TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-12 11:47:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: add WebAuthN support for passwordless login and 2fa (#966)

Browse Source 
* at least registration prompt works

* in memory test for login

* buttons to start webauthn process

* begin eventstore impl

* begin eventstore impl

* serialize into bytes

* fix: u2f, passwordless types

* fix for localhost

* fix script

* fix: u2f, passwordless types

* fix: add u2f

* fix: verify u2f

* fix: session data in event store

* fix: u2f credentials in eventstore

* fix: webauthn pkg handles business models

* feat: tests

* feat: append events

* fix: test

* fix: check only ready webauthn creds

* fix: move u2f methods to authrepo

* frontend improvements

* fix return

* feat: add passwordless

* feat: add passwordless

* improve ui / error handling

* separate call for login

* fix login

* js

* feat: u2f login methods

* feat: remove unused session id

* feat: error handling

* feat: error handling

* feat: refactor user eventstore

* feat: finish webauthn

* feat: u2f and passwordlss in auth.proto

* u2f step

* passwordless step

* cleanup js

* EndpointPasswordLessLogin

* migration

* update mfaChecked test

* next step test

* token name

* cleanup

* attribute

* passwordless as tokens

* remove sms as otp type

* add "user" to amr for webauthn

* error handling

* fixes

* fix tests

* naming

* naming

* fixes

* session handler

* i18n

* error handling in login

* Update internal/ui/login/static/i18n/de.yaml

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* Update internal/ui/login/static/i18n/en.yaml

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* improvements

* merge fixes

* fixes

* fixes

Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
This commit is contained in:
Livio Amstutz
2020-12-02 17:00:04 +01:00
committed by GitHub
parent 184e79be97
commit 300ade66a7
115 changed files with 3383 additions and 740 deletions
Download Patch File Download Diff File Expand all files Collapse all files

