mirror of
https://github.com/zitadel/zitadel.git
synced 2025-12-07 05:13:49 +00:00
feat: Lockout policy (#2121)
* feat: lock users if lockout policy is set * feat: setup * feat: lock user on password failes * feat: render error * feat: lock user on command side * feat: auth_req tests * feat: lockout policy docs * feat: remove show lockout failures from proto * fix: console lockout * feat: tests * fix: tests * unlock function * add unlock button * fix migration version * lockout policy * lint * Update internal/auth/repository/eventsourcing/eventstore/auth_request.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: err message * Update internal/command/setup_step4.go Co-authored-by: Silvan <silvan.reusser@gmail.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Silvan <silvan.reusser@gmail.com>
This commit is contained in:
Fabi
@@ -501,55 +501,55 @@ func (repo *OrgRepository) GetDefaultPasswordAgePolicy(ctx context.Context) (*ia
|
||||
return iam_es_model.PasswordAgeViewToModel(policy), nil
|
||||
}
|
||||
|
||||
func (repo *OrgRepository) GetPasswordLockoutPolicy(ctx context.Context) (*iam_model.PasswordLockoutPolicyView, error) {
|
||||
policy, viewErr := repo.View.PasswordLockoutPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
|
||||
func (repo *OrgRepository) GetLockoutPolicy(ctx context.Context) (*iam_model.LockoutPolicyView, error) {
|
||||
policy, viewErr := repo.View.LockoutPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
|
||||
if viewErr != nil && !errors.IsNotFound(viewErr) {
|
||||
return nil, viewErr
|
||||
}
|
||||
if errors.IsNotFound(viewErr) {
|
||||
policy = new(iam_es_model.PasswordLockoutPolicyView)
|
||||
policy = new(iam_es_model.LockoutPolicyView)
|
||||
}
|
||||
events, esErr := repo.getOrgEvents(ctx, repo.SystemDefaults.IamID, policy.Sequence)
|
||||
if errors.IsNotFound(viewErr) && len(events) == 0 {
|
||||
return repo.GetDefaultPasswordLockoutPolicy(ctx)
|
||||
return repo.GetDefaultLockoutPolicy(ctx)
|
||||
}
|
||||
if esErr != nil {
|
||||
logging.Log("EVENT-mS9od").WithError(esErr).Debug("error retrieving new events")
|
||||
return iam_es_model.PasswordLockoutViewToModel(policy), nil
|
||||
return iam_es_model.LockoutViewToModel(policy), nil
|
||||
}
|
||||
policyCopy := *policy
|
||||
for _, event := range events {
|
||||
if err := policyCopy.AppendEvent(event); err != nil {
|
||||
return iam_es_model.PasswordLockoutViewToModel(policy), nil
|
||||
return iam_es_model.LockoutViewToModel(policy), nil
|
||||
}
|
||||
}
|
||||
return iam_es_model.PasswordLockoutViewToModel(policy), nil
|
||||
return iam_es_model.LockoutViewToModel(policy), nil
|
||||
}
|
||||
|
||||
func (repo *OrgRepository) GetDefaultPasswordLockoutPolicy(ctx context.Context) (*iam_model.PasswordLockoutPolicyView, error) {
|
||||
policy, viewErr := repo.View.PasswordLockoutPolicyByAggregateID(repo.SystemDefaults.IamID)
|
||||
func (repo *OrgRepository) GetDefaultLockoutPolicy(ctx context.Context) (*iam_model.LockoutPolicyView, error) {
|
||||
