otp.php

<?php
 
namespace Bitrix\Security\Mfa;
 
use Bitrix\Main\Application;
use Bitrix\Main\ArgumentOutOfRangeException;
use Bitrix\Main\ArgumentTypeException;
use Bitrix\Main\Config\Option;
use Bitrix\Main\Localization\Loc;
use Bitrix\Main\Type;
use Bitrix\Main\Security\Sign\BadSignatureException;
use Bitrix\Main\Security\Sign\TimeSigner;
use Bitrix\Main\Security\Random;
use Bitrix\Main\Text\Base32;
use Bitrix\Main\Security\Mfa\OtpAlgorithm;
use Bitrix\Main\Authentication\Policy;
 
Loc::loadMessages(__FILE__);
 
class Otp
{
    const TYPE_HOTP = 'hotp';
    const TYPE_TOTP = 'totp';
    const TYPE_DEFAULT = self::TYPE_HOTP;
    const SECRET_LENGTH = 20; // Must be power of 5 for "nicely" App Secret view
 
    const SKIP_COOKIE = 'OTPH';
 
    const REJECTED_KEY = 'OTP_REJECT_REASON';
    const REJECT_BY_CODE = 'code';
    const REJECT_BY_MANDATORY = 'mandatory';
 
    const TAGGED_CACHE_TEMPLATE = 'USER_OTP_%d';
 
    protected static $availableTypes = array(self::TYPE_HOTP, self::TYPE_TOTP);
    protected static $typeMap = array(
        self::TYPE_HOTP => '\Bitrix\Main\Security\Mfa\HotpAlgorithm',
        self::TYPE_TOTP => '\Bitrix\Main\Security\Mfa\TotpAlgorithm',
    );
    protected $algorithmClass = null;
    protected array $initParams = [];
    protected $regenerated = false;
    /* @var \Bitrix\Main\Context $context */
    protected $context = null;
 
    protected $userId = null;
    protected $userLogin = null;
    /* @var Policy\RulesCollection*/
    protected $userGroupPolicy;
    protected $active = null;
    protected $userActive = null;
    protected $secret = null;
    protected $issuer = null;
    protected $label = null;
    protected $params = null;
    protected $attempts = null;
    protected $type = null;
    protected $initialDate = null;
    protected $skipMandatory = null;
    protected $deactivateUntil = null;
 
    public function __construct($algorithm = null)
    {
        if ($algorithm === null)
        {
            $this->setType(static::getDefaultType());
        }
        else
        {
            $this->algorithmClass = $algorithm;
        }
    }
 
    public static function getByUser($userId)
    {
        $userId = (int) $userId;
 
        if ($userId <= 0)
            throw new ArgumentTypeException('userId', 'positive integer');
 
        $userInfo = UserTable::getList(array(
            'filter' => array('=USER_ID' => $userId),
            'select' => array('ACTIVE', 'USER_ID', 'SECRET', 'INIT_PARAMS', 'PARAMS', 'TYPE', 'ATTEMPTS', 'INITIAL_DATE', 'SKIP_MANDATORY', 'DEACTIVATE_UNTIL', 'USER_ACTIVE' => 'USER.ACTIVE')
        ));
 
        $userInfo = $userInfo->fetch();
 
        if (!$userInfo)
        {
            // OTP not available for this user
            $instance = new static;
            $instance->setUserId($userId);
            $instance->setActive(false);
        }
        else
        {
            $type = $userInfo['TYPE'] ?: self::TYPE_DEFAULT;
            $userInfo['SECRET'] = pack('H*', $userInfo['SECRET']);
            $userInfo['ACTIVE'] = ($userInfo['ACTIVE'] === 'Y');
            $userInfo['USER_ACTIVE'] = ($userInfo['USER_ACTIVE'] === 'Y');
            $userInfo['SKIP_MANDATORY'] = $userInfo['SKIP_MANDATORY'] === 'Y';
 
