feat(api): list authentication method types in user api v2 (#6058)

2025-08-12 04:57:33 +00:00 · 2023-06-20 18:23:28 +02:00
parent 82e7333169
commit 7046194530
11 changed files with 523 additions and 1 deletions
--- a/internal/query/query.go
+++ b/internal/query/query.go
@@ -34,6 +34,7 @@ type Queries struct {

 	idpConfigEncryption  crypto.EncryptionAlgorithm
 	sessionTokenVerifier func(ctx context.Context, sessionToken string, sessionID string, tokenID string) (err error)
+	checkPermission      domain.PermissionCheck

 	DefaultLanguage                     language.Tag
 	LoginDir                            http.FileSystem
@@ -55,6 +56,7 @@ func StartQueries(
 	idpConfigEncryption, otpEncryption, keyEncryptionAlgorithm, certEncryptionAlgorithm crypto.EncryptionAlgorithm,
 	zitadelRoles []authz.RoleMapping,
 	sessionTokenVerifier func(ctx context.Context, sessionToken string, sessionID string, tokenID string) (err error),
+	permissionCheck func(q *Queries) domain.PermissionCheck,
 ) (repo *Queries, err error) {
 	statikLoginFS, err := fs.NewWithNamespace("login")
 	if err != nil {
@@ -95,6 +97,8 @@ func StartQueries(
 		},
 	}

+	repo.checkPermission = permissionCheck(repo)
+
 	err = projection.Create(ctx, sqlClient, es, projections, keyEncryptionAlgorithm, certEncryptionAlgorithm)
 	if err != nil {
 		return nil, err
--- a/internal/query/user_auth_method.go
+++ b/internal/query/user_auth_method.go
@@ -6,6 +6,7 @@ import (
 	"time"

 	sq "github.com/Masterminds/squirrel"
+	"github.com/zitadel/logging"

 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/api/call"
@@ -64,12 +65,27 @@ var (
 		name:  projection.UserAuthMethodOwnerRemovedCol,
 		table: userAuthMethodTable,
 	}
+
+	authMethodTypeTable      = userAuthMethodTable.setAlias("auth_method_types")
+	authMethodTypeUserID     = UserAuthMethodColumnUserID.setTable(authMethodTypeTable)
+	authMethodTypeInstanceID = UserAuthMethodColumnInstanceID.setTable(authMethodTypeTable)
+	authMethodTypeTypes      = UserAuthMethodColumnMethodType.setTable(authMethodTypeTable)
+	authMethodTypeState      = UserAuthMethodColumnState.setTable(authMethodTypeTable)
+
+	userIDPsCountTable      = idpUserLinkTable.setAlias("user_idps_count")
+	userIDPsCountUserID     = IDPUserLinkUserIDCol.setTable(userIDPsCountTable)
+	userIDPsCountInstanceID = IDPUserLinkInstanceIDCol.setTable(userIDPsCountTable)
+	userIDPsCountCount      = Column{
+		name:  "count",
+		table: userIDPsCountTable,
+	}
 )

 type AuthMethods struct {
 	SearchResponse
 	AuthMethods []*AuthMethod
 }
+
 type AuthMethod struct {
 	UserID        string
 	CreationDate  time.Time
@@ -83,6 +99,11 @@ type AuthMethod struct {
 	Type    domain.UserAuthMethodType
 }

+type AuthMethodTypes struct {
+	SearchResponse
+	AuthMethodTypes []domain.UserAuthMethodType
+}
+
 type UserAuthMethodSearchQueries struct {
 	SearchRequest
 	Queries []SearchQuery
@@ -114,6 +135,41 @@ func (q *Queries) SearchUserAuthMethods(ctx context.Context, queries *UserAuthMe
 	return userAuthMethods, err
 }

