mirror of
https://github.com/zitadel/zitadel.git
synced 2025-08-12 08:27:32 +00:00
feat: Lockout policy (#2121)
* feat: lock users if lockout policy is set * feat: setup * feat: lock user on password failes * feat: render error * feat: lock user on command side * feat: auth_req tests * feat: lockout policy docs * feat: remove show lockout failures from proto * fix: console lockout * feat: tests * fix: tests * unlock function * add unlock button * fix migration version * lockout policy * lint * Update internal/auth/repository/eventsourcing/eventstore/auth_request.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: err message * Update internal/command/setup_step4.go Co-authored-by: Silvan <silvan.reusser@gmail.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Silvan <silvan.reusser@gmail.com>
This commit is contained in:
Fabi
@@ -36,7 +36,7 @@ type IAM struct {
|
||||
DefaultOrgIAMPolicy *OrgIAMPolicy `json:"-"`
|
||||
DefaultPasswordComplexityPolicy *PasswordComplexityPolicy `json:"-"`
|
||||
DefaultPasswordAgePolicy *PasswordAgePolicy `json:"-"`
|
||||
DefaultPasswordLockoutPolicy *PasswordLockoutPolicy `json:"-"`
|
||||
DefaultLockoutPolicy *LockoutPolicy `json:"-"`
|
||||
}
|
||||
|
||||
func IAMToModel(iam *IAM) *model.IAM {
|
||||
@@ -66,8 +66,8 @@ func IAMToModel(iam *IAM) *model.IAM {
|
||||
if iam.DefaultPasswordAgePolicy != nil {
|
||||
converted.DefaultPasswordAgePolicy = PasswordAgePolicyToModel(iam.DefaultPasswordAgePolicy)
|
||||
}
|
||||
if iam.DefaultPasswordLockoutPolicy != nil {
|
||||
converted.DefaultPasswordLockoutPolicy = PasswordLockoutPolicyToModel(iam.DefaultPasswordLockoutPolicy)
|
||||
if iam.DefaultLockoutPolicy != nil {
|
||||
converted.DefaultLockoutPolicy = LockoutPolicyToModel(iam.DefaultLockoutPolicy)
|
||||
}
|
||||
if iam.DefaultOrgIAMPolicy != nil {
|
||||
converted.DefaultOrgIAMPolicy = OrgIAMPolicyToModel(iam.DefaultOrgIAMPolicy)
|
||||
@@ -166,10 +166,10 @@ func (i *IAM) AppendEvent(event *es_models.Event) (err error) {
|
||||
return i.appendAddPasswordAgePolicyEvent(event)
|
||||
case PasswordAgePolicyChanged:
|
||||
return i.appendChangePasswordAgePolicyEvent(event)
|
||||
case PasswordLockoutPolicyAdded:
|
||||
return i.appendAddPasswordLockoutPolicyEvent(event)
|
||||
case PasswordLockoutPolicyChanged:
|
||||
return i.appendChangePasswordLockoutPolicyEvent(event)
|
||||
case LockoutPolicyAdded:
|
||||
return i.appendAddLockoutPolicyEvent(event)
|
||||
case LockoutPolicyChanged:
|
||||
return i.appendChangeLockoutPolicyEvent(event)
|
||||
case OrgIAMPolicyAdded:
|
||||
return i.appendAddOrgIAMPolicyEvent(event)
|
||||
case OrgIAMPolicyChanged:
|
||||
|
||||
@@ -0,0 +1,60 @@
|
||||
package model
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
|
||||
"github.com/caos/zitadel/internal/errors"
|
||||
es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
|
||||
iam_model "github.com/caos/zitadel/internal/iam/model"
|
||||
)
|
||||
|
||||
type LockoutPolicy struct {
|
||||
es_models.ObjectRoot
|
||||
|
||||
State int32 `json:"-"`
|
||||
MaxPasswordAttempts uint64 `json:"maxPasswordAttempts"`
|
||||
ShowLockOutFailures bool `json:"showLockOutFailures"`
|
||||
}
|
||||
|
||||
func LockoutPolicyToModel(policy *LockoutPolicy) *iam_model.LockoutPolicy {
|
||||
return &iam_model.LockoutPolicy{
|
||||
ObjectRoot: policy.ObjectRoot,
|
||||
State: iam_model.PolicyState(policy.State),
|
||||
MaxPasswordAttempts: policy.MaxPasswordAttempts,
|
