feat: policies on aggregates (#799)

* feat: move pw policy * feat: default pw complexity policy * fix: org password complexity policy * fix: org password complexity policy * fix: pw complexity policy with setup * fix: age and lockout policies on aggregates * fix: migration * fix: org iam policy * fix: org iam policy * fix: org iam policy * fix: tests * fix: policy request * fix: merge master * fix(console): policies frontend (#817) * fix policy build * fix: age, complexity, lockout policies * fix: ready return err of setup not done * fix: fix remove policies in spoolers * fix: fix remove policies in spoolers * feat(console): policy settings for iam and org (#824) * fix policy build * fix: age, complexity, lockout policies * fix pwd complexity * policy remove action * add imports * fix accounts card, enable mgmt login policy * lint * add iam policy to admin * toasts, i18n, show default * routing, i18n * reset policy, toast i18n, cleanup, routing * policy delete permission * lint style * delete iam policy * delete non project from grid list, i18n * lint ts, style * fix: remove instead delete * feat(console): delete external idp from user (#835) * dialog i18n, delete column and function * dialog i18n * fix rm button * Update console/src/assets/i18n/de.json Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * Update console/src/assets/i18n/de.json Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * fix: revert env, rename policy, remove comments * fix: lowercase sich * fix: pr requests * Update internal/iam/repository/eventsourcing/eventstore_test.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: tests * fix: tests * fix(console): policies (#839) * fix: nil pointer on get userdata (#815) * fix: external login (#818) * fix: external login * fix: external login * feat(console): delete user (#819) * add action col to user table, i18n * delete user from detail component * lint * fix(console): cleanup user detail and member components, user/me redirect, permission guards, filter, org policy guard, user table, scss cleanup (#808) * fix: remove user.write guard for filtering * border color * fix user routing from member tables * idp detail layout * generic contact component * fix redirect to auth user, user grant disable * disable policy action without permission, i18n * user-create flex fix, contact ng-content * rm unused styles * sidenav divider * lint * chore(deps-dev): bump @angular/cli from 10.1.3 to 10.1.4 in /console (#806) * fix: user session with external login (#797) * fix: user session with external login * fix: tests * fix: tests * fix: change idp config name * fix(container): stop copying / and instead only copy zitadel (#691) * chore: stop copying / and instead only copy zitadel * Update Dockerfile * Update release.yml * enable anchors debug * fix(container): don't copy alpine content into scratch execpt pwd * chore: remove need step * merge master * chore(deps-dev): bump @angular/cli from 10.1.3 to 10.1.4 in /console Bumps [@angular/cli](https://github.com/angular/angular-cli) from 10.1.3 to 10.1.4. - [Release notes](https://github.com/angular/angular-cli/releases) - [Commits](https://github.com/angular/angular-cli/compare/v10.1.3...v10.1.4) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump @angular/language-service from 10.1.3 to 10.1.4 in /console (#805) * fix: user session with external login (#797) * fix: user session with external login * fix: tests * fix: tests * fix: change idp config name * fix(container): stop copying / and instead only copy zitadel (#691) * chore: stop copying / and instead only copy zitadel * Update Dockerfile * Update release.yml * enable anchors debug * fix(container): don't copy alpine content into scratch execpt pwd * chore: remove need step * merge master * chore(deps-dev): bump @angular/language-service in /console Bumps [@angular/language-service](https://github.com/angular/angular/tree/HEAD/packages/language-service) from 10.1.3 to 10.1.4. - [Release notes](https://github.com/angular/angular/releases) - [Changelog](https://github.com/angular/angular/blob/master/CHANGELOG.md) - [Commits](https://github.com/angular/angular/commits/10.1.4/packages/language-service) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump codelyzer from 6.0.0 to 6.0.1 in /console (#804) * fix: user session with external login (#797) * fix: user session with external login * fix: tests * fix: tests * fix: change idp config name * fix(container): stop copying / and instead only copy zitadel (#691) * chore: stop copying / and instead only copy zitadel * Update Dockerfile * Update release.yml * enable anchors debug * fix(container): don't copy alpine content into scratch execpt pwd * chore: remove need step * merge master * chore(deps-dev): bump codelyzer from 6.0.0 to 6.0.1 in /console Bumps [codelyzer](https://github.com/mgechev/codelyzer) from 6.0.0 to 6.0.1. - [Release notes](https://github.com/mgechev/codelyzer/releases) - [Changelog](https://github.com/mgechev/codelyzer/blob/master/CHANGELOG.md) - [Commits](https://github.com/mgechev/codelyzer/commits/6.0.1) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump @angular-devkit/build-angular from 0.1000.8 to 0.1001.4 in /console (#803) * fix: user session with external login (#797) * fix: user session with external login * fix: tests * fix: tests * fix: change idp config name * fix(container): stop copying / and instead only copy zitadel (#691) * chore: stop copying / and instead only copy zitadel * Update Dockerfile * Update release.yml * enable anchors debug * fix(container): don't copy alpine content into scratch execpt pwd * chore: remove need step * merge master * chore(deps-dev): bump @angular-devkit/build-angular in /console Bumps [@angular-devkit/build-angular](https://github.com/angular/angular-cli) from 0.1000.8 to 0.1001.4. - [Release notes](https://github.com/angular/angular-cli/releases) - [Commits](https://github.com/angular/angular-cli/commits) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Max Peintner <max@caos.ch> * chore(deps): bump uuid from 8.3.0 to 8.3.1 in /console (#802) * fix: user session with external login (#797) * fix: user session with external login * fix: tests * fix: tests * fix: change idp config name * fix(container): stop copying / and instead only copy zitadel (#691) * chore: stop copying / and instead only copy zitadel * Update Dockerfile * Update release.yml * enable anchors debug * fix(container): don't copy alpine content into scratch execpt pwd * chore: remove need step * merge master * chore(deps): bump uuid from 8.3.0 to 8.3.1 in /console Bumps [uuid](https://github.com/uuidjs/uuid) from 8.3.0 to 8.3.1. - [Release notes](https://github.com/uuidjs/uuid/releases) - [Changelog](https://github.com/uuidjs/uuid/blob/master/CHANGELOG.md) - [Commits](https://github.com/uuidjs/uuid/compare/v8.3.0...v8.3.1) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * create memberstable as common component * iam member cleanup * iam + org m table, user table service user avatar * toast config * fix selection emitter * fix project grant table width * project grant members refactor * theme optimizations * member table col delete * lint * fix table row color * refactor grey color * lint scss * org list redirect on click, fix user table undef * refresh table after grant add Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Florian Forster <florian@caos.ch> * fix(console): intercept navigator.language, set browser lang as default for user without explicit setting, user table outline, member create dialog import (#820) * i18n interceptor, set language to browser lang * nullcheck * rm external idp log * fix module imports, rm user displayname from i18n * Update console/src/assets/i18n/de.json Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * fix: delete external idps from users (#822) * fix(console): permission regex, account switcher null check, restrict app and member create access (#821) * fix member table disable, gerneal regexp * fix user session card, app disable * memberships max count * fix policy permissions * permission check for member add dialog * lint * rm accounts log * rm id regex * fix: handle usermemberships on project and project grant delete (#825) * fix: go handler Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Florian Forster <florian@caos.ch> * fix: tests * fix: not needed error handling Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Silvan <silvan.reusser@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Florian Forster <florian@caos.ch>
2025-08-12 01:47:33 +00:00 · 2020-10-15 10:27:13 +02:00
parent adb24a52fc
commit fbb30840f1
248 changed files with 23960 additions and 13843 deletions
--- a/internal/api/grpc/admin/login_policy.go
+++ b/internal/api/grpc/admin/login_policy.go
@@ -14,7 +14,7 @@ func (s *Server) GetDefaultLoginPolicy(ctx context.Context, _ *empty.Empty) (*ad
 	return loginPolicyViewFromModel(result), nil
 }

