mirror of
https://github.com/zitadel/zitadel.git
synced 2025-12-07 06:12:04 +00:00
feat: Lockout policy (#2121)
* feat: lock users if lockout policy is set * feat: setup * feat: lock user on password failes * feat: render error * feat: lock user on command side * feat: auth_req tests * feat: lockout policy docs * feat: remove show lockout failures from proto * fix: console lockout * feat: tests * fix: tests * unlock function * add unlock button * fix migration version * lockout policy * lint * Update internal/auth/repository/eventsourcing/eventstore/auth_request.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: err message * Update internal/command/setup_step4.go Co-authored-by: Silvan <silvan.reusser@gmail.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Silvan <silvan.reusser@gmail.com>
This commit is contained in:
Fabi
@@ -71,8 +71,8 @@ func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es
|
||||
handler{view, bulkLimit, configs.cycleDuration("PasswordComplexityPolicy"), errorCount, es}),
|
||||
newPasswordAgePolicy(
|
||||
handler{view, bulkLimit, configs.cycleDuration("PasswordAgePolicy"), errorCount, es}),
|
||||
newPasswordLockoutPolicy(
|
||||
handler{view, bulkLimit, configs.cycleDuration("PasswordLockoutPolicy"), errorCount, es}),
|
||||
newLockoutPolicy(
|
||||
handler{view, bulkLimit, configs.cycleDuration("LockoutPolicy"), errorCount, es}),
|
||||
newOrgIAMPolicy(
|
||||
handler{view, bulkLimit, configs.cycleDuration("OrgIAMPolicy"), errorCount, es}),
|
||||
newMailTemplate(
|
||||
|
||||
@@ -13,16 +13,16 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
passwordLockoutPolicyTable = "management.password_lockout_policies"
|
||||
lockoutPolicyTable = "management.lockout_policies"
|
||||
)
|
||||
|
||||
type PasswordLockoutPolicy struct {
|
||||
type LockoutPolicy struct {
|
||||
handler
|
||||
subscription *v1.Subscription
|
||||
}
|
||||
|
||||
func newPasswordLockoutPolicy(handler handler) *PasswordLockoutPolicy {
|
||||
h := &PasswordLockoutPolicy{
|
||||
func newLockoutPolicy(handler handler) *LockoutPolicy {
|
||||
h := &LockoutPolicy{
|
||||
handler: handler,
|
||||
}
|
||||
|
||||
@@ -31,7 +31,7 @@ func newPasswordLockoutPolicy(handler handler) *PasswordLockoutPolicy {
|
||||
return h
|
||||
}
|
||||
|
||||
func (m *PasswordLockoutPolicy) subscribe() {
|
||||
func (m *LockoutPolicy) subscribe() {
|
||||
m.subscription = m.es.Subscribe(m.AggregateTypes()...)
|
||||
go func() {
|
||||
for event := range m.subscription.Events {
|
||||
@@ -40,28 +40,28 @@ func (m *PasswordLockoutPolicy) subscribe() {
|
||||
}()
|
||||
}
|
||||
|
||||
func (p *PasswordLockoutPolicy) ViewModel() string {
|
||||
return passwordLockoutPolicyTable
|
||||
func (p *LockoutPolicy) ViewModel() string {
|
||||
return lockoutPolicyTable
|
||||
}
|
||||
|
||||
func (p *PasswordLockoutPolicy) Subscription() *v1.Subscription {
|
||||
func (p *LockoutPolicy) Subscription() *v1.Subscription {
|
||||
return p.subscription
|
||||
}
|
||||
|
||||
func (_ *PasswordLockoutPolicy) AggregateTypes() []es_models.AggregateType {
|
||||
func (_ *LockoutPolicy) AggregateTypes() []es_models.AggregateType {
|
||||
return []es_models.AggregateType{model.OrgAggregate, iam_es_model.IAMAggregate}
|
||||
}
|
||||
|
||||
func (p *PasswordLockoutPolicy) CurrentSequence() (uint64, error) {
|
||||
sequence, err := p.view.GetLatestPasswordLockoutPolicySequence()
|
||||
func (p *LockoutPolicy) CurrentSequence() (uint64, error) {
|
||||
sequence, err := p.view.GetLatestLockoutPolicySequence()
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