||||
ShowLockOutFailures: policy.ShowLockOutFailures,
|
||||
}
|
||||
}
|
||||
|
||||
func (p *LockoutPolicy) Changes(changed *LockoutPolicy) map[string]interface{} {
|
||||
changes := make(map[string]interface{}, 2)
|
||||
|
||||
if p.MaxPasswordAttempts != changed.MaxPasswordAttempts {
|
||||
changes["maxAttempts"] = changed.MaxPasswordAttempts
|
||||
}
|
||||
if p.ShowLockOutFailures != changed.ShowLockOutFailures {
|
||||
changes["showLockOutFailures"] = changed.ShowLockOutFailures
|
||||
}
|
||||
return changes
|
||||
}
|
||||
|
||||
func (i *IAM) appendAddLockoutPolicyEvent(event *es_models.Event) error {
|
||||
i.DefaultLockoutPolicy = new(LockoutPolicy)
|
||||
err := i.DefaultLockoutPolicy.SetData(event)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
i.DefaultLockoutPolicy.ObjectRoot.CreationDate = event.CreationDate
|
||||
return nil
|
||||
}
|
||||
|
||||
func (i *IAM) appendChangeLockoutPolicyEvent(event *es_models.Event) error {
|
||||
return i.DefaultLockoutPolicy.SetData(event)
|
||||
}
|
||||
|
||||
func (p *LockoutPolicy) SetData(event *es_models.Event) error {
|
||||
err := json.Unmarshal(event.Data, p)
|
||||
if err != nil {
|
||||
return errors.ThrowInternal(err, "EVENT-7JS9d", "unable to unmarshal data")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
@@ -8,8 +8,8 @@ import (
|
||||
|
||||
func TestPasswordLockoutPolicyChanges(t *testing.T) {
|
||||
type args struct {
|
||||
existing *PasswordLockoutPolicy
|
||||
new *PasswordLockoutPolicy
|
||||
existing *LockoutPolicy
|
||||
new *LockoutPolicy
|
||||
}
|
||||
type res struct {
|
||||
changesLen int
|
||||
@@ -22,8 +22,8 @@ func TestPasswordLockoutPolicyChanges(t *testing.T) {
|
||||
{
|
||||
name: "lockout policy all attributes change",
|
||||
args: args{
|
||||
existing: &PasswordLockoutPolicy{MaxAttempts: 365, ShowLockOutFailures: true},
|
||||
new: &PasswordLockoutPolicy{MaxAttempts: 730, ShowLockOutFailures: false},
|
||||
existing: &LockoutPolicy{MaxPasswordAttempts: 365, ShowLockOutFailures: true},
|
||||
new: &LockoutPolicy{MaxPasswordAttempts: 730, ShowLockOutFailures: false},
|
||||
},
|
||||
res: res{
|
||||
changesLen: 2,
|
||||
@@ -32,8 +32,8 @@ func TestPasswordLockoutPolicyChanges(t *testing.T) {
|
||||
{
|
||||
name: "no changes",
|
||||
args: args{
|
||||
existing: &PasswordLockoutPolicy{MaxAttempts: 10, ShowLockOutFailures: true},
|
||||
new: &PasswordLockoutPolicy{MaxAttempts: 10, ShowLockOutFailures: true},
|
||||
existing: &LockoutPolicy{MaxPasswordAttempts: 10, ShowLockOutFailures: true},
|
||||
new: &LockoutPolicy{MaxPasswordAttempts: 10, ShowLockOutFailures: true},
|
||||
},
|
||||
res: res{
|
||||
changesLen: 0,
|
||||
@@ -53,7 +53,7 @@ func TestPasswordLockoutPolicyChanges(t *testing.T) {
|
||||
func TestAppendAddPasswordLockoutPolicyEvent(t *testing.T) {
|
||||
type args struct {
|
||||
iam *IAM
|
||||
policy *PasswordLockoutPolicy
|
||||
policy *LockoutPolicy
|
||||
event *es_models.Event
|
||||
}
|
||||
tests := []struct {
|
||||
@@ -65,10 +65,10 @@ func TestAppendAddPasswordLockoutPolicyEvent(t *testing.T) {
|
||||
name: "append add password lockout policy event",
|
||||
args: args{
|
||||
iam: new(IAM),
|
||||
policy: &PasswordLockoutPolicy{MaxAttempts: 10, ShowLockOutFailures: true},
|
||||
policy: &LockoutPolicy{MaxPasswordAttempts: 10, ShowLockOutFailures: true},
|
||||
event: new(es_models.Event),
|
||||
},
|
||||
