feat: Lockout policy (#2121)

* feat: lock users if lockout policy is set * feat: setup * feat: lock user on password failes * feat: render error * feat: lock user on command side * feat: auth_req tests * feat: lockout policy docs * feat: remove show lockout failures from proto * fix: console lockout * feat: tests * fix: tests * unlock function * add unlock button * fix migration version * lockout policy * lint * Update internal/auth/repository/eventsourcing/eventstore/auth_request.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: err message * Update internal/command/setup_step4.go Co-authored-by: Silvan <silvan.reusser@gmail.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Silvan <silvan.reusser@gmail.com>
2025-08-11 21:47:32 +00:00 · 2021-08-11 08:36:32 +02:00
parent 272e411e27
commit bc951985ed
101 changed files with 2170 additions and 1574 deletions
--- a/internal/admin/repository/eventsourcing/eventstore/iam.go
+++ b/internal/admin/repository/eventsourcing/eventstore/iam.go
@@ -282,30 +282,30 @@ func (repo *IAMRepository) GetDefaultPasswordAgePolicy(ctx context.Context) (*ia
 	return iam_es_model.PasswordAgeViewToModel(policy), nil
 }

-func (repo *IAMRepository) GetDefaultPasswordLockoutPolicy(ctx context.Context) (*iam_model.PasswordLockoutPolicyView, error) {
-	policy, viewErr := repo.View.PasswordLockoutPolicyByAggregateID(repo.SystemDefaults.IamID)
+func (repo *IAMRepository) GetDefaultLockoutPolicy(ctx context.Context) (*iam_model.LockoutPolicyView, error) {
+	policy, viewErr := repo.View.LockoutPolicyByAggregateID(repo.SystemDefaults.IamID)
 	if viewErr != nil && !caos_errs.IsNotFound(viewErr) {
 		return nil, viewErr
 	}
 	if caos_errs.IsNotFound(viewErr) {
-		policy = new(iam_es_model.PasswordLockoutPolicyView)
+		policy = new(iam_es_model.LockoutPolicyView)
 	}

 	events, esErr := repo.getIAMEvents(ctx, policy.Sequence)
 	if caos_errs.IsNotFound(viewErr) && len(events) == 0 {
-		return nil, caos_errs.ThrowNotFound(nil, "EVENT-2M9oP", "Errors.IAM.PasswordLockoutPolicy.NotFound")
+		return nil, caos_errs.ThrowNotFound(nil, "EVENT-2M9oP", "Errors.IAM.LockoutPolicy.NotFound")
 	}
 	if esErr != nil {
 		logging.Log("EVENT-3M0xs").WithError(esErr).Debug("error retrieving new events")
-		return iam_es_model.PasswordLockoutViewToModel(policy), nil
+		return iam_es_model.LockoutViewToModel(policy), nil
 	}
 	policyCopy := *policy
 	for _, event := range events {
 		if err := policyCopy.AppendEvent(event); err != nil {
-			return iam_es_model.PasswordLockoutViewToModel(policy), nil
+			return iam_es_model.LockoutViewToModel(policy), nil
 		}
 	}
-	return iam_es_model.PasswordLockoutViewToModel(policy), nil
+	return iam_es_model.LockoutViewToModel(policy), nil
 }

 func (repo *IAMRepository) GetOrgIAMPolicy(ctx context.Context) (*iam_model.OrgIAMPolicyView, error) {
--- a/internal/admin/repository/eventsourcing/handler/handler.go
+++ b/internal/admin/repository/eventsourcing/handler/handler.go
@@ -3,6 +3,7 @@ package handler
 import (
 	"time"

+	"github.com/caos/zitadel/internal/command"
 	"github.com/caos/zitadel/internal/eventstore/v1"
 	"github.com/caos/zitadel/internal/static"

@@ -31,7 +32,7 @@ func (h *handler) Eventstore() v1.Eventstore {
 	return h.es
 }

