TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-01-06 10:17:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: login (#242)

Browse Source 
* password in init user only if needed

* reactivate user session

* set context AuthorizeClientIDSecret

* fix qr code for light

* fix copy

* check user and org active in auth

* add org view provider

* handle inactive projects

* translate error messages
This commit is contained in:
Livio Amstutz 2020-06-19 14:52:04 +02:00 committed by GitHub
parent fb89241984
commit e653eaab86
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
26 changed files with 327 additions and 83 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/zitadel/system-defaults.yaml
View File

@ -116,7 +116,7 @@ SystemDefaults:
Notifications:
DebugMode: $DEBUG_MODE
Endpoints:
InitCode: '$ZITADEL_ACCOUNTS/user/init?userID={{.UserID}}&code={{.Code}}'
InitCode: '$ZITADEL_ACCOUNTS/user/init?userID={{.UserID}}&code={{.Code}}&passwordset={{.PasswordSet}}'
PasswordReset: '$ZITADEL_ACCOUNTS/password/init?userID={{.UserID}}&code={{.Code}}'
VerifyEmail: '$ZITADEL_ACCOUNTS/mail/verification?userID={{.UserID}}&code={{.Code}}'
Providers:

66
internal/auth/repository/eventsourcing/eventstore/auth_request.go
View File

@ -12,10 +12,12 @@ import (
"github.com/caos/zitadel/internal/errors"
es_models "github.com/caos/zitadel/internal/eventstore/models"
"github.com/caos/zitadel/internal/id"
org_model "github.com/caos/zitadel/internal/org/model"
org_view_model "github.com/caos/zitadel/internal/org/repository/view/model"
user_model "github.com/caos/zitadel/internal/user/model"
user_event "github.com/caos/zitadel/internal/user/repository/eventsourcing"
es_model "github.com/caos/zitadel/internal/user/repository/eventsourcing/model"
view_model "github.com/caos/zitadel/internal/user/repository/view/model"
user_view_model "github.com/caos/zitadel/internal/user/repository/view/model"
)
type AuthRequestRepo struct {
@ -26,6 +28,7 @@ type AuthRequestRepo struct {
UserSessionViewProvider userSessionViewProvider
UserViewProvider userViewProvider
UserEventProvider userEventProvider
OrgViewProvider orgViewProvider
IdGenerator id.Generator
@ -36,17 +39,21 @@ type AuthRequestRepo struct {
}
type userSessionViewProvider interface {
UserSessionByIDs(string, string) (*view_model.UserSessionView, error)
UserSessionsByAgentID(string) ([]*view_model.UserSessionView, error)
UserSessionByIDs(string, string) (*user_view_model.UserSessionView, error)
UserSessionsByAgentID(string) ([]*user_view_model.UserSessionView, error)
}
type userViewProvider interface {
UserByID(string) (*view_model.UserView, error)
UserByID(string) (*user_view_model.UserView, error)
}
type userEventProvider interface {
UserEventsByID(ctx context.Context, id string, sequence uint64) ([]*es_models.Event, error)
}
type orgViewProvider interface {
OrgByID(string) (*org_view_model.OrgView, error)
}
func (repo *AuthRequestRepo) Health(ctx context.Context) error {
if err := repo.UserEvents.Health(ctx); err != nil {
return err
@ -124,7 +131,7 @@ func (repo *AuthRequestRepo) SelectUser(ctx context.Context, id, userID string)
if err != nil {
return err
}
user, err := repo.View.UserByID(userID)
user, err := activeUserByID(ctx, repo.UserViewProvider, repo.UserEventProvider, repo.OrgViewProvider, userID)
if err != nil {
return err
}
@ -169,7 +176,7 @@ func (repo *AuthRequestRepo) getAuthRequest(ctx context.Context, id string, chec
func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *model.AuthRequest, checkLoggedIn bool) ([]model.NextStep, error) {
if request == nil {
return nil, errors.ThrowInvalidArgument(nil, "EVENT-ds27a", "request must not be nil")
return nil, errors.ThrowInvalidArgument(nil, "EVENT-ds27a", "Errors.Internal")
}
steps := make([]model.NextStep, 0)
if !checkLoggedIn && request.Prompt == model.PromptNone {
@ -186,7 +193,7 @@ func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *model.AuthR
