mirror of
https://github.com/zitadel/zitadel.git
synced 2025-08-11 21:17:32 +00:00
feat: password age policy (#8132)
# Which Problems Are Solved Some organizations / customers have the requirement, that there users regularly need to change their password. ZITADEL already had the possibility to manage a `password age policy` ( thought the API) with the maximum amount of days a password should be valid, resp. days after with the user should be warned of the upcoming expiration. The policy could not be managed though the Console UI and was not checked in the Login UI. # How the Problems Are Solved - The policy can be managed in the Console UI's settings sections on an instance and organization level. - During an authentication in the Login UI, if a policy is set with an expiry (>0) and the user's last password change exceeds the amount of days set, the user will be prompted to change their password. - The prompt message of the Login UI can be customized in the Custom Login Texts though the Console and API on the instance and each organization. - The information when the user last changed their password is returned in the Auth, Management and User V2 API. - The policy can be retrieved in the settings service as `password expiry settings`. # Additional Changes None. # Additional Context - closes #8081 --------- Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
This commit is contained in:
Livio Spring
@@ -1,6 +1,8 @@
|
||||
package user
|
||||
|
||||
import (
|
||||
"google.golang.org/protobuf/types/known/timestamppb"
|
||||
|
||||
"github.com/zitadel/zitadel/internal/api/grpc/object"
|
||||
"github.com/zitadel/zitadel/internal/domain"
|
||||
"github.com/zitadel/zitadel/internal/eventstore/v1/models"
|
||||
@@ -48,6 +50,10 @@ func UserTypeToPb(user *query.User, assetPrefix string) user_pb.UserType {
|
||||
}
|
||||
|
||||
func HumanToPb(view *query.Human, assetPrefix, owner string) *user_pb.Human {
|
||||
var passwordChanged *timestamppb.Timestamp
|
||||
if !view.PasswordChanged.IsZero() {
|
||||
passwordChanged = timestamppb.New(view.PasswordChanged)
|
||||
}
|
||||
return &user_pb.Human{
|
||||
Profile: &user_pb.Profile{
|
||||
FirstName: view.FirstName,
|
||||
@@ -66,6 +72,7 @@ func HumanToPb(view *query.Human, assetPrefix, owner string) *user_pb.Human {
|
||||
Phone: string(view.Phone),
|
||||
IsPhoneVerified: view.IsPhoneVerified,
|
||||
},
|
||||
PasswordChanged: passwordChanged,
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -4,6 +4,7 @@ import (
|
||||
"context"
|
||||
|
||||
"github.com/muhlemmer/gu"
|
||||
"google.golang.org/protobuf/types/known/timestamppb"
|
||||
|
||||
"github.com/zitadel/zitadel/internal/api/authz"
|
||||
"github.com/zitadel/zitadel/internal/api/grpc/object/v2"
|
||||
@@ -83,6 +84,10 @@ func userTypeToPb(userQ *query.User, assetPrefix string) user.UserType {
|
||||
}
|
||||
|
||||
func humanToPb(userQ *query.Human, assetPrefix, owner string) *user.HumanUser {
|
||||
var passwordChanged *timestamppb.Timestamp
|
||||
if !userQ.PasswordChanged.IsZero() {
|
||||
passwordChanged = timestamppb.New(userQ.PasswordChanged)
|
||||
}
|
||||
return &user.HumanUser{
|
||||
Profile: &user.HumanProfile{
|
||||
GivenName: userQ.FirstName,
|
||||
@@ -102,6 +107,7 @@ func humanToPb(userQ *query.Human, assetPrefix, owner string) *user.HumanUser {
|
||||
IsVerified: userQ.IsPhoneVerified,
|
||||
},
|
||||
PasswordChangeRequired: userQ.PasswordChangeRequired,
|
||||
PasswordChanged: passwordChanged,
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -23,7 +23,7 @@ func TestServer_GetUserByID(t *testing.T) {
|
||||
type args struct {
|
||||
ctx context.Context
|
||||
req *user.GetUserByIDRequest
|
||||
dep func(ctx context.Context, username string, request *user.GetUserByIDRequest) error
|
||||
dep func(ctx context.Context, username string, request *user.GetUserByIDRequest) (*timestamppb.Timestamp, error)