501
internal/user/repository/eventsourcing/eventstore.go
View File

@@ -24,6 +24,7 @@ import (
"github.com/caos/zitadel/internal/telemetry/tracing"
usr_model "github.com/caos/zitadel/internal/user/model"
"github.com/caos/zitadel/internal/user/repository/eventsourcing/model"
webauthn_helper "github.com/caos/zitadel/internal/webauthn"
)
const (
@@ -45,6 +46,7 @@ type UserEventstore struct {
MachineKeySize int
Multifactors global_model.Multifactors
validateTOTP func(string, string) bool
webauthn *webauthn_helper.WebAuthN
}
type UserConfig struct {
@@ -66,9 +68,12 @@ func StartUser(conf UserConfig, systemDefaults sd.SystemDefaults) (*UserEventsto
emailVerificationCode := crypto.NewEncryptionGenerator(systemDefaults.SecretGenerators.EmailVerificationCode, aesCrypto)
phoneVerificationCode := crypto.NewEncryptionGenerator(systemDefaults.SecretGenerators.PhoneVerificationCode, aesCrypto)
passwordVerificationCode := crypto.NewEncryptionGenerator(systemDefaults.SecretGenerators.PasswordVerificationCode, aesCrypto)
aesOtpCrypto, err := crypto.NewAESCrypto(systemDefaults.Multifactors.OTP.VerificationKey)
aesOTPCrypto, err := crypto.NewAESCrypto(systemDefaults.Multifactors.OTP.VerificationKey)
passwordAlg := crypto.NewBCrypt(systemDefaults.SecretGenerators.PasswordSaltCost)
web, err := webauthn_helper.StartServer(systemDefaults.WebAuthN.DisplayName, systemDefaults.WebAuthN.ID, systemDefaults.WebAuthN.Origin)
if err != nil {
return nil, err
}
return &UserEventstore{
Eventstore: conf.Eventstore,
userCache: userCache,
@@ -80,7 +85,7 @@ func StartUser(conf UserConfig, systemDefaults sd.SystemDefaults) (*UserEventsto
PasswordVerificationCode: passwordVerificationCode,
Multifactors: global_model.Multifactors{
OTP: global_model.OTP{
CryptoMFA: aesOtpCrypto,
CryptoMFA: aesOTPCrypto,
Issuer: systemDefaults.Multifactors.OTP.Issuer,
},
},
@@ -88,6 +93,7 @@ func StartUser(conf UserConfig, systemDefaults sd.SystemDefaults) (*UserEventsto
validateTOTP: totp.Validate,
MachineKeyAlg: aesCrypto,
MachineKeySize: int(systemDefaults.SecretGenerators.MachineKeySize),
webauthn: web,
}, nil
}
@@ -109,6 +115,20 @@ func (es *UserEventstore) UserByID(ctx context.Context, id string) (*usr_model.U
return model.UserToModel(user), nil
}
func (es *UserEventstore) HumanByID(ctx context.Context, userID string) (*usr_model.User, error) {
if userID == "" {
return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-3M9sf", "Errors.User.UserIDMissing")
}
user, err := es.UserByID(ctx, userID)
if err != nil {
return nil, err
}
if user.Human == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-jLHYG", "Errors.User.NotHuman")
}
return user, nil
}
func (es *UserEventstore) UserEventsByID(ctx context.Context, id string, sequence uint64) ([]*es_models.Event, error) {
query, err := UserByIDQuery(id, sequence)
if err != nil {
@@ -404,17 +424,10 @@ func ChangesQuery(userID string, latestSequence, limit uint64, sortAscending boo
}
func (es *UserEventstore) InitializeUserCodeByID(ctx context.Context, userID string) (*usr_model.InitUserCode, error) {
if userID == "" {
return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-d8diw", "Errors.User.UserIDMissing")
}
user, err := es.UserByID(ctx, userID)
user, err := es.HumanByID(ctx, userID)
if err != nil {
return nil, err
}
if user.Human == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-mDPtj", "Errors.User.NotHuman")
}
if user.InitCode != nil {
return user.InitCode, nil
}
@@ -422,16 +435,10 @@ func (es *UserEventstore) InitializeUserCodeByID(ctx context.Context, userID str
}
func (es *UserEventstore) CreateInitializeUserCodeByID(ctx context.Context, userID string) (*usr_model.InitUserCode, error) {
if userID == "" {
return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-dic8s", "Errors.User.UserIDMissing")
}
user, err := es.UserByID(ctx, userID)
user, err := es.HumanByID(ctx, userID)
if err != nil {
return nil, err
}
if user.Human == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-9bbXj", "Errors.User.NotHuman")
}
initCode := new(usr_model.InitUserCode)
err = initCode.GenerateInitUserCode(es.InitializeUserCode)
@@ -452,16 +459,10 @@ func (es *UserEventstore) CreateInitializeUserCodeByID(ctx context.Context, user
}
func (es *UserEventstore) InitCodeSent(ctx context.Context, userID string) error {
if userID == "" {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-0posw", "Errors.User.UserIDMissing")
}
user, err := es.UserByID(ctx, userID)
user, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
if user.Human == nil {
return errors.ThrowPreconditionFailed(nil, "EVENT-SvPa6", "Errors.User.NotHuman")
}
repoUser := model.UserFromModel(user)
agg := UserInitCodeSentAggregate(es.AggregateCreator(), repoUser)
@@ -474,24 +475,18 @@ func (es *UserEventstore) InitCodeSent(ctx context.Context, userID string) error
}
func (es *UserEventstore) VerifyInitCode(ctx context.Context, policy *iam_model.PasswordComplexityPolicyView, userID, verificationCode, password string) error {
if userID == "" {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-lo9fd", "Errors.User.UserIDMissing")
user, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
if verificationCode == "" {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-lo9fd", "Errors.User.Code.Empty")
}
pw := &usr_model.Password{SecretString: password}
err := pw.HashPasswordIfExisting(policy, es.PasswordAlg, false)
err = pw.HashPasswordIfExisting(policy, es.PasswordAlg, false)
if err != nil {
return err
}
user, err := es.UserByID(ctx, userID)
if err != nil {
return err
}
if user.Human == nil {
return errors.ThrowPreconditionFailed(nil, "EVENT-b3xda", "Errors.User.NotHuman")
}
if user.InitCode == nil {
return caos_errs.ThrowNotFound(nil, "EVENT-spo9W", "Errors.User.Code.NotFound")
}
@@ -514,20 +509,14 @@ func (es *UserEventstore) VerifyInitCode(ctx context.Context, policy *iam_model.
return nil
}
func (es *UserEventstore) SkipMfaInit(ctx context.Context, userID string) error {
if userID == "" {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-dic8s", "Errors.User.UserIDMissing")
}
user, err := es.UserByID(ctx, userID)
func (es *UserEventstore) SkipMFAInit(ctx context.Context, userID string) error {
user, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
if user.Human == nil {
return errors.ThrowPreconditionFailed(nil, "EVENT-S1tdl", "Errors.User.NotHuman")
}
repoUser := model.UserFromModel(user)
agg := SkipMfaAggregate(es.AggregateCreator(), repoUser)
agg := SkipMFAAggregate(es.AggregateCreator(), repoUser)
err = es_sdk.Push(ctx, es.PushAggregates, repoUser.AppendEvents, agg)
if err != nil {
return err
@@ -537,16 +526,10 @@ func (es *UserEventstore) SkipMfaInit(ctx context.Context, userID string) error
}
func (es *UserEventstore) UserPasswordByID(ctx context.Context, userID string) (*usr_model.Password, error) {
if userID == "" {
return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-di834", "Errors.User.UserIDMissing")
}
user, err := es.UserByID(ctx, userID)
user, err := es.HumanByID(ctx, userID)
if err != nil {
return nil, err
}
if user.Human == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-jLHYG", "Errors.User.NotHuman")
}
if user.Password != nil {
return user.Password, nil
@@ -557,13 +540,10 @@ func (es *UserEventstore) UserPasswordByID(ctx context.Context, userID string) (
func (es *UserEventstore) CheckPassword(ctx context.Context, userID, password string, authRequest *req_model.AuthRequest) (err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
user, err := es.UserByID(ctx, userID)
user, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
if user.Human == nil {
return errors.ThrowPreconditionFailed(nil, "EVENT-HxcAx", "Errors.User.NotHuman")
}
if user.Password == nil {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-s35Fa", "Errors.User.Password.Empty")
}
@@ -594,24 +574,18 @@ func (es *UserEventstore) setPasswordCheckResult(ctx context.Context, user *usr_
}
func (es *UserEventstore) SetOneTimePassword(ctx context.Context, policy *iam_model.PasswordComplexityPolicyView, password *usr_model.Password) (*usr_model.Password, error) {
user, err := es.UserByID(ctx, password.AggregateID)
user, err := es.HumanByID(ctx, password.AggregateID)
if err != nil {
return nil, err
}
if user.Human == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-PjDfJ", "Errors.User.NotHuman")
}
return es.changedPassword(ctx, user, policy, password.SecretString, true)
}
func (es *UserEventstore) SetPassword(ctx context.Context, policy *iam_model.PasswordComplexityPolicyView, userID, code, password string) error {
user, err := es.UserByID(ctx, userID)
user, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
if user.Human == nil {
return errors.ThrowPreconditionFailed(nil, "EVENT-pHkAQ", "Errors.User.NotHuman")
}
if user.PasswordCode == nil {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-65sdr", "Errors.User.Code.NotFound")
}
@@ -623,13 +597,10 @@ func (es *UserEventstore) SetPassword(ctx context.Context, policy *iam_model.Pas
}
func (es *UserEventstore) ExternalLoginChecked(ctx context.Context, userID string, authRequest *req_model.AuthRequest) error {
user, err := es.UserByID(ctx, userID)
user, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
if user.Human == nil {
return errors.ThrowPreconditionFailed(nil, "EVENT-Gns8i", "Errors.User.NotHuman")
}
repoUser := model.UserFromModel(user)
repoAuthRequest := model.AuthRequestFromModel(authRequest)
agg := ExternalLoginCheckSucceededAggregate(es.AggregateCreator(), repoUser, repoAuthRequest)
@@ -687,13 +658,11 @@ func (es *UserEventstore) ChangeMachine(ctx context.Context, machine *usr_model.
func (es *UserEventstore) ChangePassword(ctx context.Context, policy *iam_model.PasswordComplexityPolicyView, userID, old, new string) (_ *usr_model.Password, err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
user, err := es.UserByID(ctx, userID)
user, err := es.HumanByID(ctx, userID)
if err != nil {
return nil, err
}
if user.Human == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-9AuLE", "Errors.User.NotHuman")
}
if user.Password == nil {
return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-Fds3s", "Errors.User.Password.Empty")
}
@@ -727,16 +696,10 @@ func (es *UserEventstore) changedPassword(ctx context.Context, user *usr_model.U
}
func (es *UserEventstore) RequestSetPassword(ctx context.Context, userID string, notifyType usr_model.NotificationType) error {
if userID == "" {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-dic8s", "Errors.User.UserIDMissing")
}
user, err := es.UserByID(ctx, userID)
user, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
if user.Human == nil {
return errors.ThrowPreconditionFailed(nil, "EVENT-33ywz", "Errors.User.NotHuman")
}
if user.State == usr_model.UserStateInitial {
return errors.ThrowPreconditionFailed(nil, "EVENT-Hs11s", "Errors.User.NotInitialised")
}
@@ -787,16 +750,10 @@ func (es *UserEventstore) ResendInitialMail(ctx context.Context, userID, email s
}
func (es *UserEventstore) PasswordCodeSent(ctx context.Context, userID string) error {
if userID == "" {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-s09ow", "Errors.User.UserIDMissing")
}
user, err := es.UserByID(ctx, userID)
user, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
if user.Human == nil {
return errors.ThrowPreconditionFailed(nil, "EVENT-tbVAo", "Errors.User.NotHuman")
}
repoUser := model.UserFromModel(user)
agg := PasswordCodeSentAggregate(es.AggregateCreator(), repoUser)
@@ -812,13 +769,10 @@ func (es *UserEventstore) AddExternalIDP(ctx context.Context, externalIDP *usr_m
if externalIDP == nil || !externalIDP.IsValid() {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Ek9s", "Errors.User.ExternalIDP.Invalid")
}
existingUser, err := es.UserByID(ctx, externalIDP.AggregateID)
existingUser, err := es.HumanByID(ctx, externalIDP.AggregateID)
if err != nil {
return nil, err
}
if existingUser.Human == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Cnk8s", "Errors.User.NotHuman")
}
repoUser := model.UserFromModel(existingUser)
repoExternalIDP := model.ExternalIDPFromModel(externalIDP)
aggregates, err := ExternalIDPAddedAggregate(ctx, es.Eventstore.AggregateCreator(), repoUser, repoExternalIDP)
@@ -846,13 +800,10 @@ func (es *UserEventstore) BulkAddExternalIDPs(ctx context.Context, userID string
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-idue3", "Errors.User.ExternalIDP.Invalid")
}
}
existingUser, err := es.UserByID(ctx, userID)
existingUser, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
if existingUser.Human == nil {
return errors.ThrowPreconditionFailed(nil, "EVENT-Cnk8s", "Errors.User.NotHuman")
}
repoUser := model.UserFromModel(existingUser)
repoExternalIDPs := model.ExternalIDPsFromModel(externalIDPs)
aggregates, err := ExternalIDPAddedAggregate(ctx, es.Eventstore.AggregateCreator(), repoUser, repoExternalIDPs...)
@@ -872,13 +823,10 @@ func (es *UserEventstore) PrepareRemoveExternalIDP(ctx context.Context, external
if externalIDP == nil || !externalIDP.IsValid() {
return nil, nil, errors.ThrowPreconditionFailed(nil, "EVENT-Cm8sj", "Errors.User.ExternalIDP.Invalid")
}
existingUser, err := es.UserByID(ctx, externalIDP.AggregateID)
existingUser, err := es.HumanByID(ctx, externalIDP.AggregateID)
if err != nil {
return nil, nil, err
}
if existingUser.Human == nil {
return nil, nil, errors.ThrowPreconditionFailed(nil, "EVENT-E8iod", "Errors.User.NotHuman")
}
_, existingIDP := existingUser.GetExternalIDP(externalIDP)
if existingIDP == nil {
return nil, nil, errors.ThrowPreconditionFailed(nil, "EVENT-3Dh7s", "Errors.User.ExternalIDP.NotOnUser")
@@ -906,16 +854,10 @@ func (es *UserEventstore) RemoveExternalIDP(ctx context.Context, externalIDP *us
}
func (es *UserEventstore) ProfileByID(ctx context.Context, userID string) (*usr_model.Profile, error) {
if userID == "" {
return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-di834", "Errors.User.UserIDMissing")
}
user, err := es.UserByID(ctx, userID)
user, err := es.HumanByID(ctx, userID)
if err != nil {
return nil, err
}
if user.Human == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-BaE4M", "Errors.User.NotHuman")
}
if user.Profile != nil {
return user.Profile, nil
@@ -928,13 +870,10 @@ func (es *UserEventstore) ChangeProfile(ctx context.Context, profile *usr_model.
if !profile.IsValid() {
return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-d82i3", "Errors.User.ProfileInvalid")
}
user, err := es.UserByID(ctx, profile.AggregateID)
user, err := es.HumanByID(ctx, profile.AggregateID)
if err != nil {
return nil, err
}
if user.Human == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Xhw8Y", "Errors.User.NotHuman")
}
repoUser := model.UserFromModel(user)
repoProfile := model.ProfileFromModel(profile)
@@ -950,16 +889,10 @@ func (es *UserEventstore) ChangeProfile(ctx context.Context, profile *usr_model.
}
func (es *UserEventstore) EmailByID(ctx context.Context, userID string) (*usr_model.Email, error) {
if userID == "" {
return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-di834", "Errors.User.UserIDMissing")
}
user, err := es.UserByID(ctx, userID)
user, err := es.HumanByID(ctx, userID)
if err != nil {
return nil, err
}
if user.Human == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-zHtOg", "Errors.User.NotHuman")
}
if user.Email != nil {
return user.Email, nil
@@ -971,13 +904,10 @@ func (es *UserEventstore) ChangeEmail(ctx context.Context, email *usr_model.Emai
if !email.IsValid() {
return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-lco09", "Errors.User.EmailInvalid")
}
user, err := es.UserByID(ctx, email.AggregateID)
user, err := es.HumanByID(ctx, email.AggregateID)
if err != nil {
return nil, err
}
if user.Human == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-tgBdL", "Errors.User.NotHuman")
}
if user.State == usr_model.UserStateInitial {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-3H4q", "Errors.User.NotInitialised")
}
@@ -1005,18 +935,12 @@ func (es *UserEventstore) ChangeEmail(ctx context.Context, email *usr_model.Emai
}
func (es *UserEventstore) VerifyEmail(ctx context.Context, userID, verificationCode string) error {
if userID == "" {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-lo9fd", "Errors.User.UserIDMissing")
}
if verificationCode == "" {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-skDws", "Errors.User.Code.Empty")
}
user, err := es.UserByID(ctx, userID)
user, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
if user.Human == nil {
return errors.ThrowPreconditionFailed(nil, "EVENT-YgXu6", "Errors.User.NotHuman")
if verificationCode == "" {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-skDws", "Errors.User.Code.Empty")
}
if user.EmailCode == nil {
return caos_errs.ThrowNotFound(nil, "EVENT-lso9w", "Errors.User.Code.NotFound")
@@ -1043,16 +967,10 @@ func (es *UserEventstore) setEmailVerifyResult(ctx context.Context, user *usr_mo
}
func (es *UserEventstore) CreateEmailVerificationCode(ctx context.Context, userID string) error {
if userID == "" {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-lco09", "Errors.User.UserIDMissing")
}
user, err := es.UserByID(ctx, userID)
user, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
if user.Human == nil {
return errors.ThrowPreconditionFailed(nil, "EVENT-hqUZP", "Errors.User.NotHuman")
}
if user.State == usr_model.UserStateInitial {
return errors.ThrowPreconditionFailed(nil, "EVENT-E3fbw", "Errors.User.NotInitialised")
}