}
return steps, nil
}
user, err := userByID(ctx, repo.UserViewProvider, repo.UserEventProvider, request.UserID)
user, err := activeUserByID(ctx, repo.UserViewProvider, repo.UserEventProvider, repo.OrgViewProvider, request.UserID)
if err != nil {
return nil, err
}
@ -296,7 +303,7 @@ func userSessionsByUserAgentID(provider userSessionViewProvider, agentID string)
if err != nil {
return nil, err
}
return view_model.UserSessionsToModel(session), nil
return user_view_model.UserSessionsToModel(session), nil
}
func userSessionByIDs(ctx context.Context, provider userSessionViewProvider, eventProvider userEventProvider, agentID string, user *user_model.UserView) (*user_model.UserSessionView, error) {
@ -305,12 +312,12 @@ func userSessionByIDs(ctx context.Context, provider userSessionViewProvider, eve
if !errors.IsNotFound(err) {
return nil, err
}
session = &view_model.UserSessionView{}
session = &user_view_model.UserSessionView{}
}
events, err := eventProvider.UserEventsByID(ctx, user.ID, session.Sequence)
if err != nil {
logging.Log("EVENT-Hse6s").WithError(err).Debug("error retrieving new events")
return view_model.UserSessionToModel(session), nil
return user_view_model.UserSessionToModel(session), nil
}
sessionCopy := *session
for _, event := range events {
@ -319,19 +326,44 @@ func userSessionByIDs(ctx context.Context, provider userSessionViewProvider, eve
es_model.UserPasswordCheckFailed,
es_model.MfaOtpCheckSucceeded,
es_model.MfaOtpCheckFailed,
es_model.SignedOut:
eventData, err := view_model.UserSessionFromEvent(event)
es_model.SignedOut,
es_model.UserLocked,
es_model.UserDeactivated:
eventData, err := user_view_model.UserSessionFromEvent(event)
if err != nil {
logging.Log("EVENT-sdgT3").WithError(err).Debug("error getting event data")
return view_model.UserSessionToModel(session), nil
return user_view_model.UserSessionToModel(session), nil
}
if eventData.UserAgentID != agentID {
continue
}
case es_model.UserRemoved:
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-dG2fe", "Errors.User.NotActive")
}
sessionCopy.AppendEvent(event)
}
return view_model.UserSessionToModel(&sessionCopy), nil
return user_view_model.UserSessionToModel(&sessionCopy), nil
}
func activeUserByID(ctx context.Context, userViewProvider userViewProvider, userEventProvider userEventProvider, orgViewProvider orgViewProvider, userID string) (*user_model.UserView, error) {
user, err := userByID(ctx, userViewProvider, userEventProvider, userID)
if err != nil {
return nil, err
}
if user.State == user_model.USERSTATE_LOCKED || user.State == user_model.USERSTATE_SUSPEND {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-FJ262", "Errors.User.Locked")
}
if !(user.State == user_model.USERSTATE_ACTIVE || user.State == user_model.USERSTATE_INITIAL) {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-FJ262", "Errors.User.NotActive")
}
org, err := orgViewProvider.OrgByID(user.ResourceOwner)
if err != nil {
return nil, err
}
if org.State != int32(org_model.ORGSTATE_ACTIVE) {
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Zws3s", "Errors.User.NotActive")
}
return user, nil
}
func userByID(ctx context.Context, viewProvider userViewProvider, eventProvider userEventProvider, userID string) (*user_model.UserView, error) {
@ -342,13 +374,13 @@ func userByID(ctx context.Context, viewProvider userViewProvider, eventProvider
events, err := eventProvider.UserEventsByID(ctx, userID, user.Sequence)
if err != nil {
logging.Log("EVENT-dfg42").WithError(err).Debug("error retrieving new events")
return view_model.UserToModel(user), nil
return user_view_model.UserToModel(user), nil
}
userCopy := *user
for _, event := range events {
if err := userCopy.AppendEvent(event); err != nil {
return view_model.UserToModel(user), nil
return user_view_model.UserToModel(user), nil
}
}
return view_model.UserToModel(&userCopy), nil
return user_view_model.UserToModel(&userCopy), nil
}

