feat: Lockout policy (#2121)

* feat: lock users if lockout policy is set * feat: setup * feat: lock user on password failes * feat: render error * feat: lock user on command side * feat: auth_req tests * feat: lockout policy docs * feat: remove show lockout failures from proto * fix: console lockout * feat: tests * fix: tests * unlock function * add unlock button * fix migration version * lockout policy * lint * Update internal/auth/repository/eventsourcing/eventstore/auth_request.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: err message * Update internal/command/setup_step4.go Co-authored-by: Silvan <silvan.reusser@gmail.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Silvan <silvan.reusser@gmail.com>
2025-08-12 00:27:31 +00:00 · 2021-08-11 08:36:32 +02:00
parent 272e411e27
commit bc951985ed
101 changed files with 2170 additions and 1574 deletions
--- a/internal/api/grpc/admin/lockout.go
+++ b/internal/api/grpc/admin/lockout.go
@@ -0,0 +1,31 @@
+package admin
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/api/grpc/object"
+	policy_grpc "github.com/caos/zitadel/internal/api/grpc/policy"
+	admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
+)
+
+func (s *Server) GetLockoutPolicy(ctx context.Context, req *admin_pb.GetLockoutPolicyRequest) (*admin_pb.GetLockoutPolicyResponse, error) {
+	policy, err := s.iam.GetDefaultLockoutPolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return &admin_pb.GetLockoutPolicyResponse{Policy: policy_grpc.ModelLockoutPolicyToPb(policy)}, nil
+}
+
+func (s *Server) UpdateLockoutPolicy(ctx context.Context, req *admin_pb.UpdateLockoutPolicyRequest) (*admin_pb.UpdateLockoutPolicyResponse, error) {
+	policy, err := s.command.ChangeDefaultLockoutPolicy(ctx, UpdateLockoutPolicyToDomain(req))
+	if err != nil {
+		return nil, err
+	}
+	return &admin_pb.UpdateLockoutPolicyResponse{
+		Details: object.ChangeToDetailsPb(
+			policy.Sequence,
+			policy.ChangeDate,
+			policy.ResourceOwner,
+		),
+	}, nil
+}
--- a/internal/api/grpc/admin/lockout_converter.go
+++ b/internal/api/grpc/admin/lockout_converter.go
@@ -0,0 +1,12 @@
+package admin
+
+import (
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/pkg/grpc/admin"
+)
+
+func UpdateLockoutPolicyToDomain(p *admin.UpdateLockoutPolicyRequest) *domain.LockoutPolicy {
+	return &domain.LockoutPolicy{
+		MaxPasswordAttempts: uint64(p.MaxPasswordAttempts),
+	}
+}
--- a/internal/api/grpc/admin/password_lockout.go
+++ b/internal/api/grpc/admin/password_lockout.go
@@ -1,31 +0,0 @@
-package admin
-
-import (
-	"context"
-
-	"github.com/caos/zitadel/internal/api/grpc/object"
-	policy_grpc "github.com/caos/zitadel/internal/api/grpc/policy"
-	admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
-)
-
-func (s *Server) GetPasswordLockoutPolicy(ctx context.Context, req *admin_pb.GetPasswordLockoutPolicyRequest) (*admin_pb.GetPasswordLockoutPolicyResponse, error) {
-	policy, err := s.iam.GetDefaultPasswordLockoutPolicy(ctx)
-	if err != nil {
-		return nil, err
-	}
-	return &admin_pb.GetPasswordLockoutPolicyResponse{Policy: policy_grpc.ModelPasswordLockoutPolicyToPb(policy)}, nil
-}
-
-func (s *Server) UpdatePasswordLockoutPolicy(ctx context.Context, req *admin_pb.UpdatePasswordLockoutPolicyRequest) (*admin_pb.UpdatePasswordLockoutPolicyResponse, error) {
-	policy, err := s.command.ChangeDefaultPasswordLockoutPolicy(ctx, UpdatePasswordLockoutPolicyToDomain(req))
-	if err != nil {
-		return nil, err
-	}
-	return &admin_pb.UpdatePasswordLockoutPolicyResponse{
-		Details: object.ChangeToDetailsPb(
-			policy.Sequence,
-			policy.ChangeDate,
-			policy.ResourceOwner,
-		),
-	}, nil
-}
--- a/internal/api/grpc/admin/password_lockout_converter.go
+++ b/internal/api/grpc/admin/password_lockout_converter.go
@@ -1,13 +0,0 @@
-package admin
-
-import (
-	"github.com/caos/zitadel/internal/domain"
-	"github.com/caos/zitadel/pkg/grpc/admin"
-)
-