+func (q *Queries) ListActiveUserAuthMethodTypes(ctx context.Context, userID string, withOwnerRemoved bool) (userAuthMethodTypes *AuthMethodTypes, err error) {
+	ctxData := authz.GetCtxData(ctx)
+	if ctxData.UserID != userID {
+		if err := q.checkPermission(ctx, domain.PermissionUserRead, ctxData.OrgID, userID); err != nil {
+			return nil, err
+		}
+	}
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	query, scan := prepareActiveUserAuthMethodTypesQuery(ctx, q.client)
+	eq := sq.Eq{
+		UserIDCol.identifier():         userID,
+		UserInstanceIDCol.identifier(): authz.GetInstance(ctx).InstanceID(),
+	}
+	if !withOwnerRemoved {
+		eq[UserOwnerRemovedCol.identifier()] = false
+	}
+	stmt, args, err := query.Where(eq).ToSql()
+	if err != nil {
+		return nil, errors.ThrowInvalidArgument(err, "QUERY-Sfdrg", "Errors.Query.InvalidRequest")
+	}
+
+	rows, err := q.client.QueryContext(ctx, stmt, args...)
+	if err != nil || rows.Err() != nil {
+		return nil, errors.ThrowInternal(err, "QUERY-SDgr3", "Errors.Internal")
+	}
+	userAuthMethodTypes, err = scan(rows)
+	if err != nil {
+		return nil, err
+	}
+	userAuthMethodTypes.LatestSequence, err = q.latestSequence(ctx, userTable, notifyTable, userAuthMethodTable, idpUserLinkTable)
+	return userAuthMethodTypes, err
+}
+
 func NewUserAuthMethodUserIDSearchQuery(value string) (SearchQuery, error) {
 	return NewTextQuery(UserAuthMethodColumnUserID, value, TextEquals)
 }
@@ -253,3 +309,80 @@ func prepareUserAuthMethodsQuery(ctx context.Context, db prepareDatabase) (sq.Se
 			}, nil
 		}
 }
+
+func prepareActiveUserAuthMethodTypesQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Rows) (*AuthMethodTypes, error)) {
+	authMethodsQuery, authMethodsArgs, err := sq.Select(
+		"DISTINCT("+authMethodTypeTypes.identifier()+")",
+		authMethodTypeUserID.identifier(),
+		authMethodTypeInstanceID.identifier()).
+		From(authMethodTypeTable.identifier()).
+		Where(sq.Eq{authMethodTypeState.identifier(): domain.MFAStateReady}).
+		ToSql()
+	if err != nil {
+		return sq.SelectBuilder{}, nil
+	}
+	idpsQuery, _, err := sq.Select(
+		userIDPsCountUserID.identifier(),
+		userIDPsCountInstanceID.identifier(),
+		"COUNT("+userIDPsCountUserID.identifier()+") AS "+userIDPsCountCount.name).
+		From(userIDPsCountTable.identifier()).
+		GroupBy(
+			userIDPsCountUserID.identifier(),
+			userIDPsCountInstanceID.identifier(),
+		).
+		ToSql()
+	if err != nil {
+		return sq.SelectBuilder{}, nil
+	}
+	return sq.Select(
+			NotifyPasswordSetCol.identifier(),
+			authMethodTypeTypes.identifier(),
+			userIDPsCountCount.identifier()).
+			From(userTable.identifier()).
+			LeftJoin(join(NotifyUserIDCol, UserIDCol)).
+			LeftJoin("("+authMethodsQuery+") AS "+authMethodTypeTable.alias+" ON "+
+				authMethodTypeUserID.identifier()+" = "+UserIDCol.identifier()+" AND "+
+				authMethodTypeInstanceID.identifier()+" = "+UserInstanceIDCol.identifier(),
+				authMethodsArgs...).
+			LeftJoin("(" + idpsQuery + ") AS " + userIDPsCountTable.alias + " ON " +
+				userIDPsCountUserID.identifier() + " = " + UserIDCol.identifier() + " AND " +
+				userIDPsCountInstanceID.identifier() + " = " + UserInstanceIDCol.identifier() + db.Timetravel(call.Took(ctx))).
+			PlaceholderFormat(sq.Dollar),
+		func(rows *sql.Rows) (*AuthMethodTypes, error) {
+			userAuthMethodTypes := make([]domain.UserAuthMethodType, 0)
+			var passwordSet sql.NullBool
+			var idp sql.NullInt64
+			for rows.Next() {
+				var authMethodType sql.NullInt16
+				err := rows.Scan(
+					&passwordSet,
+					&authMethodType,
+					&idp,
+				)
+				if err != nil {
+					return nil, err
+				}
+				if authMethodType.Valid {
+					userAuthMethodTypes = append(userAuthMethodTypes, domain.UserAuthMethodType(authMethodType.Int16))
+				}
+			}
+			if passwordSet.Valid && passwordSet.Bool {
+				userAuthMethodTypes = append(userAuthMethodTypes, domain.UserAuthMethodTypePassword)
+			}
+			if idp.Valid && idp.Int64 > 0 {
+				logging.Error("IDP", idp.Int64)
+				userAuthMethodTypes = append(userAuthMethodTypes, domain.UserAuthMethodTypeIDP)
+			}
+
+			if err := rows.Close(); err != nil {
+				return nil, errors.ThrowInternal(err, "QUERY-3n9fl", "Errors.Query.CloseRows")
+			}
+
+			return &AuthMethodTypes{
+				AuthMethodTypes: userAuthMethodTypes,
+				SearchResponse: SearchResponse{
+					Count: uint64(len(userAuthMethodTypes)),
+				},
+			}, nil
+		}
+}
--- a/internal/query/user_auth_method_test.go
+++ b/internal/query/user_auth_method_test.go
@@ -36,6 +36,23 @@ var (
 		"method_type",
 		"count",
 	}
+	prepareActiveAuthMethodTypesStmt = `SELECT projections.users8_notifications.password_set,` +
+		` auth_method_types.method_type,` +
+		` user_idps_count.count` +
+		` FROM projections.users8` +
+		` LEFT JOIN projections.users8_notifications ON projections.users8.id = projections.users8_notifications.user_id AND projections.users8.instance_id = projections.users8_notifications.instance_id` +
+		` LEFT JOIN (SELECT DISTINCT(auth_method_types.method_type), auth_method_types.user_id, auth_method_types.instance_id FROM projections.user_auth_methods4 AS auth_method_types` +
+		` WHERE auth_method_types.state = $1) AS auth_method_types` +
+		` ON auth_method_types.user_id = projections.users8.id AND auth_method_types.instance_id = projections.users8.instance_id` +
+		` LEFT JOIN (SELECT user_idps_count.user_id, user_idps_count.instance_id, COUNT(user_idps_count.user_id) AS count FROM projections.idp_user_links3 AS user_idps_count` +
+		` GROUP BY user_idps_count.user_id, user_idps_count.instance_id) AS user_idps_count` +
+		` ON user_idps_count.user_id = projections.users8.id AND user_idps_count.instance_id = projections.users8.instance_id` +
+		` AS OF SYSTEM TIME '-1 ms`
+	prepareActiveAuthMethodTypesCols = []string{
+		"password_set",
+		"method_type",
+		"idps_count",
+	}
 )