policy, viewErr := repo.View.LockoutPolicyByAggregateID(repo.SystemDefaults.IamID)
|
||||
if viewErr != nil && !errors.IsNotFound(viewErr) {
|
||||
return nil, viewErr
|
||||
}
|
||||
if errors.IsNotFound(viewErr) {
|
||||
policy = new(iam_es_model.PasswordLockoutPolicyView)
|
||||
policy = new(iam_es_model.LockoutPolicyView)
|
||||
}
|
||||
events, esErr := repo.getIAMEvents(ctx, policy.Sequence)
|
||||
if errors.IsNotFound(viewErr) && len(events) == 0 {
|
||||
return nil, errors.ThrowNotFound(nil, "EVENT-cmO9s", "Errors.IAM.PasswordLockoutPolicy.NotFound")
|
||||
return nil, errors.ThrowNotFound(nil, "EVENT-cmO9s", "Errors.IAM.LockoutPolicy.NotFound")
|
||||
}
|
||||
if esErr != nil {
|
||||
logging.Log("EVENT-2Ms9f").WithError(esErr).Debug("error retrieving new events")
|
||||
return iam_es_model.PasswordLockoutViewToModel(policy), nil
|
||||
return iam_es_model.LockoutViewToModel(policy), nil
|
||||
}
|
||||
policyCopy := *policy
|
||||
for _, event := range events {
|
||||
if err := policyCopy.AppendEvent(event); err != nil {
|
||||
return iam_es_model.PasswordLockoutViewToModel(policy), nil
|
||||
return iam_es_model.LockoutViewToModel(policy), nil
|
||||
}
|
||||
}
|
||||
policy.Default = true
|
||||
return iam_es_model.PasswordLockoutViewToModel(policy), nil
|
||||
return iam_es_model.LockoutViewToModel(policy), nil
|
||||
}
|
||||
|
||||
func (repo *OrgRepository) GetPrivacyPolicy(ctx context.Context) (*iam_model.PrivacyPolicyView, error) {
|
||||
|
||||
@@ -71,8 +71,8 @@ func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es
|
||||
handler{view, bulkLimit, configs.cycleDuration("PasswordComplexityPolicy"), errorCount, es}),
|
||||
newPasswordAgePolicy(
|
||||
handler{view, bulkLimit, configs.cycleDuration("PasswordAgePolicy"), errorCount, es}),
|
||||
newPasswordLockoutPolicy(
|
||||
handler{view, bulkLimit, configs.cycleDuration("PasswordLockoutPolicy"), errorCount, es}),
|
||||
newLockoutPolicy(
|
||||
handler{view, bulkLimit, configs.cycleDuration("LockoutPolicy"), errorCount, es}),
|
||||
newOrgIAMPolicy(
|
||||
handler{view, bulkLimit, configs.cycleDuration("OrgIAMPolicy"), errorCount, es}),
|
||||
newMailTemplate(
|
||||
|
||||
@@ -13,16 +13,16 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
passwordLockoutPolicyTable = "management.password_lockout_policies"
|
||||
lockoutPolicyTable = "management.lockout_policies"
|
||||
)
|
||||
|
||||
type PasswordLockoutPolicy struct {
|
||||
type LockoutPolicy struct {
|
||||
handler
|
||||
subscription *v1.Subscription
|
||||
}
|
||||
|
||||
func newPasswordLockoutPolicy(handler handler) *PasswordLockoutPolicy {
|
||||
h := &PasswordLockoutPolicy{
|
||||
func newLockoutPolicy(handler handler) *LockoutPolicy {
|
||||
h := &LockoutPolicy{
|
||||
handler: handler,
|
||||
}
|
||||
|
||||
@@ -31,7 +31,7 @@ func newPasswordLockoutPolicy(handler handler) *PasswordLockoutPolicy {
|
||||
return h
|
||||
}
|
||||
|
||||
func (m *PasswordLockoutPolicy) subscribe() {
|
||||
func (m *LockoutPolicy) subscribe() {
|
||||
m.subscription = m.es.Subscribe(m.AggregateTypes()...)