@@ -1082,16 +1000,10 @@ func (es *UserEventstore) CreateEmailVerificationCode(ctx context.Context, userI
}
func (es *UserEventstore) EmailVerificationCodeSent(ctx context.Context, userID string) error {
if userID == "" {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-spo0w", "Errors.User.UserIDMissing")
}
user, err := es.UserByID(ctx, userID)
user, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
if user.Human == nil {
return errors.ThrowPreconditionFailed(nil, "EVENT-BcFVd", "Errors.User.NotHuman")
}
repoUser := model.UserFromModel(user)
agg := EmailCodeSentAggregate(es.AggregateCreator(), repoUser)
@@ -1104,16 +1016,10 @@ func (es *UserEventstore) EmailVerificationCodeSent(ctx context.Context, userID
}
func (es *UserEventstore) PhoneByID(ctx context.Context, userID string) (*usr_model.Phone, error) {
if userID == "" {
return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-do9se", "Errors.User.UserIDMissing")
}
user, err := es.UserByID(ctx, userID)
user, err := es.HumanByID(ctx, userID)
if err != nil {
return nil, err
}
if user.Human == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-LwQeA", "Errors.User.NotHuman")
}
if user.Phone != nil {
return user.Phone, nil
@@ -1125,13 +1031,10 @@ func (es *UserEventstore) ChangePhone(ctx context.Context, phone *usr_model.Phon
if !phone.IsValid() {
return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-do9s4", "Errors.User.PhoneInvalid")
}
user, err := es.UserByID(ctx, phone.AggregateID)
user, err := es.HumanByID(ctx, phone.AggregateID)
if err != nil {
return nil, err
}
if user.Human == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-oREkn", "Errors.User.NotHuman")
}
phoneCode, err := phone.GeneratePhoneCodeIfNeeded(es.PhoneVerificationCode)
if err != nil {
@@ -1156,13 +1059,10 @@ func (es *UserEventstore) VerifyPhone(ctx context.Context, userID, verificationC
if userID == "" || verificationCode == "" {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-dsi8s", "Errors.User.UserIDMissing")
}
user, err := es.UserByID(ctx, userID)
user, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
if user.Human == nil {
return errors.ThrowPreconditionFailed(nil, "EVENT-UspdK", "Errors.User.NotHuman")
}
if user.PhoneCode == nil {
return caos_errs.ThrowNotFound(nil, "EVENT-slp0s", "Errors.User.Code.NotFound")
}
@@ -1188,16 +1088,10 @@ func (es *UserEventstore) setPhoneVerifyResult(ctx context.Context, user *usr_mo
}
func (es *UserEventstore) CreatePhoneVerificationCode(ctx context.Context, userID string) error {
if userID == "" {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-do9sw", "Errors.User.UserIDMissing")
}
user, err := es.UserByID(ctx, userID)
user, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
if user.Human == nil {
return errors.ThrowPreconditionFailed(nil, "EVENT-eEi05", "Errors.User.NotHuman")
}
if user.Phone == nil {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-sp9fs", "Errors.User.PhoneNotFound")
}
@@ -1224,16 +1118,10 @@ func (es *UserEventstore) CreatePhoneVerificationCode(ctx context.Context, userI
}
func (es *UserEventstore) PhoneVerificationCodeSent(ctx context.Context, userID string) error {
if userID == "" {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-sp0wa", "Errors.User.UserIDMissing")
}
user, err := es.UserByID(ctx, userID)
user, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
if user.Human == nil {
return errors.ThrowPreconditionFailed(nil, "EVENT-5bhOP", "Errors.User.NotHuman")
}
repoUser := model.UserFromModel(user)
agg := PhoneCodeSentAggregate(es.AggregateCreator(), repoUser)
@@ -1246,13 +1134,10 @@ func (es *UserEventstore) PhoneVerificationCodeSent(ctx context.Context, userID
}
func (es *UserEventstore) RemovePhone(ctx context.Context, userID string) error {
user, err := es.UserByID(ctx, userID)
user, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
if user.Human == nil {
return errors.ThrowPreconditionFailed(nil, "EVENT-Satfl", "Errors.User.NotHuman")
}
repoUser := model.UserFromModel(user)
removeAggregate := PhoneRemovedAggregate(es.AggregateCreator(), repoUser)
err = es_sdk.Push(ctx, es.PushAggregates, repoUser.AppendEvents, removeAggregate)
@@ -1265,16 +1150,10 @@ func (es *UserEventstore) RemovePhone(ctx context.Context, userID string) error
}
func (es *UserEventstore) AddressByID(ctx context.Context, userID string) (*usr_model.Address, error) {
if userID == "" {
return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-di8ws", "Errors.User.UserIDMissing")
}
user, err := es.UserByID(ctx, userID)
user, err := es.HumanByID(ctx, userID)
if err != nil {
return nil, err
}
if user.Human == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-pHrLu", "Errors.User.NotHuman")
}
if user.Address != nil {
return user.Address, nil
@@ -1283,13 +1162,10 @@ func (es *UserEventstore) AddressByID(ctx context.Context, userID string) (*usr_
}
func (es *UserEventstore) ChangeAddress(ctx context.Context, address *usr_model.Address) (*usr_model.Address, error) {
user, err := es.UserByID(ctx, address.AggregateID)
user, err := es.HumanByID(ctx, address.AggregateID)
if err != nil {
return nil, err
}
if user.Human == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-crpHD", "Errors.User.NotHuman")
}
repoUser := model.UserFromModel(user)
repoAddress := model.AddressFromModel(address)
@@ -1304,15 +1180,12 @@ func (es *UserEventstore) ChangeAddress(ctx context.Context, address *usr_model.
}
func (es *UserEventstore) AddOTP(ctx context.Context, userID, accountName string) (*usr_model.OTP, error) {
user, err := es.UserByID(ctx, userID)
user, err := es.HumanByID(ctx, userID)
if err != nil {
return nil, err
}
if user.Human == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-XJvu3", "Errors.User.NotHuman")
}
if user.IsOTPReady() {
return nil, caos_errs.ThrowAlreadyExists(nil, "EVENT-do9se", "Errors.User.Mfa.Otp.AlreadyReady")
return nil, caos_errs.ThrowAlreadyExists(nil, "EVENT-do9se", "Errors.User.MFA.OTP.AlreadyReady")
}
if accountName == "" {
accountName = user.UserName
@@ -1344,15 +1217,12 @@ func (es *UserEventstore) AddOTP(ctx context.Context, userID, accountName string
}
func (es *UserEventstore) RemoveOTP(ctx context.Context, userID string) error {
user, err := es.UserByID(ctx, userID)
user, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
if user.Human == nil {
return errors.ThrowPreconditionFailed(nil, "EVENT-WsBv9", "Errors.User.NotHuman")
}
if user.OTP == nil {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-sp0de", "Errors.User.Mfa.Otp.NotExisting")
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-sp0de", "Errors.User.MFA.OTP.NotExisting")
}
repoUser := model.UserFromModel(user)
updateAggregate := MFAOTPRemoveAggregate(es.AggregateCreator(), repoUser)
@@ -1365,21 +1235,18 @@ func (es *UserEventstore) RemoveOTP(ctx context.Context, userID string) error {
return nil
}
func (es *UserEventstore) CheckMfaOTPSetup(ctx context.Context, userID, code string) error {
user, err := es.UserByID(ctx, userID)
func (es *UserEventstore) CheckMFAOTPSetup(ctx context.Context, userID, code string) error {
user, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
if user.Human == nil {
return errors.ThrowPreconditionFailed(nil, "EVENT-7zRQM", "Errors.User.NotHuman")
}
if user.OTP == nil {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-yERHV", "Errors.Users.Mfa.Otp.NotExisting")
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-yERHV", "Errors.Users.MFA.OTP.NotExisting")
}
if user.IsOTPReady() {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-qx4ls", "Errors.Users.Mfa.Otp.AlreadyReady")
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-qx4ls", "Errors.Users.MFA.OTP.AlreadyReady")
}
if err := es.verifyMfaOTP(user.OTP, code); err != nil {
if err := es.verifyMFAOTP(user.OTP, code); err != nil {
return err
}
repoUser := model.UserFromModel(user)
@@ -1392,23 +1259,20 @@ func (es *UserEventstore) CheckMfaOTPSetup(ctx context.Context, userID, code str
return nil
}
func (es *UserEventstore) CheckMfaOTP(ctx context.Context, userID, code string, authRequest *req_model.AuthRequest) error {
user, err := es.UserByID(ctx, userID)
func (es *UserEventstore) CheckMFAOTP(ctx context.Context, userID, code string, authRequest *req_model.AuthRequest) error {
user, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
if user.Human == nil {
return errors.ThrowPreconditionFailed(nil, "EVENT-ckqn5", "Errors.User.NotHuman")
}
if !user.IsOTPReady() {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-sd5NJ", "Errors.User.Mfa.Otp.NotReady")
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-sd5NJ", "Errors.User.MFA.OTP.NotReady")
}
repoUser := model.UserFromModel(user)
repoAuthReq := model.AuthRequestFromModel(authRequest)
var aggregate func(*es_models.AggregateCreator, *model.User, *model.AuthRequest) es_sdk.AggregateFunc
var checkErr error
if checkErr = es.verifyMfaOTP(user.OTP, code); checkErr != nil {
if checkErr = es.verifyMFAOTP(user.OTP, code); checkErr != nil {
aggregate = MFAOTPCheckFailedAggregate
} else {
aggregate = MFAOTPCheckSucceededAggregate
@@ -1425,7 +1289,7 @@ func (es *UserEventstore) CheckMfaOTP(ctx context.Context, userID, code string,
return nil
}
func (es *UserEventstore) verifyMfaOTP(otp *usr_model.OTP, code string) error {
func (es *UserEventstore) verifyMFAOTP(otp *usr_model.OTP, code string) error {
decrypt, err := crypto.DecryptString(otp.Secret, es.Multifactors.OTP.CryptoMFA)
if err != nil {
return err
@@ -1433,11 +1297,222 @@ func (es *UserEventstore) verifyMfaOTP(otp *usr_model.OTP, code string) error {
valid := es.validateTOTP(code, decrypt)
if !valid {
return caos_errs.ThrowInvalidArgument(nil, "EVENT-8isk2", "Errors.User.Mfa.Otp.InvalidCode")
return caos_errs.ThrowInvalidArgument(nil, "EVENT-8isk2", "Errors.User.MFA.OTP.InvalidCode")
}
return nil
}
func (es *UserEventstore) AddU2F(ctx context.Context, userID string) (*usr_model.WebAuthNToken, error) {
user, err := es.HumanByID(ctx, userID)
if err != nil {
return nil, err
}
webAuthN, err := es.webauthn.BeginRegistration(user, usr_model.AuthenticatorAttachmentUnspecified, usr_model.UserVerificationRequirementDiscouraged, user.U2FTokens...)
if err != nil {
return nil, err
}
tokenID, err := es.idGenerator.Next()
if err != nil {
return nil, err
}
webAuthN.WebAuthNTokenID = tokenID
repoUser := model.UserFromModel(user)
repoWebAuthN := model.WebAuthNFromModel(webAuthN)
err = es_sdk.Push(ctx, es.PushAggregates, repoUser.AppendEvents, MFAU2FAddAggregate(es.AggregateCreator(), repoUser, repoWebAuthN))
if err != nil {
return nil, err
}
return webAuthN, nil
}
func (es *UserEventstore) VerifyU2FSetup(ctx context.Context, userID, tokenName string, credentialData []byte) error {
user, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
_, token := user.Human.GetU2FToVerify()
webAuthN, err := es.webauthn.FinishRegistration(user, token, tokenName, credentialData)
if err != nil {
return err
}
repoUser := model.UserFromModel(user)
repoWebAuthN := model.WebAuthNVerifyFromModel(webAuthN)
err = es_sdk.Push(ctx, es.PushAggregates, repoUser.AppendEvents, MFAU2FVerifyAggregate(es.AggregateCreator(), repoUser, repoWebAuthN))
if err != nil {
return err
}
es.userCache.cacheUser(repoUser)
return nil
}
func (es *UserEventstore) RemoveU2FToken(ctx context.Context, userID, webAuthNTokenID string) error {
user, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
if _, token := user.Human.GetU2F(webAuthNTokenID); token == nil {
return errors.ThrowPreconditionFailed(nil, "EVENT-2M9ds", "Errors.User.NotHuman")
}
repoUser := model.UserFromModel(user)
err = es_sdk.Push(ctx, es.PushAggregates, repoUser.AppendEvents, MFAU2FRemoveAggregate(es.AggregateCreator(), repoUser, &model.WebAuthNTokenID{webAuthNTokenID}))
if err != nil {
return err
}
es.userCache.cacheUser(repoUser)
return nil
}
func (es *UserEventstore) BeginU2FLogin(ctx context.Context, userID string, authRequest *req_model.AuthRequest) (*usr_model.WebAuthNLogin, error) {
user, err := es.HumanByID(ctx, userID)
if err != nil {
return nil, err
}
if user.U2FTokens == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-5Mk8s", "Errors.User.MFA.U2F.NotExisting")
}
webAuthNLogin, err := es.webauthn.BeginLogin(user, usr_model.UserVerificationRequirementDiscouraged, user.U2FTokens...)
if err != nil {
return nil, err
}
webAuthNLogin.AuthRequest = authRequest
repoUser := model.UserFromModel(user)
repoWebAuthNLogin := model.WebAuthNLoginFromModel(webAuthNLogin)
err = es_sdk.Push(ctx, es.PushAggregates, repoUser.AppendEvents, MFAU2FBeginLoginAggregate(es.AggregateCreator(), repoUser, repoWebAuthNLogin))
if err != nil {
return nil, err
}
return webAuthNLogin, nil
}
func (es *UserEventstore) VerifyMFAU2F(ctx context.Context, userID string, credentialData []byte, authRequest *req_model.AuthRequest) error {
user, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
_, u2f := user.GetU2FLogin(authRequest.ID)
keyID, signCount, finishErr := es.webauthn.FinishLogin(user, u2f, credentialData, user.U2FTokens...)
if finishErr != nil && keyID == nil {
return finishErr
}
_, token := user.GetU2FByKeyID(keyID)
repoUser := model.UserFromModel(user)
repoAuthRequest := model.AuthRequestFromModel(authRequest)
signAgg := MFAU2FSignCountAggregate(es.AggregateCreator(), repoUser, &model.WebAuthNSignCount{WebauthNTokenID: token.WebAuthNTokenID, SignCount: signCount}, repoAuthRequest, finishErr == nil)
err = es_sdk.Push(ctx, es.PushAggregates, repoUser.AppendEvents, signAgg)
if err != nil {
return err
}
return finishErr
}
func (es *UserEventstore) AddPasswordless(ctx context.Context, userID string) (*usr_model.WebAuthNToken, error) {
user, err := es.HumanByID(ctx, userID)
if err != nil {
return nil, err
}
webAuthN, err := es.webauthn.BeginRegistration(user, usr_model.AuthenticatorAttachmentUnspecified, usr_model.UserVerificationRequirementRequired, user.PasswordlessTokens...)
if err != nil {
return nil, err
}
tokenID, err := es.idGenerator.Next()
if err != nil {
return nil, err
}
webAuthN.WebAuthNTokenID = tokenID
repoUser := model.UserFromModel(user)
repoWebAuthN := model.WebAuthNFromModel(webAuthN)
err = es_sdk.Push(ctx, es.PushAggregates, repoUser.AppendEvents, MFAPasswordlessAddAggregate(es.AggregateCreator(), repoUser, repoWebAuthN))
if err != nil {
return nil, err
}
return webAuthN, nil
}
func (es *UserEventstore) VerifyPasswordlessSetup(ctx context.Context, userID, tokenName string, credentialData []byte) error {
user, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
_, token := user.Human.GetPasswordlessToVerify()
webAuthN, err := es.webauthn.FinishRegistration(user, token, tokenName, credentialData)
if err != nil {
return err
}
repoUser := model.UserFromModel(user)
repoWebAuthN := model.WebAuthNVerifyFromModel(webAuthN)
err = es_sdk.Push(ctx, es.PushAggregates, repoUser.AppendEvents, MFAPasswordlessVerifyAggregate(es.AggregateCreator(), repoUser, repoWebAuthN))
if err != nil {
return err
}
es.userCache.cacheUser(repoUser)
return nil
}
func (es *UserEventstore) RemovePasswordlessToken(ctx context.Context, userID, webAuthNTokenID string) error {
user, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
if _, token := user.Human.GetPasswordless(webAuthNTokenID); token == nil {
return errors.ThrowPreconditionFailed(nil, "EVENT-5M0sw", "Errors.User.NotHuman")
}
repoUser := model.UserFromModel(user)
err = es_sdk.Push(ctx, es.PushAggregates, repoUser.AppendEvents, MFAPasswordlessRemoveAggregate(es.AggregateCreator(), repoUser, &model.WebAuthNTokenID{webAuthNTokenID}))
if err != nil {
return err
}
es.userCache.cacheUser(repoUser)
return nil
}
func (es *UserEventstore) BeginPasswordlessLogin(ctx context.Context, userID string, authRequest *req_model.AuthRequest) (*usr_model.WebAuthNLogin, error) {
user, err := es.HumanByID(ctx, userID)
if err != nil {
return nil, err
}
if user.PasswordlessTokens == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-5M9sd", "Errors.User.MFA.Passwordless.NotExisting")
}
webAuthNLogin, err := es.webauthn.BeginLogin(user, usr_model.UserVerificationRequirementRequired, user.PasswordlessTokens...)
if err != nil {
return nil, err
}
webAuthNLogin.AuthRequest = authRequest
repoUser := model.UserFromModel(user)
repoWebAuthNLogin := model.WebAuthNLoginFromModel(webAuthNLogin)
err = es_sdk.Push(ctx, es.PushAggregates, repoUser.AppendEvents, MFAPasswordlessBeginLoginAggregate(es.AggregateCreator(), repoUser, repoWebAuthNLogin))
if err != nil {
return nil, err
}
return webAuthNLogin, nil
}
func (es *UserEventstore) VerifyPasswordless(ctx context.Context, userID string, credentialData []byte, authRequest *req_model.AuthRequest) error {
user, err := es.HumanByID(ctx, userID)
if err != nil {
return err
}
_, passwordless := user.GetPasswordlessLogin(authRequest.ID)
keyID, signCount, finishErr := es.webauthn.FinishLogin(user, passwordless, credentialData, user.PasswordlessTokens...)
if finishErr != nil && keyID == nil {
return finishErr
}
_, token := user.GetPasswordlessByKeyID(keyID)
repoUser := model.UserFromModel(user)
repoAuthRequest := model.AuthRequestFromModel(authRequest)
signAgg := MFAPasswordlessSignCountAggregate(es.AggregateCreator(), repoUser, &model.WebAuthNSignCount{WebauthNTokenID: token.WebAuthNTokenID, SignCount: signCount}, repoAuthRequest, finishErr == nil)
err = es_sdk.Push(ctx, es.PushAggregates, repoUser.AppendEvents, signAgg)
if err != nil {
return err
}
return finishErr
}
func (es *UserEventstore) SignOut(ctx context.Context, agentID string, userIDs []string) error {
users := make([]*model.User, len(userIDs))
for i, id := range userIDs {