 func Test_UserAuthMethodPrepares(t *testing.T) {
@@ -182,6 +199,95 @@ func Test_UserAuthMethodPrepares(t *testing.T) {
 			},
 			object: nil,
 		},
+		{
+			name:    "prepareActiveUserAuthMethodTypesQuery no result",
+			prepare: prepareActiveUserAuthMethodTypesQuery,
+			want: want{
+				sqlExpectations: mockQueries(
+					regexp.QuoteMeta(prepareActiveAuthMethodTypesStmt),
+					nil,
+					nil,
+				),
+			},
+			object: &AuthMethodTypes{AuthMethodTypes: []domain.UserAuthMethodType{}},
+		},
+		{
+			name:    "prepareActiveUserAuthMethodTypesQuery one second factor",
+			prepare: prepareActiveUserAuthMethodTypesQuery,
+			want: want{
+				sqlExpectations: mockQueries(
+					regexp.QuoteMeta(prepareActiveAuthMethodTypesStmt),
+					prepareActiveAuthMethodTypesCols,
+					[][]driver.Value{
+						{
+							true,
+							domain.UserAuthMethodTypePasswordless,
+							1,
+						},
+					},
+				),
+			},
+			object: &AuthMethodTypes{
+				SearchResponse: SearchResponse{
+					Count: 3,
+				},
+				AuthMethodTypes: []domain.UserAuthMethodType{
+					domain.UserAuthMethodTypePasswordless,
+					domain.UserAuthMethodTypePassword,
+					domain.UserAuthMethodTypeIDP,
+				},
+			},
+		},
+		{
+			name:    "prepareActiveUserAuthMethodTypesQuery multiple second factors",
+			prepare: prepareActiveUserAuthMethodTypesQuery,
+			want: want{
+				sqlExpectations: mockQueries(
+					regexp.QuoteMeta(prepareActiveAuthMethodTypesStmt),
+					prepareActiveAuthMethodTypesCols,
+					[][]driver.Value{
+						{
+							true,
+							domain.UserAuthMethodTypePasswordless,
+							1,
+						},
+						{
+							true,
+							domain.UserAuthMethodTypeOTP,
+							1,
+						},
+					},
+				),
+			},
+			object: &AuthMethodTypes{
+				SearchResponse: SearchResponse{
+					Count: 4,
+				},
+				AuthMethodTypes: []domain.UserAuthMethodType{
+					domain.UserAuthMethodTypePasswordless,
+					domain.UserAuthMethodTypeOTP,
+					domain.UserAuthMethodTypePassword,
+					domain.UserAuthMethodTypeIDP,
+				},
+			},
+		},
+		{
+			name:    "prepareActiveUserAuthMethodTypesQuery sql err",
+			prepare: prepareActiveUserAuthMethodTypesQuery,
+			want: want{
+				sqlExpectations: mockQueryErr(
+					regexp.QuoteMeta(prepareActiveAuthMethodTypesStmt),
+					sql.ErrConnDone,
+				),
+				err: func(err error) (error, bool) {
+					if !errors.Is(err, sql.ErrConnDone) {
+						return fmt.Errorf("err should be sql.ErrConnDone got: %w", err), false
+					}
+					return nil, true
+				},
+			},
+			object: nil,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {