zitadel/internal/domain/user.go

package domain

type User interface {
	GetUsername() string
	GetState() UserState
}

type UserState int32

const (
	UserStateUnspecified UserState = iota
	UserStateActive
	UserStateInactive
	UserStateDeleted
	UserStateLocked
	UserStateSuspend
	UserStateInitial

	userStateCount
)

func (f UserState) Valid() bool {
	return f >= 0 && f < userStateCount
}

func (s UserState) Exists() bool {
	return s != UserStateUnspecified && s != UserStateDeleted
}

func (s UserState) NotDisabled() bool {
	return s == UserStateActive || s == UserStateInitial
}

type UserType int32

const (
	UserTypeUnspecified UserType = iota
	UserTypeHuman
	UserTypeMachine
	userTypeCount
)

func (f UserType) Valid() bool {
	return f >= 0 && f < userTypeCount
}

type UserAuthMethodType int32

const (
	UserAuthMethodTypeUnspecified UserAuthMethodType = iota
	UserAuthMethodTypeOTP
	UserAuthMethodTypeU2F
	UserAuthMethodTypePasswordless
	UserAuthMethodTypePassword
	UserAuthMethodTypeIDP
	userAuthMethodTypeCount
)

func (f UserAuthMethodType) Valid() bool {
	return f >= 0 && f < userAuthMethodTypeCount
}

// HasMFA checks whether the user authenticated with multiple auth factors.
// This can either be true if the list contains a [UserAuthMethodType] which by itself is MFA (e.g. [UserAuthMethodTypePasswordless])
// or if multiple factors were used (e.g. [UserAuthMethodTypePassword] and [UserAuthMethodTypeU2F])
func HasMFA(methods []UserAuthMethodType) bool {
	var factors int
	for _, method := range methods {
		switch method {
		case UserAuthMethodTypePassword:
			factors++
		case UserAuthMethodTypePasswordless:
			return true
		case UserAuthMethodTypeU2F:
			factors++
		case UserAuthMethodTypeOTP:
			factors++
		case UserAuthMethodTypeIDP:
			factors++
		case UserAuthMethodTypeUnspecified,
			userAuthMethodTypeCount:
			// ignore
		}
	}
	return factors > 1
}

// RequiresMFA checks whether the user requires to authenticate with multiple auth factors based on the LoginPolicy and the authentication type.
// Internal authentication will require MFA if either option is activated.
// External authentication will only require MFA if it's forced generally and not local only.
func RequiresMFA(forceMFA, forceMFALocalOnly, isInternalLogin bool) bool {
	if isInternalLogin {
		return forceMFA || forceMFALocalOnly
	}
	return forceMFA && !forceMFALocalOnly
}

type PersonalAccessTokenState int32

const (
	PersonalAccessTokenStateUnspecified PersonalAccessTokenState = iota
	PersonalAccessTokenStateActive
	PersonalAccessTokenStateRemoved

	personalAccessTokenStateCount
)

func (f PersonalAccessTokenState) Valid() bool {
	return f >= 0 && f < personalAccessTokenStateCount
}
new pkg structure (#1150) * fix: split command query side * fix: split command query side * fix: members in correct pkg structure * fix: label policy in correct pkg structure * fix: structure * fix: structure of login policy * fix: identityprovider structure * fix: org iam policy structure * fix: password age policy structure * fix: password complexity policy structure * fix: password lockout policy structure * fix: idp structure * fix: user events structure * fix: user write model * fix: profile email changed command * fix: address changed command * fix: user states * fix: user * fix: org structure and add human * begin iam setup command side * setup * step2 * step2 * fix: add user * step2 * isvalid * fix: folder structure v2 business Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com> 2021-01-04 13:52:13 +00:00			`package domain`

