feat: mfa policy (#913)

* feat: add mfa to login policy * feat: add mfa to login policy * feat: add mfa to login policy * feat: add mfa to login policy * feat: add mfa to login policy on org * feat: add mfa to login policy on org * feat: append events on policy views * feat: iam login policy mfa definition * feat: login policies on orgs * feat: configured mfas in login process * feat: configured mfas in login process * Update internal/ui/login/static/i18n/en.yaml Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: rename software and hardware mfas * fix: pr requests * fix user mfa * fix: test * fix: oidc version * fix: oidc version * fix: proto gen Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Max Peintner <max@caos.ch>
2025-08-11 19:07:30 +00:00 · 2020-11-04 11:26:10 +01:00
parent 51417be35d
commit 202aae4954
76 changed files with 12913 additions and 5614 deletions
--- a/internal/user/model/user_session_view.go
+++ b/internal/user/model/user_session_view.go
@@ -8,23 +8,23 @@ import (
 )

 type UserSessionView struct {
-	CreationDate                time.Time
-	ChangeDate                  time.Time
-	State                       req_model.UserSessionState
-	ResourceOwner               string
-	UserAgentID                 string
-	UserID                      string
-	UserName                    string
-	LoginName                   string
-	DisplayName                 string
-	SelectedIDPConfigID         string
-	PasswordVerification        time.Time
-	ExternalLoginVerification   time.Time
-	MfaSoftwareVerification     time.Time
-	MfaSoftwareVerificationType req_model.MfaType
-	MfaHardwareVerification     time.Time
-	MfaHardwareVerificationType req_model.MfaType
-	Sequence                    uint64
+	CreationDate                 time.Time
+	ChangeDate                   time.Time
+	State                        req_model.UserSessionState
+	ResourceOwner                string
+	UserAgentID                  string
+	UserID                       string
+	UserName                     string
+	LoginName                    string
+	DisplayName                  string
+	SelectedIDPConfigID          string
+	PasswordVerification         time.Time
+	ExternalLoginVerification    time.Time
+	SecondFactorVerification     time.Time
+	SecondFactorVerificationType req_model.MFAType
+	MultiFactorVerification      time.Time
+	MultiFactorVerificationType  req_model.MFAType
+	Sequence                     uint64
 }

 type UserSessionSearchRequest struct {
--- a/internal/user/model/user_view.go
+++ b/internal/user/model/user_view.go
@@ -1,6 +1,7 @@
 package model

 import (
+	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"time"

 	req_model "github.com/caos/zitadel/internal/auth_request/model"
@@ -46,7 +47,7 @@ type HumanView struct {
 	Region                 string
 	StreetAddress          string
 	OTPState               MfaState
-	MfaMaxSetUp            req_model.MfaLevel
+	MfaMaxSetUp            req_model.MFALevel
 	MfaInitSkipped         time.Time
 	InitRequired           bool
 }
@@ -107,40 +108,87 @@ func (r *UserSearchRequest) AppendMyOrgQuery(orgID string) {
 	r.Queries = append(r.Queries, &UserSearchQuery{Key: UserSearchKeyResourceOwner, Method: model.SearchMethodEquals, Value: orgID})
 }

-func (u *UserView) MfaTypesSetupPossible(level req_model.MfaLevel) []req_model.MfaType {
-	types := make([]req_model.MfaType, 0)
+func (u *UserView) MfaTypesSetupPossible(level req_model.MFALevel, policy *iam_model.LoginPolicyView) []req_model.MFAType {
+	types := make([]req_model.MFAType, 0)
 	switch level {
 	default:
 		fallthrough
-	case req_model.MfaLevelSoftware:
-		if u.OTPState != MfaStateReady {
-			types = append(types, req_model.MfaTypeOTP)
+	case req_model.MFALevelSecondFactor:
+		if policy.HasSecondFactors() {
+			for _, mfaType := range policy.SecondFactors {
+				switch mfaType {
+				case iam_model.SecondFactorTypeOTP:
+					if u.OTPState != MfaStateReady {
+						types = append(types, req_model.MFATypeOTP)
+					}
+				}
+			}
 		}
+
 		//PLANNED: add sms
 		fallthrough
-	case req_model.MfaLevelHardware:
+	case req_model.MFALevelMultiFactor:
+		if policy.HasMultiFactors() {
+			for _, mfaType := range policy.MultiFactors {
+				switch mfaType {
+				case iam_model.MultiFactorTypeU2FWithPIN:
+					// TODO: Check if not set up already
+					// types = append(types, req_model.MFATypeU2F)
+				}
+			}
+		}
 		//PLANNED: add token
 	}
 	return types
 }

-func (u *UserView) MfaTypesAllowed(level req_model.MfaLevel) []req_model.MfaType {
-	types := make([]req_model.MfaType, 0)
+func (u *UserView) MfaTypesAllowed(level req_model.MFALevel, policy *iam_model.LoginPolicyView) []req_model.MFAType {
+	types := make([]req_model.MFAType, 0)
 	switch level {
 	default:
 		fallthrough
-	case req_model.MfaLevelSoftware:
-		if u.OTPState == MfaStateReady {
-			types = append(types, req_model.MfaTypeOTP)
+	case req_model.MFALevelSecondFactor:
+		if policy.HasSecondFactors() {
+			for _, mfaType := range policy.SecondFactors {
+				switch mfaType {
+				case iam_model.SecondFactorTypeOTP:
+					if u.OTPState == MfaStateReady {
+						types = append(types, req_model.MFATypeOTP)
+					}
+				}
+			}
 		}
 		//PLANNED: add sms
 		fallthrough
-	case req_model.MfaLevelHardware:
+	case req_model.MFALevelMultiFactor:
+		if policy.HasMultiFactors() {
+			for _, mfaType := range policy.MultiFactors {
+				switch mfaType {
+				case iam_model.MultiFactorTypeU2FWithPIN:
+					// TODO: Check if not set up already
+					// types = append(types, req_model.MFATypeU2F)
+				}
+			}
+		}
 		//PLANNED: add token
 	}
 	return types
 }

+func (u *UserView) HasRequiredOrgMFALevel(policy *iam_model.LoginPolicyView) bool {
+	if !policy.ForceMFA {
+		return true
+	}
+	switch u.MfaMaxSetUp {
+	case req_model.MFALevelSecondFactor:
+		return policy.HasSecondFactors()
+	case req_model.MFALevelMultiFactor:
+		return true
+	default:
+		return false
+	}
+}
+
 func (u *UserView) GetProfile() (*Profile, error) {
 	if u.HumanView == nil {
 		return nil, errors.ThrowPreconditionFailed(nil, "MODEL-WLTce", "Errors.User.NotHuman")