2021-01-07 16:06:45 +01:00
|
|
|
package command
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
2023-07-14 09:49:57 +03:00
|
|
|
"errors"
|
2024-05-02 11:50:13 +02:00
|
|
|
"time"
|
fix(queries): lockout policy (#2419)
* job queue
* wg improvements
* start handler
* statement
* statements
* imporve handler
* improve statement
* statement in seperate file
* move handlers
* move query/old to query
* handler
* read models
* bulk works
* cleanup
* contrib
* rename readmodel to projection
* rename read_models schema to projections
* rename read_models schema to projections
* search query as func,
bulk iterates as long as new events
* add event sequence less query
* update checks for events between current sequence and sequence of first statement if it has previous sequence 0
* cleanup crdb projection
* refactor projection handler
* start with testing
* tests for handler
* remove todo
* refactor statement: remove table name,
add tests
* improve projection handler shutdown,
no savepoint if noop stmt,
tests for stmt handler
* tests
* start failed events
* seperate branch for contrib
* move statement constructors to crdb pkg
* correct import
* Subscribe for eventtypes (#1800)
* fix: is default (#1737)
* fix: use email as username on global org (#1738)
* fix: use email as username on global org
* Update user_human.go
* Update register_handler.go
* chore(deps): update docusaurus (#1739)
* chore: remove PAT and use GH Token (#1716)
* chore: remove PAT and use GH Token
* fix env
* fix env
* fix env
* md lint
* trigger ci
* change user
* fix GH bug
* replace login part
* chore: add GH Token to sem rel (#1746)
* chore: add GH Token to sem rel
* try branch
* add GH Token
* remove test branch again
* docs: changes acme to acme-caos (#1744)
* changes acme to acme-caos
* Apply suggestions from code review
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: Maximilian Panne <maximilian.panne@gmail.com>
Co-authored-by: Florian Forster <florian@caos.ch>
* feat: add additional origins on applications (#1691)
* feat: add additional origins on applications
* app additional redirects
* chore(deps-dev): bump @angular/cli from 11.2.8 to 11.2.11 in /console (#1706)
* fix: show org with regex (#1688)
* fix: flag mapping (#1699)
* chore(deps-dev): bump @angular/cli from 11.2.8 to 11.2.11 in /console
Bumps [@angular/cli](https://github.com/angular/angular-cli) from 11.2.8 to 11.2.11.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/compare/v11.2.8...v11.2.11)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps-dev): bump stylelint from 13.10.0 to 13.13.1 in /console (#1703)
* fix: show org with regex (#1688)
* fix: flag mapping (#1699)
* chore(deps-dev): bump stylelint from 13.10.0 to 13.13.1 in /console
Bumps [stylelint](https://github.com/stylelint/stylelint) from 13.10.0 to 13.13.1.
- [Release notes](https://github.com/stylelint/stylelint/releases)
- [Changelog](https://github.com/stylelint/stylelint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/stylelint/stylelint/compare/13.10.0...13.13.1)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps-dev): bump @types/node from 14.14.37 to 15.0.1 in /console (#1702)
* fix: show org with regex (#1688)
* fix: flag mapping (#1699)
* chore(deps-dev): bump @types/node from 14.14.37 to 15.0.1 in /console
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 14.14.37 to 15.0.1.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump ts-protoc-gen from 0.14.0 to 0.15.0 in /console (#1701)
* fix: show org with regex (#1688)
* fix: flag mapping (#1699)
* chore(deps): bump ts-protoc-gen from 0.14.0 to 0.15.0 in /console
Bumps [ts-protoc-gen](https://github.com/improbable-eng/ts-protoc-gen) from 0.14.0 to 0.15.0.
- [Release notes](https://github.com/improbable-eng/ts-protoc-gen/releases)
- [Changelog](https://github.com/improbable-eng/ts-protoc-gen/blob/master/CHANGELOG.md)
- [Commits](https://github.com/improbable-eng/ts-protoc-gen/compare/0.14.0...0.15.0)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps-dev): bump @types/jasmine from 3.6.9 to 3.6.10 in /console (#1682)
Bumps [@types/jasmine](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jasmine) from 3.6.9 to 3.6.10.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jasmine)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump @types/google-protobuf in /console (#1681)
Bumps [@types/google-protobuf](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/google-protobuf) from 3.7.4 to 3.15.2.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/google-protobuf)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump grpc from 1.24.5 to 1.24.7 in /console (#1666)
Bumps [grpc](https://github.com/grpc/grpc-node) from 1.24.5 to 1.24.7.
- [Release notes](https://github.com/grpc/grpc-node/releases)
- [Commits](https://github.com/grpc/grpc-node/compare/grpc@1.24.5...grpc@1.24.7)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* lock
* chore(deps-dev): bump @angular/language-service from 11.2.9 to 11.2.12 in /console (#1704)
* fix: show org with regex (#1688)
* fix: flag mapping (#1699)
* chore(deps-dev): bump @angular/language-service in /console
Bumps [@angular/language-service](https://github.com/angular/angular/tree/HEAD/packages/language-service) from 11.2.9 to 11.2.12.
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/master/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/11.2.12/packages/language-service)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* package lock
* downgrade grpc
* downgrade protobuf types
* revert npm packs 🥸
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
* docs: update run and start section texts (#1745)
* update run and start section texts
* adds showcase
Co-authored-by: Maximilian Panne <maximilian.panne@gmail.com>
* fix: additional origin list (#1753)
* fix: handle api configs in authz handler (#1755)
* fix(console): add model for api keys, fix toast, binding (#1757)
* fix: add model for api keys, fix toast, binding
* show api clientid
* fix: missing patchvalue (#1758)
* feat: refresh token (#1728)
* begin refresh tokens
* refresh tokens
* list and revoke refresh tokens
* handle remove
* tests for refresh tokens
* uniqueness and default expiration
* rename oidc token methods
* cleanup
* migration version
* Update internal/static/i18n/en.yaml
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
* fixes
* feat: update oidc pkg for refresh tokens
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
* fix: correct json name of clientId in key.json (#1760)
* fix: migration version (#1767)
* start subscription
* eventtypes
* fix(login): links (#1778)
* fix(login): href for help
* fix(login): correct link to tos
* fix: access tokens for service users and refresh token infos (#1779)
* fix: access token for service user
* handle info from refresh request
* uniqueness
* postpone access token uniqueness change
* chore(coc): recommend code of conduct (#1782)
* subscribe for events
* feat(console): refresh toggle out of granttype context (#1785)
* refresh toggle
* disable if not code flow, lint
* lint
* fix: change oidc config order
* accept refresh option within flow
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
* fix: refresh token activation (#1795)
* fix: oidc grant type check
* docs: add offline_access scope
* docs: update refresh token status in supported grant types
* fix: update oidc pkg
* fix: check refresh token grant type (#1796)
* configuration structs
* org admins
* failed events
* fixes
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: mffap <mpa@caos.ch>
Co-authored-by: Maximilian Panne <maximilian.panne@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
* remove comment
* aggregate reducer
* remove eventtypes
* add protoc-get-validate to mod
* fix transaltion
* upsert
* add gender on org admins,
allow to retry failed stmts after configurable time
* remove if
* sub queries
* fix: tests
* add builder to tests
* new search query
* rename searchquerybuilder to builder
* remove comment from code
* test with multiple queries
* add filters test
* current sequences
* make org and org_admins work again
* add aggregate type to current sequence
* fix(contibute): listing
* add validate module
* fix: search queries
* feat(eventstore): previous aggregate root sequence (#1810)
* feat(eventstore): previous aggregate root sequence
* fix tests
* fix: eventstore v1 test
* add col to all mocked rows
* next try
* fix mig
* rename aggregate root to aggregate type
* update comment
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
* small refactorings
* allow update multiple current sequences
* unique log id
* fix migrations
* rename org admin to org owner
* improve error handling and logging
* fix(migration): optimize prev agg root seq
* fix: projection handler test
* fix: sub queries
* small fixes
* additional event types
* correct org owner projection
* fix primary key
* feat(eventstore): jobs for projections (#2026)
* fix: template names in login (#1974)
* fix: template names in login
* fix: error.html
* fix: check for features on mgmt only (#1976)
* fix: add sentry in ui, http and projection handlers (#1977)
* fix: add sentry in ui, http and projection handlers
* fix test
* fix(eventstore): sub queries (#1805)
