feat: Lockout policy (#2121)
* feat: lock users if lockout policy is set * feat: setup * feat: lock user on password fails * feat: render error * feat: lock user on command side * feat: auth_req tests * feat: lockout policy docs * feat: remove show lockout failures from proto * fix: console lockout * feat: tests * fix: tests * unlock function * add unlock button * fix migration version * lockout policy * lint * Update internal/auth/repository/eventsourcing/eventstore/auth_request.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: err message * Update internal/command/setup_step4.go Co-authored-by: Silvan <silvan.reusser@gmail.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Silvan <silvan.reusser@gmail.com>
@@ -1425,10 +1425,10 @@ service AdminService {
|
||||
};
|
||||
}
|
||||
|
||||
//Returns the password lockout policy defined by the administrators of ZITADEL
|
||||
rpc GetPasswordLockoutPolicy(GetPasswordLockoutPolicyRequest) returns (GetPasswordLockoutPolicyResponse) {
|
||||
//Returns the lockout policy defined by the administrators of ZITADEL
|
||||
rpc GetLockoutPolicy(GetLockoutPolicyRequest) returns (GetLockoutPolicyResponse) {
|
||||
option (google.api.http) = {
|
||||
get: "/policies/password/lockout";
|
||||
get: "/policies/lockout";
|
||||
};
|
||||
|
||||
option (zitadel.v1.auth_option) = {
|
||||
@@ -1437,20 +1437,19 @@ service AdminService {
|
||||
|
||||
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
|
||||
tags: "policy";
|
||||
tags: "password policy";
|
||||
tags: "password lockout policy";
|
||||
tags: "lockout policy";
|
||||
responses: {
|
||||
key: "200";
|
||||
value: {
|
||||
description: "default password lockout policy";
|
||||
description: "default lockout policy";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
//Updates the default password lockout policy of ZITADEL
|
||||
//Updates the default lockout policy of ZITADEL
|
||||
// it impacts all organisations without a customised policy
|
||||
rpc UpdatePasswordLockoutPolicy(UpdatePasswordLockoutPolicyRequest) returns (UpdatePasswordLockoutPolicyResponse) {
|
||||
rpc UpdateLockoutPolicy(UpdateLockoutPolicyRequest) returns (UpdateLockoutPolicyResponse) {
|
||||
option (google.api.http) = {
|
||||
put: "/policies/password/lockout";
|
||||
body: "*";
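Review bot: The REST path for the renamed UpdateLockoutPolicy in this hunk is still `put: "/policies/password/lockout";` (it appears as unchanged context on the line before `body`), while GetLockoutPolicy in the previous hunk moves to `get: "/policies/lockout";` and every ManagementService lockout rpc in this commit uses `/policies/lockout`. Unless the old path is kept on purpose for REST compatibility, change it to `put: "/policies/lockout";` so the admin surface is consistent with its own GET and with the management API; if it is deliberate, a one-line comment saying so would spare the next reader the same question. The rpc body continues outside the hunk.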
|
||||
@@ -3086,25 +3085,23 @@ message UpdatePasswordAgePolicyResponse {
|
||||
}
|
||||
|
||||
//This is an empty request
|
||||
message GetPasswordLockoutPolicyRequest {}
|
||||
message GetLockoutPolicyRequest {}
|
||||
|
||||
message GetPasswordLockoutPolicyResponse {
|
||||
zitadel.policy.v1.PasswordLockoutPolicy policy = 1;
|
||||
message GetLockoutPolicyResponse {
|
||||
zitadel.policy.v1.LockoutPolicy policy = 1;
|
||||
}
|
||||
|
||||
message UpdatePasswordLockoutPolicyRequest {
|
||||
message UpdateLockoutPolicyRequest {
|
||||
// failed attempts until a user gets locked
|
||||
uint32 max_attempts = 1 [
|
||||
uint32 max_password_attempts = 1 [
|
||||
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
||||
description: "Maximum attempts before the account gets locked. Attempts are reset as soon as the password is entered correct or the password is reset."
|
||||
description: "Maximum password check attempts before the account gets locked. Attempts are reset as soon as the password is entered correct or the password is reset."
|
||||
example: "\"10\""
|
||||
}
|
||||
];
|
||||
// If an error should be displayed during a lockout or not
|
||||
bool show_lockout_failure = 2;
|
||||
}
|
||||
|
||||
message UpdatePasswordLockoutPolicyResponse {
|
||||
message UpdateLockoutPolicyResponse {
|
||||
zitadel.v1.ObjectDetails details = 1;
|
||||
}
|
||||
|
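Review bot: `UpdateLockoutPolicyRequest` drops `show_lockout_failure = 2` but neither the number nor the name is reserved, so nothing stops a later field from being assigned `= 2` (or the same JSON name) with a different meaning; add `reserved 2; reserved "show_lockout_failure";` inside the message. The `max_password_attempts` description also never says what the proto3 default means: a caller cannot tell from the schema whether omitting the field (0) disables lockout or is rejected, so the field comment should state it, e.g. `// failed attempts until a user gets locked; 0 presumably means no lockout — confirm against the command side`. Note too that this request uses `uint32` while `LockoutPolicy.max_password_attempts` in the policy hunk of this commit is `uint64`; the width mismatch is pre-existing but worth aligning while the field is being renamed.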
||||
|
@@ -1971,10 +1971,9 @@ service ManagementService {
|
||||
};
|
||||
}
|
||||
|
||||
// The password lockout policy is not used at the moment
|
||||
rpc GetPasswordLockoutPolicy(GetPasswordLockoutPolicyRequest) returns (GetPasswordLockoutPolicyResponse) {
|
||||
rpc GetLockoutPolicy(GetLockoutPolicyRequest) returns (GetLockoutPolicyResponse) {
|
||||
option (google.api.http) = {
|
||||
get: "/policies/password/lockout"
|
||||
get: "/policies/lockout"
|
||||
};
|
||||
|
||||
option (zitadel.v1.auth_option) = {
|
||||
@@ -1982,10 +1981,9 @@ service ManagementService {
|
||||
};
|
||||
}
|
||||
|
||||
// The password lockout policy is not used at the moment
|
||||
rpc GetDefaultPasswordLockoutPolicy(GetDefaultPasswordLockoutPolicyRequest) returns (GetDefaultPasswordLockoutPolicyResponse) {
|
||||
rpc GetDefaultLockoutPolicy(GetDefaultLockoutPolicyRequest) returns (GetDefaultLockoutPolicyResponse) {
|
||||
option (google.api.http) = {
|
||||
get: "/policies/default/password/lockout"
|
||||
get: "/policies/default/lockout"
|
||||
};
|
||||
|
||||
option (zitadel.v1.auth_option) = {
|
||||
@@ -1993,10 +1991,9 @@ service ManagementService {
|
||||
};
|
||||
}
|
||||
|
||||
// The password lockout policy is not used at the moment
|
||||
rpc AddCustomPasswordLockoutPolicy(AddCustomPasswordLockoutPolicyRequest) returns (AddCustomPasswordLockoutPolicyResponse) {
|
||||
rpc AddCustomLockoutPolicy(AddCustomLockoutPolicyRequest) returns (AddCustomLockoutPolicyResponse) {
|
||||
option (google.api.http) = {
|
||||
post: "/policies/password/lockout"
|
||||
post: "/policies/lockout"
|
||||
body: "*"
|
||||
};
|
||||
|
||||
@@ -2005,10 +2002,9 @@ service ManagementService {
|
||||
};
|
||||
}
|
||||
|
||||
// The password lockout policy is not used at the moment
|
||||
rpc UpdateCustomPasswordLockoutPolicy(UpdateCustomPasswordLockoutPolicyRequest) returns (UpdateCustomPasswordLockoutPolicyResponse) {
|
||||
rpc UpdateCustomLockoutPolicy(UpdateCustomLockoutPolicyRequest) returns (UpdateCustomLockoutPolicyResponse) {
|
||||
option (google.api.http) = {
|
||||
put: "/policies/password/lockout"
|
||||
put: "/policies/lockout"
|
||||
body: "*"
|
||||
};
|
||||
|
||||
@@ -2017,10 +2013,9 @@ service ManagementService {
|
||||
};
|
||||
}
|
||||
|
||||
// The password lockout policy is not used at the moment
|
||||
rpc ResetPasswordLockoutPolicyToDefault(ResetPasswordLockoutPolicyToDefaultRequest) returns (ResetPasswordLockoutPolicyToDefaultResponse) {
|
||||
rpc ResetLockoutPolicyToDefault(ResetLockoutPolicyToDefaultRequest) returns (ResetLockoutPolicyToDefaultResponse) {
|
||||
option (google.api.http) = {
|
||||
delete: "/policies/password/lockout"
|
||||
delete: "/policies/lockout"
|
||||
};
|
||||
|
||||
option (zitadel.v1.auth_option) = {
|
||||
@@ -4275,42 +4270,40 @@ message ResetPasswordAgePolicyToDefaultResponse {
|
||||
}
|
||||
|
||||
//This is an empty request
|
||||
message GetPasswordLockoutPolicyRequest {}
|
||||
message GetLockoutPolicyRequest {}
|
||||
|
||||
message GetPasswordLockoutPolicyResponse {
|
||||
zitadel.policy.v1.PasswordLockoutPolicy policy = 1;
|
||||
message GetLockoutPolicyResponse {
|
||||
zitadel.policy.v1.LockoutPolicy policy = 1;
|
||||
bool is_default = 2;
|
||||
}
|
||||
|
||||
//This is an empty request
|
||||
message GetDefaultPasswordLockoutPolicyRequest {}
|
||||
message GetDefaultLockoutPolicyRequest {}
|
||||
|
||||
message GetDefaultPasswordLockoutPolicyResponse {
|
||||
zitadel.policy.v1.PasswordLockoutPolicy policy = 1;
|
||||
message GetDefaultLockoutPolicyResponse {
|
||||
zitadel.policy.v1.LockoutPolicy policy = 1;
|
||||
}
|
||||
|
||||
message AddCustomPasswordLockoutPolicyRequest {
|
||||
uint32 max_attempts = 1;
|
||||
bool show_lockout_failure = 2;
|
||||
message AddCustomLockoutPolicyRequest {
|
||||
uint32 max_password_attempts = 1;
|
||||
}
|
||||
|
||||
message AddCustomPasswordLockoutPolicyResponse {
|
||||
message AddCustomLockoutPolicyResponse {
|
||||
zitadel.v1.ObjectDetails details = 1;
|
||||
}
|
||||
|
||||
message UpdateCustomPasswordLockoutPolicyRequest {
|
||||
uint32 max_attempts = 1;
|
||||
bool show_lockout_failure = 2;
|
||||
message UpdateCustomLockoutPolicyRequest {
|
||||
uint32 max_password_attempts = 1;
|
||||
}
|
||||
|
||||
message UpdateCustomPasswordLockoutPolicyResponse {
|
||||
message UpdateCustomLockoutPolicyResponse {
|
||||
zitadel.v1.ObjectDetails details = 1;
|
||||
}
|
||||
|
||||
//This is an empty request
|
||||
message ResetPasswordLockoutPolicyToDefaultRequest {}
|
||||
message ResetLockoutPolicyToDefaultRequest {}
|
||||
|
||||
message ResetPasswordLockoutPolicyToDefaultResponse {
|
||||
message ResetLockoutPolicyToDefaultResponse {
|
||||
zitadel.v1.ObjectDetails details = 1;
|
||||
}
|
||||
|
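Review bot: `AddCustomLockoutPolicyRequest` and `UpdateCustomLockoutPolicyRequest` both drop `show_lockout_failure = 2` without reserving it; add `reserved 2; reserved "show_lockout_failure";` to each so the number and JSON name cannot be reassigned with a different meaning later. The `max_password_attempts` fields here also carry no openapiv2 description, unlike the AdminService request in this same commit, so the generated REST docs will not say what the value means or what 0 does; copying that description (plus a sentence on the zero value) would close the gap. `is_default` on `GetLockoutPolicyResponse` is likewise undocumented; a comment such as `// true when the organisation has no custom policy and the default applies — confirm` would help, hedged until verified against the query side.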
||||
|
@@ -202,19 +202,14 @@ message PasswordAgePolicy {
|
||||
];
|
||||
}
|
||||
|
||||
message PasswordLockoutPolicy {
|
||||
message LockoutPolicy {
|
||||
zitadel.v1.ObjectDetails details = 1;
|
||||
uint64 max_attempts = 2 [
|
||||
uint64 max_password_attempts = 2 [
|
||||
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
||||
description: "Maximum attempts before the account gets locked. Attempts are reset as soon as the password is entered correct or the password is reset."
|
||||
description: "Maximum password check attempts before the account gets locked. Attempts are reset as soon as the password is entered correct or the password is reset."
|
||||
example: "\"10\""
|
||||
}
|
||||
];
|
||||
bool show_lockout_failure = 3 [
|
||||
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
||||
description: "Enables if the failure should be shown to de user, sometimes for security issues the user should not get to much information"
|
||||
}
|
||||
];
|
||||
bool is_default = 4 [
|
||||
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
||||
description: "defines if the organisation's admin changed the policy"
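Review bot: `LockoutPolicy` removes field 3 (`show_lockout_failure`) but leaves no `reserved 3; reserved "show_lockout_failure";`, so nothing prevents a later field from reusing the number with a different meaning; add it right after `details`. Removing the option also appears to make the lockout failure unconditionally visible (the commit message lists "render error"), which the deleted description explicitly framed as an information-disclosure trade-off: a fixed "account locked" response confirms that an account exists and reveals the attempt threshold to whoever is probing it. If that is intended, it is worth saying so in the `max_password_attempts` description so operators understand the trade-off when choosing a low threshold. The message body continues outside the hunk.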
|
||||
|