feat: Lockout policy (#2121)

* feat: lock users if lockout policy is set * feat: setup * feat: lock user on password failes * feat: render error * feat: lock user on command side * feat: auth_req tests * feat: lockout policy docs * feat: remove show lockout failures from proto * fix: console lockout * feat: tests * fix: tests * unlock function * add unlock button * fix migration version * lockout policy * lint * Update internal/auth/repository/eventsourcing/eventstore/auth_request.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: err message * Update internal/command/setup_step4.go Co-authored-by: Silvan <silvan.reusser@gmail.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Silvan <silvan.reusser@gmail.com>
2025-08-12 08:07:32 +00:00 · 2021-08-11 08:36:32 +02:00
parent 272e411e27
commit bc951985ed
101 changed files with 2170 additions and 1574 deletions
--- a/internal/iam/repository/view/model/password_lockout_policy.go
+++ b/internal/iam/repository/view/model/password_lockout_policy.go
@@ -2,6 +2,7 @@ package model

 import (
 	"encoding/json"
+	"github.com/caos/zitadel/internal/domain"
 	org_es_model "github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
 	"time"

@@ -14,65 +15,67 @@ import (
 )

 const (
-	PasswordLockoutKeyAggregateID = "aggregate_id"
+	LockoutKeyAggregateID = "aggregate_id"
 )

-type PasswordLockoutPolicyView struct {
+type LockoutPolicyView struct {
 	AggregateID  string    `json:"-" gorm:"column:aggregate_id;primary_key"`
 	CreationDate time.Time `json:"-" gorm:"column:creation_date"`
 	ChangeDate   time.Time `json:"-" gorm:"column:change_date"`
 	State        int32     `json:"-" gorm:"column:lockout_policy_state"`

-	MaxAttempts         uint64 `json:"maxAttempts" gorm:"column:max_attempts"`
+	MaxPasswordAttempts uint64 `json:"maxPasswordAttempts" gorm:"column:max_password_attempts"`
 	ShowLockOutFailures bool   `json:"showLockOutFailures" gorm:"column:show_lockout_failures"`
 	Default             bool   `json:"-" gorm:"-"`

 	Sequence uint64 `json:"-" gorm:"column:sequence"`
 }

-func PasswordLockoutViewFromModel(policy *model.PasswordLockoutPolicyView) *PasswordLockoutPolicyView {
-	return &PasswordLockoutPolicyView{
+func LockoutViewToModel(policy *LockoutPolicyView) *model.LockoutPolicyView {
+	return &model.LockoutPolicyView{
 		AggregateID:         policy.AggregateID,
 		Sequence:            policy.Sequence,
 		CreationDate:        policy.CreationDate,
 		ChangeDate:          policy.ChangeDate,
-		MaxAttempts:         policy.MaxAttempts,
+		MaxPasswordAttempts: policy.MaxPasswordAttempts,
 		ShowLockOutFailures: policy.ShowLockOutFailures,
 		Default:             policy.Default,
 	}
 }

-func PasswordLockoutViewToModel(policy *PasswordLockoutPolicyView) *model.PasswordLockoutPolicyView {
-	return &model.PasswordLockoutPolicyView{
-		AggregateID:         policy.AggregateID,
-		Sequence:            policy.Sequence,
-		CreationDate:        policy.CreationDate,
-		ChangeDate:          policy.ChangeDate,
-		MaxAttempts:         policy.MaxAttempts,
-		ShowLockOutFailures: policy.ShowLockOutFailures,
-		Default:             policy.Default,
+func (p *LockoutPolicyView) ToDomain() *domain.LockoutPolicy {
+	return &domain.LockoutPolicy{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID:  p.AggregateID,
+			CreationDate: p.CreationDate,
+			ChangeDate:   p.ChangeDate,
+			Sequence:     p.Sequence,
+		},
+		MaxPasswordAttempts: p.MaxPasswordAttempts,
+		ShowLockOutFailures: p.ShowLockOutFailures,
+		Default:             p.Default,
 	}
 }

-func (i *PasswordLockoutPolicyView) AppendEvent(event *models.Event) (err error) {
+func (i *LockoutPolicyView) AppendEvent(event *models.Event) (err error) {
 	i.Sequence = event.Sequence
 	i.ChangeDate = event.CreationDate
 	switch event.Type {
-	case es_model.PasswordLockoutPolicyAdded, org_es_model.PasswordLockoutPolicyAdded:
+	case es_model.LockoutPolicyAdded, org_es_model.LockoutPolicyAdded:
 		i.setRootData(event)
 		i.CreationDate = event.CreationDate
 		err = i.SetData(event)
-	case es_model.PasswordLockoutPolicyChanged, org_es_model.PasswordLockoutPolicyChanged:
+	case es_model.LockoutPolicyChanged, org_es_model.LockoutPolicyChanged:
 		err = i.SetData(event)
 	}
 	return err
 }

