {
      if ($enabled && array_key_exists($rid, $account->roles)) {
        $required = TRUE;
        break;
      }
    }
  }
  return $required;
}

/**
 * Get mobile number for an account.
 *
 * @param object $account
 *   User account object.
 *
 * @return string|FALSE
 *   Mobile phone number or FALSE if not set.
 */
function tfa_basic_get_mobile_number($account) {
  $phone_field = \Drupal::config('tfa_basic.settings')->get('phone_field');
  $number = FALSE;
  // Note, set tfa_basic_phone_field to FALSE to avoid using account field as
  // storage.
  if (!empty($phone_field)) {
    if (!empty($account->{$phone_field}[LANGUAGE_NONE][0]['value'])) {
      $number = $account->{$phone_field}[LANGUAGE_NONE][0]['value'];
    }
  }
  $alterable = array(
    'account' => $account,
    'number' => $number,
  );
  // Allow other modules to supply the mobile number for this account.
  \Drupal::moduleHandler()->alter('tfa_basic_get_mobile_number', $alterable);
  return $alterable['number'];
}

/**
 * Update mobile number on account.
 *
 * @param object $account
 * @param string $number
 */
function tfa_basic_set_mobile_number($account, $number) {
  $phone_field = variable_get('tfa_basic_phone_field', '');
  if ($phone_field !== FALSE) {
    if (isset($account->{$phone_field})) {
      $edit = array(
        $phone_field => array(LANGUAGE_NONE => array(0 => array('value' => $number))),
      );
      user_save($account, $edit);
    }
  }
  $alterable = array(
    'account' => $account,
    'number' => $number,
  );
  // Allow other modules to set the mobile number for this account.
  \Drupal::moduleHandler()->alter('tfa_basic_set_mobile_number', $alterable);
}

/**
 * Implements hook_form_FORM_ID_alter().
 */
function tfa_basic_form_tfa_form_alter(&$form, &$form_state, $form_id) {
  // Add validation handler for fallback awareness.
  $form['#validate'][] = '_tfa_basic_form_validate';
}

/**
 * Validation handler to encourage use of fallback if there are form errors.
 */
function _tfa_basic_form_validate($form, &$form_state) {
  $errors = form_get_errors();
  if (!empty($errors) && !empty($form_state['values']['code']) && isset($form['actions']['fallback'])) {
    drupal_set_message(t("If you are having trouble click \"Can't access your account?\" for further authentication options."), 'warning');
  }
}

/**
 * Get TFA data for an account.
 *
 * @param object $account
 *   User account.
 *
 * @return array
 *   TFA data.
 *
 * @code
 *   array(
 *     'status' => TRUE,
 *     'data' => array(
 *       'primary' => 'app',
 *       'sms' => FALSE,
 *     ),
 *   )
 * @endcode
 */
function tfa_basic_get_tfa_data($uid) {
  $result = \Drupal::service('user.data')->get('tfa', $uid, 'tfa_user_settings');
  if (!empty($result)) {
    $data = $result['data'];
    $tfa = array(
      'status' => $result['status'] == '1' ? TRUE : FALSE,
      'saved' => $result['saved'],
      'data' => $data,
    );
    return $tfa;
  }
  return array();
}

/**
 * Save TFA settings for an account.
 *
 * @param object $account
 * @param array $data TFA data
 * @code
 *   array(
 *     'plugins' => ['tfa_totp'],
 *     'sms' => FALSE,
 *     'status' => TRUE,
 *   )
 * @endcode
 */
function tfa_basic_setup_save_data($account, $data = array()) {
  // Check if existing data and update.
  $existing = tfa_basic_get_tfa_data($account->id());
  if (!empty($existing['data'])) {
    $tfa_data = $existing['data'];
  }
  else {
    $tfa_data = array(
      'plugins' => '',
      'sms' => FALSE,
    );
  }
  if (isset($data['plugins'])) {
    $tfa_data['plugins'] = $data['plugins'];
  }
  if (isset($data['sms'])) {
    $tfa_data['sms'] = $data['sms'];
  }
  $status = 1;
  if (isset($data['status']) && $data['status'] === FALSE) {
    $tfa_data = array();
    $status = 0;
  }

  $record = array(
    'saved' => REQUEST_TIME,
    'status' => $status,
    'data' => $tfa_data,
  );

//  if (!empty($existing)) {
////    drupal_write_record('tfa_user_settings', $record, 'uid');
//    \Drupal::database()->update('tfa_user_settings')
//      ->condition('uid', $record['uid'])
//      ->fields($record)
//      ->execute();
//  }
//  else {
////    drupal_write_record('tfa_user_settings', $record);
//    \Drupal::database()->insert('tfa_user_settings')
//      ->fields($record)
//      ->execute();
//  }