-func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es v1.Eventstore, defaults systemdefaults.SystemDefaults, static static.Storage, localDevMode bool) []query.Handler {
+func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es v1.Eventstore, defaults systemdefaults.SystemDefaults, command *command.Commands, static static.Storage, localDevMode bool) []query.Handler {
 	handlers := []query.Handler{
 		newOrg(
 			handler{view, bulkLimit, configs.cycleDuration("Org"), errorCount, es}),
@@ -53,8 +54,8 @@ func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es
 			handler{view, bulkLimit, configs.cycleDuration("PasswordComplexityPolicy"), errorCount, es}),
 		newPasswordAgePolicy(
 			handler{view, bulkLimit, configs.cycleDuration("PasswordAgePolicy"), errorCount, es}),
-		newPasswordLockoutPolicy(
-			handler{view, bulkLimit, configs.cycleDuration("PasswordLockoutPolicy"), errorCount, es}),
+		newLockoutPolicy(
+			handler{view, bulkLimit, configs.cycleDuration("LockoutPolicy"), errorCount, es}),
 		newOrgIAMPolicy(
 			handler{view, bulkLimit, configs.cycleDuration("OrgIAMPolicy"), errorCount, es}),
 		newExternalIDP(
--- a/internal/admin/repository/eventsourcing/handler/password_lockout_policy.go
+++ b/internal/admin/repository/eventsourcing/handler/password_lockout_policy.go
@@ -13,16 +13,16 @@ import (
 )

 const (
-	passwordLockoutPolicyTable = "adminapi.password_lockout_policies"
+	lockoutPolicyTable = "adminapi.lockout_policies"
 )

-type PasswordLockoutPolicy struct {
+type LockoutPolicy struct {
 	handler
 	subscription *v1.Subscription
 }

-func newPasswordLockoutPolicy(handler handler) *PasswordLockoutPolicy {
-	h := &PasswordLockoutPolicy{
+func newLockoutPolicy(handler handler) *LockoutPolicy {
+	h := &LockoutPolicy{
 		handler: handler,
 	}

@@ -31,7 +31,7 @@ func newPasswordLockoutPolicy(handler handler) *PasswordLockoutPolicy {
 	return h
 }

-func (p *PasswordLockoutPolicy) subscribe() {
+func (p *LockoutPolicy) subscribe() {
 	p.subscription = p.es.Subscribe(p.AggregateTypes()...)
 	go func() {
 		for event := range p.subscription.Events {
@@ -40,28 +40,28 @@ func (p *PasswordLockoutPolicy) subscribe() {
 	}()
 }

-func (p *PasswordLockoutPolicy) ViewModel() string {
-	return passwordLockoutPolicyTable
+func (p *LockoutPolicy) ViewModel() string {
+	return lockoutPolicyTable
 }

-func (m *PasswordLockoutPolicy) Subscription() *v1.Subscription {
+func (m *LockoutPolicy) Subscription() *v1.Subscription {
 	return m.subscription
 }

-func (p *PasswordLockoutPolicy) AggregateTypes() []es_models.AggregateType {
+func (p *LockoutPolicy) AggregateTypes() []es_models.AggregateType {
 	return []es_models.AggregateType{model.OrgAggregate, iam_es_model.IAMAggregate}
 }

-func (p *PasswordLockoutPolicy) CurrentSequence() (uint64, error) {
-	sequence, err := p.view.GetLatestPasswordLockoutPolicySequence()
+func (p *LockoutPolicy) CurrentSequence() (uint64, error) {
+	sequence, err := p.view.GetLatestLockoutPolicySequence()
 	if err != nil {
 		return 0, err
 	}
 	return sequence.CurrentSequence, nil
 }

-func (p *PasswordLockoutPolicy) EventQuery() (*es_models.SearchQuery, error) {
-	sequence, err := p.view.GetLatestPasswordLockoutPolicySequence()
+func (p *LockoutPolicy) EventQuery() (*es_models.SearchQuery, error) {
+	sequence, err := p.view.GetLatestLockoutPolicySequence()
 	if err != nil {
 		return nil, err
 	}
@@ -70,41 +70,41 @@ func (p *PasswordLockoutPolicy) EventQuery() (*es_models.SearchQuery, error) {
 		LatestSequenceFilter(sequence.CurrentSequence), nil
 }