120
internal/auth/repository/eventsourcing/eventstore/auth_request_test.go
View File

@ -13,29 +13,31 @@ import (
"github.com/caos/zitadel/internal/auth_request/repository/cache"
"github.com/caos/zitadel/internal/errors"
es_models "github.com/caos/zitadel/internal/eventstore/models"
org_model "github.com/caos/zitadel/internal/org/model"
org_view_model "github.com/caos/zitadel/internal/org/repository/view/model"
user_model "github.com/caos/zitadel/internal/user/model"
user_event "github.com/caos/zitadel/internal/user/repository/eventsourcing"
user_es_model "github.com/caos/zitadel/internal/user/repository/eventsourcing/model"
view_model "github.com/caos/zitadel/internal/user/repository/view/model"
user_view_model "github.com/caos/zitadel/internal/user/repository/view/model"
)
type mockViewNoUserSession struct{}
func (m *mockViewNoUserSession) UserSessionByIDs(string, string) (*view_model.UserSessionView, error) {
func (m *mockViewNoUserSession) UserSessionByIDs(string, string) (*user_view_model.UserSessionView, error) {
return nil, errors.ThrowNotFound(nil, "id", "user session not found")
}
func (m *mockViewNoUserSession) UserSessionsByAgentID(string) ([]*view_model.UserSessionView, error) {
func (m *mockViewNoUserSession) UserSessionsByAgentID(string) ([]*user_view_model.UserSessionView, error) {
return nil, errors.ThrowInternal(nil, "id", "internal error")
}
type mockViewErrUserSession struct{}
func (m *mockViewErrUserSession) UserSessionByIDs(string, string) (*view_model.UserSessionView, error) {
func (m *mockViewErrUserSession) UserSessionByIDs(string, string) (*user_view_model.UserSessionView, error) {
return nil, errors.ThrowInternal(nil, "id", "internal error")
}
func (m *mockViewErrUserSession) UserSessionsByAgentID(string) ([]*view_model.UserSessionView, error) {
func (m *mockViewErrUserSession) UserSessionsByAgentID(string) ([]*user_view_model.UserSessionView, error) {
return nil, errors.ThrowInternal(nil, "id", "internal error")
}
@ -50,17 +52,17 @@ type mockUser struct {
LoginName string
}
func (m *mockViewUserSession) UserSessionByIDs(string, string) (*view_model.UserSessionView, error) {
return &view_model.UserSessionView{
func (m *mockViewUserSession) UserSessionByIDs(string, string) (*user_view_model.UserSessionView, error) {
return &user_view_model.UserSessionView{
PasswordVerification: m.PasswordVerification,
MfaSoftwareVerification: m.MfaSoftwareVerification,
}, nil
}
func (m *mockViewUserSession) UserSessionsByAgentID(string) ([]*view_model.UserSessionView, error) {
sessions := make([]*view_model.UserSessionView, len(m.Users))
func (m *mockViewUserSession) UserSessionsByAgentID(string) ([]*user_view_model.UserSessionView, error) {
sessions := make([]*user_view_model.UserSessionView, len(m.Users))
for i, user := range m.Users {
sessions[i] = &view_model.UserSessionView{
sessions[i] = &user_view_model.UserSessionView{
UserID: user.UserID,
LoginName: user.LoginName,
}
@ -70,7 +72,7 @@ func (m *mockViewUserSession) UserSessionsByAgentID(string) ([]*view_model.UserS
type mockViewNoUser struct{}
func (m *mockViewNoUser) UserByID(string) (*view_model.UserView, error) {
func (m *mockViewNoUser) UserByID(string) (*user_view_model.UserView, error) {
return nil, errors.ThrowNotFound(nil, "id", "user not found")
}
@ -102,8 +104,8 @@ type mockViewUser struct {
MfaInitSkipped time.Time
}
func (m *mockViewUser) UserByID(string) (*view_model.UserView, error) {
return &view_model.UserView{
func (m *mockViewUser) UserByID(string) (*user_view_model.UserView, error) {
return &user_view_model.UserView{
InitRequired: m.InitRequired,
PasswordSet: m.PasswordSet,
PasswordChangeRequired: m.PasswordChangeRequired,
@ -111,9 +113,26 @@ func (m *mockViewUser) UserByID(string) (*view_model.UserView, error) {
OTPState: m.OTPState,
MfaMaxSetUp: m.MfaMaxSetUp,
MfaInitSkipped: m.MfaInitSkipped,
State: int32(user_model.USERSTATE_ACTIVE),
}, nil
}
type mockViewOrg struct {
State org_model.OrgState
}
func (m *mockViewOrg) OrgByID(string) (*org_view_model.OrgView, error) {
return &org_view_model.OrgView{
State: int32(m.State),
}, nil
}
type mockViewErrOrg struct{}
func (m *mockViewErrOrg) OrgByID(string) (*org_view_model.OrgView, error) {
return nil, errors.ThrowInternal(nil, "id", "internal error")
}
func TestAuthRequestRepo_nextSteps(t *testing.T) {
type fields struct {
UserEvents *user_event.UserEventstore
@ -122,6 +141,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
userSessionViewProvider userSessionViewProvider
userViewProvider userViewProvider
userEventProvider userEventProvider
orgViewProvider orgViewProvider
PasswordCheckLifeTime time.Duration
MfaInitSkippedLifeTime time.Duration
MfaSoftwareCheckLifeTime time.Duration
@ -203,7 +223,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
nil,
},
{
"user not not found, not found error",
"user not found, not found error",
fields{
userViewProvider: &mockViewNoUser{},
userEventProvider: &mockEventUser{},
@ -212,6 +232,44 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
nil,
errors.IsNotFound,
},
{
"user not active, precondition failed error",
fields{
userViewProvider: &mockViewUser{},
userEventProvider: &mockEventUser{
&es_models.Event{
AggregateType: user_es_model.UserAggregate,
Type: user_es_model.UserDeactivated,
},
},
orgViewProvider: &mockViewOrg{State: org_model.ORGSTATE_ACTIVE},
},
args{&model.AuthRequest{UserID: "UserID"}, false},
nil,
errors.IsPreconditionFailed,
},
{
"org error, internal error",
fields{