|
||||
go func() {
|
||||
for event := range m.subscription.Events {
|
||||
@@ -40,28 +40,28 @@ func (m *PasswordLockoutPolicy) subscribe() {
|
||||
}()
|
||||
}
|
||||
|
||||
func (p *PasswordLockoutPolicy) ViewModel() string {
|
||||
return passwordLockoutPolicyTable
|
||||
func (p *LockoutPolicy) ViewModel() string {
|
||||
return lockoutPolicyTable
|
||||
}
|
||||
|
||||
func (p *PasswordLockoutPolicy) Subscription() *v1.Subscription {
|
||||
func (p *LockoutPolicy) Subscription() *v1.Subscription {
|
||||
return p.subscription
|
||||
}
|
||||
|
||||
func (_ *PasswordLockoutPolicy) AggregateTypes() []es_models.AggregateType {
|
||||
func (_ *LockoutPolicy) AggregateTypes() []es_models.AggregateType {
|
||||
return []es_models.AggregateType{model.OrgAggregate, iam_es_model.IAMAggregate}
|
||||
}
|
||||
|
||||
func (p *PasswordLockoutPolicy) CurrentSequence() (uint64, error) {
|
||||
sequence, err := p.view.GetLatestPasswordLockoutPolicySequence()
|
||||
func (p *LockoutPolicy) CurrentSequence() (uint64, error) {
|
||||
sequence, err := p.view.GetLatestLockoutPolicySequence()
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
return sequence.CurrentSequence, nil
|
||||
}
|
||||
|
||||
func (p *PasswordLockoutPolicy) EventQuery() (*es_models.SearchQuery, error) {
|
||||
sequence, err := p.view.GetLatestPasswordLockoutPolicySequence()
|
||||
func (p *LockoutPolicy) EventQuery() (*es_models.SearchQuery, error) {
|
||||
sequence, err := p.view.GetLatestLockoutPolicySequence()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -70,7 +70,7 @@ func (p *PasswordLockoutPolicy) EventQuery() (*es_models.SearchQuery, error) {
|
||||
LatestSequenceFilter(sequence.CurrentSequence), nil
|
||||
}
|
||||
|
||||
func (p *PasswordLockoutPolicy) Reduce(event *es_models.Event) (err error) {
|
||||
func (p *LockoutPolicy) Reduce(event *es_models.Event) (err error) {
|
||||
switch event.AggregateType {
|
||||
case model.OrgAggregate, iam_es_model.IAMAggregate:
|
||||
err = p.processPasswordLockoutPolicy(event)
|
||||
@@ -78,33 +78,33 @@ func (p *PasswordLockoutPolicy) Reduce(event *es_models.Event) (err error) {
|
||||
return err
|
||||
}
|
||||
|
||||
func (p *PasswordLockoutPolicy) processPasswordLockoutPolicy(event *es_models.Event) (err error) {
|
||||
policy := new(iam_model.PasswordLockoutPolicyView)
|
||||
func (p *LockoutPolicy) processPasswordLockoutPolicy(event *es_models.Event) (err error) {
|
||||
policy := new(iam_model.LockoutPolicyView)
|
||||
switch event.Type {
|
||||
case iam_es_model.PasswordLockoutPolicyAdded, model.PasswordLockoutPolicyAdded:
|
||||
case iam_es_model.LockoutPolicyAdded, model.LockoutPolicyAdded:
|
||||
err = policy.AppendEvent(event)
|
||||
case iam_es_model.PasswordLockoutPolicyChanged, model.PasswordLockoutPolicyChanged:
|
||||
policy, err = p.view.PasswordLockoutPolicyByAggregateID(event.AggregateID)
|
||||
case iam_es_model.LockoutPolicyChanged, model.LockoutPolicyChanged:
|
||||
policy, err = p.view.LockoutPolicyByAggregateID(event.AggregateID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
err = policy.AppendEvent(event)
|
||||
case model.PasswordLockoutPolicyRemoved:
|
||||
return p.view.DeletePasswordLockoutPolicy(event.AggregateID, event)
|
||||
case model.LockoutPolicyRemoved:
|
||||
return p.view.DeleteLockoutPolicy(event.AggregateID, event)