result: &IAM{DefaultPasswordLockoutPolicy: &PasswordLockoutPolicy{MaxAttempts: 10, ShowLockOutFailures: true}},
|
||||
result: &IAM{DefaultLockoutPolicy: &LockoutPolicy{MaxPasswordAttempts: 10, ShowLockOutFailures: true}},
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
@@ -77,12 +77,12 @@ func TestAppendAddPasswordLockoutPolicyEvent(t *testing.T) {
|
||||
data, _ := json.Marshal(tt.args.policy)
|
||||
tt.args.event.Data = data
|
||||
}
|
||||
tt.args.iam.appendAddPasswordLockoutPolicyEvent(tt.args.event)
|
||||
if tt.result.DefaultPasswordLockoutPolicy.MaxAttempts != tt.args.iam.DefaultPasswordLockoutPolicy.MaxAttempts {
|
||||
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordLockoutPolicy.MaxAttempts, tt.args.iam.DefaultPasswordLockoutPolicy.MaxAttempts)
|
||||
tt.args.iam.appendAddLockoutPolicyEvent(tt.args.event)
|
||||
if tt.result.DefaultLockoutPolicy.MaxPasswordAttempts != tt.args.iam.DefaultLockoutPolicy.MaxPasswordAttempts {
|
||||
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultLockoutPolicy.MaxPasswordAttempts, tt.args.iam.DefaultLockoutPolicy.MaxPasswordAttempts)
|
||||
}
|
||||
if tt.result.DefaultPasswordLockoutPolicy.ShowLockOutFailures != tt.args.iam.DefaultPasswordLockoutPolicy.ShowLockOutFailures {
|
||||
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordLockoutPolicy.ShowLockOutFailures, tt.args.iam.DefaultPasswordLockoutPolicy.ShowLockOutFailures)
|
||||
if tt.result.DefaultLockoutPolicy.ShowLockOutFailures != tt.args.iam.DefaultLockoutPolicy.ShowLockOutFailures {
|
||||
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultLockoutPolicy.ShowLockOutFailures, tt.args.iam.DefaultLockoutPolicy.ShowLockOutFailures)
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -91,7 +91,7 @@ func TestAppendAddPasswordLockoutPolicyEvent(t *testing.T) {
|
||||
func TestAppendChangePasswordLockoutPolicyEvent(t *testing.T) {
|
||||
type args struct {
|
||||
iam *IAM
|
||||
policy *PasswordLockoutPolicy
|
||||
policy *LockoutPolicy
|
||||
event *es_models.Event
|
||||
}
|
||||
tests := []struct {
|
||||
@@ -102,14 +102,14 @@ func TestAppendChangePasswordLockoutPolicyEvent(t *testing.T) {
|
||||
{
|
||||
name: "append change password lockout policy event",
|
||||
args: args{
|
||||
iam: &IAM{DefaultPasswordLockoutPolicy: &PasswordLockoutPolicy{
|
||||
MaxAttempts: 10,
|
||||
iam: &IAM{DefaultLockoutPolicy: &LockoutPolicy{
|
||||
MaxPasswordAttempts: 10,
|
||||
}},
|
||||
policy: &PasswordLockoutPolicy{MaxAttempts: 5},
|
||||
policy: &LockoutPolicy{MaxPasswordAttempts: 5},
|
||||
event: &es_models.Event{},
|
||||
},
|
||||
result: &IAM{DefaultPasswordLockoutPolicy: &PasswordLockoutPolicy{
|
||||
MaxAttempts: 5,
|
||||
result: &IAM{DefaultLockoutPolicy: &LockoutPolicy{
|
||||
MaxPasswordAttempts: 5,
|
||||
}},
|
||||
},
|
||||
}
|
||||
@@ -119,9 +119,9 @@ func TestAppendChangePasswordLockoutPolicyEvent(t *testing.T) {
|
||||
data, _ := json.Marshal(tt.args.policy)
|
||||
tt.args.event.Data = data
|
||||
}
|
||||
tt.args.iam.appendChangePasswordLockoutPolicyEvent(tt.args.event)
|
||||
if tt.result.DefaultPasswordLockoutPolicy.MaxAttempts != tt.args.iam.DefaultPasswordLockoutPolicy.MaxAttempts {
|
||||
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordLockoutPolicy.MaxAttempts, tt.args.iam.DefaultPasswordLockoutPolicy.MaxAttempts)
|
||||
tt.args.iam.appendChangeLockoutPolicyEvent(tt.args.event)
|
||||
if tt.result.DefaultLockoutPolicy.MaxPasswordAttempts != tt.args.iam.DefaultLockoutPolicy.MaxPasswordAttempts {