* sub queries
* fix: tests
* add builder to tests
* new search query
* rename searchquerybuilder to builder
* remove comment from code
* test with multiple queries
* add filters test
* fix(contibute): listing
* add validate module
* fix: search queries
* remove unused event type in query
* ignore query if error in marshal
* go mod tidy
* update privacy policy query
* update queries
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
* feat: Extend oidc idp with oauth endpoints (#1980)
* feat: add oauth attributes to oidc idp configuration
* feat: return idpconfig id on create idp
* feat: tests
* feat: descriptions
* feat: docs
* feat: tests
* docs: update to beta 3 (#1984)
* fix: role assertion (#1986)
* fix: enum to display access token role assertion
* improve assertion descriptions
* fix nil pointer
* docs: eventstore (#1982)
* docs: eventstore
* Apply suggestions from code review
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: Florian Forster <florian@caos.ch>
* fix(sentry): trigger sentry release (#1989)
* feat(send sentry release): send sentry release
* fix(moved step and added releasetag): moved step and added releasetag
* fix: set version for sentry release (#1990)
* feat(send sentry release): send sentry release
* fix(moved step and added releasetag): moved step and added releasetag
* fix(corrected var name): corrected var name
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
* fix: log error reason on terminate session (#1973)
* fix: return default language file, if requested lang does not exist for default login texts (#1988)
* fix: return default language file, if requested lang doesnt exists
* feat: read default translation file
* feat: docs
* fix: race condition in auth request unmarshalling (#1993)
* feat: handle ui_locales in login (#1994)
* fix: handle ui_locales in login
* move supportedlanguage func into i18n package
* update oidc pkg
* fix: handle closed channels on unsubscribe (#1995)
* fix: give restore more time (#1997)
* fix: translation file read (#2009)
* feat: translation file read
* feat: readme
* fix: enable idp add button for iam users (#2010)
* fix: filter event_data (#2011)
* feat: Custom message files (#1992)
* feat: add get custom message text to admin api
* feat: read custom message texts from files
* feat: get languages in apis
* feat: get languages in apis
* feat: get languages in apis
* feat: pr feedback
* feat: docs
* feat: merge main
* fix: sms notification (#2013)
* fix: phone verifications
* feat: fix password reset as sms
* fix: phone verification
* fix: grpc status in sentry and validation interceptors (#2012)
* fix: remove oauth endpoints from oidc config proto (#2014)
* try with view
* fix(console): disable sw (#2021)
* fix: disable sw
* angular.json disable sw
* project projections
* fix typos
* customize projections
* customizable projections,
add change date to projects
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: mffap <mpa@caos.ch>
Co-authored-by: Christian Jakob <47860090+thesephirot@users.noreply.github.com>
Co-authored-by: Elio Bischof <eliobischof@gmail.com>
* env file
* typo
* correct users
* correct migration
* fix: merge fail
* fix test
* fix(tests): unordered matcher
* improve currentSequenceMatcher
* correct certs
* correct certs
* add zitadel database on database list
* refctor switch in match
* enable all handlers
* Delete io.env
* cleanup
* add handlers
* rename view to projection
* rename view to projection
* fix type typo
* remove unnecessary logs
* refactor stmts
* simplify interval calculation
* fix tests
* fix unlock test
* fix migration
* migs
* fix(operator): update cockroach and flyway versions (#2138)
* chore(deps): bump k8s.io/apiextensions-apiserver from 0.19.2 to 0.21.3
Bumps [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver) from 0.19.2 to 0.21.3.
- [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases)
- [Commits](https://github.com/kubernetes/apiextensions-apiserver/compare/v0.19.2...v0.21.3)
---
updated-dependencies:
- dependency-name: k8s.io/apiextensions-apiserver
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* chore(deps): bump google.golang.org/api from 0.34.0 to 0.52.0
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.34.0 to 0.52.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/master/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.34.0...v0.52.0)
---
updated-dependencies:
- dependency-name: google.golang.org/api
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* start update dependencies
* update mods and otlp
* fix(build): update to go 1.16
* old version for k8s mods
* update k8s versions
* update orbos
* fix(operator): update cockroach and flyway version
* Update images.go
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Stefan Benz <stefan@caos.ch>
* fix import
* fix typo
* fix(migration): add org projection
* fix(projection): correct table for org events in org owners
* better insert stmt
* fix typo
* fix typo
* set max connection lifetime
* set max conns and conn lifetime in eventstore v1
* configure sql connection settings
* add mig for agg type index
* fix replace tab in yaml
* handler interfaces
* subscription
* first try
* handler
* move sql client initialization
* first part implemented
* removed all occurencies of org by id and search orgs
* fix merge issues
* cleanup code
* fix: queries implements orgviewprovider
* cleanup
* refactor text comparison
* remove unused file
* remove unused code
* log
* remove unused code
* remove unused field
* remove unused file
* refactor
* tests for search query
* remove try
* simplify state change mappers
* projection tests
* query functions
* move reusable objects to separate files
* rename domain column to primar_domain
* fix tests
* add current sequence
* remove log prints
* fix tests
* fix: verifier
* fix test
* rename domain col migrations
* simplify search response
* add custom column constructors
* fix: org projection table const
* fix: full column name
* feat: text query extension
* fix: tests for query
* number query
* add deprection message
* projection
* correct migration
* projection
* projection
* column in a single place (#2416)
* column in a single place
* use projection for columns
* query column with aliases
* rename methods
* remove unused code
* column for current sequences
* correct file name
* global counter column
* fix is org unique
* query
* fix wrong code
* remove unused code
* query
* remove unused code
* remove unused code
* query
* api
* remove unused cod
* remove unused code
* remove unused code
* tests
* tests
* tests
* fix: tests
* migrations
* fixes
* errors
* fix test
* add converter option
* fix(auth-repo): add queries to struct
* error messages
* rename method,
correct log message
* small fixes
* correct version
* correct version
* fix(migration): set pk
* fix test
* cleanup code
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: mffap <mpa@caos.ch>
Co-authored-by: Maximilian Panne <maximilian.panne@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Christian Jakob <47860090+thesephirot@users.noreply.github.com>
Co-authored-by: Elio Bischof <eliobischof@gmail.com>
Co-authored-by: Stefan Benz <stefan@caos.ch>
Co-authored-by: fabi <fabienne.gerschwiler@gmail.com>
2021-10-20 16:28:24 +02:00
|
|
|
|
2022-04-27 01:01:45 +02:00
|
|
|
"github.com/zitadel/logging"
|
2023-07-14 09:49:57 +03:00
|
|
|
"github.com/zitadel/passwap"
|
2021-11-08 08:42:07 +01:00
|
|
|
|
2022-04-27 01:01:45 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/crypto"
|
|
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
2024-09-26 09:14:33 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/notification/senders"
|
2022-04-27 01:01:45 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/repository/user"
|
|
|
|
"github.com/zitadel/zitadel/internal/telemetry/tracing"
|
2023-12-08 16:30:55 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
2021-01-07 16:06:45 +01:00
|
|
|
)
|
|
|
|
|
2024-07-31 14:23:57 +02:00
|
|
|
var (
|
|
|
|
ErrPasswordInvalid = func(err error) error {
|
|
|
|
return zerrors.ThrowInvalidArgument(err, "COMMAND-3M0fs", "Errors.User.Password.Invalid")
|
|
|
|
}
|
|
|
|
ErrPasswordUnchanged = func(err error) error {
|
|
|
|
return zerrors.ThrowPreconditionFailed(err, "COMMAND-Aesh5", "Errors.User.Password.NotChanged")
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
2023-07-14 09:49:57 +03:00
|
|
|
func (c *Commands) SetPassword(ctx context.Context, orgID, userID, password string, oneTime bool) (objectDetails *domain.ObjectDetails, err error) {
|
2021-01-07 16:06:45 +01:00
|
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
|
|
defer func() { span.EndWithError(err) }()
|
2021-03-19 11:12:56 +01:00
|
|
|
if userID == "" {
|
2023-12-08 16:30:55 +02:00
|
|
|
return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-3M0fs", "Errors.IDMissing")
|
2021-03-19 11:12:56 +01:00
|
|
|
}
|
2023-07-14 09:49:57 +03:00
|
|
|
wm, err := c.passwordWriteModel(ctx, userID, orgID)
|
2021-01-07 16:06:45 +01:00
|
|
|
if err != nil {
|
feat: protos refactoring
* start with user
* user first try done in all services
* user, org, idp for discussion
* remove unused stuff
* bla
* dockerbuild
* rename search, get multiple to list...