userViewProvider: &mockViewUser{},
userEventProvider: &mockEventUser{},
orgViewProvider: &mockViewErrOrg{},
},
args{&model.AuthRequest{UserID: "UserID"}, false},
nil,
errors.IsInternal,
},
{
"org not active, precondition failed error",
fields{
userViewProvider: &mockViewUser{},
userEventProvider: &mockEventUser{},
orgViewProvider: &mockViewOrg{State: org_model.ORGSTATE_INACTIVE},
},
args{&model.AuthRequest{UserID: "UserID"}, false},
nil,
errors.IsPreconditionFailed,
},
{
"usersession not found, new user session, password step",
fields{
@ -220,6 +278,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
PasswordSet: true,
},
userEventProvider: &mockEventUser{},
orgViewProvider: &mockViewOrg{State: org_model.ORGSTATE_ACTIVE},
},
args{&model.AuthRequest{UserID: "UserID"}, false},
[]model.NextStep{&model.PasswordStep{}},
@ -231,6 +290,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
userSessionViewProvider: &mockViewErrUserSession{},
userViewProvider: &mockViewUser{},
userEventProvider: &mockEventUser{},
orgViewProvider: &mockViewOrg{State: org_model.ORGSTATE_ACTIVE},
},
args{&model.AuthRequest{UserID: "UserID"}, false},
nil,
@ -245,6 +305,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
PasswordSet: true,
},
userEventProvider: &mockEventUser{},
orgViewProvider: &mockViewOrg{State: org_model.ORGSTATE_ACTIVE},
},
args{&model.AuthRequest{UserID: "UserID"}, false},
[]model.NextStep{&model.InitUserStep{
@ -258,6 +319,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
userSessionViewProvider: &mockViewUserSession{},
userViewProvider: &mockViewUser{},
userEventProvider: &mockEventUser{},
orgViewProvider: &mockViewOrg{State: org_model.ORGSTATE_ACTIVE},
},
args{&model.AuthRequest{UserID: "UserID"}, false},
[]model.NextStep{&model.InitPasswordStep{}},
@ -271,6 +333,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
PasswordSet: true,
},
userEventProvider: &mockEventUser{},
orgViewProvider: &mockViewOrg{State: org_model.ORGSTATE_ACTIVE},
PasswordCheckLifeTime: 10 * 24 * time.Hour,
},
args{&model.AuthRequest{UserID: "UserID"}, false},
@ -289,6 +352,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
MfaMaxSetUp: int32(model.MfaLevelSoftware),
},
userEventProvider: &mockEventUser{},
orgViewProvider: &mockViewOrg{State: org_model.ORGSTATE_ACTIVE},
PasswordCheckLifeTime: 10 * 24 * time.Hour,
MfaSoftwareCheckLifeTime: 18 * time.Hour,
},
@ -312,6 +376,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
MfaMaxSetUp: int32(model.MfaLevelSoftware),
},
userEventProvider: &mockEventUser{},
orgViewProvider: &mockViewOrg{State: org_model.ORGSTATE_ACTIVE},
PasswordCheckLifeTime: 10 * 24 * time.Hour,
MfaSoftwareCheckLifeTime: 18 * time.Hour,
},
@ -331,6 +396,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
MfaMaxSetUp: int32(model.MfaLevelSoftware),
},
userEventProvider: &mockEventUser{},
orgViewProvider: &mockViewOrg{State: org_model.ORGSTATE_ACTIVE},
PasswordCheckLifeTime: 10 * 24 * time.Hour,
MfaSoftwareCheckLifeTime: 18 * time.Hour,
},
@ -351,6 +417,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
MfaMaxSetUp: int32(model.MfaLevelSoftware),
},
userEventProvider: &mockEventUser{},
orgViewProvider: &mockViewOrg{State: org_model.ORGSTATE_ACTIVE},
PasswordCheckLifeTime: 10 * 24 * time.Hour,
MfaSoftwareCheckLifeTime: 18 * time.Hour,
},
@ -371,6 +438,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
MfaMaxSetUp: int32(model.MfaLevelSoftware),
},
userEventProvider: &mockEventUser{},
orgViewProvider: &mockViewOrg{State: org_model.ORGSTATE_ACTIVE},
PasswordCheckLifeTime: 10 * 24 * time.Hour,
MfaSoftwareCheckLifeTime: 18 * time.Hour,
},
@ -391,6 +459,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
MfaMaxSetUp: int32(model.MfaLevelSoftware),
},
userEventProvider: &mockEventUser{},
orgViewProvider: &mockViewOrg{State: org_model.ORGSTATE_ACTIVE},
PasswordCheckLifeTime: 10 * 24 * time.Hour,
MfaSoftwareCheckLifeTime: 18 * time.Hour,
},
@ -408,6 +477,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
UserSessionViewProvider: tt.fields.userSessionViewProvider,
UserViewProvider: tt.fields.userViewProvider,
UserEventProvider: tt.fields.userEventProvider,
OrgViewProvider: tt.fields.orgViewProvider,
PasswordCheckLifeTime: tt.fields.PasswordCheckLifeTime,
MfaInitSkippedLifeTime: tt.fields.MfaInitSkippedLifeTime,
MfaSoftwareCheckLifeTime: tt.fields.MfaSoftwareCheckLifeTime,
@ -718,6 +788,24 @@ func Test_userSessionByIDs(t *testing.T) {
},
nil,
},
{
"new user events (user deleted), precondition failed error",
args{
userProvider: &mockViewUserSession{
PasswordVerification: time.Now().UTC().Round(1 * time.Second),
},
agentID: "agentID",
user: &user_model.UserView{ID: "id"},
eventProvider: &mockEventUser{
&es_models.Event{
AggregateType: user_es_model.UserAggregate,
Type: user_es_model.UserRemoved,
},
},
},
nil,
errors.IsPreconditionFailed,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
@ -763,6 +851,7 @@ func Test_userByID(t *testing.T) {
},
&user_model.UserView{
PasswordChangeRequired: true,
State: user_model.USERSTATE_ACTIVE,
},
nil,
},
@ -783,6 +872,7 @@ func Test_userByID(t *testing.T) {
},
&user_model.UserView{
PasswordChangeRequired: true,
State: user_model.USERSTATE_ACTIVE,
},
nil,
},
@ -807,7 +897,7 @@ func Test_userByID(t *testing.T) {
&user_model.UserView{
PasswordChangeRequired: false,
ChangeDate: time.Now().UTC().Round(1 * time.Second),
State: user_model.USERSTATE_INITIAL,
State: user_model.USERSTATE_ACTIVE,
PasswordChanged: time.Now().UTC().Round(1 * time.Second),
},
nil,

