feat: mfa policy (#913)

* feat: add mfa to login policy * feat: add mfa to login policy * feat: add mfa to login policy * feat: add mfa to login policy * feat: add mfa to login policy on org * feat: add mfa to login policy on org * feat: append events on policy views * feat: iam login policy mfa definition * feat: login policies on orgs * feat: configured mfas in login process * feat: configured mfas in login process * Update internal/ui/login/static/i18n/en.yaml Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: rename software and hardware mfas * fix: pr requests * fix user mfa * fix: test * fix: oidc version * fix: oidc version * fix: proto gen Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Max Peintner <max@caos.ch>
2025-08-12 00:07:36 +00:00 · 2020-11-04 11:26:10 +01:00
parent 51417be35d
commit 202aae4954
76 changed files with 12913 additions and 5614 deletions
--- a/internal/api/grpc/admin/login_policy.go
+++ b/internal/api/grpc/admin/login_policy.go
@@ -42,3 +42,45 @@ func (s *Server) RemoveIdpProviderFromDefaultLoginPolicy(ctx context.Context, pr
 	err := s.iam.RemoveIDPProviderFromLoginPolicy(ctx, idpProviderToModel(provider))
 	return &empty.Empty{}, err
 }
+
+func (s *Server) GetDefaultLoginPolicySecondFactors(ctx context.Context, _ *empty.Empty) (*admin.SecondFactorsResult, error) {
+	result, err := s.iam.SearchDefaultSecondFactors(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return secondFactorsResultFromModel(result), nil
+}
+
+func (s *Server) AddSecondFactorToDefaultLoginPolicy(ctx context.Context, mfa *admin.SecondFactor) (*admin.SecondFactor, error) {
+	result, err := s.iam.AddSecondFactorToLoginPolicy(ctx, secondFactorTypeToModel(mfa))
+	if err != nil {
+		return nil, err
+	}
+	return secondFactorFromModel(result), nil
+}
+
+func (s *Server) RemoveSecondFactorFromDefaultLoginPolicy(ctx context.Context, mfa *admin.SecondFactor) (*empty.Empty, error) {
+	err := s.iam.RemoveSecondFactorFromLoginPolicy(ctx, secondFactorTypeToModel(mfa))
+	return &empty.Empty{}, err
+}
+
+func (s *Server) GetDefaultLoginPolicyMultiFactors(ctx context.Context, _ *empty.Empty) (*admin.MultiFactorsResult, error) {
+	result, err := s.iam.SearchDefaultMultiFactors(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return multiFactorResultFromModel(result), nil
+}
+
+func (s *Server) AddMultiFactorToDefaultLoginPolicy(ctx context.Context, mfa *admin.MultiFactor) (*admin.MultiFactor, error) {
+	result, err := s.iam.AddMultiFactorToLoginPolicy(ctx, multiFactorTypeToModel(mfa))
+	if err != nil {
+		return nil, err
+	}
+	return multiFactorFromModel(result), nil
+}
+
+func (s *Server) RemoveMultiFactorFromDefaultLoginPolicy(ctx context.Context, mfa *admin.MultiFactor) (*empty.Empty, error) {
+	err := s.iam.RemoveMultiFactorFromLoginPolicy(ctx, multiFactorTypeToModel(mfa))
+	return &empty.Empty{}, err
+}
--- a/internal/api/grpc/admin/login_policy_converter.go
+++ b/internal/api/grpc/admin/login_policy_converter.go
@@ -12,6 +12,7 @@ func loginPolicyToModel(policy *admin.DefaultLoginPolicyRequest) *iam_model.Logi
 		AllowUsernamePassword: policy.AllowUsernamePassword,
 		AllowExternalIdp:      policy.AllowExternalIdp,
 		AllowRegister:         policy.AllowRegister,
+		ForceMFA:              policy.ForceMfa,
 	}
 }

@@ -26,6 +27,7 @@ func loginPolicyFromModel(policy *iam_model.LoginPolicy) *admin.DefaultLoginPoli
 		AllowUsernamePassword: policy.AllowUsernamePassword,
 		AllowExternalIdp:      policy.AllowExternalIdp,
 		AllowRegister:         policy.AllowRegister,
+		ForceMfa:              policy.ForceMFA,
 		CreationDate:          creationDate,
 		ChangeDate:            changeDate,
 	}
@@ -42,6 +44,7 @@ func loginPolicyViewFromModel(policy *iam_model.LoginPolicyView) *admin.DefaultL
 		AllowUsernamePassword: policy.AllowUsernamePassword,
 		AllowExternalIdp:      policy.AllowExternalIDP,
 		AllowRegister:         policy.AllowRegister,
+		ForceMfa:              policy.ForceMFA,
 		CreationDate:          creationDate,
 		ChangeDate:            changeDate,
 	}
@@ -103,3 +106,75 @@ func idpConfigTypeToModel(providerType iam_model.IdpConfigType) admin.IdpType {
 		return admin.IdpType_IDPTYPE_UNSPECIFIED
 	}
 }
+
+func secondFactorsResultFromModel(result *iam_model.SecondFactorsSearchResponse) *admin.SecondFactorsResult {
+	converted := make([]admin.SecondFactorType, len(result.Result))
+	for i, mfaType := range result.Result {
+		converted[i] = secondFactorTypeFromModel(mfaType)
+	}
+	return &admin.SecondFactorsResult{
+		SecondFactors: converted,
+	}
+}
+
+func secondFactorFromModel(mfaType iam_model.SecondFactorType) *admin.SecondFactor {
+	return &admin.SecondFactor{
+		SecondFactor: secondFactorTypeFromModel(mfaType),
+	}
+}
+
+func secondFactorTypeFromModel(mfaType iam_model.SecondFactorType) admin.SecondFactorType {
+	switch mfaType {
+	case iam_model.SecondFactorTypeOTP:
+		return admin.SecondFactorType_SECONDFACTORTYPE_OTP
+	case iam_model.SecondFactorTypeU2F:
+		return admin.SecondFactorType_SECONDFACTORTYPE_U2F
+	default:
+		return admin.SecondFactorType_SECONDFACTORTYPE_UNSPECIFIED
+	}
+}
+
+func secondFactorTypeToModel(mfaType *admin.SecondFactor) iam_model.SecondFactorType {
+	switch mfaType.SecondFactor {
+	case admin.SecondFactorType_SECONDFACTORTYPE_OTP:
+		return iam_model.SecondFactorTypeOTP
+	case admin.SecondFactorType_SECONDFACTORTYPE_U2F:
+		return iam_model.SecondFactorTypeU2F
+	default:
+		return iam_model.SecondFactorTypeUnspecified
+	}
+}
+
+func multiFactorResultFromModel(result *iam_model.MultiFactorsSearchResponse) *admin.MultiFactorsResult {
+	converted := make([]admin.MultiFactorType, len(result.Result))
+	for i, mfaType := range result.Result {
+		converted[i] = multiFactorTypeFromModel(mfaType)
+	}
+	return &admin.MultiFactorsResult{
+		MultiFactors: converted,
+	}
+}
+
+func multiFactorFromModel(mfaType iam_model.MultiFactorType) *admin.MultiFactor {
+	return &admin.MultiFactor{
+		MultiFactor: multiFactorTypeFromModel(mfaType),
+	}
+}
+
+func multiFactorTypeFromModel(mfaType iam_model.MultiFactorType) admin.MultiFactorType {
+	switch mfaType {
+	case iam_model.MultiFactorTypeU2FWithPIN:
+		return admin.MultiFactorType_MULTIFACTORTYPE_U2F_WITH_PIN
+	default:
+		return admin.MultiFactorType_MULTIFACTORTYPE_UNSPECIFIED
+	}
+}
+
+func multiFactorTypeToModel(mfaType *admin.MultiFactor) iam_model.MultiFactorType {
+	switch mfaType.MultiFactor {
+	case admin.MultiFactorType_MULTIFACTORTYPE_U2F_WITH_PIN:
+		return iam_model.MultiFactorTypeU2FWithPIN
+	default:
+		return iam_model.MultiFactorTypeUnspecified
+	}
+}