Inconsistent 2FA enforcement for subgroups

There's an inconsistency between turning on 2FA for a group vs adding a new group member.

Turning on 2FA for a group only considers direct members while adding a new group member will consider 2FA requirement from the whole group hierarchy, both approaches are wrong.

Turning on 2FA for a group in Group#update_two_factor_requirement should propagate to subgroups.

Adding a new group member in User#expanded_groups_requiring_two_factor_authentication should only consider ancestors, not subgroups. The following spec is currently failing:

it 'does not enable 2FA for ancestor group member' do
  ancestor_group = create(:group)
  group.update!(require_two_factor_authentication: true, parent: ancestor_group)

  expect { ancestor_group.add_user(user, GroupMember::OWNER) }.not_to change { user.reload.require_two_factor_authentication_from_group }.from(false)
end

Fixing Group#update_two_factor_requirement is already tackled by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/24965, we should also fix User#expanded_groups_requiring_two_factor_authentication and create a background migration to update 2FA requirement for all users.

/cc @jeremy @tkuah

Edited Jun 13, 2019 by Imre Farkas