2
internal/auth/repository/eventsourcing/handler/handler.go
View File

@ -38,7 +38,7 @@ func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, ev
return []spooler.Handler{
&User{handler: handler{view, bulkLimit, configs.cycleDuration("User"), errorCount}, orgEvents: repos.OrgEvents},
&UserSession{handler: handler{view, bulkLimit, configs.cycleDuration("UserSession"), errorCount}, userEvents: repos.UserEvents},
&Token{handler: handler{view, bulkLimit, configs.cycleDuration("Token"), errorCount}},
&Token{handler: handler{view, bulkLimit, configs.cycleDuration("Token"), errorCount}, ProjectEvents: repos.ProjectEvents},
&Key{handler: handler{view, bulkLimit, configs.cycleDuration("Key"), errorCount}},
&Application{handler: handler{view, bulkLimit, configs.cycleDuration("Application"), errorCount}},
&Org{handler: handler{view, bulkLimit, configs.cycleDuration("Org"), errorCount}},

51
internal/auth/repository/eventsourcing/handler/token.go
View File

@ -1,21 +1,24 @@
package handler
import (
"context"
"encoding/json"
"time"
caos_errs "github.com/caos/zitadel/internal/errors"
es_model "github.com/caos/zitadel/internal/user/repository/eventsourcing/model"
"github.com/caos/logging"
caos_errs "github.com/caos/zitadel/internal/errors"
"github.com/caos/zitadel/internal/eventstore/models"
es_models "github.com/caos/zitadel/internal/eventstore/models"
"github.com/caos/zitadel/internal/eventstore/spooler"
"github.com/caos/zitadel/internal/user/repository/eventsourcing"
proj_event "github.com/caos/zitadel/internal/project/repository/eventsourcing"
project_es_model "github.com/caos/zitadel/internal/project/repository/eventsourcing/model"
user_es_model "github.com/caos/zitadel/internal/user/repository/eventsourcing/model"
)
type Token struct {
handler
ProjectEvents *proj_event.ProjectEventstore
}
const (
@ -33,21 +36,44 @@ func (u *Token) EventQuery() (*models.SearchQuery, error) {
if err != nil {
return nil, err
}
return eventsourcing.UserQuery(sequence), nil
if err != nil {
return nil, err
}
return es_models.NewSearchQuery().
AggregateTypeFilter(user_es_model.UserAggregate, project_es_model.ProjectAggregate).
LatestSequenceFilter(sequence), nil
}
func (u *Token) Process(event *models.Event) (err error) {
switch event.Type {
case es_model.SignedOut:
case user_es_model.SignedOut:
id, err := agentIDFromSession(event)
if err != nil {
return err
}
err = u.view.DeleteSessionTokens(id, event.AggregateID, event.Sequence)
return u.view.DeleteSessionTokens(id, event.AggregateID, event.Sequence)
case user_es_model.UserLocked,
user_es_model.UserDeactivated,
user_es_model.UserRemoved:
return u.view.DeleteUserTokens(event.AggregateID, event.Sequence)
case project_es_model.ApplicationDeactivated,
project_es_model.ApplicationRemoved:
application, err := applicationFromSession(event)
if err != nil {
return err
}
return u.view.ProcessedTokenSequence(event.Sequence)
return u.view.DeleteApplicationTokens(event.Sequence, application.AppID)
case project_es_model.ProjectDeactivated,
project_es_model.ProjectRemoved:
project, err := u.ProjectEvents.ProjectByID(context.Background(), event.AggregateID)
if err != nil {
return err
}
applicationsIDs := make([]string, 0, len(project.Applications))
for _, app := range project.Applications {
applicationsIDs = append(applicationsIDs, app.AppID)
}
return u.view.DeleteApplicationTokens(event.Sequence, applicationsIDs...)
default:
return u.view.ProcessedTokenSequence(event.Sequence)
}
@ -67,3 +93,12 @@ func agentIDFromSession(event *models.Event) (string, error) {
}
return session["userAgentID"].(string), nil
}
func applicationFromSession(event *models.Event) (*project_es_model.Application, error) {
application := new(project_es_model.Application)
if err := json.Unmarshal(event.Data, &application); err != nil {
logging.Log("EVEN-GRE2q").WithError(err).Error("could not unmarshal event data")
return nil, caos_errs.ThrowInternal(nil, "MODEL-Hrw1q", "could not unmarshal data")
}
return application, nil
}

7
internal/auth/repository/eventsourcing/handler/user_session.go
View File

@ -67,7 +67,9 @@ func (u *UserSession) Process(event *models.Event) (err error) {
return u.updateSession(session, event)
case es_model.UserPasswordChanged,
es_model.MfaOtpRemoved,
es_model.UserProfileChanged:
es_model.UserProfileChanged,
es_model.UserLocked,
es_model.UserDeactivated:
sessions, err := u.view.UserSessionsByUserID(event.AggregateID)
if err != nil {
return err
@ -78,6 +80,8 @@ func (u *UserSession) Process(event *models.Event) (err error) {
}
}
return nil
case es_model.UserRemoved:
return u.view.DeleteUserSessions(event.AggregateID, event.Sequence)
default:
return u.view.ProcessedUserSessionSequence(event.Sequence)
}
@ -89,7 +93,6 @@ func (u *UserSession) OnError(event *models.Event, err error) error {
}
func (u *UserSession) updateSession(session *view_model.UserSessionView, event *models.Event) error {
session.Sequence = event.Sequence
session.AppendEvent(event)
if err := u.fillUserInfo(session, event.AggregateID); err != nil {
return err

1
internal/auth/repository/eventsourcing/repository.go
View File

@ -138,6 +138,7 @@ func Start(conf Config, authZ auth.Config, systemDefaults sd.SystemDefaults, aut
UserSessionViewProvider: view,
UserViewProvider: view,
UserEventProvider: user,
OrgViewProvider: view,
IdGenerator: idGenerator,
PasswordCheckLifeTime: systemDefaults.VerificationLifetimes.PasswordCheck.Duration,
MfaInitSkippedLifeTime: systemDefaults.VerificationLifetimes.MfaInitSkip.Duration,

18
internal/auth/repository/eventsourcing/view/token.go
View File

@ -59,7 +59,23 @@ func (v *View) DeleteToken(tokenID string, eventSequence uint64) error {
}
func (v *View) DeleteSessionTokens(agentID, userID string, eventSequence uint64) error {
err := view.DeleteTokens(v.Db, tokenTable, agentID, userID)
err := view.DeleteSessionTokens(v.Db, tokenTable, agentID, userID)
if err != nil {
return nil
}
return v.ProcessedTokenSequence(eventSequence)
}
func (v *View) DeleteUserTokens(userID string, eventSequence uint64) error {
err := view.DeleteUserTokens(v.Db, tokenTable, userID)
if err != nil {
return nil
}
return v.ProcessedTokenSequence(eventSequence)
}
func (v *View) DeleteApplicationTokens(eventSequence uint64, ids ...string) error {
err := view.DeleteApplicationTokens(v.Db, tokenTable, ids)
if err != nil {
return nil
}

4
internal/auth/repository/eventsourcing/view/user_session.go
View File

@ -30,8 +30,8 @@ func (v *View) PutUserSession(userSession *model.UserSessionView) error {
return v.ProcessedUserSessionSequence(userSession.Sequence)
}
func (v *View) DeleteUserSession(sessionID string, eventSequence uint64) error {
err := view.DeleteUserSession(v.Db, userSessionTable, sessionID)
func (v *View) DeleteUserSessions(userID string, eventSequence uint64) error {
err := view.DeleteUserSessions(v.Db, userSessionTable, userID)
if err != nil {
return nil
}

2
internal/authz/repository/eventsourcing/view/token.go
View File

@ -35,7 +35,7 @@ func (v *View) DeleteToken(tokenID string, eventSequence uint64) error {
}
func (v *View) DeleteSessionTokens(agentID, userID string, eventSequence uint64) error {
err := view.DeleteTokens(v.Db, tokenTable, agentID, userID)
err := view.DeleteSessionTokens(v.Db, tokenTable, agentID, userID)
if err != nil {
return nil
}

