Support Two-factor Authentication for LDAP users

Closes #12653

CHANGELOG

@@ -16,6 +16,7 @@ v 8.5.0 (unreleased)
   - Don't vendor minified JS
   - Display 404 error on group not found
   - Track project import failure
+  - Support Two-factor Authentication for LDAP users
   - Fix visibility level text in admin area (Zeger-Jan van de Weg)
   - Warn admin during OAuth of granting admin rights (Zeger-Jan van de Weg)
   - Update the ExternalIssue regex pattern (Blake Hitchcock)

app/controllers/omniauth_callbacks_controller.rb

@@ -1,4 +1,5 @@
 class OmniauthCallbacksController < Devise::OmniauthCallbacksController
+  include AuthenticatesWithTwoFactor
 
   protect_from_forgery except: [:kerberos, :saml, :cas3]
 
@@ -29,8 +30,12 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
 
     # Do additional LDAP checks for the user filter and EE features
     if ldap_user.allowed?
-      log_audit_event(@user, with: :ldap)
+      if @user.two_factor_enabled?
-      sign_in_and_redirect(@user)
+        prompt_for_two_factor(@user)
+      else
+        log_audit_event(@user, with: :ldap)
+        sign_in_and_redirect(@user)
+      end
     else
       flash[:alert] = "Access denied for your LDAP account."
       redirect_to new_user_session_path

app/views/profiles/accounts/show.html.haml

@@ -31,34 +31,33 @@
           - else
             = f.submit 'Generate', class: "btn btn-default"
 
-  - unless current_user.ldap_user?
+  .panel.panel-default
-    .panel.panel-default
+    .panel-heading
-      .panel-heading
+      Two-factor Authentication
-        Two-factor Authentication
+    .panel-body
-      .panel-body
+      - if current_user.two_factor_enabled?
-        - if current_user.two_factor_enabled?
+        .pull-right
-          .pull-right
+          = link_to 'Disable Two-factor Authentication', profile_two_factor_auth_path, method: :delete, class: 'btn btn-close btn-sm',
-            = link_to 'Disable Two-factor Authentication', profile_two_factor_auth_path, method: :delete, class: 'btn btn-close btn-sm',
+              data: { confirm: 'Are you sure?' }
-                data: { confirm: 'Are you sure?' }
+        %p.text-success
-          %p.text-success
+          %strong
-            %strong
+            Two-factor Authentication is enabled
-              Two-factor Authentication is enabled
+        %p
-          %p
+          If you lose your recovery codes you can
-            If you lose your recovery codes you can
+          %strong
-            %strong
+            = succeed ',' do
-              = succeed ',' do
+              = link_to 'generate new ones', codes_profile_two_factor_auth_path, method: :post, data: { confirm: 'Are you sure?' }
-                = link_to 'generate new ones', codes_profile_two_factor_auth_path, method: :post, data: { confirm: 'Are you sure?' }
+          invalidating all previous codes.
-            invalidating all previous codes.
 
-        - else
+      - else
-          %p
+        %p
-            Increase your account's security by enabling two-factor authentication (2FA).
+          Increase your account's security by enabling two-factor authentication (2FA).
-          %p
+        %p
-            Each time you log in you’ll be required to provide your username and
+          Each time you log in you’ll be required to provide your username and
-            password as usual, plus a randomly-generated code from your phone.
+          password as usual, plus a randomly-generated code from your phone.
 
-          .form-actions
+        .form-actions
-            = link_to 'Enable Two-factor Authentication', new_profile_two_factor_auth_path, class: 'btn btn-success'
+          = link_to 'Enable Two-factor Authentication', new_profile_two_factor_auth_path, class: 'btn btn-success'
 
   - if button_based_providers.any?
     .panel.panel-default