2 files changed, 12 insertions, 3 deletions

diff --git a/app/controllers/concerns/enforces_two_factor_authentication.rb b/app/controllers/concerns/enforces_two_factor_authentication.rb
index 0fddf15d197..825181568ad 100644
--- a/app/controllers/concerns/enforces_two_factor_authentication.rb
+++ b/app/controllers/concerns/enforces_two_factor_authentication.rb
@@ -23,7 +23,8 @@ module EnforcesTwoFactorAuthentication
 
   def two_factor_authentication_required?
     Gitlab::CurrentSettings.require_two_factor_authentication? ||
-      current_user.try(:require_two_factor_authentication_from_group?)
+      current_user.try(:require_two_factor_authentication_from_group?) ||
+      current_user.try(:ultraauth_user?)
   end
 
   # rubocop: disable CodeReuse/ActiveRecord
diff --git a/app/models/user.rb b/app/models/user.rb
index 2eb5c63a4cc..38cb4d1a6e8 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -835,11 +835,11 @@ class User < ApplicationRecord
   end
 
   def allow_password_authentication_for_web?
-    Gitlab::CurrentSettings.password_authentication_enabled_for_web? && !ldap_user?
+    Gitlab::CurrentSettings.password_authentication_enabled_for_web? && !ldap_user? && !ultraauth_user?
   end
 
   def allow_password_authentication_for_git?
-    Gitlab::CurrentSettings.password_authentication_enabled_for_git? && !ldap_user?
+    Gitlab::CurrentSettings.password_authentication_enabled_for_git? && !ldap_user? && !ultraauth_user?
   end
 
   def can_change_username?
@@ -919,6 +919,14 @@ class User < ApplicationRecord
     end
   end
 
+  def ultraauth_user?
+    if identities.loaded?
+      identities.find { |identity| Gitlab::Auth::OAuth::Provider.ultraauth_provider?(identity.provider) && !identity.extern_uid.nil? }
+    else
+      identities.exists?(["provider = ? AND extern_uid IS NOT NULL", "ultraauth"])
+    end
+  end
+
   def ldap_identity
     @ldap_identity ||= identities.find_by(["provider LIKE ?", "ldap%"])
   end