34
internal/login/handler/init_user_handler.go
View File

@ -4,11 +4,13 @@ import (
"github.com/caos/zitadel/internal/auth_request/model"
caos_errs "github.com/caos/zitadel/internal/errors"
"net/http"
"strconv"
)
const (
queryInitUserCode = "code"
queryInitUserUserID = "userID"
queryInitUserCode = "code"
queryInitUserUserID = "userID"
queryInitUserPassword = "passwordset"
tmplInitUser = "inituser"
tmplInitUserDone = "inituserdone"
@ -19,19 +21,22 @@ type initUserFormData struct {
Password string `schema:"password"`
PasswordConfirm string `schema:"passwordconfirm"`
UserID string `schema:"userID"`
PasswordSet bool `schema:"passwordSet"`
Resend bool `schema:"resend"`
}
type initUserData struct {
baseData
Code string
UserID string
Code string
UserID string
PasswordSet bool
}
func (l *Login) handleInitUser(w http.ResponseWriter, r *http.Request) {
userID := r.FormValue(queryInitUserUserID)
code := r.FormValue(queryInitUserCode)
l.renderInitUser(w, r, nil, userID, code, nil)
passwordSet, _ := strconv.ParseBool(r.FormValue(queryInitUserPassword))
l.renderInitUser(w, r, nil, userID, code, passwordSet, nil)
}
func (l *Login) handleInitUserCheck(w http.ResponseWriter, r *http.Request) {
@ -43,7 +48,7 @@ func (l *Login) handleInitUserCheck(w http.ResponseWriter, r *http.Request) {
}
if data.Resend {
l.resendUserInit(w, r, authReq, data.UserID)
l.resendUserInit(w, r, authReq, data.UserID, data.PasswordSet)
return
}
l.checkUserInitCode(w, r, authReq, data, nil)
@ -52,7 +57,7 @@ func (l *Login) handleInitUserCheck(w http.ResponseWriter, r *http.Request) {
func (l *Login) checkUserInitCode(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *initUserFormData, err error) {
if data.Password != data.PasswordConfirm {
err := caos_errs.ThrowInvalidArgument(nil, "VIEW-fsdfd", "Errors.User.Password.ConfirmationWrong")
l.renderInitUser(w, r, nil, data.UserID, data.Code, err)
l.renderInitUser(w, r, authReq, data.UserID, data.Code, data.PasswordSet, err)
return
}
userOrgID := login
@ -61,22 +66,22 @@ func (l *Login) checkUserInitCode(w http.ResponseWriter, r *http.Request, authRe
}
err = l.authRepo.VerifyInitCode(setContext(r.Context(), userOrgID), data.UserID, data.Code, data.Password)
if err != nil {
l.renderInitUser(w, r, nil, data.UserID, "", err)
l.renderInitUser(w, r, nil, data.UserID, "", data.PasswordSet, err)
return
}
l.renderInitUserDone(w, r, nil)
}
func (l *Login) resendUserInit(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, userID string) {
func (l *Login) resendUserInit(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, userID string, showPassword bool) {
userOrgID := login
if authReq != nil {
userOrgID = authReq.UserOrgID
}
err := l.authRepo.ResendInitVerificationMail(setContext(r.Context(), userOrgID), userID)
l.renderInitUser(w, r, authReq, userID, "", err)
l.renderInitUser(w, r, authReq, userID, "", showPassword, err)
}
func (l *Login) renderInitUser(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, userID, code string, err error) {
func (l *Login) renderInitUser(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, userID, code string, passwordSet bool, err error) {
var errType, errMessage string
if err != nil {
errMessage = l.getErrorMessage(r, err)
@ -85,9 +90,10 @@ func (l *Login) renderInitUser(w http.ResponseWriter, r *http.Request, authReq *
userID = authReq.UserID
}
data := initUserData{
baseData: l.getBaseData(r, nil, "Init User", errType, errMessage),
UserID: userID,
Code: code,
baseData: l.getBaseData(r, nil, "Init User", errType, errMessage),
UserID: userID,
Code: code,
PasswordSet: passwordSet,
}
l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplInitUser], data, nil)
}

2
internal/login/handler/renderer.go
View File

@ -168,7 +168,7 @@ func (l *Login) chooseNextStep(w http.ResponseWriter, r *http.Request, authReq *
case *model.MfaPromptStep:
l.renderMfaPrompt(w, r, authReq, step, err)
case *model.InitUserStep:
l.renderInitUser(w, r, authReq, "", "", nil)
l.renderInitUser(w, r, authReq, "", "", step.PasswordSet, nil)
default:
l.renderInternalError(w, r, authReq, caos_errs.ThrowInternal(nil, "APP-ds3QF", "step no possible"))
}

2
internal/login/static/i18n/de.yaml
View File

@ -153,5 +153,7 @@ Errors:
NotExisting: Multifaktor OTP (OneTimePassword) existiert nicht
InvalidCode: Code ist ungültig
NotReady: Multifaktor OTP (OneTimePassword) ist nicht bereit
Locked: Benutzer ist gesperrt
NotActive: Benutzer ist nicht aktiv
optional: (optional)

2
internal/login/static/i18n/en.yaml
View File

@ -154,6 +154,8 @@ Errors:
NotExisting: Multifactor OTP (OneTimePassword) doesn't exist
InvalidCode: Invalid code
NotReady: Multifactor OTP (OneTimePassword) isn't ready
Locked: User is locked
NotActive: User is not active
optional: (optional)

2
internal/login/static/resources/scripts/copy_to_clipboard.js
View File

@ -3,4 +3,4 @@ const copyToClipboard = str => {
}
let copyButton = document.getElementsByClassName("copy")[0];
copyButton.addEventListener("click", copyToClipboard(copyButton.getAttribute("data-copy").value));
copyButton.addEventListener("click", copyToClipboard(copyButton.getAttribute("data-copy")));

8
internal/login/static/resources/themes/scss/light.scss
View File

@ -68,12 +68,12 @@ html {
}
#qrcode {
svg rect[style*="fill:white"] {
fill: $backgroundColorLight !important;
svg rect.color {
fill: $fontColorLight;
}
svg rect[style*="fill:black"] {
fill: $fontColorLight !important;
svg rect.bg-color {
fill: $backgroundColorLight;
}
}

