2FA enforcement: add more validation, fix test

2025-06-24 11:57:19 +03:00 · 2025-06-24 11:57:19 +03:00 · 85804837db
commit 85804837db
parent 16102d22aa
2 changed files with 14 additions and 3 deletions
--- a/application/src/main/java/org/thingsboard/server/service/security/auth/mfa/config/DefaultTwoFaConfigManager.java
+++ b/application/src/main/java/org/thingsboard/server/service/security/auth/mfa/config/DefaultTwoFaConfigManager.java
@ -167,9 +167,20 @@ public class DefaultTwoFaConfigManager implements TwoFaConfigManager {
        for (TwoFaProviderConfig providerConfig : twoFactorAuthSettings.getProviders()) {
            twoFactorAuthService.checkProvider(tenantId, providerConfig.getProviderType());
        }
-        if (tenantId.isSysTenantId() && twoFactorAuthSettings.isEnforceTwoFa() && twoFactorAuthSettings.getProviders().isEmpty()) {
+        if (tenantId.isSysTenantId()) {
+            if (twoFactorAuthSettings.isEnforceTwoFa()) {
+                if (twoFactorAuthSettings.getProviders().isEmpty()) {
                    throw new DataValidationException("At least one 2FA provider is required if enforcing is enabled");
                }
+                if (twoFactorAuthSettings.getEnforcedUsersFilter() == null) {
+                    throw new DataValidationException("Users filter to enforce 2FA for is required");
+                }
+            }
+        } else {
+            twoFactorAuthSettings.setEnforceTwoFa(false);
+            twoFactorAuthSettings.setEnforcedUsersFilter(null);
+        }
+
        AdminSettings settings = Optional.ofNullable(adminSettingsService.findAdminSettingsByKey(tenantId, TWO_FACTOR_AUTH_SETTINGS_KEY))
                .orElseGet(() -> {
                    AdminSettings newSettings = new AdminSettings();
--- a/application/src/test/java/org/thingsboard/server/controller/TwoFactorAuthTest.java
+++ b/application/src/test/java/org/thingsboard/server/controller/TwoFactorAuthTest.java
@ -430,7 +430,7 @@ public class TwoFactorAuthTest extends AbstractControllerTest {

        // verifying enforced users filter
        createDifferentTenant();
-        doGet("/api/user/" + user.getId()).andExpect(status().isOk());
+        doGet("/api/user/" + savedDifferentTenantUser.getId()).andExpect(status().isOk());

        twoFaSettings.setEnforceTwoFa(false);
        twoFaConfigManager.savePlatformTwoFaSettings(TenantId.SYS_TENANT_ID, twoFaSettings);