feat: mfa policy (#913)

* feat: add mfa to login policy

* feat: add mfa to login policy

* feat: add mfa to login policy

* feat: add mfa to login policy

* feat: add mfa to login policy on org

* feat: add mfa to login policy on org

* feat: append events on policy views

* feat: iam login policy mfa definition

* feat: login policies on orgs

* feat: configured mfas in login process

* feat: configured mfas in login process

* Update internal/ui/login/static/i18n/en.yaml

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* fix: rename software and hardware mfas

* fix: pr requests

* fix user mfa

* fix: test

* fix: oidc version

* fix: oidc version

* fix: proto gen

Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Max Peintner <max@caos.ch>

internal/iam/repository/eventsourcing/model/iam.go

@@ -168,6 +168,14 @@ func (i *IAM) AppendEvent(event *es_models.Event) (err error) {
 		return i.appendAddIDPProviderToLoginPolicyEvent(event)
 	case LoginPolicyIDPProviderRemoved:
 		return i.appendRemoveIDPProviderFromLoginPolicyEvent(event)
+	case LoginPolicySecondFactorAdded:
+		return i.appendAddSecondFactorToLoginPolicyEvent(event)
+	case LoginPolicySecondFactorRemoved:
+		return i.appendRemoveSecondFactorFromLoginPolicyEvent(event)
+	case LoginPolicyMultiFactorAdded:
+		return i.appendAddMultiFactorToLoginPolicyEvent(event)
+	case LoginPolicyMultiFactorRemoved:
+		return i.appendRemoveMultiFactorFromLoginPolicyEvent(event)
 	case LabelPolicyAdded:
 		return i.appendAddLabelPolicyEvent(event)
 	case LabelPolicyChanged:

internal/iam/repository/eventsourcing/model/login_policy.go

@@ -14,7 +14,10 @@ type LoginPolicy struct {
 	AllowUsernamePassword bool           `json:"allowUsernamePassword"`
 	AllowRegister         bool           `json:"allowRegister"`
 	AllowExternalIdp      bool           `json:"allowExternalIdp"`
+	ForceMFA              bool           `json:"forceMfa"`
 	IDPProviders          []*IDPProvider `json:"-"`
+	SecondFactors         []int32        `json:"-"`
+	MultiFactors          []int32        `json:"-"`
 }
 
 type IDPProvider struct {
@@ -27,6 +30,10 @@ type IDPProviderID struct {
 	IDPConfigID string `json:"idpConfigId"`
 }
 
+type MFA struct {
+	MfaType int32 `json:"mfaType"`
+}
+
 func GetIDPProvider(providers []*IDPProvider, id string) (int, *IDPProvider) {
 	for i, p := range providers {
 		if p.IDPConfigID == id {
@@ -36,8 +43,18 @@ func GetIDPProvider(providers []*IDPProvider, id string) (int, *IDPProvider) {
 	return -1, nil
 }
 
+func GetMFA(mfas []int32, mfaType int32) (int, int32) {
+	for i, m := range mfas {
+		if m == mfaType {
+			return i, m
+		}
+	}
+	return -1, 0
+}
 func LoginPolicyToModel(policy *LoginPolicy) *iam_model.LoginPolicy {
 	idps := IDPProvidersToModel(policy.IDPProviders)
+	secondFactors := SecondFactorsToModel(policy.SecondFactors)
+	multiFactors := MultiFactorsToModel(policy.MultiFactors)
 	return &iam_model.LoginPolicy{
 		ObjectRoot:            policy.ObjectRoot,
 		State:                 iam_model.PolicyState(policy.State),
@@ -45,11 +62,16 @@ func LoginPolicyToModel(policy *LoginPolicy) *iam_model.LoginPolicy {
 		AllowRegister:         policy.AllowRegister,
 		AllowExternalIdp:      policy.AllowExternalIdp,
 		IDPProviders:          idps,
+		ForceMFA:              policy.ForceMFA,
+		SecondFactors:         secondFactors,
+		MultiFactors:          multiFactors,
 	}
 }
 