-func UpdatePasswordLockoutPolicyToDomain(p *admin.UpdatePasswordLockoutPolicyRequest) *domain.PasswordLockoutPolicy {
-	return &domain.PasswordLockoutPolicy{
-		MaxAttempts:         uint64(p.MaxAttempts),
-		ShowLockOutFailures: p.ShowLockoutFailure,
-	}
-}
--- a/internal/api/grpc/management/policy_lockout.go
+++ b/internal/api/grpc/management/policy_lockout.go
@@ -0,0 +1,63 @@
+package management
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/internal/api/grpc/object"
+	policy_grpc "github.com/caos/zitadel/internal/api/grpc/policy"
+	mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func (s *Server) GetLockoutPolicy(ctx context.Context, req *mgmt_pb.GetLockoutPolicyRequest) (*mgmt_pb.GetLockoutPolicyResponse, error) {
+	policy, err := s.org.GetLockoutPolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return &mgmt_pb.GetLockoutPolicyResponse{Policy: policy_grpc.ModelLockoutPolicyToPb(policy), IsDefault: policy.Default}, nil
+}
+
+func (s *Server) GetDefaultLockoutPolicy(ctx context.Context, req *mgmt_pb.GetDefaultLockoutPolicyRequest) (*mgmt_pb.GetDefaultLockoutPolicyResponse, error) {
+	policy, err := s.org.GetDefaultLockoutPolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return &mgmt_pb.GetDefaultLockoutPolicyResponse{Policy: policy_grpc.ModelLockoutPolicyToPb(policy)}, nil
+}
+
+func (s *Server) AddCustomLockoutPolicy(ctx context.Context, req *mgmt_pb.AddCustomLockoutPolicyRequest) (*mgmt_pb.AddCustomLockoutPolicyResponse, error) {
+	policy, err := s.command.AddLockoutPolicy(ctx, authz.GetCtxData(ctx).OrgID, AddLockoutPolicyToDomain(req))
+	if err != nil {
+		return nil, err
+	}
+	return &mgmt_pb.AddCustomLockoutPolicyResponse{
+		Details: object.AddToDetailsPb(
+			policy.Sequence,
+			policy.ChangeDate,
+			policy.ResourceOwner,
+		),
+	}, nil
+}
+
+func (s *Server) UpdateCustomLockoutPolicy(ctx context.Context, req *mgmt_pb.UpdateCustomLockoutPolicyRequest) (*mgmt_pb.UpdateCustomLockoutPolicyResponse, error) {
+	policy, err := s.command.ChangeLockoutPolicy(ctx, authz.GetCtxData(ctx).OrgID, UpdateLockoutPolicyToDomain(req))
+	if err != nil {
+		return nil, err
+	}
+	return &mgmt_pb.UpdateCustomLockoutPolicyResponse{
+		Details: object.ChangeToDetailsPb(
+			policy.Sequence,
+			policy.ChangeDate,
+			policy.ResourceOwner,
+		),
+	}, nil
+}
+
+func (s *Server) ResetLockoutPolicyToDefault(ctx context.Context, req *mgmt_pb.ResetLockoutPolicyToDefaultRequest) (*mgmt_pb.ResetLockoutPolicyToDefaultResponse, error) {
+	objectDetails, err := s.command.RemovePasswordComplexityPolicy(ctx, authz.GetCtxData(ctx).OrgID)
+	if err != nil {
+		return nil, err
+	}
+	return &mgmt_pb.ResetLockoutPolicyToDefaultResponse{
+		Details: object.DomainToChangeDetailsPb(objectDetails),
+	}, nil
+}
--- a/internal/api/grpc/management/policy_lockout_converter.go
+++ b/internal/api/grpc/management/policy_lockout_converter.go
@@ -0,0 +1,18 @@
+package management
+
+import (
+	"github.com/caos/zitadel/internal/domain"
+	mgmt "github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func AddLockoutPolicyToDomain(p *mgmt.AddCustomLockoutPolicyRequest) *domain.LockoutPolicy {
+	return &domain.LockoutPolicy{
+		MaxPasswordAttempts: uint64(p.MaxPasswordAttempts),
+	}
+}
+
+func UpdateLockoutPolicyToDomain(p *mgmt.UpdateCustomLockoutPolicyRequest) *domain.LockoutPolicy {
+	return &domain.LockoutPolicy{
+		MaxPasswordAttempts: uint64(p.MaxPasswordAttempts),
+	}
+}
--- a/internal/api/grpc/management/policy_password_lockout.go
+++ b/internal/api/grpc/management/policy_password_lockout.go
@@ -1,63 +0,0 @@
-package management
-
-import (
-	"context"
-	"github.com/caos/zitadel/internal/api/authz"
-	"github.com/caos/zitadel/internal/api/grpc/object"
-	policy_grpc "github.com/caos/zitadel/internal/api/grpc/policy"
-	mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
-)
-