            $instance = static::getByType($type);
            $instance->setUserInfo($userInfo);
        }
 
        return $instance;
    }
 
    public static function getByType($type)
    {
        if (!in_array($type, static::$availableTypes))
            throw new ArgumentOutOfRangeException('type', static::$availableTypes);
 
        $algo = static::$typeMap[$type];
        $instance = new static($algo);
        $instance->setType($type);
        return $instance;
    }
 
    public function setType($type)
    {
        if (!in_array($type, static::$availableTypes))
            throw new ArgumentOutOfRangeException('type', static::$availableTypes);
 
        $this->algorithmClass = static::$typeMap[$type];
        $this->type = $type;
 
        return $this;
    }
 
    public function setInitParams(array $params)
    {
        $this->initParams = $params;
        return $this;
    }
 
    public function getInitParams(): array
    {
        return $this->initParams;
    }
 
    public function getType()
    {
        return $this->type;
    }
 
    public function getAlgorithm()
    {
        $algorithm = new $this->algorithmClass($this->getInitParams());
        $algorithm->setSecret($this->getSecret());
 
        return $algorithm;
    }
 
    public function getProvisioningUri(array $opts = array())
    {
        $issuer = $this->getIssuer();
        $opts += array('issuer' => $issuer);
 
        return $this
            ->getAlgorithm()
            ->generateUri(
                $this->getLabel($issuer),
                $opts
            );
    }
 
    public function regenerate($newSecret = null)
    {
        if (!$newSecret)
        {
            $newSecret = Random::getBytes(static::SECRET_LENGTH);
        }
 
        $this->regenerated = true;
        return $this
            ->setType(static::getDefaultType())
            ->setAttempts(0)
            ->setSkipMandatory(false)
            ->setInitialDate(new Type\DateTime)
            ->setDeactivateUntil(null)
            ->setParams(null)
            ->setSecret($newSecret)
            ->setActive(true)
        ;
    }
 
    public function verify($input, $updateParams = true)
    {
        [$result, $newParams] = $this->getAlgorithm()->verify($input, $this->getParams());
 
        if (
            $updateParams
            && $newParams !== null
            && $this->isActivated()
        )
        {
            $this
                ->setParams($newParams)
                ->save()
            ;
        }
        return $result;
    }
 
    public function isAttemptsReached()
    {
        $attempts  = $this->getAttempts();
        $maxAttempts = $this->getMaxLoginAttempts();
        return (
            $maxAttempts > 0
            && $attempts >= $maxAttempts
        );
    }
 
    public function getSyncParameters($inputA, $inputB)
    {
        return $this->getAlgorithm()->getSyncParameters((string) $inputA, (string) $inputB);
    }
 
    public function syncParameters($inputA, $inputB = null)
    {
        if (!$inputA)
            throw new OtpException(Loc::getMessage('SECURITY_OTP_ERROR_PASS1_EMPTY'));
        elseif (!preg_match('/^\d{6}$/D', $inputA))
            throw new OtpException(getMessage('SECURITY_OTP_ERROR_PASS1_INVALID'));
 
        if ($this->getAlgorithm()->isTwoCodeRequired())
        {
            if (!$inputB)
                throw new OtpException(Loc::getMessage('SECURITY_OTP_ERROR_PASS2_EMPTY'));
            elseif (!preg_match('/^\d{6}$/D', $inputB))
                throw new OtpException(Loc::getMessage('SECURITY_OTP_ERROR_PASS2_INVALID'));
        }
 
        try
        {
            $params = $this->getSyncParameters($inputA, $inputB);
        }
        catch (\Bitrix\Main\Security\OtpException)
        {
            throw new OtpException(Loc::getMessage('SECURITY_OTP_ERROR_SYNC_ERROR'));
        }
 
