feat: Login verification lifetimes (#3190)

* feat: add login check lifetimes to login policy

* feat: org features test

* feat: read lifetimes from loginpolicy

internal/repository/iam/policy_login.go

@@ -2,6 +2,7 @@ package iam
 
 import (
 	"context"
+	"time"
 
 	"github.com/caos/zitadel/internal/eventstore"
 
@@ -28,6 +29,11 @@ func NewLoginPolicyAddedEvent(
 	forceMFA,
 	hidePasswordReset bool,
 	passwordlessType domain.PasswordlessType,
+	passwordCheckLifetime,
+	externalLoginCheckLifetime,
+	mfaInitSkipLifetime,
+	secondFactorCheckLifetime,
+	multiFactorCheckLifetime time.Duration,
 ) *LoginPolicyAddedEvent {
 	return &LoginPolicyAddedEvent{
 		LoginPolicyAddedEvent: *policy.NewLoginPolicyAddedEvent(
@@ -40,7 +46,12 @@ func NewLoginPolicyAddedEvent(
 			allowExternalIDP,
 			forceMFA,
 			hidePasswordReset,
-			passwordlessType),
+			passwordlessType,
+			passwordCheckLifetime,
+			externalLoginCheckLifetime,
+			mfaInitSkipLifetime,
+			secondFactorCheckLifetime,
+			multiFactorCheckLifetime),
 	}
 }
 

internal/repository/org/policy_login.go

@@ -2,6 +2,7 @@ package org
 
 import (
 	"context"
+	"time"
 
 	"github.com/caos/zitadel/internal/eventstore"
 
@@ -29,6 +30,11 @@ func NewLoginPolicyAddedEvent(
 	forceMFA,
 	hidePasswordReset bool,
 	passwordlessType domain.PasswordlessType,
+	passwordCheckLifetime,
+	externalLoginCheckLifetime,
+	mfaInitSkipLifetime,
+	secondFactorCheckLifetime,
+	multiFactorCheckLifetime time.Duration,
 ) *LoginPolicyAddedEvent {
 	return &LoginPolicyAddedEvent{
 		LoginPolicyAddedEvent: *policy.NewLoginPolicyAddedEvent(
@@ -41,7 +47,12 @@ func NewLoginPolicyAddedEvent(
 			allowExternalIDP,
 			forceMFA,
 			hidePasswordReset,
-			passwordlessType),
+			passwordlessType,
+			passwordCheckLifetime,
+			externalLoginCheckLifetime,
+			mfaInitSkipLifetime,
+			secondFactorCheckLifetime,
+			multiFactorCheckLifetime),
 	}
 }
 

internal/repository/policy/login.go

@@ -2,6 +2,7 @@ package policy
 
 import (
 	"encoding/json"
+	"time"
 
 	"github.com/caos/zitadel/internal/domain"
 	"github.com/caos/zitadel/internal/errors"
@@ -19,12 +20,17 @@ const (
 type LoginPolicyAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`
 
-	AllowUserNamePassword bool                    `json:"allowUsernamePassword,omitempty"`
-	AllowRegister         bool                    `json:"allowRegister,omitempty"`
-	AllowExternalIDP      bool                    `json:"allowExternalIdp,omitempty"`
-	ForceMFA              bool                    `json:"forceMFA,omitempty"`
-	HidePasswordReset     bool                    `json:"hidePasswordReset,omitempty"`
-	PasswordlessType      domain.PasswordlessType `json:"passwordlessType,omitempty"`
+	AllowUserNamePassword      bool                    `json:"allowUsernamePassword,omitempty"`
+	AllowRegister              bool                    `json:"allowRegister,omitempty"`
+	AllowExternalIDP           bool                    `json:"allowExternalIdp,omitempty"`
+	ForceMFA                   bool                    `json:"forceMFA,omitempty"`
+	HidePasswordReset          bool                    `json:"hidePasswordReset,omitempty"`
+	PasswordlessType           domain.PasswordlessType `json:"passwordlessType,omitempty"`
+	PasswordCheckLifetime      time.Duration           `json:"passwordCheckLifetime,omitempty"`
+	ExternalLoginCheckLifetime time.Duration           `json:"externalLoginCheckLifetime,omitempty"`
+	MFAInitSkipLifetime        time.Duration           `json:"mfaInitSkipLifetime,omitempty"`
+	SecondFactorCheckLifetime  time.Duration           `json:"secondFactorCheckLifetime,omitempty"`
+	MultiFactorCheckLifetime   time.Duration           `json:"multiFactorCheckLifetime,omitempty"`
 }
 
