state the reason to the user for the required 2fa

3 files changed, 130 insertions, 33 deletions

diff --git a/app/controllers/concerns/enforces_two_factor_authentication.rb b/app/controllers/concerns/enforces_two_factor_authentication.rb
index a3696df47e7..3e0c62172de 100644
--- a/app/controllers/concerns/enforces_two_factor_authentication.rb
+++ b/app/controllers/concerns/enforces_two_factor_authentication.rb
@@ -24,6 +24,17 @@ module EnforcesTwoFactorAuthentication
       current_user.try(:require_two_factor_authentication?)
   end
 
+  def two_factor_authentication_reason(global: -> {}, group: -> {})
+    if two_factor_authentication_required?
+      if current_application_settings.require_two_factor_authentication?
+        global.call
+      else
+        groups = current_user.groups.where(require_two_factor_authentication: true).reorder(name: :asc)
+        group.call(groups)
+      end
+    end
+  end
+
   def two_factor_grace_period
     periods = [current_application_settings.two_factor_grace_period]
     periods << current_user.two_factor_grace_period if current_user.try(:require_two_factor_authentication?)
diff --git a/app/controllers/profiles/two_factor_auths_controller.rb b/app/controllers/profiles/two_factor_auths_controller.rb
index b52134d89a4..d3fa81cd623 100644
--- a/app/controllers/profiles/two_factor_auths_controller.rb
+++ b/app/controllers/profiles/two_factor_auths_controller.rb
@@ -13,11 +13,24 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
     current_user.save! if current_user.changed?
 
     if two_factor_authentication_required? && !current_user.two_factor_enabled?
-      if two_factor_grace_period_expired?
-        flash.now[:alert] = 'You must enable Two-Factor Authentication for your account.'
-      else
+      two_factor_authentication_reason(
+        global: lambda do
+          flash.now[:alert] =
+            'The global settings require you to enable Two-Factor Authentication for your account.'
+        end,
+        group: lambda do |groups|
+          group_links = groups.map { |group| view_context.link_to group.full_name, group_path(group) }.to_sentence
+
+          flash.now[:alert] = %{
+            The group settings for #{group_links} require you to enable
+            Two-Factor Authentication for your account.
+          }.html_safe
+        end
+      )
+
+      unless two_factor_grace_period_expired?
         grace_period_deadline = current_user.otp_grace_period_started_at + two_factor_grace_period.hours
-        flash.now[:alert] = "You must enable Two-Factor Authentication for your account before #{l(grace_period_deadline)}."
+        flash.now[:alert] << " You need to do this before #{l(grace_period_deadline)}."
       end
     end
 
diff --git a/spec/features/login_spec.rb b/spec/features/login_spec.rb
index f32d1f78b40..11d417c253d 100644
--- a/spec/features/login_spec.rb
+++ b/spec/features/login_spec.rb
@@ -199,52 +199,125 @@ feature 'Login', feature: true do
 
   describe 'with required two-factor authentication enabled' do
     let(:user) { create(:user) }
-    before(:each) { stub_application_setting(require_two_factor_authentication: true) }
+    #  TODO: otp_grace_period_started_at
 
-    context 'with grace period defined' do
-      before(:each) do
-        stub_application_setting(two_factor_grace_period: 48)
-        login_with(user)
-      end
+    context 'global setting' do
+      before(:each) { stub_application_setting(require_two_factor_authentication: true) }
 
-      context 'within the grace period' do
-        it 'redirects to two-factor configuration page' do
-          expect(current_path).to eq profile_two_factor_auth_path
-          expect(page).to have_content('You must enable Two-Factor Authentication for your account before')
+      context 'with grace period defined' do
+        before(:each) do
+          stub_application_setting(two_factor_grace_period: 48)
+          login_with(user)
         end
 
-        it 'allows skipping two-factor configuration', js: true do
-          expect(current_path).to eq profile_two_factor_auth_path
+        context 'within the grace period' do
+          it 'redirects to two-factor configuration page' do
+            expect(current_path).to eq profile_two_factor_auth_path
+            expect(page).to have_content('The global settings require you to enable Two-Factor Authentication for your account. You need to do this before ')
+          end
 