  \Drupal::service('user.data')->set('tfa', $account->id(), 'tfa_user_settings', $record);

}

/**
 * Validate phone number for use in TFA SMS plugin.
 *
 * @param string $number
 *   Number.
 *
 * @return array()
 *   Array of error messages if the number is not valid, empty array otherwise.
 */
function tfa_basic_valid_number($number) {
  // Strip leading '1' if set.
  if (strpos($number, '1') === 0) {
    $number = ltrim($number, '1');
  }
  // Validate against North American Numbering Plan (NANP) regex.
  // http://en.wikipedia.org/wiki/North_American_Numbering_Plan#Numbering_system
  $pattern = '~^\(?([2-9][0-9]{2})\)?[-. ]?([2-9](?!11)[0-9]{2})[-. ]?([0-9]{4})$~';
  if (preg_match($pattern, $number)) {
    $errors = array();
  }
  else {
    $errors = array(t('Number does not match expected patterns.'));
  }
  $alterable = array(
    'number' => $number,
    'errors' => $errors,
  );
  \Drupal::moduleHandler()->alter('tfa_basic_valid_number', $errors);
  return $alterable['errors'];
}

/**
 * Format a mobile number.
 *
 * @param string $number
 *   Phone number.
 *
 * @return string
 *   Formatted number.
 */
function tfa_basic_format_number($number) {
  $number = str_replace(array('-', ' ', '(', ')'), '', $number);
  $formatted = $number;
  if (ctype_digit($number) && strlen($number) == 11) {
    $formatted = 'x-xxx-xxx-' . substr($number, 7);
  }
  elseif (ctype_digit($number) && strlen($number) == 10) {
    $formatted = 'xxx-xxx-' . substr($number, 6);
  }
  elseif (ctype_digit($number) && strlen($number) == 7) {
    $formatted = 'xxx-' . substr($number, 3, 4);
  }
  $alterable = array(
    'number' => $number,
    'formatted' => $formatted,
  );
  \Drupal::moduleHandler()->alter('tfa_basic_format_number', $alterable);
  return $alterable['formatted'];
}

/**
 * Implements hook_form_FORM_ID_alter().
 */
function tfa_basic_form_tfa_admin_settings_alter(&$form, &$form_state, $form_id) {
  global $cookie_domain;

  $form['required_tfa_roles'] = array(
    '#type' => 'checkboxes',
    '#title' => t('Roles required to have set up TFA'),
    '#description' => t("Login will be denied to an account without TFA setup and any matching role."),
    '#options' => user_roles(TRUE),
    '#default_value' => variable_get('tfa_basic_roles_require', array()),
  );

  // Add cookie domain field to TFA admin settings.
  $form['tfa_basic_cookie_domain'] = array(
    '#type' => 'textfield',
    '#title' => t('Cookie domain'),
    '#default_value' => variable_get('tfa_basic_cookie_domain', $cookie_domain),
    '#description' => t('Domain to set for the trusted browser TFA cookie.'),
    '#states' => array(
      'visible' => array(
        ':input[name="tfa_login[tfa_basic_trusted_browser]"]' => array('checked' => TRUE)
      )
    ),
  );
  // Add Twilio configuration if SMS plugin is enabled.
  if (class_exists('Services_Twilio')) {
    $sms_states = array(
      'visible' => array(
        array(
          array(':input[name="tfa_fallback[tfa_basic_sms][enable]"]' => array('checked' => TRUE)),
          'or',
          array(':input[name="tfa_validate"]' => array('value' => 'tfa_basic_sms'))
        )
      )
    );
    $form['tfa_basic_twilio_account_sid'] = array(
      '#type' => 'textfield',
      '#title' => t('Twilio account SID'),
      '#default_value' => variable_get('tfa_basic_twilio_account_sid', ''),
      '#description' => t('Twilio account SID from twilio.com.'),
      '#states' => $sms_states
    );
    $form['tfa_basic_twilio_account_token'] = array(
      '#type' => 'textfield',
      '#title' => t('Twilio account token'),
      '#default_value' => variable_get('tfa_basic_twilio_account_token', ''),
      '#description' => t('Private Twilio account token from twilio.com.'),
      '#states' => $sms_states
    );
    $form['tfa_basic_twilio_account_number'] = array(
      '#type' => 'textfield',
      '#title' => t('Twilio account number'),
      '#default_value' => variable_get('tfa_basic_twilio_account_number', ''),
      '#description' => t('Private Twilio account number from twilio.com.'),
      '#states' => $sms_states
    );
    $form['tfa_basic_twilio_message_text'] = array(
      '#type' => 'textfield',
      '#title' => t('Twilio message text'),
      '#default_value' => variable_get('tfa_basic_twilio_message_text',
        'Verification code: !code'),
      '#description' => t('Text to be sent to the user. Use !code for the verification code.'),
      '#states' => $sms_states
    );

