2FA in CLI in Premium

added to epic &2889

added GitLab Core GitLab Premium GitLab Starter GitLab Ultimate groupauthentication and authorization [DEPRECATED] typefeature labels

removed GitLab Core label

removed GitLab Starter label

Setting label(s) devopsmanage sectiondev based on ~"group::access".

added devopsmanage sectiondev labels

changed milestone to %13.9

@ifarkas Can you please help with refinement for this issue? Is the scope of this issue clear enough to assign a weight to it?

The code we need to move to ee are:

Fortinet related Auth::Otp::Strategies classes
Fortinet related logic in User#two_factor_otp_enabled?
logic selecting the strategy in Users::ValidateOtpService
internal API endpoint
Auth::Otp::SessionEnforcer
GitAccess::check_otp_session!

That seems a lot but it should be straightforward, so I would assign a weight of 3. @manojmj, could you please review my estimation?

Hmm, I am confused about the scope here between Imre's response above and the issue description

Description says: Checking for 2FA in the CLI should be in Premium not CE

which makes me wonder if ONLY 2FA for CLI should be moved to Premium and the other parts - ie, Fortinet as a 2FA provider can continue to remain in CE.

@mushakov could you please clarify?

@manojmj FortiNet as a provider for the web UI could be in CE.

cc: @kmcknight

My reasoning for the above...

2fa is a CE feature today ... Fortinet is a provider that can be configured so it makes sense to me to keep this in CE

Enforcing 2fa in the CLI is a security enhancement that matches the Director persona so it would be a premium feature for all providers.

@ifarkas Can you let me know how my comment above changes your estimation and approach?

cc: @manojmj

@mushakov, apologies , I got confused by having the GitLab Premium label on the whole epic, so I thought we need to move everything to ee/. Moving only the code related to git operations involves: