package query
import (
"context"
"github.com/zitadel/zitadel/internal/crypto"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/eventstore"
"github.com/zitadel/zitadel/internal/repository/user"
"github.com/zitadel/zitadel/internal/telemetry/tracing"
"github.com/zitadel/zitadel/internal/zerrors"
)
// GetHumanOTPSecret looks up the OTP read model of userID and returns its
// secret, decrypted via crypto.DecryptString with q.multifactors.OTP.CryptoMFA.
//
// An empty userID is rejected with a precondition-failed error. An OTP whose
// state is anything other than domain.MFAStateReady is reported as not found,
// so the secret of an OTP that was added but not yet verified, or that was
// removed, is never decrypted by this method.
//
// resourceowner is handed to the read model unchanged. When it is empty,
// HumanOTPReadModel.Query does not restrict the event search by resource
// owner, so the lookup is scoped by userID alone.
//
// The returned string is the plaintext OTP secret; callers should keep it out
// of logs, trace attributes and error messages.
func (q *Queries) GetHumanOTPSecret(ctx context.Context, userID, resourceowner string) (_ string, err error) {
	ctx, span := tracing.NewSpan(ctx)
	// err is the named result, so the span records whatever error is returned.
	defer func() { span.EndWithError(err) }()

	if len(userID) == 0 {
		return "", zerrors.ThrowPreconditionFailed(nil, "QUERY-8N9ds", "Errors.User.UserIDMissing")
	}

	otp, err := q.otpReadModelByID(ctx, userID, resourceowner)
	switch {
	case err != nil:
		return "", err
	case otp.State != domain.MFAStateReady:
		// Only a verified (ready) OTP may have its secret released.
		return "", zerrors.ThrowNotFound(nil, "QUERY-01982h", "Errors.User.NotFound")
	}

	return crypto.DecryptString(otp.Secret, q.multifactors.OTP.CryptoMFA)
}
// otpReadModelByID builds a HumanOTPReadModel for userID and resourceOwner and
// fills it by passing it to q.eventstore.FilterToQueryReducer.
//
// It returns nil and the error when the eventstore call fails. The returned
// model still carries the encrypted Secret; no decryption happens here.
func (q *Queries) otpReadModelByID(ctx context.Context, userID, resourceOwner string) (readModel *HumanOTPReadModel, err error) {
	ctx, span := tracing.NewSpan(ctx)
	// err is the named result, so the span records whatever error is returned.
	defer func() { span.EndWithError(err) }()

	model := NewHumanOTPReadModel(userID, resourceOwner)
	if err = q.eventstore.FilterToQueryReducer(ctx, model); err != nil {
		return nil, err
	}
	return model, nil
}
// HumanOTPReadModel is the read-side projection of a user's OTP factor,
// rebuilt from the user's OTP and removal events by Reduce.
type HumanOTPReadModel struct {
	*eventstore.ReadModel

	// State is the MFA state derived from the most recent relevant event.
	State domain.MFAState
	// Secret is the encrypted OTP secret taken from the latest OTP-added
	// event. Reduce does not clear it when the OTP or the user is removed,
	// so consumers must check State before using it.
	Secret *crypto.CryptoValue
}
// AppendEvents forwards events to the embedded eventstore.ReadModel.
func (rm *HumanOTPReadModel) AppendEvents(events ...eventstore.Event) {
	// The embedded field is named explicitly: a bare rm.AppendEvents would
	// resolve to this method and recurse.
	rm.ReadModel.AppendEvents(events...)
}
// NewHumanOTPReadModel returns an empty HumanOTPReadModel whose embedded
// eventstore.ReadModel is keyed by userID (as AggregateID) and resourceOwner.
//
// resourceOwner may be empty; Query then applies no resource-owner filter.
func NewHumanOTPReadModel(userID, resourceOwner string) *HumanOTPReadModel {
	base := &eventstore.ReadModel{
		AggregateID:   userID,
		ResourceOwner: resourceOwner,
	}
	return &HumanOTPReadModel{ReadModel: base}
}
// Reduce folds the buffered events into State and Secret, in order, and then
// delegates to the embedded eventstore.ReadModel's Reduce.
//
// State transitions:
//   - OTP added:    Secret is replaced and State becomes MFAStateNotReady
//   - OTP verified: State becomes MFAStateReady
//   - OTP removed or user removed: State becomes MFAStateRemoved
//
// Secret is left untouched on removal; only State marks it as unusable.
//
// NOTE(review): Query also selects the UserV1MFAOTP* event types. Presumably
// those are mapped to the same event structs matched below; if not, they are
// ignored here. Confirm against the event registration.
func (rm *HumanOTPReadModel) Reduce() error {
	for _, ev := range rm.Events {
		switch e := ev.(type) {
		case *user.HumanOTPAddedEvent:
			// A newly added OTP must be verified again before it is ready.
			rm.State = domain.MFAStateNotReady
			rm.Secret = e.Secret
		case *user.HumanOTPVerifiedEvent:
			rm.State = domain.MFAStateReady
		case *user.HumanOTPRemovedEvent, *user.UserRemovedEvent:
			rm.State = domain.MFAStateRemoved
		}
	}
	return rm.ReadModel.Reduce()
}
// Query builds the event search for this read model: events of the user
// aggregate with this model's AggregateID, limited to the OTP added, verified
// and removed types (current and UserV1 variants) plus user removal.
//
// The resource-owner filter is applied only when ResourceOwner is non-empty.
// With an empty ResourceOwner the search is scoped by AggregateID alone, so
// callers that need a per-owner boundary must pass the owner explicitly.
func (rm *HumanOTPReadModel) Query() *eventstore.SearchQueryBuilder {
	builder := eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
		AwaitOpenTransactions().
		AddQuery().
		AggregateTypes(user.AggregateType).
		AggregateIDs(rm.AggregateID).
		EventTypes(
			user.HumanMFAOTPAddedType,
			user.HumanMFAOTPVerifiedType,
			user.HumanMFAOTPRemovedType,
			user.UserRemovedType,
			user.UserV1MFAOTPAddedType,
			user.UserV1MFAOTPVerifiedType,
			user.UserV1MFAOTPRemovedType,
		).
		Builder()

	if rm.ResourceOwner == "" {
		return builder
	}
	// The call's result is discarded, as in the original; the builder is
	// expected to be updated in place.
	builder.ResourceOwner(rm.ResourceOwner)
	return builder
}