* add annotation
* update proto dependencies
* update proto dependencies
* change proto imports
* replace all old imports
* fix go out
* remove unused lines
* correct protoc flags
* grpc and openapi flags
* go out source path relative
* -p
* remove dead code
* sourcepath relative
* ls
* is onenapi the problem?
* hobla
* authoption output
* wrong field name
* gopf
* correct option, add correct flags
* small improvments
* SIMPLYFY
* relative path
* gopf bin ich en tubel
* correct path
* default policies in admin
* grpc generation in one file
* remove non ascii
* metadata on manipulations
* correct auth_option import
* fixes
* larry
* idp provider to idp
* fix generate
* admin and auth nearly done
* admin and auth nearly done
* gen
* healthz
* imports
* deleted too much imports
* fix org
* add import
* imports
* import
* naming
* auth_opt
* gopf
* management
* imports
* _TYPE_UNSPECIFIED
* improts
* auth opts
* management policies
* imports
* passwordlessType to MFAType
* auth_opt
* add user grant calls
* add missing messages
* result
* fix option
* improvements
* ids
* fix http
* imports
* fixes
* fields
* body
* add fields
* remove wrong member query
* fix request response
* fixes
* add copy files
* variable versions
* generate all files
* improvements
* add dependencies
* factors
* user session
* oidc information, iam
* remove unused file
* changes
* enums
* dockerfile
* fix build
* remove unused folder
* update readme for build
* move old server impl
* add event type to change
* some changes
* start admin
* remove wrong field
* admin only list calls missing
* fix proto numbers
* surprisingly it compiles
* service ts changes
* admin mgmt
* mgmt
* auth manipulation and gets done, lists missing
* validations and some field changes
* validations
* enum validations
* remove todo
* move proto files to proto/zitadel
* change proto path in dockerfile
* it compiles!
* add validate import
* remove duplicate import
* fix protos
* fix import
* tests
* cleanup
* remove unimplemented methods
* iam member multiple queries
* all auth and admin calls
* add initial password on crate human
* message names
* management user server
* machine done
* fix: todos (#1346)
* fix: pub sub in new eventstore
* fix: todos
* fix: todos
* fix: todos
* fix: todos
* fix: todos
* fix tests
* fix: search method domain
* admin service, user import type typescript
* admin changes
* admin changes
* fix: search method domain
* more user grpc and begin org, fix configs
* fix: return object details
* org grpc
* remove creation date add details
* app
* fix: return object details
* fix: return object details
* mgmt service, project members
* app
* fix: convert policies
* project, members, granted projects, searches
* fix: convert usergrants
* fix: convert usergrants
* auth user detail, user detail, mfa, second factor, auth
* fix: convert usergrants
* mfa, memberships, password, owned proj detail
* fix: convert usergrants
* project grant
* missing details
* changes, userview
* idp table, keys
* org list and user table filter
* unify rest paths (#1381)
* unify rest paths
* post for all searches,
mfa to multi_factor,
secondfactor to second_factor
* remove v1
* fix tests
* rename api client key to app key
* machine keys, age policy
* user list, machine keys, changes
* fix: org states
* add default flag to policy
* second factor to type
* idp id
* app type
* unify ListQuery, ListDetails, ObjectDetails field names
* user grants, apps, memberships
* fix type params
* metadata to detail, linke idps
* api create, membership, app detail, create
* idp, app, policy
* queries, multi -> auth factors and missing fields
* update converters
* provider to user, remove old mgmt refs
* temp remove authfactor dialog, build finish
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com>
2021-03-09 10:30:11 +01:00
|
|
|
return nil, err
|
2021-01-07 16:06:45 +01:00
|
|
|
}
|
2024-05-02 11:50:13 +02:00
|
|
|
return c.setPassword(
|
|
|
|
ctx,
|
|
|
|
wm,
|
|
|
|
password,
|
|
|
|
"", // current api implementations never provide an encoded password
|
|
|
|
"",
|
|
|
|
oneTime,
|
|
|
|
c.setPasswordWithPermission(wm.AggregateID, wm.ResourceOwner),
|
|
|
|
)
|
2021-02-08 11:30:30 +01:00
|
|
|
}
|
|
|
|
|
2024-05-02 11:50:13 +02:00
|
|
|
func (c *Commands) SetPasswordWithVerifyCode(ctx context.Context, orgID, userID, code, password, userAgentID string, changeRequired bool) (objectDetails *domain.ObjectDetails, err error) {
|
2021-02-08 11:30:30 +01:00
|
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
|
2021-03-19 11:12:56 +01:00
|
|
|
if userID == "" {
|
2023-12-08 16:30:55 +02:00
|
|
|
return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-3M9fs", "Errors.IDMissing")
|
2021-03-19 11:12:56 +01:00
|
|
|
}
|
2023-07-14 09:49:57 +03:00
|
|
|
if password == "" {
|
2023-12-08 16:30:55 +02:00
|
|
|
return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-Mf0sd", "Errors.User.Password.Empty")
|
2021-03-19 11:12:56 +01:00
|
|
|
}
|
2023-07-14 09:49:57 +03:00
|
|
|
wm, err := c.passwordWriteModel(ctx, userID, orgID)
|
2021-02-08 11:30:30 +01:00
|
|
|
if err != nil {
|
2023-06-20 17:34:06 +02:00
|
|
|
return nil, err
|
2021-02-08 11:30:30 +01:00
|
|
|
}
|
2024-05-02 11:50:13 +02:00
|
|
|
return c.setPassword(
|
|
|
|
ctx,
|
|
|
|
wm,
|
|
|
|
password,
|
|
|
|
"",
|
|
|
|
userAgentID,
|
|
|
|
changeRequired,
|
2024-09-26 09:14:33 +02:00
|
|
|
c.setPasswordWithVerifyCode(
|
|
|
|
wm.CodeCreationDate,
|
|
|
|
wm.CodeExpiry,
|
|
|
|
wm.Code,
|
|
|
|
wm.GeneratorID,
|
|
|
|
wm.VerificationID,
|
|
|
|
code,
|
|
|
|
),
|
2024-05-02 11:50:13 +02:00
|
|
|
)
|
|
|