 func LoginPolicyFromModel(policy *iam_model.LoginPolicy) *LoginPolicy {
 	idps := IDOProvidersFromModel(policy.IDPProviders)
+	secondFactors := SecondFactorsFromModel(policy.SecondFactors)
+	multiFactors := MultiFactorsFromModel(policy.MultiFactors)
 	return &LoginPolicy{
 		ObjectRoot:            policy.ObjectRoot,
 		State:                 int32(policy.State),
@@ -57,6 +79,9 @@ func LoginPolicyFromModel(policy *iam_model.LoginPolicy) *LoginPolicy {
 		AllowRegister:         policy.AllowRegister,
 		AllowExternalIdp:      policy.AllowExternalIdp,
 		IDPProviders:          idps,
+		ForceMFA:              policy.ForceMFA,
+		SecondFactors:         secondFactors,
+		MultiFactors:          multiFactors,
 	}
 }
 
@@ -92,6 +117,46 @@ func IDPProviderFromModel(provider *iam_model.IDPProvider) *IDPProvider {
 	}
 }
 
+func SecondFactorsFromModel(mfas []iam_model.SecondFactorType) []int32 {
+	convertedMFAs := make([]int32, len(mfas))
+	for i, mfa := range mfas {
+		convertedMFAs[i] = int32(mfa)
+	}
+	return convertedMFAs
+}
+
+func SecondFactorFromModel(mfa iam_model.SecondFactorType) *MFA {
+	return &MFA{MfaType: int32(mfa)}
+}
+
+func SecondFactorsToModel(mfas []int32) []iam_model.SecondFactorType {
+	convertedMFAs := make([]iam_model.SecondFactorType, len(mfas))
+	for i, mfa := range mfas {
+		convertedMFAs[i] = iam_model.SecondFactorType(mfa)
+	}
+	return convertedMFAs
+}
+
+func MultiFactorsFromModel(mfas []iam_model.MultiFactorType) []int32 {
+	convertedMFAs := make([]int32, len(mfas))
+	for i, mfa := range mfas {
+		convertedMFAs[i] = int32(mfa)
+	}
+	return convertedMFAs
+}
+
+func MultiFactorFromModel(mfa iam_model.MultiFactorType) *MFA {
+	return &MFA{MfaType: int32(mfa)}
+}
+
+func MultiFactorsToModel(mfas []int32) []iam_model.MultiFactorType {
+	convertedMFAs := make([]iam_model.MultiFactorType, len(mfas))
+	for i, mfa := range mfas {
+		convertedMFAs[i] = iam_model.MultiFactorType(mfa)
+	}
+	return convertedMFAs
+}
+
 func (p *LoginPolicy) Changes(changed *LoginPolicy) map[string]interface{} {
 	changes := make(map[string]interface{}, 2)
 
@@ -104,7 +169,9 @@ func (p *LoginPolicy) Changes(changed *LoginPolicy) map[string]interface{} {
 	if changed.AllowExternalIdp != p.AllowExternalIdp {
 		changes["allowExternalIdp"] = changed.AllowExternalIdp
 	}
-
+	if changed.ForceMFA != p.ForceMFA {
+		changes["forceMFA"] = changed.ForceMFA
+	}
 	return changes
 }
 