        $this->setParams($params);
 
        return $this;
    }
 
    public function save()
    {
        $fields = array(
            'ACTIVE' => $this->isActivated()? 'Y': 'N',
            'TYPE' => $this->getType(),
            'INIT_PARAMS' => $this->getInitParams(),
            'ATTEMPTS' => $this->getAttempts(),
            'SECRET' => $this->getHexSecret(),
            'INITIAL_DATE' => $this->getInitialDate()?: new Type\DateTime,
            'PARAMS' => $this->getParams(),
            'SKIP_MANDATORY' => $this->isMandatorySkipped()? 'Y': 'N',
            'DEACTIVATE_UNTIL' => $this->getDeactivateUntil()
        );
 
        if ($this->regenerated)
        {
            if (!$this->isInitialized())
                throw new OtpException('Missing OTP params, forgot to call syncParameters?');
 
            // Clear recovery codes when we connect new device
            RecoveryCodesTable::clearByUser($this->getUserId());
        }
 
        if ($this->isDbRecordExists())
        {
            $result = UserTable::update($this->getUserId(), $fields);
        }
        else
        {
            $fields += array(
                'USER_ID' => $this->getUserId(),
            );
            $result = UserTable::add($fields);
        }
 
        $this->clearGlobalCache();
 
        return $result->isSuccess();
    }
 
    public function delete()
    {
        UserTable::delete($this->getUserId());
 
        return $this;
    }
 
    public function activate()
    {
        if (!$this->isInitialized())
            throw new OtpException('OTP not initialized, if your activate it - user can\'t login anymore. Do you forgot to call regenerate?');
 
        $this
            ->setActive(true)
            ->setDeactivateUntil(null)
            ->save();
 
        return $this;
    }
 
    public function deactivate($days = 0)
    {
        if (!$this->isActivated())
            throw new OtpException('Otp not activated. Do your mean deffer?');
 
        $this->setActive(false);
        $this->setSkipMandatory();
 
        if ($days <= 0)
        {
            $this->setDeactivateUntil(null);
        }
        else
        {
            $deactivateDate = Type\DateTime::createFromTimestamp(time() + $days * 86400);
            $this->setDeactivateUntil($deactivateDate);
        }
 
        $this->save();
 
        return $this;
    }
 
    public function defer($days = 0)
    {
        if ($this->isActivated())
            throw new OtpException('Otp already activated. Do your mean deactivate?');
 
        $this->setSkipMandatory();
        if ($days <= 0)
        {
            $this->setDeactivateUntil(null);
        }
        else
        {
            $deactivateDate = Type\DateTime::createFromTimestamp(time() + $days * 86400);
            $this->setDeactivateUntil($deactivateDate);
        }
 
        $this->save();
 
        return $this;
    }
 
    public function setUserInfo(array $userInfo)
    {
        $this
            ->setActive($userInfo['ACTIVE'])
            ->setUserActive($userInfo['USER_ACTIVE'])
            ->setUserId($userInfo['USER_ID'])
            ->setAttempts($userInfo['ATTEMPTS'])
            ->setSecret($userInfo['SECRET'])
            ->setInitParams($userInfo['INIT_PARAMS'])
            ->setParams($userInfo['PARAMS'])
            ->setSkipMandatory($userInfo['SKIP_MANDATORY'])
        ;
 
        // Old users haven't INITIAL_DATE and DEACTIVATE_UNTIL
        // ToDo: maybe it's not the best approach, think about it later
        if ($userInfo['INITIAL_DATE'])
            $this->setInitialDate($userInfo['INITIAL_DATE']);
 
        if ($userInfo['DEACTIVATE_UNTIL'])
            $this->setDeactivateUntil($userInfo['DEACTIVATE_UNTIL']);
 
        return $this;
    }
 
    protected function setInitialDate(Type\DateTime $date)
    {
        $this->initialDate = $date;
 
        return $this;
    }
 
    public function getInitialDate()
    {
        return $this->initialDate;
    }
 
    protected function setDeactivateUntil($date)
    {
        $this->deactivateUntil = $date;
 
        return $this;
    }
 
    public function getDeactivateUntil()
    {
        return $this->deactivateUntil;
    }
 
    protected function setSkipMandatory($isSkipped = true)
    {
        $this->skipMandatory = $isSkipped;
 
