feat: Lockout policy (#2121)

* feat: lock users if lockout policy is set * feat: setup * feat: lock user on password failes * feat: render error * feat: lock user on command side * feat: auth_req tests * feat: lockout policy docs * feat: remove show lockout failures from proto * fix: console lockout * feat: tests * fix: tests * unlock function * add unlock button * fix migration version * lockout policy * lint * Update internal/auth/repository/eventsourcing/eventstore/auth_request.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: err message * Update internal/command/setup_step4.go Co-authored-by: Silvan <silvan.reusser@gmail.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Silvan <silvan.reusser@gmail.com>
2025-08-11 21:47:32 +00:00 · 2021-08-11 08:36:32 +02:00
parent 272e411e27
commit bc951985ed
101 changed files with 2170 additions and 1574 deletions
--- a/internal/admin/repository/eventsourcing/handler/handler.go
+++ b/internal/admin/repository/eventsourcing/handler/handler.go
@@ -3,6 +3,7 @@ package handler
 import (
 	"time"

+	"github.com/caos/zitadel/internal/command"
 	"github.com/caos/zitadel/internal/eventstore/v1"
 	"github.com/caos/zitadel/internal/static"

@@ -31,7 +32,7 @@ func (h *handler) Eventstore() v1.Eventstore {
 	return h.es
 }

-func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es v1.Eventstore, defaults systemdefaults.SystemDefaults, static static.Storage, localDevMode bool) []query.Handler {
+func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es v1.Eventstore, defaults systemdefaults.SystemDefaults, command *command.Commands, static static.Storage, localDevMode bool) []query.Handler {
 	handlers := []query.Handler{
 		newOrg(
 			handler{view, bulkLimit, configs.cycleDuration("Org"), errorCount, es}),
@@ -53,8 +54,8 @@ func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es
 			handler{view, bulkLimit, configs.cycleDuration("PasswordComplexityPolicy"), errorCount, es}),
 		newPasswordAgePolicy(
 			handler{view, bulkLimit, configs.cycleDuration("PasswordAgePolicy"), errorCount, es}),
-		newPasswordLockoutPolicy(
-			handler{view, bulkLimit, configs.cycleDuration("PasswordLockoutPolicy"), errorCount, es}),
+		newLockoutPolicy(
+			handler{view, bulkLimit, configs.cycleDuration("LockoutPolicy"), errorCount, es}),
 		newOrgIAMPolicy(
 			handler{view, bulkLimit, configs.cycleDuration("OrgIAMPolicy"), errorCount, es}),
 		newExternalIDP(
--- a/internal/admin/repository/eventsourcing/handler/password_lockout_policy.go
+++ b/internal/admin/repository/eventsourcing/handler/password_lockout_policy.go
@@ -13,16 +13,16 @@ import (
 )

 const (
-	passwordLockoutPolicyTable = "adminapi.password_lockout_policies"
+	lockoutPolicyTable = "adminapi.lockout_policies"
 )

-type PasswordLockoutPolicy struct {
+type LockoutPolicy struct {
 	handler
 	subscription *v1.Subscription
 }

-func newPasswordLockoutPolicy(handler handler) *PasswordLockoutPolicy {
-	h := &PasswordLockoutPolicy{
+func newLockoutPolicy(handler handler) *LockoutPolicy {
+	h := &LockoutPolicy{
 		handler: handler,
 	}

@@ -31,7 +31,7 @@ func newPasswordLockoutPolicy(handler handler) *PasswordLockoutPolicy {
 	return h
 }

-func (p *PasswordLockoutPolicy) subscribe() {
+func (p *LockoutPolicy) subscribe() {
 	p.subscription = p.es.Subscribe(p.AggregateTypes()...)
 	go func() {
 		for event := range p.subscription.Events {
@@ -40,28 +40,28 @@ func (p *PasswordLockoutPolicy) subscribe() {
 	}()
 }

-func (p *PasswordLockoutPolicy) ViewModel() string {
-	return passwordLockoutPolicyTable
+func (p *LockoutPolicy) ViewModel() string {
+	return lockoutPolicyTable
 }

-func (m *PasswordLockoutPolicy) Subscription() *v1.Subscription {
+func (m *LockoutPolicy) Subscription() *v1.Subscription {
 	return m.subscription
 }

-func (p *PasswordLockoutPolicy) AggregateTypes() []es_models.AggregateType {
+func (p *LockoutPolicy) AggregateTypes() []es_models.AggregateType {
 	return []es_models.AggregateType{model.OrgAggregate, iam_es_model.IAMAggregate}
 }