@@ -143,6 +210,57 @@ func (iam *IAM) appendRemoveIDPProviderFromLoginPolicyEvent(event *es_models.Eve
 		iam.DefaultLoginPolicy.IDPProviders[i] = iam.DefaultLoginPolicy.IDPProviders[len(iam.DefaultLoginPolicy.IDPProviders)-1]
 		iam.DefaultLoginPolicy.IDPProviders[len(iam.DefaultLoginPolicy.IDPProviders)-1] = nil
 		iam.DefaultLoginPolicy.IDPProviders = iam.DefaultLoginPolicy.IDPProviders[:len(iam.DefaultLoginPolicy.IDPProviders)-1]
+		return nil
+	}
+	return nil
+}
+
+func (iam *IAM) appendAddSecondFactorToLoginPolicyEvent(event *es_models.Event) error {
+	mfa := new(MFA)
+	err := mfa.SetData(event)
+	if err != nil {
+		return err
+	}
+	iam.DefaultLoginPolicy.SecondFactors = append(iam.DefaultLoginPolicy.SecondFactors, mfa.MfaType)
+	return nil
+}
+
+func (iam *IAM) appendRemoveSecondFactorFromLoginPolicyEvent(event *es_models.Event) error {
+	mfa := new(MFA)
+	err := mfa.SetData(event)
+	if err != nil {
+		return err
+	}
+	if i, m := GetMFA(iam.DefaultLoginPolicy.SecondFactors, mfa.MfaType); m != 0 {
+		iam.DefaultLoginPolicy.SecondFactors[i] = iam.DefaultLoginPolicy.SecondFactors[len(iam.DefaultLoginPolicy.SecondFactors)-1]
+		iam.DefaultLoginPolicy.SecondFactors[len(iam.DefaultLoginPolicy.SecondFactors)-1] = 0
+		iam.DefaultLoginPolicy.SecondFactors = iam.DefaultLoginPolicy.SecondFactors[:len(iam.DefaultLoginPolicy.SecondFactors)-1]
+		return nil
+	}
+	return nil
+}
+
+func (iam *IAM) appendAddMultiFactorToLoginPolicyEvent(event *es_models.Event) error {
+	mfa := new(MFA)
+	err := mfa.SetData(event)
+	if err != nil {
+		return err
+	}
+	iam.DefaultLoginPolicy.MultiFactors = append(iam.DefaultLoginPolicy.MultiFactors, mfa.MfaType)
+	return nil
+}
+
+func (iam *IAM) appendRemoveMultiFactorFromLoginPolicyEvent(event *es_models.Event) error {
+	mfa := new(MFA)
+	err := mfa.SetData(event)
+	if err != nil {
+		return err
+	}
+	if i, m := GetMFA(iam.DefaultLoginPolicy.MultiFactors, mfa.MfaType); m != 0 {
+		iam.DefaultLoginPolicy.MultiFactors[i] = iam.DefaultLoginPolicy.MultiFactors[len(iam.DefaultLoginPolicy.MultiFactors)-1]
+		iam.DefaultLoginPolicy.MultiFactors[len(iam.DefaultLoginPolicy.MultiFactors)-1] = 0
+		iam.DefaultLoginPolicy.MultiFactors = iam.DefaultLoginPolicy.MultiFactors[:len(iam.DefaultLoginPolicy.MultiFactors)-1]
+		return nil
 	}
 	return nil
 }
@@ -162,3 +280,11 @@ func (p *IDPProvider) SetData(event *es_models.Event) error {
 	}
 	return nil
 }
+
+func (m *MFA) SetData(event *es_models.Event) error {
+	err := json.Unmarshal(event.Data, m)
+	if err != nil {
+		return errors.ThrowInternal(err, "EVENT-4G9os", "unable to unmarshal data")
+	}
+	return nil
+}

