TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-06-12 20:28:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: check login policy before register and password check (#2611)

Browse Source 
* fix: check login policy before register and password check

* remove accidentally pushed overwrite

* Update en.yaml
This commit is contained in:
Livio Amstutz 2021-11-08 08:42:07 +01:00 committed by GitHub
parent 17e00f8204
commit af1f10b7ca
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 339 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
internal/command/org_policy_login.go
View File

@ -62,6 +62,17 @@ func (c *Commands) orgLoginPolicyWriteModelByID(ctx context.Context, orgID strin
return policyWriteModel, nil return policyWriteModel, nil
} }
func (c *Commands) getOrgLoginPolicy(ctx context.Context, orgID string) (*domain.LoginPolicy, error) {
policy, err := c.orgLoginPolicyWriteModelByID(ctx, orgID)
if err != nil {
return nil, err
}
if policy.State == domain.PolicyStateActive {
return writeModelToLoginPolicy(&policy.LoginPolicyWriteModel), nil
}
return c.getDefaultLoginPolicy(ctx)
}
func (c *Commands) ChangeLoginPolicy(ctx context.Context, resourceOwner string, policy *domain.LoginPolicy) (*domain.LoginPolicy, error) { func (c *Commands) ChangeLoginPolicy(ctx context.Context, resourceOwner string, policy *domain.LoginPolicy) (*domain.LoginPolicy, error) {
if resourceOwner == "" { if resourceOwner == "" {
return nil, caos_errs.ThrowInvalidArgument(nil, "Org-Mf9sf", "Errors.ResourceOwnerMissing") return nil, caos_errs.ThrowInvalidArgument(nil, "Org-Mf9sf", "Errors.ResourceOwnerMissing")

7
internal/command/user_human.go
View File

@ -129,6 +129,13 @@ func (c *Commands) RegisterHuman(ctx context.Context, orgID string, human *domai
if err != nil { if err != nil {
return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-M5Fsd", "Errors.Org.PasswordComplexity.NotFound") return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-M5Fsd", "Errors.Org.PasswordComplexity.NotFound")
} }
loginPolicy, err := c.getOrgLoginPolicy(ctx, orgID)
if err != nil {
return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-Dfg3g", "Errors.Org.LoginPolicy.NotFound")
}
if !loginPolicy.AllowRegister {
return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-SAbr3", "Errors.Org.LoginPolicy.RegistrationNotAllowed")
}
userEvents, registeredHuman, err := c.registerHuman(ctx, orgID, human, link, orgIAMPolicy, pwPolicy) userEvents, registeredHuman, err := c.registerHuman(ctx, orgID, human, link, orgIAMPolicy, pwPolicy)
if err != nil { if err != nil {
return nil, err return nil, err

9
internal/command/user_human_password.go
View File

@ -4,6 +4,7 @@ import (
"context" "context"
"github.com/caos/logging" "github.com/caos/logging"
"github.com/caos/zitadel/internal/crypto" "github.com/caos/zitadel/internal/crypto"
"github.com/caos/zitadel/internal/domain" "github.com/caos/zitadel/internal/domain"
caos_errs "github.com/caos/zitadel/internal/errors" caos_errs "github.com/caos/zitadel/internal/errors"
@ -206,6 +207,14 @@ func (c *Commands) HumanCheckPassword(ctx context.Context, orgID, userID, passwo
return caos_errs.ThrowInvalidArgument(nil, "COMMAND-3n8fs", "Errors.User.Password.Empty") return caos_errs.ThrowInvalidArgument(nil, "COMMAND-3n8fs", "Errors.User.Password.Empty")
} }
loginPolicy, err := c.getOrgLoginPolicy(ctx, orgID)
if err != nil {
return caos_errs.ThrowPreconditionFailed(err, "COMMAND-Edf3g", "Errors.Org.LoginPolicy.NotFound")
}
if !loginPolicy.AllowUsernamePassword {
return caos_errs.ThrowPreconditionFailed(err, "COMMAND-Dft32", "Errors.Org.LoginPolicy.UsernamePasswordNotAllowed")
}
existingPassword, err := c.passwordWriteModel(ctx, userID, orgID) existingPassword, err := c.passwordWriteModel(ctx, userID, orgID)
if err != nil { if err != nil {
return err return err

