feat: mfa policy (#913)

* feat: add mfa to login policy

* feat: add mfa to login policy

* feat: add mfa to login policy

* feat: add mfa to login policy

* feat: add mfa to login policy on org

* feat: add mfa to login policy on org

* feat: append events on policy views

* feat: iam login policy mfa definition

* feat: login policies on orgs

* feat: configured mfas in login process

* feat: configured mfas in login process

* Update internal/ui/login/static/i18n/en.yaml

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* fix: rename software and hardware mfas

* fix: pr requests

* fix user mfa

* fix: test

* fix: oidc version

* fix: oidc version

* fix: proto gen

Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Max Peintner <max@caos.ch>

internal/api/grpc/management/login_policy.go

@@ -63,3 +63,45 @@ func (s *Server) RemoveIdpProviderFromLoginPolicy(ctx context.Context, provider
 	err := s.org.RemoveIDPProviderFromLoginPolicy(ctx, idpProviderToModel(provider))
 	return &empty.Empty{}, err
 }
+
+func (s *Server) GetLoginPolicySecondFactors(ctx context.Context, _ *empty.Empty) (*management.SecondFactorsResult, error) {
+	result, err := s.org.SearchSecondFactors(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return secondFactorResultFromModel(result), nil
+}
+
+func (s *Server) AddSecondFactorToLoginPolicy(ctx context.Context, mfa *management.SecondFactor) (*management.SecondFactor, error) {
+	result, err := s.org.AddSecondFactorToLoginPolicy(ctx, secondFactorTypeToModel(mfa))
+	if err != nil {
+		return nil, err
+	}
+	return secondFactorFromModel(result), nil
+}
+
+func (s *Server) RemoveSecondFactorFromLoginPolicy(ctx context.Context, mfa *management.SecondFactor) (*empty.Empty, error) {
+	err := s.org.RemoveSecondFactorFromLoginPolicy(ctx, secondFactorTypeToModel(mfa))
+	return &empty.Empty{}, err
+}
+
+func (s *Server) GetLoginPolicyMultiFactors(ctx context.Context, _ *empty.Empty) (*management.MultiFactorsResult, error) {
+	result, err := s.org.SearchMultiFactors(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return multiFactorResultFromModel(result), nil
+}
+
+func (s *Server) AddMultiFactorToLoginPolicy(ctx context.Context, mfa *management.MultiFactor) (*management.MultiFactor, error) {
+	result, err := s.org.AddMultiFactorToLoginPolicy(ctx, multiFactorTypeToModel(mfa))
+	if err != nil {
+		return nil, err
+	}
+	return multiFactorFromModel(result), nil
+}
+
+func (s *Server) RemoveMultiFactorFromLoginPolicy(ctx context.Context, mfa *management.MultiFactor) (*empty.Empty, error) {
+	err := s.org.RemoveMultiFactorFromLoginPolicy(ctx, multiFactorTypeToModel(mfa))
+	return &empty.Empty{}, err
+}

internal/api/grpc/management/login_policy_converter.go

@@ -12,6 +12,7 @@ func loginPolicyRequestToModel(policy *management.LoginPolicyRequest) *iam_model
 		AllowUsernamePassword: policy.AllowUsernamePassword,
 		AllowExternalIdp:      policy.AllowExternalIdp,
 		AllowRegister:         policy.AllowRegister,
+		ForceMFA:              policy.ForceMfa,
 	}
 }
 
@@ -28,6 +29,7 @@ func loginPolicyFromModel(policy *iam_model.LoginPolicy) *management.LoginPolicy
 		AllowRegister:         policy.AllowRegister,
 		CreationDate:          creationDate,
 		ChangeDate:            changeDate,
+		ForceMfa:              policy.ForceMFA,
 	}
 }
 
@@ -45,6 +47,7 @@ func loginPolicyViewFromModel(policy *iam_model.LoginPolicyView) *management.Log
 		AllowRegister:         policy.AllowRegister,
 		CreationDate:          creationDate,
 		ChangeDate:            changeDate,
+		ForceMfa:              policy.ForceMFA,
 	}
 }
 