internal/iam/repository/eventsourcing/model/login_policy_test.go

@@ -23,18 +23,18 @@ func TestLoginPolicyChanges(t *testing.T) {
 		{
 			name: "loginpolicy all attributes change",
 			args: args{
-				existing: &LoginPolicy{AllowUsernamePassword: false, AllowRegister: false, AllowExternalIdp: false},
-				new:      &LoginPolicy{AllowUsernamePassword: true, AllowRegister: true, AllowExternalIdp: true},
+				existing: &LoginPolicy{AllowUsernamePassword: false, AllowRegister: false, AllowExternalIdp: false, ForceMFA: false},
+				new:      &LoginPolicy{AllowUsernamePassword: true, AllowRegister: true, AllowExternalIdp: true, ForceMFA: true},
 			},
 			res: res{
-				changesLen: 3,
+				changesLen: 4,
 			},
 		},
 		{
 			name: "no changes",
 			args: args{
-				existing: &LoginPolicy{AllowUsernamePassword: false, AllowRegister: false, AllowExternalIdp: false},
-				new:      &LoginPolicy{AllowUsernamePassword: false, AllowRegister: false, AllowExternalIdp: false},
+				existing: &LoginPolicy{AllowUsernamePassword: false, AllowRegister: false, AllowExternalIdp: false, ForceMFA: false},
+				new:      &LoginPolicy{AllowUsernamePassword: false, AllowRegister: false, AllowExternalIdp: false, ForceMFA: false},
 			},
 			res: res{
 				changesLen: 0,
@@ -66,10 +66,10 @@ func TestAppendAddLoginPolicyEvent(t *testing.T) {
 			name: "append add login policy event",
 			args: args{
 				iam:    new(IAM),
-				policy: &LoginPolicy{AllowUsernamePassword: true, AllowRegister: true, AllowExternalIdp: true},
+				policy: &LoginPolicy{AllowUsernamePassword: true, AllowRegister: true, AllowExternalIdp: true, ForceMFA: true},
 				event:  new(es_models.Event),
 			},
-			result: &IAM{DefaultLoginPolicy: &LoginPolicy{AllowUsernamePassword: true, AllowRegister: true, AllowExternalIdp: true}},
+			result: &IAM{DefaultLoginPolicy: &LoginPolicy{AllowUsernamePassword: true, AllowRegister: true, AllowExternalIdp: true, ForceMFA: true}},
 		},
 	}
 	for _, tt := range tests {
@@ -88,6 +88,9 @@ func TestAppendAddLoginPolicyEvent(t *testing.T) {
 			if tt.result.DefaultLoginPolicy.AllowExternalIdp != tt.args.iam.DefaultLoginPolicy.AllowExternalIdp {
 				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultLoginPolicy.AllowExternalIdp, tt.args.iam.DefaultLoginPolicy.AllowExternalIdp)
 			}
+			if tt.result.DefaultLoginPolicy.ForceMFA != tt.args.iam.DefaultLoginPolicy.ForceMFA {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultLoginPolicy.ForceMFA, tt.args.iam.DefaultLoginPolicy.ForceMFA)
+			}
 		})
 	}
 }
@@ -110,14 +113,16 @@ func TestAppendChangeLoginPolicyEvent(t *testing.T) {
 					AllowExternalIdp:      false,
 					AllowRegister:         false,
 					AllowUsernamePassword: false,
+					ForceMFA:              false,
 				}},
-				policy: &LoginPolicy{AllowUsernamePassword: true, AllowRegister: true, AllowExternalIdp: true},
+				policy: &LoginPolicy{AllowUsernamePassword: true, AllowRegister: true, AllowExternalIdp: true, ForceMFA: true},
 				event:  &es_models.Event{},
 			},
 			result: &IAM{DefaultLoginPolicy: &LoginPolicy{
 				AllowExternalIdp:      true,
 				AllowRegister:         true,
 				AllowUsernamePassword: true,
+				ForceMFA:              true,
 			}},
 		},
 	}
@@ -137,6 +142,9 @@ func TestAppendChangeLoginPolicyEvent(t *testing.T) {
 			if tt.result.DefaultLoginPolicy.AllowExternalIdp != tt.args.iam.DefaultLoginPolicy.AllowExternalIdp {
 				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultLoginPolicy.AllowExternalIdp, tt.args.iam.DefaultLoginPolicy.AllowExternalIdp)
 			}
+			if tt.result.DefaultLoginPolicy.ForceMFA != tt.args.iam.DefaultLoginPolicy.ForceMFA {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultLoginPolicy.ForceMFA, tt.args.iam.DefaultLoginPolicy.ForceMFA)
+			}
 		})
 	}
 }
@@ -197,7 +205,7 @@ func TestAppendAddIdpToPolicyEvent(t *testing.T) {
 	}
 }
 
