2021-01-04 14:52:13 +01:00
|
|
|
package command
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
2021-08-25 11:12:24 +02:00
|
|
|
"strings"
|
2021-08-18 17:04:56 +02:00
|
|
|
|
2022-04-20 16:59:37 +02:00
|
|
|
"golang.org/x/text/language"
|
|
|
|
|
2022-04-27 01:01:45 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/command/preparation"
|
|
|
|
"github.com/zitadel/zitadel/internal/crypto"
|
|
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
|
|
"github.com/zitadel/zitadel/internal/errors"
|
|
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
|
|
"github.com/zitadel/zitadel/internal/eventstore/v1/models"
|
|
|
|
"github.com/zitadel/zitadel/internal/repository/user"
|
2021-01-04 14:52:13 +01:00
|
|
|
)
|
|
|
|
|
2021-02-24 11:17:39 +01:00
|
|
|
func (c *Commands) getHuman(ctx context.Context, userID, resourceowner string) (*domain.Human, error) {
|
|
|
|
human, err := c.getHumanWriteModelByID(ctx, userID, resourceowner)
|
2021-01-15 09:32:59 +01:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2021-02-18 14:48:27 +01:00
|
|
|
if !isUserStateExists(human.UserState) {
|
2022-04-12 16:20:17 +02:00
|
|
|
return nil, errors.ThrowNotFound(nil, "COMMAND-M9dsd", "Errors.User.NotFound")
|
2021-01-15 09:32:59 +01:00
|
|
|
}
|
2021-02-18 14:48:27 +01:00
|
|
|
return writeModelToHuman(human), nil
|
2021-01-15 09:32:59 +01:00
|
|
|
}
|
|
|
|
|
2022-04-12 16:20:17 +02:00
|
|
|
type AddHuman struct {
|
|
|
|
// Username is required
|
|
|
|
Username string
|
|
|
|
// FirstName is required
|
|
|
|
FirstName string
|
|
|
|
// LastName is required
|
|
|
|
LastName string
|
|
|
|
// NickName is required
|
|
|
|
NickName string
|
|
|
|
// DisplayName is required
|
|
|
|
DisplayName string
|
|
|
|
// Email is required
|
|
|
|
Email Email
|
2022-04-28 10:30:41 +02:00
|
|
|
// PreferredLanguage is required
|
|
|
|
PreferredLanguage language.Tag
|
2022-04-12 16:20:17 +02:00
|
|
|
// Gender is required
|
|
|
|
Gender domain.Gender
|
|
|
|
//Phone represents an international phone number
|
|
|
|
Phone Phone
|
|
|
|
//Password is optional
|
|
|
|
Password string
|
2022-07-28 15:42:35 +02:00
|
|
|
//BcryptedPassword is optional
|
|
|
|
BcryptedPassword string
|
2022-04-12 16:20:17 +02:00
|
|
|
//PasswordChangeRequired is used if the `Password`-field is set
|
|
|
|
PasswordChangeRequired bool
|
|
|
|
Passwordless bool
|
|
|
|
ExternalIDP bool
|
|
|
|
Register bool
|
|
|
|
}
|
|
|
|
|
2022-07-28 15:42:35 +02:00
|
|
|
func (c *Commands) AddHumanWithID(ctx context.Context, resourceOwner string, userID string, human *AddHuman) (*domain.HumanDetails, error) {
|
|
|
|
existingHuman, err := c.getHumanWriteModelByID(ctx, userID, resourceOwner)
|
2021-03-19 18:46:26 +01:00
|
|
|
if err != nil {
|
2022-04-12 16:20:17 +02:00
|
|
|
return nil, err
|
2021-03-19 18:46:26 +01:00
|
|
|
}
|
2022-07-28 15:42:35 +02:00
|
|
|
if isUserStateExists(existingHuman.UserState) {
|
|
|
|
return nil, errors.ThrowPreconditionFailed(nil, "COMMAND-k2unb", "Errors.User.AlreadyExisting")
|
|
|
|
}
|
|
|
|
|
|
|
|
return c.addHumanWithID(ctx, resourceOwner, userID, human)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Commands) addHumanWithID(ctx context.Context, resourceOwner string, userID string, human *AddHuman) (*domain.HumanDetails, error) {
|
2022-04-12 16:20:17 +02:00
|
|
|
agg := user.NewAggregate(userID, resourceOwner)
|
2022-04-25 16:36:10 +02:00
|
|
|
cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, AddHumanCommand(agg, human, c.userPasswordAlg, c.userEncryption))
|
2021-03-19 18:46:26 +01:00
|
|
|
if err != nil {
|
2022-04-12 16:20:17 +02:00
|
|
|
return nil, err
|
2021-03-19 18:46:26 +01:00
|
|
|
}
|
2022-04-12 16:20:17 +02:00
|
|
|
|
2022-04-20 16:59:37 +02:00
|
|
|
events, err := c.eventstore.Push(ctx, cmds...)