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
@@ -38,8 +38,8 @@ func TestServer_GetUserByID(t *testing.T) {
|
||||
&user.GetUserByIDRequest{
|
||||
UserId: "",
|
||||
},
|
||||
func(ctx context.Context, username string, request *user.GetUserByIDRequest) error {
|
||||
return nil
|
||||
func(ctx context.Context, username string, request *user.GetUserByIDRequest) (*timestamppb.Timestamp, error) {
|
||||
return nil, nil
|
||||
},
|
||||
},
|
||||
wantErr: true,
|
||||
@@ -51,8 +51,8 @@ func TestServer_GetUserByID(t *testing.T) {
|
||||
&user.GetUserByIDRequest{
|
||||
UserId: "unknown",
|
||||
},
|
||||
func(ctx context.Context, username string, request *user.GetUserByIDRequest) error {
|
||||
return nil
|
||||
func(ctx context.Context, username string, request *user.GetUserByIDRequest) (*timestamppb.Timestamp, error) {
|
||||
return nil, nil
|
||||
},
|
||||
},
|
||||
wantErr: true,
|
||||
@@ -62,10 +62,10 @@ func TestServer_GetUserByID(t *testing.T) {
|
||||
args: args{
|
||||
IamCTX,
|
||||
&user.GetUserByIDRequest{},
|
||||
func(ctx context.Context, username string, request *user.GetUserByIDRequest) error {
|
||||
func(ctx context.Context, username string, request *user.GetUserByIDRequest) (*timestamppb.Timestamp, error) {
|
||||
resp := Tester.CreateHumanUserVerified(ctx, orgResp.OrganizationId, username)
|
||||
request.UserId = resp.GetUserId()
|
||||
return nil
|
||||
return nil, nil
|
||||
},
|
||||
},
|
||||
want: &user.GetUserByIDResponse{
|
||||
@@ -106,11 +106,11 @@ func TestServer_GetUserByID(t *testing.T) {
|
||||
args: args{
|
||||
IamCTX,
|
||||
&user.GetUserByIDRequest{},
|
||||
func(ctx context.Context, username string, request *user.GetUserByIDRequest) error {
|
||||
func(ctx context.Context, username string, request *user.GetUserByIDRequest) (*timestamppb.Timestamp, error) {
|
||||
resp := Tester.CreateHumanUserVerified(ctx, orgResp.OrganizationId, username)
|
||||
request.UserId = resp.GetUserId()
|
||||
Tester.SetUserPassword(ctx, resp.GetUserId(), integration.UserPassword, true)
|
||||
return nil
|
||||
changed := Tester.SetUserPassword(ctx, resp.GetUserId(), integration.UserPassword, true)
|
||||
return changed, nil
|
||||
},
|
||||
},
|
||||
want: &user.GetUserByIDResponse{
|
||||
@@ -138,6 +138,7 @@ func TestServer_GetUserByID(t *testing.T) {
|
||||
IsVerified: true,
|
||||
},
|
||||
PasswordChangeRequired: true,
|
||||
PasswordChanged: timestamppb.Now(),
|
||||
},
|
||||
},
|
||||
},
|
||||
@@ -151,7 +152,7 @@ func TestServer_GetUserByID(t *testing.T) {
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
username := fmt.Sprintf("%d@mouse.com", time.Now().UnixNano())
|
||||
err := tt.args.dep(tt.args.ctx, username, tt.args.req)
|
||||
changed, err := tt.args.dep(tt.args.ctx, username, tt.args.req)
|
||||
require.NoError(t, err)
|
||||
retryDuration := time.Minute
|
||||
if ctxDeadline, ok := CTX.Deadline(); ok {
|
||||
@@ -173,6 +174,9 @@ func TestServer_GetUserByID(t *testing.T) {
|
||||
tt.want.User.LoginNames = []string{username}
|
||||
if human := tt.want.User.GetHuman(); human != nil {
|
||||
human.Email.Email = username
|
||||
if tt.want.User.GetHuman().GetPasswordChanged() != nil {
|
||||
human.PasswordChanged = changed
|
||||
}
|
||||
}
|
||||
assert.Equal(ttt, tt.want.User, got.User)
|
||||
integration.AssertDetails(t, tt.want, got)
|
||||
@@ -316,6 +320,7 @@ func TestServer_GetUserByID_Permission(t *testing.T) {
|
||||
type userAttr struct {
|
||||
UserID string
|
||||
Username string
|
||||
Changed *timestamppb.Timestamp
|
||||
}
|
||||
|
||||
func TestServer_ListUsers(t *testing.T) {
|
||||
@@ -369,7 +374,7 @@ func TestServer_ListUsers(t *testing.T) {
|
||||
for i, username := range usernames {
|
||||
resp := Tester.CreateHumanUserVerified(ctx, orgResp.OrganizationId, username)
|
||||
userIDs[i] = resp.GetUserId()
|
||||
infos[i] = userAttr{resp.GetUserId(), username}
|
||||