-func TestRemoveAddIdpToPolicyEvent(t *testing.T) {
+func TestRemoveIdpToPolicyEvent(t *testing.T) {
 	type args struct {
 		iam      *IAM
 		provider *IDPProvider
@@ -251,3 +259,171 @@ func TestRemoveAddIdpToPolicyEvent(t *testing.T) {
 		})
 	}
 }
+
+func TestAppendAddSecondFactorToPolicyEvent(t *testing.T) {
+	type args struct {
+		iam   *IAM
+		mfa   *MFA
+		event *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *IAM
+	}{
+		{
+			name: "append add second factor to login policy event",
+			args: args{
+				iam:   &IAM{DefaultLoginPolicy: &LoginPolicy{AllowExternalIdp: true, AllowRegister: true, AllowUsernamePassword: true}},
+				mfa:   &MFA{MfaType: int32(model.SecondFactorTypeOTP)},
+				event: &es_models.Event{},
+			},
+			result: &IAM{DefaultLoginPolicy: &LoginPolicy{
+				SecondFactors: []int32{
+					int32(model.SecondFactorTypeOTP),
+				}}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.mfa != nil {
+				data, _ := json.Marshal(tt.args.mfa)
+				tt.args.event.Data = data
+			}
+			tt.args.iam.appendAddSecondFactorToLoginPolicyEvent(tt.args.event)
+			if len(tt.result.DefaultLoginPolicy.SecondFactors) != len(tt.args.iam.DefaultLoginPolicy.SecondFactors) {
+				t.Errorf("got wrong second factors len: expected: %v, actual: %v ", len(tt.result.DefaultLoginPolicy.SecondFactors), len(tt.args.iam.DefaultLoginPolicy.SecondFactors))
+			}
+			if tt.result.DefaultLoginPolicy.SecondFactors[0] != tt.args.mfa.MfaType {
+				t.Errorf("got wrong second factor: expected: %v, actual: %v ", tt.result.DefaultLoginPolicy.SecondFactors[0], tt.args.mfa)
+			}
+		})
+	}
+}
+
+func TestRemoveSecondFactorToPolicyEvent(t *testing.T) {
+	type args struct {
+		iam   *IAM
+		mfa   *MFA
+		event *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *IAM
+	}{
+		{
+			name: "append remove second factor to login policy event",
+			args: args{
+				iam: &IAM{
+					DefaultLoginPolicy: &LoginPolicy{
+						SecondFactors: []int32{
+							int32(model.SecondFactorTypeOTP),
+						}}},
+				mfa:   &MFA{MfaType: int32(model.SecondFactorTypeOTP)},
+				event: &es_models.Event{},
+			},
+			result: &IAM{DefaultLoginPolicy: &LoginPolicy{
+				AllowExternalIdp:      true,
+				AllowRegister:         true,
+				AllowUsernamePassword: true,
+				SecondFactors:         []int32{}}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.mfa != nil {
+				data, _ := json.Marshal(tt.args.mfa)
+				tt.args.event.Data = data
+			}
+			tt.args.iam.appendRemoveSecondFactorFromLoginPolicyEvent(tt.args.event)
+			if len(tt.result.DefaultLoginPolicy.SecondFactors) != len(tt.args.iam.DefaultLoginPolicy.SecondFactors) {
+				t.Errorf("got wrong second factor len: expected: %v, actual: %v ", len(tt.result.DefaultLoginPolicy.SecondFactors), len(tt.args.iam.DefaultLoginPolicy.SecondFactors))
+			}
+		})
+	}
+}
+
+func TestAppendAddMultiFactorToPolicyEvent(t *testing.T) {
+	type args struct {
+		iam   *IAM
+		mfa   *MFA
+		event *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *IAM
+	}{
+		{
+			name: "append add mfa to login policy event",
+			args: args{
+				iam:   &IAM{DefaultLoginPolicy: &LoginPolicy{AllowExternalIdp: true, AllowRegister: true, AllowUsernamePassword: true}},
+				mfa:   &MFA{MfaType: int32(model.MultiFactorTypeU2FWithPIN)},
+				event: &es_models.Event{},
+			},
+			result: &IAM{DefaultLoginPolicy: &LoginPolicy{
+				MultiFactors: []int32{
+					int32(model.MultiFactorTypeU2FWithPIN),
+				}}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.mfa != nil {
+				data, _ := json.Marshal(tt.args.mfa)
+				tt.args.event.Data = data
+			}
+			tt.args.iam.appendAddMultiFactorToLoginPolicyEvent(tt.args.event)
+			if len(tt.result.DefaultLoginPolicy.MultiFactors) != len(tt.args.iam.DefaultLoginPolicy.MultiFactors) {
+				t.Errorf("got wrong mfas len: expected: %v, actual: %v ", len(tt.result.DefaultLoginPolicy.MultiFactors), len(tt.args.iam.DefaultLoginPolicy.MultiFactors))
+			}
+			if tt.result.DefaultLoginPolicy.MultiFactors[0] != tt.args.mfa.MfaType {
+				t.Errorf("got wrong mfa: expected: %v, actual: %v ", tt.result.DefaultLoginPolicy.MultiFactors[0], tt.args.mfa)
+			}
+		})
+	}
+}
+
+func TestRemoveMultiFactorToPolicyEvent(t *testing.T) {
+	type args struct {
+		iam   *IAM
+		mfa   *MFA
+		event *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *IAM
+	}{
+		{
+			name: "append remove mfa to login policy event",
+			args: args{
+				iam: &IAM{
+					DefaultLoginPolicy: &LoginPolicy{
+						MultiFactors: []int32{
+							int32(model.MultiFactorTypeU2FWithPIN),
+						}}},
+				mfa:   &MFA{MfaType: int32(model.MultiFactorTypeU2FWithPIN)},
+				event: &es_models.Event{},
+			},
+			result: &IAM{DefaultLoginPolicy: &LoginPolicy{
+				AllowExternalIdp:      true,
+				AllowRegister:         true,
+				AllowUsernamePassword: true,
+				MultiFactors:          []int32{}}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.mfa != nil {
+				data, _ := json.Marshal(tt.args.mfa)
+				tt.args.event.Data = data
+			}
+			tt.args.iam.appendRemoveMultiFactorFromLoginPolicyEvent(tt.args.event)
+			if len(tt.result.DefaultLoginPolicy.MultiFactors) != len(tt.args.iam.DefaultLoginPolicy.MultiFactors) {
+				t.Errorf("got wrong mfa len: expected: %v, actual: %v ", len(tt.result.DefaultLoginPolicy.MultiFactors), len(tt.args.iam.DefaultLoginPolicy.MultiFactors))
+			}
+		})
+	}
+}

