Enable 2FA for LDAP logins

CHANGELOG-EE

 v 7.11.0
   - Skip git hooks commit validation when pushing new tag.
+  - Add Two-factor authentication (2FA) for LDAP logins
 
 v 7.10.1
   - Check if comment exists in Jira before sending a reference

app/controllers/concerns/authenticates_with_two_factor.rb

+# == AuthenticatesWithTwoFactor
+#
+# Controller concern to handle two-factor authentication
+#
+# Upon inclusion, skips `require_no_authentication` on `:create`.
+module AuthenticatesWithTwoFactor
+  extend ActiveSupport::Concern
+
+  included do
+    # This action comes from DeviseController, but because we call `sign_in`
+    # manually, not skipping this action would cause a "You are already signed
+    # in." error message to be shown upon successful login.
+    skip_before_action :require_no_authentication, only: [:create]
+  end
+
+  # Store the user's ID in the session for later retrieval and render the
+  # two factor code prompt
+  #
+  # The user must have been authenticated with a valid login and password
+  # before calling this method!
+  #
+  # user - User record
+  #
+  # Returns nil
+  def prompt_for_two_factor(user)
+    session[:otp_user_id] = user.id
+
+    render 'devise/sessions/two_factor' and return
+  end
+end

app/controllers/omniauth_callbacks_controller.rb

 class OmniauthCallbacksController < Devise::OmniauthCallbacksController
+  include AuthenticatesWithTwoFactor
+
   protect_from_forgery except: :kerberos
+
   Gitlab.config.omniauth.providers.each do |provider|
     define_method provider['name'] do
       handle_omniauth
@@ -26,7 +29,11 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
 
     # Do additional LDAP checks for the user filter and EE features
     if @user.allowed?
-      sign_in_and_redirect(gl_user)
+      if @user.otp_required_for_login?
+        prompt_for_two_factor(gl_user)
+      else
+        sign_in_and_redirect(gl_user)
+      end
     else
       flash[:alert] = "Access denied for your LDAP account."
       redirect_to new_user_session_path

app/views/profiles/accounts/show.html.haml

@@ -26,33 +26,32 @@
               %span You don`t have one yet. Click generate to fix it.
               = f.submit 'Generate', class: "btn success btn-build-token"
 
-  - unless current_user.ldap_user?
-    %fieldset
-      - if current_user.otp_required_for_login
-        %legend.text-success
-          = icon('check')
-          Two-factor Authentication enabled
-        %div
-          .pull-right
-            = link_to 'Disable Two-factor Authentication', profile_two_factor_auth_path, method: :delete, class: 'btn btn-close btn-sm',
-                data: { confirm: 'Are you sure?' }
-          %p
-            If you lose your recovery codes you can
-            %strong
-              = succeed ',' do
-                = link_to 'generate new ones', codes_profile_two_factor_auth_path, method: :post, data: { confirm: 'Are you sure?' }
-            invalidating all previous codes.
+  %fieldset
+    - if current_user.otp_required_for_login
+      %legend.text-success
+        = icon('check')
+        Two-factor Authentication enabled
+      %div
+        .pull-right
+          = link_to 'Disable Two-factor Authentication', profile_two_factor_auth_path, method: :delete, class: 'btn btn-close btn-sm',
+              data: { confirm: 'Are you sure?' }
+        %p
+          If you lose your recovery codes you can
+          %strong
+            = succeed ',' do
+              = link_to 'generate new ones', codes_profile_two_factor_auth_path, method: :post, data: { confirm: 'Are you sure?' }
+          invalidating all previous codes.
 
-      - else
-        %legend Two-factor Authentication
+    - else
+      %legend Two-factor Authentication
+      %div
+        %p
+          Increase your account's security by enabling two-factor authentication (2FA).
+        %p
+          Each time you log in you’ll be required to provide your username and
+          password as usual, plus a randomly-generated code from your phone.
         %div
-          %p
-            Increase your account's security by enabling two-factor authentication (2FA).
-          %p
-            Each time you log in you’ll be required to provide your username and
-            password as usual, plus a randomly-generated code from your phone.
-          %div
-            = link_to 'Enable Two-factor Authentication', new_profile_two_factor_auth_path, class: 'btn btn-success'
+          = link_to 'Enable Two-factor Authentication', new_profile_two_factor_auth_path, class: 'btn btn-success'
 
   - if show_profile_social_tab?
     %fieldset

lib/gitlab/ldap/user.rb

@@ -24,7 +24,9 @@ module Gitlab
         update_user_attributes
       end
 
-      # instance methods
+      delegate :otp_required_for_login?, :otp_backup_codes, :otp_attempt,
+        to: :gl_user
+
       def gl_user
         @gl_user ||= find_by_uid_and_provider || find_by_email || build_new_user
       end