zitadel/internal/domain/policy_login.go

package domain

import (
	"net/url"
	"time"

	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
)

type LoginPolicy struct {
	models.ObjectRoot

	Default                    bool
	AllowUsernamePassword      bool
	AllowRegister              bool
	AllowExternalIDP           bool
	IDPProviders               []*IDPProvider
	ForceMFA                   bool
	SecondFactors              []SecondFactorType
	MultiFactors               []MultiFactorType
	PasswordlessType           PasswordlessType
	HidePasswordReset          bool
	IgnoreUnknownUsernames     bool
	AllowDomainDiscovery       bool
	DefaultRedirectURI         string
	PasswordCheckLifetime      time.Duration
	ExternalLoginCheckLifetime time.Duration
	MFAInitSkipLifetime        time.Duration
	SecondFactorCheckLifetime  time.Duration
	MultiFactorCheckLifetime   time.Duration
}

func ValidateDefaultRedirectURI(rawURL string) bool {
	if rawURL == "" {
		return true
	}
	parsedURL, err := url.Parse(rawURL)
	if err != nil {
		return false
	}
	switch parsedURL.Scheme {
	case "":
		return false
	case "http", "https":
		return parsedURL.Host != ""
	default:
		return true
	}
}

type IDPProvider struct {
	models.ObjectRoot
	Type        IdentityProviderType
	IDPConfigID string

	Name          string
	StylingType   IDPConfigStylingType
	IDPConfigType IDPConfigType
	IDPState      IDPConfigState
}

func (p IDPProvider) IsValid() bool {
	return p.IDPConfigID != ""
}

type PasswordlessType int32

const (
	PasswordlessTypeNotAllowed PasswordlessType = iota
	PasswordlessTypeAllowed

	passwordlessCount
)

func (f PasswordlessType) Valid() bool {
	return f >= 0 && f < passwordlessCount
}

func (p *LoginPolicy) HasSecondFactors() bool {
	return len(p.SecondFactors) > 0
}

func (p *LoginPolicy) HasMultiFactors() bool {
	return len(p.MultiFactors) > 0
}
new pkg structure (#1150) * fix: split command query side * fix: split command query side * fix: members in correct pkg structure * fix: label policy in correct pkg structure * fix: structure * fix: structure of login policy * fix: identityprovider structure * fix: org iam policy structure * fix: password age policy structure * fix: password complexity policy structure * fix: password lockout policy structure * fix: idp structure * fix: user events structure * fix: user write model * fix: profile email changed command * fix: address changed command * fix: user states * fix: user * fix: org structure and add human * begin iam setup command side * setup * step2 * step2 * fix: add user * step2 * isvalid * fix: folder structure v2 business Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com> 2021-01-04 14:52:13 +01:00			`package domain`

feat: Login verification lifetimes (#3190) * feat: add login check lifetimes to login policy * feat: org features test * feat: read lifetimes from loginpolicy 2022-02-21 16:05:02 +01:00			`import (`
feat: add default redirect uri and handling of unknown usernames (#3616) * feat: add possibility to ignore username errors on first login screen * console changes * fix: handling of unknown usernames (#3445) * fix: handling of unknown usernames * fix: handle HideLoginNameSuffix on unknown users * feat: add default redirect uri on login policy (#3607) * feat: add default redirect uri on login policy * fix tests * feat: Console login policy default redirect (#3613) * console default redirect * placeholder * validate default redirect uri * allow empty default redirect uri Co-authored-by: Max Peintner <max@caos.ch> * remove wonrgly cherry picked migration Co-authored-by: Max Peintner <max@caos.ch> 2022-05-16 15:39:09 +02:00			`"net/url"`
feat: Login verification lifetimes (#3190) * feat: add login check lifetimes to login policy * feat: org features test * feat: read lifetimes from loginpolicy 2022-02-21 16:05:02 +01:00			`"time"`

chore(v2): move to new org (#3499) * chore: move to new org * logging * fix: org rename caos -> zitadel Co-authored-by: adlerhurst <silvan.reusser@gmail.com> 2022-04-27 01:01:45 +02:00			`"github.com/zitadel/zitadel/internal/eventstore/v1/models"`
feat: Login verification lifetimes (#3190) * feat: add login check lifetimes to login policy * feat: org features test * feat: read lifetimes from loginpolicy 2022-02-21 16:05:02 +01:00			`)`
fix: use domain models for v2 eventstore (#1151) * fix: use domain models for v2 eventstore * fix: user domain model * Update internal/api/grpc/admin/login_policy_converter.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: converter Co-authored-by: Livio Amstutz <livio.a@gmail.com> 2021-01-05 09:33:45 +01:00
			`type LoginPolicy struct {`
			`models.ObjectRoot`