|
||||
default:
|
||||
return p.view.ProcessedPasswordLockoutPolicySequence(event)
|
||||
return p.view.ProcessedLockoutPolicySequence(event)
|
||||
}
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return p.view.PutPasswordLockoutPolicy(policy, event)
|
||||
return p.view.PutLockoutPolicy(policy, event)
|
||||
}
|
||||
|
||||
func (p *PasswordLockoutPolicy) OnError(event *es_models.Event, err error) error {
|
||||
func (p *LockoutPolicy) OnError(event *es_models.Event, err error) error {
|
||||
logging.LogWithFields("SPOOL-Bms8f", "id", event.AggregateID).WithError(err).Warn("something went wrong in passwordLockout policy handler")
|
||||
return spooler.HandleError(event, err, p.view.GetLatestPasswordLockoutPolicyFailedEvent, p.view.ProcessedPasswordLockoutPolicyFailedEvent, p.view.ProcessedPasswordLockoutPolicySequence, p.errorCountUntilSkip)
|
||||
return spooler.HandleError(event, err, p.view.GetLatestLockoutPolicyFailedEvent, p.view.ProcessedLockoutPolicyFailedEvent, p.view.ProcessedLockoutPolicySequence, p.errorCountUntilSkip)
|
||||
}
|
||||
|
||||
func (p *PasswordLockoutPolicy) OnSuccess() error {
|
||||
return spooler.HandleSuccess(p.view.UpdatePasswordLockoutPolicySpoolerRunTimestamp)
|
||||
func (p *LockoutPolicy) OnSuccess() error {
|
||||
return spooler.HandleSuccess(p.view.UpdateLockoutPolicySpoolerRunTimestamp)
|
||||
}
|
||||
|
||||
@@ -0,0 +1,53 @@
|
||||
package view
|
||||
|
||||
import (
|
||||
"github.com/caos/zitadel/internal/errors"
|
||||
"github.com/caos/zitadel/internal/eventstore/v1/models"
|
||||
"github.com/caos/zitadel/internal/iam/repository/view"
|
||||
"github.com/caos/zitadel/internal/iam/repository/view/model"
|
||||
global_view "github.com/caos/zitadel/internal/view/repository"
|
||||
)
|
||||
|
||||
const (
|
||||
lockoutPolicyTable = "management.lockout_policies"
|
||||
)
|
||||
|
||||
func (v *View) LockoutPolicyByAggregateID(aggregateID string) (*model.LockoutPolicyView, error) {
|
||||
return view.GetLockoutPolicyByAggregateID(v.Db, lockoutPolicyTable, aggregateID)
|
||||
}
|
||||
|
||||
func (v *View) PutLockoutPolicy(policy *model.LockoutPolicyView, event *models.Event) error {
|
||||
err := view.PutLockoutPolicy(v.Db, lockoutPolicyTable, policy)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return v.ProcessedLockoutPolicySequence(event)
|
||||
}
|
||||
|
||||
func (v *View) DeleteLockoutPolicy(aggregateID string, event *models.Event) error {
|
||||
err := view.DeleteLockoutPolicy(v.Db, lockoutPolicyTable, aggregateID)
|
||||
if err != nil && !errors.IsNotFound(err) {
|
||||
return err
|
||||
}
|
||||
return v.ProcessedLockoutPolicySequence(event)
|
||||
}
|
||||
|
||||
func (v *View) GetLatestLockoutPolicySequence() (*global_view.CurrentSequence, error) {
|
||||
return v.latestSequence(lockoutPolicyTable)
|
||||
}
|
||||
|
||||
func (v *View) ProcessedLockoutPolicySequence(event *models.Event) error {
|
||||
return v.saveCurrentSequence(lockoutPolicyTable, event)
|
||||
}
|
||||
|
||||
func (v *View) UpdateLockoutPolicySpoolerRunTimestamp() error {
|
||||
return v.updateSpoolerRunSequence(lockoutPolicyTable)
|
||||
}
|
||||
|
||||
func (v *View) GetLatestLockoutPolicyFailedEvent(sequence uint64) (*global_view.FailedEvent, error) {
|
||||
return v.latestFailedEvent(lockoutPolicyTable, sequence)
|
||||
