feat: Lockout policy (#2121)

* feat: lock users if lockout policy is set * feat: setup * feat: lock user on password failes * feat: render error * feat: lock user on command side * feat: auth_req tests * feat: lockout policy docs * feat: remove show lockout failures from proto * fix: console lockout * feat: tests * fix: tests * unlock function * add unlock button * fix migration version * lockout policy * lint * Update internal/auth/repository/eventsourcing/eventstore/auth_request.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: err message * Update internal/command/setup_step4.go Co-authored-by: Silvan <silvan.reusser@gmail.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Silvan <silvan.reusser@gmail.com>
2025-08-12 01:37:31 +00:00 · 2021-08-11 08:36:32 +02:00
parent 272e411e27
commit bc951985ed
101 changed files with 2170 additions and 1574 deletions
--- a/internal/query/converter.go
+++ b/internal/query/converter.go
@@ -20,7 +20,7 @@ func readModelToIAM(readModel *ReadModel) *model.IAM {
 		DefaultOrgIAMPolicy:             readModelToOrgIAMPolicy(&readModel.DefaultOrgIAMPolicy),
 		DefaultPasswordAgePolicy:        readModelToPasswordAgePolicy(&readModel.DefaultPasswordAgePolicy),
 		DefaultPasswordComplexityPolicy: readModelToPasswordComplexityPolicy(&readModel.DefaultPasswordComplexityPolicy),
-		DefaultPasswordLockoutPolicy:    readModelToPasswordLockoutPolicy(&readModel.DefaultPasswordLockoutPolicy),
+		DefaultLockoutPolicy:            readModelToPasswordLockoutPolicy(&readModel.DefaultPasswordLockoutPolicy),
 		IDPs:                            readModelToIDPConfigs(&readModel.IDPs),
 	}
 }
@@ -121,10 +121,10 @@ func readModelToPasswordComplexityPolicy(readModel *IAMPasswordComplexityPolicyR
 		MinLength:    readModel.MinLength,
 	}
 }
-func readModelToPasswordLockoutPolicy(readModel *IAMPasswordLockoutPolicyReadModel) *model.PasswordLockoutPolicy {
-	return &model.PasswordLockoutPolicy{
-		ObjectRoot:          readModelToObjectRoot(readModel.PasswordLockoutPolicyReadModel.ReadModel),
-		MaxAttempts:         readModel.MaxAttempts,
+func readModelToPasswordLockoutPolicy(readModel *IAMLockoutPolicyReadModel) *model.LockoutPolicy {
+	return &model.LockoutPolicy{
+		ObjectRoot:          readModelToObjectRoot(readModel.LockoutPolicyReadModel.ReadModel),
+		MaxPasswordAttempts: readModel.MaxAttempts,
 		ShowLockOutFailures: readModel.ShowLockOutFailures,
 	}
 }
--- a/internal/query/iam_model.go
+++ b/internal/query/iam_model.go
@@ -25,7 +25,7 @@ type ReadModel struct {
 	DefaultOrgIAMPolicy             IAMOrgIAMPolicyReadModel
 	DefaultPasswordComplexityPolicy IAMPasswordComplexityPolicyReadModel
 	DefaultPasswordAgePolicy        IAMPasswordAgePolicyReadModel
-	DefaultPasswordLockoutPolicy    IAMPasswordLockoutPolicyReadModel
+	DefaultPasswordLockoutPolicy    IAMLockoutPolicyReadModel
 }

 func NewReadModel(id string) *ReadModel {
@@ -80,8 +80,8 @@ func (rm *ReadModel) AppendEvents(events ...eventstore.EventReader) {
 			*policy.PasswordAgePolicyChangedEvent:

 			rm.DefaultPasswordAgePolicy.AppendEvents(event)
-		case *policy.PasswordLockoutPolicyAddedEvent,
-			*policy.PasswordLockoutPolicyChangedEvent:
+		case *policy.LockoutPolicyAddedEvent,
+			*policy.LockoutPolicyChangedEvent:

 			rm.DefaultPasswordLockoutPolicy.AppendEvents(event)
 		}
--- a/internal/query/iam_policy_password_lockout_model.go
+++ b/internal/query/iam_policy_password_lockout_model.go
@@ -6,19 +6,19 @@ import (
 	"github.com/caos/zitadel/internal/repository/policy"
 )

-type IAMPasswordLockoutPolicyReadModel struct {
-	PasswordLockoutPolicyReadModel
+type IAMLockoutPolicyReadModel struct {
+	LockoutPolicyReadModel
 }

