feat: mfa policy (#913)

* feat: add mfa to login policy

* feat: add mfa to login policy

* feat: add mfa to login policy

* feat: add mfa to login policy

* feat: add mfa to login policy on org

* feat: add mfa to login policy on org

* feat: append events on policy views

* feat: iam login policy mfa definition

* feat: login policies on orgs

* feat: configured mfas in login process

* feat: configured mfas in login process

* Update internal/ui/login/static/i18n/en.yaml

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* fix: rename software and hardware mfas

* fix: pr requests

* fix user mfa

* fix: test

* fix: oidc version

* fix: oidc version

* fix: proto gen

Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Max Peintner <max@caos.ch>

internal/iam/repository/eventsourcing/iam.go

@@ -346,6 +346,70 @@ func LoginPolicyIDPProviderRemovedAggregate(ctx context.Context, aggCreator *es_
 	return agg.AppendEvent(model.LoginPolicyIDPProviderRemoved, provider)
 }
 
+func LoginPolicySecondFactorAddedAggregate(aggCreator *es_models.AggregateCreator, existing *model.IAM, mfa *model.MFA) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if mfa == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-4Gm9s", "Errors.Internal")
+		}
+		agg, err := IAMAggregate(ctx, aggCreator, existing)
+		if err != nil {
+			return nil, err
+		}
+		validationQuery := es_models.NewSearchQuery().
+			AggregateTypeFilter(model.IAMAggregate).
+			AggregateIDFilter(existing.AggregateID)
+
+		validation := checkExistingLoginPolicySecondFactorValidation(mfa.MfaType)
+		agg.SetPrecondition(validationQuery, validation)
+		return agg.AppendEvent(model.LoginPolicySecondFactorAdded, mfa)
+	}
+}
+
+func LoginPolicySecondFactorRemovedAggregate(aggCreator *es_models.AggregateCreator, existing *model.IAM, mfa *model.MFA) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if mfa == nil || existing == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-5Bm9s", "Errors.Internal")
+		}
+		agg, err := IAMAggregate(ctx, aggCreator, existing)
+		if err != nil {
+			return nil, err
+		}
+		return agg.AppendEvent(model.LoginPolicySecondFactorRemoved, mfa)
+	}
+}
+
+func LoginPolicyMultiFactorAddedAggregate(aggCreator *es_models.AggregateCreator, existing *model.IAM, mfa *model.MFA) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if mfa == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-4Gm9s", "Errors.Internal")
+		}
+		agg, err := IAMAggregate(ctx, aggCreator, existing)
+		if err != nil {
+			return nil, err
+		}
+		validationQuery := es_models.NewSearchQuery().
+			AggregateTypeFilter(model.IAMAggregate).
+			AggregateIDFilter(existing.AggregateID)
+
+		validation := checkExistingLoginPolicyMultiFactorValidation(mfa.MfaType)
+		agg.SetPrecondition(validationQuery, validation)
+		return agg.AppendEvent(model.LoginPolicyMultiFactorAdded, mfa)
+	}
+}
+
+func LoginPolicyMultiFactorRemovedAggregate(aggCreator *es_models.AggregateCreator, existing *model.IAM, mfa *model.MFA) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if mfa == nil || existing == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-6Mso9", "Errors.Internal")
+		}
+		agg, err := IAMAggregate(ctx, aggCreator, existing)
+		if err != nil {
+			return nil, err
+		}
+		return agg.AppendEvent(model.LoginPolicyMultiFactorRemoved, mfa)
+	}
+}
+
 func PasswordComplexityPolicyAddedAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, existing *model.IAM, policy *model.PasswordComplexityPolicy) (*es_models.Aggregate, error) {
 	if policy == nil {
 		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Smla8", "Errors.Internal")
@@ -613,3 +677,77 @@ func checkExistingLoginPolicyIDPProviderValidation(idpConfigID string) func(...*
 		return nil
 	}
 }
+
+func checkExistingLoginPolicySecondFactorValidation(mfaType int32) func(...*es_models.Event) error {
+	return func(events ...*es_models.Event) error {
+		mfas := make([]int32, 0)
+		for _, event := range events {
+			switch event.Type {
+			case model.LoginPolicySecondFactorAdded:
+				idp := new(model.MFA)
+				err := idp.SetData(event)
+				if err != nil {
+					return err
+				}
+				mfas = append(mfas, idp.MfaType)
+			case model.LoginPolicySecondFactorRemoved:
+				mfa := new(model.MFA)
+				err := mfa.SetData(event)
+				if err != nil {
+					return err
+				}
+				for i := len(mfas) - 1; i >= 0; i-- {
+					if mfas[i] == mfa.MfaType {
+						mfas[i] = mfas[len(mfas)-1]
+						mfas[len(mfas)-1] = 0
+						mfas = mfas[:len(mfas)-1]
+						break
+					}
+				}
+			}
+		}
+		for _, m := range mfas {
+			if m == mfaType {
+				return errors.ThrowPreconditionFailed(nil, "EVENT-3vmHd", "Errors.IAM.LoginPolicy.MFA.AlreadyExisting")
+			}
+		}
+		return nil
+	}
+}
+
+func checkExistingLoginPolicyMultiFactorValidation(mfaType int32) func(...*es_models.Event) error {
+	return func(events ...*es_models.Event) error {
+		mfas := make([]int32, 0)
+		for _, event := range events {
+			switch event.Type {
+			case model.LoginPolicyMultiFactorAdded:
+				idp := new(model.MFA)
+				err := idp.SetData(event)
+				if err != nil {
+					return err
+				}
+				mfas = append(mfas, idp.MfaType)
+			case model.LoginPolicyMultiFactorRemoved:
+				mfa := new(model.MFA)
+				err := mfa.SetData(event)
+				if err != nil {
+					return err
+				}
+				for i := len(mfas) - 1; i >= 0; i-- {
+					if mfas[i] == mfa.MfaType {
+						mfas[i] = mfas[len(mfas)-1]
+						mfas[len(mfas)-1] = 0
+						mfas = mfas[:len(mfas)-1]
+						break
+					}
+				}
+			}
+		}
+		for _, m := range mfas {
+			if m == mfaType {
+				return errors.ThrowPreconditionFailed(nil, "EVENT-6Hsj89", "Errors.IAM.LoginPolicy.MFA.AlreadyExisting")
+			}
+		}
+		return nil
+	}
+}