4
internal/user/repository/eventsourcing/eventstore_mock_test.go
View File

@@ -442,10 +442,10 @@ func GetMockManipulateUserWithOTP(ctrl *gomock.Controller, decrypt, verified boo
},
}
dataUser, _ := json.Marshal(user)
dataOtp, _ := json.Marshal(otp)
dataOTP, _ := json.Marshal(otp)
events := []*es_models.Event{
{AggregateID: "AggregateID", AggregateVersion: "v1", Sequence: 1, Type: model.UserAdded, Data: dataUser},
{AggregateID: "AggregateID", AggregateVersion: "v1", Sequence: 1, Type: model.MFAOTPAdded, Data: dataOtp},
{AggregateID: "AggregateID", AggregateVersion: "v1", Sequence: 1, Type: model.MFAOTPAdded, Data: dataOTP},
}
if verified {
events = append(events, &es_models.Event{AggregateID: "AggregateID", AggregateVersion: "v1", Sequence: 1, Type: model.MFAOTPVerified})

12
internal/user/repository/eventsourcing/eventstore_test.go
View File

@@ -1207,7 +1207,7 @@ func TestInitCodeVerify(t *testing.T) {
}
}
func TestSkipMfaInit(t *testing.T) {
func TestSkipMFAInit(t *testing.T) {
ctrl := gomock.NewController(t)
type args struct {
es *UserEventstore
@@ -1256,7 +1256,7 @@ func TestSkipMfaInit(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := tt.args.es.SkipMfaInit(tt.args.ctx, tt.args.user.AggregateID)
err := tt.args.es.SkipMFAInit(tt.args.ctx, tt.args.user.AggregateID)
if tt.res.errFunc == nil && err != nil {
t.Errorf("rshould not get err")
@@ -3479,7 +3479,7 @@ func TestAddOTP(t *testing.T) {
}
}
func TestCheckMfaOTPSetup(t *testing.T) {
func TestCheckMFAOTPSetup(t *testing.T) {
ctrl := gomock.NewController(t)
type args struct {
es *UserEventstore
@@ -3578,7 +3578,7 @@ func TestCheckMfaOTPSetup(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := tt.args.es.CheckMfaOTPSetup(tt.args.ctx, tt.args.userID, tt.args.code)
err := tt.args.es.CheckMFAOTPSetup(tt.args.ctx, tt.args.userID, tt.args.code)
if tt.res.errFunc == nil && err != nil {
t.Errorf("result should not get err")
@@ -3590,7 +3590,7 @@ func TestCheckMfaOTPSetup(t *testing.T) {
}
}
func TestCheckMfaOTP(t *testing.T) {
func TestCheckMFAOTP(t *testing.T) {
ctrl := gomock.NewController(t)
type args struct {
es *UserEventstore
@@ -3708,7 +3708,7 @@ func TestCheckMfaOTP(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := tt.args.es.CheckMfaOTP(tt.args.ctx, tt.args.userID, tt.args.code, tt.args.authRequest)
err := tt.args.es.CheckMFAOTP(tt.args.ctx, tt.args.userID, tt.args.code, tt.args.authRequest)
if tt.res.errFunc == nil && err != nil {
t.Errorf("result should not get err, got : %v", err)

26
internal/user/repository/eventsourcing/model/auth_request.go
View File

@@ -18,12 +18,27 @@ type AuthRequest struct {
}
func AuthRequestFromModel(request *model.AuthRequest) *AuthRequest {
return &AuthRequest{
req := &AuthRequest{
ID: request.ID,
UserAgentID: request.AgentID,
BrowserInfo: BrowserInfoFromModel(request.BrowserInfo),
SelectedIDPConfigID: request.SelectedIDPConfigID,
}
if request.BrowserInfo != nil {
req.BrowserInfo = BrowserInfoFromModel(request.BrowserInfo)
}
return req
}
func AuthRequestToModel(request *AuthRequest) *model.AuthRequest {
req := &model.AuthRequest{
ID: request.ID,
AgentID: request.UserAgentID,
SelectedIDPConfigID: request.SelectedIDPConfigID,
}
if request.BrowserInfo != nil {
req.BrowserInfo = BrowserInfoToModel(request.BrowserInfo)
}
return req
}
type BrowserInfo struct {
@@ -40,6 +55,13 @@ func BrowserInfoFromModel(info *model.BrowserInfo) *BrowserInfo {
}
}
func BrowserInfoToModel(info *BrowserInfo) *model.BrowserInfo {
return &model.BrowserInfo{
UserAgent: info.UserAgent,
AcceptLanguage: info.AcceptLanguage,
RemoteIP: info.RemoteIP,
}
}
func (a *AuthRequest) SetData(event *es_models.Event) error {
if err := json.Unmarshal(event.Data, a); err != nil {
logging.Log("EVEN-T5df6").WithError(err).Error("could not unmarshal event data")

7
internal/user/repository/eventsourcing/model/mfa.go → internal/user/repository/eventsourcing/model/otp.go
View File

@@ -2,7 +2,6 @@ package model
import (
"encoding/json"
"github.com/caos/logging"
"github.com/caos/zitadel/internal/crypto"
caos_errs "github.com/caos/zitadel/internal/errors"
@@ -29,19 +28,19 @@ func OTPToModel(otp *OTP) *model.OTP {
return &model.OTP{
ObjectRoot: otp.ObjectRoot,
Secret: otp.Secret,
State: model.MfaState(otp.State),
State: model.MFAState(otp.State),
}
}
func (u *Human) appendOTPAddedEvent(event *es_models.Event) error {
u.OTP = &OTP{
State: int32(model.MfaStateNotReady),
State: int32(model.MFAStateNotReady),
}
return u.OTP.setData(event)
}
func (u *Human) appendOTPVerifiedEvent() {
u.OTP.State = int32(model.MfaStateReady)
u.OTP.State = int32(model.MFAStateReady)
}
func (u *Human) appendOTPRemovedEvent() {

10
internal/user/repository/eventsourcing/model/mfa_test.go → internal/user/repository/eventsourcing/model/otp_test.go
View File

@@ -9,7 +9,7 @@ import (
"github.com/caos/zitadel/internal/user/model"
)
func TestAppendMfaOTPAddedEvent(t *testing.T) {
func TestAppendMFAOTPAddedEvent(t *testing.T) {
type args struct {
user *Human
otp *OTP
@@ -27,7 +27,7 @@ func TestAppendMfaOTPAddedEvent(t *testing.T) {
otp: &OTP{Secret: &crypto.CryptoValue{KeyID: "KeyID"}},
event: &es_models.Event{},
},
result: &Human{OTP: &OTP{Secret: &crypto.CryptoValue{KeyID: "KeyID"}, State: int32(model.MfaStateNotReady)}},
result: &Human{OTP: &OTP{Secret: &crypto.CryptoValue{KeyID: "KeyID"}, State: int32(model.MFAStateNotReady)}},
},
}
for _, tt := range tests {
@@ -44,7 +44,7 @@ func TestAppendMfaOTPAddedEvent(t *testing.T) {
}
}
func TestAppendMfaOTPVerifyEvent(t *testing.T) {
func TestAppendMFAOTPVerifyEvent(t *testing.T) {
type args struct {
user *Human
otp *OTP
@@ -62,7 +62,7 @@ func TestAppendMfaOTPVerifyEvent(t *testing.T) {
otp: &OTP{Secret: &crypto.CryptoValue{KeyID: "KeyID"}},
event: &es_models.Event{},
},
result: &Human{OTP: &OTP{Secret: &crypto.CryptoValue{KeyID: "KeyID"}, State: int32(model.MfaStateReady)}},
result: &Human{OTP: &OTP{Secret: &crypto.CryptoValue{KeyID: "KeyID"}, State: int32(model.MFAStateReady)}},
},
}
for _, tt := range tests {
@@ -79,7 +79,7 @@ func TestAppendMfaOTPVerifyEvent(t *testing.T) {
}
}
func TestAppendMfaOTPRemoveEvent(t *testing.T) {
func TestAppendMFAOTPRemoveEvent(t *testing.T) {
type args struct {
user *Human
otp *OTP

16
internal/user/repository/eventsourcing/model/types.go
View File

@@ -118,6 +118,22 @@ const (
HumanMFAOTPCheckFailed models.EventType = "user.human.mfa.otp.check.failed"
HumanMFAInitSkipped models.EventType = "user.human.mfa.init.skipped"
HumanMFAU2FTokenAdded models.EventType = "user.human.mfa.u2f.token.added"
HumanMFAU2FTokenVerified models.EventType = "user.human.mfa.u2f.token.verified"
HumanMFAU2FTokenSignCountChanged models.EventType = "user.human.mfa.u2f.token.signcount.changed"
HumanMFAU2FTokenRemoved models.EventType = "user.human.mfa.u2f.token.removed"
HumanMFAU2FTokenBeginLogin models.EventType = "user.human.mfa.u2f.token.begin.login"
HumanMFAU2FTokenCheckSucceeded models.EventType = "user.human.mfa.u2f.token.check.succeeded"
HumanMFAU2FTokenCheckFailed models.EventType = "user.human.mfa.u2f.token.check.failed"
HumanPasswordlessTokenAdded models.EventType = "user.human.passwordless.token.added"
HumanPasswordlessTokenVerified models.EventType = "user.human.passwordless.token.verified"
HumanPasswordlessTokenChangeSignCount models.EventType = "user.human.passwordless.token.signcount.changed"
HumanPasswordlessTokenRemoved models.EventType = "user.human.passwordless.token.removed"
HumanPasswordlessTokenBeginLogin models.EventType = "user.human.passwordless.token.begin.login"
HumanPasswordlessTokenCheckSucceeded models.EventType = "user.human.passwordless.token.check.succeeded"
HumanPasswordlessTokenCheckFailed models.EventType = "user.human.passwordless.token.check.failed"
HumanSignedOut models.EventType = "user.human.signed.out"
)