|
}
|
2021-02-08 11:30:30 +01:00
|
|
|
|
2024-05-02 11:50:13 +02:00
|
|
|
// ChangePassword change password of existing user
|
|
|
|
func (c *Commands) ChangePassword(ctx context.Context, orgID, userID, oldPassword, newPassword, userAgentID string, changeRequired bool) (objectDetails *domain.ObjectDetails, err error) {
|
|
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
|
|
defer func() { span.EndWithError(err) }()
|
2021-02-08 11:30:30 +01:00
|
|
|
|
2024-05-02 11:50:13 +02:00
|
|
|
if userID == "" {
|
|
|
|
return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-3M0fs", "Errors.IDMissing")
|
|
|
|
}
|
|
|
|
if oldPassword == "" || newPassword == "" {
|
|
|
|
return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-3M0fs", "Errors.User.Password.Empty")
|
|
|
|
}
|
|
|
|
wm, err := c.passwordWriteModel(ctx, userID, orgID)
|
2021-02-08 11:30:30 +01:00
|
|
|
if err != nil {
|
2023-06-20 17:34:06 +02:00
|
|
|
return nil, err
|
2021-02-08 11:30:30 +01:00
|
|
|
}
|
2024-05-02 11:50:13 +02:00
|
|
|
return c.setPassword(
|
|
|
|
ctx,
|
|
|
|
wm,
|
|
|
|
newPassword,
|
|
|
|
"",
|
|
|
|
userAgentID,
|
|
|
|
changeRequired,
|
|
|
|
c.checkCurrentPassword(newPassword, "", oldPassword, wm.EncodedHash),
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
|
|
|
type setPasswordVerification func(ctx context.Context) (newEncodedPassword string, err error)
|
2021-02-08 11:30:30 +01:00
|
|
|
|
2024-05-02 11:50:13 +02:00
|
|
|
// setPasswordWithPermission returns a permission check as [setPasswordVerification] implementation
|
|
|
|
func (c *Commands) setPasswordWithPermission(userID, orgID string) setPasswordVerification {
|
|
|
|
return func(ctx context.Context) (_ string, err error) {
|
2024-12-03 11:14:04 +01:00
|
|
|
return "", c.checkPermissionUpdateUser(ctx, orgID, userID)
|
2024-05-02 11:50:13 +02:00
|
|
|
}
|
2023-07-14 09:49:57 +03:00
|
|
|
}
|
|
|
|
|
2024-05-02 11:50:13 +02:00
|
|
|
// setPasswordWithVerifyCode returns a password code check as [setPasswordVerification] implementation
|
|
|
|
func (c *Commands) setPasswordWithVerifyCode(
|
|
|
|
passwordCodeCreationDate time.Time,
|
|
|
|
passwordCodeExpiry time.Duration,
|
|
|
|
passwordCode *crypto.CryptoValue,
|
2024-09-26 09:14:33 +02:00
|
|
|
passwordCodeProviderID string,
|
|
|
|
passwordCodeVerificationID string,
|
2024-05-02 11:50:13 +02:00
|
|
|
code string,
|
|
|
|
) setPasswordVerification {
|
|
|
|
return func(ctx context.Context) (_ string, err error) {
|
2024-09-26 09:14:33 +02:00
|
|
|
return "", verifyCode(
|
|
|
|
ctx,
|
|
|
|
passwordCodeCreationDate,
|
|
|
|
passwordCodeExpiry,
|
|
|
|
passwordCode,
|
|
|
|
passwordCodeProviderID,
|
|
|
|
passwordCodeVerificationID,
|
|
|
|
code,
|
|
|
|
c.userEncryption,
|
|
|
|
c.phoneCodeVerifier, // password code can only be custom generated by SMS
|
|
|
|
)
|
2023-06-20 17:34:06 +02:00
|
|
|
}
|
2024-05-02 11:50:13 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// checkCurrentPassword returns a password check as [setPasswordVerification] implementation
|
|
|
|
func (c *Commands) checkCurrentPassword(
|
|
|
|
newPassword, newEncodedPassword, currentPassword, currentEncodePassword string,
|
|
|
|
) setPasswordVerification {
|
|
|
|
// in case the new password is already encoded, we only need to verify the current
|
|
|
|
if newEncodedPassword != "" {
|
|
|
|
return func(ctx context.Context) (_ string, err error) {
|
|
|
|
_, spanPasswap := tracing.NewNamedSpan(ctx, "passwap.Verify")
|
|
|
|
_, err = c.userPasswordHasher.Verify(currentEncodePassword, currentPassword)
|
|
|
|
spanPasswap.EndWithError(err)
|
|
|
|
return "", convertPasswapErr(err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// otherwise let's directly verify and return the new generate hash, so we can reuse it in the event
|
|
|
|
return func(ctx context.Context) (string, error) {
|
|
|
|
return c.verifyAndUpdatePassword(ctx, currentEncodePassword, currentPassword, newPassword)
|
2021-02-18 14:48:27 +01:00
|
|
|
}
|
2023-07-14 09:49:57 +03:00
|
|
|
}
|
|
|
|
|
2024-05-02 11:50:13 +02:00
|
|
|
// setPassword directly pushes the intent of [setPasswordCommand] to the eventstore and returns the [domain.ObjectDetails]
|
|
|
|
func (c *Commands) setPassword(
|
|
|
|
ctx context.Context,
|
|
|
|
wm *HumanPasswordWriteModel,
|
|
|
|
password, encodedPassword, userAgentID string,
|
|
|
|
changeRequired bool,
|
|
|
|
verificationCheck setPasswordVerification,
|
|
|
|
) (*domain.ObjectDetails, error) {
|
2023-12-21 10:03:37 +01:00
|
|
|
agg := user.NewAggregate(wm.AggregateID, wm.ResourceOwner)
|
2024-05-02 11:50:13 +02:00
|
|
|
command, err := c.setPasswordCommand(ctx, &agg.Aggregate, wm.UserState, password, encodedPassword, userAgentID, changeRequired, verificationCheck)
|
2023-12-21 10:03:37 +01:00
|
|
|
if err != nil {
|
2023-07-14 09:49:57 +03:00
|
|
|
return nil, err
|
|
|
|
}
|
2023-12-21 10:03:37 +01:00
|
|
|
err = c.pushAppendAndReduce(ctx, wm, command)
|
|
|
|
if err != nil {
|
2023-07-14 09:49:57 +03:00
|
|
|
return nil, err
|
|
|
|
}
|
2023-12-21 10:03:37 +01:00
|
|
|
return writeModelToObjectDetails(&wm.WriteModel), nil
|
2021-01-07 16:06:45 +01:00
|
|
|
}
|
|
|
|
|
2024-05-02 11:50:13 +02:00
|
|
|
// setPasswordCommand creates the command / intent for changing a user's password.
|
|
|
|
// It will check the user's [domain.UserState] to be existing and not initial,
|
|
|
|
// if the caller is allowed to change the password (permission, by code or by providing the current password),
|
|
|
|
// and it will ensure the new password (if provided as plain) corresponds to the password complexity policy.