    // Mobile phone storage field. Set variable to FALSE to ignore.
    $phone_field = variable_get('tfa_basic_phone_field', '');
    if ($phone_field !== FALSE) {
      $form['tfa_basic_phone_field'] = array(
        '#title' => t('SMS mobile number'),
        '#type' => 'container',
        '#children'  => t('<div class="error messages">A mobile number account field is required to use the Twilio SMS plugin. Consult the <a href="!url">help documentation for more info</a>.</div>', array('!url' => url('admin/help/tfa'))),
        '#states' => $sms_states
      );

      $instances = field_info_instances('user');
      $options = array();
      foreach ($instances['user'] as $name => $field) {
        $options[$name] = $field['label'];
      }
      // Change to select field.
      if (!empty($options)) {
        unset($form['tfa_basic_phone_field']['#children'], $form['tfa_basic_phone_field']['#prefix'], $form['tfa_basic_phone_field']['#suffix']);
        $form['tfa_basic_phone_field']['#type'] = 'select';
        $form['tfa_basic_phone_field']['#default_value'] = $phone_field;
        $form['tfa_basic_phone_field']['#options'] = $options;
        $form['tfa_basic_phone_field']['#description'] = t('Account field that stores mobile numbers.');
      }
    }
  }
  // SMS is disabled if the Twilio class is not available.
  else {
    $form['tfa_fallback']['tfa_basic_sms']['enable']['#disabled'] = TRUE;
    $form['tfa_fallback']['tfa_basic_sms']['enable']['#description'] = t('Not available for use because Twilio PHP library is not installed. See TFA Basic README.txt.');
  }

  $form['tfa_fallback']['tfa_basic_help']['weight']['#default_value'] = 10;
  $form['tfa_fallback']['tfa_basic_help']['weight']['#disabled'] = TRUE;
  $default_help = t('Contact support to reset your access');
  $form['tfa_basic_help_text'] = array(
    '#type' => 'textfield',
    '#title' => t('Help page text'),
    '#default_value' => variable_get('tfa_basic_help_text', $default_help),
    '#description' => t('Text to display on help page. Plain text only.'),
    '#states' => array(
      'visible' => array(
        array(
          array(':input[name="tfa_fallback[tfa_basic_help][enable]"]' => array('checked' => TRUE)),
          'or',
          array(':input[name="tfa_validate"]' => array('value' => 'tfa_basic_help'))
        )
      )
    ),
  );

  $form['#validate'][] = 'tfa_basic_form_validate';
  $form['#submit'][] = 'tfa_basic_form_submit';
}

/**
 * Validation for TFA admin settings alter.
 */
function tfa_basic_form_validate($form, &$form_state) {
  $login = array();
  $values = $form_state['values'];
  if (!empty($values['tfa_login'])) {
    foreach ($values['tfa_login'] as $key => $enabled) {
      if ($enabled) {
        $login[] = $key;
      }
    }

    if (!empty($login) && in_array('tfa_basic_trusted_browser', $login) && empty($values['tfa_basic_cookie_domain'])) {
      form_set_error('tfa_basic_cookie_domain', t('Cookie domain is required if Trusted Browser plugin is enabled.'));
    }
  }
  if (!empty($values['tfa_fallback']) && (!empty($values['tfa_fallback']['tfa_basic_sms']['enable']) || $values['tfa_validate'] === 'tfa_basic_sms')) {
    if (empty($values['tfa_basic_twilio_account_sid'])) {
      form_set_error('tfa_basic_twilio_account_sid', t('Account SID is required if Twilio SMS plugin is enabled.'));
    }
    if (empty($values['tfa_basic_twilio_account_token'])) {
      form_set_error('tfa_basic_twilio_account_token', t('Account token is required if Twilio SMS plugin is enabled.'));
    }
    if (empty($values['tfa_basic_twilio_account_number'])) {
      form_set_error('tfa_basic_twilio_account_number', t('Account number is required if Twilio SMS plugin is enabled.'));
    }
    if (empty($values['tfa_basic_twilio_message_text'])) {
      form_set_error('tfa_basic_twilio_message_text', t('Message text is required if Twilio SMS plugin is enabled.'));
    }
    elseif (strpos($values['tfa_basic_twilio_message_text'], '!code') === FALSE) {
      form_set_error('tfa_basic_twilio_message_text', t('Message text must include token !code.'));
    }
    $phone_field = variable_get('tfa_basic_phone_field', '');
    if ($phone_field !== FALSE && empty($values['tfa_basic_phone_field'])) {
      form_set_error('', t('An account field for mobile number storage is required to use the Twilio SMS plugin. Consult TFA Basic README.txt for more info.'));
    }
  }
}

