Require MFA to edit MFA providers

Summary: Depends on D20037. Ref T13222. Ref T7667. Although administrators can now disable MFA from the web UI, at least require that they survive MFA gates to do so. T7667 (`bin/auth lock`) should provide a sturdier approach here in the long term.

Test Plan: Created and edited MFA providers, was prompted for MFA.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13222, T7667

Differential Revision: https://secure.phabricator.com/D20038

src/__phutil_library_map__.php

@@ -2232,6 +2232,7 @@ phutil_register_library_map(array(
     'PhabricatorAuthFactorProviderEditEngine' => 'applications/auth/editor/PhabricatorAuthFactorProviderEditEngine.php',
     'PhabricatorAuthFactorProviderEditor' => 'applications/auth/editor/PhabricatorAuthFactorProviderEditor.php',
     'PhabricatorAuthFactorProviderListController' => 'applications/auth/controller/mfa/PhabricatorAuthFactorProviderListController.php',
+    'PhabricatorAuthFactorProviderMFAEngine' => 'applications/auth/engine/PhabricatorAuthFactorProviderMFAEngine.php',
     'PhabricatorAuthFactorProviderNameTransaction' => 'applications/auth/xaction/PhabricatorAuthFactorProviderNameTransaction.php',
     'PhabricatorAuthFactorProviderQuery' => 'applications/auth/query/PhabricatorAuthFactorProviderQuery.php',
     'PhabricatorAuthFactorProviderStatus' => 'applications/auth/constants/PhabricatorAuthFactorProviderStatus.php',
@@ -7954,12 +7955,14 @@ phutil_register_library_map(array(
       'PhabricatorApplicationTransactionInterface',
       'PhabricatorPolicyInterface',
       'PhabricatorExtendedPolicyInterface',
+      'PhabricatorEditEngineMFAInterface',
     ),
     'PhabricatorAuthFactorProviderController' => 'PhabricatorAuthProviderController',
     'PhabricatorAuthFactorProviderEditController' => 'PhabricatorAuthFactorProviderController',
     'PhabricatorAuthFactorProviderEditEngine' => 'PhabricatorEditEngine',
     'PhabricatorAuthFactorProviderEditor' => 'PhabricatorApplicationTransactionEditor',
     'PhabricatorAuthFactorProviderListController' => 'PhabricatorAuthProviderController',
+    'PhabricatorAuthFactorProviderMFAEngine' => 'PhabricatorEditEngineMFAEngine',
     'PhabricatorAuthFactorProviderNameTransaction' => 'PhabricatorAuthFactorProviderTransactionType',
     'PhabricatorAuthFactorProviderQuery' => 'PhabricatorCursorPagedPolicyAwareQuery',
     'PhabricatorAuthFactorProviderStatus' => 'Phobject',

src/applications/auth/engine/PhabricatorAuthFactorProviderMFAEngine.php

@@ -0,0 +1,10 @@
+<?php
+
+final class PhabricatorAuthFactorProviderMFAEngine
+  extends PhabricatorEditEngineMFAEngine {
+
+  public function shouldTryMFA() {
+    return true;
+  }
+
+}

src/applications/auth/storage/PhabricatorAuthFactorProvider.php

@@ -5,7 +5,8 @@ final class PhabricatorAuthFactorProvider
   implements
      PhabricatorApplicationTransactionInterface,
      PhabricatorPolicyInterface,
-     PhabricatorExtendedPolicyInterface {
+     PhabricatorExtendedPolicyInterface,
+     PhabricatorEditEngineMFAInterface {
 
   protected $providerFactorKey;
   protected $name;
@@ -188,4 +189,11 @@ final class PhabricatorAuthFactorProvider
   }
 
 
+/* -(  PhabricatorEditEngineMFAInterface  )---------------------------------- */
+
+
+  public function newEditEngineMFAEngine() {
+    return new PhabricatorAuthFactorProviderMFAEngine();
+  }
+
 }