|
|
|
|
// If not already encoded, the new password will be hashed.
|
|
|
|
func (c *Commands) setPasswordCommand(ctx context.Context, agg *eventstore.Aggregate, userState domain.UserState, password, encodedPassword, userAgentID string, changeRequired bool, verificationCheck setPasswordVerification) (_ eventstore.Command, err error) {
|
|
|
|
if !isUserStateExists(userState) {
|
|
|
|
return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-G8dh3", "Errors.User.Password.NotFound")
|
|
|
|
}
|
|
|
|
if isUserStateInitial(userState) {
|
|
|
|
return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-M9dse", "Errors.User.NotInitialised")
|
|
|
|
}
|
|
|
|
if verificationCheck != nil {
|
|
|
|
newEncodedPassword, err := verificationCheck(ctx)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
// use the new hash from the verification in case there is one (e.g. existing pw check)
|
|
|
|
if newEncodedPassword != "" {
|
|
|
|
encodedPassword = newEncodedPassword
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// If password is provided, let's check if is compliant with the policy.
|
|
|
|
// If only a encodedPassword is passed, we can skip this.
|
|
|
|
if password != "" {
|
|
|
|
if err = c.checkPasswordComplexity(ctx, password, agg.ResourceOwner); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2023-12-21 10:03:37 +01:00
|
|
|
}
|
|
|
|
|
2024-05-02 11:50:13 +02:00
|
|
|
// In case only a plain password was passed, we need to hash it.
|
|
|
|
if encodedPassword == "" {
|
|
|
|
_, span := tracing.NewNamedSpan(ctx, "passwap.Hash")
|
|
|
|
encodedPassword, err = c.userPasswordHasher.Hash(password)
|
2023-12-21 10:03:37 +01:00
|
|
|
span.EndWithError(err)
|
|
|
|
if err = convertPasswapErr(err); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2021-03-19 11:12:56 +01:00
|
|
|
}
|
2024-05-02 11:50:13 +02:00
|
|
|
return user.NewHumanPasswordChangedEvent(ctx, agg, encodedPassword, changeRequired, userAgentID), nil
|
2021-01-07 16:06:45 +01:00
|
|
|
}
|
|
|
|
|
2023-12-21 10:03:37 +01:00
|
|
|
// verifyAndUpdatePassword verify if the old password is correct with the encoded hash and
|
|
|
|
// returns the hash of the new password if so
|
|
|
|
func (c *Commands) verifyAndUpdatePassword(ctx context.Context, encodedHash, oldPassword, newPassword string) (string, error) {
|
|
|
|
if encodedHash == "" {
|
|
|
|
return "", zerrors.ThrowPreconditionFailed(nil, "COMMAND-Fds3s", "Errors.User.Password.NotSet")
|
|
|
|
}
|
|
|
|
|
|
|
|
_, spanPasswap := tracing.NewNamedSpan(ctx, "passwap.Verify")
|
|
|
|
updated, err := c.userPasswordHasher.VerifyAndUpdate(encodedHash, oldPassword, newPassword)
|
|
|
|
spanPasswap.EndWithError(err)
|
|
|
|
return updated, convertPasswapErr(err)
|
|
|
|
}
|
|
|
|
|
2024-05-02 11:50:13 +02:00
|
|
|
// checkPasswordComplexity checks uf the given password can be used to be the password of a user
|
|
|
|
func (c *Commands) checkPasswordComplexity(ctx context.Context, newPassword string, resourceOwner string) (err error) {
|
2021-01-07 16:06:45 +01:00
|
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
|
2023-12-21 10:03:37 +01:00
|
|
|
policy, err := c.getOrgPasswordComplexityPolicy(ctx, resourceOwner)
|
2021-01-07 16:06:45 +01:00
|
|
|
if err != nil {
|
2023-07-14 09:49:57 +03:00
|
|
|
return err
|
2021-01-07 16:06:45 +01:00
|
|
|
}
|
2023-07-14 09:49:57 +03:00
|
|
|
|
|
|
|
if err := policy.Check(newPassword); err != nil {
|
|
|
|
return err
|
2021-01-07 16:06:45 +01:00
|
|
|
}
|
2023-07-14 09:49:57 +03:00
|
|
|
return nil
|
2021-01-07 16:06:45 +01:00
|
|
|
}
|
|
|
|
|
2023-12-21 10:03:37 +01:00
|
|
|
// RequestSetPassword generate and send out new code to change password for a specific user
|
2024-07-17 06:43:07 +02:00
|
|
|
func (c *Commands) RequestSetPassword(ctx context.Context, userID, resourceOwner string, notifyType domain.NotificationType, authRequestID string) (objectDetails *domain.ObjectDetails, err error) {
|
2021-03-19 11:12:56 +01:00
|
|
|
if userID == "" {
|
2023-12-08 16:30:55 +02:00
|
|
|
return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-M00oL", "Errors.User.UserIDMissing")
|
2021-03-19 11:12:56 +01:00
|
|
|
}
|
|
|
|
|
2021-02-24 11:17:39 +01:00
|
|
|
existingHuman, err := c.userWriteModelByID(ctx, userID, resourceOwner)
|
2021-01-07 16:06:45 +01:00
|
|
|
if err != nil {
|
feat: protos refactoring
* start with user
* user first try done in all services
* user, org, idp for discussion
* remove unused stuff
* bla
* dockerbuild
* rename search, get multiple to list...
* add annotation
* update proto dependencies
* update proto dependencies
* change proto imports
* replace all old imports
* fix go out
* remove unused lines
* correct protoc flags
* grpc and openapi flags
* go out source path relative
* -p
* remove dead code
* sourcepath relative
* ls
* is onenapi the problem?
* hobla
* authoption output
* wrong field name
* gopf
* correct option, add correct flags
* small improvments
* SIMPLYFY
* relative path
* gopf bin ich en tubel
* correct path
* default policies in admin
* grpc generation in one file
* remove non ascii
* metadata on manipulations
* correct auth_option import
* fixes
* larry
* idp provider to idp
* fix generate
* admin and auth nearly done
* admin and auth nearly done
* gen
* healthz
* imports
* deleted too much imports
* fix org
* add import
* imports
* import
* naming
* auth_opt
* gopf
* management
* imports
* _TYPE_UNSPECIFIED
* improts
* auth opts
* management policies
* imports
* passwordlessType to MFAType
* auth_opt
* add user grant calls
* add missing messages
* result
* fix option
* improvements
* ids
* fix http
* imports
* fixes
* fields
* body
* add fields
* remove wrong member query
* fix request response
* fixes
* add copy files
* variable versions
* generate all files
* improvements
* add dependencies
* factors
* user session
* oidc information, iam
* remove unused file
* changes
* enums
* dockerfile
* fix build
* remove unused folder
* update readme for build
* move old server impl
* add event type to change
* some changes
* start admin
* remove wrong field
* admin only list calls missing
* fix proto numbers
* surprisingly it compiles
* service ts changes
* admin mgmt
* mgmt
* auth manipulation and gets done, lists missing
* validations and some field changes
* validations
* enum validations
* remove todo
* move proto files to proto/zitadel
* change proto path in dockerfile
* it compiles!