feat: Login verification lifetimes (#3190) * feat: add login check lifetimes to login policy * feat: org features test * feat: read lifetimes from loginpolicy 2022-02-21 16:05:02 +01:00			`Default bool`
			`AllowUsernamePassword bool`
			`AllowRegister bool`
			`AllowExternalIDP bool`
			`IDPProviders []*IDPProvider`
			`ForceMFA bool`
			`SecondFactors []SecondFactorType`
			`MultiFactors []MultiFactorType`
			`PasswordlessType PasswordlessType`
			`HidePasswordReset bool`
feat: add default redirect uri and handling of unknown usernames (#3616) * feat: add possibility to ignore username errors on first login screen * console changes * fix: handling of unknown usernames (#3445) * fix: handling of unknown usernames * fix: handle HideLoginNameSuffix on unknown users * feat: add default redirect uri on login policy (#3607) * feat: add default redirect uri on login policy * fix tests * feat: Console login policy default redirect (#3613) * console default redirect * placeholder * validate default redirect uri * allow empty default redirect uri Co-authored-by: Max Peintner <max@caos.ch> * remove wonrgly cherry picked migration Co-authored-by: Max Peintner <max@caos.ch> 2022-05-16 15:39:09 +02:00			`IgnoreUnknownUsernames bool`
feat: allow domain discovery for unknown usernames (#4484) * fix: wait for projection initialization to be done * feat: allow domain discovery for unknown usernames * fix linting * Update console/src/assets/i18n/de.json Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * Update console/src/assets/i18n/en.json Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * Update console/src/assets/i18n/it.json Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * Update console/src/assets/i18n/fr.json Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * fix zh i18n text * fix projection table name Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> 2022-10-06 13:30:14 +02:00			`AllowDomainDiscovery bool`
feat: add default redirect uri and handling of unknown usernames (#3616) * feat: add possibility to ignore username errors on first login screen * console changes * fix: handling of unknown usernames (#3445) * fix: handling of unknown usernames * fix: handle HideLoginNameSuffix on unknown users * feat: add default redirect uri on login policy (#3607) * feat: add default redirect uri on login policy * fix tests * feat: Console login policy default redirect (#3613) * console default redirect * placeholder * validate default redirect uri * allow empty default redirect uri Co-authored-by: Max Peintner <max@caos.ch> * remove wonrgly cherry picked migration Co-authored-by: Max Peintner <max@caos.ch> 2022-05-16 15:39:09 +02:00			`DefaultRedirectURI string`
feat: Login verification lifetimes (#3190) * feat: add login check lifetimes to login policy * feat: org features test * feat: read lifetimes from loginpolicy 2022-02-21 16:05:02 +01:00			`PasswordCheckLifetime time.Duration`
			`ExternalLoginCheckLifetime time.Duration`
			`MFAInitSkipLifetime time.Duration`
			`SecondFactorCheckLifetime time.Duration`
			`MultiFactorCheckLifetime time.Duration`
fix: use domain models for v2 eventstore (#1151) * fix: use domain models for v2 eventstore * fix: user domain model * Update internal/api/grpc/admin/login_policy_converter.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: converter Co-authored-by: Livio Amstutz <livio.a@gmail.com> 2021-01-05 09:33:45 +01:00			`}`

feat: add default redirect uri and handling of unknown usernames (#3616) * feat: add possibility to ignore username errors on first login screen * console changes * fix: handling of unknown usernames (#3445) * fix: handling of unknown usernames * fix: handle HideLoginNameSuffix on unknown users * feat: add default redirect uri on login policy (#3607) * feat: add default redirect uri on login policy * fix tests * feat: Console login policy default redirect (#3613) * console default redirect * placeholder * validate default redirect uri * allow empty default redirect uri Co-authored-by: Max Peintner <max@caos.ch> * remove wonrgly cherry picked migration Co-authored-by: Max Peintner <max@caos.ch> 2022-05-16 15:39:09 +02:00			`func ValidateDefaultRedirectURI(rawURL string) bool {`
			`if rawURL == "" {`
			`return true`
			`}`
			`parsedURL, err := url.Parse(rawURL)`
			`if err != nil {`
			`return false`
			`}`
			`switch parsedURL.Scheme {`
			`case "":`
			`return false`
			`case "http", "https":`
			`return parsedURL.Host != ""`
			`default:`
			`return true`
			`}`
			`}`