        return $this;
    }
 
    public function isMandatorySkipped()
    {
        return $this->skipMandatory;
    }
 
    protected function getInitialTimestamp()
    {
        $initialDate = $this->getInitialDate();
        if (!$initialDate)
            return 0;
 
        return $initialDate->getTimestamp();
    }
 
    protected function setUserId($userId)
    {
        $this->userId = $userId;
 
        return $this;
    }
 
    public function getUserId()
    {
        return (int) $this->userId;
    }
 
    public function setActive($isActive)
    {
        $this->active = $isActive;
 
        return $this;
    }
 
    public function isActivated()
    {
        return (bool) $this->active;
    }
 
    public function setUserActive($isActive)
    {
        $this->userActive = $isActive;
 
        return $this;
    }
 
    public function isUserActive()
    {
        return (bool) $this->userActive;
    }
 
    public function isInitialized()
    {
        if ($this->isActivated())
        {
            // Without "hacks" OTP can't be activated without initialization
            return true;
        }
 
        // ToDo: maybe better add new property with column?
        return (bool) $this->getSecret();
    }
 
    protected function setAttempts($attemptsCount)
    {
        $this->attempts = $attemptsCount;
 
        return $this;
    }
 
    public function getAttempts()
    {
        return (int) $this->attempts;
    }
 
    protected function setParams($params)
    {
        $this->params = $params;
 
        return $this;
    }
 
    public function getParams()
    {
        return (string) $this->params;
    }
 
    public function getSecret()
    {
        return $this->secret;
    }
 
    public function getHexSecret()
    {
        $secret = $this->getSecret();
 
        return bin2hex($secret);
    }
 
    public function getAppSecret()
    {
        $secret = $this->getSecret();
        $secret = Base32::encode($secret);
 
        return rtrim($secret, '=');
    }
 
    public function setSecret($secret)
    {
        $this->secret = $secret;
        return $this;
    }
 
    public function setHexSecret($hexValue)
    {
        $secret = pack('H*', $hexValue);
 
        return $this->setSecret($secret);
    }
 
    public function setAppSecret($value)
    {
        $secret = Base32::decode($value);
 
        return $this->setSecret($secret);
    }
 
    public function getIssuer()
    {
        if ($this->issuer === null)
            $this->issuer = $this->getDefaultIssuer();
 
        return $this->issuer;
    }
 
    public function setIssuer($issuer)
    {
        $this->issuer = $issuer;
        return $this;
    }
 
    public function getLabel($issuer = null)
    {
        if ($this->label === null)
            $this->label = $this->generateLabel($issuer);
 
        return $this->label;
    }
 
    public function setLabel($label)
    {
        $this->label = $label;
        return $this;
    }
 
    public function getContext()
    {
        if ($this->context === null)
            $this->context = Application::getInstance()->getContext();
 
        return $this->context;
    }
 
    public function setContext(\Bitrix\Main\Context $context)
    {
        $this->context = $context;
        return $this;
    }
 
    public function setUserLogin($login)
    {
        $this->userLogin = $login;
 
        return $this;
    }
 
    public function getUserLogin()
    {
        if ($this->userLogin === null && $this->userId)
        {
            $this->userLogin = \Bitrix\Main\UserTable::query()
                ->addFilter('=ID', $this->getUserId())
                ->addSelect('LOGIN')
                ->exec()
                ->fetch();
 