-func (rm *IAMPasswordLockoutPolicyReadModel) AppendEvents(events ...eventstore.EventReader) {
+func (rm *IAMLockoutPolicyReadModel) AppendEvents(events ...eventstore.EventReader) {
 	for _, event := range events {
 		switch e := event.(type) {
-		case *iam.PasswordLockoutPolicyAddedEvent:
-			rm.PasswordLockoutPolicyReadModel.AppendEvents(&e.PasswordLockoutPolicyAddedEvent)
-		case *iam.PasswordLockoutPolicyChangedEvent:
-			rm.PasswordLockoutPolicyReadModel.AppendEvents(&e.PasswordLockoutPolicyChangedEvent)
-		case *policy.PasswordLockoutPolicyAddedEvent, *policy.PasswordLockoutPolicyChangedEvent:
-			rm.PasswordLockoutPolicyReadModel.AppendEvents(e)
+		case *iam.LockoutPolicyAddedEvent:
+			rm.LockoutPolicyReadModel.AppendEvents(&e.LockoutPolicyAddedEvent)
+		case *iam.LockoutPolicyChangedEvent:
+			rm.LockoutPolicyReadModel.AppendEvents(&e.LockoutPolicyChangedEvent)
+		case *policy.LockoutPolicyAddedEvent, *policy.LockoutPolicyChangedEvent:
+			rm.LockoutPolicyReadModel.AppendEvents(e)
 		}
 	}
 }
--- a/internal/query/org_policy_password_lockout_model.go
+++ b/internal/query/org_policy_password_lockout_model.go
@@ -7,18 +7,18 @@ import (
 )

 type OrgPasswordLockoutPolicyReadModel struct {
-	PasswordLockoutPolicyReadModel
+	LockoutPolicyReadModel
 }

 func (rm *OrgPasswordLockoutPolicyReadModel) AppendEvents(events ...eventstore.EventReader) {
 	for _, event := range events {
 		switch e := event.(type) {
-		case *org.PasswordLockoutPolicyAddedEvent:
-			rm.PasswordLockoutPolicyReadModel.AppendEvents(&e.PasswordLockoutPolicyAddedEvent)
-		case *org.PasswordLockoutPolicyChangedEvent:
-			rm.PasswordLockoutPolicyReadModel.AppendEvents(&e.PasswordLockoutPolicyChangedEvent)
-		case *policy.PasswordLockoutPolicyAddedEvent, *policy.PasswordLockoutPolicyChangedEvent:
-			rm.PasswordLockoutPolicyReadModel.AppendEvents(e)
+		case *org.LockoutPolicyAddedEvent:
+			rm.LockoutPolicyReadModel.AppendEvents(&e.LockoutPolicyAddedEvent)
+		case *org.LockoutPolicyChangedEvent:
+			rm.LockoutPolicyReadModel.AppendEvents(&e.LockoutPolicyChangedEvent)
+		case *policy.LockoutPolicyAddedEvent, *policy.LockoutPolicyChangedEvent:
+			rm.LockoutPolicyReadModel.AppendEvents(e)
 		}
 	}
 }
--- a/internal/query/policy_password_lockout_model.go
+++ b/internal/query/policy_password_lockout_model.go
@@ -5,22 +5,22 @@ import (
 	"github.com/caos/zitadel/internal/repository/policy"
 )

-type PasswordLockoutPolicyReadModel struct {
+type LockoutPolicyReadModel struct {
 	eventstore.ReadModel

 	MaxAttempts         uint64
 	ShowLockOutFailures bool
 }

-func (rm *PasswordLockoutPolicyReadModel) Reduce() error {
+func (rm *LockoutPolicyReadModel) Reduce() error {
 	for _, event := range rm.Events {
 		switch e := event.(type) {
-		case *policy.PasswordLockoutPolicyAddedEvent:
-			rm.MaxAttempts = e.MaxAttempts
+		case *policy.LockoutPolicyAddedEvent:
+			rm.MaxAttempts = e.MaxPasswordAttempts
 			rm.ShowLockOutFailures = e.ShowLockOutFailures
-		case *policy.PasswordLockoutPolicyChangedEvent:
-			if e.MaxAttempts != nil {
-				rm.MaxAttempts = *e.MaxAttempts
+		case *policy.LockoutPolicyChangedEvent:
+			if e.MaxPasswordAttempts != nil {
+				rm.MaxAttempts = *e.MaxPasswordAttempts
 			}
 			if e.ShowLockOutFailures != nil {
 				rm.ShowLockOutFailures = *e.ShowLockOutFailures