5
internal/login/static/templates/init_user.html
View File

@ -10,12 +10,14 @@
<input type="hidden" name="authRequestID" value="{{ .AuthReqID }}" />
<input type="hidden" name="userID" value="{{ .UserID }}" />
<input type="hidden" name="passwordSet" value="{{ .PasswordSet }}" />
<div class="fields">
<div class="field">
<label class="label" for="code">{{t "InitUser.Code"}}</label>
<input class="input" type="text" id="code" name="code" value="{{.Code}}" autocomplete="off" autofocus required>
</div>
{{ if not .PasswordSet }}
<div class="field">
<label class="label" for="password">{{t "InitUser.NewPassword"}}</label>
<input class="input" type="password" id="password" name="password" autocomplete="new-password" autofocus required>
@ -24,12 +26,13 @@
<label class="label" for="passwordconfirm">{{t "InitUser.NewPasswordConfirm"}}</label>
<input class="input" type="password" id="passwordconfirm" name="passwordconfirm" autocomplete="new-password" autofocus required>
</div>
{{ end }}
</div>
{{ template "error-message" .}}
<div class="actions">
<button type="submit" name="resend" value="false" class="primary right" >{{t "Actions.Next"}}</buttontype="submit">
<button type="submit" name="resend" value="false" class="primary right" >{{t "Actions.Next"}}</button>
<button type="submit" name="resend" value="true" class="secondary right" formnovalidate>{{t "Actions.Resend" }}</button>
</div>
</form>

7
internal/notification/types/init_code.go
View File

@ -16,8 +16,9 @@ type InitCodeEmailData struct {
}
type UrlData struct {
UserID string
Code string
UserID string
Code string
PasswordSet bool
}
func SendUserInitCode(dir http.FileSystem, i18n *i18n.Translator, user *view_model.NotifyUser, code *es_model.InitUserCode, systemDefaults systemdefaults.SystemDefaults, alg crypto.EncryptionAlgorithm) error {
@ -25,7 +26,7 @@ func SendUserInitCode(dir http.FileSystem, i18n *i18n.Translator, user *view_mod
if err != nil {
return err
}
url, err := templates.ParseTemplateText(systemDefaults.Notifications.Endpoints.InitCode, &UrlData{UserID: user.ID, Code: codeString})
url, err := templates.ParseTemplateText(systemDefaults.Notifications.Endpoints.InitCode, &UrlData{UserID: user.ID, Code: codeString, PasswordSet: user.PasswordSet})
if err != nil {
return err
}

13
internal/token/repository/view/token.go
View File

@ -4,6 +4,7 @@ import (
"time"
"github.com/jinzhu/gorm"
"github.com/lib/pq"
"github.com/caos/zitadel/internal/errors"
token_model "github.com/caos/zitadel/internal/token/model"
@ -39,10 +40,20 @@ func DeleteToken(db *gorm.DB, table, tokenID string) error {
return delete(db)
}
func DeleteTokens(db *gorm.DB, table, agentID, userID string) error {
func DeleteSessionTokens(db *gorm.DB, table, agentID, userID string) error {
delete := view.PrepareDeleteByKeys(table,
view.Key{Key: model.TokenSearchKey(token_model.TOKENSEARCHKEY_USER_AGENT_ID), Value: agentID},
view.Key{Key: model.TokenSearchKey(token_model.TOKENSEARCHKEY_USER_ID), Value: userID},
)
return delete(db)
}
func DeleteUserTokens(db *gorm.DB, table, userID string) error {
delete := view.PrepareDeleteByKey(table, model.TokenSearchKey(token_model.TOKENSEARCHKEY_USER_ID), userID)
return delete(db)
}
func DeleteApplicationTokens(db *gorm.DB, table string, appIDs []string) error {
delete := view.PrepareDeleteByKey(table, model.TokenSearchKey(token_model.TOKENSEARCHKEY_APPLICATION_ID), pq.StringArray(appIDs))
return delete(db)
}

1
internal/user/model/notify_user.go
View File

@ -21,6 +21,7 @@ type NotifyUser struct {
VerifiedEmail string
LastPhone string
VerifiedPhone string
PasswordSet bool
Sequence uint64
}

21
internal/user/repository/view/model/notify_user.go
View File

@ -30,6 +30,7 @@ type NotifyUser struct {
VerifiedEmail string `json:"-" gorm:"column:verified_email"`
LastPhone string `json:"phone" gorm:"column:last_phone"`
VerifiedPhone string `json:"-" gorm:"column:verified_phone"`
PasswordSet bool `json:"-" gorm:"column:password_set"`
Sequence uint64 `json:"-" gorm:"column:sequence"`
}
@ -50,6 +51,7 @@ func NotifyUserFromModel(user *model.NotifyUser) *NotifyUser {
VerifiedEmail: user.VerifiedEmail,
LastPhone: user.LastPhone,
VerifiedPhone: user.VerifiedPhone,
PasswordSet: user.PasswordSet,
Sequence: user.Sequence,
}
}
@ -71,6 +73,7 @@ func NotifyUserToModel(user *NotifyUser) *model.NotifyUser {
VerifiedEmail: user.VerifiedEmail,
LastPhone: user.LastPhone,
VerifiedPhone: user.VerifiedPhone,
PasswordSet: user.PasswordSet,
Sequence: user.Sequence,
}
}
@ -84,6 +87,10 @@ func (u *NotifyUser) AppendEvent(event *models.Event) (err error) {
u.CreationDate = event.CreationDate
u.setRootData(event)
err = u.setData(event)
if err != nil {
return err
}
err = u.setPasswordData(event)
case es_model.UserProfileChanged:
err = u.setData(event)
case es_model.UserEmailChanged:
@ -94,6 +101,8 @@ func (u *NotifyUser) AppendEvent(event *models.Event) (err error) {
err = u.setData(event)
case es_model.UserPhoneVerified:
u.VerifiedPhone = u.LastPhone
case es_model.UserPasswordChanged:
err = u.setPasswordData(event)
}
return err
}
@ -105,8 +114,18 @@ func (u *NotifyUser) setRootData(event *models.Event) {
func (u *NotifyUser) setData(event *models.Event) error {
if err := json.Unmarshal(event.Data, u); err != nil {
logging.Log("EVEN-lso9e").WithError(err).Error("could not unmarshal event data")
logging.Log("MODEL-lso9e").WithError(err).Error("could not unmarshal event data")
return caos_errs.ThrowInternal(nil, "MODEL-8iows", "could not unmarshal data")
}
return nil
}
func (u *NotifyUser) setPasswordData(event *models.Event) error {
password := new(es_model.Password)
if err := json.Unmarshal(event.Data, password); err != nil {
logging.Log("MODEL-dfhw6").WithError(err).Error("could not unmarshal event data")
return caos_errs.ThrowInternal(nil, "MODEL-BHFD2", "could not unmarshal data")
}
u.PasswordSet = password.Secret != nil
return nil
}

