feat: mfa policy (#913)

* feat: add mfa to login policy * feat: add mfa to login policy * feat: add mfa to login policy * feat: add mfa to login policy * feat: add mfa to login policy on org * feat: add mfa to login policy on org * feat: append events on policy views * feat: iam login policy mfa definition * feat: login policies on orgs * feat: configured mfas in login process * feat: configured mfas in login process * Update internal/ui/login/static/i18n/en.yaml Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: rename software and hardware mfas * fix: pr requests * fix user mfa * fix: test * fix: oidc version * fix: oidc version * fix: proto gen Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Max Peintner <max@caos.ch>
2025-12-06 07:12:17 +00:00 · 2020-11-04 11:26:10 +01:00
parent 51417be35d
commit 202aae4954
76 changed files with 12913 additions and 5614 deletions
--- a/pkg/grpc/management/proto/management.proto
+++ b/pkg/grpc/management/proto/management.proto
@@ -390,7 +390,7 @@ rpc GetUserByID(UserID) returns (UserView) {
    };
  }

-  rpc GetUserMfas(UserID) returns (MultiFactors) {
+  rpc GetUserMfas(UserID) returns (UserMultiFactors) {
    option (google.api.http) = {
      get: "/users/{id}/mfas"
    };
@@ -1363,6 +1363,68 @@ rpc GetUserByID(UserID) returns (UserView) {
    };
  }

+  rpc GetLoginPolicySecondFactors(google.protobuf.Empty) returns (SecondFactorsResult) {
+    option (google.api.http) = {
+            get: "/orgs/me/policies/login/secondfactors/_search"
+        };
+
+    option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.policy.read"
+        };
+  }
+
+  rpc AddSecondFactorToLoginPolicy(SecondFactor) returns (SecondFactor) {
+    option (google.api.http) = {
+            post: "/orgs/me/policies/login/secondfactors"
+            body: "*"
+        };
+
+    option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+  }
+
+  rpc RemoveSecondFactorFromLoginPolicy(SecondFactor) returns (google.protobuf.Empty) {
+    option (google.api.http) = {
+            delete: "/orgs/me/policies/login/secondfactors/{second_factor}"
+        };
+
+    option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+  }
+
+  rpc GetLoginPolicyMultiFactors(google.protobuf.Empty) returns (MultiFactorsResult) {
+    option (google.api.http) = {
+            get: "/orgs/me/policies/login/multifactors/_search"
+        };
+
+    option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.policy.read"
+        };
+  }
+
+  rpc AddMultiFactorToLoginPolicy(MultiFactor) returns (MultiFactor) {
+    option (google.api.http) = {
+            post: "/orgs/me/policies/login/multifactors"
+            body: "*"
+        };
+
+    option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+  }
+
+  rpc RemoveMultiFactorFromLoginPolicy(MultiFactor) returns (google.protobuf.Empty) {
+    option (google.api.http) = {
+            delete: "/orgs/me/policies/login/multifactors/{multi_factor}"
+        };
+
+    option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+  }
+
  rpc GetPasswordComplexityPolicy(google.protobuf.Empty) returns (PasswordComplexityPolicyView) {
    option (google.api.http) = {
      get: "/orgs/me/policies/password/complexity"
@@ -1950,11 +2012,11 @@ message UpdateUserAddressRequest {
  string street_address = 6 [(validate.rules).string = {max_len: 200}];
 }

-message MultiFactors {
-  repeated MultiFactor mfas = 1;
+message UserMultiFactors {
+  repeated UserMultiFactor mfas = 1;
 }

-message MultiFactor {
+message UserMultiFactor {
  MfaType type = 1;
  MFAState state = 2;
 }
@@ -2980,12 +3042,14 @@ message LoginPolicy {
    bool allow_external_idp = 3;
    google.protobuf.Timestamp creation_date = 4;
    google.protobuf.Timestamp change_date = 5;
+    bool force_mfa = 6;
 }

 message LoginPolicyRequest {
  bool allow_username_password = 1;
  bool allow_register = 2;
  bool allow_external_idp = 3;
+  bool force_mfa = 4;
 }

 message IdpProviderID {
@@ -3009,6 +3073,7 @@ message LoginPolicyView {
    bool allow_external_idp = 4;
    google.protobuf.Timestamp creation_date = 5;
    google.protobuf.Timestamp change_date = 6;
+    bool force_mfa = 7;
 }

 message IdpProviderView {
@@ -3081,6 +3146,33 @@ message ExternalIDPRemoveRequest {
  string external_user_id = 3;
 }

+message SecondFactorsResult {
+  repeated SecondFactorType second_factors = 1;
+}
+
+message SecondFactor {
+  SecondFactorType second_factor = 1;
+}
+
+enum SecondFactorType {
+  SECONDFACTORTYPE_UNSPECIFIED = 0;
+  SECONDFACTORTYPE_OTP = 1;
+  SECONDFACTORTYPE_U2F = 2;
+}
+
+message MultiFactorsResult {
+  repeated MultiFactorType multi_factors = 1;
+}
+
+message MultiFactor {
+  MultiFactorType multi_factor = 1;
+}
+
+enum MultiFactorType {
+  MULTIFACTORTYPE_UNSPECIFIED = 0;
+  MULTIFACTORTYPE_U2F_WITH_PIN = 1;
+}
+
 message PasswordComplexityPolicy {
  uint64 min_length = 1;
  bool has_lowercase = 2;