114
internal/command/user_human_password_test.go
View File

@ -1125,11 +1125,73 @@ func TestCommandSide_CheckPassword(t *testing.T) {
err: caos_errs.IsErrorInvalidArgument, err: caos_errs.IsErrorInvalidArgument,
}, },
}, },
{
name: "login policy not found, precondition error",
fields: fields{
eventstore: eventstoreExpect(
t,
expectFilter(),
expectFilter(),
),
},
args: args{
ctx: context.Background(),
userID: "user1",
resourceOwner: "org1",
password: "password",
},
res: res{
err: caos_errs.IsPreconditionFailed,
},
},
{
name: "login policy login password not allowed, precondition error",
fields: fields{
eventstore: eventstoreExpect(
t,
expectFilter(
eventFromEventPusher(
org.NewLoginPolicyAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
false,
false,
false,
false,
false,
domain.PasswordlessTypeNotAllowed,
),
),
),
),
},
args: args{
ctx: context.Background(),
userID: "user1",
resourceOwner: "org1",
password: "password",
},
res: res{
err: caos_errs.IsPreconditionFailed,
},
},
{ {
name: "user not existing, precondition error", name: "user not existing, precondition error",
fields: fields{ fields: fields{
eventstore: eventstoreExpect( eventstore: eventstoreExpect(
t, t,
expectFilter(
eventFromEventPusher(
org.NewLoginPolicyAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
true,
false,
false,
false,
false,
domain.PasswordlessTypeNotAllowed,
),
),
),
expectFilter(), expectFilter(),
), ),
}, },
@ -1148,6 +1210,19 @@ func TestCommandSide_CheckPassword(t *testing.T) {
fields: fields{ fields: fields{
eventstore: eventstoreExpect( eventstore: eventstoreExpect(
t, t,
expectFilter(
eventFromEventPusher(
org.NewLoginPolicyAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
true,
false,
false,
false,
false,
domain.PasswordlessTypeNotAllowed,
),
),
),
expectFilter( expectFilter(
eventFromEventPusher( eventFromEventPusher(
user.NewHumanAddedEvent(context.Background(), user.NewHumanAddedEvent(context.Background(),
@ -1182,6 +1257,19 @@ func TestCommandSide_CheckPassword(t *testing.T) {
fields: fields{ fields: fields{
eventstore: eventstoreExpect( eventstore: eventstoreExpect(
t, t,
expectFilter(
eventFromEventPusher(
org.NewLoginPolicyAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
true,
false,
false,
false,
false,
domain.PasswordlessTypeNotAllowed,
),
),
),
expectFilter( expectFilter(
eventFromEventPusher( eventFromEventPusher(
user.NewHumanAddedEvent(context.Background(), user.NewHumanAddedEvent(context.Background(),
@ -1250,6 +1338,19 @@ func TestCommandSide_CheckPassword(t *testing.T) {
fields: fields{ fields: fields{
eventstore: eventstoreExpect( eventstore: eventstoreExpect(
t, t,
expectFilter(
eventFromEventPusher(
org.NewLoginPolicyAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
true,
false,
false,
false,
false,
domain.PasswordlessTypeNotAllowed,
),
),
),
expectFilter( expectFilter(
eventFromEventPusher( eventFromEventPusher(
user.NewHumanAddedEvent(context.Background(), user.NewHumanAddedEvent(context.Background(),
@ -1325,6 +1426,19 @@ func TestCommandSide_CheckPassword(t *testing.T) {
fields: fields{ fields: fields{
eventstore: eventstoreExpect( eventstore: eventstoreExpect(
t, t,
expectFilter(
eventFromEventPusher(
org.NewLoginPolicyAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
true,
false,
false,
false,
false,
domain.PasswordlessTypeNotAllowed,
),
),
),
expectFilter( expectFilter(
eventFromEventPusher( eventFromEventPusher(
user.NewHumanAddedEvent(context.Background(), user.NewHumanAddedEvent(context.Background(),

