Merge pull request #58119 from nextcloud/backport/57854/stable32

[stable32] feat: Add SetupCheck to warn about missing second factor provider

Author: artonge

apps/settings/composer/composer/autoload_classmap.php

@@ -138,6 +138,7 @@
     'OCA\\Settings\\SetupChecks\\TaskProcessingSuccessRate' => $baseDir . '/../lib/SetupChecks/TaskProcessingSuccessRate.php',
     'OCA\\Settings\\SetupChecks\\TempSpaceAvailable' => $baseDir . '/../lib/SetupChecks/TempSpaceAvailable.php',
     'OCA\\Settings\\SetupChecks\\TransactionIsolation' => $baseDir . '/../lib/SetupChecks/TransactionIsolation.php',
+    'OCA\\Settings\\SetupChecks\\TwoFactorConfiguration' => $baseDir . '/../lib/SetupChecks/TwoFactorConfiguration.php',
     'OCA\\Settings\\SetupChecks\\WellKnownUrls' => $baseDir . '/../lib/SetupChecks/WellKnownUrls.php',
     'OCA\\Settings\\SetupChecks\\Woff2Loading' => $baseDir . '/../lib/SetupChecks/Woff2Loading.php',
     'OCA\\Settings\\UserMigration\\AccountMigrator' => $baseDir . '/../lib/UserMigration/AccountMigrator.php',

apps/settings/composer/composer/autoload_static.php

@@ -153,6 +153,7 @@ class ComposerStaticInitSettings
         'OCA\\Settings\\SetupChecks\\TaskProcessingSuccessRate' => __DIR__ . '/..' . '/../lib/SetupChecks/TaskProcessingSuccessRate.php',
         'OCA\\Settings\\SetupChecks\\TempSpaceAvailable' => __DIR__ . '/..' . '/../lib/SetupChecks/TempSpaceAvailable.php',
         'OCA\\Settings\\SetupChecks\\TransactionIsolation' => __DIR__ . '/..' . '/../lib/SetupChecks/TransactionIsolation.php',
+        'OCA\\Settings\\SetupChecks\\TwoFactorConfiguration' => __DIR__ . '/..' . '/../lib/SetupChecks/TwoFactorConfiguration.php',
         'OCA\\Settings\\SetupChecks\\WellKnownUrls' => __DIR__ . '/..' . '/../lib/SetupChecks/WellKnownUrls.php',
         'OCA\\Settings\\SetupChecks\\Woff2Loading' => __DIR__ . '/..' . '/../lib/SetupChecks/Woff2Loading.php',
         'OCA\\Settings\\UserMigration\\AccountMigrator' => __DIR__ . '/..' . '/../lib/UserMigration/AccountMigrator.php',

apps/settings/lib/AppInfo/Application.php

@@ -74,6 +74,7 @@
 use OCA\Settings\SetupChecks\TaskProcessingPickupSpeed;
 use OCA\Settings\SetupChecks\TempSpaceAvailable;
 use OCA\Settings\SetupChecks\TransactionIsolation;
+use OCA\Settings\SetupChecks\TwoFactorConfiguration;
 use OCA\Settings\SetupChecks\WellKnownUrls;
 use OCA\Settings\SetupChecks\Woff2Loading;
 use OCA\Settings\UserMigration\AccountMigrator;
@@ -213,6 +214,7 @@ public function register(IRegistrationContext $context): void {
 		$context->registerSetupCheck(TaskProcessingPickupSpeed::class);
 		$context->registerSetupCheck(TempSpaceAvailable::class);
 		$context->registerSetupCheck(TransactionIsolation::class);
+		$context->registerSetupCheck(TwoFactorConfiguration::class);
 		$context->registerSetupCheck(PushService::class);
 		$context->registerSetupCheck(WellKnownUrls::class);
 		$context->registerSetupCheck(Woff2Loading::class);

apps/settings/lib/SetupChecks/TwoFactorConfiguration.php

@@ -0,0 +1,65 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Settings\SetupChecks;
+
+use OC\Authentication\TwoFactorAuth\MandatoryTwoFactor;
+use OC\Authentication\TwoFactorAuth\ProviderLoader;
+use OC\Authentication\TwoFactorAuth\ProviderSet;
+use OCP\IL10N;
+use OCP\SetupCheck\ISetupCheck;
+use OCP\SetupCheck\SetupResult;
+
+class TwoFactorConfiguration implements ISetupCheck {
+	public function __construct(
+		private IL10N $l10n,
+		private ProviderLoader $providerLoader,
+		private MandatoryTwoFactor $mandatoryTwoFactor,
+	) {
+	}
+
+	public function getName(): string {
+		return $this->l10n->t('Second factor configuration');
+	}
+
+	public function getCategory(): string {
+		return 'security';
+	}
+
+	public function run(): SetupResult {
+		$providers = $this->providerLoader->getProviders();
+		$providerSet = new ProviderSet($providers, false);
+		$primaryProviders = $providerSet->getPrimaryProviders();
+		if (count($primaryProviders) === 0) {
+			return SetupResult::warning($this->l10n->t('This instance has no second factor provider available.'));
+		}
+
+		$state = $this->mandatoryTwoFactor->getState();
+
+		if (!$state->isEnforced()) {
+			return SetupResult::info(
+				$this->l10n->t(
+					'Second factor providers are available but two-factor authentication is not enforced.'
+				)
+			);
+		} else {
+			return SetupResult::success(
+				$this->l10n->t(
+					'Second factor providers are available and enforced: %s.',
+					[
+						implode(', ', array_map(
+							fn ($p) => '"' . $p->getDisplayName() . '"',
+							$primaryProviders)
+						)
+					]
+				)
+			);
+		}
+	}
+}

lib/private/Authentication/TwoFactorAuth/ProviderLoader.php

@@ -30,8 +30,12 @@ public function __construct(
 	 * @return IProvider[]
 	 * @throws Exception
 	 */
-	public function getProviders(IUser $user): array {
-		$allApps = $this->appManager->getEnabledAppsForUser($user);
+	public function getProviders(?IUser $user = null): array {
+		if ($user === null) {
+			$allApps = $this->appManager->getEnabledApps();
+		} else {
+			$allApps = $this->appManager->getEnabledAppsForUser($user);
+		}
 		$providers = [];
 
 		foreach ($allApps as $appId) {