Allow 2FA to be setup on first login

Once 2FA is enforced for a user and they have no 2FA setup yet this will
now prompt them with a setup screen. Given that providers are enabled
that allow setup then.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

3 files changed, 87 insertions, 2 deletions

diff --git a/core/templates/twofactorselectchallenge.php b/core/templates/twofactorselectchallenge.php
index 65691f5857d..8508039268e 100644
--- a/core/templates/twofactorselectchallenge.php
+++ b/core/templates/twofactorselectchallenge.php
@@ -15,9 +15,20 @@ $noProviders = empty($_['providers']);
 	<img class="two-factor-icon" src="<?php p(image_path('core', 'actions/password-white.svg')) ?>" alt="" />
 	<p>
 		<?php if (is_null($_['backupProvider'])): ?>
-		<strong><?php p($l->t('Two-factor authentication is enforced but has not been configured on your account. Contact your admin for assistance.')) ?></strong>
+			<?php if (!$_['hasSetupProviders']) { ?>
+				<strong><?php p($l->t('Two-factor authentication is enforced but has not been configured on your account. Contact your admin for assistance.')) ?></strong>
+			<?php } else { ?>
+				<strong><?php p($l->t('Two-factor authentication is enforced but has not been configured on your account. Please continue to setup two-factor authentication.')) ?></strong>
+				<a class="button primary two-factor-primary" href="<?php p(\OC::$server->getURLGenerator()->linkToRoute('core.TwoFactorChallenge.setupProviders',
+					[
+						'redirect_url' => $_['redirect_url'],
+					]
+				)) ?>">
+					<?php p($l->t('Set up two-factor authentication')) ?>
+				</a>
+			<?php } ?>
 		<?php else: ?>
-		<strong><?php p($l->t('Two-factor authentication is enforced but has not been configured on your account. Use one of your backup codes to log in or contact your admin for assistance.')) ?></strong>
+			<strong><?php p($l->t('Two-factor authentication is enforced but has not been configured on your account. Use one of your backup codes to log in or contact your admin for assistance.')) ?></strong>
 		<?php endif; ?>
 	</p>
 	<?php else: ?>
diff --git a/core/templates/twofactorsetupchallenge.php b/core/templates/twofactorsetupchallenge.php
new file mode 100644
index 00000000000..9c182db1715
--- /dev/null
+++ b/core/templates/twofactorsetupchallenge.php
@@ -0,0 +1,16 @@
+<?php
+/** @var $l \OCP\IL10N */
+/** @var $_ array */
+/* @var $provider OCP\Authentication\TwoFactorAuth\IProvider */
+$provider = $_['provider'];
+/* @var $template string */
+$template = $_['template'];
+?>
+
+<div class="body-login-container update">
+	<h2 class="two-factor-header"><?php p($provider->getDisplayName()); ?></h2>
+	<?php print_unescaped($template); ?>
+	<p><a class="two-factor-secondary" href="<?php print_unescaped($_['logout_url']); ?>">
+			<?php p($l->t('Cancel log in')) ?>
+	</a></p>
+</div>
diff --git a/core/templates/twofactorsetupselection.php b/core/templates/twofactorsetupselection.php
new file mode 100644
index 00000000000..7d689b89af7
--- /dev/null
+++ b/core/templates/twofactorsetupselection.php
@@ -0,0 +1,58 @@
+<?php
+declare(strict_types=1);
+/**
+ * @copyright Copyright (c) 2019, Roeland Jago Douma <roeland@famdouma.nl>
+ *
+ * @author Roeland Jago Douma <roeland@famdouma.nl>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+?>
+<div class="body-login-container update">
+	<h2 class="two-factor-header"><?php p($l->t('Setup two-factor authentication')) ?></h2>
+	<?php p($l->t('Enhanced security is enforced for your account. Choose wich provider to set up:')) ?>
+	<ul>
+	<?php foreach ($_['providers'] as $provider): ?>
+		<li>
+			<a class="two-factor-provider"
+			   href="<?php p(\OC::$server->getURLGenerator()->linkToRoute('core.TwoFactorChallenge.setupProvider',
+								[
+									'providerId' => $provider->getId(),
+									'redirect_url' => $_['redirect_url'],
+								]
+							)) ?>">
+				<?php
+				if ($provider instanceof \OCP\Authentication\TwoFactorAuth\IProvidesIcons) {
+					$icon = $provider->getLightIcon();
+				} else {
+					$icon = image_path('core', 'actions/password-white.svg');
+				}
+				?>
+				<img src="<?php p($icon) ?>" alt="" />
+				<div>
+					<h3><?php p($provider->getDisplayName()) ?></h3>
+					<p><?php p($provider->getDescription()) ?></p>
+				</div>
+			</a>
+		</li>
+	<?php endforeach; ?>
+	</ul>
+	<p><a class="two-factor-secondary" href="<?php print_unescaped($_['logout_url']); ?>">
+		<?php p($l->t('Cancel log in')) ?>
+	</a></p>
+</div>