* add validate import
* remove duplicate import
* fix protos
* fix import
* tests
* cleanup
* remove unimplemented methods
* iam member multiple queries
* all auth and admin calls
* add initial password on crate human
* message names
* management user server
* machine done
* fix: todos (#1346)
* fix: pub sub in new eventstore
* fix: todos
* fix: todos
* fix: todos
* fix: todos
* fix: todos
* fix tests
* fix: search method domain
* admin service, user import type typescript
* admin changes
* admin changes
* fix: search method domain
* more user grpc and begin org, fix configs
* fix: return object details
* org grpc
* remove creation date add details
* app
* fix: return object details
* fix: return object details
* mgmt service, project members
* app
* fix: convert policies
* project, members, granted projects, searches
* fix: convert usergrants
* fix: convert usergrants
* auth user detail, user detail, mfa, second factor, auth
* fix: convert usergrants
* mfa, memberships, password, owned proj detail
* fix: convert usergrants
* project grant
* missing details
* changes, userview
* idp table, keys
* org list and user table filter
* unify rest paths (#1381)
* unify rest paths
* post for all searches,
mfa to multi_factor,
secondfactor to second_factor
* remove v1
* fix tests
* rename api client key to app key
* machine keys, age policy
* user list, machine keys, changes
* fix: org states
* add default flag to policy
* second factor to type
* idp id
* app type
* unify ListQuery, ListDetails, ObjectDetails field names
* user grants, apps, memberships
* fix type params
* metadata to detail, linke idps
* api create, membership, app detail, create
* idp, app, policy
* queries, multi -> auth factors and missing fields
* update converters
* provider to user, remove old mgmt refs
* temp remove authfactor dialog, build finish
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com>
2021-03-09 10:30:11 +01:00
|
|
|
return nil, err
|
2021-01-07 16:06:45 +01:00
|
|
|
}
|
2023-12-21 10:03:37 +01:00
|
|
|
if !isUserStateExists(existingHuman.UserState) {
|
2023-12-08 16:30:55 +02:00
|
|
|
return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-Hj9ds", "Errors.User.NotFound")
|
2021-01-07 16:06:45 +01:00
|
|
|
}
|
|
|
|
if existingHuman.UserState == domain.UserStateInitial {
|
2023-12-08 16:30:55 +02:00
|
|
|
return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-2M9sd", "Errors.User.NotInitialised")
|
2021-01-07 16:06:45 +01:00
|
|
|
}
|
|
|
|
userAgg := UserAggregateFromWriteModel(&existingHuman.WriteModel)
|
2024-09-26 09:14:33 +02:00
|
|
|
var passwordCode *EncryptedCode
|
|
|
|
var generatorID string
|
|
|
|
if notifyType == domain.NotificationTypeSms {
|
|
|
|
passwordCode, generatorID, err = c.newPhoneCode(ctx, c.eventstore.Filter, domain.SecretGeneratorTypePasswordResetCode, c.userEncryption, c.defaultSecretGenerators.PasswordVerificationCode) //nolint:staticcheck
|
|
|
|
} else {
|
|
|
|
passwordCode, err = c.newEncryptedCode(ctx, c.eventstore.Filter, domain.SecretGeneratorTypePasswordResetCode, c.userEncryption) //nolint:staticcheck
|
|
|
|
}
|
2021-01-07 16:06:45 +01:00
|
|
|
if err != nil {
|
feat: protos refactoring
* start with user
* user first try done in all services
* user, org, idp for discussion
* remove unused stuff
* bla
* dockerbuild
* rename search, get multiple to list...
* add annotation
* update proto dependencies
* update proto dependencies
* change proto imports
* replace all old imports
* fix go out
* remove unused lines
* correct protoc flags
* grpc and openapi flags
* go out source path relative
* -p
* remove dead code
* sourcepath relative
* ls
* is onenapi the problem?
* hobla
* authoption output
* wrong field name
* gopf
* correct option, add correct flags
* small improvments
* SIMPLYFY
* relative path
* gopf bin ich en tubel
* correct path
* default policies in admin
* grpc generation in one file
* remove non ascii
* metadata on manipulations
* correct auth_option import
* fixes
* larry
* idp provider to idp
* fix generate
* admin and auth nearly done
* admin and auth nearly done
* gen
* healthz
* imports
* deleted too much imports
* fix org
* add import
* imports
* import
* naming
* auth_opt
* gopf
* management
* imports
* _TYPE_UNSPECIFIED
* improts
* auth opts
* management policies
* imports
* passwordlessType to MFAType
* auth_opt
* add user grant calls
* add missing messages
* result
* fix option
* improvements
* ids
* fix http
* imports
* fixes
* fields
* body
* add fields
* remove wrong member query
* fix request response
* fixes
* add copy files
* variable versions
* generate all files
* improvements
* add dependencies
* factors
* user session
* oidc information, iam
* remove unused file
* changes
* enums
* dockerfile
* fix build
* remove unused folder
* update readme for build
* move old server impl
* add event type to change
* some changes
* start admin
* remove wrong field
* admin only list calls missing
* fix proto numbers
* surprisingly it compiles
* service ts changes
* admin mgmt
* mgmt
* auth manipulation and gets done, lists missing
* validations and some field changes
* validations
* enum validations
* remove todo
* move proto files to proto/zitadel
* change proto path in dockerfile
* it compiles!
* add validate import
* remove duplicate import
* fix protos
* fix import
* tests
* cleanup
* remove unimplemented methods
* iam member multiple queries
* all auth and admin calls
* add initial password on crate human
* message names
* management user server
* machine done
* fix: todos (#1346)
* fix: pub sub in new eventstore
* fix: todos
* fix: todos
* fix: todos
* fix: todos
* fix: todos
* fix tests
* fix: search method domain
* admin service, user import type typescript
* admin changes
* admin changes
* fix: search method domain
* more user grpc and begin org, fix configs
* fix: return object details
* org grpc
* remove creation date add details
* app
* fix: return object details
* fix: return object details
* mgmt service, project members
* app
* fix: convert policies
* project, members, granted projects, searches
* fix: convert usergrants
* fix: convert usergrants
* auth user detail, user detail, mfa, second factor, auth
* fix: convert usergrants
* mfa, memberships, password, owned proj detail
* fix: convert usergrants
* project grant
* missing details
* changes, userview
* idp table, keys
* org list and user table filter
* unify rest paths (#1381)
* unify rest paths
* post for all searches,
mfa to multi_factor,
secondfactor to second_factor
* remove v1
* fix tests
* rename api client key to app key
* machine keys, age policy
* user list, machine keys, changes
* fix: org states
* add default flag to policy
* second factor to type
* idp id
* app type
* unify ListQuery, ListDetails, ObjectDetails field names
* user grants, apps, memberships
* fix type params
* metadata to detail, linke idps
* api create, membership, app detail, create
* idp, app, policy
* queries, multi -> auth factors and missing fields
* update converters
* provider to user, remove old mgmt refs
* temp remove authfactor dialog, build finish
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com>
2021-03-09 10:30:11 +01:00
|
|
|
return nil, err
|
2021-01-07 16:06:45 +01:00
|
|
|
}
|
2024-09-26 09:14:33 +02:00
|
|
|
pushedEvents, err := c.eventstore.Push(ctx, user.NewHumanPasswordCodeAddedEvent(ctx, userAgg, passwordCode.CryptedCode(), passwordCode.CodeExpiry(), notifyType, authRequestID, generatorID))
|
feat: protos refactoring
* start with user
* user first try done in all services
* user, org, idp for discussion
* remove unused stuff
* bla
* dockerbuild
* rename search, get multiple to list...
* add annotation
* update proto dependencies
* update proto dependencies
* change proto imports
* replace all old imports
* fix go out
* remove unused lines
* correct protoc flags
* grpc and openapi flags
* go out source path relative
* -p
* remove dead code
* sourcepath relative
* ls
* is onenapi the problem?
* hobla
* authoption output
* wrong field name
* gopf
* correct option, add correct flags
* small improvments
* SIMPLYFY
* relative path
* gopf bin ich en tubel
* correct path
* default policies in admin
* grpc generation in one file
* remove non ascii
* metadata on manipulations
* correct auth_option import
* fixes
* larry
* idp provider to idp
* fix generate
* admin and auth nearly done
* admin and auth nearly done
* gen
* healthz
* imports
* deleted too much imports
* fix org
* add import
* imports
* import
* naming
* auth_opt
* gopf
* management
* imports
* _TYPE_UNSPECIFIED
* improts
* auth opts
* management policies
* imports
* passwordlessType to MFAType
* auth_opt
* add user grant calls
* add missing messages
* result
* fix option
* improvements
* ids
* fix http
* imports
* fixes
* fields
* body
* add fields
* remove wrong member query
* fix request response
* fixes
* add copy files
* variable versions
* generate all files
* improvements
* add dependencies
* factors
* user session
* oidc information, iam
* remove unused file
* changes
* enums
* dockerfile
* fix build
* remove unused folder
* update readme for build
* move old server impl
* add event type to change
* some changes
* start admin
* remove wrong field
* admin only list calls missing
* fix proto numbers
* surprisingly it compiles
* service ts changes
* admin mgmt
* mgmt
* auth manipulation and gets done, lists missing
* validations and some field changes
* validations
* enum validations
* remove todo
* move proto files to proto/zitadel
* change proto path in dockerfile
* it compiles!
* add validate import
* remove duplicate import
* fix protos
* fix import
* tests
* cleanup
* remove unimplemented methods
* iam member multiple queries
* all auth and admin calls
* add initial password on crate human
* message names
* management user server
* machine done
* fix: todos (#1346)
* fix: pub sub in new eventstore
* fix: todos
* fix: todos
* fix: todos
* fix: todos
* fix: todos
* fix tests
* fix: search method domain
* admin service, user import type typescript
* admin changes
* admin changes
* fix: search method domain
* more user grpc and begin org, fix configs
* fix: return object details
* org grpc
* remove creation date add details
* app
* fix: return object details
* fix: return object details
* mgmt service, project members
* app
* fix: convert policies
* project, members, granted projects, searches
* fix: convert usergrants
* fix: convert usergrants
* auth user detail, user detail, mfa, second factor, auth
* fix: convert usergrants
* mfa, memberships, password, owned proj detail
* fix: convert usergrants
* project grant
* missing details
* changes, userview
* idp table, keys
* org list and user table filter
* unify rest paths (#1381)
* unify rest paths
* post for all searches,
mfa to multi_factor,
secondfactor to second_factor
* remove v1
* fix tests
* rename api client key to app key
* machine keys, age policy
* user list, machine keys, changes
* fix: org states
* add default flag to policy
* second factor to type
* idp id
* app type
* unify ListQuery, ListDetails, ObjectDetails field names
* user grants, apps, memberships
* fix type params
* metadata to detail, linke idps
* api create, membership, app detail, create
* idp, app, policy
* queries, multi -> auth factors and missing fields
* update converters
* provider to user, remove old mgmt refs
* temp remove authfactor dialog, build finish
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com>
2021-03-09 10:30:11 +01:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
err = AppendAndReduce(existingHuman, pushedEvents...)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return writeModelToObjectDetails(&existingHuman.WriteModel), nil
|
2021-01-07 16:06:45 +01:00
|
|
|
}
|
|
|
|
|
2023-12-21 10:03:37 +01:00
|
|
|
// PasswordCodeSent notification send with code to change password
|
2024-09-26 09:14:33 +02:00
|
|
|
func (c *Commands) PasswordCodeSent(ctx context.Context, orgID, userID string, generatorInfo *senders.CodeGeneratorInfo) (err error) {
|
2021-03-19 11:12:56 +01:00
|
|
|
if userID == "" {
|
2023-12-08 16:30:55 +02:00
|
|
|
return zerrors.ThrowInvalidArgument(nil, "COMMAND-meEfe", "Errors.User.UserIDMissing")
|
2021-03-19 11:12:56 +01:00
|
|
|
}
|
|
|
|
|
2021-02-24 11:17:39 +01:00
|
|
|
existingPassword, err := c.passwordWriteModel(ctx, userID, orgID)
|
2021-02-08 11:30:30 +01:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if existingPassword.UserState == domain.UserStateUnspecified || existingPassword.UserState == domain.UserStateDeleted {
|
2023-12-08 16:30:55 +02:00
|
|
|
return zerrors.ThrowPreconditionFailed(nil, "COMMAND-3n77z", "Errors.User.NotFound")
|
2021-02-08 11:30:30 +01:00
|
|
|
}
|
|
|
|
userAgg := UserAggregateFromWriteModel(&existingPassword.WriteModel)
|
2024-09-26 09:14:33 +02:00
|
|
|
_, err = c.eventstore.Push(ctx, user.NewHumanPasswordCodeSentEvent(ctx, userAgg, generatorInfo))
|
2021-02-18 14:48:27 +01:00
|
|
|
return err
|
2021-02-08 11:30:30 +01:00
|
|
|
}
|
|
|
|
|
2024-02-26 14:11:09 +01:00
|
|
|
// PasswordChangeSent notification sent that user changed password
|
2023-01-25 09:49:41 +01:00
|
|
|
func (c *Commands) PasswordChangeSent(ctx context.Context, orgID, userID string) (err error) {
|
|
|
|
if userID == "" {
|
2023-12-08 16:30:55 +02:00
|
|
|
return zerrors.ThrowInvalidArgument(nil, "COMMAND-pqlm2n", "Errors.User.UserIDMissing")
|
2023-01-25 09:49:41 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
existingPassword, err := c.passwordWriteModel(ctx, userID, orgID)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if existingPassword.UserState == domain.UserStateUnspecified || existingPassword.UserState == domain.UserStateDeleted {
|
2023-12-08 16:30:55 +02:00
|
|
|
return zerrors.ThrowPreconditionFailed(nil, "COMMAND-x902b2v", "Errors.User.NotFound")
|
2023-01-25 09:49:41 +01:00
|
|
|
}
|
|
|
|
userAgg := UserAggregateFromWriteModel(&existingPassword.WriteModel)
|
|
|
|
_, err = c.eventstore.Push(ctx, user.NewHumanPasswordChangeSentEvent(ctx, userAgg))
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2024-05-31 00:08:48 +02:00
|
|
|
// HumanCheckPassword check password for user with additional information from authRequest
|
|
|
|
func (c *Commands) HumanCheckPassword(ctx context.Context, orgID, userID, password string, authRequest *domain.AuthRequest) (err error) {
|
2021-02-08 11:30:30 +01:00
|
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
|
2021-03-19 11:12:56 +01:00
|
|
|
if userID == "" {
|
2023-12-08 16:30:55 +02:00
|
|
|
return zerrors.ThrowInvalidArgument(nil, "COMMAND-4Mfsf", "Errors.User.UserIDMissing")
|
2021-03-19 11:12:56 +01:00
|
|
|
}
|
2021-02-08 11:30:30 +01:00
|
|
|
if password == "" {
|
2023-12-08 16:30:55 +02:00
|
|
|
return zerrors.ThrowInvalidArgument(nil, "COMMAND-3n8fs", "Errors.User.Password.Empty")
|
2021-02-08 11:30:30 +01:00
|
|
|
}
|
|
|
|
|
2021-11-08 08:42:07 +01:00
|
|
|
loginPolicy, err := c.getOrgLoginPolicy(ctx, orgID)
|
|
|
|
if err != nil {
|
2023-12-08 16:30:55 +02:00
|
|
|
return zerrors.ThrowPreconditionFailed(err, "COMMAND-Edf3g", "Errors.Org.LoginPolicy.NotFound")
|
2021-11-08 08:42:07 +01:00
|
|
|
}
|
|
|
|
if !loginPolicy.AllowUsernamePassword {
|
2023-12-08 16:30:55 +02:00
|
|
|
return zerrors.ThrowPreconditionFailed(err, "COMMAND-Dft32", "Errors.Org.LoginPolicy.UsernamePasswordNotAllowed")
|
2021-11-08 08:42:07 +01:00
|
|
|
}
|
2024-05-31 00:08:48 +02:00
|
|
|
commands, err := checkPassword(ctx, userID, password, c.eventstore, c.userPasswordHasher, authRequestDomainToAuthRequestInfo(authRequest))
|
|
|
|
if len(commands) == 0 {
|
2021-02-08 11:30:30 +01:00
|
|
|
return err
|
|
|
|
}
|
2024-05-31 00:08:48 +02:00
|
|
|
_, pushErr := c.eventstore.Push(ctx, commands...)