 func (e *LoginPolicyAddedEvent) Data() interface{} {
@@ -43,15 +49,25 @@ func NewLoginPolicyAddedEvent(
 	forceMFA,
 	hidePasswordReset bool,
 	passwordlessType domain.PasswordlessType,
+	passwordCheckLifetime,
+	externalLoginCheckLifetime,
+	mfaInitSkipLifetime,
+	secondFactorCheckLifetime,
+	multiFactorCheckLifetime time.Duration,
 ) *LoginPolicyAddedEvent {
 	return &LoginPolicyAddedEvent{
-		BaseEvent:             *base,
-		AllowExternalIDP:      allowExternalIDP,
-		AllowRegister:         allowRegister,
-		AllowUserNamePassword: allowUserNamePassword,
-		ForceMFA:              forceMFA,
-		PasswordlessType:      passwordlessType,
-		HidePasswordReset:     hidePasswordReset,
+		BaseEvent:                  *base,
+		AllowExternalIDP:           allowExternalIDP,
+		AllowRegister:              allowRegister,
+		AllowUserNamePassword:      allowUserNamePassword,
+		ForceMFA:                   forceMFA,
+		PasswordlessType:           passwordlessType,
+		HidePasswordReset:          hidePasswordReset,
+		PasswordCheckLifetime:      passwordCheckLifetime,
+		ExternalLoginCheckLifetime: externalLoginCheckLifetime,
+		MFAInitSkipLifetime:        mfaInitSkipLifetime,
+		SecondFactorCheckLifetime:  secondFactorCheckLifetime,
+		MultiFactorCheckLifetime:   multiFactorCheckLifetime,
 	}
 }
 
@@ -71,12 +87,17 @@ func LoginPolicyAddedEventMapper(event *repository.Event) (eventstore.Event, err
 type LoginPolicyChangedEvent struct {
 	eventstore.BaseEvent `json:"-"`
 
-	AllowUserNamePassword *bool                    `json:"allowUsernamePassword,omitempty"`
-	AllowRegister         *bool                    `json:"allowRegister,omitempty"`
-	AllowExternalIDP      *bool                    `json:"allowExternalIdp,omitempty"`
-	ForceMFA              *bool                    `json:"forceMFA,omitempty"`
-	HidePasswordReset     *bool                    `json:"hidePasswordReset,omitempty"`
-	PasswordlessType      *domain.PasswordlessType `json:"passwordlessType,omitempty"`
+	AllowUserNamePassword      *bool                    `json:"allowUsernamePassword,omitempty"`
+	AllowRegister              *bool                    `json:"allowRegister,omitempty"`
+	AllowExternalIDP           *bool                    `json:"allowExternalIdp,omitempty"`
+	ForceMFA                   *bool                    `json:"forceMFA,omitempty"`
+	HidePasswordReset          *bool                    `json:"hidePasswordReset,omitempty"`
+	PasswordlessType           *domain.PasswordlessType `json:"passwordlessType,omitempty"`
+	PasswordCheckLifetime      *time.Duration           `json:"passwordCheckLifetime,omitempty"`
+	ExternalLoginCheckLifetime *time.Duration           `json:"externalLoginCheckLifetime,omitempty"`
+	MFAInitSkipLifetime        *time.Duration           `json:"mfaInitSkipLifetime,omitempty"`
+	SecondFactorCheckLifetime  *time.Duration           `json:"secondFactorCheckLifetime,omitempty"`
+	MultiFactorCheckLifetime   *time.Duration           `json:"multiFactorCheckLifetime,omitempty"`
 }
 
 func (e *LoginPolicyChangedEvent) Data() interface{} {
@@ -141,6 +162,31 @@ func ChangeHidePasswordReset(hidePasswordReset bool) func(*LoginPolicyChangedEve
 	}
 }
 
+func ChangePasswordCheckLifetime(passwordCheckLifetime time.Duration) func(*LoginPolicyChangedEvent) {
+	return func(e *LoginPolicyChangedEvent) {
+		e.PasswordCheckLifetime = &passwordCheckLifetime
+	}
+}
+func ChangeExternalLoginCheckLifetime(externalLoginCheckLifetime time.Duration) func(*LoginPolicyChangedEvent) {
+	return func(e *LoginPolicyChangedEvent) {
+		e.ExternalLoginCheckLifetime = &externalLoginCheckLifetime
+	}
+}
+func ChangeMFAInitSkipLifetime(mfaInitSkipLifetime time.Duration) func(*LoginPolicyChangedEvent) {
+	return func(e *LoginPolicyChangedEvent) {
+		e.MFAInitSkipLifetime = &mfaInitSkipLifetime
+	}
+}
+func ChangeSecondFactorCheckLifetime(secondFactorCheckLifetime time.Duration) func(*LoginPolicyChangedEvent) {
+	return func(e *LoginPolicyChangedEvent) {
+		e.SecondFactorCheckLifetime = &secondFactorCheckLifetime
+	}
+}
+func ChangeMultiFactorCheckLifetime(multiFactorCheckLifetime time.Duration) func(*LoginPolicyChangedEvent) {
+	return func(e *LoginPolicyChangedEvent) {
+		e.MultiFactorCheckLifetime = &multiFactorCheckLifetime
+	}
+}
 func LoginPolicyChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
 	e := &LoginPolicyChangedEvent{
 		BaseEvent: *eventstore.BaseEventFromRepo(event),