|
2021-02-18 14:48:27 +01:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2022-04-12 16:20:17 +02:00
|
|
|
|
|
|
|
return &domain.HumanDetails{
|
|
|
|
ID: userID,
|
|
|
|
ObjectDetails: domain.ObjectDetails{
|
|
|
|
Sequence: events[len(events)-1].Sequence(),
|
|
|
|
EventDate: events[len(events)-1].CreationDate(),
|
|
|
|
ResourceOwner: events[len(events)-1].Aggregate().ResourceOwner,
|
|
|
|
},
|
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
2022-07-28 15:42:35 +02:00
|
|
|
func (c *Commands) AddHuman(ctx context.Context, resourceOwner string, human *AddHuman) (*domain.HumanDetails, error) {
|
|
|
|
if resourceOwner == "" {
|
|
|
|
return nil, errors.ThrowInvalidArgument(nil, "COMMA-5Ky74", "Errors.Internal")
|
|
|
|
}
|
|
|
|
userID, err := c.idGenerator.Next()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return c.addHumanWithID(ctx, resourceOwner, userID, human)
|
|
|
|
}
|
|
|
|
|
2022-04-12 16:20:17 +02:00
|
|
|
type humanCreationCommand interface {
|
|
|
|
eventstore.Command
|
|
|
|
AddPhoneData(phoneNumber string)
|
|
|
|
AddPasswordData(secret *crypto.CryptoValue, changeRequired bool)
|
|
|
|
}
|
|
|
|
|
2022-04-25 16:36:10 +02:00
|
|
|
func AddHumanCommand(a *user.Aggregate, human *AddHuman, passwordAlg crypto.HashAlgorithm, codeAlg crypto.EncryptionAlgorithm) preparation.Validation {
|
2022-04-12 16:20:17 +02:00
|
|
|
return func() (_ preparation.CreateCommands, err error) {
|
|
|
|
if !human.Email.Valid() {
|
|
|
|
return nil, errors.ThrowInvalidArgument(nil, "USER-Ec7dM", "Errors.Invalid.Argument")
|
|
|
|
}
|
|
|
|
if human.Username = strings.TrimSpace(human.Username); human.Username == "" {
|
|
|
|
return nil, errors.ThrowInvalidArgument(nil, "V2-zzad3", "Errors.Invalid.Argument")
|
|
|
|
}
|
|
|
|
|
|
|
|
if human.FirstName = strings.TrimSpace(human.FirstName); human.FirstName == "" {
|
|
|
|
return nil, errors.ThrowInvalidArgument(nil, "USER-UCej2", "Errors.Invalid.Argument")
|
|
|
|
}
|
|
|
|
if human.LastName = strings.TrimSpace(human.LastName); human.LastName == "" {
|
|
|
|
return nil, errors.ThrowInvalidArgument(nil, "USER-DiAq8", "Errors.Invalid.Argument")
|
|
|
|
}
|
|
|
|
human.ensureDisplayName()
|
|
|
|
|
|
|
|
if human.Phone.Number, err = FormatPhoneNumber(human.Phone.Number); err != nil {
|
|
|
|
return nil, errors.ThrowInvalidArgument(nil, "USER-tD6ax", "Errors.Invalid.Argument")
|
|
|
|
}
|
|
|
|
|
|
|
|
return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
|
|
|
|
domainPolicy, err := domainPolicyWriteModel(ctx, filter)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
if err = userValidateDomain(ctx, a, human.Username, domainPolicy.UserLoginMustBeDomain, filter); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
var createCmd humanCreationCommand
|
|
|
|
if human.Register {
|
|
|
|
createCmd = user.NewHumanRegisteredEvent(
|
|
|
|
ctx,
|
|
|
|
&a.Aggregate,
|
|
|
|
human.Username,
|
|
|
|
human.FirstName,
|
|
|
|
human.LastName,
|
|
|
|
human.NickName,
|
|
|
|
human.DisplayName,
|
2022-04-28 10:30:41 +02:00
|
|
|
human.PreferredLanguage,
|
2022-04-12 16:20:17 +02:00
|
|
|
human.Gender,
|
|
|
|
human.Email.Address,
|
|
|
|
domainPolicy.UserLoginMustBeDomain,
|
|
|
|
)
|
|
|
|
} else {
|
|
|
|
createCmd = user.NewHumanAddedEvent(
|
|
|
|
ctx,
|
|
|
|
&a.Aggregate,
|
|
|
|
human.Username,
|
|
|
|
human.FirstName,
|
|
|
|
human.LastName,
|
|
|
|
human.NickName,
|
|
|
|
human.DisplayName,
|
2022-04-28 10:30:41 +02:00
|
|
|
human.PreferredLanguage,
|
2022-04-12 16:20:17 +02:00
|
|
|
human.Gender,
|
|
|
|
human.Email.Address,
|
|
|
|
domainPolicy.UserLoginMustBeDomain,
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
|
|
|
if human.Phone.Number != "" {
|
|
|
|
createCmd.AddPhoneData(human.Phone.Number)
|
|
|
|
}
|
|
|
|
|
|
|
|
if human.Password != "" {
|
|
|
|
if err = humanValidatePassword(ctx, filter, human.Password); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
secret, err := crypto.Hash([]byte(human.Password), passwordAlg)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
createCmd.AddPasswordData(secret, human.PasswordChangeRequired)
|
|
|
|
}
|
|
|
|
|
2022-07-28 15:42:35 +02:00
|
|
|
if human.BcryptedPassword != "" {
|
|
|
|
createCmd.AddPasswordData(crypto.FillHash([]byte(human.BcryptedPassword), passwordAlg), human.PasswordChangeRequired)
|
|
|
|
}
|
|
|
|
|
2022-04-12 16:20:17 +02:00
|
|
|
cmds := make([]eventstore.Command, 0, 3)
|
|
|
|
cmds = append(cmds, createCmd)
|
|
|
|
|
|
|
|
//add init code if
|
|
|
|
// email not verified or
|
|
|
|
// user not registered and password set
|
|
|
|
if human.shouldAddInitCode() {
|
2022-04-25 16:36:10 +02:00
|
|
|
value, expiry, err := newUserInitCode(ctx, filter, codeAlg)
|
2022-04-12 16:20:17 +02:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
cmds = append(cmds, user.NewHumanInitialCodeAddedEvent(ctx, &a.Aggregate, value, expiry))
|
|
|
|
} else {
|
2022-05-18 14:10:49 +02:00
|
|
|
if human.Email.Verified {
|
|
|
|
cmds = append(cmds, user.NewHumanEmailVerifiedEvent(ctx, &a.Aggregate))
|
|
|
|
} else {
|
|
|
|
value, expiry, err := newEmailCode(ctx, filter, codeAlg)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