return sequence.CurrentSequence, nil
|
||||
}
|
||||
|
||||
func (p *PasswordLockoutPolicy) EventQuery() (*es_models.SearchQuery, error) {
|
||||
sequence, err := p.view.GetLatestPasswordLockoutPolicySequence()
|
||||
func (p *LockoutPolicy) EventQuery() (*es_models.SearchQuery, error) {
|
||||
sequence, err := p.view.GetLatestLockoutPolicySequence()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -70,7 +70,7 @@ func (p *PasswordLockoutPolicy) EventQuery() (*es_models.SearchQuery, error) {
|
||||
LatestSequenceFilter(sequence.CurrentSequence), nil
|
||||
}
|
||||
|
||||
func (p *PasswordLockoutPolicy) Reduce(event *es_models.Event) (err error) {
|
||||
func (p *LockoutPolicy) Reduce(event *es_models.Event) (err error) {
|
||||
switch event.AggregateType {
|
||||
case model.OrgAggregate, iam_es_model.IAMAggregate:
|
||||
err = p.processPasswordLockoutPolicy(event)
|
||||
@@ -78,33 +78,33 @@ func (p *PasswordLockoutPolicy) Reduce(event *es_models.Event) (err error) {
|
||||
return err
|
||||
}
|
||||
|
||||
func (p *PasswordLockoutPolicy) processPasswordLockoutPolicy(event *es_models.Event) (err error) {
|
||||
policy := new(iam_model.PasswordLockoutPolicyView)
|
||||
func (p *LockoutPolicy) processPasswordLockoutPolicy(event *es_models.Event) (err error) {
|
||||
policy := new(iam_model.LockoutPolicyView)
|
||||
switch event.Type {
|
||||
case iam_es_model.PasswordLockoutPolicyAdded, model.PasswordLockoutPolicyAdded:
|
||||
case iam_es_model.LockoutPolicyAdded, model.LockoutPolicyAdded:
|
||||
err = policy.AppendEvent(event)
|
||||
case iam_es_model.PasswordLockoutPolicyChanged, model.PasswordLockoutPolicyChanged:
|
||||
policy, err = p.view.PasswordLockoutPolicyByAggregateID(event.AggregateID)
|
||||
case iam_es_model.LockoutPolicyChanged, model.LockoutPolicyChanged:
|
||||
policy, err = p.view.LockoutPolicyByAggregateID(event.AggregateID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
err = policy.AppendEvent(event)
|
||||
case model.PasswordLockoutPolicyRemoved:
|
||||
return p.view.DeletePasswordLockoutPolicy(event.AggregateID, event)
|
||||
case model.LockoutPolicyRemoved:
|
||||
return p.view.DeleteLockoutPolicy(event.AggregateID, event)
|
||||
default:
|
||||
return p.view.ProcessedPasswordLockoutPolicySequence(event)
|
||||
return p.view.ProcessedLockoutPolicySequence(event)
|
||||
}
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return p.view.PutPasswordLockoutPolicy(policy, event)
|
||||
return p.view.PutLockoutPolicy(policy, event)
|
||||
}
|
||||
|
||||
func (p *PasswordLockoutPolicy) OnError(event *es_models.Event, err error) error {
|
||||
func (p *LockoutPolicy) OnError(event *es_models.Event, err error) error {
|
||||
logging.LogWithFields("SPOOL-Bms8f", "id", event.AggregateID).WithError(err).Warn("something went wrong in passwordLockout policy handler")
|
||||
return spooler.HandleError(event, err, p.view.GetLatestPasswordLockoutPolicyFailedEvent, p.view.ProcessedPasswordLockoutPolicyFailedEvent, p.view.ProcessedPasswordLockoutPolicySequence, p.errorCountUntilSkip)
|
||||
return spooler.HandleError(event, err, p.view.GetLatestLockoutPolicyFailedEvent, p.view.ProcessedLockoutPolicyFailedEvent, p.view.ProcessedLockoutPolicySequence, p.errorCountUntilSkip)
|
||||
}
|
||||
|
||||
func (p *PasswordLockoutPolicy) OnSuccess() error {
|
||||
return spooler.HandleSuccess(p.view.UpdatePasswordLockoutPolicySpoolerRunTimestamp)
|
||||
func (p *LockoutPolicy) OnSuccess() error {
|
||||
return spooler.HandleSuccess(p.view.UpdateLockoutPolicySpoolerRunTimestamp)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user