zitadel/internal/domain/policy_login.go

package domain

import (
	"net/url"
	"time"

	"github.com/zitadel/logging"

	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
)

type LoginPolicy struct {
	models.ObjectRoot

	Default                    bool
	AllowUsernamePassword      bool
	AllowRegister              bool
	AllowExternalIDP           bool
	IDPProviders               []*IDPProvider
	ForceMFA                   bool
	SecondFactors              []SecondFactorType
	MultiFactors               []MultiFactorType
	PasswordlessType           PasswordlessType
	HidePasswordReset          bool
	IgnoreUnknownUsernames     bool
	AllowDomainDiscovery       bool
	DefaultRedirectURI         string
	PasswordCheckLifetime      time.Duration
	ExternalLoginCheckLifetime time.Duration
	MFAInitSkipLifetime        time.Duration
	SecondFactorCheckLifetime  time.Duration
	MultiFactorCheckLifetime   time.Duration
	DisableLoginWithEmail      bool
	DisableLoginWithPhone      bool
}

func ValidateDefaultRedirectURI(rawURL string) bool {
	if rawURL == "" {
		return true
	}
	parsedURL, err := url.Parse(rawURL)
	if err != nil {
		return false
	}
	switch parsedURL.Scheme {
	case "":
		return false
	case "http", "https":
		return parsedURL.Host != ""
	default:
		return true
	}
}

type IDPProvider struct {
	models.ObjectRoot
	Type        IdentityProviderType
	IDPConfigID string

	Name        string
	StylingType IDPConfigStylingType // deprecated
	IDPType     IDPType
	IDPState    IDPConfigState
}

func (p IDPProvider) IsValid() bool {
	return p.IDPConfigID != ""
}

// DisplayName returns the name or a default
// to be used when always a name must be displayed (e.g. login)
func (p IDPProvider) DisplayName() string {
	if p.Name != "" {
		return p.Name
	}
	switch p.IDPType {
	case IDPTypeGitHub:
		return "GitHub"
	case IDPTypeGitLab:
		return "GitLab"
	case IDPTypeGoogle:
		return "Google"
	case IDPTypeUnspecified,
		IDPTypeOIDC,
		IDPTypeJWT,
		IDPTypeOAuth,
		IDPTypeLDAP,
		IDPTypeAzureAD,
		IDPTypeGitHubEnterprise,
		IDPTypeGitLabSelfHosted:
		fallthrough
	default:
		// we should never get here, so log it
		logging.Errorf("name of provider (type %d) is empty - id: %s", p.IDPType, p.IDPConfigID)
		return ""
	}
}

type PasswordlessType int32

const (
	PasswordlessTypeNotAllowed PasswordlessType = iota
	PasswordlessTypeAllowed

	passwordlessCount
)

func (f PasswordlessType) Valid() bool {
	return f >= 0 && f < passwordlessCount
}

func (p *LoginPolicy) HasSecondFactors() bool {
	return len(p.SecondFactors) > 0
}

func (p *LoginPolicy) HasMultiFactors() bool {
	return len(p.MultiFactors) > 0
}
new pkg structure (#1150) * fix: split command query side * fix: split command query side * fix: members in correct pkg structure * fix: label policy in correct pkg structure * fix: structure * fix: structure of login policy * fix: identityprovider structure * fix: org iam policy structure * fix: password age policy structure * fix: password complexity policy structure * fix: password lockout policy structure * fix: idp structure * fix: user events structure * fix: user write model * fix: profile email changed command * fix: address changed command * fix: user states * fix: user * fix: org structure and add human * begin iam setup command side * setup * step2 * step2 * fix: add user * step2 * isvalid * fix: folder structure v2 business Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com> 2021-01-04 14:52:13 +01:00			`package domain`

feat: Login verification lifetimes (#3190) * feat: add login check lifetimes to login policy * feat: org features test * feat: read lifetimes from loginpolicy 2022-02-21 16:05:02 +01:00			`import (`
feat: add default redirect uri and handling of unknown usernames (#3616) * feat: add possibility to ignore username errors on first login screen * console changes * fix: handling of unknown usernames (#3445) * fix: handling of unknown usernames * fix: handle HideLoginNameSuffix on unknown users * feat: add default redirect uri on login policy (#3607) * feat: add default redirect uri on login policy * fix tests * feat: Console login policy default redirect (#3613) * console default redirect * placeholder * validate default redirect uri * allow empty default redirect uri Co-authored-by: Max Peintner <max@caos.ch> * remove wonrgly cherry picked migration Co-authored-by: Max Peintner <max@caos.ch> 2022-05-16 15:39:09 +02:00			`"net/url"`
feat: Login verification lifetimes (#3190) * feat: add login check lifetimes to login policy * feat: org features test * feat: read lifetimes from loginpolicy 2022-02-21 16:05:02 +01:00			`"time"`

