feat: Lockout policy (#2121)

* feat: lock users if lockout policy is set * feat: setup * feat: lock user on password failes * feat: render error * feat: lock user on command side * feat: auth_req tests * feat: lockout policy docs * feat: remove show lockout failures from proto * fix: console lockout * feat: tests * fix: tests * unlock function * add unlock button * fix migration version * lockout policy * lint * Update internal/auth/repository/eventsourcing/eventstore/auth_request.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: err message * Update internal/command/setup_step4.go Co-authored-by: Silvan <silvan.reusser@gmail.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Silvan <silvan.reusser@gmail.com>
2025-08-11 19:17:32 +00:00 · 2021-08-11 08:36:32 +02:00
parent 272e411e27
commit bc951985ed
101 changed files with 2170 additions and 1574 deletions
--- a/internal/org/repository/eventsourcing/model/org.go
+++ b/internal/org/repository/eventsourcing/model/org.go
@@ -30,7 +30,7 @@ type Org struct {
 	LoginPolicy              *iam_es_model.LoginPolicy              `json:"-"`
 	PasswordComplexityPolicy *iam_es_model.PasswordComplexityPolicy `json:"-"`
 	PasswordAgePolicy        *iam_es_model.PasswordAgePolicy        `json:"-"`
-	PasswordLockoutPolicy    *iam_es_model.PasswordLockoutPolicy    `json:"-"`
+	LockoutPolicy            *iam_es_model.LockoutPolicy            `json:"-"`
 }

 func OrgToModel(org *Org) *org_model.Org {
@@ -60,8 +60,8 @@ func OrgToModel(org *Org) *org_model.Org {
 	if org.PasswordAgePolicy != nil {
 		converted.PasswordAgePolicy = iam_es_model.PasswordAgePolicyToModel(org.PasswordAgePolicy)
 	}
-	if org.PasswordLockoutPolicy != nil {
-		converted.PasswordLockoutPolicy = iam_es_model.PasswordLockoutPolicyToModel(org.PasswordLockoutPolicy)
+	if org.LockoutPolicy != nil {
+		converted.LockoutPolicy = iam_es_model.LockoutPolicyToModel(org.LockoutPolicy)
 	}
 	return converted
 }
@@ -196,12 +196,12 @@ func (o *Org) AppendEvent(event *es_models.Event) (err error) {
 		err = o.appendChangePasswordAgePolicyEvent(event)
 	case PasswordAgePolicyRemoved:
 		o.appendRemovePasswordAgePolicyEvent(event)
-	case PasswordLockoutPolicyAdded:
-		err = o.appendAddPasswordLockoutPolicyEvent(event)
-	case PasswordLockoutPolicyChanged:
-		err = o.appendChangePasswordLockoutPolicyEvent(event)
-	case PasswordLockoutPolicyRemoved:
-		o.appendRemovePasswordLockoutPolicyEvent(event)
+	case LockoutPolicyAdded:
+		err = o.appendAddLockoutPolicyEvent(event)
+	case LockoutPolicyChanged:
+		err = o.appendChangeLockoutPolicyEvent(event)
+	case LockoutPolicyRemoved:
+		o.appendRemoveLockoutPolicyEvent(event)
 	}
 	if err != nil {
 		return err
--- a/internal/org/repository/eventsourcing/model/password_lockout_policy.go
+++ b/internal/org/repository/eventsourcing/model/password_lockout_policy.go
@@ -5,20 +5,20 @@ import (
 	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
 )

-func (o *Org) appendAddPasswordLockoutPolicyEvent(event *es_models.Event) error {
-	o.PasswordLockoutPolicy = new(iam_es_model.PasswordLockoutPolicy)
-	err := o.PasswordLockoutPolicy.SetData(event)
+func (o *Org) appendAddLockoutPolicyEvent(event *es_models.Event) error {
+	o.LockoutPolicy = new(iam_es_model.LockoutPolicy)
+	err := o.LockoutPolicy.SetData(event)
 	if err != nil {
 		return err
 	}
-	o.PasswordLockoutPolicy.ObjectRoot.CreationDate = event.CreationDate
+	o.LockoutPolicy.ObjectRoot.CreationDate = event.CreationDate
 	return nil
 }

-func (o *Org) appendChangePasswordLockoutPolicyEvent(event *es_models.Event) error {
-	return o.PasswordLockoutPolicy.SetData(event)
+func (o *Org) appendChangeLockoutPolicyEvent(event *es_models.Event) error {
+	return o.LockoutPolicy.SetData(event)
 }

-func (o *Org) appendRemovePasswordLockoutPolicyEvent(event *es_models.Event) {
-	o.PasswordLockoutPolicy = nil
+func (o *Org) appendRemoveLockoutPolicyEvent(event *es_models.Event) {
+	o.LockoutPolicy = nil
 }
--- a/internal/org/repository/eventsourcing/model/password_lockout_policy_test.go
+++ b/internal/org/repository/eventsourcing/model/password_lockout_policy_test.go
@@ -7,10 +7,10 @@ import (
 	"testing"
 )

