Centralize all LDAP config logic in `GitLab::LDAP::Config`. Previously,
some logic was in the Devise initializer and it was not honoring the
`user_filter`. If a user outside the configured `user_filter` signed
in, an account would be created but they would then be denied access.
Now that logic is centralized, the filter is honored and users outside
the filter are never created.
- To hold registrations from U2F devices, and to authenticate them.
- Previously, `User#two_factor_enabled` was aliased to the
`otp_required_for_login` column on `users`.
- This commit changes things a bit:
- `User#two_factor_enabled` is not a method anymore
- `User#two_factor_enabled?` checks both the
`otp_required_for_login` column, as well as `U2fRegistration`s
- Change all instances of `User#two_factor_enabled` to
`User#two_factor_enabled?`
- Add the `u2f` gem, and implement registration/authentication at the
model level.
We were doing all kinds of code gymnastics to "enable" Crowd in the
feature spec and this would sometimes cause a transient failure.
Really what it's testing is if the Crowd login form shows when Crowd's
enabled, so this is much better suited to a view spec.
There is no Kerberos auth in gitlab-ce, so it shouldn't be noted
as a form-driven auth mechanism in app/helpers/auth_helper.rb.
This breaks using Kerberos as a custom omniauth provider.
See issue #2510
