feat: Global 2FA enforcement (#8753)

resolves #8549

This PR add a config to enforce 2FA for the whole Forgejo instance. It can be configured to `none`, `admin` or `all`.
A user who is required to enable 2FA is like a disabled user. He can only see the `/user/settings/security`-Page to enable 2FA, this should be similar to a user which needs to change his password. Also api and git-commands are not allowed.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.

I will do it, if the general idea of this PR is a good feature.

### Release notes

- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Security features
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/8753): <!--number 8753 --><!--line 0 --><!--description R2xvYmFsIDJGQSBlbmZvcmNlbWVudA==-->Global 2FA enforcement<!--description-->
<!--end release-notes-assistant-->

Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8753
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Ellen Εμιλία Άννα Zscheile <fogti@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: zokki <zokki.softwareschmiede@gmail.com>
Co-committed-by: zokki <zokki.softwareschmiede@gmail.com>

tests/integration/signin_test.go

@@ -5,11 +5,13 @@
 package integration
 
 import (
+	"fmt"
 	"net/http"
 	"net/url"
 	"strings"
 	"testing"
 
+	"forgejo.org/models/auth"
 	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/setting"
@@ -141,3 +143,136 @@ func TestDisableSignin(t *testing.T) {
 		})
 	})
 }
+
+func TestGlobalTwoFactorRequirement(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	locale := translation.NewLocale("en-US")
+
+	adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+	normalUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
+	restrictedUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 29})
+
+	runTest := func(t *testing.T, user *user_model.User, useTOTP, loginAllowed bool) {
+		t.Helper()
+		defer unittest.AssertSuccessfulDelete(t, &auth.TwoFactor{UID: user.ID})
+
+		session := loginUserMaybeTOTP(t, user, useTOTP)
+
+		req := NewRequest(t, "GET", fmt.Sprintf("/%s", user.Name))
+
+		if loginAllowed {
+			session.MakeRequest(t, req, http.StatusOK)
+
+			// not found page
+			req = NewRequest(t, "GET", "/absolutly/not/found")
+			req.Header.Add("Accept", "text/html")
+			resp := session.MakeRequest(t, req, http.StatusNotFound)
+			htmlDoc := NewHTMLParser(t, resp.Body)
+			assert.Greater(t, htmlDoc.Find(".navbar-left > a.item").Length(), 1) // show the Logo, and other links
+			assert.Greater(t, htmlDoc.Find(".navbar-right .user-menu a.item").Length(), 1)
+
+			// 500 page
+			reset := enableDevtest()
+			req = NewRequest(t, "GET", "/devtest/error/500")
+			req.Header.Add("Accept", "text/html")
+			resp = session.MakeRequest(t, req, http.StatusInternalServerError)
+			htmlDoc = NewHTMLParser(t, resp.Body)
+			assert.Equal(t, 1, htmlDoc.Find(".navbar-left > a.item").Length())
+			htmlDoc.AssertElement(t, ".navbar-right", false)
+			reset()
+		} else {
+			resp := session.MakeRequest(t, req, http.StatusSeeOther)
+			assert.Equal(t, "/user/settings/security", resp.Header().Get("Location"))
+
+			// not found page
+			req = NewRequest(t, "GET", "/absolutly/not/found")
+			req.Header.Add("Accept", "text/html")
+			resp = session.MakeRequest(t, req, http.StatusNotFound)
+			htmlDoc := NewHTMLParser(t, resp.Body)
+			assert.Equal(t, 1, htmlDoc.Find(".navbar-left > a.item").Length()) // only show the Logo, no other links
+
+			userLinks := htmlDoc.Find(".navbar-right .user-menu a.item")
+			assert.Equal(t, 1, userLinks.Length()) // only logout link
+			assert.Equal(t, "Sign out", strings.TrimSpace(userLinks.Text()))
+
+			// 500 page
+			reset := enableDevtest()
+			req = NewRequest(t, "GET", "/devtest/error/500")
+			req.Header.Add("Accept", "text/html")
+			resp = session.MakeRequest(t, req, http.StatusInternalServerError)
+			htmlDoc = NewHTMLParser(t, resp.Body)
+			assert.Equal(t, 1, htmlDoc.Find(".navbar-left > a.item").Length())
+			htmlDoc.AssertElement(t, ".navbar-right", false)
+			reset()
+
+			// 2fa page
+			req = NewRequest(t, "GET", "/user/settings/security")
+			resp = session.MakeRequest(t, req, http.StatusOK)
+			htmlDoc = NewHTMLParser(t, resp.Body)
+			assert.Equal(t, locale.TrString("settings.must_enable_2fa"), htmlDoc.Find(".ui.red.message").Text())
+			assert.Equal(t, 1, htmlDoc.Find(".navbar-left > a.item").Length()) // only show the Logo, no other links
+
+			userLinks = htmlDoc.Find(".navbar-right .user-menu a.item")
+			assert.Equal(t, 1, userLinks.Length()) // only logout link
+			assert.Equal(t, "Sign out", strings.TrimSpace(userLinks.Text()))
+
+			assert.Equal(t, 0, htmlDoc.FindByText("a", locale.TrString("settings.twofa_reenroll")).Length())
+
+			headings := htmlDoc.Find(".user-setting-content h4.attached.header")
+			assert.Equal(t, 2, headings.Length())
+			assert.Equal(t, locale.TrString("settings.twofa"), strings.TrimSpace(headings.First().Text()))
+			assert.Equal(t, locale.TrString("settings.webauthn"), strings.TrimSpace(headings.Last().Text()))
+		}
+	}
+
+	t.Run("NoneTwoFactorRequirement", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		t.Run("no 2fa", func(t *testing.T) {
+			runTest(t, adminUser, false, true)
+			runTest(t, normalUser, false, true)
+			runTest(t, restrictedUser, false, true)
+		})
+
+		t.Run("enabled 2fa", func(t *testing.T) {
+			runTest(t, adminUser, true, true)
+			runTest(t, normalUser, true, true)
+			runTest(t, restrictedUser, true, true)
+		})
+	})
+
+	t.Run("AllTwoFactorRequirement", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+		defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AllTwoFactorRequirement)()
+
+		t.Run("no 2fa", func(t *testing.T) {
+			runTest(t, adminUser, false, false)
+			runTest(t, normalUser, false, false)
+			runTest(t, restrictedUser, false, false)
+		})
+
+		t.Run("enabled 2fa", func(t *testing.T) {
+			runTest(t, adminUser, true, true)
+			runTest(t, normalUser, true, true)
+			runTest(t, restrictedUser, true, true)
+		})
+	})
+
+	t.Run("AdminTwoFactorRequirement", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+		defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AdminTwoFactorRequirement)()
+
+		t.Run("no 2fa", func(t *testing.T) {
+			runTest(t, adminUser, false, false)
+			runTest(t, normalUser, false, true)
+			runTest(t, restrictedUser, false, true)
+		})
+
+		t.Run("enabled 2fa", func(t *testing.T) {
+			runTest(t, adminUser, true, true)
+			runTest(t, normalUser, true, true)
+			runTest(t, restrictedUser, true, true)
+		})
+	})
+}