feat: mfa policy (#913)

* feat: add mfa to login policy

* feat: add mfa to login policy

* feat: add mfa to login policy

* feat: add mfa to login policy

* feat: add mfa to login policy on org

* feat: add mfa to login policy on org

* feat: append events on policy views

* feat: iam login policy mfa definition

* feat: login policies on orgs

* feat: configured mfas in login process

* feat: configured mfas in login process

* Update internal/ui/login/static/i18n/en.yaml

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* fix: rename software and hardware mfas

* fix: pr requests

* fix user mfa

* fix: test

* fix: oidc version

* fix: oidc version

* fix: proto gen

Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Max Peintner <max@caos.ch>
Fabi
2020-11-04 11:26:10 +01:00
committed by GitHub
parent 51417be35d
commit 202aae4954
76 changed files with 12913 additions and 5614 deletions


@@ -16,7 +16,7 @@ const (
)
type mfaInitVerifyData struct {
MfaType model.MfaType `schema:"mfaType"`
MfaType model.MFAType `schema:"mfaType"`
Code string `schema:"code"`
URL string `schema:"url"`
Secret string `schema:"secret"`
@@ -31,7 +31,7 @@ func (l *Login) handleMfaInitVerify(w http.ResponseWriter, r *http.Request) {
}
var verifyData *mfaVerifyData
switch data.MfaType {
case model.MfaTypeOTP:
case model.MFATypeOTP:
verifyData = l.handleOtpVerify(w, r, authReq, data)
}
@@ -69,7 +69,7 @@ func (l *Login) renderMfaInitVerify(w http.ResponseWriter, r *http.Request, auth
}
data.baseData = l.getBaseData(r, authReq, "Mfa Init Verify", errType, errMessage)
data.profileData = l.getProfileData(authReq)
if data.MfaType == model.MfaTypeOTP {
if data.MfaType == model.MFATypeOTP {
code, err := generateQrCode(data.otpData.Url)
if err == nil {
data.otpData.QrCode = code


@@ -12,7 +12,7 @@ const (
)
type mfaPromptData struct {
MfaProvider model.MfaType `schema:"provider"`
MfaProvider model.MFAType `schema:"provider"`
Skip bool `schema:"skip"`
}
@@ -78,7 +78,7 @@ func (l *Login) renderMfaPrompt(w http.ResponseWriter, r *http.Request, authReq
func (l *Login) handleMfaCreation(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *mfaVerifyData) {
switch data.MfaType {
case model.MfaTypeOTP:
case model.MFATypeOTP:
l.handleOtpCreation(w, r, authReq, data)
return
}


@@ -12,7 +12,7 @@ const (
)
type mfaVerifyFormData struct {
MfaType model.MfaType `schema:"mfaType"`
MfaType model.MFAType `schema:"mfaType"`
Code string `schema:"code"`
}
@@ -23,7 +23,7 @@ func (l *Login) handleMfaVerify(w http.ResponseWriter, r *http.Request) {
l.renderError(w, r, authReq, err)
return
}
if data.MfaType == model.MfaTypeOTP {
if data.MfaType == model.MFATypeOTP {
userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
err = l.authRepo.VerifyMfaOTP(setContext(r.Context(), authReq.UserOrgID), authReq.ID, authReq.UserID, data.Code, userAgentID, model.BrowserInfoFromRequest(r))
}


@@ -98,7 +98,7 @@ func CreateRenderer(pathPrefix string, staticDir http.FileSystem, cookieName str
"mfaPromptUrl": func() string {
return path.Join(r.pathPrefix, EndpointMfaPrompt)
},
"mfaPromptChangeUrl": func(id string, provider model.MfaType) string {
"mfaPromptChangeUrl": func(id string, provider model.MFAType) string {
return path.Join(r.pathPrefix, fmt.Sprintf("%s?%s=%s;%s=%v", EndpointMfaPrompt, queryAuthRequestID, id, "provider", provider))
},
"mfaInitVerifyUrl": func() string {
@@ -158,7 +158,7 @@ func (l *Login) renderNextStep(w http.ResponseWriter, r *http.Request, authReq *
userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
authReq, err := l.authRepo.AuthRequestByID(r.Context(), authReq.ID, userAgentID)
if err != nil {
l.renderInternalError(w, r, authReq, caos_errs.ThrowInternal(nil, "APP-sio0W", "could not get authreq"))
l.renderInternalError(w, r, authReq, caos_errs.ThrowInternal(err, "APP-sio0W", "could not get authreq"))
return
}
if len(authReq.PossibleSteps) == 0 {
@@ -356,8 +356,8 @@ type userData struct {
baseData
profileData
PasswordChecked string
MfaProviders []model.MfaType
SelectedMfaProvider model.MfaType
MfaProviders []model.MFAType
SelectedMfaProvider model.MFAType
Linking bool
}
@@ -386,21 +386,21 @@ type userSelectionData struct {
type mfaData struct {
baseData
profileData
MfaProviders []model.MfaType
MfaProviders []model.MFAType
MfaRequired bool
}
type mfaVerifyData struct {
baseData
profileData
MfaType model.MfaType
MfaType model.MFAType
otpData
}
type mfaDoneData struct {
baseData
profileData
MfaType model.MfaType
MfaType model.MFAType
}
type otpData struct {
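Review bot: `mfaPromptChangeUrl` builds its query string by hand on the line after the renamed signature (`fmt.Sprintf("%s?%s=%s;%s=%v", …)`): `id` is interpolated without `url.QueryEscape`, and `;` is used as the pair separator, which `net/url`'s query parsing no longer accepts as an alternative to `&` from Go 1.17 on, so the `provider` pair would then be dropped when the prompt handler decodes the form. The commit only changes the parameter type here, so the issue predates it, but this is the natural place to fix it; the enclosing `CreateRenderer` starts and ends outside the hunk. Building the query with `url.Values` (with `net/url` imported) escapes `id` and emits `&`; `fmt.Sprint(provider)` keeps the textual form the current `%v` produces, assuming that is what the handler's schema decoder expects — I can't confirm that from this hunk.

```go
"mfaPromptChangeUrl": func(id string, provider model.MFAType) string {
	q := url.Values{}
	q.Set(queryAuthRequestID, id)
	q.Set("provider", fmt.Sprint(provider))
	return path.Join(r.pathPrefix, EndpointMfaPrompt) + "?" + q.Encode()
},
```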


@@ -66,8 +66,8 @@ InitUserDone:
MfaPrompt:
Title: Multifaktor hinzufügen
Description: Möchtest du einen Mulitfaktor hinzufügen?
Provider0: OTP
Provider1: SMS
Provider0: OTP (One Time Password)
Provider1: U2F (Universal 2nd Factor)
MfaInitVerify:
Title: Multifaktor Verifizierung


@@ -66,8 +66,8 @@ InitUserDone:
MfaPrompt:
Title: Multifactor Setup
Description: Would you like to setup multifactor authentication?
Provider0: OTP
Provider1: SMS
Provider0: OTP (One Time Password)
Provider1: U2F (Universal 2nd Factor)
MfaInitVerify:
Title: Multifactor Verification