-func (p *PasswordLockoutPolicy) Reduce(event *es_models.Event) (err error) {
+func (p *LockoutPolicy) Reduce(event *es_models.Event) (err error) {
 	switch event.AggregateType {
 	case model.OrgAggregate, iam_es_model.IAMAggregate:
-		err = p.processPasswordLockoutPolicy(event)
+		err = p.processLockoutPolicy(event)
 	}
 	return err
 }

-func (p *PasswordLockoutPolicy) processPasswordLockoutPolicy(event *es_models.Event) (err error) {
-	policy := new(iam_model.PasswordLockoutPolicyView)
+func (p *LockoutPolicy) processLockoutPolicy(event *es_models.Event) (err error) {
+	policy := new(iam_model.LockoutPolicyView)
 	switch event.Type {
-	case iam_es_model.PasswordLockoutPolicyAdded, model.PasswordLockoutPolicyAdded:
+	case iam_es_model.LockoutPolicyAdded, model.LockoutPolicyAdded:
 		err = policy.AppendEvent(event)
-	case iam_es_model.PasswordLockoutPolicyChanged, model.PasswordLockoutPolicyChanged:
-		policy, err = p.view.PasswordLockoutPolicyByAggregateID(event.AggregateID)
+	case iam_es_model.LockoutPolicyChanged, model.LockoutPolicyChanged:
+		policy, err = p.view.LockoutPolicyByAggregateID(event.AggregateID)
 		if err != nil {
 			return err
 		}
 		err = policy.AppendEvent(event)
-	case model.PasswordLockoutPolicyRemoved:
-		return p.view.DeletePasswordLockoutPolicy(event.AggregateID, event)
+	case model.LockoutPolicyRemoved:
+		return p.view.DeleteLockoutPolicy(event.AggregateID, event)
 	default:
-		return p.view.ProcessedPasswordLockoutPolicySequence(event)
+		return p.view.ProcessedLockoutPolicySequence(event)
 	}
 	if err != nil {
 		return err
 	}
-	return p.view.PutPasswordLockoutPolicy(policy, event)
+	return p.view.PutLockoutPolicy(policy, event)
 }

-func (p *PasswordLockoutPolicy) OnError(event *es_models.Event, err error) error {
-	logging.LogWithFields("SPOOL-nD8sie", "id", event.AggregateID).WithError(err).Warn("something went wrong in passwordLockout policy handler")
-	return spooler.HandleError(event, err, p.view.GetLatestPasswordLockoutPolicyFailedEvent, p.view.ProcessedPasswordLockoutPolicyFailedEvent, p.view.ProcessedPasswordLockoutPolicySequence, p.errorCountUntilSkip)
+func (p *LockoutPolicy) OnError(event *es_models.Event, err error) error {
+	logging.LogWithFields("SPOOL-nD8sie", "id", event.AggregateID).WithError(err).Warn("something went wrong in Lockout policy handler")
+	return spooler.HandleError(event, err, p.view.GetLatestLockoutPolicyFailedEvent, p.view.ProcessedLockoutPolicyFailedEvent, p.view.ProcessedLockoutPolicySequence, p.errorCountUntilSkip)
 }

-func (p *PasswordLockoutPolicy) OnSuccess() error {
-	return spooler.HandleSuccess(p.view.UpdatePasswordLockoutPolicySpoolerRunTimestamp)
+func (p *LockoutPolicy) OnSuccess() error {
+	return spooler.HandleSuccess(p.view.UpdateLockoutPolicySpoolerRunTimestamp)
 }
--- a/internal/admin/repository/eventsourcing/repository.go
+++ b/internal/admin/repository/eventsourcing/repository.go
@@ -9,6 +9,7 @@ import (
 	"github.com/caos/zitadel/internal/admin/repository/eventsourcing/eventstore"
 	"github.com/caos/zitadel/internal/admin/repository/eventsourcing/spooler"
 	admin_view "github.com/caos/zitadel/internal/admin/repository/eventsourcing/view"
+	"github.com/caos/zitadel/internal/command"
 	sd "github.com/caos/zitadel/internal/config/systemdefaults"
 	"github.com/caos/zitadel/internal/config/types"
 	"github.com/caos/zitadel/internal/eventstore/v1"
@@ -34,7 +35,7 @@ type EsRepository struct {
 	eventstore.UserRepo
 }