fix: use domain models for v2 eventstore (#1151) * fix: use domain models for v2 eventstore * fix: user domain model * Update internal/api/grpc/admin/login_policy_converter.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: converter Co-authored-by: Livio Amstutz <livio.a@gmail.com> 2021-01-05 09:33:45 +01:00			`type IDPProvider struct {`
			`models.ObjectRoot`
			`Type IdentityProviderType`
			`IDPConfigID string`
feat: User login commands (#1228) * feat: change login to command side * feat: change login to command side * fix: fix push on user * feat: user command side * feat: sign out * feat: command side login * feat: command side login * feat: fix register user * feat: fix register user * feat: fix web auth n events * feat: add machine keys * feat: send codes * feat: move authrequest to domain * feat: move authrequest to domain * feat: webauthn working * feat: external users * feat: external users login * feat: notify users * fix: tests * feat: cascade remove user grants on project remove * fix: webauthn * fix: pr requests * fix: register human with member * fix: fix bugs * fix: fix bugs 2021-02-08 11:30:30 +01:00
			`Name string`
			`StylingType IDPConfigStylingType`
			`IDPConfigType IDPConfigType`
			`IDPState IDPConfigState`
fix: use domain models for v2 eventstore (#1151) * fix: use domain models for v2 eventstore * fix: user domain model * Update internal/api/grpc/admin/login_policy_converter.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: converter Co-authored-by: Livio Amstutz <livio.a@gmail.com> 2021-01-05 09:33:45 +01:00			`}`

feat: new es testing2 (#1428) * fix: org tests * fix: org tests * fix: user grant test * fix: user grant test * fix: project and project role test * fix: project grant test * fix: project grant test * fix: project member, grant member, app changed tests * fix: application tests * fix: application tests * fix: add oidc app test * fix: add oidc app test * fix: add api keys test * fix: iam policies * fix: iam and org member tests * fix: idp config tests * fix: iam tests * fix: user tests * fix: user tests * fix: user tests * fix: user tests * fix: user tests * fix: user tests * fix: user tests * fix: user tests * fix: user tests * fix: user tests * fix: org domain test * fix: org tests * fix: org tests * fix: implement org idps * fix: pr requests * fix: email tests * fix: fix idp check * fix: fix user profile 2021-03-19 11:12:56 +01:00			`func (p IDPProvider) IsValid() bool {`
			`return p.IDPConfigID != ""`
			`}`

new pkg structure (#1150) * fix: split command query side * fix: split command query side * fix: members in correct pkg structure * fix: label policy in correct pkg structure * fix: structure * fix: structure of login policy * fix: identityprovider structure * fix: org iam policy structure * fix: password age policy structure * fix: password complexity policy structure * fix: password lockout policy structure * fix: idp structure * fix: user events structure * fix: user write model * fix: profile email changed command * fix: address changed command * fix: user states * fix: user * fix: org structure and add human * begin iam setup command side * setup * step2 * step2 * fix: add user * step2 * isvalid * fix: folder structure v2 business Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com> 2021-01-04 14:52:13 +01:00			`type PasswordlessType int32`

			`const (`
			`PasswordlessTypeNotAllowed PasswordlessType = iota`
			`PasswordlessTypeAllowed`

			`passwordlessCount`
			`)`

			`func (f PasswordlessType) Valid() bool {`
			`return f >= 0 && f < passwordlessCount`
			`}`
feat: User login commands (#1228) * feat: change login to command side * feat: change login to command side * fix: fix push on user * feat: user command side * feat: sign out * feat: command side login * feat: command side login * feat: fix register user * feat: fix register user * feat: fix web auth n events * feat: add machine keys * feat: send codes * feat: move authrequest to domain * feat: move authrequest to domain * feat: webauthn working * feat: external users * feat: external users login * feat: notify users * fix: tests * feat: cascade remove user grants on project remove * fix: webauthn * fix: pr requests * fix: register human with member * fix: fix bugs * fix: fix bugs 2021-02-08 11:30:30 +01:00
			`func (p *LoginPolicy) HasSecondFactors() bool {`
			`return len(p.SecondFactors) > 0`
			`}`

			`func (p *LoginPolicy) HasMultiFactors() bool {`
			`return len(p.MultiFactors) > 0`
			`}`