cmds = append(cmds, user.NewHumanEmailCodeAddedEvent(ctx, &a.Aggregate, value, expiry))
|
2022-04-12 16:20:17 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if human.Phone.Verified {
|
|
|
|
cmds = append(cmds, user.NewHumanPhoneVerifiedEvent(ctx, &a.Aggregate))
|
|
|
|
} else if human.Phone.Number != "" {
|
2022-04-25 16:36:10 +02:00
|
|
|
value, expiry, err := newPhoneCode(ctx, filter, codeAlg)
|
2022-04-12 16:20:17 +02:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
cmds = append(cmds, user.NewHumanPhoneCodeAddedEvent(ctx, &a.Aggregate, value, expiry))
|
|
|
|
}
|
|
|
|
|
|
|
|
return cmds, nil
|
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func userValidateDomain(ctx context.Context, a *user.Aggregate, username string, mustBeDomain bool, filter preparation.FilterToQueryReducer) error {
|
|
|
|
if mustBeDomain {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
usernameSplit := strings.Split(username, "@")
|
|
|
|
if len(usernameSplit) != 2 {
|
|
|
|
return errors.ThrowInvalidArgument(nil, "COMMAND-Dfd21", "Errors.User.Invalid")
|
|
|
|
}
|
|
|
|
|
|
|
|
domainCheck := NewOrgDomainVerifiedWriteModel(usernameSplit[1])
|
|
|
|
events, err := filter(ctx, domainCheck.Query())
|
2021-01-08 11:33:45 +01:00
|
|
|
if err != nil {
|
2022-04-12 16:20:17 +02:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
domainCheck.AppendEvents(events...)
|
|
|
|
if err = domainCheck.Reduce(); err != nil {
|
|
|
|
return err
|
2021-01-08 11:33:45 +01:00
|
|
|
}
|
2021-02-18 14:48:27 +01:00
|
|
|
|
2022-04-12 16:20:17 +02:00
|
|
|
if domainCheck.Verified && domainCheck.ResourceOwner != a.ResourceOwner {
|
|
|
|
return errors.ThrowInvalidArgument(nil, "COMMAND-SFd21", "Errors.User.DomainNotAllowedAsUsername")
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func humanValidatePassword(ctx context.Context, filter preparation.FilterToQueryReducer, password string) error {
|
|
|
|
passwordComplexity, err := passwordComplexityPolicyWriteModel(ctx, filter)
|
2021-01-08 11:33:45 +01:00
|
|
|
if err != nil {
|
2022-04-12 16:20:17 +02:00
|
|
|
return err
|
2021-01-08 11:33:45 +01:00
|
|
|
}
|
|
|
|
|
2022-04-12 16:20:17 +02:00
|
|
|
return passwordComplexity.Validate(password)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (h *AddHuman) ensureDisplayName() {
|
|
|
|
if strings.TrimSpace(h.DisplayName) != "" {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
h.DisplayName = h.FirstName + " " + h.LastName
|
|
|
|
}
|
|
|
|
|
2022-05-18 14:10:49 +02:00
|
|
|
//shouldAddInitCode returns true for all added Humans which:
|
|
|
|
// - were not added from an external IDP
|
|
|
|
// - and either:
|
|
|
|
// - have no verified email
|
|
|
|
// and / or
|
|
|
|
// - have no authentication method (password / passwordless)
|
2022-04-12 16:20:17 +02:00
|
|
|
func (h *AddHuman) shouldAddInitCode() bool {
|
2022-05-18 14:10:49 +02:00
|
|
|
return !h.ExternalIDP &&
|
|
|
|
!h.Email.Verified ||
|
|
|
|
!h.Passwordless &&
|
|
|
|
h.Password == ""
|
2021-01-08 11:33:45 +01:00
|
|
|
}
|
|
|
|
|
2022-02-16 16:49:17 +01:00
|
|
|
func (c *Commands) ImportHuman(ctx context.Context, orgID string, human *domain.Human, passwordless bool, initCodeGenerator crypto.Generator, phoneCodeGenerator crypto.Generator, passwordlessCodeGenerator crypto.Generator) (_ *domain.Human, passwordlessCode *domain.PasswordlessInitCode, err error) {
|
2021-03-25 14:41:07 +01:00
|
|
|
if orgID == "" {
|
2022-04-12 16:20:17 +02:00
|
|
|
return nil, nil, errors.ThrowInvalidArgument(nil, "COMMAND-5N8fs", "Errors.ResourceOwnerMissing")
|
2021-03-25 14:41:07 +01:00
|
|
|
}
|
2022-03-28 10:05:09 +02:00
|
|
|
domainPolicy, err := c.getOrgDomainPolicy(ctx, orgID)
|
2021-03-25 14:41:07 +01:00
|
|
|
if err != nil {
|
2022-04-12 16:20:17 +02:00
|
|
|
return nil, nil, errors.ThrowPreconditionFailed(err, "COMMAND-2N9fs", "Errors.Org.DomainPolicy.NotFound")
|
2021-03-25 14:41:07 +01:00
|
|
|
}
|
|
|
|
pwPolicy, err := c.getOrgPasswordComplexityPolicy(ctx, orgID)
|
|
|
|
if err != nil {
|
2022-04-12 16:20:17 +02:00
|
|
|
return nil, nil, errors.ThrowPreconditionFailed(err, "COMMAND-4N8gs", "Errors.Org.PasswordComplexityPolicy.NotFound")
|
2021-03-25 14:41:07 +01:00
|
|
|
}
|
2022-07-28 15:42:35 +02:00
|
|
|
|
|
|
|
if human.AggregateID != "" {
|
|
|
|
existing, err := c.getHumanWriteModelByID(ctx, human.AggregateID, human.ResourceOwner)
|
|
|
|
if err != nil {
|
|
|
|
return nil, nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
if existing.UserState != domain.UserStateUnspecified {
|
|
|
|
return nil, nil, errors.ThrowPreconditionFailed(nil, "COMMAND-ziuna", "Errors.User.AlreadyExisting")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-03-28 10:05:09 +02:00
|
|
|
events, addedHuman, addedCode, code, err := c.importHuman(ctx, orgID, human, passwordless, domainPolicy, pwPolicy, initCodeGenerator, phoneCodeGenerator, passwordlessCodeGenerator)
|
2021-03-25 14:41:07 +01:00
|
|
|
if err != nil {
|
2021-08-02 15:24:58 +02:00
|
|
|
return nil, nil, err
|
2021-03-25 14:41:07 +01:00
|
|
|
}
|
2022-01-03 09:19:07 +01:00
|
|
|
pushedEvents, err := c.eventstore.Push(ctx, events...)