-func Start(ctx context.Context, conf Config, systemDefaults sd.SystemDefaults, static static.Storage, roles []string, localDevMode bool) (*EsRepository, error) {
+func Start(ctx context.Context, conf Config, systemDefaults sd.SystemDefaults, command *command.Commands, static static.Storage, roles []string, localDevMode bool) (*EsRepository, error) {
 	es, err := v1.Start(conf.Eventstore)
 	if err != nil {
 		return nil, err
@@ -48,7 +49,7 @@ func Start(ctx context.Context, conf Config, systemDefaults sd.SystemDefaults, s
 		return nil, err
 	}

-	spool := spooler.StartSpooler(conf.Spooler, es, view, sqlClient, systemDefaults, static, localDevMode)
+	spool := spooler.StartSpooler(conf.Spooler, es, view, sqlClient, systemDefaults, command, static, localDevMode)
 	assetsAPI := conf.APIDomain + "/assets/v1/"

 	statikLoginFS, err := fs.NewWithNamespace("login")
--- a/internal/admin/repository/eventsourcing/spooler/spooler.go
+++ b/internal/admin/repository/eventsourcing/spooler/spooler.go
@@ -2,6 +2,7 @@ package spooler

 import (
 	"database/sql"
+	"github.com/caos/zitadel/internal/command"
 	"github.com/caos/zitadel/internal/config/systemdefaults"
 	"github.com/caos/zitadel/internal/eventstore/v1"
 	"github.com/caos/zitadel/internal/static"
@@ -18,12 +19,12 @@ type SpoolerConfig struct {
 	Handlers              handler.Configs
 }