|
||||
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultLockoutPolicy.MaxPasswordAttempts, tt.args.iam.DefaultLockoutPolicy.MaxPasswordAttempts)
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -1,69 +0,0 @@
|
||||
package model
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
|
||||
"github.com/caos/zitadel/internal/errors"
|
||||
es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
|
||||
iam_model "github.com/caos/zitadel/internal/iam/model"
|
||||
)
|
||||
|
||||
type PasswordLockoutPolicy struct {
|
||||
es_models.ObjectRoot
|
||||
|
||||
State int32 `json:"-"`
|
||||
MaxAttempts uint64 `json:"maxAttempts"`
|
||||
ShowLockOutFailures bool `json:"showLockOutFailures"`
|
||||
}
|
||||
|
||||
func PasswordLockoutPolicyFromModel(policy *iam_model.PasswordLockoutPolicy) *PasswordLockoutPolicy {
|
||||
return &PasswordLockoutPolicy{
|
||||
ObjectRoot: policy.ObjectRoot,
|
||||
State: int32(policy.State),
|
||||
MaxAttempts: policy.MaxAttempts,
|
||||
ShowLockOutFailures: policy.ShowLockOutFailures,
|
||||
}
|
||||
}
|
||||
|
||||
func PasswordLockoutPolicyToModel(policy *PasswordLockoutPolicy) *iam_model.PasswordLockoutPolicy {
|
||||
return &iam_model.PasswordLockoutPolicy{
|
||||
ObjectRoot: policy.ObjectRoot,
|
||||
State: iam_model.PolicyState(policy.State),
|
||||
MaxAttempts: policy.MaxAttempts,
|
||||
ShowLockOutFailures: policy.ShowLockOutFailures,
|
||||
}
|
||||
}
|
||||
|
||||
func (p *PasswordLockoutPolicy) Changes(changed *PasswordLockoutPolicy) map[string]interface{} {
|
||||
changes := make(map[string]interface{}, 2)
|
||||
|
||||
if p.MaxAttempts != changed.MaxAttempts {
|
||||
changes["maxAttempts"] = changed.MaxAttempts
|
||||
}
|
||||
if p.ShowLockOutFailures != changed.ShowLockOutFailures {
|
||||
changes["showLockOutFailures"] = changed.ShowLockOutFailures
|
||||
}
|
||||
return changes
|
||||
}
|
||||
|
||||
func (i *IAM) appendAddPasswordLockoutPolicyEvent(event *es_models.Event) error {
|
||||
i.DefaultPasswordLockoutPolicy = new(PasswordLockoutPolicy)
|
||||
err := i.DefaultPasswordLockoutPolicy.SetData(event)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
i.DefaultPasswordLockoutPolicy.ObjectRoot.CreationDate = event.CreationDate
|
||||
return nil
|
||||
}
|
||||
|
||||
func (i *IAM) appendChangePasswordLockoutPolicyEvent(event *es_models.Event) error {
|
||||
return i.DefaultPasswordLockoutPolicy.SetData(event)
|
||||
}
|
||||
|
||||
func (p *PasswordLockoutPolicy) SetData(event *es_models.Event) error {
|
||||
err := json.Unmarshal(event.Data, p)
|
||||
if err != nil {
|
||||
return errors.ThrowInternal(err, "EVENT-7JS9d", "unable to unmarshal data")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
@@ -65,8 +65,8 @@ const (
|
||||
PasswordAgePolicyAdded models.EventType = "iam.policy.password.age.added"
|
||||
PasswordAgePolicyChanged models.EventType = "iam.policy.password.age.changed"
|
||||
|
||||
PasswordLockoutPolicyAdded models.EventType = "iam.policy.password.lockout.added"
|
||||
PasswordLockoutPolicyChanged models.EventType = "iam.policy.password.lockout.changed"
|
||||
LockoutPolicyAdded models.EventType = "iam.policy.lockout.added"
|
||||
LockoutPolicyChanged models.EventType = "iam.policy.lockout.changed"
|
||||
|
||||
PrivacyPolicyAdded models.EventType = "iam.policy.privacy.added"
|
||||
PrivacyPolicyChanged models.EventType = "iam.policy.privacy.changed"
|
||||
|
||||
Reference in New Issue
Block a user