|
2021-03-25 14:41:07 +01:00
|
|
|
if err != nil {
|
2021-08-02 15:24:58 +02:00
|
|
|
return nil, nil, err
|
2021-03-25 14:41:07 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
err = AppendAndReduce(addedHuman, pushedEvents...)
|
|
|
|
if err != nil {
|
2021-08-02 15:24:58 +02:00
|
|
|
return nil, nil, err
|
|
|
|
}
|
|
|
|
if addedCode != nil {
|
|
|
|
err = AppendAndReduce(addedCode, pushedEvents...)
|
|
|
|
if err != nil {
|
|
|
|
return nil, nil, err
|
|
|
|
}
|
|
|
|
passwordlessCode = writeModelToPasswordlessInitCode(addedCode, code)
|
2021-03-25 14:41:07 +01:00
|
|
|
}
|
|
|
|
|
2021-08-02 15:24:58 +02:00
|
|
|
return writeModelToHuman(addedHuman), passwordlessCode, nil
|
2021-03-25 14:41:07 +01:00
|
|
|
}
|
|
|
|
|
2022-02-16 16:49:17 +01:00
|
|
|
func (c *Commands) RegisterHuman(ctx context.Context, orgID string, human *domain.Human, link *domain.UserIDPLink, orgMemberRoles []string, initCodeGenerator crypto.Generator, phoneCodeGenerator crypto.Generator) (*domain.Human, error) {
|
2021-08-25 11:12:24 +02:00
|
|
|
if orgID == "" {
|
2022-04-12 16:20:17 +02:00
|
|
|
return nil, errors.ThrowInvalidArgument(nil, "COMMAND-GEdf2", "Errors.ResourceOwnerMissing")
|
2021-08-18 17:04:56 +02:00
|
|
|
}
|
2022-03-28 10:05:09 +02:00
|
|
|
domainPolicy, err := c.getOrgDomainPolicy(ctx, orgID)
|
2021-08-18 17:04:56 +02:00
|
|
|
if err != nil {
|
2022-04-12 16:20:17 +02:00
|
|
|
return nil, errors.ThrowPreconditionFailed(err, "COMMAND-33M9f", "Errors.Org.DomainPolicy.NotFound")
|
2021-08-18 17:04:56 +02:00
|
|
|
}
|
|
|
|
pwPolicy, err := c.getOrgPasswordComplexityPolicy(ctx, orgID)
|
|
|
|
if err != nil {
|
2022-04-12 16:20:17 +02:00
|
|
|
return nil, errors.ThrowPreconditionFailed(err, "COMMAND-M5Fsd", "Errors.Org.PasswordComplexityPolicy.NotFound")
|
2021-08-18 17:04:56 +02:00
|
|
|
}
|
2021-11-08 08:42:07 +01:00
|
|
|
loginPolicy, err := c.getOrgLoginPolicy(ctx, orgID)
|
|
|
|
if err != nil {
|
2022-04-12 16:20:17 +02:00
|
|
|
return nil, errors.ThrowPreconditionFailed(err, "COMMAND-Dfg3g", "Errors.Org.LoginPolicy.NotFound")
|
2021-11-08 08:42:07 +01:00
|
|
|
}
|
|
|
|
if !loginPolicy.AllowRegister {
|
2022-04-12 16:20:17 +02:00
|
|
|
return nil, errors.ThrowPreconditionFailed(err, "COMMAND-SAbr3", "Errors.Org.LoginPolicy.RegistrationNotAllowed")
|
2021-11-08 08:42:07 +01:00
|
|
|
}
|
2022-03-28 10:05:09 +02:00
|
|
|
userEvents, registeredHuman, err := c.registerHuman(ctx, orgID, human, link, domainPolicy, pwPolicy, initCodeGenerator, phoneCodeGenerator)
|
2021-01-15 09:32:59 +01:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2021-02-08 11:30:30 +01:00
|
|
|
|
2021-02-18 14:48:27 +01:00
|
|
|
orgMemberWriteModel := NewOrgMemberWriteModel(orgID, registeredHuman.AggregateID)
|
2021-02-08 11:30:30 +01:00
|
|
|
orgAgg := OrgAggregateFromWriteModel(&orgMemberWriteModel.WriteModel)
|
2021-02-18 14:48:27 +01:00
|
|
|
if len(orgMemberRoles) > 0 {
|
2021-02-08 11:30:30 +01:00
|
|
|
orgMember := &domain.Member{
|
|
|
|
ObjectRoot: models.ObjectRoot{
|
|
|
|
AggregateID: orgID,
|
|
|
|
},
|
2021-02-18 14:48:27 +01:00
|
|
|
UserID: human.AggregateID,
|
2021-02-08 11:30:30 +01:00
|
|
|
Roles: orgMemberRoles,
|
2021-01-21 10:49:38 +01:00
|
|
|
}
|
2021-02-24 11:17:39 +01:00
|
|
|
memberEvent, err := c.addOrgMember(ctx, orgAgg, orgMemberWriteModel, orgMember)
|
2021-02-18 14:48:27 +01:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
userEvents = append(userEvents, memberEvent)
|
2021-01-15 09:32:59 +01:00
|
|
|
}
|
|
|
|
|
2022-01-03 09:19:07 +01:00
|
|
|
pushedEvents, err := c.eventstore.Push(ctx, userEvents...)
