Add setting for enforcing 2FA (#1259)

* Add setting for enforcing 2FA

* Changes after code-review

* Add Test-Cases for Obligatory 2FA

src/pretix/control/middleware.py

@@ -35,6 +35,19 @@ class PermissionMiddleware:
         "user.settings.notifications.off",
     )
 
+    EXCEPTIONS_2FA = (
+        "user.settings.2fa",
+        "user.settings.2fa.add",
+        "user.settings.2fa.enable",
+        "user.settings.2fa.disable",
+        "user.settings.2fa.regenemergency",
+        "user.settings.2fa.confirm.totp",
+        "user.settings.2fa.confirm.u2f",
+        "user.settings.2fa.delete",
+        "auth.logout",
+        "user.reauth"
+    )
+
     def __init__(self, get_response=None):
         self.get_response = get_response
         super().__init__()
@@ -83,6 +96,10 @@ class PermissionMiddleware:
             if url_name not in ('user.reauth', 'auth.logout'):
                 return redirect(reverse('control:user.reauth') + '?next=' + quote(request.get_full_path()))
 
+        if not request.user.require_2fa and settings.PRETIX_OBLIGATORY_2FA \
+                and url_name not in self.EXCEPTIONS_2FA:
+            return redirect(reverse('control:user.settings.2fa'))
+
         if 'event' in url.kwargs and 'organizer' in url.kwargs:
             with scope(organizer=None):
                 request.event = Event.objects.filter(

src/pretix/control/templates/pretixcontrol/user/2fa_main.html

@@ -11,15 +11,35 @@
             smartphone or a hardware token generator and that changes on a regular basis.
         {% endblocktrans %}
     </p>
+    {% if settings.PRETIX_OBLIGATORY_2FA %}
+        <div class="panel panel-warning">
+            <div class="panel-heading">
+                <h3 class="panel-title">{% trans "Obligatory usage of two-factor authentication" %}</h3>
+            </div>
+            <div class="panel-body">
+                <p>
+                    <strong>{% trans "This system enforces the usage of two-factor authentication!" %}</strong>
+                </p>
+            {% if not devices %}
+                <p>{% trans "Please set up at least one device below." %}</p>
+            {% elif not user.require_2fa %}
+                <p>{% trans "Please activate two-factor authentication using the button below." %}</p>
+            {% endif %}
+            </div>
+        </div>
+
+    {% endif %}
     {% if user.require_2fa %}
         <div class="panel panel-success">
             <div class="panel-heading">
                 <h3 class="panel-title">{% trans "Two-factor status" %}</h3>
             </div>
             <div class="panel-body">
-                <a href="{% url "control:user.settings.2fa.disable" %}" class="btn btn-primary pull-right">
-                    {% trans "Disable" %}
-                </a>
+                {% if not settings.PRETIX_OBLIGATORY_2FA %}
+                    <a href="{% url "control:user.settings.2fa.disable" %}" class="btn btn-primary pull-right">
+                        {% trans "Disable" %}
+                    </a>
+                {% endif %}
                 <p>
                     <strong>{% trans "Two-factor authentication is currently enabled." %}</strong>
                 </p>

src/pretix/settings.py

@@ -120,6 +120,7 @@ PRETIX_REGISTRATION = config.getboolean('pretix', 'registration', fallback=True)
 PRETIX_PASSWORD_RESET = config.getboolean('pretix', 'password_reset', fallback=True)
 PRETIX_LONG_SESSIONS = config.getboolean('pretix', 'long_sessions', fallback=True)
 PRETIX_ADMIN_AUDIT_COMMENTS = config.getboolean('pretix', 'audit_comments', fallback=False)
+PRETIX_OBLIGATORY_2FA = config.getboolean('pretix', 'obligatory_2fa', fallback=False)
 PRETIX_SESSION_TIMEOUT_RELATIVE = 3600 * 3
 PRETIX_SESSION_TIMEOUT_ABSOLUTE = 3600 * 12