-          click_link 'Configure it later'
-          expect(current_path).to eq root_path
+          it 'allows skipping two-factor configuration', js: true do
+            expect(current_path).to eq profile_two_factor_auth_path
+
+            click_link 'Configure it later'
+            expect(current_path).to eq root_path
+          end
         end
-      end
 
-      context 'after the grace period' do
-        let(:user) { create(:user, otp_grace_period_started_at: 9999.hours.ago) }
+        context 'after the grace period' do
+          let(:user) { create(:user, otp_grace_period_started_at: 9999.hours.ago) }
 
-        it 'redirects to two-factor configuration page' do
-          expect(current_path).to eq profile_two_factor_auth_path
-          expect(page).to have_content('You must enable Two-Factor Authentication for your account.')
+          it 'redirects to two-factor configuration page' do
+            expect(current_path).to eq profile_two_factor_auth_path
+            expect(page).to have_content(
+              'The global settings require you to enable Two-Factor Authentication for your account.'
+            )
+          end
+
+          it 'disallows skipping two-factor configuration', js: true do
+            expect(current_path).to eq profile_two_factor_auth_path
+            expect(page).not_to have_link('Configure it later')
+          end
+        end
+      end
+
+      context 'without grace period defined' do
+        before(:each) do
+          stub_application_setting(two_factor_grace_period: 0)
+          login_with(user)
         end
 
-        it 'disallows skipping two-factor configuration', js: true do
+        it 'redirects to two-factor configuration page' do
           expect(current_path).to eq profile_two_factor_auth_path
-          expect(page).not_to have_link('Configure it later')
+          expect(page).to have_content(
+            'The global settings require you to enable Two-Factor Authentication for your account.'
+          )
         end
       end
     end
 
-    context 'without grace period defined' do
-      before(:each) do
-        stub_application_setting(two_factor_grace_period: 0)
-        login_with(user)
+    context 'group setting' do
+      before do
+        group1 = create :group, name: 'Group 1', require_two_factor_authentication: true
+        group1.add_user(user, GroupMember::DEVELOPER)
+        group2 = create :group, name: 'Group 2', require_two_factor_authentication: true
+        group2.add_user(user, GroupMember::DEVELOPER)
       end
 
-      it 'redirects to two-factor configuration page' do
-        expect(current_path).to eq profile_two_factor_auth_path
-        expect(page).to have_content('You must enable Two-Factor Authentication for your account.')
+      context 'with grace period defined' do
+        before(:each) do
+          stub_application_setting(two_factor_grace_period: 48)
+          login_with(user)
+        end
+
+        context 'within the grace period' do
+          it 'redirects to two-factor configuration page' do
+            expect(current_path).to eq profile_two_factor_auth_path
+            expect(page).to have_content(
+              'The group settings for Group 1 and Group 2 require you to enable ' \
+              'Two-Factor Authentication for your account. You need to do this ' \
+              'before ')
+          end
+
+          it 'allows skipping two-factor configuration', js: true do
+            expect(current_path).to eq profile_two_factor_auth_path
+
+            click_link 'Configure it later'
+            expect(current_path).to eq root_path
+          end
+        end
+
+        context 'after the grace period' do
+          let(:user) { create(:user, otp_grace_period_started_at: 9999.hours.ago) }
+
+          it 'redirects to two-factor configuration page' do
+            expect(current_path).to eq profile_two_factor_auth_path
+            expect(page).to have_content(
+              'The group settings for Group 1 and Group 2 require you to enable ' \
+              'Two-Factor Authentication for your account.'
+            )
+          end
+
+          it 'disallows skipping two-factor configuration', js: true do
+            expect(current_path).to eq profile_two_factor_auth_path
+            expect(page).not_to have_link('Configure it later')
+          end
+        end
+      end
+
+      context 'without grace period defined' do
+        before(:each) do
+          stub_application_setting(two_factor_grace_period: 0)
+          login_with(user)
+        end
+
+        it 'redirects to two-factor configuration page' do
+          expect(current_path).to eq profile_two_factor_auth_path
+          expect(page).to have_content(
+            'The group settings for Group 1 and Group 2 require you to enable ' \
+            'Two-Factor Authentication for your account.'
+          )
+        end
       end
     end
   end