58
internal/user/repository/eventsourcing/model/user_human.go
View File

@@ -19,12 +19,16 @@ type Human struct {
*Email
*Phone
*Address
ExternalIDPs []*ExternalIDP `json:"-"`
InitCode *InitUserCode `json:"-"`
EmailCode *EmailCode `json:"-"`
PhoneCode *PhoneCode `json:"-"`
PasswordCode *PasswordCode `json:"-"`
OTP *OTP `json:"-"`
ExternalIDPs []*ExternalIDP `json:"-"`
InitCode *InitUserCode `json:"-"`
EmailCode *EmailCode `json:"-"`
PhoneCode *PhoneCode `json:"-"`
PasswordCode *PasswordCode `json:"-"`
OTP *OTP `json:"-"`
U2FTokens []*WebAuthNToken `json:"-"`
PasswordlessTokens []*WebAuthNToken `json:"-"`
U2FLogins []*WebAuthNLogin `json:"-"`
PasswordlessLogins []*WebAuthNLogin `json:"-"`
}
type InitUserCode struct {
@@ -56,6 +60,15 @@ func HumanFromModel(user *model.Human) *Human {
if user.ExternalIDPs != nil {
human.ExternalIDPs = ExternalIDPsFromModel(user.ExternalIDPs)
}
if user.U2FTokens != nil {
human.U2FTokens = WebAuthNsFromModel(user.U2FTokens)
}
if user.PasswordlessTokens != nil {
human.PasswordlessTokens = WebAuthNsFromModel(user.PasswordlessTokens)
}
if user.U2FLogins != nil {
human.U2FLogins = WebAuthNLoginsFromModel(user.U2FLogins)
}
return human
}
@@ -94,6 +107,15 @@ func HumanToModel(user *Human) *model.Human {
if user.OTP != nil {
human.OTP = OTPToModel(user.OTP)
}
if user.U2FTokens != nil {
human.U2FTokens = WebAuthNsToModel(user.U2FTokens)
}
if user.PasswordlessTokens != nil {
human.PasswordlessTokens = WebAuthNsToModel(user.PasswordlessTokens)
}
if user.U2FLogins != nil {
human.U2FLogins = WebAuthNLoginsToModel(user.U2FLogins)
}
return human
}
@@ -133,10 +155,10 @@ func (h *Human) AppendEvent(event *es_models.Event) (err error) {
HumanAdded,
HumanRegistered,
HumanProfileChanged:
h.setData(event)
err = h.setData(event)
case InitializedUserCodeAdded,
InitializedHumanCodeAdded:
h.appendInitUsercodeCreatedEvent(event)
err = h.appendInitUsercodeCreatedEvent(event)
case UserPasswordChanged,
HumanPasswordChanged:
err = h.appendUserPasswordChangedEvent(event)
@@ -180,6 +202,26 @@ func (h *Human) AppendEvent(event *es_models.Event) (err error) {
err = h.appendExternalIDPAddedEvent(event)
case HumanExternalIDPRemoved, HumanExternalIDPCascadeRemoved:
err = h.appendExternalIDPRemovedEvent(event)
case HumanMFAU2FTokenAdded:
err = h.appendU2FAddedEvent(event)
case HumanMFAU2FTokenVerified:
err = h.appendU2FVerifiedEvent(event)
case HumanMFAU2FTokenSignCountChanged:
err = h.appendU2FChangeSignCountEvent(event)
case HumanMFAU2FTokenRemoved:
err = h.appendU2FRemovedEvent(event)
case HumanPasswordlessTokenAdded:
err = h.appendPasswordlessAddedEvent(event)
case HumanPasswordlessTokenVerified:
err = h.appendPasswordlessVerifiedEvent(event)
case HumanPasswordlessTokenChangeSignCount:
err = h.appendPasswordlessChangeSignCountEvent(event)
case HumanPasswordlessTokenRemoved:
err = h.appendPasswordlessRemovedEvent(event)
case HumanMFAU2FTokenBeginLogin:
err = h.appendU2FLoginEvent(event)
case HumanPasswordlessTokenBeginLogin:
err = h.appendPasswordlessLoginEvent(event)
}
if err != nil {
return err

336
internal/user/repository/eventsourcing/model/web_auth_n.go Normal file
View File

@@ -0,0 +1,336 @@
package model
import (
"encoding/json"
"github.com/caos/logging"
caos_errs "github.com/caos/zitadel/internal/errors"
es_models "github.com/caos/zitadel/internal/eventstore/models"
"github.com/caos/zitadel/internal/user/model"
)
type WebAuthNToken struct {
es_models.ObjectRoot
WebauthNTokenID string `json:"webAuthNTokenId"`
Challenge string `json:"challenge"`
State int32 `json:"-"`
KeyID []byte `json:"keyId"`
PublicKey []byte `json:"publicKey"`
AttestationType string `json:"attestationType"`
AAGUID []byte `json:"aaguid"`
SignCount uint32 `json:"signCount"`
}
type WebAuthNVerify struct {
WebAuthNTokenID string `json:"webAuthNTokenId"`
KeyID []byte `json:"keyId"`
PublicKey []byte `json:"publicKey"`
AttestationType string `json:"attestationType"`
AAGUID []byte `json:"aaguid"`
SignCount uint32 `json:"signCount"`
WebAuthNTokenName string `json:"webAuthNTokenName"`
}
type WebAuthNSignCount struct {
WebauthNTokenID string `json:"webAuthNTokenId"`
SignCount uint32 `json:"signCount"`
}
type WebAuthNTokenID struct {
WebauthNTokenID string `json:"webAuthNTokenId"`
}
type WebAuthNLogin struct {
es_models.ObjectRoot
WebauthNTokenID string `json:"webAuthNTokenId"`
Challenge string `json:"challenge"`
*AuthRequest
}
func GetWebauthn(webauthnTokens []*WebAuthNToken, id string) (int, *WebAuthNToken) {
for i, webauthn := range webauthnTokens {
if webauthn.WebauthNTokenID == id {
return i, webauthn
}
}
return -1, nil
}
func WebAuthNsToModel(u2fs []*WebAuthNToken) []*model.WebAuthNToken {
convertedIDPs := make([]*model.WebAuthNToken, len(u2fs))
for i, m := range u2fs {
convertedIDPs[i] = WebAuthNToModel(m)
}
return convertedIDPs
}
func WebAuthNsFromModel(u2fs []*model.WebAuthNToken) []*WebAuthNToken {
convertedIDPs := make([]*WebAuthNToken, len(u2fs))
for i, m := range u2fs {
convertedIDPs[i] = WebAuthNFromModel(m)
}
return convertedIDPs
}
func WebAuthNFromModel(webAuthN *model.WebAuthNToken) *WebAuthNToken {
return &WebAuthNToken{
ObjectRoot: webAuthN.ObjectRoot,
WebauthNTokenID: webAuthN.WebAuthNTokenID,
Challenge: webAuthN.Challenge,
State: int32(webAuthN.State),
KeyID: webAuthN.KeyID,
PublicKey: webAuthN.PublicKey,
AAGUID: webAuthN.AAGUID,
SignCount: webAuthN.SignCount,
AttestationType: webAuthN.AttestationType,
}
}
func WebAuthNToModel(webAuthN *WebAuthNToken) *model.WebAuthNToken {
return &model.WebAuthNToken{
ObjectRoot: webAuthN.ObjectRoot,
WebAuthNTokenID: webAuthN.WebauthNTokenID,
Challenge: webAuthN.Challenge,
State: model.MFAState(webAuthN.State),
KeyID: webAuthN.KeyID,
PublicKey: webAuthN.PublicKey,
AAGUID: webAuthN.AAGUID,
SignCount: webAuthN.SignCount,
AttestationType: webAuthN.AttestationType,
}
}
func WebAuthNVerifyFromModel(webAuthN *model.WebAuthNToken) *WebAuthNVerify {
return &WebAuthNVerify{
WebAuthNTokenID: webAuthN.WebAuthNTokenID,
KeyID: webAuthN.KeyID,
PublicKey: webAuthN.PublicKey,
AAGUID: webAuthN.AAGUID,
SignCount: webAuthN.SignCount,
AttestationType: webAuthN.AttestationType,
WebAuthNTokenName: webAuthN.WebAuthNTokenName,
}
}
func WebAuthNLoginsToModel(u2fs []*WebAuthNLogin) []*model.WebAuthNLogin {
convertedIDPs := make([]*model.WebAuthNLogin, len(u2fs))
for i, m := range u2fs {
convertedIDPs[i] = WebAuthNLoginToModel(m)
}
return convertedIDPs
}
func WebAuthNLoginsFromModel(u2fs []*model.WebAuthNLogin) []*WebAuthNLogin {
convertedIDPs := make([]*WebAuthNLogin, len(u2fs))
for i, m := range u2fs {
convertedIDPs[i] = WebAuthNLoginFromModel(m)
}
return convertedIDPs
}
func WebAuthNLoginFromModel(webAuthN *model.WebAuthNLogin) *WebAuthNLogin {
return &WebAuthNLogin{
ObjectRoot: webAuthN.ObjectRoot,
Challenge: webAuthN.Challenge,
AuthRequest: AuthRequestFromModel(webAuthN.AuthRequest),
}
}
func WebAuthNLoginToModel(webAuthN *WebAuthNLogin) *model.WebAuthNLogin {
return &model.WebAuthNLogin{
ObjectRoot: webAuthN.ObjectRoot,
Challenge: webAuthN.Challenge,
AuthRequest: AuthRequestToModel(webAuthN.AuthRequest),
}
}
func (u *Human) appendU2FAddedEvent(event *es_models.Event) error {
webauthn := new(WebAuthNToken)
err := webauthn.setData(event)
if err != nil {
return err
}
webauthn.ObjectRoot.CreationDate = event.CreationDate
webauthn.State = int32(model.MFAStateNotReady)
for i, token := range u.U2FTokens {
if token.State == int32(model.MFAStateNotReady) {
u.U2FTokens[i] = webauthn
return nil
}
}
u.U2FTokens = append(u.U2FTokens, webauthn)
return nil
}
func (u *Human) appendU2FVerifiedEvent(event *es_models.Event) error {
webauthn := new(WebAuthNToken)
err := webauthn.setData(event)
if err != nil {
return err
}
if _, token := GetWebauthn(u.U2FTokens, webauthn.WebauthNTokenID); token != nil {
err := token.setData(event)
if err != nil {
return err
}
token.State = int32(model.MFAStateReady)
return nil
}
return caos_errs.ThrowPreconditionFailed(nil, "MODEL-4hu9s", "Errors.Users.MFA.U2F.NotExisting")
}
func (u *Human) appendU2FChangeSignCountEvent(event *es_models.Event) error {
webauthn := new(WebAuthNToken)
err := webauthn.setData(event)
if err != nil {
return err
}
if _, token := GetWebauthn(u.U2FTokens, webauthn.WebauthNTokenID); token != nil {
token.setData(event)
return nil
}
return caos_errs.ThrowPreconditionFailed(nil, "MODEL-5Ms8h", "Errors.Users.MFA.U2F.NotExisting")
}
func (u *Human) appendU2FRemovedEvent(event *es_models.Event) error {
webauthn := new(WebAuthNToken)
err := webauthn.setData(event)
if err != nil {
return err
}
for i := len(u.U2FTokens) - 1; i >= 0; i-- {
if u.U2FTokens[i].WebauthNTokenID == webauthn.WebauthNTokenID {
copy(u.U2FTokens[i:], u.U2FTokens[i+1:])
u.U2FTokens[len(u.U2FTokens)-1] = nil
u.U2FTokens = u.U2FTokens[:len(u.U2FTokens)-1]
return nil
}
}
return nil
}
func (u *Human) appendPasswordlessAddedEvent(event *es_models.Event) error {
webauthn := new(WebAuthNToken)
err := webauthn.setData(event)
if err != nil {
return err
}
webauthn.ObjectRoot.CreationDate = event.CreationDate
webauthn.State = int32(model.MFAStateNotReady)
for i, token := range u.PasswordlessTokens {
if token.State == int32(model.MFAStateNotReady) {
u.PasswordlessTokens[i] = webauthn
return nil
}
}
u.PasswordlessTokens = append(u.PasswordlessTokens, webauthn)
return nil
}
func (u *Human) appendPasswordlessVerifiedEvent(event *es_models.Event) error {
webauthn := new(WebAuthNToken)
err := webauthn.setData(event)
if err != nil {
return err
}
if _, token := GetWebauthn(u.PasswordlessTokens, webauthn.WebauthNTokenID); token != nil {
err := token.setData(event)
if err != nil {
return err
}
token.State = int32(model.MFAStateReady)
return nil
}
return caos_errs.ThrowPreconditionFailed(nil, "MODEL-mKns8", "Errors.Users.MFA.Passwordless.NotExisting")
}
func (u *Human) appendPasswordlessChangeSignCountEvent(event *es_models.Event) error {
webauthn := new(WebAuthNToken)
err := webauthn.setData(event)
if err != nil {
return err
}
if _, token := GetWebauthn(u.PasswordlessTokens, webauthn.WebauthNTokenID); token != nil {
err := token.setData(event)
if err != nil {
return err
}
return nil
}
return caos_errs.ThrowPreconditionFailed(nil, "MODEL-2Mv9s", "Errors.Users.MFA.Passwordless.NotExisting")
}
func (u *Human) appendPasswordlessRemovedEvent(event *es_models.Event) error {
webauthn := new(WebAuthNToken)
err := webauthn.setData(event)
if err != nil {
return err
}
for i := len(u.PasswordlessTokens) - 1; i >= 0; i-- {
if u.PasswordlessTokens[i].WebauthNTokenID == webauthn.WebauthNTokenID {
copy(u.PasswordlessTokens[i:], u.PasswordlessTokens[i+1:])
u.PasswordlessTokens[len(u.PasswordlessTokens)-1] = nil
u.PasswordlessTokens = u.PasswordlessTokens[:len(u.PasswordlessTokens)-1]
return nil
}
}
return nil
}
func (w *WebAuthNToken) setData(event *es_models.Event) error {
w.ObjectRoot.AppendEvent(event)
if err := json.Unmarshal(event.Data, w); err != nil {
logging.Log("EVEN-4M9is").WithError(err).Error("could not unmarshal event data")
return caos_errs.ThrowInternal(err, "MODEL-lo023", "could not unmarshal event")
}
return nil
}
func (u *Human) appendU2FLoginEvent(event *es_models.Event) error {
webauthn := new(WebAuthNLogin)
webauthn.ObjectRoot.AppendEvent(event)
err := webauthn.setData(event)
if err != nil {
return err
}
webauthn.ObjectRoot.CreationDate = event.CreationDate
for i, token := range u.U2FLogins {
if token.AuthRequest.ID == webauthn.AuthRequest.ID {
u.U2FLogins[i] = webauthn
return nil
}
}
u.U2FLogins = append(u.U2FLogins, webauthn)
return nil
}
func (u *Human) appendPasswordlessLoginEvent(event *es_models.Event) error {
webauthn := new(WebAuthNLogin)
webauthn.ObjectRoot.AppendEvent(event)
err := webauthn.setData(event)
if err != nil {
return err
}
webauthn.ObjectRoot.CreationDate = event.CreationDate
for i, token := range u.PasswordlessLogins {
if token.AuthRequest.ID == webauthn.AuthRequest.ID {
u.PasswordlessLogins[i] = webauthn
return nil
}
}
u.PasswordlessLogins = append(u.PasswordlessLogins, webauthn)
return nil
}
func (w *WebAuthNLogin) setData(event *es_models.Event) error {
w.ObjectRoot.AppendEvent(event)
if err := json.Unmarshal(event.Data, w); err != nil {
logging.Log("EVEN-hmSlo").WithError(err).Error("could not unmarshal event data")
return caos_errs.ThrowInternal(err, "MODEL-lo023", "could not unmarshal event")
}
return nil
}