feat: add gitlab provider templates (#5405) * feat(api): add google provider template * refactor reduce functions * handle removed event * linting * fix projection * feat(api): add generic oauth provider template * feat(api): add github provider templates * feat(api): add github provider templates * fixes * proto comment * fix filtering * requested changes * feat(api): add generic oauth provider template * remove wrongly committed message * increase budget for angular build * fix linting * fixes * fix merge * fix merge * fix projection * fix merge * updates from previous PRs * enable github providers in login * fix merge * fix test and add github styling in login * cleanup * feat(api): add gitlab provider templates * fix: merge * fix display of providers in login * implement gitlab in login and make prompt `select_account` optional since gitlab can't handle it * fix merge * fix merge and add tests for command side * requested changes * requested changes * Update internal/query/idp_template.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix merge * requested changes --------- Co-authored-by: Silvan <silvan.reusser@gmail.com> 2023-03-13 17:34:29 +01:00			`"github.com/zitadel/logging"`

chore(v2): move to new org (#3499) * chore: move to new org * logging * fix: org rename caos -> zitadel Co-authored-by: adlerhurst <silvan.reusser@gmail.com> 2022-04-27 01:01:45 +02:00			`"github.com/zitadel/zitadel/internal/eventstore/v1/models"`
feat: Login verification lifetimes (#3190) * feat: add login check lifetimes to login policy * feat: org features test * feat: read lifetimes from loginpolicy 2022-02-21 16:05:02 +01:00			`)`
fix: use domain models for v2 eventstore (#1151) * fix: use domain models for v2 eventstore * fix: user domain model * Update internal/api/grpc/admin/login_policy_converter.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: converter Co-authored-by: Livio Amstutz <livio.a@gmail.com> 2021-01-05 09:33:45 +01:00
			`type LoginPolicy struct {`
			`models.ObjectRoot`

feat: Login verification lifetimes (#3190) * feat: add login check lifetimes to login policy * feat: org features test * feat: read lifetimes from loginpolicy 2022-02-21 16:05:02 +01:00			`Default bool`
			`AllowUsernamePassword bool`
			`AllowRegister bool`
			`AllowExternalIDP bool`
			`IDPProviders []*IDPProvider`
			`ForceMFA bool`
			`SecondFactors []SecondFactorType`
			`MultiFactors []MultiFactorType`
			`PasswordlessType PasswordlessType`
			`HidePasswordReset bool`
feat: add default redirect uri and handling of unknown usernames (#3616) * feat: add possibility to ignore username errors on first login screen * console changes * fix: handling of unknown usernames (#3445) * fix: handling of unknown usernames * fix: handle HideLoginNameSuffix on unknown users * feat: add default redirect uri on login policy (#3607) * feat: add default redirect uri on login policy * fix tests * feat: Console login policy default redirect (#3613) * console default redirect * placeholder * validate default redirect uri * allow empty default redirect uri Co-authored-by: Max Peintner <max@caos.ch> * remove wonrgly cherry picked migration Co-authored-by: Max Peintner <max@caos.ch> 2022-05-16 15:39:09 +02:00			`IgnoreUnknownUsernames bool`
feat: allow domain discovery for unknown usernames (#4484) * fix: wait for projection initialization to be done * feat: allow domain discovery for unknown usernames * fix linting * Update console/src/assets/i18n/de.json Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * Update console/src/assets/i18n/en.json Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * Update console/src/assets/i18n/it.json Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * Update console/src/assets/i18n/fr.json Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * fix zh i18n text * fix projection table name Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> 2022-10-06 13:30:14 +02:00			`AllowDomainDiscovery bool`
feat: add default redirect uri and handling of unknown usernames (#3616) * feat: add possibility to ignore username errors on first login screen * console changes * fix: handling of unknown usernames (#3445) * fix: handling of unknown usernames * fix: handle HideLoginNameSuffix on unknown users * feat: add default redirect uri on login policy (#3607) * feat: add default redirect uri on login policy * fix tests * feat: Console login policy default redirect (#3613) * console default redirect * placeholder * validate default redirect uri * allow empty default redirect uri Co-authored-by: Max Peintner <max@caos.ch> * remove wonrgly cherry picked migration Co-authored-by: Max Peintner <max@caos.ch> 2022-05-16 15:39:09 +02:00			`DefaultRedirectURI string`
feat: Login verification lifetimes (#3190) * feat: add login check lifetimes to login policy * feat: org features test * feat: read lifetimes from loginpolicy 2022-02-21 16:05:02 +01:00			`PasswordCheckLifetime time.Duration`
			`ExternalLoginCheckLifetime time.Duration`
			`MFAInitSkipLifetime time.Duration`
			`SecondFactorCheckLifetime time.Duration`
			`MultiFactorCheckLifetime time.Duration`
feat(login): additionally use email/phone for authentication (#4563) * feat: add ability to disable login by email and phone * feat: check login by email and phone * fix: set verified email / phone correctly on notify users * update projection version * fix merge * fix email/phone verified reduce tests * fix user tests * loginname check * cleanup * fix: update user projection version to handle fixed statement 2022-10-17 21:19:15 +02:00			`DisableLoginWithEmail bool`
			`DisableLoginWithPhone bool`
fix: use domain models for v2 eventstore (#1151) * fix: use domain models for v2 eventstore * fix: user domain model * Update internal/api/grpc/admin/login_policy_converter.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: converter Co-authored-by: Livio Amstutz <livio.a@gmail.com> 2021-01-05 09:33:45 +01:00			`}`

