[pull] main from composer:main

src/Audit/AuditRecordType.php

@@ -40,6 +40,6 @@ enum AuditRecordType: string
     case UsernameChanged = 'username_changed'; // TODO
     case GitHubLinkedWithUser = 'github_linked_with_user'; // TODO
     case GitHubDisconnectedFromUser = 'github_disconnected_from_user'; // TODO
-    case TwoFaActivated = 'two_fa_activated'; // TODO
-    case TwoFaDeactivated = 'two_fa_deactivated'; // TODO
+    case TwoFaAuthenticationActivated = 'two_fa_activated';
+    case TwoFaAuthenticationDeactivated = 'two_fa_deactivated';
 }

src/Audit/Display/AuditLogDisplayFactory.php

@@ -15,6 +15,8 @@
 use App\Audit\AuditRecordType;
 use App\Audit\UserRegistrationMethod;
 use App\Entity\AuditRecord;
+use App\Audit\Display\TwoFaActivatedDisplay;
+use App\Audit\Display\TwoFaDeactivatedDisplay;
 
 class AuditLogDisplayFactory
 {
@@ -117,6 +119,17 @@ public function buildSingle(AuditRecord $record): AuditLogDisplayInterface
                 UserRegistrationMethod::from($record->attributes['method']),
                 $this->buildActor(null),
             ),
+            AuditRecordType::TwoFaAuthenticationActivated => new TwoFaActivatedDisplay(
+                $record->datetime,
+                $record->attributes['username'],
+                $this->buildActor($record->attributes['actor']),
+            ),
+            AuditRecordType::TwoFaAuthenticationDeactivated => new TwoFaDeactivatedDisplay(
+                $record->datetime,
+                $record->attributes['username'],
+                $record->attributes['reason'],
+                $this->buildActor($record->attributes['actor']),
+            ),
             default => throw new \LogicException(sprintf('Unsupported audit record type: %s', $record->type->value)),
         };
     }

src/Audit/Display/TwoFaActivatedDisplay.php

@@ -0,0 +1,36 @@
+<?php declare(strict_types=1);
+
+/*
+ * This file is part of Packagist.
+ *
+ * (c) Jordi Boggiano <j.boggiano@seld.be>
+ *     Nils Adermann <naderman@naderman.de>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace App\Audit\Display;
+
+use App\Audit\AuditRecordType;
+
+readonly class TwoFaActivatedDisplay extends AbstractAuditLogDisplay
+{
+    public function __construct(
+        \DateTimeImmutable $datetime,
+        public string $username,
+        ActorDisplay $actor,
+    ) {
+        parent::__construct($datetime, $actor);
+    }
+
+    public function getType(): AuditRecordType
+    {
+        return AuditRecordType::TwoFaAuthenticationActivated;
+    }
+
+    public function getTemplateName(): string
+    {
+        return 'audit_log/display/two_fa_activated.html.twig';
+    }
+}

src/Audit/Display/TwoFaDeactivatedDisplay.php

@@ -0,0 +1,37 @@
+<?php declare(strict_types=1);
+
+/*
+ * This file is part of Packagist.
+ *
+ * (c) Jordi Boggiano <j.boggiano@seld.be>
+ *     Nils Adermann <naderman@naderman.de>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace App\Audit\Display;
+
+use App\Audit\AuditRecordType;
+
+readonly class TwoFaDeactivatedDisplay extends AbstractAuditLogDisplay
+{
+    public function __construct(
+        \DateTimeImmutable $datetime,
+        public string $username,
+        public string $reason,
+        ActorDisplay $actor,
+    ) {
+        parent::__construct($datetime, $actor);
+    }
+
+    public function getType(): AuditRecordType
+    {
+        return AuditRecordType::TwoFaAuthenticationDeactivated;
+    }
+
+    public function getTemplateName(): string
+    {
+        return 'audit_log/display/two_fa_deactivated.html.twig';
+    }
+}

src/Entity/AuditRecord.php

@@ -147,6 +147,33 @@ public static function userCreated(User $user, UserRegistrationMethod $method):
         );
     }
 
+    public static function twoFactorAuthenticationActivated(User $user): self
+    {
+        return new self(
+            AuditRecordType::TwoFaAuthenticationActivated,
+            [
+                'username' => $user->getUsernameCanonical(),
+                'actor' => self::getUserData($user),
+            ],
+            actorId: $user->getId(),
+            userId: $user->getId(),
+        );
+    }
+
+    public static function twoFactorAuthenticationDeactivated(User $user, string $reason): self
+    {
+        return new self(
+            AuditRecordType::TwoFaAuthenticationDeactivated,
+            [
+                'username' => $user->getUsernameCanonical(),
+                'actor' => self::getUserData($user),
+                'reason' => $reason,
+            ],
+            actorId: $user->getId(),
+            userId: $user->getId(),
+        );
+    }
+
     /**
      * @return array{id: int, username: string}|string
      */

src/Security/TwoFactorAuthManager.php

@@ -12,6 +12,8 @@
 
 namespace App\Security;
 