151
internal/user/repository/eventsourcing/model/web_auth_n_test.go Normal file
View File

@@ -0,0 +1,151 @@
package model
import (
"encoding/json"
"github.com/caos/zitadel/pkg/grpc/auth"
"testing"
es_models "github.com/caos/zitadel/internal/eventstore/models"
)
func TestAppendMFAU2FAddedEvent(t *testing.T) {
type args struct {
user *Human
u2f *WebAuthNToken
event *es_models.Event
}
tests := []struct {
name string
args args
result *Human
}{
{
name: "append user u2f event",
args: args{
user: &Human{},
u2f: &WebAuthNToken{WebauthNTokenID: "WebauthNTokenID", Challenge: "Challenge"},
event: &es_models.Event{},
},
result: &Human{
U2FTokens: []*WebAuthNToken{
{WebauthNTokenID: "WebauthNTokenID", Challenge: "Challenge", State: int32(auth.MFAState_MFASTATE_NOT_READY)},
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if tt.args.u2f != nil {
data, _ := json.Marshal(tt.args.u2f)
tt.args.event.Data = data
}
tt.args.user.appendU2FAddedEvent(tt.args.event)
if tt.args.user.U2FTokens[0].State != tt.result.U2FTokens[0].State {
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.U2FTokens[0].State, tt.args.user.U2FTokens[0].State)
}
})
}
}
func TestAppendMFAU2FVerifyEvent(t *testing.T) {
type args struct {
user *Human
u2f *WebAuthNVerify
event *es_models.Event
}
tests := []struct {
name string
args args
result *Human
}{
{
name: "append u2f verify event",
args: args{
user: &Human{
U2FTokens: []*WebAuthNToken{
{WebauthNTokenID: "WebauthNTokenID", Challenge: "Challenge", State: int32(auth.MFAState_MFASTATE_NOT_READY)},
},
},
u2f: &WebAuthNVerify{WebAuthNTokenID: "WebauthNTokenID", KeyID: []byte("KeyID"), PublicKey: []byte("PublicKey"), AttestationType: "AttestationType", AAGUID: []byte("AAGUID"), SignCount: 1},
event: &es_models.Event{},
},
result: &Human{
U2FTokens: []*WebAuthNToken{
{
WebauthNTokenID: "WebauthNTokenID",
Challenge: "Challenge",
State: int32(auth.MFAState_MFASTATE_READY),
KeyID: []byte("KeyID"),
PublicKey: []byte("PublicKey"),
AttestationType: "AttestationType",
AAGUID: []byte("AAGUID"),
SignCount: 1,
},
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if tt.args.u2f != nil {
data, _ := json.Marshal(tt.args.u2f)
tt.args.event.Data = data
}
tt.args.user.appendU2FVerifiedEvent(tt.args.event)
if tt.args.user.U2FTokens[0].State != tt.result.U2FTokens[0].State {
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.U2FTokens[0].State, tt.args.user.U2FTokens[0].State)
}
if tt.args.user.U2FTokens[0].AttestationType != tt.result.U2FTokens[0].AttestationType {
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.U2FTokens[0].AttestationType, tt.args.user.U2FTokens[0].AttestationType)
}
})
}
}
func TestAppendMFAU2FRemoveEvent(t *testing.T) {
type args struct {
user *Human
u2f *WebAuthNTokenID
event *es_models.Event
}
tests := []struct {
name string
args args
result *Human
}{
{
name: "append u2f remove event",
args: args{
user: &Human{
U2FTokens: []*WebAuthNToken{
{
WebauthNTokenID: "WebauthNTokenID",
Challenge: "Challenge",
State: int32(auth.MFAState_MFASTATE_NOT_READY),
KeyID: []byte("KeyID"),
PublicKey: []byte("PublicKey"),
AttestationType: "AttestationType",
AAGUID: []byte("AAGUID"),
SignCount: 1,
},
},
},
u2f: &WebAuthNTokenID{WebauthNTokenID: "WebauthNTokenID"},
event: &es_models.Event{},
},
result: &Human{},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if tt.args.u2f != nil {
data, _ := json.Marshal(tt.args.u2f)
tt.args.event.Data = data
}
tt.args.user.appendU2FRemovedEvent(tt.args.event)
if len(tt.args.user.U2FTokens) != 0 {
t.Errorf("got wrong result: actual: %v ", tt.result.U2FTokens)
}
})
}
}

130
internal/user/repository/eventsourcing/user.go
View File

@@ -400,7 +400,7 @@ func InitCodeCheckFailedAggregate(aggCreator *es_models.AggregateCreator, user *
}
}
func SkipMfaAggregate(aggCreator *es_models.AggregateCreator, user *model.User) func(ctx context.Context) (*es_models.Aggregate, error) {
func SkipMFAAggregate(aggCreator *es_models.AggregateCreator, user *model.User) func(ctx context.Context) (*es_models.Aggregate, error) {
return func(ctx context.Context) (*es_models.Aggregate, error) {
agg, err := UserAggregate(ctx, aggCreator, user)
if err != nil {
@@ -773,7 +773,7 @@ func MFAOTPCheckFailedAggregate(aggCreator *es_models.AggregateCreator, user *mo
}
}
func MFAOTPRemoveAggregate(aggCreator *es_models.AggregateCreator, user *model.User) func(ctx context.Context) (*es_models.Aggregate, error) {
func MFAOTPRemoveAggregate(aggCreator *es_models.AggregateCreator, user *model.User) es_sdk.AggregateFunc {
return func(ctx context.Context) (*es_models.Aggregate, error) {
agg, err := UserAggregate(ctx, aggCreator, user)
if err != nil {
@@ -783,6 +783,132 @@ func MFAOTPRemoveAggregate(aggCreator *es_models.AggregateCreator, user *model.U
}
}
func MFAU2FAddAggregate(aggCreator *es_models.AggregateCreator, user *model.User, webauthN *model.WebAuthNToken) es_sdk.AggregateFunc {
return MFAWebauthNAddAggregate(aggCreator, user, webauthN, model.HumanMFAU2FTokenAdded)
}
func MFAPasswordlessAddAggregate(aggCreator *es_models.AggregateCreator, user *model.User, webauthN *model.WebAuthNToken) es_sdk.AggregateFunc {
return MFAWebauthNAddAggregate(aggCreator, user, webauthN, model.HumanPasswordlessTokenAdded)
}
func MFAWebauthNAddAggregate(aggCreator *es_models.AggregateCreator, user *model.User, webauthN *model.WebAuthNToken, event es_models.EventType) es_sdk.AggregateFunc {
return func(ctx context.Context) (*es_models.Aggregate, error) {
if webauthN == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-4N90s", "Errors.Internal")
}
agg, err := UserAggregate(ctx, aggCreator, user)
if err != nil {
return nil, err
}
return agg.AppendEvent(event, webauthN)
}
}
func MFAU2FVerifyAggregate(aggCreator *es_models.AggregateCreator, user *model.User, webauthN *model.WebAuthNVerify) es_sdk.AggregateFunc {
return MFAWebauthNVerifyAggregate(aggCreator, user, webauthN, model.HumanMFAU2FTokenVerified)
}
func MFAPasswordlessVerifyAggregate(aggCreator *es_models.AggregateCreator, user *model.User, webauthN *model.WebAuthNVerify) es_sdk.AggregateFunc {
return MFAWebauthNVerifyAggregate(aggCreator, user, webauthN, model.HumanPasswordlessTokenVerified)
}
func MFAWebauthNVerifyAggregate(aggCreator *es_models.AggregateCreator, user *model.User, webauthN *model.WebAuthNVerify, event es_models.EventType) es_sdk.AggregateFunc {
return func(ctx context.Context) (*es_models.Aggregate, error) {
if webauthN == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-4N90s", "Errors.Internal")
}
agg, err := UserAggregate(ctx, aggCreator, user)
if err != nil {
return nil, err
}
return agg.AppendEvent(event, webauthN)
}
}
func MFAU2FSignCountAggregate(aggCreator *es_models.AggregateCreator, user *model.User, webauthN *model.WebAuthNSignCount, check *model.AuthRequest, checkSucceeded bool) es_sdk.AggregateFunc {
return func(ctx context.Context) (*es_models.Aggregate, error) {
if webauthN == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-4N90s", "Errors.Internal")
}
agg, err := UserAggregate(ctx, aggCreator, user)
if err != nil {
return nil, err
}
agg, err = agg.AppendEvent(model.HumanMFAU2FTokenSignCountChanged, webauthN)
if err != nil {
return nil, err
}
if checkSucceeded {
return agg.AppendEvent(model.HumanMFAU2FTokenCheckSucceeded, check)
} else {
return agg.AppendEvent(model.HumanMFAU2FTokenCheckFailed, check)
}
}
}
func MFAPasswordlessSignCountAggregate(aggCreator *es_models.AggregateCreator, user *model.User, webauthN *model.WebAuthNSignCount, check *model.AuthRequest, checkSucceeded bool) es_sdk.AggregateFunc {
return func(ctx context.Context) (*es_models.Aggregate, error) {
if webauthN == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-4N90s", "Errors.Internal")
}
agg, err := UserAggregate(ctx, aggCreator, user)
if err != nil {
return nil, err
}
agg, err = agg.AppendEvent(model.HumanPasswordlessTokenChangeSignCount, webauthN)
if err != nil {
return nil, err
}
if checkSucceeded {
return agg.AppendEvent(model.HumanPasswordlessTokenCheckSucceeded, check)
} else {
return agg.AppendEvent(model.HumanPasswordlessTokenCheckFailed, check)
}
}
}
func MFAU2FRemoveAggregate(aggCreator *es_models.AggregateCreator, user *model.User, webauthN *model.WebAuthNTokenID) es_sdk.AggregateFunc {
return MFAWebauthNRemoveAggregate(aggCreator, user, webauthN, model.HumanMFAU2FTokenRemoved)
}
func MFAPasswordlessRemoveAggregate(aggCreator *es_models.AggregateCreator, user *model.User, webauthN *model.WebAuthNTokenID) es_sdk.AggregateFunc {
return MFAWebauthNRemoveAggregate(aggCreator, user, webauthN, model.HumanPasswordlessTokenRemoved)
}
func MFAWebauthNRemoveAggregate(aggCreator *es_models.AggregateCreator, user *model.User, webauthN *model.WebAuthNTokenID, event es_models.EventType) es_sdk.AggregateFunc {
return func(ctx context.Context) (*es_models.Aggregate, error) {
if webauthN == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-4Ms9l", "Errors.Internal")
}
agg, err := UserAggregate(ctx, aggCreator, user)
if err != nil {
return nil, err
}
return agg.AppendEvent(event, webauthN)
}
}
func MFAU2FBeginLoginAggregate(aggCreator *es_models.AggregateCreator, user *model.User, webauthN *model.WebAuthNLogin) es_sdk.AggregateFunc {
return MFAWebauthNBeginLoginAggregate(aggCreator, user, webauthN, model.HumanMFAU2FTokenBeginLogin)
}
func MFAPasswordlessBeginLoginAggregate(aggCreator *es_models.AggregateCreator, user *model.User, webauthN *model.WebAuthNLogin) es_sdk.AggregateFunc {
return MFAWebauthNBeginLoginAggregate(aggCreator, user, webauthN, model.HumanPasswordlessTokenBeginLogin)
}
func MFAWebauthNBeginLoginAggregate(aggCreator *es_models.AggregateCreator, user *model.User, webauthN *model.WebAuthNLogin, event es_models.EventType) es_sdk.AggregateFunc {
return func(ctx context.Context) (*es_models.Aggregate, error) {
if webauthN == nil {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-4N90s", "Errors.Internal")
}
agg, err := UserAggregate(ctx, aggCreator, user)
if err != nil {
return nil, err
}
return agg.AppendEvent(event, webauthN)
}
}
func SignOutAggregates(aggCreator *es_models.AggregateCreator, users []*model.User, agentID string) func(ctx context.Context) ([]*es_models.Aggregate, error) {
return func(ctx context.Context) ([]*es_models.Aggregate, error) {
aggregates := make([]*es_models.Aggregate, len(users))

