feat: add auth command side (#107)

* fix: query tests

* fix: use prepare funcs

* fix: go mod

* fix: generate files

* fix(eventstore): tests

* fix(eventstore): rename modifier to editor

* fix(migrations): add cluster migration,
fix(migrations): fix typo of host in clean clsuter

* fix(eventstore): move health

* fix(eventstore): AggregateTypeFilter aggregateType as param

* code quality

* fix: go tests

* feat: add member funcs

* feat: add member model

* feat: add member events

* feat: add member repo model

* fix: better error func testing

* fix: project member funcs

* fix: add tests

* fix: add tests

* feat: implement member requests

* fix: merge master

* fix: merge master

* fix: read existing in project repo

* fix: fix tests

* feat: add internal cache

* feat: add cache mock

* fix: return values of cache mock

* feat: add project role

* fix: add cache config

* fix: add role to eventstore

* fix: use eventstore sdk

* fix: use eventstore sdk

* fix: add project role grpc requests

* fix: fix getby id

* fix: changes for mr

* fix: change value to interface

* feat: add app event creations

* fix: searchmethods

* Update internal/project/model/project_member.go

Co-Authored-By: Silvan <silvan.reusser@gmail.com>

* fix: use get project func

* fix: append events

* fix: check if value is string on equal ignore case

* fix: add changes test

* fix: add go mod

* fix: add some tests

* fix: return err not nil

* fix: return err not nil

* fix: add aggregate funcs and tests

* fix: add oidc aggregate funcs and tests

* fix: add oidc

* fix: add some tests

* fix: tests

* feat: eventstore repository

* fix: remove gorm

* version

* feat: pkg

* feat: eventstore without eventstore-lib

* rename files

* gnueg

* fix: global model

* feat: add global view functions

* feat(eventstore): sdk

* fix(eventstore): rename app to eventstore

* delete empty test

* fix(models): delete unused struct

* feat(eventstore): overwrite context data

* fix: use global sql config

* fix: oidc validation

* fix: generate client secret

* fix: generate client id

* fix: test change app

* fix: deactivate/reactivate application

* fix: change oidc config

* fix: change oidc config secret

* begin models

* begin repo

* fix: implement grpc app funcs

* fix: add application requests

* fix: converter

* fix: converter

* fix: converter and generate clientid

* fix: tests

* feat: project grant aggregate

* feat: project grant

* fix: project grant check if role existing

* fix: project grant requests

* fix: project grant fixes

* fix: project grant member model

* fix: project grant member aggregate

* fix: project grant member eventstore

* fix: project grant member requests

* feat: user model

* begin repo

* repo models and more

* feat: user command side

* lots of functions

* user command side

* profile requests

* commit before rebase on user

* save

* local config with gopass and more

* begin new auth command (user centric)

* Update internal/user/model/user.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/address.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/address.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/email.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/email.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/email.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/mfa.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/mfa.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/password.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/password.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/password.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/phone.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/phone.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/phone.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/user.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/user.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/user.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/usergrant/repository/eventsourcing/model/user_grant.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/usergrant/repository/eventsourcing/model/user_grant.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/usergrant/repository/eventsourcing/user_grant.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/user_test.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/eventstore_mock_test.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* changes from mr review

* save files into basedir

* changes from mr review

* changes from mr review

* move to auth request

* Update internal/usergrant/repository/eventsourcing/cache.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* Update internal/usergrant/repository/eventsourcing/cache.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* changes requested on mr

* fix generate codes

* fix return if no events

* password code

* email verification step

* more steps

* lot of mfa

* begin tests

* more next steps

* auth api

* auth api (user)

* auth api (user)

* auth api (user)

* differ requests

* merge

* tests

* fix compilation error

* mock for id generator

* Update internal/user/repository/eventsourcing/model/password.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* Update internal/user/repository/eventsourcing/model/user.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* requests of mr