|
2021-02-18 14:48:27 +01:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2021-02-08 11:30:30 +01:00
|
|
|
|
2021-02-18 14:48:27 +01:00
|
|
|
err = AppendAndReduce(registeredHuman, pushedEvents...)
|
2021-02-08 11:30:30 +01:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2021-02-18 14:48:27 +01:00
|
|
|
return writeModelToHuman(registeredHuman), nil
|
2021-01-15 09:32:59 +01:00
|
|
|
}
|
|
|
|
|
2022-04-12 16:20:17 +02:00
|
|
|
func (c *Commands) addHuman(ctx context.Context, orgID string, human *domain.Human, domainPolicy *domain.DomainPolicy, pwPolicy *domain.PasswordComplexityPolicy, initCodeGenerator crypto.Generator, phoneCodeGenerator crypto.Generator) ([]eventstore.Command, *HumanWriteModel, error) {
|
|
|
|
if orgID == "" || !human.IsValid() {
|
|
|
|
return nil, nil, errors.ThrowInvalidArgument(nil, "COMMAND-67Ms8", "Errors.User.Invalid")
|
|
|
|
}
|
2022-07-28 15:42:35 +02:00
|
|
|
if human.Password != nil && human.Password.SecretString != "" {
|
|
|
|
human.Password.ChangeRequired = true
|
2022-04-12 16:20:17 +02:00
|
|
|
}
|
|
|
|
return c.createHuman(ctx, orgID, human, nil, false, false, domainPolicy, pwPolicy, initCodeGenerator, phoneCodeGenerator)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Commands) importHuman(ctx context.Context, orgID string, human *domain.Human, passwordless bool, domainPolicy *domain.DomainPolicy, pwPolicy *domain.PasswordComplexityPolicy, initCodeGenerator crypto.Generator, phoneCodeGenerator crypto.Generator, passwordlessCodeGenerator crypto.Generator) (events []eventstore.Command, humanWriteModel *HumanWriteModel, passwordlessCodeWriteModel *HumanPasswordlessInitCodeWriteModel, code string, err error) {
|
|
|
|
if orgID == "" || !human.IsValid() {
|
|
|
|
return nil, nil, nil, "", errors.ThrowInvalidArgument(nil, "COMMAND-00p2b", "Errors.User.Invalid")
|
|
|
|
}
|
|
|
|
events, humanWriteModel, err = c.createHuman(ctx, orgID, human, nil, false, passwordless, domainPolicy, pwPolicy, initCodeGenerator, phoneCodeGenerator)
|
|
|
|
if err != nil {
|
|
|
|
return nil, nil, nil, "", err
|
|
|
|
}
|
|
|
|
if passwordless {
|
|
|
|
var codeEvent eventstore.Command
|
|
|
|
codeEvent, passwordlessCodeWriteModel, code, err = c.humanAddPasswordlessInitCode(ctx, human.AggregateID, orgID, true, passwordlessCodeGenerator)
|
|
|
|
if err != nil {
|
|
|
|
return nil, nil, nil, "", err
|
|
|
|
}
|
|
|
|
events = append(events, codeEvent)
|
|
|
|
}
|
|
|
|
return events, humanWriteModel, passwordlessCodeWriteModel, code, nil
|
|
|
|
}
|
|
|
|
|
2022-03-28 10:05:09 +02:00
|
|
|
func (c *Commands) registerHuman(ctx context.Context, orgID string, human *domain.Human, link *domain.UserIDPLink, domainPolicy *domain.DomainPolicy, pwPolicy *domain.PasswordComplexityPolicy, initCodeGenerator crypto.Generator, phoneCodeGenerator crypto.Generator) ([]eventstore.Command, *HumanWriteModel, error) {
|
2021-05-17 13:39:51 +02:00
|
|
|
if human != nil && human.Username == "" {
|
|
|
|
human.Username = human.EmailAddress
|
|
|
|
}
|
2022-07-28 15:42:35 +02:00
|
|
|
if orgID == "" || !human.IsValid() || link == nil && (human.Password == nil || human.Password.SecretString == "") {
|
2022-04-12 16:20:17 +02:00
|
|
|
return nil, nil, errors.ThrowInvalidArgument(nil, "COMMAND-9dk45", "Errors.User.Invalid")
|
2021-01-15 09:32:59 +01:00
|
|
|
}
|
2022-07-28 15:42:35 +02:00
|
|
|
if human.Password != nil && human.Password.SecretString != "" {
|
|
|
|
human.Password.ChangeRequired = false
|
2021-03-25 14:41:07 +01:00
|
|
|
}
|
2022-03-28 10:05:09 +02:00
|
|
|
return c.createHuman(ctx, orgID, human, link, true, false, domainPolicy, pwPolicy, initCodeGenerator, phoneCodeGenerator)
|
2021-03-19 18:46:26 +01:00
|
|
|
}
|
|
|
|
|
2022-04-12 16:20:17 +02:00
