two_factor: Add configuration and URLs.

This adds django-two-factor to the project, but held behind
settings.TWO_FACTOR_AUTHENTICATION_ENABLED, so that this has no effect
by default.

tools/test-migrations

@@ -2,7 +2,7 @@
 set -e
 echo 'Testing whether migrations are consistent with models'
 
-new_auto_named_migrations=$(./manage.py showmigrations | grep -v '0004_auto_20160423_0400\|0005_auto_20160727_2333\|0052_auto_fix_realmalias_realm_nullable\|0089_auto_20170710_1353' | grep "_auto_20" || true)
+new_auto_named_migrations=$(./manage.py showmigrations | grep -v '0004_auto_20160423_0400\|0005_auto_20160727_2333\|0052_auto_fix_realmalias_realm_nullable\|0089_auto_20170710_1353\|0002_auto_20150110_0810\|0003_auto_20150817_1733\|0004_auto_20160205_1827\|0005_auto_20160224_0450' | grep "_auto_20" || true)
 # We check if there is any new migration with the 'auto' keyword in its name and
 # cause a error to rename to a more meaningful name
 if [ "$new_auto_named_migrations" != "" ]; then

zproject/dev_settings.py

@@ -69,3 +69,7 @@ PASSWORD_MIN_GUESSES = 0
 # environment to an email account.
 EMAIL_HOST = ""
 EMAIL_HOST_USER = ""
+
+# Two factor authentication: Use the fake backend for development.
+TWO_FACTOR_CALL_GATEWAY = 'two_factor.gateways.fake.Fake'
+TWO_FACTOR_SMS_GATEWAY = 'two_factor.gateways.fake.Fake'

zproject/settings.py

@@ -192,6 +192,9 @@ DEFAULT_SETTINGS = {
     'RATE_LIMITING': True,
     'SEND_LOGIN_EMAILS': True,
     'EMBEDDED_BOTS_ENABLED': False,
+
+    # Two Factor Authentication is not yet implementation-complete
+    'TWO_FACTOR_AUTHENTICATION_ENABLED': False,
 }
 
 # These settings are not documented in prod_settings_template.py.
@@ -447,6 +450,15 @@ MIDDLEWARE = (
     'django.contrib.auth.middleware.AuthenticationMiddleware',
 )
 
+# Make sure these come after authentication middleware.
+TWO_FACTOR_MIDDLEWARE = (
+    'django_otp.middleware.OTPMiddleware',  # Required by Two Factor auth.
+    'two_factor.middleware.threadlocals.ThreadLocals',  # Required by Twilio
+)
+
+if TWO_FACTOR_AUTHENTICATION_ENABLED:
+    MIDDLEWARE += TWO_FACTOR_MIDDLEWARE
+
 ANONYMOUS_USER_ID = None
 
 AUTH_USER_MODEL = "zerver.UserProfile"
@@ -471,6 +483,10 @@ INSTALLED_APPS = [
     'webpack_loader',
     'zerver',
     'social_django',
+    'django_otp',
+    'django_otp.plugins.otp_static',
+    'django_otp.plugins.otp_totp',
+    'two_factor',
 ]
 if USING_PGROONGA:
     INSTALLED_APPS += ['pgroonga']

zproject/test_settings.py

@@ -153,3 +153,7 @@ GOOGLE_OAUTH2_CLIENT_SECRET = "secret"
 
 SOCIAL_AUTH_GITHUB_KEY = "key"
 SOCIAL_AUTH_GITHUB_SECRET = "secret"
+
+# By default two factor authentication is disabled in tests.
+# Explicitly set this to True within tests that must have this on.
+TWO_FACTOR_AUTHENTICATION_ENABLED = False

zproject/urls.py

@@ -35,6 +35,10 @@ import confirmation.views
 
 from zerver.lib.rest import rest_dispatch
 
+if settings.TWO_FACTOR_AUTHENTICATION_ENABLED:
+    from two_factor.urls import urlpatterns as tf_urls
+    from two_factor.gateways.twilio.urls import urlpatterns as tf_twilio_urls
+
 # NB: There are several other pieces of code which route requests by URL:
 #
 #   - legacy_urls.py contains API endpoint written before the redesign
@@ -578,6 +582,10 @@ urls += [url(r'^api/(?P<article>[-\w]*\/?)$',
              MarkdownDirectoryView.as_view(template_name='zerver/api/main.html',
                                            path_template='/zerver/api/%s.md'))]
 
+# Two Factor urls
+if settings.TWO_FACTOR_AUTHENTICATION_ENABLED:
+    urls += [url(r'', include(tf_urls + tf_twilio_urls, namespace='two_factor'))]
+
 if settings.DEVELOPMENT:
     urls += dev_urls.urls
     i18n_urls += dev_urls.i18n_urls