|
|
|
|
logging.OnError(pushErr).Error("error create password check failed event")
|
|
|
|
return err
|
|
|
|
}
|
2023-12-21 10:03:37 +01:00
|
|
|
|
2024-05-31 00:08:48 +02:00
|
|
|
func checkPassword(ctx context.Context, userID, password string, es *eventstore.Eventstore, hasher *crypto.Hasher, optionalAuthRequestInfo *user.AuthRequestInfo) ([]eventstore.Command, error) {
|
|
|
|
if userID == "" {
|
|
|
|
return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-Sfw3f", "Errors.User.UserIDMissing")
|
|
|
|
}
|
|
|
|
wm := NewHumanPasswordWriteModel(userID, "")
|
|
|
|
err := es.FilterToQueryReducer(ctx, wm)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if !wm.UserState.Exists() {
|
|
|
|
return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-3n77z", "Errors.User.NotFound")
|
2021-02-08 11:30:30 +01:00
|
|
|
}
|
2023-11-08 15:19:13 +02:00
|
|
|
if wm.UserState == domain.UserStateLocked {
|
2024-05-31 00:08:48 +02:00
|
|
|
return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-JLK35", "Errors.User.Locked")
|
2023-11-08 15:19:13 +02:00
|
|
|
}
|
2023-07-14 09:49:57 +03:00
|
|
|
if wm.EncodedHash == "" {
|
2024-05-31 00:08:48 +02:00
|
|
|
return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-3nJ4t", "Errors.User.Password.NotSet")
|
2021-02-08 11:30:30 +01:00
|
|
|
}
|
|
|
|
|
2023-07-14 09:49:57 +03:00
|
|
|
userAgg := UserAggregateFromWriteModel(&wm.WriteModel)
|
|
|
|
ctx, spanPasswordComparison := tracing.NewNamedSpan(ctx, "passwap.Verify")
|
2024-05-31 00:08:48 +02:00
|
|
|
updated, err := hasher.Verify(wm.EncodedHash, password)
|
2021-02-08 11:30:30 +01:00
|
|
|
spanPasswordComparison.EndWithError(err)
|
2023-07-14 09:49:57 +03:00
|
|
|
err = convertPasswapErr(err)
|
|
|
|
commands := make([]eventstore.Command, 0, 2)
|
2023-11-08 15:19:13 +02:00
|
|
|
|
|
|
|
// recheck for additional events (failed password checks or locks)
|
2024-05-31 00:08:48 +02:00
|
|
|
recheckErr := es.FilterToQueryReducer(ctx, wm)
|
2023-11-08 15:19:13 +02:00
|
|
|
if recheckErr != nil {
|
2024-05-31 00:08:48 +02:00
|
|
|
return nil, recheckErr
|
2023-11-08 15:19:13 +02:00
|
|
|
}
|
|
|
|
if wm.UserState == domain.UserStateLocked {
|
2024-05-31 00:08:48 +02:00
|
|
|
return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-SFA3t", "Errors.User.Locked")
|
2023-11-08 15:19:13 +02:00
|
|
|
}
|
|
|
|
|
2021-02-08 11:30:30 +01:00
|
|
|
if err == nil {
|
2024-05-31 00:08:48 +02:00
|
|
|
commands = append(commands, user.NewHumanPasswordCheckSucceededEvent(ctx, userAgg, optionalAuthRequestInfo))
|
2023-07-14 09:49:57 +03:00
|
|
|
if updated != "" {
|
|
|
|
commands = append(commands, user.NewHumanPasswordHashUpdatedEvent(ctx, userAgg, updated))
|
|
|
|
}
|
2024-05-31 00:08:48 +02:00
|
|
|
return commands, nil
|
2021-02-08 11:30:30 +01:00
|
|
|
}
|
2023-07-14 09:49:57 +03:00
|
|
|
|
2024-05-31 00:08:48 +02:00
|
|
|
commands = append(commands, user.NewHumanPasswordCheckFailedEvent(ctx, userAgg, optionalAuthRequestInfo))
|
|
|
|
|
|
|
|
lockoutPolicy, lockoutErr := getLockoutPolicy(ctx, wm.ResourceOwner, es.FilterToQueryReducer)
|
|
|
|
logging.OnError(lockoutErr).Error("unable to get lockout policy")
|
|
|
|
if lockoutPolicy != nil && lockoutPolicy.MaxPasswordAttempts > 0 && wm.PasswordCheckFailedCount+1 >= lockoutPolicy.MaxPasswordAttempts {
|
|
|
|
commands = append(commands, user.NewUserLockedEvent(ctx, userAgg))
|
2021-08-11 08:36:32 +02:00
|
|
|
}
|
2024-05-31 00:08:48 +02:00
|
|
|
return commands, err
|
2021-02-08 11:30:30 +01:00
|
|
|
}
|
|
|
|
|
2021-02-24 11:17:39 +01:00
|
|
|
func (c *Commands) passwordWriteModel(ctx context.Context, userID, resourceOwner string) (writeModel *HumanPasswordWriteModel, err error) {
|
2021-01-07 16:06:45 +01:00
|
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
|
2021-01-12 12:59:51 +01:00
|
|
|
writeModel = NewHumanPasswordWriteModel(userID, resourceOwner)
|
2021-02-24 11:17:39 +01:00
|
|
|
err = c.eventstore.FilterToQueryReducer(ctx, writeModel)
|
2021-01-07 16:06:45 +01:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return writeModel, nil
|
|
|
|
}
|
2023-07-14 09:49:57 +03:00
|
|
|
|
|
|
|
func convertPasswapErr(err error) error {
|
|
|
|
if err == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
if errors.Is(err, passwap.ErrPasswordMismatch) {
|
2024-07-31 14:23:57 +02:00
|
|
|
return ErrPasswordInvalid(err)
|
2023-07-14 09:49:57 +03:00
|
|
|
}
|
|
|
|
if errors.Is(err, passwap.ErrPasswordNoChange) {
|
2024-07-31 14:23:57 +02:00
|
|
|
return ErrPasswordUnchanged(err)
|
2023-07-14 09:49:57 +03:00
|
|
|
}
|
2023-12-08 16:30:55 +02:00
|
|
|
return zerrors.ThrowInternal(err, "COMMAND-CahN2", "Errors.Internal")
|
2023-07-14 09:49:57 +03:00
|
|
|
}
|