* check email

* begin separation of command and query

* otp

* change packages

* some cleanup and fixes

* tests for auth request / next steps

* add VerificationLifetimes to config and make it run

* tests

* fix code challenge validation

* cleanup

* fix merge

* begin view

* repackaging tests and configs

* fix startup config for auth

* add migration

* add PromptSelectAccount

* fix copy / paste

* remove user_agent files

* fixes

* fix sequences in user_session

* token commands

* token queries and signout

* fix

* fix set password test

* add token handler and table

* handle session init

* add session state

* add user view test cases

* change VerifyMyMfaOTP

* some fixes

* fix user repo in auth api

* cleanup

* add user session view test

* fix merge

* fixes

* Update internal/auth/repository/eventsourcing/eventstore/auth_request.go

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* Update internal/auth/repository/eventsourcing/eventstore/auth_request.go

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* Update internal/auth/repository/eventsourcing/eventstore/auth_request.go

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* Update internal/auth/repository/eventsourcing/eventstore/auth_request.go

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* extract method usersForUserSelection

* add todo for policy check

* id on auth req

* fix enum name

Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com>
Co-authored-by: adlerhurst <silvan.reusser@gmail.com>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

internal/user/repository/view/model/user.go

@@ -2,12 +2,15 @@ package model
 
 import (
 	"encoding/json"
+	"time"
+
 	"github.com/caos/logging"
+
+	req_model "github.com/caos/zitadel/internal/auth_request/model"
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/user/model"
 	es_model "github.com/caos/zitadel/internal/user/repository/eventsourcing/model"
-	"time"
 )
 
 const (
@@ -23,90 +26,102 @@ const (
 )
 
 type UserView struct {
-	ID                string    `json:"-" gorm:"column:id;primary_key"`
-	CreationDate      time.Time `json:"-" gorm:"column:creation_date"`
-	ChangeDate        time.Time `json:"-" gorm:"column:change_date"`
-	ResourceOwner     string    `json:"-" gorm:"column:resource_owner"`
-	State             int32     `json:"-" gorm:"column:user_state"`
-	PasswordChanged   time.Time `json:"-" gorm:"column:password_change"`
-	LastLogin         time.Time `json:"-" gorm:"column:last_login"`
-	UserName          string    `json:"userName" gorm:"column:user_name"`
-	FirstName         string    `json:"firstName" gorm:"column:first_name"`
-	LastName          string    `json:"lastName" gorm:"column:last_name"`
-	NickName          string    `json:"nickName" gorm:"column:nick_name"`
-	DisplayName       string    `json:"displayName" gorm:"column:display_name"`
-	PreferredLanguage string    `json:"preferredLanguage" gorm:"column:preferred_language"`
-	Gender            int32     `json:"gender" gorm:"column:gender"`
-	Email             string    `json:"email" gorm:"column:email"`
-	IsEmailVerified   bool      `json:"-" gorm:"column:is_email_verified"`
-	Phone             string    `json:"phone" gorm:"column:phone"`
-	IsPhoneVerified   bool      `json:"-" gorm:"column:is_phone_verified"`
-	Country           string    `json:"country" gorm:"column:country"`
-	Locality          string    `json:"locality" gorm:"column:locality"`
-	PostalCode        string    `json:"postalCode" gorm:"column:postal_code"`
-	Region            string    `json:"region" gorm:"column:region"`
-	StreetAddress     string    `json:"streetAddress" gorm:"column:street_address"`
-	OTPState          int32     `json:"-" gorm:"column:otp_state"`
-	Sequence          uint64    `json:"-" gorm:"column:sequence"`
+	ID                     string    `json:"-" gorm:"column:id;primary_key"`
+	CreationDate           time.Time `json:"-" gorm:"column:creation_date"`
+	ChangeDate             time.Time `json:"-" gorm:"column:change_date"`
+	ResourceOwner          string    `json:"-" gorm:"column:resource_owner"`
+	State                  int32     `json:"-" gorm:"column:user_state"`
+	PasswordSet            bool      `json:"-" gorm:"column:password_set"`
+	PasswordChangeRequired bool      `json:"-" gorm:"column:password_change_required"`
+	PasswordChanged        time.Time `json:"-" gorm:"column:password_change"`
+	LastLogin              time.Time `json:"-" gorm:"column:last_login"`
+	UserName               string    `json:"userName" gorm:"column:user_name"`
+	FirstName              string    `json:"firstName" gorm:"column:first_name"`
+	LastName               string    `json:"lastName" gorm:"column:last_name"`
+	NickName               string    `json:"nickName" gorm:"column:nick_name"`
+	DisplayName            string    `json:"displayName" gorm:"column:display_name"`
+	PreferredLanguage      string    `json:"preferredLanguage" gorm:"column:preferred_language"`
+	Gender                 int32     `json:"gender" gorm:"column:gender"`
+	Email                  string    `json:"email" gorm:"column:email"`
+	IsEmailVerified        bool      `json:"-" gorm:"column:is_email_verified"`
+	Phone                  string    `json:"phone" gorm:"column:phone"`
+	IsPhoneVerified        bool      `json:"-" gorm:"column:is_phone_verified"`
+	Country                string    `json:"country" gorm:"column:country"`
+	Locality               string    `json:"locality" gorm:"column:locality"`
+	PostalCode             string    `json:"postalCode" gorm:"column:postal_code"`
+	Region                 string    `json:"region" gorm:"column:region"`
+	StreetAddress          string    `json:"streetAddress" gorm:"column:street_address"`
+	OTPState               int32     `json:"-" gorm:"column:otp_state"`
+	MfaMaxSetUp            int32     `json:"-" gorm:"column:mfa_max_set_up"`
+	MfaInitSkipped         time.Time `json:"-" gorm:"column:mfa_init_skipped"`
+	Sequence               uint64    `json:"-" gorm:"column:sequence"`
 }
 