feat: add default redirect uri and handling of unknown usernames (#3616) * feat: add possibility to ignore username errors on first login screen * console changes * fix: handling of unknown usernames (#3445) * fix: handling of unknown usernames * fix: handle HideLoginNameSuffix on unknown users * feat: add default redirect uri on login policy (#3607) * feat: add default redirect uri on login policy * fix tests * feat: Console login policy default redirect (#3613) * console default redirect * placeholder * validate default redirect uri * allow empty default redirect uri Co-authored-by: Max Peintner <max@caos.ch> * remove wonrgly cherry picked migration Co-authored-by: Max Peintner <max@caos.ch> 2022-05-16 15:39:09 +02:00			`func ValidateDefaultRedirectURI(rawURL string) bool {`
			`if rawURL == "" {`
			`return true`
			`}`
			`parsedURL, err := url.Parse(rawURL)`
			`if err != nil {`
			`return false`
			`}`
			`switch parsedURL.Scheme {`
			`case "":`
			`return false`
			`case "http", "https":`
			`return parsedURL.Host != ""`
			`default:`
			`return true`
			`}`
			`}`

fix: use domain models for v2 eventstore (#1151) * fix: use domain models for v2 eventstore * fix: user domain model * Update internal/api/grpc/admin/login_policy_converter.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: converter Co-authored-by: Livio Amstutz <livio.a@gmail.com> 2021-01-05 09:33:45 +01:00			`type IDPProvider struct {`
			`models.ObjectRoot`
			`Type IdentityProviderType`
			`IDPConfigID string`
feat: User login commands (#1228) * feat: change login to command side * feat: change login to command side * fix: fix push on user * feat: user command side * feat: sign out * feat: command side login * feat: command side login * feat: fix register user * feat: fix register user * feat: fix web auth n events * feat: add machine keys * feat: send codes * feat: move authrequest to domain * feat: move authrequest to domain * feat: webauthn working * feat: external users * feat: external users login * feat: notify users * fix: tests * feat: cascade remove user grants on project remove * fix: webauthn * fix: pr requests * fix: register human with member * fix: fix bugs * fix: fix bugs 2021-02-08 11:30:30 +01:00
feat(login): use new IDP templates (#5315) The login uses the new template based IDPs with backwards compatibility for old IDPs 2023-02-28 21:20:58 +01:00			`Name string`
			`StylingType IDPConfigStylingType // deprecated`
			`IDPType IDPType`
			`IDPState IDPConfigState`
fix: use domain models for v2 eventstore (#1151) * fix: use domain models for v2 eventstore * fix: user domain model * Update internal/api/grpc/admin/login_policy_converter.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: converter Co-authored-by: Livio Amstutz <livio.a@gmail.com> 2021-01-05 09:33:45 +01:00			`}`