}
|
||||
|
||||
func (v *View) ProcessedLockoutPolicyFailedEvent(failedEvent *global_view.FailedEvent) error {
|
||||
return v.saveFailedEvent(failedEvent)
|
||||
}
|
||||
@@ -1,53 +0,0 @@
|
||||
package view
|
||||
|
||||
import (
|
||||
"github.com/caos/zitadel/internal/errors"
|
||||
"github.com/caos/zitadel/internal/eventstore/v1/models"
|
||||
"github.com/caos/zitadel/internal/iam/repository/view"
|
||||
"github.com/caos/zitadel/internal/iam/repository/view/model"
|
||||
global_view "github.com/caos/zitadel/internal/view/repository"
|
||||
)
|
||||
|
||||
const (
|
||||
passwordLockoutPolicyTable = "management.password_lockout_policies"
|
||||
)
|
||||
|
||||
func (v *View) PasswordLockoutPolicyByAggregateID(aggregateID string) (*model.PasswordLockoutPolicyView, error) {
|
||||
return view.GetPasswordLockoutPolicyByAggregateID(v.Db, passwordLockoutPolicyTable, aggregateID)
|
||||
}
|
||||
|
||||
func (v *View) PutPasswordLockoutPolicy(policy *model.PasswordLockoutPolicyView, event *models.Event) error {
|
||||
err := view.PutPasswordLockoutPolicy(v.Db, passwordLockoutPolicyTable, policy)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return v.ProcessedPasswordLockoutPolicySequence(event)
|
||||
}
|
||||
|
||||
func (v *View) DeletePasswordLockoutPolicy(aggregateID string, event *models.Event) error {
|
||||
err := view.DeletePasswordLockoutPolicy(v.Db, passwordLockoutPolicyTable, aggregateID)
|
||||
if err != nil && !errors.IsNotFound(err) {
|
||||
return err
|
||||
}
|
||||
return v.ProcessedPasswordLockoutPolicySequence(event)
|
||||
}
|
||||
|
||||
func (v *View) GetLatestPasswordLockoutPolicySequence() (*global_view.CurrentSequence, error) {
|
||||
return v.latestSequence(passwordLockoutPolicyTable)
|
||||
}
|
||||
|
||||
func (v *View) ProcessedPasswordLockoutPolicySequence(event *models.Event) error {
|
||||
return v.saveCurrentSequence(passwordLockoutPolicyTable, event)
|
||||
}
|
||||
|
||||
func (v *View) UpdatePasswordLockoutPolicySpoolerRunTimestamp() error {
|
||||
return v.updateSpoolerRunSequence(passwordLockoutPolicyTable)
|
||||
}
|
||||
|
||||
func (v *View) GetLatestPasswordLockoutPolicyFailedEvent(sequence uint64) (*global_view.FailedEvent, error) {
|
||||
return v.latestFailedEvent(passwordLockoutPolicyTable, sequence)
|
||||
}
|
||||
|
||||
func (v *View) ProcessedPasswordLockoutPolicyFailedEvent(failedEvent *global_view.FailedEvent) error {
|
||||
return v.saveFailedEvent(failedEvent)
|
||||
}
|
||||
@@ -42,8 +42,8 @@ type OrgRepository interface {
|
||||
GetPasswordAgePolicy(ctx context.Context) (*iam_model.PasswordAgePolicyView, error)
|
||||
GetDefaultPasswordAgePolicy(ctx context.Context) (*iam_model.PasswordAgePolicyView, error)
|
||||
|
||||
GetPasswordLockoutPolicy(ctx context.Context) (*iam_model.PasswordLockoutPolicyView, error)
|
||||
GetDefaultPasswordLockoutPolicy(ctx context.Context) (*iam_model.PasswordLockoutPolicyView, error)
|
||||
GetLockoutPolicy(ctx context.Context) (*iam_model.LockoutPolicyView, error)
|
||||
GetDefaultLockoutPolicy(ctx context.Context) (*iam_model.LockoutPolicyView, error)
|
||||
|
||||
GetPrivacyPolicy(ctx context.Context) (*iam_model.PrivacyPolicyView, error)
|
||||
GetDefaultPrivacyPolicy(ctx context.Context) (*iam_model.PrivacyPolicyView, error)
|
||||
|
||||
Reference in New Issue
Block a user