 func UserFromModel(user *model.UserView) *UserView {
 	return &UserView{
-		ID:                user.ID,
-		ChangeDate:        user.ChangeDate,
-		CreationDate:      user.CreationDate,
-		ResourceOwner:     user.ResourceOwner,
-		State:             int32(user.State),
-		PasswordChanged:   user.PasswordChanged,
-		LastLogin:         user.LastLogin,
-		UserName:          user.UserName,
-		FirstName:         user.FirstName,
-		LastName:          user.LastName,
-		NickName:          user.NickName,
-		DisplayName:       user.DisplayName,
-		PreferredLanguage: user.PreferredLanguage,
-		Gender:            int32(user.Gender),
-		Email:             user.Email,
-		IsEmailVerified:   user.IsEmailVerified,
-		Phone:             user.Phone,
-		IsPhoneVerified:   user.IsPhoneVerified,
-		Country:           user.Country,
-		Locality:          user.Locality,
-		PostalCode:        user.PostalCode,
-		Region:            user.Region,
-		StreetAddress:     user.StreetAddress,
-		OTPState:          int32(user.OTPState),
-		Sequence:          user.Sequence,
+		ID:                     user.ID,
+		ChangeDate:             user.ChangeDate,
+		CreationDate:           user.CreationDate,
+		ResourceOwner:          user.ResourceOwner,
+		State:                  int32(user.State),
+		PasswordSet:            user.PasswordSet,
+		PasswordChangeRequired: user.PasswordChangeRequired,
+		PasswordChanged:        user.PasswordChanged,
+		LastLogin:              user.LastLogin,
+		UserName:               user.UserName,
+		FirstName:              user.FirstName,
+		LastName:               user.LastName,
+		NickName:               user.NickName,
+		DisplayName:            user.DisplayName,
+		PreferredLanguage:      user.PreferredLanguage,
+		Gender:                 int32(user.Gender),
+		Email:                  user.Email,
+		IsEmailVerified:        user.IsEmailVerified,
+		Phone:                  user.Phone,
+		IsPhoneVerified:        user.IsPhoneVerified,
+		Country:                user.Country,
+		Locality:               user.Locality,
+		PostalCode:             user.PostalCode,
+		Region:                 user.Region,
+		StreetAddress:          user.StreetAddress,
+		OTPState:               int32(user.OTPState),
+		MfaMaxSetUp:            int32(user.MfaMaxSetUp),
+		MfaInitSkipped:         user.MfaInitSkipped,
+		Sequence:               user.Sequence,
 	}
 }
 