194
internal/command/user_human_test.go
View File

@ -1531,6 +1531,109 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
err: caos_errs.IsPreconditionFailed, err: caos_errs.IsPreconditionFailed,
}, },
}, },
{
name: "login policy not found, precondition error",
fields: fields{
eventstore: eventstoreExpect(
t,
expectFilter(
eventFromEventPusher(
org.NewOrgIAMPolicyAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
true,
),
),
),
expectFilter(
eventFromEventPusher(
org.NewPasswordComplexityPolicyAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
1,
false,
false,
false,
false,
),
),
),
expectFilter(),
expectFilter(),
),
},
args: args{
ctx: context.Background(),
orgID: "org1",
human: &domain.Human{
Username: "username",
Profile: &domain.Profile{
FirstName: "firstname",
},
Password: &domain.Password{
SecretString: "password",
},
},
},
res: res{
err: caos_errs.IsPreconditionFailed,
},
},
{
name: "login policy registration not allowed, precondition error",
fields: fields{
eventstore: eventstoreExpect(
t,
expectFilter(
eventFromEventPusher(
org.NewOrgIAMPolicyAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
true,
),
),
),
expectFilter(
eventFromEventPusher(
org.NewPasswordComplexityPolicyAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
1,
false,
false,
false,
false,
),
),
),
expectFilter(
eventFromEventPusher(
org.NewLoginPolicyAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
false,
false,
false,
false,
false,
domain.PasswordlessTypeNotAllowed,
),
),
),
),
},
args: args{
ctx: context.Background(),
orgID: "org1",
human: &domain.Human{
Username: "username",
Profile: &domain.Profile{
FirstName: "firstname",
},
Password: &domain.Password{
SecretString: "password",
},
},
},
res: res{
err: caos_errs.IsPreconditionFailed,
},
},
{ {
name: "user invalid, invalid argument error", name: "user invalid, invalid argument error",
fields: fields{ fields: fields{
@ -1556,6 +1659,19 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
), ),
), ),
), ),
expectFilter(
eventFromEventPusher(
org.NewLoginPolicyAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
false,
true,
false,
false,
false,
domain.PasswordlessTypeNotAllowed,
),
),
),
), ),
}, },
args: args{ args: args{
@ -1600,6 +1716,19 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
), ),
), ),
), ),
expectFilter(
eventFromEventPusher(
org.NewLoginPolicyAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
false,
true,
false,
false,
false,
domain.PasswordlessTypeNotAllowed,
),
),
),
expectFilter( expectFilter(
eventFromEventPusher( eventFromEventPusher(
org.NewDomainAddedEvent(context.Background(), org.NewDomainAddedEvent(context.Background(),
@ -1661,6 +1790,19 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
), ),
), ),
), ),
expectFilter(
eventFromEventPusher(
org.NewLoginPolicyAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
false,
true,
false,
false,
false,
domain.PasswordlessTypeNotAllowed,
),
),
),
expectFilter( expectFilter(
eventFromEventPusher( eventFromEventPusher(
org.NewDomainAddedEvent(context.Background(), org.NewDomainAddedEvent(context.Background(),
@ -1780,6 +1922,19 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
), ),
), ),
), ),
expectFilter(
eventFromEventPusher(
org.NewLoginPolicyAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
false,
true,
false,
false,
false,
domain.PasswordlessTypeNotAllowed,
),
),
),
expectPush( expectPush(
[]*repository.Event{ []*repository.Event{
eventFromEventPusher( eventFromEventPusher(
@ -1867,6 +2022,19 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
), ),
), ),
), ),
expectFilter(
eventFromEventPusher(
org.NewLoginPolicyAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
false,
true,
false,
false,
false,
domain.PasswordlessTypeNotAllowed,
),
),
),
expectPush( expectPush(
[]*repository.Event{ []*repository.Event{
eventFromEventPusher( eventFromEventPusher(
@ -1948,6 +2116,19 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
), ),
), ),
), ),
expectFilter(
eventFromEventPusher(
org.NewLoginPolicyAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
false,
true,
false,
false,
false,
domain.PasswordlessTypeNotAllowed,
),
),
),
expectPush( expectPush(
[]*repository.Event{ []*repository.Event{
eventFromEventPusher( eventFromEventPusher(
@ -2051,6 +2232,19 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
), ),
), ),
), ),
expectFilter(
eventFromEventPusher(
org.NewLoginPolicyAddedEvent(context.Background(),
&org.NewAggregate("org1", "org1").Aggregate,
false,
true,
false,
false,
false,
domain.PasswordlessTypeNotAllowed,
),
),
),
expectPush( expectPush(
[]*repository.Event{ []*repository.Event{
eventFromEventPusher( eventFromEventPusher(

2
internal/static/i18n/de.yaml
View File

@ -154,6 +154,8 @@ Errors:
AlreadyExists: Login Policy existiert bereits AlreadyExists: Login Policy existiert bereits
IdpProviderAlreadyExisting: Idp Provider existiert bereits IdpProviderAlreadyExisting: Idp Provider existiert bereits
IdpProviderNotExisting: Idp Provider existiert nicht IdpProviderNotExisting: Idp Provider existiert nicht
RegistrationNotAllowed: Registrierung ist nicht erlaubt
UsernamePasswordNotAllowed: Login mit Username / Passwort nicht erlaubt
MFA: MFA:
AlreadyExists: Multifaktor existiert bereits AlreadyExists: Multifaktor existiert bereits
NotExisting: Multifaktor existiert nicht NotExisting: Multifaktor existiert nicht

2
internal/static/i18n/en.yaml
View File

@ -154,6 +154,8 @@ Errors:
AlreadyExists: Login Policy already exists AlreadyExists: Login Policy already exists
IdpProviderAlreadyExisting: Idp Provider already existing IdpProviderAlreadyExisting: Idp Provider already existing
IdpProviderNotExisting: Idp Provider not existing IdpProviderNotExisting: Idp Provider not existing
RegistrationNotAllowed: Registration is not allowed
UsernamePasswordNotAllowed: Login with Username / Password is not allowed
MFA: MFA:
AlreadyExists: Multifactor already exists AlreadyExists: Multifactor already exists
NotExisting: Multifactor not existing NotExisting: Multifactor not existing