            $this->userLogin = $this->userLogin['LOGIN'];
        }
 
        return $this->userLogin;
    }
 
    protected function getDefaultIssuer()
    {
        $host = Option::get('main', 'server_name');
        if($host)
        {
            return preg_replace('#:\d+$#D', '', $host);
        }
        else
        {
            return Option::get('security', 'otp_issuer', 'Bitrix');
        }
    }
 
    protected function generateLabel($issuer = null)
    {
        if ($issuer)
            return sprintf('%s:%s', $issuer, $this->getUserLogin());
        else
            return $this->getUserLogin();
    }
 
    protected function getMaxLoginAttempts()
    {
        if (!$this->isActivated())
            return 0;
 
        return (int) $this->getPolicy()->getLoginAttempts();
    }
 
    protected function getRememberLifetime()
    {
        if (!$this->isActivated())
            return 0;
 
        return ((int) $this->getPolicy()->getStoreTimeout()) * 60;
    }
 
    protected function getRememberIpMask()
    {
        if (!$this->isActivated())
            return '255.255.255.255';
 
        return $this->getPolicy()->getStoreIpMask();
    }
 
    public function canSkipMandatory()
    {
        $result = $this->isMandatorySkipped();
 
        if (!$result)
        {
            // Check mandatory rights
            $result = $this->canSkipMandatoryByRights();
        }
 
        return $result;
    }
 
    public function canSkipMandatoryByRights()
    {
        $targetRights = static::getMandatoryRights();
        $userRights = \CAccess::getUserCodesArray($this->getUserId());
        $existedRights = array_intersect($targetRights, $userRights);
        $result = empty($existedRights);
 
        return $result;
    }
 
    protected function canSkipByCookie()
    {
        if (Option::get('security', 'otp_allow_remember') !== 'Y')
            return false;
 
        $signedValue = $this->getContext()->getRequest()->getCookie(static::SKIP_COOKIE);
 
        if (!$signedValue || !is_string($signedValue))
            return false;
 
        try
        {
            $signer = new TimeSigner();
            $value = $signer
                ->setKey($this->getSecret())
                ->unsign($signedValue, 'MFA_SAVE');
        }
        catch (BadSignatureException)
        {
            return false;
        }
 
        return ($value === $this->getSkipCookieValue());
    }
 
    protected function getSkipCookieValue()
    {
        // ToDo: must be tied to the ID of "computer" when it will appear in the main module
        $rememberMask = $this->getRememberIpMask();
        $userIp = $this->getContext()->getRequest()->getRemoteAddress();
        return md5(ip2long($rememberMask) & ip2long($userIp));
    }
 
    protected function setSkipCookie()
    {
        global $APPLICATION;
 
        $signer = new TimeSigner();
        $rememberLifetime = $this->getRememberLifetime();
        $rememberLifetime += time();
        $rememberValue = $this->getSkipCookieValue();
 
        $signedValue = $signer
            ->setKey($this->getSecret())
            ->sign($rememberValue, $rememberLifetime, 'MFA_SAVE');
 
        $isSecure = (
            Option::get('main', 'use_secure_password_cookies', 'N') === 'Y'
            && $this->getContext()->getRequest()->isHttps()
        );
 
        $APPLICATION->set_cookie(
            static::SKIP_COOKIE, // $name
            $signedValue,        // $value
            $rememberLifetime,   // $time = false
            '/',                 // $folder = "/"
            false,               // $domain = false
            $isSecure,           // $secure = false
            true,                // $spread = true
            false,               // $name_prefix = false
            true                 // $httpOnly = false
        );
 
        return $this;
    }
 
    protected function isDbRecordExists()
    {
        return UserTable::getRowById($this->getUserId()) !== null;
    }
 
    protected function getPolicy()
    {
        if (!$this->userGroupPolicy)
        {
            $this->userGroupPolicy = \CUser::getPolicy($this->getUserId());
        }
 
        return $this->userGroupPolicy;
    }
 
    protected function clearGlobalCache()
    {
        $cache_dir = '/otp/user_id/' . substr(md5($this->getUserId()), -2) . '/' . $this->getUserId() . '/';
        $cache = new \CPHPCache;
        $cache->CleanDir($cache_dir);
 
        return $this;
    }
 
    public static function verifyUser(array $params)
    {
        global $APPLICATION;
 
        if (!static::isOtpEnabled()) // OTP disabled in settings
            return true;
 
        $isSuccess = false;
 
        // ToDo: review and refactoring needed
        $otp = static::getByUser($params['USER_ID']);
 
        if (!$otp->isActivated())
        {
            // User does not use OTP
            $isSuccess = true;
 
            if (
                static::isMandatoryUsing()
                && !$otp->canSkipMandatory()
            )
            {
                // Grace full period ends. We must reject authorization and defer reject reason
                if (!$otp->isDbRecordExists() && static::getSkipMandatoryDays())
                {
                    // If mandatory enabled and user never use OTP - let us deffer initialization
                    $otp->defer(static::getSkipMandatoryDays());
 
                    // We forgive the user for the first time
                    static::setDeferredParams(null);
                    return true;
                }
 
                // Save a flag which indicates that an OTP is required, but user doesn't use it :-(
                $params[static::REJECTED_KEY] = static::REJECT_BY_MANDATORY;
                static::setDeferredParams($params);
                return false;
            }
        }
        else
        {
            if (!$otp->isUserActive())
            {
                //non-active user can't log in by OTP
                return false;
            }
        }
 
 
        if (!$isSuccess)
        {
            // User skip OTP on this browser by cookie
            $isSuccess = $otp->canSkipByCookie();
        }
 
        if (!$isSuccess)
        {
            $isCaptchaChecked = (
                !$otp->isAttemptsReached()
                || $APPLICATION->captchaCheckCode($params['CAPTCHA_WORD'], $params['CAPTCHA_SID'])
            );
            $isRememberNeeded = (
                $params['OTP_REMEMBER']
                && Option::get('security', 'otp_allow_remember') === 'Y'
            );
 
            if (!$isCaptchaChecked && !$APPLICATION->NeedCAPTHA())
            {
                // Backward compatibility with old login page
                $APPLICATION->SetNeedCAPTHA(true);
            }
 
            $isOtpPassword = (bool) preg_match('/^\d{6}$/D', $params['OTP']);
            $isRecoveryCode = (
                static::isRecoveryCodesEnabled()
                && preg_match(RecoveryCodesTable::CODE_PATTERN, $params['OTP'])
            );
 
            if ($isCaptchaChecked && ($isOtpPassword || $isRecoveryCode))
            {
                if ($isOtpPassword)
                    $isSuccess = $otp->verify($params['OTP']);
                elseif ($isRecoveryCode)
                    $isSuccess = RecoveryCodesTable::useCode($otp->getUserId(), $params['OTP']);
                else
                    $isSuccess = false;
 
                if (!$isSuccess)
                {
                    $otp
                        ->setAttempts($otp->getAttempts() + 1)
                        ->save();
                }
                else
                {
                    if ($otp->getAttempts() > 0)
                    {
                        // Clear OTP input attempts
                        $otp
                            ->setAttempts(0)
                            ->save();
                    }
 
                    if ($isRememberNeeded && $isOtpPassword)
                    {
                        // If user provide otp password (not recovery codes)
                        // Sets cookie for bypass OTP checking
                        $otp->setSkipCookie();
                    }
                }
            }
        }
 
        if ($isSuccess)
        {
            static::setDeferredParams(null);
        }
        else
        {
            // Save a flag which indicates that a form for OTP is required
            $params[static::REJECTED_KEY] = static::REJECT_BY_CODE;
            static::setDeferredParams($params);
 
            //the OTP form will be shown on the next hit, send the event
            static::sendEvent($otp);
 
            //write to the log ("on" by default)
            if(Option::get("security", "otp_log") <> "N")
            {
                \CSecurityEvent::getInstance()->doLog("SECURITY", "SECURITY_OTP", $otp->getUserId(), "");
            }
        }
 
        return $isSuccess;
    }
 
    protected static function sendEvent(Otp $otp)
    {
        $code = null;
        $algo = $otp->getAlgorithm();
 
        //code value only for TOTP
        if($algo instanceof \Bitrix\Main\Security\Mfa\TotpAlgorithm)
        {
            //value based on the current time
            $timeCode = $algo->timecode(time());
            $code = $algo->generateOTP($timeCode);
        }
 
        $eventParams = [
            "userId" => $otp->getUserId(),
            "code" => $code,
        ];
 
        $event = new \Bitrix\Main\Event("security", "onOtpRequired", $eventParams);
        $event->send();
    }
 
    public static function isOtpRequired()
    {
        return static::getDeferredParams() !== null;
    }
 
    public static function isOtpRequiredByMandatory()
    {
        $params = static::getDeferredParams();
        if (
            !$params
            || !isset($params[static::REJECTED_KEY])
        )
        {
            return false;
        }
 
        return $params[static::REJECTED_KEY] === static::REJECT_BY_MANDATORY;
    }
 
    public static function isCaptchaRequired()
    {
        $params = static::getDeferredParams();
 
        if (!$params || !isset($params['USER_ID']))
            return false;
 
        $otp = static::getByUser($params['USER_ID']);
        return $otp && $otp->isAttemptsReached();
    }
 
    public static function getDeferredParams()
    {
        $kernelSession = Application::getInstance()->getKernelSession();
        if (isset($kernelSession['BX_SECURITY_OTP']) && is_array($kernelSession['BX_SECURITY_OTP']))
        {
            return $kernelSession['BX_SECURITY_OTP'];
        }
 
        return null;
    }
 
    public static function setDeferredParams($params)
    {
        $kernelSession = Application::getInstance()->getKernelSession();
        if ($params === null)
        {
            unset($kernelSession['BX_SECURITY_OTP']);
        }
        else
        {
            // Probably we do not need saving password in deferred params
            // Or need? I don't know right now...
            if (isset($params['PASSWORD']))
                unset($params['PASSWORD']);
 
            $kernelSession['BX_SECURITY_OTP'] = $params;
        }
    }
 
    public static function setSkipMandatoryDays($days = 2)
    {
        Option::set('security', 'otp_mandatory_skip_days', (int) $days, null);
    }
 
    public static function getSkipMandatoryDays()
    {
        return (int) Option::get('security', 'otp_mandatory_skip_days');
    }
 
    public static function setMandatoryUsing($isMandatory = true)
    {
        Option::set('security', 'otp_mandatory_using', $isMandatory? 'Y': 'N', null);
    }
 
    public static function isMandatoryUsing()
    {
        return (Option::get('security', 'otp_mandatory_using') === 'Y');
    }
 
    public static function setMandatoryRights(array $rights)
    {
        Option::set('security', 'otp_mandatory_rights', serialize($rights), null);
    }
 
    public static function getMandatoryRights()
    {
        $targetRights = Option::get('security', 'otp_mandatory_rights');
        $targetRights = unserialize($targetRights, ['allowed_classes' => false]);
        if (!is_array($targetRights))
            $targetRights = array();
 
        return $targetRights;
    }
 
    public static function setDefaultType($value)
    {
        if (!in_array($value, static::$availableTypes))
            throw new ArgumentOutOfRangeException('value', static::$availableTypes);
 
        Option::set('security', 'otp_default_algo', $value, null);
    }
 
 
    public static function getDefaultType()
    {
        return Option::get('security', 'otp_default_algo');
    }
 
    public static function getAvailableTypes()
    {
        return static::$availableTypes;
    }
 
    public static function getTypesDescription()
    {
        return array(
            self::TYPE_HOTP => array(
                'type' => self::TYPE_HOTP,
                'title' => Loc::getMessage('SECURITY_HOTP_TITLE'),
                'required_two_code' => true,
            ),
            self::TYPE_TOTP => array(
                'type' => self::TYPE_TOTP,
                'title' => Loc::getMessage('SECURITY_TOTP_TITLE'),
                'required_two_code' => false,
            )
        );
    }
 
    public static function isOtpEnabled()
    {
        return (Option::get('security', 'otp_enabled') === 'Y');
    }
 
    public static function isRecoveryCodesEnabled()
    {
        return (Option::get('security', 'otp_allow_recovery_codes') === 'Y');
    }
}