internal/iam/repository/eventsourcing/model/types.go

@@ -30,8 +30,13 @@ const (
 	LoginPolicyIDPProviderAdded          models.EventType = "iam.policy.login.idpprovider.added"
 	LoginPolicyIDPProviderRemoved        models.EventType = "iam.policy.login.idpprovider.removed"
 	LoginPolicyIDPProviderCascadeRemoved models.EventType = "iam.policy.login.idpprovider.cascade.removed"
-	LabelPolicyAdded                     models.EventType = "iam.policy.label.added"
-	LabelPolicyChanged                   models.EventType = "iam.policy.label.changed"
+	LoginPolicySecondFactorAdded         models.EventType = "iam.policy.login.secondfactor.added"
+	LoginPolicySecondFactorRemoved       models.EventType = "iam.policy.login.secondfactor.removed"
+	LoginPolicyMultiFactorAdded          models.EventType = "iam.policy.login.multifactor.added"
+	LoginPolicyMultiFactorRemoved        models.EventType = "iam.policy.login.multifactor.removed"
+
+	LabelPolicyAdded   models.EventType = "iam.policy.label.added"
+	LabelPolicyChanged models.EventType = "iam.policy.label.changed"
 
 	PasswordComplexityPolicyAdded   models.EventType = "iam.policy.password.complexity.added"
 	PasswordComplexityPolicyChanged models.EventType = "iam.policy.password.complexity.changed"