feat: new user auth api (#1168) * fix: correct selectors for extended writemodel * fix: no previous checks in eventstore * start check previous * feat: auth user commands * feat: auth user commands * feat: auth user commands * feat: otp * feat: corrections from pr merge * feat: webauthn * feat: comment old webauthn * feat: refactor user, human, machine * feat: webauth command side * feat: command and query side in login * feat: fix user writemodel append events * fix: remove creation dates on command side * fix: remove previous sequence * previous sequence * fix: external idps * Update internal/api/grpc/management/user.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/v2/command/user_human_email.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: pr changes * fix: phone verification Co-authored-by: adlerhurst <silvan.reusser@gmail.com> Co-authored-by: Livio Amstutz <livio.a@gmail.com> 2021-01-15 08:32:59 +00:00			`type User interface {`
			`GetUsername() string`
			`GetState() UserState`
fix: use domain models for v2 eventstore (#1151) * fix: use domain models for v2 eventstore * fix: user domain model * Update internal/api/grpc/admin/login_policy_converter.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: converter Co-authored-by: Livio Amstutz <livio.a@gmail.com> 2021-01-05 08:33:45 +00:00			`}`

new pkg structure (#1150) * fix: split command query side * fix: split command query side * fix: members in correct pkg structure * fix: label policy in correct pkg structure * fix: structure * fix: structure of login policy * fix: identityprovider structure * fix: org iam policy structure * fix: password age policy structure * fix: password complexity policy structure * fix: password lockout policy structure * fix: idp structure * fix: user events structure * fix: user write model * fix: profile email changed command * fix: address changed command * fix: user states * fix: user * fix: org structure and add human * begin iam setup command side * setup * step2 * step2 * fix: add user * step2 * isvalid * fix: folder structure v2 business Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com> 2021-01-04 13:52:13 +00:00			`type UserState int32`

			`const (`
			`UserStateUnspecified UserState = iota`
			`UserStateActive`
			`UserStateInactive`
			`UserStateDeleted`
			`UserStateLocked`
			`UserStateSuspend`
			`UserStateInitial`

			`userStateCount`
			`)`

			`func (f UserState) Valid() bool {`
			`return f >= 0 && f < userStateCount`
			`}`
feat: new es testing2 (#1428) * fix: org tests * fix: org tests * fix: user grant test * fix: user grant test * fix: project and project role test * fix: project grant test * fix: project grant test * fix: project member, grant member, app changed tests * fix: application tests * fix: application tests * fix: add oidc app test * fix: add oidc app test * fix: add api keys test * fix: iam policies * fix: iam and org member tests * fix: idp config tests * fix: iam tests * fix: user tests * fix: user tests * fix: user tests * fix: user tests * fix: user tests * fix: user tests * fix: user tests * fix: user tests * fix: user tests * fix: user tests * fix: org domain test * fix: org tests * fix: org tests * fix: implement org idps * fix: pr requests * fix: email tests * fix: fix idp check * fix: fix user profile 2021-03-19 10:12:56 +00:00
			`func (s UserState) Exists() bool {`
			`return s != UserStateUnspecified && s != UserStateDeleted`
			`}`
fix(projections): login names projection (#2698) * refactor(domain): add user type * fix(projections): start with login names * fix(login_policy): correct handling of user domain claimed event * refactor: login name projection * fix: set correct suffixes on login name projections * test(projections): login name reduces * migration versioning * refactor: use const for login name table name 2021-11-23 09:31:23 +00:00
fix: login for initial users (#4506) 2022-10-07 11:56:50 +00:00			`func (s UserState) NotDisabled() bool {`
			`return s == UserStateActive \|\| s == UserStateInitial`
			`}`

fix(projections): login names projection (#2698) * refactor(domain): add user type * fix(projections): start with login names * fix(login_policy): correct handling of user domain claimed event * refactor: login name projection * fix: set correct suffixes on login name projections * test(projections): login name reduces * migration versioning * refactor: use const for login name table name 2021-11-23 09:31:23 +00:00			`type UserType int32`

			`const (`
			`UserTypeUnspecified UserType = iota`
			`UserTypeHuman`
			`UserTypeMachine`
			`userTypeCount`
			`)`

			`func (f UserType) Valid() bool {`
			`return f >= 0 && f < userTypeCount`
			`}`
feat: auth method projection (#3020) * feat: auth method projection * feat: auth method projection * feat: add tests 2022-01-19 13:49:50 +00:00
			`type UserAuthMethodType int32`

			`const (`
			`UserAuthMethodTypeUnspecified UserAuthMethodType = iota`
			`UserAuthMethodTypeOTP`
			`UserAuthMethodTypeU2F`
			`UserAuthMethodTypePasswordless`
feat(api): list authentication method types in user api v2 (#6058) 2023-06-20 16:23:28 +00:00			`UserAuthMethodTypePassword`
			`UserAuthMethodTypeIDP`
feat: auth method projection (#3020) * feat: auth method projection * feat: auth method projection * feat: add tests 2022-01-19 13:49:50 +00:00			`userAuthMethodTypeCount`
			`)`

			`func (f UserAuthMethodType) Valid() bool {`
			`return f >= 0 && f < userAuthMethodTypeCount`
			`}`
feat: add personal access tokens for service users (#2974) * feat: add machine tokens * fix test * rename to pat * fix merge and tests * fix scopes * fix migration version * fix test * Update internal/repository/user/personal_access_token.go Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> 2022-02-08 08:37:28 +00:00
feat(API): support V2 token and session token usage (#6180) This PR adds support for userinfo and introspection of V2 tokens. Further V2 access tokens and session tokens can be used for authentication on the ZITADEL API (like the current access tokens). 2023-07-14 11:16:16 +00:00			`// HasMFA checks whether the user authenticated with multiple auth factors.`
			`// This can either be true if the list contains a [UserAuthMethodType] which by itself is MFA (e.g. [UserAuthMethodTypePasswordless])`
			`// or if multiple factors were used (e.g. [UserAuthMethodTypePassword] and [UserAuthMethodTypeU2F])`
			`func HasMFA(methods []UserAuthMethodType) bool {`
			`var factors int`
			`for _, method := range methods {`
			`switch method {`
			`case UserAuthMethodTypePassword:`
			`factors++`
			`case UserAuthMethodTypePasswordless:`
			`return true`
			`case UserAuthMethodTypeU2F:`
			`factors++`
			`case UserAuthMethodTypeOTP:`
			`factors++`
			`case UserAuthMethodTypeIDP:`
			`factors++`
			`case UserAuthMethodTypeUnspecified,`
			`userAuthMethodTypeCount:`
			`// ignore`
			`}`
			`}`
			`return factors > 1`
			`}`

feat: allow to force MFA local only (#6234) This PR adds an option to the LoginPolicy to "Force MFA for local users", so that users authenticated through an IDP must not configure (and verify) an MFA. 2023-07-20 04:06:16 +00:00			`// RequiresMFA checks whether the user requires to authenticate with multiple auth factors based on the LoginPolicy and the authentication type.`
			`// Internal authentication will require MFA if either option is activated.`
			`// External authentication will only require MFA if it's forced generally and not local only.`
			`func RequiresMFA(forceMFA, forceMFALocalOnly, isInternalLogin bool) bool {`
			`if isInternalLogin {`
			`return forceMFA \|\| forceMFALocalOnly`
			`}`
			`return forceMFA && !forceMFALocalOnly`
			`}`

feat: add personal access tokens for service users (#2974) * feat: add machine tokens * fix test * rename to pat * fix merge and tests * fix scopes * fix migration version * fix test * Update internal/repository/user/personal_access_token.go Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> 2022-02-08 08:37:28 +00:00			`type PersonalAccessTokenState int32`

			`const (`
			`PersonalAccessTokenStateUnspecified PersonalAccessTokenState = iota`
			`PersonalAccessTokenStateActive`
			`PersonalAccessTokenStateRemoved`

			`personalAccessTokenStateCount`
			`)`

			`func (f PersonalAccessTokenState) Valid() bool {`
			`return f >= 0 && f < personalAccessTokenStateCount`
			`}`