feat: mfa policy (#913)

* feat: add mfa to login policy

* feat: add mfa to login policy

* feat: add mfa to login policy

* feat: add mfa to login policy

* feat: add mfa to login policy on org

* feat: add mfa to login policy on org

* feat: append events on policy views

* feat: iam login policy mfa definition

* feat: login policies on orgs

* feat: configured mfas in login process

* feat: configured mfas in login process

* Update internal/ui/login/static/i18n/en.yaml

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* fix: rename software and hardware mfas

* fix: pr requests

* fix user mfa

* fix: test

* fix: oidc version

* fix: oidc version

* fix: proto gen

Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Max Peintner <max@caos.ch>

internal/iam/model/login_policy.go

@@ -13,6 +13,9 @@ type LoginPolicy struct {
 	AllowRegister         bool
 	AllowExternalIdp      bool
 	IDPProviders          []*IDPProvider
+	ForceMFA              bool
+	SecondFactors         []SecondFactorType
+	MultiFactors          []MultiFactorType
 }
 
 type IDPProvider struct {
@@ -35,6 +38,21 @@ const (
 	IDPProviderTypeOrg
 )
 
+type SecondFactorType int32
+
+const (
+	SecondFactorTypeUnspecified SecondFactorType = iota
+	SecondFactorTypeOTP
+	SecondFactorTypeU2F
+)
+
+type MultiFactorType int32
+
+const (
+	MultiFactorTypeUnspecified MultiFactorType = iota
+	MultiFactorTypeU2FWithPIN
+)
+
 func (p *LoginPolicy) IsValid() bool {
 	return p.ObjectRoot.AggregateID != ""
 }
@@ -51,3 +69,21 @@ func (p *LoginPolicy) GetIdpProvider(id string) (int, *IDPProvider) {
 	}
 	return -1, nil
 }
+
+func (p *LoginPolicy) GetSecondFactor(mfaType SecondFactorType) (int, SecondFactorType) {
+	for i, m := range p.SecondFactors {
+		if m == mfaType {
+			return i, m
+		}
+	}
+	return -1, 0
+}
+
+func (p *LoginPolicy) GetMultiFactor(mfaType MultiFactorType) (int, MultiFactorType) {
+	for i, m := range p.MultiFactors {
+		if m == mfaType {
+			return i, m
+		}
+	}
+	return -1, 0
+}

internal/iam/model/login_policy_view.go

@@ -10,6 +10,9 @@ type LoginPolicyView struct {
 	AllowUsernamePassword bool
 	AllowRegister         bool
 	AllowExternalIDP      bool
+	ForceMFA              bool
+	SecondFactors         []SecondFactorType
+	MultiFactors          []MultiFactorType
 	Default               bool
 
 	CreationDate time.Time
@@ -46,3 +49,17 @@ type LoginPolicySearchResponse struct {
 	Sequence    uint64
 	Timestamp   time.Time
 }
+
+func (p *LoginPolicyView) HasSecondFactors() bool {
+	if p.SecondFactors == nil || len(p.SecondFactors) == 0 {
+		return false
+	}
+	return true
+}
+
+func (p *LoginPolicyView) HasMultiFactors() bool {
+	if p.MultiFactors == nil || len(p.MultiFactors) == 0 {
+		return false
+	}
+	return true
+}

internal/iam/model/mfa_view.go

@@ -0,0 +1,47 @@
+package model
+
+import (
+	"github.com/caos/zitadel/internal/model"
+)
+
+type SecondFactorsSearchRequest struct {
+	Queries []*MFASearchQuery
+}
+
+type MultiFactorsSearchRequest struct {
+	Offset  uint64
+	Limit   uint64
+	Asc     bool
+	Queries []*MFASearchQuery
+}
+
+type MFASearchQuery struct {
+	Key    MFASearchKey
+	Method model.SearchMethod
+	Value  interface{}
+}
+
+type MFASearchKey int32
+
+const (
+	MFASearchKeyUnspecified MFASearchKey = iota
+	MFASearchKeyAggregateID
+)
+
+type SecondFactorsSearchResponse struct {
+	TotalResult uint64
+	Result      []SecondFactorType
+}
+
+type MultiFactorsSearchResponse struct {
+	TotalResult uint64
+	Result      []MultiFactorType
+}
+
+func (r *SecondFactorsSearchRequest) AppendAggregateIDQuery(aggregateID string) {
+	r.Queries = append(r.Queries, &MFASearchQuery{Key: MFASearchKeyAggregateID, Method: model.SearchMethodEquals, Value: aggregateID})
+}
+
+func (r *MultiFactorsSearchRequest) AppendAggregateIDQuery(aggregateID string) {
+	r.Queries = append(r.Queries, &MFASearchQuery{Key: MFASearchKeyAggregateID, Method: model.SearchMethodEquals, Value: aggregateID})
+}