4
internal/user/repository/eventsourcing/user_test.go
View File

@@ -991,7 +991,7 @@ func TestInitCodeCheckFailedAggregate(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
agg, err := SkipMfaAggregate(tt.args.aggCreator, tt.args.user)(tt.args.ctx)
agg, err := SkipMFAAggregate(tt.args.aggCreator, tt.args.user)(tt.args.ctx)
if tt.res.errFunc == nil && len(agg.Events) != tt.res.eventLen {
t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
@@ -1006,7 +1006,7 @@ func TestInitCodeCheckFailedAggregate(t *testing.T) {
}
}
func TestSkipMfaAggregate(t *testing.T) {
func TestSkipMFAAggregate(t *testing.T) {
type args struct {
ctx context.Context
user *model.User

261
internal/user/repository/view/model/user.go
View File

@@ -1,18 +1,18 @@
package model
import (
"database/sql/driver"
"encoding/json"
iam_model "github.com/caos/zitadel/internal/iam/model"
"time"
org_model "github.com/caos/zitadel/internal/org/model"
"github.com/lib/pq"
"github.com/caos/logging"
"github.com/lib/pq"
req_model "github.com/caos/zitadel/internal/auth_request/model"
caos_errs "github.com/caos/zitadel/internal/errors"
"github.com/caos/zitadel/internal/eventstore/models"
iam_model "github.com/caos/zitadel/internal/iam/model"
org_model "github.com/caos/zitadel/internal/org/model"
"github.com/caos/zitadel/internal/user/model"
es_model "github.com/caos/zitadel/internal/user/repository/eventsourcing/model"
)
@@ -67,30 +67,57 @@ const (
)
type HumanView struct {
FirstName string `json:"firstName" gorm:"column:first_name"`
LastName string `json:"lastName" gorm:"column:last_name"`
NickName string `json:"nickName" gorm:"column:nick_name"`
DisplayName string `json:"displayName" gorm:"column:display_name"`
PreferredLanguage string `json:"preferredLanguage" gorm:"column:preferred_language"`
Gender int32 `json:"gender" gorm:"column:gender"`
Email string `json:"email" gorm:"column:email"`
IsEmailVerified bool `json:"-" gorm:"column:is_email_verified"`
Phone string `json:"phone" gorm:"column:phone"`
IsPhoneVerified bool `json:"-" gorm:"column:is_phone_verified"`
Country string `json:"country" gorm:"column:country"`
Locality string `json:"locality" gorm:"column:locality"`
PostalCode string `json:"postalCode" gorm:"column:postal_code"`
Region string `json:"region" gorm:"column:region"`
StreetAddress string `json:"streetAddress" gorm:"column:street_address"`
OTPState int32 `json:"-" gorm:"column:otp_state"`
MfaMaxSetUp int32 `json:"-" gorm:"column:mfa_max_set_up"`
MfaInitSkipped time.Time `json:"-" gorm:"column:mfa_init_skipped"`
InitRequired bool `json:"-" gorm:"column:init_required"`
FirstName string `json:"firstName" gorm:"column:first_name"`
LastName string `json:"lastName" gorm:"column:last_name"`
NickName string `json:"nickName" gorm:"column:nick_name"`
DisplayName string `json:"displayName" gorm:"column:display_name"`
PreferredLanguage string `json:"preferredLanguage" gorm:"column:preferred_language"`
Gender int32 `json:"gender" gorm:"column:gender"`
Email string `json:"email" gorm:"column:email"`
IsEmailVerified bool `json:"-" gorm:"column:is_email_verified"`
Phone string `json:"phone" gorm:"column:phone"`
IsPhoneVerified bool `json:"-" gorm:"column:is_phone_verified"`
Country string `json:"country" gorm:"column:country"`
Locality string `json:"locality" gorm:"column:locality"`
PostalCode string `json:"postalCode" gorm:"column:postal_code"`
Region string `json:"region" gorm:"column:region"`
StreetAddress string `json:"streetAddress" gorm:"column:street_address"`
OTPState int32 `json:"-" gorm:"column:otp_state"`
U2FTokens WebAuthNTokens `json:"-" gorm:"column:u2f_tokens"`
MFAMaxSetUp int32 `json:"-" gorm:"column:mfa_max_set_up"`
MFAInitSkipped time.Time `json:"-" gorm:"column:mfa_init_skipped"`
InitRequired bool `json:"-" gorm:"column:init_required"`
PasswordSet bool `json:"-" gorm:"column:password_set"`
PasswordChangeRequired bool `json:"-" gorm:"column:password_change_required"`
UsernameChangeRequired bool `json:"-" gorm:"column:username_change_required"`
PasswordChanged time.Time `json:"-" gorm:"column:password_change"`
PasswordSet bool `json:"-" gorm:"column:password_set"`
PasswordChangeRequired bool `json:"-" gorm:"column:password_change_required"`
UsernameChangeRequired bool `json:"-" gorm:"column:username_change_required"`
PasswordChanged time.Time `json:"-" gorm:"column:password_change"`
PasswordlessTokens WebAuthNTokens `json:"-" gorm:"column:passwordless_tokens"`
}
type WebAuthNTokens []*WebAuthNView
type WebAuthNView struct {
ID string `json:"webAuthNTokenId"`
Name string `json:"webAuthNTokenName,omitempty"`
State int32 `json:"state,omitempty"`
}
func (t WebAuthNTokens) Value() (driver.Value, error) {
if t == nil {
return nil, nil
}
return json.Marshal(&t)
}
func (t *WebAuthNTokens) Scan(src interface{}) error {
if b, ok := src.([]byte); ok {
return json.Unmarshal(b, t)
}
if s, ok := src.(string); ok {
return json.Unmarshal([]byte(s), t)
}
return nil
}
func (h *HumanView) IsZero() bool {
@@ -124,6 +151,8 @@ func UserToModel(user *UserView) *model.UserView {
PasswordSet: user.PasswordSet,
PasswordChangeRequired: user.PasswordChangeRequired,
PasswordChanged: user.PasswordChanged,
PasswordlessTokens: WebauthnTokensToModel(user.PasswordlessTokens),
U2FTokens: WebauthnTokensToModel(user.U2FTokens),
FirstName: user.FirstName,
LastName: user.LastName,
NickName: user.NickName,
@@ -139,9 +168,9 @@ func UserToModel(user *UserView) *model.UserView {
PostalCode: user.PostalCode,
Region: user.Region,
StreetAddress: user.StreetAddress,
OTPState: model.MfaState(user.OTPState),
MfaMaxSetUp: req_model.MFALevel(user.MfaMaxSetUp),
MfaInitSkipped: user.MfaInitSkipped,
OTPState: model.MFAState(user.OTPState),
MFAMaxSetUp: req_model.MFALevel(user.MFAMaxSetUp),
MFAInitSkipped: user.MFAInitSkipped,
InitRequired: user.InitRequired,
}
}
@@ -163,6 +192,25 @@ func UsersToModel(users []*UserView) []*model.UserView {
return result
}
func WebauthnTokensToModel(tokens []*WebAuthNView) []*model.WebAuthNView {
if tokens == nil {
return nil
}
result := make([]*model.WebAuthNView, len(tokens))
for i, t := range tokens {
result[i] = WebauthnTokenToModel(t)
}
return result
}
func WebauthnTokenToModel(token *WebAuthNView) *model.WebAuthNView {
return &model.WebAuthNView{
TokenID: token.ID,
Name: token.Name,
State: model.MFAState(token.State),
}
}
func (u *UserView) GenerateLoginName(domain string, appendDomain bool) string {
if !appendDomain {
return u.UserName
@@ -212,6 +260,12 @@ func (u *UserView) AppendEvent(event *models.Event) (err error) {
case es_model.UserPasswordChanged,
es_model.HumanPasswordChanged:
err = u.setPasswordData(event)
case es_model.HumanPasswordlessTokenAdded:
err = u.addPasswordlessToken(event)
case es_model.HumanPasswordlessTokenVerified:
err = u.updatePasswordlessToken(event)
case es_model.HumanPasswordlessTokenRemoved:
err = u.removePasswordlessToken(event)
case es_model.UserProfileChanged,
es_model.HumanProfileChanged,
es_model.UserAddressChanged,
@@ -251,17 +305,27 @@ func (u *UserView) AppendEvent(event *models.Event) (err error) {
u.State = int32(model.UserStateLocked)
case es_model.MFAOTPAdded,
es_model.HumanMFAOTPAdded:
u.OTPState = int32(model.MfaStateNotReady)
u.OTPState = int32(model.MFAStateNotReady)
case es_model.MFAOTPVerified,
es_model.HumanMFAOTPVerified:
u.OTPState = int32(model.MfaStateReady)
u.MfaInitSkipped = time.Time{}
u.OTPState = int32(model.MFAStateReady)
u.MFAInitSkipped = time.Time{}
case es_model.MFAOTPRemoved,
es_model.HumanMFAOTPRemoved:
u.OTPState = int32(model.MfaStateUnspecified)
u.OTPState = int32(model.MFAStateUnspecified)
case es_model.HumanMFAU2FTokenAdded:
err = u.addU2FToken(event)
case es_model.HumanMFAU2FTokenVerified:
err = u.updateU2FToken(event)
if err != nil {
return err
}
u.MFAInitSkipped = time.Time{}
case es_model.HumanMFAU2FTokenRemoved:
err = u.removeU2FToken(event)
case es_model.MFAInitSkipped,
es_model.HumanMFAInitSkipped:
u.MfaInitSkipped = event.CreationDate
u.MFAInitSkipped = event.CreationDate
case es_model.InitializedUserCodeAdded,
es_model.InitializedHumanCodeAdded:
u.InitRequired = true
@@ -298,6 +362,106 @@ func (u *UserView) setPasswordData(event *models.Event) error {
return nil
}
func (u *UserView) addPasswordlessToken(event *models.Event) error {
token, err := webAuthNViewFromEvent(event)
if err != nil {
return err
}
for _, t := range u.PasswordlessTokens {
if t.State == int32(model.MFAStateNotReady) {
t = token
return nil
}
}
u.U2FTokens = append(u.U2FTokens, token)
return nil
}
func (u *UserView) updatePasswordlessToken(event *models.Event) error {
token, err := webAuthNViewFromEvent(event)
if err != nil {
return err
}
for i, t := range u.PasswordlessTokens {
if t.ID == token.ID {
u.PasswordlessTokens[i].Name = token.Name
u.PasswordlessTokens[i].State = int32(model.MFAStateReady)
return nil
}
}
return nil
}
func (u *UserView) removePasswordlessToken(event *models.Event) error {
token, err := webAuthNViewFromEvent(event)
if err != nil {
return err
}
for i, t := range u.PasswordlessTokens {
if t.ID == token.ID {
u.PasswordlessTokens[i] = u.PasswordlessTokens[len(u.PasswordlessTokens)-1]
u.PasswordlessTokens[len(u.PasswordlessTokens)-1] = nil
u.PasswordlessTokens = u.PasswordlessTokens[:len(u.PasswordlessTokens)-1]
return nil
}
}
return nil
}
func (u *UserView) addU2FToken(event *models.Event) error {
token, err := webAuthNViewFromEvent(event)
if err != nil {
return err
}
for _, t := range u.U2FTokens {
if t.State == int32(model.MFAStateNotReady) {
t = token
return nil
}
}
u.U2FTokens = append(u.U2FTokens, token)
return nil
}
func (u *UserView) updateU2FToken(event *models.Event) error {
token, err := webAuthNViewFromEvent(event)
if err != nil {
return err
}
for i, t := range u.U2FTokens {
if t.ID == token.ID {
u.U2FTokens[i].Name = token.Name
u.U2FTokens[i].State = int32(model.MFAStateReady)
return nil
}
}
return nil
}
func (u *UserView) removeU2FToken(event *models.Event) error {
token, err := webAuthNViewFromEvent(event)
if err != nil {
return err
}
for i := len(u.U2FTokens) - 1; i >= 0; i-- {
if u.U2FTokens[i].ID == token.ID {
u.U2FTokens[i] = u.U2FTokens[len(u.U2FTokens)-1]
u.U2FTokens[len(u.U2FTokens)-1] = nil
u.U2FTokens = u.U2FTokens[:len(u.U2FTokens)-1]
}
}
return nil
}
func webAuthNViewFromEvent(event *models.Event) (*WebAuthNView, error) {
token := new(WebAuthNView)
err := json.Unmarshal(event.Data, token)
if err != nil {
return nil, caos_errs.ThrowInternal(err, "MODEL-FSaq1", "could not unmarshal data")
}
return token, err
}
func (u *UserView) ComputeObject() {
if !u.MachineView.IsZero() {
if u.State == int32(model.UserStateUnspecified) {
@@ -312,10 +476,25 @@ func (u *UserView) ComputeObject() {
u.State = int32(model.UserStateInitial)
}
}
if u.OTPState != int32(model.MfaStateReady) {
u.MfaMaxSetUp = int32(req_model.MFALevelNotSetUp)
}
if u.OTPState == int32(model.MfaStateReady) {
u.MfaMaxSetUp = int32(req_model.MFALevelSecondFactor)
}
u.ComputeMFAMaxSetUp()
}
func (u *UserView) ComputeMFAMaxSetUp() {
for _, token := range u.PasswordlessTokens {
if token.State == int32(model.MFAStateReady) {
u.MFAMaxSetUp = int32(req_model.MFALevelMultiFactor)
return
}
}
for _, token := range u.U2FTokens {
if token.State == int32(model.MFAStateReady) {
u.MFAMaxSetUp = int32(req_model.MFALevelSecondFactor)
return
}
}
if u.OTPState == int32(model.MFAStateReady) {
u.MFAMaxSetUp = int32(req_model.MFALevelSecondFactor)
return
}
u.MFAMaxSetUp = int32(req_model.MFALevelNotSetUp)
}

