feat: Lockout policy (#2121)

* feat: lock users if lockout policy is set * feat: setup * feat: lock user on password failes * feat: render error * feat: lock user on command side * feat: auth_req tests * feat: lockout policy docs * feat: remove show lockout failures from proto * fix: console lockout * feat: tests * fix: tests * unlock function * add unlock button * fix migration version * lockout policy * lint * Update internal/auth/repository/eventsourcing/eventstore/auth_request.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: err message * Update internal/command/setup_step4.go Co-authored-by: Silvan <silvan.reusser@gmail.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Silvan <silvan.reusser@gmail.com>
2025-08-12 10:57:35 +00:00 · 2021-08-11 08:36:32 +02:00
parent 272e411e27
commit bc951985ed
101 changed files with 2170 additions and 1574 deletions
--- a/internal/auth/repository/eventsourcing/handler/handler.go
+++ b/internal/auth/repository/eventsourcing/handler/handler.go
@@ -73,6 +73,7 @@ func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es
 		newPrivacyPolicy(handler{view, bulkLimit, configs.cycleDuration("PrivacyPolicy"), errorCount, es}),
 		newCustomText(handler{view, bulkLimit, configs.cycleDuration("CustomTexts"), errorCount, es}),
 		newMetadata(handler{view, bulkLimit, configs.cycleDuration("Metadata"), errorCount, es}),
+		newLockoutPolicy(handler{view, bulkLimit, configs.cycleDuration("LockoutPolicy"), errorCount, es}),
 	}
 }

--- a/internal/auth/repository/eventsourcing/handler/lockout_policy.go
+++ b/internal/auth/repository/eventsourcing/handler/lockout_policy.go
@@ -0,0 +1,110 @@
+package handler
+
+import (
+	"github.com/caos/logging"
+	"github.com/caos/zitadel/internal/eventstore/v1"
+
+	es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
+	"github.com/caos/zitadel/internal/eventstore/v1/query"
+	"github.com/caos/zitadel/internal/eventstore/v1/spooler"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	iam_model "github.com/caos/zitadel/internal/iam/repository/view/model"
+	org_es_model "github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+)
+
+const (
+	lockoutPolicyTable = "auth.lockout_policies"
+)
+
+type LockoutPolicy struct {
+	handler
+	subscription *v1.Subscription
+}
+
+func newLockoutPolicy(handler handler) *LockoutPolicy {
+	h := &LockoutPolicy{
+		handler: handler,
+	}
+
+	h.subscribe()
+
+	return h
+}
+
+func (p *LockoutPolicy) subscribe() {
+	p.subscription = p.es.Subscribe(p.AggregateTypes()...)
+	go func() {
+		for event := range p.subscription.Events {
+			query.ReduceEvent(p, event)
+		}
+	}()
+}
+
+func (p *LockoutPolicy) ViewModel() string {
+	return lockoutPolicyTable
+}
+
+func (p *LockoutPolicy) Subscription() *v1.Subscription {
+	return p.subscription
+}
+
+func (_ *LockoutPolicy) AggregateTypes() []es_models.AggregateType {
+	return []es_models.AggregateType{org_es_model.OrgAggregate, iam_es_model.IAMAggregate}
+}
+
+func (p *LockoutPolicy) CurrentSequence() (uint64, error) {
+	sequence, err := p.view.GetLatestLockoutPolicySequence()
+	if err != nil {
+		return 0, err
+	}
+	return sequence.CurrentSequence, nil
+}
+
+func (p *LockoutPolicy) EventQuery() (*es_models.SearchQuery, error) {
+	sequence, err := p.view.GetLatestLockoutPolicySequence()
+	if err != nil {
+		return nil, err
+	}
+	return es_models.NewSearchQuery().
+		AggregateTypeFilter(p.AggregateTypes()...).
+		LatestSequenceFilter(sequence.CurrentSequence), nil
+}
+
+func (p *LockoutPolicy) Reduce(event *es_models.Event) (err error) {
+	switch event.AggregateType {
+	case org_es_model.OrgAggregate, iam_es_model.IAMAggregate:
+		err = p.processLockoutPolicy(event)
+	}
+	return err
+}
+
+func (p *LockoutPolicy) processLockoutPolicy(event *es_models.Event) (err error) {
+	policy := new(iam_model.LockoutPolicyView)
+	switch event.Type {
+	case iam_es_model.LockoutPolicyAdded, org_es_model.LockoutPolicyAdded:
+		err = policy.AppendEvent(event)
+	case iam_es_model.LockoutPolicyChanged, org_es_model.LockoutPolicyChanged:
+		policy, err = p.view.LockoutPolicyByAggregateID(event.AggregateID)
+		if err != nil {
+			return err
+		}
+		err = policy.AppendEvent(event)
+	case org_es_model.LockoutPolicyRemoved:
+		return p.view.DeleteLockoutPolicy(event.AggregateID, event)
+	default:
+		return p.view.ProcessedLockoutPolicySequence(event)
+	}
+	if err != nil {
+		return err
+	}
+	return p.view.PutLockoutPolicy(policy, event)
+}
+
+func (p *LockoutPolicy) OnError(event *es_models.Event, err error) error {
+	logging.LogWithFields("SPOOL-0pos2", "id", event.AggregateID).WithError(err).Warn("something went wrong in passwordLockout policy handler")
+	return spooler.HandleError(event, err, p.view.GetLatestLockoutPolicyFailedEvent, p.view.ProcessedLockoutPolicyFailedEvent, p.view.ProcessedLockoutPolicySequence, p.errorCountUntilSkip)
+}
+
+func (p *LockoutPolicy) OnSuccess() error {
+	return spooler.HandleSuccess(p.view.UpdateLockoutPolicySpoolerRunTimestamp)
+}