-func (p *PasswordLockoutPolicy) CurrentSequence() (uint64, error) {
-	sequence, err := p.view.GetLatestPasswordLockoutPolicySequence()
+func (p *LockoutPolicy) CurrentSequence() (uint64, error) {
+	sequence, err := p.view.GetLatestLockoutPolicySequence()
 	if err != nil {
 		return 0, err
 	}
 	return sequence.CurrentSequence, nil
 }

-func (p *PasswordLockoutPolicy) EventQuery() (*es_models.SearchQuery, error) {
-	sequence, err := p.view.GetLatestPasswordLockoutPolicySequence()
+func (p *LockoutPolicy) EventQuery() (*es_models.SearchQuery, error) {
+	sequence, err := p.view.GetLatestLockoutPolicySequence()
 	if err != nil {
 		return nil, err
 	}
@@ -70,41 +70,41 @@ func (p *PasswordLockoutPolicy) EventQuery() (*es_models.SearchQuery, error) {
 		LatestSequenceFilter(sequence.CurrentSequence), nil
 }

-func (p *PasswordLockoutPolicy) Reduce(event *es_models.Event) (err error) {
+func (p *LockoutPolicy) Reduce(event *es_models.Event) (err error) {
 	switch event.AggregateType {
 	case model.OrgAggregate, iam_es_model.IAMAggregate:
-		err = p.processPasswordLockoutPolicy(event)
+		err = p.processLockoutPolicy(event)
 	}
 	return err
 }

-func (p *PasswordLockoutPolicy) processPasswordLockoutPolicy(event *es_models.Event) (err error) {
-	policy := new(iam_model.PasswordLockoutPolicyView)
+func (p *LockoutPolicy) processLockoutPolicy(event *es_models.Event) (err error) {
+	policy := new(iam_model.LockoutPolicyView)
 	switch event.Type {
-	case iam_es_model.PasswordLockoutPolicyAdded, model.PasswordLockoutPolicyAdded:
+	case iam_es_model.LockoutPolicyAdded, model.LockoutPolicyAdded:
 		err = policy.AppendEvent(event)
-	case iam_es_model.PasswordLockoutPolicyChanged, model.PasswordLockoutPolicyChanged:
-		policy, err = p.view.PasswordLockoutPolicyByAggregateID(event.AggregateID)
+	case iam_es_model.LockoutPolicyChanged, model.LockoutPolicyChanged:
+		policy, err = p.view.LockoutPolicyByAggregateID(event.AggregateID)
 		if err != nil {
 			return err
 		}
 		err = policy.AppendEvent(event)
-	case model.PasswordLockoutPolicyRemoved:
-		return p.view.DeletePasswordLockoutPolicy(event.AggregateID, event)
+	case model.LockoutPolicyRemoved:
+		return p.view.DeleteLockoutPolicy(event.AggregateID, event)
 	default:
-		return p.view.ProcessedPasswordLockoutPolicySequence(event)
+		return p.view.ProcessedLockoutPolicySequence(event)
 	}
 	if err != nil {
 		return err
 	}
-	return p.view.PutPasswordLockoutPolicy(policy, event)
+	return p.view.PutLockoutPolicy(policy, event)
 }

-func (p *PasswordLockoutPolicy) OnError(event *es_models.Event, err error) error {
-	logging.LogWithFields("SPOOL-nD8sie", "id", event.AggregateID).WithError(err).Warn("something went wrong in passwordLockout policy handler")
-	return spooler.HandleError(event, err, p.view.GetLatestPasswordLockoutPolicyFailedEvent, p.view.ProcessedPasswordLockoutPolicyFailedEvent, p.view.ProcessedPasswordLockoutPolicySequence, p.errorCountUntilSkip)
+func (p *LockoutPolicy) OnError(event *es_models.Event, err error) error {
+	logging.LogWithFields("SPOOL-nD8sie", "id", event.AggregateID).WithError(err).Warn("something went wrong in Lockout policy handler")
+	return spooler.HandleError(event, err, p.view.GetLatestLockoutPolicyFailedEvent, p.view.ProcessedLockoutPolicyFailedEvent, p.view.ProcessedLockoutPolicySequence, p.errorCountUntilSkip)
 }

-func (p *PasswordLockoutPolicy) OnSuccess() error {
-	return spooler.HandleSuccess(p.view.UpdatePasswordLockoutPolicySpoolerRunTimestamp)
+func (p *LockoutPolicy) OnSuccess() error {
+	return spooler.HandleSuccess(p.view.UpdateLockoutPolicySpoolerRunTimestamp)
 }