infos[i] = userAttr{resp.GetUserId(), username, nil}
|
||||
}
|
||||
request.Queries = append(request.Queries, InUserIDsQuery(userIDs))
|
||||
return infos, nil
|
||||
@@ -423,8 +428,8 @@ func TestServer_ListUsers(t *testing.T) {
|
||||
for i, username := range usernames {
|
||||
resp := Tester.CreateHumanUserVerified(ctx, orgResp.OrganizationId, username)
|
||||
userIDs[i] = resp.GetUserId()
|
||||
Tester.SetUserPassword(ctx, resp.GetUserId(), integration.UserPassword, true)
|
||||
infos[i] = userAttr{resp.GetUserId(), username}
|
||||
changed := Tester.SetUserPassword(ctx, resp.GetUserId(), integration.UserPassword, true)
|
||||
infos[i] = userAttr{resp.GetUserId(), username, changed}
|
||||
}
|
||||
request.Queries = append(request.Queries, InUserIDsQuery(userIDs))
|
||||
return infos, nil
|
||||
@@ -457,6 +462,7 @@ func TestServer_ListUsers(t *testing.T) {
|
||||
IsVerified: true,
|
||||
},
|
||||
PasswordChangeRequired: true,
|
||||
PasswordChanged: timestamppb.Now(),
|
||||
},
|
||||
},
|
||||
},
|
||||
@@ -479,7 +485,7 @@ func TestServer_ListUsers(t *testing.T) {
|
||||
for i, username := range usernames {
|
||||
resp := Tester.CreateHumanUserVerified(ctx, orgResp.OrganizationId, username)
|
||||
userIDs[i] = resp.GetUserId()
|
||||
infos[i] = userAttr{resp.GetUserId(), username}
|
||||
infos[i] = userAttr{resp.GetUserId(), username, nil}
|
||||
}
|
||||
request.Queries = append(request.Queries, InUserIDsQuery(userIDs))
|
||||
return infos, nil
|
||||
@@ -575,7 +581,7 @@ func TestServer_ListUsers(t *testing.T) {
|
||||
for i, username := range usernames {
|
||||
resp := Tester.CreateHumanUserVerified(ctx, orgResp.OrganizationId, username)
|
||||
userIDs[i] = resp.GetUserId()
|
||||
infos[i] = userAttr{resp.GetUserId(), username}
|
||||
infos[i] = userAttr{resp.GetUserId(), username, nil}
|
||||
request.Queries = append(request.Queries, UsernameQuery(username))
|
||||
}
|
||||
return infos, nil
|
||||
@@ -627,7 +633,7 @@ func TestServer_ListUsers(t *testing.T) {
|
||||
infos := make([]userAttr, len(usernames))
|
||||
for i, username := range usernames {
|
||||
resp := Tester.CreateHumanUserVerified(ctx, orgResp.OrganizationId, username)
|
||||
infos[i] = userAttr{resp.GetUserId(), username}
|
||||
infos[i] = userAttr{resp.GetUserId(), username, nil}
|
||||
}
|
||||
request.Queries = append(request.Queries, InUserEmailsQuery(usernames))
|
||||
return infos, nil
|
||||
@@ -679,7 +685,7 @@ func TestServer_ListUsers(t *testing.T) {
|
||||
infos := make([]userAttr, len(usernames))
|
||||
for i, username := range usernames {
|
||||
resp := Tester.CreateHumanUserVerified(ctx, orgResp.OrganizationId, username)
|
||||
infos[i] = userAttr{resp.GetUserId(), username}
|
||||
infos[i] = userAttr{resp.GetUserId(), username, nil}
|
||||
}
|
||||
request.Queries = append(request.Queries, InUserEmailsQuery(usernames))
|
||||
return infos, nil
|
||||
@@ -794,7 +800,7 @@ func TestServer_ListUsers(t *testing.T) {
|
||||
infos := make([]userAttr, len(usernames))
|
||||
for i, username := range usernames {
|
||||
resp := Tester.CreateHumanUserVerified(ctx, orgResp.OrganizationId, username)
|
||||
infos[i] = userAttr{resp.GetUserId(), username}
|
||||
infos[i] = userAttr{resp.GetUserId(), username, nil}
|
||||
}
|
||||
request.Queries = append(request.Queries, OrganizationIdQuery(orgResp.OrganizationId))
|
||||
request.Queries = append(request.Queries, InUserEmailsQuery(usernames))
|
||||
@@ -910,6 +916,9 @@ func TestServer_ListUsers(t *testing.T) {
|
||||
tt.want.Result[i].LoginNames = []string{infos[i].Username}
|
||||
if human := tt.want.Result[i].GetHuman(); human != nil {
|
||||
human.Email.Email = infos[i].Username
|
||||
if tt.want.Result[i].GetHuman().GetPasswordChanged() != nil {
|
||||
human.PasswordChanged = infos[i].Changed
|
||||
}
|
||||
}
|
||||
}
|
||||
for i := range tt.want.Result {
|
||||
|
||||
Reference in New Issue
Block a user