-func (s *Server) GetPasswordLockoutPolicy(ctx context.Context, req *mgmt_pb.GetPasswordLockoutPolicyRequest) (*mgmt_pb.GetPasswordLockoutPolicyResponse, error) {
-	policy, err := s.org.GetPasswordLockoutPolicy(ctx)
-	if err != nil {
-		return nil, err
-	}
-	return &mgmt_pb.GetPasswordLockoutPolicyResponse{Policy: policy_grpc.ModelPasswordLockoutPolicyToPb(policy), IsDefault: policy.Default}, nil
-}
-
-func (s *Server) GetDefaultPasswordLockoutPolicy(ctx context.Context, req *mgmt_pb.GetDefaultPasswordLockoutPolicyRequest) (*mgmt_pb.GetDefaultPasswordLockoutPolicyResponse, error) {
-	policy, err := s.org.GetDefaultPasswordLockoutPolicy(ctx)
-	if err != nil {
-		return nil, err
-	}
-	return &mgmt_pb.GetDefaultPasswordLockoutPolicyResponse{Policy: policy_grpc.ModelPasswordLockoutPolicyToPb(policy)}, nil
-}
-
-func (s *Server) AddCustomPasswordLockoutPolicy(ctx context.Context, req *mgmt_pb.AddCustomPasswordLockoutPolicyRequest) (*mgmt_pb.AddCustomPasswordLockoutPolicyResponse, error) {
-	policy, err := s.command.AddPasswordLockoutPolicy(ctx, authz.GetCtxData(ctx).OrgID, AddPasswordLockoutPolicyToDomain(req))
-	if err != nil {
-		return nil, err
-	}
-	return &mgmt_pb.AddCustomPasswordLockoutPolicyResponse{
-		Details: object.AddToDetailsPb(
-			policy.Sequence,
-			policy.ChangeDate,
-			policy.ResourceOwner,
-		),
-	}, nil
-}
-
-func (s *Server) UpdateCustomPasswordLockoutPolicy(ctx context.Context, req *mgmt_pb.UpdateCustomPasswordLockoutPolicyRequest) (*mgmt_pb.UpdateCustomPasswordLockoutPolicyResponse, error) {
-	policy, err := s.command.ChangePasswordLockoutPolicy(ctx, authz.GetCtxData(ctx).OrgID, UpdatePasswordLockoutPolicyToDomain(req))
-	if err != nil {
-		return nil, err
-	}
-	return &mgmt_pb.UpdateCustomPasswordLockoutPolicyResponse{
-		Details: object.ChangeToDetailsPb(
-			policy.Sequence,
-			policy.ChangeDate,
-			policy.ResourceOwner,
-		),
-	}, nil
-}
-
-func (s *Server) ResetPasswordLockoutPolicyToDefault(ctx context.Context, req *mgmt_pb.ResetPasswordLockoutPolicyToDefaultRequest) (*mgmt_pb.ResetPasswordLockoutPolicyToDefaultResponse, error) {
-	objectDetails, err := s.command.RemovePasswordComplexityPolicy(ctx, authz.GetCtxData(ctx).OrgID)
-	if err != nil {
-		return nil, err
-	}
-	return &mgmt_pb.ResetPasswordLockoutPolicyToDefaultResponse{
-		Details: object.DomainToChangeDetailsPb(objectDetails),
-	}, nil
-}
--- a/internal/api/grpc/management/policy_password_lockout_converter.go
+++ b/internal/api/grpc/management/policy_password_lockout_converter.go
@@ -1,20 +0,0 @@
-package management
-
-import (
-	"github.com/caos/zitadel/internal/domain"
-	mgmt "github.com/caos/zitadel/pkg/grpc/management"
-)
-
-func AddPasswordLockoutPolicyToDomain(p *mgmt.AddCustomPasswordLockoutPolicyRequest) *domain.PasswordLockoutPolicy {
-	return &domain.PasswordLockoutPolicy{
-		MaxAttempts:         uint64(p.MaxAttempts),
-		ShowLockOutFailures: p.ShowLockoutFailure,
-	}
-}
-
-func UpdatePasswordLockoutPolicyToDomain(p *mgmt.UpdateCustomPasswordLockoutPolicyRequest) *domain.PasswordLockoutPolicy {
-	return &domain.PasswordLockoutPolicy{
-		MaxAttempts:         uint64(p.MaxAttempts),
-		ShowLockOutFailures: p.ShowLockoutFailure,
-	}
-}
--- a/internal/api/grpc/policy/password_lockout_policy.go
+++ b/internal/api/grpc/policy/password_lockout_policy.go
@@ -6,11 +6,10 @@ import (
 	policy_pb "github.com/caos/zitadel/pkg/grpc/policy"
 )

-func ModelPasswordLockoutPolicyToPb(policy *model.PasswordLockoutPolicyView) *policy_pb.PasswordLockoutPolicy {
-	return &policy_pb.PasswordLockoutPolicy{
-		IsDefault:          policy.Default,
-		MaxAttempts:        policy.MaxAttempts,
-		ShowLockoutFailure: policy.ShowLockOutFailures,
+func ModelLockoutPolicyToPb(policy *model.LockoutPolicyView) *policy_pb.LockoutPolicy {
+	return &policy_pb.LockoutPolicy{
+		IsDefault:           policy.Default,
+		MaxPasswordAttempts: policy.MaxPasswordAttempts,
 		Details: object.ToViewDetailsPb(
 			policy.Sequence,
 			policy.CreationDate,