 func UserToModel(user *UserView) *model.UserView {
 	return &model.UserView{
-		ID:                user.ID,
-		ChangeDate:        user.ChangeDate,
-		CreationDate:      user.CreationDate,
-		ResourceOwner:     user.ResourceOwner,
-		State:             model.UserState(user.State),
-		PasswordChanged:   user.PasswordChanged,
-		LastLogin:         user.LastLogin,
-		UserName:          user.UserName,
-		FirstName:         user.FirstName,
-		LastName:          user.LastName,
-		NickName:          user.NickName,
-		DisplayName:       user.DisplayName,
-		PreferredLanguage: user.PreferredLanguage,
-		Gender:            model.Gender(user.Gender),
-		Email:             user.Email,
-		IsEmailVerified:   user.IsEmailVerified,
-		Phone:             user.Phone,
-		IsPhoneVerified:   user.IsPhoneVerified,
-		Country:           user.Country,
-		Locality:          user.Locality,
-		PostalCode:        user.PostalCode,
-		Region:            user.Region,
-		StreetAddress:     user.StreetAddress,
-		OTPState:          model.MfaState(user.OTPState),
-		Sequence:          user.Sequence,
+		ID:                     user.ID,
+		ChangeDate:             user.ChangeDate,
+		CreationDate:           user.CreationDate,
+		ResourceOwner:          user.ResourceOwner,
+		State:                  model.UserState(user.State),
+		PasswordSet:            user.PasswordSet,
+		PasswordChangeRequired: user.PasswordChangeRequired,
+		PasswordChanged:        user.PasswordChanged,
+		LastLogin:              user.LastLogin,
+		UserName:               user.UserName,
+		FirstName:              user.FirstName,
+		LastName:               user.LastName,
+		NickName:               user.NickName,
+		DisplayName:            user.DisplayName,
+		PreferredLanguage:      user.PreferredLanguage,
+		Gender:                 model.Gender(user.Gender),
+		Email:                  user.Email,
+		IsEmailVerified:        user.IsEmailVerified,
+		Phone:                  user.Phone,
+		IsPhoneVerified:        user.IsPhoneVerified,
+		Country:                user.Country,
+		Locality:               user.Locality,
+		PostalCode:             user.PostalCode,
+		Region:                 user.Region,
+		StreetAddress:          user.StreetAddress,
+		OTPState:               model.MfaState(user.OTPState),
+		MfaMaxSetUp:            req_model.MfaLevel(user.MfaMaxSetUp),
+		MfaInitSkipped:         user.MfaInitSkipped,
+		Sequence:               user.Sequence,
 	}
 }
 
@@ -118,43 +133,52 @@ func UsersToModel(users []*UserView) []*model.UserView {
 	return result
 }
 
