Add serving new namespace setting field

WIP

app/models/group.rb

@@ -560,12 +560,16 @@ class Group < Namespace
     access_level_roles.values
   end
 
+  def update_two_factor_requirement_for_members
+    members_with_descendants.find_each(&:update_two_factor_requirement)
+  end
+
   private
 
   def update_two_factor_requirement
     return unless saved_change_to_require_two_factor_authentication? || saved_change_to_two_factor_grace_period?
 
-    members_with_descendants.find_each(&:update_two_factor_requirement)
+    update_two_factor_requirement_for_members
   end
 
   def path_changed_hook

app/services/groups/update_service.rb

@@ -4,6 +4,8 @@ module Groups
   class UpdateService < Groups::BaseService
     include UpdateVisibilityLevel
 
+    SETTINGS_PARAMS = [:allow_mfa_for_subgroups].freeze
+
     def execute
       reject_parent_id!
       remove_unallowed_params
@@ -20,7 +22,7 @@ module Groups
       return false unless valid_path_change_with_npm_packages?
 
       return false unless update_shared_runners
-
+      handle_changes
       before_assignment_hook(group, params)
 
       handle_namespace_settings
@@ -101,6 +103,21 @@ module Groups
       params.delete(:default_branch_protection) unless can?(current_user, :update_default_branch_protection, group)
     end
 
+    def handle_changes
+      handle_settings_update
+    end
+
+    def handle_settings_update
+      settings_params = params.slice(*allowed_settings_params)
+      allowed_settings_params.each { |param| params.delete(param) }
+
+      ::NamespaceSettings::UpdateService.new(current_user, group, settings_params).execute
+    end
+
+    def allowed_settings_params
+      @allowed_settings_params ||= SETTINGS_PARAMS
+    end
+
     def valid_share_with_group_lock_change?
       return true unless changing_share_with_group_lock?
       return true if can?(current_user, :change_share_with_group_lock, group)

app/services/namespace_settings/update_service.rb

@@ -18,6 +18,18 @@ module NamespaceSettings
       else
         group.build_namespace_settings(settings_params)
       end
+
+      after_update
+    end
+
+    def after_update
+      settings = group.namespace_settings
+      return if settings.allow_mfa_for_subgroups
+
+      if settings.previous_changes.include?(:allow_mfa_for_subgroups)
+        # enque in batches
+        TodosDestroyer::GroupPrivateWorker.perform_in(Todo::WAIT_FOR_DELETE, group.id)
+      end
     end
   end
 end

app/workers/disallow_2fa_for_subgroups_members_worker.rb

+# frozen_string_literal: true
+
+class Disallow2FAWorker # rubocop:disable Scalability/IdempotentWorker
+  include ApplicationWorker
+  include ExceptionBacktrace
+
+  feature_category :subgroups
+
+  def perform(group_id)
+    begin
+      group = Group.find(group_id)
+    rescue ActiveRecord::RecordNotFound
+      return
+    end
+
+    group.update_two_factor_requirement_for_members
+  end
+end

app/workers/disallow_2fa_worker.rb

+# frozen_string_literal: true
+
+class Disallow2FAWorker # rubocop:disable Scalability/IdempotentWorker
+  include ApplicationWorker
+  include ExceptionBacktrace
+
+  INTERVAL = 2.seconds.to_i
+
+  feature_category :subgroups
+
+  def perform(group_id)
+    begin
+      group = Group.find(group_id)
+    rescue ActiveRecord::RecordNotFound
+      return
+    end
+    subgroups = group.subgroups.where(require_two_factor_authentication: true)
+    subgroups.update_all(require_two_factor_authentication: false)
+
+    subgroups.find_each(batch_size: 100).with_index do |subgroup, index| # rubocop: disable CodeReuse/ActiveRecord
+      delay = index * INTERVAL
+
+      with_context(subgroup) do
+        Update2FAForSubgroupsMembersWorker.perform_in(delay, subgroup.id)
+      end
+    end
+  end
+end

ee/app/services/ee/groups/update_service.rb

@@ -4,6 +4,7 @@ module EE
   module Groups
     module UpdateService
       extend ::Gitlab::Utils::Override
+      EE_SETTINGS_PARAMS = [:prevent_forking_outside_group].freeze
 
       override :execute
       def execute
@@ -90,10 +91,11 @@ module EE
         end
       end
 
+      override :handle_changes
       def handle_changes
         handle_allowed_email_domains_update
         handle_ip_restriction_update
-        handle_settings_update
+        super
       end
 
       def handle_ip_restriction_update
@@ -112,11 +114,9 @@ module EE
         AllowedEmailDomains::UpdateService.new(current_user, group, comma_separated_domains).execute
       end
 
-      def handle_settings_update
-        settings_params = params.slice(:prevent_forking_outside_group)
-        params.delete(:prevent_forking_outside_group)
-
-        ::NamespaceSettings::UpdateService.new(current_user, group, settings_params).execute
+      override :allowed_settings_params
+      def allowed_settings_params
+        @allowed_settings_params ||= ::Groups::UpdateService::SETTINGS_PARAMS + EE_SETTINGS_PARAMS
       end
 
       def log_audit_event

spec/factories/groups.rb

@@ -7,7 +7,6 @@ FactoryBot.define do
     type { 'Group' }
     owner { nil }
     project_creation_level { ::Gitlab::Access::MAINTAINER_PROJECT_ACCESS }
-    association :namespace_settings, factory: :namespace_settings
 
     after(:create) do |group|
       if group.owner

spec/services/groups/update_service_spec.rb

@@ -308,6 +308,19 @@ RSpec.describe Groups::UpdateService do
     end
   end
 
+  context 'changes allowing subgroups to establish own 2FA' do
+    let(:group) { create(:group) }
+    let(:params) { { allow_mfa_for_subgroups: false } }
+
+    subject { described_class.new(group, user, params).execute }
+
+    it 'changes settings' do
+      subject
+
+      expect(group.namespace_settings.reload.allow_mfa_for_subgroups).to eq(false)
+    end
+  end
+
   def update_group(group, user, opts)
     Groups::UpdateService.new(group, user, opts).execute
   end