@@ -140,3 +143,75 @@ func idpProviderTypeFromModel(providerType iam_model.IDPProviderType) management
 		return management.IdpProviderType_IDPPROVIDERTYPE_UNSPECIFIED
 	}
 }
+
+func secondFactorResultFromModel(result *iam_model.SecondFactorsSearchResponse) *management.SecondFactorsResult {
+	converted := make([]management.SecondFactorType, len(result.Result))
+	for i, mfaType := range result.Result {
+		converted[i] = secondFactorTypeFromModel(mfaType)
+	}
+	return &management.SecondFactorsResult{
+		SecondFactors: converted,
+	}
+}
+
+func secondFactorFromModel(mfaType iam_model.SecondFactorType) *management.SecondFactor {
+	return &management.SecondFactor{
+		SecondFactor: secondFactorTypeFromModel(mfaType),
+	}
+}
+
+func secondFactorTypeFromModel(mfaType iam_model.SecondFactorType) management.SecondFactorType {
+	switch mfaType {
+	case iam_model.SecondFactorTypeOTP:
+		return management.SecondFactorType_SECONDFACTORTYPE_OTP
+	case iam_model.SecondFactorTypeU2F:
+		return management.SecondFactorType_SECONDFACTORTYPE_U2F
+	default:
+		return management.SecondFactorType_SECONDFACTORTYPE_UNSPECIFIED
+	}
+}
+
+func secondFactorTypeToModel(mfaType *management.SecondFactor) iam_model.SecondFactorType {
+	switch mfaType.SecondFactor {
+	case management.SecondFactorType_SECONDFACTORTYPE_OTP:
+		return iam_model.SecondFactorTypeOTP
+	case management.SecondFactorType_SECONDFACTORTYPE_U2F:
+		return iam_model.SecondFactorTypeU2F
+	default:
+		return iam_model.SecondFactorTypeUnspecified
+	}
+}
+
+func multiFactorResultFromModel(result *iam_model.MultiFactorsSearchResponse) *management.MultiFactorsResult {
+	converted := make([]management.MultiFactorType, len(result.Result))
+	for i, mfaType := range result.Result {
+		converted[i] = multiFactorTypeFromModel(mfaType)
+	}
+	return &management.MultiFactorsResult{
+		MultiFactors: converted,
+	}
+}
+
+func multiFactorFromModel(mfaType iam_model.MultiFactorType) *management.MultiFactor {
+	return &management.MultiFactor{
+		MultiFactor: multiFactorTypeFromModel(mfaType),
+	}
+}
+
+func multiFactorTypeFromModel(mfaType iam_model.MultiFactorType) management.MultiFactorType {
+	switch mfaType {
+	case iam_model.MultiFactorTypeU2FWithPIN:
+		return management.MultiFactorType_MULTIFACTORTYPE_U2F_WITH_PIN
+	default:
+		return management.MultiFactorType_MULTIFACTORTYPE_UNSPECIFIED
+	}
+}
+
+func multiFactorTypeToModel(mfaType *management.MultiFactor) iam_model.MultiFactorType {
+	switch mfaType.MultiFactor {
+	case management.MultiFactorType_MULTIFACTORTYPE_U2F_WITH_PIN:
+		return iam_model.MultiFactorTypeU2FWithPIN
+	default:
+		return iam_model.MultiFactorTypeUnspecified
+	}
+}

internal/api/grpc/management/user.go

@@ -208,12 +208,12 @@ func (s *Server) RemoveExternalIDP(ctx context.Context, request *management.Exte
 	return &empty.Empty{}, err
 }
 
-func (s *Server) GetUserMfas(ctx context.Context, userID *management.UserID) (*management.MultiFactors, error) {
+func (s *Server) GetUserMfas(ctx context.Context, userID *management.UserID) (*management.UserMultiFactors, error) {
 	mfas, err := s.user.UserMfas(ctx, userID.Id)
 	if err != nil {
 		return nil, err
 	}
-	return &management.MultiFactors{Mfas: mfasFromModel(mfas)}, nil
+	return &management.UserMultiFactors{Mfas: mfasFromModel(mfas)}, nil
 }
 
 func (s *Server) SearchUserMemberships(ctx context.Context, in *management.UserMembershipSearchRequest) (*management.UserMembershipSearchResponse, error) {

internal/api/grpc/management/user_converter.go

@@ -491,16 +491,16 @@ func userMembershipViewFromModel(membership *usr_model.UserMembershipView) *mana
 	}
 }
 
-func mfasFromModel(mfas []*usr_model.MultiFactor) []*management.MultiFactor {
-	converted := make([]*management.MultiFactor, len(mfas))
+func mfasFromModel(mfas []*usr_model.MultiFactor) []*management.UserMultiFactor {
+	converted := make([]*management.UserMultiFactor, len(mfas))
 	for i, mfa := range mfas {
 		converted[i] = mfaFromModel(mfa)
 	}
 	return converted
 }
 
-func mfaFromModel(mfa *usr_model.MultiFactor) *management.MultiFactor {
-	return &management.MultiFactor{
+func mfaFromModel(mfa *usr_model.MultiFactor) *management.UserMultiFactor {
+	return &management.UserMultiFactor{
 		State: mfaStateFromModel(mfa.State),
 		Type:  mfaTypeFromModel(mfa.Type),
 	}