-func (p *UserView) AppendEvent(event *models.Event) (err error) {
-	p.ChangeDate = event.CreationDate
-	p.Sequence = event.Sequence
+func (u *UserView) AppendEvent(event *models.Event) (err error) {
+	u.ChangeDate = event.CreationDate
+	u.Sequence = event.Sequence
 	switch event.Type {
 	case es_model.UserAdded,
 		es_model.UserRegistered:
-		p.CreationDate = event.CreationDate
-		p.setRootData(event)
-		err = p.setData(event)
+		u.CreationDate = event.CreationDate
+		u.setRootData(event)
+		err = u.setData(event)
+		if err != nil {
+			return err
+		}
+		err = u.setPasswordData(event)
+	case es_model.UserPasswordChanged:
+		err = u.setPasswordData(event)
 	case es_model.UserProfileChanged,
 		es_model.UserAddressChanged:
-		err = p.setData(event)
+		err = u.setData(event)
 	case es_model.UserEmailChanged:
-		p.IsEmailVerified = false
-		err = p.setData(event)
+		u.IsEmailVerified = false
+		err = u.setData(event)
 	case es_model.UserEmailVerified:
-		p.IsEmailVerified = true
+		u.IsEmailVerified = true
 	case es_model.UserPhoneChanged:
-		p.IsPhoneVerified = false
-		err = p.setData(event)
+		u.IsPhoneVerified = false
+		err = u.setData(event)
 	case es_model.UserPhoneVerified:
-		p.IsPhoneVerified = true
+		u.IsPhoneVerified = true
 	case es_model.UserDeactivated:
-		p.State = int32(model.USERSTATE_INACTIVE)
+		u.State = int32(model.USERSTATE_INACTIVE)
 	case es_model.UserReactivated,
 		es_model.UserUnlocked:
-		p.State = int32(model.USERSTATE_ACTIVE)
+		u.State = int32(model.USERSTATE_ACTIVE)
 	case es_model.UserLocked:
-		p.State = int32(model.USERSTATE_LOCKED)
+		u.State = int32(model.USERSTATE_LOCKED)
 	case es_model.MfaOtpAdded:
-		p.OTPState = int32(model.MFASTATE_NOTREADY)
+		u.OTPState = int32(model.MFASTATE_NOTREADY)
 	case es_model.MfaOtpVerified:
-		p.OTPState = int32(model.MFASTATE_READY)
+		u.OTPState = int32(model.MFASTATE_READY)
+		u.MfaInitSkipped = time.Time{}
 	case es_model.MfaOtpRemoved:
-		p.OTPState = int32(model.MFASTATE_UNSPECIFIED)
+		u.OTPState = int32(model.MFASTATE_UNSPECIFIED)
+	case es_model.MfaInitSkipped:
+		u.MfaInitSkipped = event.CreationDate
 	}
-	p.ComputeObject()
+	u.ComputeObject()
 	return err
 }
 
@@ -165,12 +189,23 @@ func (u *UserView) setRootData(event *models.Event) {
 
 func (u *UserView) setData(event *models.Event) error {
 	if err := json.Unmarshal(event.Data, u); err != nil {
-		logging.Log("EVEN-lso9e").WithError(err).Error("could not unmarshal event data")
+		logging.Log("MODEL-lso9e").WithError(err).Error("could not unmarshal event data")
 		return caos_errs.ThrowInternal(nil, "MODEL-8iows", "could not unmarshal data")
 	}
 	return nil
 }
 
+func (u *UserView) setPasswordData(event *models.Event) error {
+	password := new(es_model.Password)
+	if err := json.Unmarshal(event.Data, password); err != nil {
+		logging.Log("MODEL-sdw4r").WithError(err).Error("could not unmarshal event data")
+		return caos_errs.ThrowInternal(nil, "MODEL-6jhsw", "could not unmarshal data")
+	}
+	u.PasswordSet = password.Secret != nil
+	u.PasswordChangeRequired = password.ChangeRequired
+	return nil
+}
+
 func (u *UserView) ComputeObject() {
 	if u.State == int32(model.USERSTATE_UNSPECIFIED) || u.State == int32(model.USERSTATE_INITIAL) {
 		if u.IsEmailVerified {
@@ -179,4 +214,7 @@ func (u *UserView) ComputeObject() {
 			u.State = int32(model.USERSTATE_INITIAL)
 		}
 	}
+	if u.OTPState == int32(model.MFASTATE_READY) {
+		u.MfaMaxSetUp = int32(req_model.MfaLevelSoftware)
+	}
 }