feat: new es testing2 (#1428) * fix: org tests * fix: org tests * fix: user grant test * fix: user grant test * fix: project and project role test * fix: project grant test * fix: project grant test * fix: project member, grant member, app changed tests * fix: application tests * fix: application tests * fix: add oidc app test * fix: add oidc app test * fix: add api keys test * fix: iam policies * fix: iam and org member tests * fix: idp config tests * fix: iam tests * fix: user tests * fix: user tests * fix: user tests * fix: user tests * fix: user tests * fix: user tests * fix: user tests * fix: user tests * fix: user tests * fix: user tests * fix: org domain test * fix: org tests * fix: org tests * fix: implement org idps * fix: pr requests * fix: email tests * fix: fix idp check * fix: fix user profile 2021-03-19 11:12:56 +01:00			`func (p IDPProvider) IsValid() bool {`
			`return p.IDPConfigID != ""`
			`}`

feat: add gitlab provider templates (#5405) * feat(api): add google provider template * refactor reduce functions * handle removed event * linting * fix projection * feat(api): add generic oauth provider template * feat(api): add github provider templates * feat(api): add github provider templates * fixes * proto comment * fix filtering * requested changes * feat(api): add generic oauth provider template * remove wrongly committed message * increase budget for angular build * fix linting * fixes * fix merge * fix merge * fix projection * fix merge * updates from previous PRs * enable github providers in login * fix merge * fix test and add github styling in login * cleanup * feat(api): add gitlab provider templates * fix: merge * fix display of providers in login * implement gitlab in login and make prompt `select_account` optional since gitlab can't handle it * fix merge * fix merge and add tests for command side * requested changes * requested changes * Update internal/query/idp_template.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix merge * requested changes --------- Co-authored-by: Silvan <silvan.reusser@gmail.com> 2023-03-13 17:34:29 +01:00			`// DisplayName returns the name or a default`
			`// to be used when always a name must be displayed (e.g. login)`
			`func (p IDPProvider) DisplayName() string {`
			`if p.Name != "" {`
			`return p.Name`
			`}`
			`switch p.IDPType {`
			`case IDPTypeGitHub:`
			`return "GitHub"`
			`case IDPTypeGitLab:`
			`return "GitLab"`
			`case IDPTypeGoogle:`
			`return "Google"`
			`case IDPTypeUnspecified,`
			`IDPTypeOIDC,`
			`IDPTypeJWT,`
			`IDPTypeOAuth,`
			`IDPTypeLDAP,`
			`IDPTypeAzureAD,`
			`IDPTypeGitHubEnterprise,`
			`IDPTypeGitLabSelfHosted:`
			`fallthrough`
			`default:`
			`// we should never get here, so log it`
			`logging.Errorf("name of provider (type %d) is empty - id: %s", p.IDPType, p.IDPConfigID)`
			`return ""`
			`}`
			`}`

new pkg structure (#1150) * fix: split command query side * fix: split command query side * fix: members in correct pkg structure * fix: label policy in correct pkg structure * fix: structure * fix: structure of login policy * fix: identityprovider structure * fix: org iam policy structure * fix: password age policy structure * fix: password complexity policy structure * fix: password lockout policy structure * fix: idp structure * fix: user events structure * fix: user write model * fix: profile email changed command * fix: address changed command * fix: user states * fix: user * fix: org structure and add human * begin iam setup command side * setup * step2 * step2 * fix: add user * step2 * isvalid * fix: folder structure v2 business Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com> 2021-01-04 14:52:13 +01:00			`type PasswordlessType int32`

			`const (`
			`PasswordlessTypeNotAllowed PasswordlessType = iota`
			`PasswordlessTypeAllowed`

			`passwordlessCount`
			`)`

			`func (f PasswordlessType) Valid() bool {`
			`return f >= 0 && f < passwordlessCount`
			`}`
feat: User login commands (#1228) * feat: change login to command side * feat: change login to command side * fix: fix push on user * feat: user command side * feat: sign out * feat: command side login * feat: command side login * feat: fix register user * feat: fix register user * feat: fix web auth n events * feat: add machine keys * feat: send codes * feat: move authrequest to domain * feat: move authrequest to domain * feat: webauthn working * feat: external users * feat: external users login * feat: notify users * fix: tests * feat: cascade remove user grants on project remove * fix: webauthn * fix: pr requests * fix: register human with member * fix: fix bugs * fix: fix bugs 2021-02-08 11:30:30 +01:00
			`func (p *LoginPolicy) HasSecondFactors() bool {`
			`return len(p.SecondFactors) > 0`
			`}`

			`func (p *LoginPolicy) HasMultiFactors() bool {`
			`return len(p.MultiFactors) > 0`
			`}`