/**
 * Submit for TFA admin settings alter.
 */
function tfa_basic_form_submit($form, &$form_state) {
  if (!empty($form_state['values']['tfa_basic_cookie_domain'])) {
    variable_set('tfa_basic_cookie_domain', $form_state['values']['tfa_basic_cookie_domain']);
  }
  if (!empty($form_state['values']['tfa_basic_twilio_account_sid'])) {
    variable_set('tfa_basic_twilio_account_sid', $form_state['values']['tfa_basic_twilio_account_sid']);
  }
  if (!empty($form_state['values']['tfa_basic_twilio_account_token'])) {
    variable_set('tfa_basic_twilio_account_token', $form_state['values']['tfa_basic_twilio_account_token']);
  }
  if (!empty($form_state['values']['tfa_basic_twilio_account_number'])) {
    variable_set('tfa_basic_twilio_account_number', $form_state['values']['tfa_basic_twilio_account_number']);
  }
  if (!empty($form_state['values']['tfa_basic_twilio_message_text'])) {
    variable_set('tfa_basic_twilio_message_text', $form_state['values']['tfa_basic_twilio_message_text']);
  }
  if (!empty($form_state['values']['tfa_basic_help_text'])) {
    variable_set('tfa_basic_help_text', $form_state['values']['tfa_basic_help_text']);
  }
  $phone_field = variable_get('tfa_basic_phone_field', '');
  if ($phone_field !== FALSE && !empty($form_state['values']['tfa_fallback']) && !empty($form_state['values']['tfa_fallback']['tfa_basic_sms']['enable']) && !empty($form_state['values']['tfa_basic_phone_field'])) {
    variable_set('tfa_basic_phone_field', $form_state['values']['tfa_basic_phone_field']);
  }
  variable_set('tfa_basic_roles_require', $form_state['values']['required_tfa_roles']);
}

/**
 * Implements hook_mail().
 */
function tfa_basic_mail($key, &$message, $params) {
  $config = \Drupal::config('system.site');
  switch ($key) {
    case 'tfa_basic_tfa_enabled':
      $message['subject'] = t('Your @site_name account now has two-factor authentication', array('@site_name' => $config->get('name')));
      $message['body']['body'] = tfa_basic_tfa_enabled_body($message, $params);
      break;

    case 'tfa_basic_disabled_configuration':
      $message['subject'] = t('Your @site_name account no longer has two-factor authentication', array('@site_name' => $config->get('name')));
      $message['body']['body'] = tfa_basic_tfa_disabled_body($message, $params);
      break;

  }
}

/**
 * Returns text appropriate for an email when someone has enabled tfa.
 *
 * @param array $message
 *   The message, must include the language.
 * @param array $params
 *   Parameters from drupal_mail. Must include the account.
 *
 * @return string
 *   Message body.
 */
function tfa_basic_tfa_enabled_body($message, $params) {
  $text = t("[user:name],

Thanks for configuring two-factor authentication on your @site_name account!

This additional level of security will help to ensure that only you are able to log in to your account.

If you ever lose the device you configured, you should act quickly to delete its association with this account.

-- @site_name team", array('@site_name' => \Drupal::config('system.site')->get('name')));

  return \Drupal::token()->replace($text, array('user' => $params['account']), array('language' => $message['language'], 'sanitize' => FALSE, 'clear' => TRUE));
}

/**
 * Returns text appropriate for an email when someone has disabled tfa.
 *
 * @param array $message
 *   The message, must include the language.
 * @param array $params
 *   Parameters from drupal_mail. Must include the account.
 *
 * @return string
 *   Message body.
 */
function tfa_basic_tfa_disabled_body($message, $params) {
  $text = t("[user:name],

Two-factor authentication has been disabled on your account.

If you did not take this action, please contact a site administrator immediately.

-- @site_name team", array('@site_name' => \Drupal::config('system.site')->get('name')));

  return \Drupal::token()->replace($text, array('user' => $params['account']), array('language' => $message['language'], 'sanitize' => FALSE, 'clear' => TRUE));
}