-func StartSpooler(c SpoolerConfig, es v1.Eventstore, view *view.View, sql *sql.DB, defaults systemdefaults.SystemDefaults, static static.Storage, localDevMode bool) *spooler.Spooler {
+func StartSpooler(c SpoolerConfig, es v1.Eventstore, view *view.View, sql *sql.DB, defaults systemdefaults.SystemDefaults, command *command.Commands, static static.Storage, localDevMode bool) *spooler.Spooler {
 	spoolerConfig := spooler.Config{
 		Eventstore:        es,
 		Locker:            &locker{dbClient: sql},
 		ConcurrentWorkers: c.ConcurrentWorkers,
-		ViewHandlers:      handler.Register(c.Handlers, c.BulkLimit, c.FailureCountUntilSkip, view, es, defaults, static, localDevMode),
+		ViewHandlers:      handler.Register(c.Handlers, c.BulkLimit, c.FailureCountUntilSkip, view, es, defaults, command, static, localDevMode),
 	}
 	spool := spoolerConfig.New()
 	spool.Start()
--- a/internal/admin/repository/eventsourcing/view/lockout_policy.go
+++ b/internal/admin/repository/eventsourcing/view/lockout_policy.go
@@ -0,0 +1,53 @@
+package view
+
+import (
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/v1/models"
+	"github.com/caos/zitadel/internal/iam/repository/view"
+	"github.com/caos/zitadel/internal/iam/repository/view/model"
+	global_view "github.com/caos/zitadel/internal/view/repository"
+)
+
+const (
+	lockoutPolicyTable = "adminapi.lockout_policies"
+)
+
+func (v *View) LockoutPolicyByAggregateID(aggregateID string) (*model.LockoutPolicyView, error) {
+	return view.GetLockoutPolicyByAggregateID(v.Db, lockoutPolicyTable, aggregateID)
+}
+
+func (v *View) PutLockoutPolicy(policy *model.LockoutPolicyView, event *models.Event) error {
+	err := view.PutLockoutPolicy(v.Db, lockoutPolicyTable, policy)
+	if err != nil {
+		return err
+	}
+	return v.ProcessedLockoutPolicySequence(event)
+}
+
+func (v *View) DeleteLockoutPolicy(aggregateID string, event *models.Event) error {
+	err := view.DeleteLockoutPolicy(v.Db, lockoutPolicyTable, aggregateID)
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+	return v.ProcessedLockoutPolicySequence(event)
+}
+
+func (v *View) GetLatestLockoutPolicySequence() (*global_view.CurrentSequence, error) {
+	return v.latestSequence(lockoutPolicyTable)
+}
+
+func (v *View) ProcessedLockoutPolicySequence(event *models.Event) error {
+	return v.saveCurrentSequence(lockoutPolicyTable, event)
+}
+
+func (v *View) UpdateLockoutPolicySpoolerRunTimestamp() error {
+	return v.updateSpoolerRunSequence(lockoutPolicyTable)
+}
+
+func (v *View) GetLatestLockoutPolicyFailedEvent(sequence uint64) (*global_view.FailedEvent, error) {
+	return v.latestFailedEvent(lockoutPolicyTable, sequence)
+}
+
+func (v *View) ProcessedLockoutPolicyFailedEvent(failedEvent *global_view.FailedEvent) error {
+	return v.saveFailedEvent(failedEvent)
+}
--- a/internal/admin/repository/eventsourcing/view/password_lockout_policy.go
+++ b/internal/admin/repository/eventsourcing/view/password_lockout_policy.go
@@ -1,53 +0,0 @@
-package view
-
-import (
-	"github.com/caos/zitadel/internal/errors"
-	"github.com/caos/zitadel/internal/eventstore/v1/models"
-	"github.com/caos/zitadel/internal/iam/repository/view"
-	"github.com/caos/zitadel/internal/iam/repository/view/model"
-	global_view "github.com/caos/zitadel/internal/view/repository"
-)
-
-const (
-	passwordLockoutPolicyTable = "adminapi.password_lockout_policies"
-)
-
-func (v *View) PasswordLockoutPolicyByAggregateID(aggregateID string) (*model.PasswordLockoutPolicyView, error) {
-	return view.GetPasswordLockoutPolicyByAggregateID(v.Db, passwordLockoutPolicyTable, aggregateID)
-}
-
-func (v *View) PutPasswordLockoutPolicy(policy *model.PasswordLockoutPolicyView, event *models.Event) error {
-	err := view.PutPasswordLockoutPolicy(v.Db, passwordLockoutPolicyTable, policy)
-	if err != nil {
-		return err
-	}
-	return v.ProcessedPasswordLockoutPolicySequence(event)
-}
-
-func (v *View) DeletePasswordLockoutPolicy(aggregateID string, event *models.Event) error {
-	err := view.DeletePasswordLockoutPolicy(v.Db, passwordLockoutPolicyTable, aggregateID)
-	if err != nil && !errors.IsNotFound(err) {
-		return err
-	}
-	return v.ProcessedPasswordLockoutPolicySequence(event)
-}
-
-func (v *View) GetLatestPasswordLockoutPolicySequence() (*global_view.CurrentSequence, error) {
-	return v.latestSequence(passwordLockoutPolicyTable)
-}
-
-func (v *View) ProcessedPasswordLockoutPolicySequence(event *models.Event) error {
-	return v.saveCurrentSequence(passwordLockoutPolicyTable, event)
-}
-
-func (v *View) UpdatePasswordLockoutPolicySpoolerRunTimestamp() error {
-	return v.updateSpoolerRunSequence(passwordLockoutPolicyTable)
-}
-
-func (v *View) GetLatestPasswordLockoutPolicyFailedEvent(sequence uint64) (*global_view.FailedEvent, error) {
-	return v.latestFailedEvent(passwordLockoutPolicyTable, sequence)
-}
-
-func (v *View) ProcessedPasswordLockoutPolicyFailedEvent(failedEvent *global_view.FailedEvent) error {
-	return v.saveFailedEvent(failedEvent)
-}
--- a/internal/admin/repository/iam.go
+++ b/internal/admin/repository/iam.go
@@ -43,7 +43,7 @@ type IAMRepository interface {

 	GetDefaultPasswordAgePolicy(ctx context.Context) (*iam_model.PasswordAgePolicyView, error)

-	GetDefaultPasswordLockoutPolicy(ctx context.Context) (*iam_model.PasswordLockoutPolicyView, error)
+	GetDefaultLockoutPolicy(ctx context.Context) (*iam_model.LockoutPolicyView, error)

 	GetDefaultPrivacyPolicy(ctx context.Context) (*iam_model.PrivacyPolicyView, error)