|
|
|
func (c *Commands) createHuman(ctx context.Context, orgID string, human *domain.Human, link *domain.UserIDPLink, selfregister, passwordless bool, domainPolicy *domain.DomainPolicy, pwPolicy *domain.PasswordComplexityPolicy, initCodeGenerator crypto.Generator, phoneCodeGenerator crypto.Generator) (events []eventstore.Command, addedHuman *HumanWriteModel, err error) {
|
2022-03-28 10:05:09 +02:00
|
|
|
if err := human.CheckDomainPolicy(domainPolicy); err != nil {
|
2021-01-08 11:33:45 +01:00
|
|
|
return nil, nil, err
|
2021-01-04 14:52:13 +01:00
|
|
|
}
|
2022-03-28 10:05:09 +02:00
|
|
|
if !domainPolicy.UserLoginMustBeDomain {
|
2021-08-25 11:12:24 +02:00
|
|
|
usernameSplit := strings.Split(human.Username, "@")
|
|
|
|
if len(usernameSplit) != 2 {
|
2022-04-12 16:20:17 +02:00
|
|
|
return nil, nil, errors.ThrowInvalidArgument(nil, "COMMAND-Dfd21", "Errors.User.Invalid")
|
2021-08-25 11:12:24 +02:00
|
|
|
}
|
|
|
|
domainCheck := NewOrgDomainVerifiedWriteModel(usernameSplit[1])
|
|
|
|
if err := c.eventstore.FilterToQueryReducer(ctx, domainCheck); err != nil {
|
|
|
|
return nil, nil, err
|
|
|
|
}
|
|
|
|
if domainCheck.Verified && domainCheck.ResourceOwner != orgID {
|
2022-04-12 16:20:17 +02:00
|
|
|
return nil, nil, errors.ThrowInvalidArgument(nil, "COMMAND-SFd21", "Errors.User.DomainNotAllowedAsUsername")
|
2021-08-25 11:12:24 +02:00
|
|
|
}
|
|
|
|
}
|
2022-07-28 15:42:35 +02:00
|
|
|
|
|
|
|
if human.AggregateID == "" {
|
|
|
|
userID, err := c.idGenerator.Next()
|
|
|
|
if err != nil {
|
|
|
|
return nil, nil, err
|
|
|
|
}
|
|
|
|
human.AggregateID = userID
|
2021-01-07 16:06:45 +01:00
|
|
|
}
|
2022-07-28 15:42:35 +02:00
|
|
|
|
2021-01-04 14:52:13 +01:00
|
|
|
human.SetNamesAsDisplayname()
|
2021-03-25 14:41:07 +01:00
|
|
|
if human.Password != nil {
|
2022-07-28 15:42:35 +02:00
|
|
|
if err := human.HashPasswordIfExisting(pwPolicy, c.userPasswordAlg, human.Password.ChangeRequired); err != nil {
|
2021-03-25 14:41:07 +01:00
|
|
|
return nil, nil, err
|
|
|
|
}
|
2021-01-07 16:06:45 +01:00
|
|
|
}
|
2021-03-25 14:41:07 +01:00
|
|
|
|
2022-04-12 16:20:17 +02:00
|
|
|
addedHuman = NewHumanWriteModel(human.AggregateID, orgID)
|
2021-02-18 14:48:27 +01:00
|
|
|
//TODO: adlerhurst maybe we could simplify the code below
|
2021-01-04 14:52:13 +01:00
|
|
|
userAgg := UserAggregateFromWriteModel(&addedHuman.WriteModel)
|
2021-02-18 14:48:27 +01:00
|
|
|
|
2021-01-15 09:32:59 +01:00
|
|
|
if selfregister {
|
2022-03-28 10:05:09 +02:00
|
|
|
events = append(events, createRegisterHumanEvent(ctx, userAgg, human, domainPolicy.UserLoginMustBeDomain))
|
2021-01-15 09:32:59 +01:00
|
|
|
} else {
|
2022-03-28 10:05:09 +02:00
|
|
|
events = append(events, createAddHumanEvent(ctx, userAgg, human, domainPolicy.UserLoginMustBeDomain))
|
2021-01-06 11:12:56 +01:00
|
|
|
}
|
|
|
|
|
2021-11-02 10:08:47 +01:00
|
|
|
if link != nil {
|
|
|
|
event, err := c.addUserIDPLink(ctx, userAgg, link)
|
2021-02-08 11:30:30 +01:00
|
|
|
if err != nil {
|
|
|
|
return nil, nil, err
|
2021-01-15 09:32:59 +01:00
|
|
|
}
|
2021-02-18 14:48:27 +01:00
|
|
|
events = append(events, event)
|
2021-01-15 09:32:59 +01:00
|
|
|
}
|
2021-02-18 14:48:27 +01:00
|
|
|
|
2021-11-02 10:08:47 +01:00
|
|
|
if human.IsInitialState(passwordless, link != nil) {
|
2022-02-16 16:49:17 +01:00
|
|
|
initCode, err := domain.NewInitUserCode(initCodeGenerator)
|
2021-01-06 11:12:56 +01:00
|
|
|
if err != nil {
|
2021-01-08 11:33:45 +01:00
|
|
|
return nil, nil, err
|
2021-01-06 11:12:56 +01:00
|
|
|
}
|
2021-02-18 14:48:27 +01:00
|
|
|
events = append(events, user.NewHumanInitialCodeAddedEvent(ctx, userAgg, initCode.Code, initCode.Expiry))
|
2021-01-06 11:12:56 +01:00
|
|
|
}
|
2021-02-18 14:48:27 +01:00
|
|
|
|