+use App\Entity\AuditRecord;
+use App\Entity\AuditRecordRepository;
 use App\Entity\User;
 use Doctrine\Persistence\ManagerRegistry;
 use Scheb\TwoFactorBundle\Model\BackupCodeInterface;
@@ -28,6 +30,7 @@ public function __construct(
         private ManagerRegistry $doctrine,
         private RequestStack $requestStack,
         private UserNotifier $userNotifier,
+        private AuditRecordRepository $auditRecordRepository,
     ) {
     }
 
@@ -39,6 +42,8 @@ public function enableTwoFactorAuth(User $user, string $secret): void
         $user->setTotpSecret($secret);
         $this->doctrine->getManager()->flush();
 
+        $this->auditRecordRepository->insert(AuditRecord::twoFactorAuthenticationActivated($user));
+
         $this->userNotifier->notifyChange(
             $user->getEmail(),
             template: 'email/two_factor_enabled.txt.twig',
@@ -56,6 +61,8 @@ public function disableTwoFactorAuth(User $user, string $reason): void
         $user->invalidateAllBackupCodes();
         $this->doctrine->getManager()->flush();
 
+        $this->auditRecordRepository->insert(AuditRecord::twoFactorAuthenticationDeactivated($user, $reason));
+
         $this->userNotifier->notifyChange(
             $user->getEmail(),
             template: 'email/two_factor_disabled.txt.twig',

templates/audit_log/display/two_fa_activated.html.twig

@@ -0,0 +1,3 @@
+{% import 'audit_log/macros.html.twig' as auditLog %}
+
+<strong>Username: {{ display.username }}</strong><br>

templates/audit_log/display/two_fa_deactivated.html.twig

@@ -0,0 +1,4 @@
+{% import 'audit_log/macros.html.twig' as auditLog %}
+
+<strong>Username: {{ display.username }}</strong><br>
+Reason: {{ display.reason }}

tests/Audit/Display/AuditLogDisplayFactoryTest.php

@@ -20,6 +20,8 @@
 use App\Audit\Display\PackageCreatedDisplay;
 use App\Audit\Display\PackageDeletedDisplay;
 use App\Audit\Display\PackageUnabandonedDisplay;
+use App\Audit\Display\TwoFaActivatedDisplay;
+use App\Audit\Display\TwoFaDeactivatedDisplay;
 use App\Audit\Display\VersionDeletedDisplay;
 use App\Audit\Display\VersionReferenceChangedDisplay;
 use App\Entity\AuditRecord;
@@ -393,6 +395,48 @@ public function testDateTimeIsPreserved(): void
         self::assertSame($datetime, $display->getDateTime());
     }
 
+    public function testBuildTwoFaActivated(): void
+    {
+        $auditRecord = $this->createAuditRecord(
+            AuditRecordType::TwoFaAuthenticationActivated,
+            [
+                'username' => 'testuser',
+                'actor' => ['id' => 123, 'username' => 'testuser'],
+            ]
+        );
+
+        $display = $this->factory->buildSingle($auditRecord);
+
+        self::assertInstanceOf(TwoFaActivatedDisplay::class, $display);
+        self::assertSame('testuser', $display->username);
+        self::assertSame(123, $display->actor->id);
+        self::assertSame('testuser', $display->actor->username);
+        self::assertSame(AuditRecordType::TwoFaAuthenticationActivated, $display->getType());
+        self::assertSame('audit_log/display/two_fa_activated.html.twig', $display->getTemplateName());
+    }
+
+    public function testBuildTwoFaDeactivated(): void
+    {
+        $auditRecord = $this->createAuditRecord(
+            AuditRecordType::TwoFaAuthenticationDeactivated,
+            [
+                'username' => 'testuser',
+                'reason' => 'Manually disabled',
+                'actor' => ['id' => 123, 'username' => 'testuser'],
+            ]
+        );
+
+        $display = $this->factory->buildSingle($auditRecord);
+
+        self::assertInstanceOf(TwoFaDeactivatedDisplay::class, $display);
+        self::assertSame('testuser', $display->username);
+        self::assertSame('Manually disabled', $display->reason);
+        self::assertSame(123, $display->actor->id);
+        self::assertSame('testuser', $display->actor->username);
+        self::assertSame(AuditRecordType::TwoFaAuthenticationDeactivated, $display->getType());
+        self::assertSame('audit_log/display/two_fa_deactivated.html.twig', $display->getTemplateName());
+    }
+
     /**
      * @param array<string, mixed> $attributes
      */

translations/messages.en.yml

@@ -185,8 +185,8 @@ audit_log:
         password_changed: Password changed
         password_reset: Password reset
         password_reset_requested: Password reset requested
-        two_fa_activated: Two-factor authentication activated
-        two_fa_deactivated: Two-factor authentication deactivated
+        two_fa_activated: 2FA activated
+        two_fa_deactivated: 2FA deactivated
         user_created: User created
         user_deleted: User deleted
         username_changed: Username changed