feat: Global 2FA enforcement (#8753)

resolves #8549

This PR add a config to enforce 2FA for the whole Forgejo instance. It can be configured to `none`, `admin` or `all`.
A user who is required to enable 2FA is like a disabled user. He can only see the `/user/settings/security`-Page to enable 2FA, this should be similar to a user which needs to change his password. Also api and git-commands are not allowed.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.

I will do it, if the general idea of this PR is a good feature.

### Release notes

- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Security features
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/8753): <!--number 8753 --><!--line 0 --><!--description R2xvYmFsIDJGQSBlbmZvcmNlbWVudA==-->Global 2FA enforcement<!--description-->
<!--end release-notes-assistant-->

Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8753
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Ellen Εμιλία Άννα Zscheile <fogti@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: zokki <zokki.softwareschmiede@gmail.com>
Co-committed-by: zokki <zokki.softwareschmiede@gmail.com>

tests/integration/integration_test.go

@@ -33,6 +33,7 @@ import (
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/graceful"
 	"forgejo.org/modules/json"
+	"forgejo.org/modules/keying"
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/testlogger"
@@ -50,6 +51,7 @@ import (
 	"github.com/markbates/goth/gothic"
 	goth_github "github.com/markbates/goth/providers/github"
 	goth_gitlab "github.com/markbates/goth/providers/gitlab"
+	"github.com/pquerna/otp/totp"
 	"github.com/santhosh-tekuri/jsonschema/v6"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -276,6 +278,30 @@ func (s *TestSession) MakeRequestNilResponseHashSumRecorder(t testing.TB, rw *Re
 	return resp
 }
 
+func (s *TestSession) EnrollTOTP(t testing.TB) {
+	t.Helper()
+
+	req := NewRequest(t, "GET", "/user/settings/security/two_factor/enroll")
+	resp := s.MakeRequest(t, req, http.StatusOK)
+
+	htmlDoc := NewHTMLParser(t, resp.Body)
+	totpSecretKey, has := htmlDoc.Find(".twofa img[src^='data:image/png;base64']").Attr("alt")
+	assert.True(t, has)
+
+	currentTOTP, err := totp.GenerateCode(totpSecretKey, time.Now())
+	require.NoError(t, err)
+
+	req = NewRequestWithValues(t, "POST", "/user/settings/security/two_factor/enroll", map[string]string{
+		"_csrf":    htmlDoc.GetCSRF(),
+		"passcode": currentTOTP,
+	})
+	s.MakeRequest(t, req, http.StatusSeeOther)
+
+	flashCookie := s.GetCookie(gitea_context.CookieNameFlash)
+	assert.NotNil(t, flashCookie)
+	assert.Contains(t, flashCookie.Value, "success%3DYour%2Baccount%2Bhas%2Bbeen%2Bsuccessfully%2Benrolled.")
+}
+
 const userPassword = "password"
 
 func emptyTestSession(t testing.TB) *TestSession {
@@ -418,6 +444,40 @@ func loginUserWithPasswordRemember(t testing.TB, userName, password string, reme
 	return session
 }
 
+func loginUserWithTOTP(t testing.TB, user *user_model.User) *TestSession {
+	t.Helper()
+	session := loginUser(t, user.Name)
+
+	twoFactor, err := auth.GetTwoFactorByUID(db.DefaultContext, user.ID)
+	require.NoError(t, err)
+
+	key := keying.DeriveKey(keying.ContextTOTP)
+	code, err := key.Decrypt(twoFactor.Secret, keying.ColumnAndID("secret", twoFactor.ID))
+	require.NoError(t, err)
+
+	passcode, err := totp.GenerateCode(string(code), time.Now())
+	require.NoError(t, err)
+
+	req := NewRequestWithValues(t, "POST", "/user/two_factor", map[string]string{
+		"_csrf":    GetCSRF(t, session, "/user/two_factor"),
+		"passcode": passcode,
+	})
+	session.MakeRequest(t, req, http.StatusSeeOther)
+
+	return session
+}
+
+func loginUserMaybeTOTP(t testing.TB, user *user_model.User, useTOTP bool) *TestSession {
+	if useTOTP {
+		sess := loginUser(t, user.Name)
+		sess.EnrollTOTP(t)
+		sess.MakeRequest(t, NewRequest(t, "POST", "/user/logout"), http.StatusOK)
+
+		return loginUserWithTOTP(t, user)
+	}
+	return loginUser(t, user.Name)
+}
+
 // token has to be unique this counter take care of
 var tokenCounter int64