2021-01-04 14:52:13 +01:00
|
|
|
if human.Email != nil && human.EmailAddress != "" && human.IsEmailVerified {
|
2021-02-18 14:48:27 +01:00
|
|
|
events = append(events, user.NewHumanEmailVerifiedEvent(ctx, userAgg))
|
2021-01-04 14:52:13 +01:00
|
|
|
}
|
2021-02-18 14:48:27 +01:00
|
|
|
|
2021-01-06 11:12:56 +01:00
|
|
|
if human.Phone != nil && human.PhoneNumber != "" && !human.IsPhoneVerified {
|
2022-02-16 16:49:17 +01:00
|
|
|
phoneCode, err := domain.NewPhoneCode(phoneCodeGenerator)
|
2021-01-06 11:12:56 +01:00
|
|
|
if err != nil {
|
2021-01-08 11:33:45 +01:00
|
|
|
return nil, nil, err
|
2021-01-06 11:12:56 +01:00
|
|
|
}
|
2021-02-18 14:48:27 +01:00
|
|
|
events = append(events, user.NewHumanPhoneCodeAddedEvent(ctx, userAgg, phoneCode.Code, phoneCode.Expiry))
|
2021-01-06 11:12:56 +01:00
|
|
|
} else if human.Phone != nil && human.PhoneNumber != "" && human.IsPhoneVerified {
|
2021-02-18 14:48:27 +01:00
|
|
|
events = append(events, user.NewHumanPhoneVerifiedEvent(ctx, userAgg))
|
2021-01-04 14:52:13 +01:00
|
|
|
}
|
|
|
|
|
2021-02-18 14:48:27 +01:00
|
|
|
return events, addedHuman, nil
|
2021-01-04 14:52:13 +01:00
|
|
|
}
|
2021-01-06 11:12:56 +01:00
|
|
|
|
2021-02-24 11:17:39 +01:00
|
|
|
func (c *Commands) HumanSkipMFAInit(ctx context.Context, userID, resourceowner string) (err error) {
|
2021-01-15 09:32:59 +01:00
|
|
|
if userID == "" {
|
2022-04-12 16:20:17 +02:00
|
|
|
return errors.ThrowInvalidArgument(nil, "COMMAND-2xpX9", "Errors.User.UserIDMissing")
|
2021-01-06 11:12:56 +01:00
|
|
|
}
|
2021-01-15 09:32:59 +01:00
|
|
|
|
2021-02-24 11:17:39 +01:00
|
|
|
existingHuman, err := c.getHumanWriteModelByID(ctx, userID, resourceowner)
|
2021-01-06 11:12:56 +01:00
|
|
|
if err != nil {
|
2021-01-15 09:32:59 +01:00
|
|
|
return err
|
2021-01-06 11:12:56 +01:00
|
|
|
}
|
2021-02-18 14:48:27 +01:00
|
|
|
if !isUserStateExists(existingHuman.UserState) {
|
2022-04-12 16:20:17 +02:00
|
|
|
return errors.ThrowNotFound(nil, "COMMAND-m9cV8", "Errors.User.NotFound")
|
2021-01-06 11:12:56 +01:00
|
|
|
}
|
2021-02-18 14:48:27 +01:00
|
|
|
|
2022-01-03 09:19:07 +01:00
|
|
|
_, err = c.eventstore.Push(ctx,
|
2021-02-18 14:48:27 +01:00
|
|
|
user.NewHumanMFAInitSkippedEvent(ctx, UserAggregateFromWriteModel(&existingHuman.WriteModel)))
|
|
|
|
return err
|
2021-01-15 09:32:59 +01:00
|
|
|
}
|
2021-01-06 11:12:56 +01:00
|
|
|
|
2021-02-18 14:48:27 +01:00
|
|
|
///TODO: adlerhurst maybe we can simplify createAddHumanEvent and createRegisterHumanEvent
|
|
|
|
func createAddHumanEvent(ctx context.Context, aggregate *eventstore.Aggregate, human *domain.Human, userLoginMustBeDomain bool) *user.HumanAddedEvent {
|
2021-01-15 09:32:59 +01:00
|
|
|
addEvent := user.NewHumanAddedEvent(
|
2021-01-06 11:12:56 +01:00
|
|
|
ctx,
|
2021-02-18 14:48:27 +01:00
|
|
|
aggregate,
|
2021-01-21 10:49:38 +01:00
|
|
|
human.Username,
|
2021-01-06 11:12:56 +01:00
|
|
|
human.FirstName,
|
|
|
|
human.LastName,
|
|
|
|
human.NickName,
|
|
|
|
human.DisplayName,
|
|
|
|
human.PreferredLanguage,
|
|
|
|
human.Gender,
|
|
|
|
human.EmailAddress,
|
2021-01-21 10:49:38 +01:00
|
|
|
userLoginMustBeDomain,
|
2021-01-06 11:12:56 +01:00
|
|
|
)
|
|
|
|
if human.Phone != nil {
|
|
|
|
addEvent.AddPhoneData(human.PhoneNumber)
|
|
|
|
}
|
|
|
|
if human.Address != nil {
|
|
|
|
addEvent.AddAddressData(
|
|
|
|
human.Country,
|
|
|
|
human.Locality,
|
|
|
|
human.PostalCode,
|
|
|
|
human.Region,
|
|
|
|
human.StreetAddress)
|
|
|
|
}
|
|
|
|
if human.Password != nil {
|
2022-07-28 15:42:35 +02:00
|
|
|
addEvent.AddPasswordData(human.Password.SecretCrypto, human.Password.ChangeRequired)
|
|
|
|
}
|
|
|
|
if human.HashedPassword != nil {
|
|
|
|
addEvent.AddPasswordData(human.HashedPassword.SecretCrypto, false)