-func (r *PasswordLockoutPolicyView) setRootData(event *models.Event) {
+func (r *LockoutPolicyView) setRootData(event *models.Event) {
 	r.AggregateID = event.AggregateID
 }

-func (r *PasswordLockoutPolicyView) SetData(event *models.Event) error {
+func (r *LockoutPolicyView) SetData(event *models.Event) error {
 	if err := json.Unmarshal(event.Data, r); err != nil {
 		logging.Log("EVEN-gHls0").WithError(err).Error("could not unmarshal event data")
 		return caos_errs.ThrowInternal(err, "MODEL-Hs8uf", "Could not unmarshal data")
--- a/internal/iam/repository/view/model/password_lockout_policy_query.go
+++ b/internal/iam/repository/view/model/password_lockout_policy_query.go
@@ -6,53 +6,53 @@ import (
 	"github.com/caos/zitadel/internal/view/repository"
 )

-type PasswordLockoutPolicySearchRequest iam_model.PasswordLockoutPolicySearchRequest
-type PasswordLockoutPolicySearchQuery iam_model.PasswordLockoutPolicySearchQuery
-type PasswordLockoutPolicySearchKey iam_model.PasswordLockoutPolicySearchKey
+type LockoutPolicySearchRequest iam_model.LockoutPolicySearchRequest
+type LockoutPolicySearchQuery iam_model.LockoutPolicySearchQuery
+type LockoutPolicySearchKey iam_model.LockoutPolicySearchKey

-func (req PasswordLockoutPolicySearchRequest) GetLimit() uint64 {
+func (req LockoutPolicySearchRequest) GetLimit() uint64 {
 	return req.Limit
 }

-func (req PasswordLockoutPolicySearchRequest) GetOffset() uint64 {
+func (req LockoutPolicySearchRequest) GetOffset() uint64 {
 	return req.Offset
 }

-func (req PasswordLockoutPolicySearchRequest) GetSortingColumn() repository.ColumnKey {
-	if req.SortingColumn == iam_model.PasswordLockoutPolicySearchKeyUnspecified {
+func (req LockoutPolicySearchRequest) GetSortingColumn() repository.ColumnKey {
+	if req.SortingColumn == iam_model.LockoutPolicySearchKeyUnspecified {
 		return nil
 	}
-	return PasswordLockoutPolicySearchKey(req.SortingColumn)
+	return LockoutPolicySearchKey(req.SortingColumn)
 }

-func (req PasswordLockoutPolicySearchRequest) GetAsc() bool {
+func (req LockoutPolicySearchRequest) GetAsc() bool {
 	return req.Asc
 }

-func (req PasswordLockoutPolicySearchRequest) GetQueries() []repository.SearchQuery {
+func (req LockoutPolicySearchRequest) GetQueries() []repository.SearchQuery {
 	result := make([]repository.SearchQuery, len(req.Queries))
 	for i, q := range req.Queries {
-		result[i] = PasswordLockoutPolicySearchQuery{Key: q.Key, Value: q.Value, Method: q.Method}
+		result[i] = LockoutPolicySearchQuery{Key: q.Key, Value: q.Value, Method: q.Method}
 	}
 	return result
 }

-func (req PasswordLockoutPolicySearchQuery) GetKey() repository.ColumnKey {
-	return PasswordLockoutPolicySearchKey(req.Key)
+func (req LockoutPolicySearchQuery) GetKey() repository.ColumnKey {
+	return LockoutPolicySearchKey(req.Key)
 }

-func (req PasswordLockoutPolicySearchQuery) GetMethod() domain.SearchMethod {
+func (req LockoutPolicySearchQuery) GetMethod() domain.SearchMethod {
 	return req.Method
 }

-func (req PasswordLockoutPolicySearchQuery) GetValue() interface{} {
+func (req LockoutPolicySearchQuery) GetValue() interface{} {
 	return req.Value
 }

-func (key PasswordLockoutPolicySearchKey) ToColumnName() string {
-	switch iam_model.PasswordLockoutPolicySearchKey(key) {
-	case iam_model.PasswordLockoutPolicySearchKeyAggregateID:
-		return PasswordLockoutKeyAggregateID
+func (key LockoutPolicySearchKey) ToColumnName() string {
+	switch iam_model.LockoutPolicySearchKey(key) {
+	case iam_model.LockoutPolicySearchKeyAggregateID:
+		return LockoutKeyAggregateID
 	default:
 		return ""
 	}