19
internal/user/repository/view/model/user_session.go
View File

@@ -32,6 +32,7 @@ type UserSessionView struct {
DisplayName string `json:"-" gorm:"column:user_display_name"`
SelectedIDPConfigID string `json:"selectedIDPConfigID" gorm:"column:selected_idp_config_id"`
PasswordVerification time.Time `json:"-" gorm:"column:password_verification"`
PasswordlessVerification time.Time `json:"-" gorm:"column:passwordless_verification"`
ExternalLoginVerification time.Time `json:"-" gorm:"column:external_login_verification"`
SecondFactorVerification time.Time `json:"-" gorm:"column:second_factor_verification"`
SecondFactorVerificationType int32 `json:"-" gorm:"column:second_factor_verification_type"`
@@ -62,6 +63,7 @@ func UserSessionToModel(userSession *UserSessionView) *model.UserSessionView {
DisplayName: userSession.DisplayName,
SelectedIDPConfigID: userSession.SelectedIDPConfigID,
PasswordVerification: userSession.PasswordVerification,
PasswordlessVerification: userSession.PasswordlessVerification,
ExternalLoginVerification: userSession.ExternalLoginVerification,
SecondFactorVerification: userSession.SecondFactorVerification,
SecondFactorVerificationType: req_model.MFAType(userSession.SecondFactorVerificationType),
@@ -93,6 +95,15 @@ func (v *UserSessionView) AppendEvent(event *models.Event) {
v.ExternalLoginVerification = event.CreationDate
v.SelectedIDPConfigID = data.SelectedIDPConfigID
v.State = int32(req_model.UserSessionStateActive)
case es_model.HumanPasswordlessTokenCheckSucceeded:
v.PasswordlessVerification = event.CreationDate
v.MultiFactorVerification = event.CreationDate
v.MultiFactorVerificationType = int32(req_model.MFATypeU2FUserVerification)
v.State = int32(req_model.UserSessionStateActive)
case es_model.HumanPasswordlessTokenCheckFailed,
es_model.HumanPasswordlessTokenRemoved:
v.PasswordlessVerification = time.Time{}
v.MultiFactorVerification = time.Time{}
case es_model.UserPasswordCheckFailed,
es_model.UserPasswordChanged,
es_model.HumanPasswordCheckFailed,
@@ -106,8 +117,14 @@ func (v *UserSessionView) AppendEvent(event *models.Event) {
case es_model.MFAOTPCheckFailed,
es_model.MFAOTPRemoved,
es_model.HumanMFAOTPCheckFailed,
es_model.HumanMFAOTPRemoved:
es_model.HumanMFAOTPRemoved,
es_model.HumanMFAU2FTokenCheckFailed,
es_model.HumanMFAU2FTokenRemoved:
v.SecondFactorVerification = time.Time{}
case es_model.HumanMFAU2FTokenCheckSucceeded:
v.SecondFactorVerification = event.CreationDate
v.SecondFactorVerificationType = int32(req_model.MFATypeU2F)
v.State = int32(req_model.UserSessionStateActive)
case es_model.SignedOut,
es_model.HumanSignedOut,
es_model.UserLocked,

28
internal/user/repository/view/model/user_test.go
View File

@@ -305,7 +305,7 @@ func TestUserAppendEvent(t *testing.T) {
event: &es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: es_model.MFAOTPAdded, ResourceOwner: "OrgID"},
user: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country"}, State: int32(model.UserStateActive)},
},
result: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country", OTPState: int32(model.MfaStateNotReady)}, State: int32(model.UserStateActive)},
result: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country", OTPState: int32(model.MFAStateNotReady)}, State: int32(model.UserStateActive)},
},
{
name: "append human add otp event",
@@ -313,39 +313,39 @@ func TestUserAppendEvent(t *testing.T) {
event: &es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: es_model.HumanMFAOTPAdded, ResourceOwner: "OrgID"},
user: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country"}, State: int32(model.UserStateActive)},
},
result: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country", OTPState: int32(model.MfaStateNotReady)}, State: int32(model.UserStateActive)},
result: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country", OTPState: int32(model.MFAStateNotReady)}, State: int32(model.UserStateActive)},
},
{
name: "append user verify otp event",
args: args{
event: &es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: es_model.MFAOTPVerified, ResourceOwner: "OrgID"},
user: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country", OTPState: int32(model.MfaStateNotReady)}, State: int32(model.UserStateActive)},
user: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country", OTPState: int32(model.MFAStateNotReady)}, State: int32(model.UserStateActive)},
},
result: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country", OTPState: int32(model.MfaStateReady)}, State: int32(model.UserStateActive)},
result: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country", OTPState: int32(model.MFAStateReady)}, State: int32(model.UserStateActive)},
},
{
name: "append human verify otp event",
args: args{
event: &es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: es_model.HumanMFAOTPVerified, ResourceOwner: "OrgID"},
user: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country", OTPState: int32(model.MfaStateNotReady)}, State: int32(model.UserStateActive)},
user: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country", OTPState: int32(model.MFAStateNotReady)}, State: int32(model.UserStateActive)},
},
result: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country", OTPState: int32(model.MfaStateReady)}, State: int32(model.UserStateActive)},
result: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country", OTPState: int32(model.MFAStateReady)}, State: int32(model.UserStateActive)},
},
{
name: "append user remove otp event",
args: args{
event: &es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: es_model.MFAOTPRemoved, ResourceOwner: "OrgID"},
user: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country", OTPState: int32(model.MfaStateReady)}, State: int32(model.UserStateActive)},
user: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country", OTPState: int32(model.MFAStateReady)}, State: int32(model.UserStateActive)},
},
result: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country", OTPState: int32(model.MfaStateUnspecified)}, State: int32(model.UserStateActive)},
result: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country", OTPState: int32(model.MFAStateUnspecified)}, State: int32(model.UserStateActive)},
},
{
name: "append human remove otp event",
args: args{
event: &es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: es_model.HumanMFAOTPRemoved, ResourceOwner: "OrgID"},
user: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country", OTPState: int32(model.MfaStateReady)}, State: int32(model.UserStateActive)},
user: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country", OTPState: int32(model.MFAStateReady)}, State: int32(model.UserStateActive)},
},
result: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country", OTPState: int32(model.MfaStateUnspecified)}, State: int32(model.UserStateActive)},
result: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country", OTPState: int32(model.MFAStateUnspecified)}, State: int32(model.UserStateActive)},
},
{
name: "append user mfa init skipped event",
@@ -353,7 +353,7 @@ func TestUserAppendEvent(t *testing.T) {
event: &es_models.Event{Sequence: 1, CreationDate: time.Now().UTC(), Type: es_model.MFAInitSkipped, AggregateID: "AggregateID", ResourceOwner: "OrgID"},
user: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country"}, State: int32(model.UserStateActive)},
},
result: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country", MfaInitSkipped: time.Now().UTC()}, State: int32(model.UserStateActive)},
result: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country", MFAInitSkipped: time.Now().UTC()}, State: int32(model.UserStateActive)},
},
{
name: "append human mfa init skipped event",
@@ -361,7 +361,7 @@ func TestUserAppendEvent(t *testing.T) {
event: &es_models.Event{Sequence: 1, CreationDate: time.Now().UTC(), Type: es_model.HumanMFAInitSkipped, AggregateID: "AggregateID", ResourceOwner: "OrgID"},
user: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country"}, State: int32(model.UserStateActive)},
},
result: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country", MfaInitSkipped: time.Now().UTC()}, State: int32(model.UserStateActive)},
result: &UserView{ID: "AggregateID", ResourceOwner: "OrgID", UserName: "UserName", HumanView: &HumanView{FirstName: "FirstName", LastName: "LastName", Email: "Email", Phone: "Phone", Country: "Country", MFAInitSkipped: time.Now().UTC()}, State: int32(model.UserStateActive)},
},
}
for _, tt := range tests {
@@ -401,8 +401,8 @@ func TestUserAppendEvent(t *testing.T) {
if human.OTPState != tt.result.OTPState {
t.Errorf("got wrong result OTPState: expected: %v, actual: %v ", tt.result.OTPState, human.OTPState)
}
if human.MfaInitSkipped.Round(1*time.Second) != tt.result.MfaInitSkipped.Round(1*time.Second) {
t.Errorf("got wrong result MfaInitSkipped: expected: %v, actual: %v ", tt.result.MfaInitSkipped.Round(1*time.Second), human.MfaInitSkipped.Round(1*time.Second))
if human.MFAInitSkipped.Round(1*time.Second) != tt.result.MFAInitSkipped.Round(1*time.Second) {
t.Errorf("got wrong result MFAInitSkipped: expected: %v, actual: %v ", tt.result.MFAInitSkipped.Round(1*time.Second), human.MFAInitSkipped.Round(1*time.Second))
}
if human.PasswordSet != tt.result.PasswordSet {
t.Errorf("got wrong result PasswordSet: expected: %v, actual: %v ", tt.result.PasswordSet, human.PasswordSet)

6
internal/user/repository/view/user_view.go
View File

@@ -142,15 +142,15 @@ func IsUserUnique(db *gorm.DB, table, userName, email string) (bool, error) {
return user.UserName == "", nil
}
func UserMfas(db *gorm.DB, table, userID string) ([]*usr_model.MultiFactor, error) {
func UserMFAs(db *gorm.DB, table, userID string) ([]*usr_model.MultiFactor, error) {
user, err := UserByID(db, table, userID)
if err != nil {
return nil, err
}
if user.OTPState == int32(usr_model.MfaStateUnspecified) {
if user.OTPState == int32(usr_model.MFAStateUnspecified) {
return []*usr_model.MultiFactor{}, nil
}
return []*usr_model.MultiFactor{{Type: usr_model.MfaTypeOTP, State: usr_model.MfaState(user.OTPState)}}, nil
return []*usr_model.MultiFactor{{Type: usr_model.MFATypeOTP, State: usr_model.MFAState(user.OTPState)}}, nil
}
func PutUsers(db *gorm.DB, table string, users ...*model.UserView) error {