7
internal/user/repository/view/model/user_session.go
View File

@ -76,20 +76,25 @@ func UserSessionsToModel(userSessions []*UserSessionView) []*model.UserSessionVi
}
func (v *UserSessionView) AppendEvent(event *models.Event) {
v.Sequence = event.Sequence
v.ChangeDate = event.CreationDate
switch event.Type {
case es_model.UserPasswordCheckSucceeded:
v.PasswordVerification = event.CreationDate
v.State = int32(req_model.UserSessionStateActive)
case es_model.UserPasswordCheckFailed,
es_model.UserPasswordChanged:
v.PasswordVerification = time.Time{}
case es_model.MfaOtpCheckSucceeded:
v.MfaSoftwareVerification = event.CreationDate
v.MfaSoftwareVerificationType = int32(req_model.MfaTypeOTP)
v.State = int32(req_model.UserSessionStateActive)
case es_model.MfaOtpCheckFailed,
es_model.MfaOtpRemoved:
v.MfaSoftwareVerification = time.Time{}
case es_model.SignedOut:
case es_model.SignedOut,
es_model.UserLocked,
es_model.UserDeactivated:
v.PasswordVerification = time.Time{}
v.MfaSoftwareVerification = time.Time{}
v.State = int32(req_model.UserSessionStateTerminated)

4
internal/user/repository/view/user_session_view.go
View File

@ -59,7 +59,7 @@ func PutUserSession(db *gorm.DB, table string, session *model.UserSessionView) e
return save(db, session)
}
func DeleteUserSession(db *gorm.DB, table, sessionID string) error {
delete := view.PrepareDeleteByKey(table, model.UserSessionSearchKey(usr_model.USERSESSIONSEARCHKEY_USER_ID), sessionID)
func DeleteUserSessions(db *gorm.DB, table, userID string) error {
delete := view.PrepareDeleteByKey(table, model.UserSessionSearchKey(usr_model.USERSESSIONSEARCHKEY_USER_ID), userID)
return delete(db)
}

2
internal/view/requests.go
View File

@ -60,7 +60,7 @@ func PrepareSave(table string) func(db *gorm.DB, object interface{}) error {
}
}
func PrepareDeleteByKey(table string, key ColumnKey, id string) func(db *gorm.DB) error {
func PrepareDeleteByKey(table string, key ColumnKey, id interface{}) func(db *gorm.DB) error {
return func(db *gorm.DB) error {
err := db.Table(table).
Where(fmt.Sprintf("%s = ?", key.ToColumnName()), id).

5
migrations/cockroach/V1.20__notification_passwordset.sql Normal file
View File

@ -0,0 +1,5 @@
BEGIN;
ALTER TABLE notification.notify_users ADD COLUMN password_set BOOLEAN;
COMMIT;

22
pkg/auth/api/oidc/client.go
View File

@ -6,7 +6,10 @@ import (
"github.com/caos/oidc/pkg/oidc"
"github.com/caos/oidc/pkg/op"
"github.com/caos/zitadel/internal/user/model"
"github.com/caos/zitadel/internal/api/auth"
"github.com/caos/zitadel/internal/errors"
proj_model "github.com/caos/zitadel/internal/project/model"
user_model "github.com/caos/zitadel/internal/user/model"
)
const (
@ -15,6 +18,8 @@ const (
scopeEmail = "email"
scopePhone = "phone"
scopeAddress = "address"
oidcCtx = "oidc"
)
func (o *OPStorage) GetClientByClientID(ctx context.Context, id string) (op.Client, error) {
@ -22,10 +27,17 @@ func (o *OPStorage) GetClientByClientID(ctx context.Context, id string) (op.Clie
if err != nil {
return nil, err
}
if client.State != proj_model.APPSTATE_ACTIVE {
return nil, errors.ThrowPreconditionFailed(nil, "OIDC-sdaGg", "client is not active")
}
return ClientFromBusiness(client, o.defaultLoginURL, o.defaultAccessTokenLifetime, o.defaultIdTokenLifetime)
}
func (o *OPStorage) AuthorizeClientIDSecret(ctx context.Context, id string, secret string) error {
ctx = auth.SetCtxData(ctx, auth.CtxData{
UserID: oidcCtx,
OrgID: oidcCtx,
})
return o.repo.AuthorizeOIDCApplication(ctx, id, secret)
}
@ -72,13 +84,13 @@ func (o *OPStorage) GetUserinfoFromScopes(ctx context.Context, userID string, sc
return userInfo, nil
}
func getGender(gender model.Gender) string {
func getGender(gender user_model.Gender) string {
switch gender {
case model.GENDER_FEMALE:
case user_model.GENDER_FEMALE:
return "female"
case model.GENDER_MALE:
case user_model.GENDER_MALE:
return "male"
case model.GENDER_DIVERSE:
case user_model.GENDER_DIVERSE:
return "diverse"
}
return ""