-func TestAppendAddPasswordLockoutPolicyEvent(t *testing.T) {
+func TestAppendAddLockoutPolicyEvent(t *testing.T) {
 	type args struct {
 		org    *Org
-		policy *iam_es_model.PasswordLockoutPolicy
+		policy *iam_es_model.LockoutPolicy
 		event  *es_models.Event
 	}
 	tests := []struct {
@@ -19,13 +19,13 @@ func TestAppendAddPasswordLockoutPolicyEvent(t *testing.T) {
 		result *Org
 	}{
 		{
-			name: "append add password age policy event",
+			name: "append add lockout policy event",
 			args: args{
 				org:    &Org{},
-				policy: &iam_es_model.PasswordLockoutPolicy{MaxAttempts: 10},
+				policy: &iam_es_model.LockoutPolicy{MaxPasswordAttempts: 10},
 				event:  &es_models.Event{},
 			},
-			result: &Org{PasswordLockoutPolicy: &iam_es_model.PasswordLockoutPolicy{MaxAttempts: 10}},
+			result: &Org{LockoutPolicy: &iam_es_model.LockoutPolicy{MaxPasswordAttempts: 10}},
 		},
 	}
 	for _, tt := range tests {
@@ -34,18 +34,18 @@ func TestAppendAddPasswordLockoutPolicyEvent(t *testing.T) {
 				data, _ := json.Marshal(tt.args.policy)
 				tt.args.event.Data = data
 			}
-			tt.args.org.appendAddPasswordLockoutPolicyEvent(tt.args.event)
-			if tt.result.PasswordLockoutPolicy.MaxAttempts != tt.args.org.PasswordLockoutPolicy.MaxAttempts {
-				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.PasswordLockoutPolicy.MaxAttempts, tt.args.org.PasswordLockoutPolicy.MaxAttempts)
+			tt.args.org.appendAddLockoutPolicyEvent(tt.args.event)
+			if tt.result.LockoutPolicy.MaxPasswordAttempts != tt.args.org.LockoutPolicy.MaxPasswordAttempts {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.LockoutPolicy.MaxPasswordAttempts, tt.args.org.LockoutPolicy.MaxPasswordAttempts)
 			}
 		})
 	}
 }

-func TestAppendChangePasswordLockoutPolicyEvent(t *testing.T) {
+func TestAppendChangeLockoutPolicyEvent(t *testing.T) {
 	type args struct {
 		org    *Org
-		policy *iam_es_model.PasswordLockoutPolicy
+		policy *iam_es_model.LockoutPolicy
 		event  *es_models.Event
 	}
 	tests := []struct {
@@ -54,16 +54,16 @@ func TestAppendChangePasswordLockoutPolicyEvent(t *testing.T) {
 		result *Org
 	}{
 		{
-			name: "append change password age policy event",
+			name: "append change lockout policy event",
 			args: args{
-				org: &Org{PasswordLockoutPolicy: &iam_es_model.PasswordLockoutPolicy{
-					MaxAttempts: 10,
+				org: &Org{LockoutPolicy: &iam_es_model.LockoutPolicy{
+					MaxPasswordAttempts: 10,
 				}},
-				policy: &iam_es_model.PasswordLockoutPolicy{MaxAttempts: 5, ShowLockOutFailures: true},
+				policy: &iam_es_model.LockoutPolicy{MaxPasswordAttempts: 5, ShowLockOutFailures: true},
 				event:  &es_models.Event{},
 			},
-			result: &Org{PasswordLockoutPolicy: &iam_es_model.PasswordLockoutPolicy{
-				MaxAttempts:         5,
+			result: &Org{LockoutPolicy: &iam_es_model.LockoutPolicy{
+				MaxPasswordAttempts: 5,
 				ShowLockOutFailures: true,
 			}},
 		},
@@ -74,12 +74,12 @@ func TestAppendChangePasswordLockoutPolicyEvent(t *testing.T) {
 				data, _ := json.Marshal(tt.args.policy)
 				tt.args.event.Data = data
 			}
-			tt.args.org.appendChangePasswordLockoutPolicyEvent(tt.args.event)
-			if tt.result.PasswordLockoutPolicy.MaxAttempts != tt.args.org.PasswordLockoutPolicy.MaxAttempts {
-				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.PasswordLockoutPolicy.MaxAttempts, tt.args.org.PasswordLockoutPolicy.MaxAttempts)
+			tt.args.org.appendChangeLockoutPolicyEvent(tt.args.event)
+			if tt.result.LockoutPolicy.MaxPasswordAttempts != tt.args.org.LockoutPolicy.MaxPasswordAttempts {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.LockoutPolicy.MaxPasswordAttempts, tt.args.org.LockoutPolicy.MaxPasswordAttempts)
 			}
-			if tt.result.PasswordLockoutPolicy.ShowLockOutFailures != tt.args.org.PasswordLockoutPolicy.ShowLockOutFailures {
-				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.PasswordLockoutPolicy.ShowLockOutFailures, tt.args.org.PasswordLockoutPolicy.ShowLockOutFailures)
+			if tt.result.LockoutPolicy.ShowLockOutFailures != tt.args.org.LockoutPolicy.ShowLockOutFailures {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.LockoutPolicy.ShowLockOutFailures, tt.args.org.LockoutPolicy.ShowLockOutFailures)
 			}
 		})
 	}
--- a/internal/org/repository/eventsourcing/model/types.go
+++ b/internal/org/repository/eventsourcing/model/types.go
@@ -89,9 +89,9 @@ const (
 	PasswordAgePolicyChanged models.EventType = "org.policy.password.age.changed"
 	PasswordAgePolicyRemoved models.EventType = "org.policy.password.age.removed"

-	PasswordLockoutPolicyAdded   models.EventType = "org.policy.password.lockout.added"
-	PasswordLockoutPolicyChanged models.EventType = "org.policy.password.lockout.changed"
-	PasswordLockoutPolicyRemoved models.EventType = "org.policy.password.lockout.removed"
+	LockoutPolicyAdded   models.EventType = "org.policy.lockout.added"
+	LockoutPolicyChanged models.EventType = "org.policy.lockout.changed"
+	LockoutPolicyRemoved models.EventType = "org.policy.lockout.removed"

 	PrivacyPolicyAdded   models.EventType = "org.policy.privacy.added"
 	PrivacyPolicyChanged models.EventType = "org.policy.privacy.changed"