|
2021-01-06 11:12:56 +01:00
|
|
|
}
|
2021-01-15 09:32:59 +01:00
|
|
|
return addEvent
|
|
|
|
}
|
2021-01-06 11:12:56 +01:00
|
|
|
|
2021-02-18 14:48:27 +01:00
|
|
|
func createRegisterHumanEvent(ctx context.Context, aggregate *eventstore.Aggregate, human *domain.Human, userLoginMustBeDomain bool) *user.HumanRegisteredEvent {
|
2021-01-15 09:32:59 +01:00
|
|
|
addEvent := user.NewHumanRegisteredEvent(
|
|
|
|
ctx,
|
2021-02-18 14:48:27 +01:00
|
|
|
aggregate,
|
2021-01-21 10:49:38 +01:00
|
|
|
human.Username,
|
2021-01-15 09:32:59 +01:00
|
|
|
human.FirstName,
|
|
|
|
human.LastName,
|
|
|
|
human.NickName,
|
|
|
|
human.DisplayName,
|
|
|
|
human.PreferredLanguage,
|
|
|
|
human.Gender,
|
|
|
|
human.EmailAddress,
|
2021-01-21 10:49:38 +01:00
|
|
|
userLoginMustBeDomain,
|
2021-01-15 09:32:59 +01:00
|
|
|
)
|
|
|
|
if human.Phone != nil {
|
|
|
|
addEvent.AddPhoneData(human.PhoneNumber)
|
2021-01-06 11:12:56 +01:00
|
|
|
}
|
2021-01-15 09:32:59 +01:00
|
|
|
if human.Address != nil {
|
|
|
|
addEvent.AddAddressData(
|
|
|
|
human.Country,
|
|
|
|
human.Locality,
|
|
|
|
human.PostalCode,
|
|
|
|
human.Region,
|
|
|
|
human.StreetAddress)
|
2021-01-06 11:12:56 +01:00
|
|
|
}
|
2021-01-15 09:32:59 +01:00
|
|
|
if human.Password != nil {
|
2022-07-28 15:42:35 +02:00
|
|
|
addEvent.AddPasswordData(human.Password.SecretCrypto, human.Password.ChangeRequired)
|
|
|
|
}
|
|
|
|
if human.HashedPassword != nil {
|
|
|
|
addEvent.AddPasswordData(human.HashedPassword.SecretCrypto, false)
|
2021-01-06 11:12:56 +01:00
|
|
|
}
|
2021-01-15 09:32:59 +01:00
|
|
|
return addEvent
|
2021-01-06 11:12:56 +01:00
|
|
|
}
|
2021-01-07 16:06:45 +01:00
|
|
|
|
2021-02-24 11:17:39 +01:00
|
|
|
func (c *Commands) HumansSignOut(ctx context.Context, agentID string, userIDs []string) error {
|
2021-02-08 11:30:30 +01:00
|
|
|
if agentID == "" {
|
2022-04-12 16:20:17 +02:00
|
|
|
return errors.ThrowInvalidArgument(nil, "COMMAND-2M0ds", "Errors.User.UserIDMissing")
|
2021-03-19 11:12:56 +01:00
|
|
|
}
|
|
|
|
if len(userIDs) == 0 {
|
2022-04-12 16:20:17 +02:00
|
|
|
return errors.ThrowInvalidArgument(nil, "COMMAND-M0od3", "Errors.User.UserIDMissing")
|
2021-02-08 11:30:30 +01:00
|
|
|
}
|
2022-01-03 09:19:07 +01:00
|
|
|
events := make([]eventstore.Command, 0)
|
2021-03-19 11:12:56 +01:00
|
|
|
for _, userID := range userIDs {
|
2021-02-24 11:17:39 +01:00
|
|
|
existingUser, err := c.getHumanWriteModelByID(ctx, userID, "")
|
2021-02-08 11:30:30 +01:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2021-02-18 14:48:27 +01:00
|
|
|
if !isUserStateExists(existingUser.UserState) {
|
2021-02-08 11:30:30 +01:00
|
|
|
continue
|
|
|
|
}
|
2021-03-19 11:12:56 +01:00
|
|
|
events = append(events, user.NewHumanSignedOutEvent(
|
2021-02-18 14:48:27 +01:00
|
|
|
ctx,
|
|
|
|
UserAggregateFromWriteModel(&existingUser.WriteModel),
|
2021-03-19 11:12:56 +01:00
|
|
|
agentID))
|
|
|
|
}
|
|
|
|
if len(events) == 0 {
|
|
|
|
return nil
|
2021-02-08 11:30:30 +01:00
|
|
|
}
|
2022-01-03 09:19:07 +01:00
|
|
|
_, err := c.eventstore.Push(ctx, events...)
|
2021-02-08 11:30:30 +01:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2021-02-24 11:17:39 +01:00
|
|
|
func (c *Commands) getHumanWriteModelByID(ctx context.Context, userID, resourceowner string) (*HumanWriteModel, error) {
|
2021-01-15 09:32:59 +01:00
|
|
|
humanWriteModel := NewHumanWriteModel(userID, resourceowner)
|
2021-02-24 11:17:39 +01:00
|
|
|
err := c.eventstore.FilterToQueryReducer(ctx, humanWriteModel)
|
2021-01-07 16:06:45 +01:00
|
|
|
if err != nil {
|
2021-01-15 09:32:59 +01:00
|
|
|
return nil, err
|
2021-01-07 16:06:45 +01:00
|
|
|
}
|
2021-01-15 09:32:59 +01:00
|
|
|
return humanWriteModel, nil
|
2021-01-07 16:06:45 +01:00
|
|
|
}
|