-func (s *Server) UpdateDefaultLoginPolicy(ctx context.Context, policy *admin.DefaultLoginPolicy) (*admin.DefaultLoginPolicy, error) {
+func (s *Server) UpdateDefaultLoginPolicy(ctx context.Context, policy *admin.DefaultLoginPolicyRequest) (*admin.DefaultLoginPolicy, error) {
 	result, err := s.iam.ChangeDefaultLoginPolicy(ctx, loginPolicyToModel(policy))
 	if err != nil {
 		return nil, err
--- a/internal/api/grpc/admin/login_policy_converter.go
+++ b/internal/api/grpc/admin/login_policy_converter.go
@@ -1,11 +1,13 @@
 package admin

 import (
+	"github.com/caos/logging"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/pkg/grpc/admin"
+	"github.com/golang/protobuf/ptypes"
 )

-func loginPolicyToModel(policy *admin.DefaultLoginPolicy) *iam_model.LoginPolicy {
+func loginPolicyToModel(policy *admin.DefaultLoginPolicyRequest) *iam_model.LoginPolicy {
 	return &iam_model.LoginPolicy{
 		AllowUsernamePassword: policy.AllowUsernamePassword,
 		AllowExternalIdp:      policy.AllowExternalIdp,
@@ -14,18 +16,34 @@ func loginPolicyToModel(policy *admin.DefaultLoginPolicy) *iam_model.LoginPolicy
 }

 func loginPolicyFromModel(policy *iam_model.LoginPolicy) *admin.DefaultLoginPolicy {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-3Fsm9").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-5Gsko").OnError(err).Debug("date parse failed")
+
 	return &admin.DefaultLoginPolicy{
 		AllowUsernamePassword: policy.AllowUsernamePassword,
 		AllowExternalIdp:      policy.AllowExternalIdp,
 		AllowRegister:         policy.AllowRegister,
+		CreationDate:          creationDate,
+		ChangeDate:            changeDate,
 	}
 }

 func loginPolicyViewFromModel(policy *iam_model.LoginPolicyView) *admin.DefaultLoginPolicyView {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-3Gk9s").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-6Jlos").OnError(err).Debug("date parse failed")
+
 	return &admin.DefaultLoginPolicyView{
 		AllowUsernamePassword: policy.AllowUsernamePassword,
 		AllowExternalIdp:      policy.AllowExternalIDP,
 		AllowRegister:         policy.AllowRegister,
+		CreationDate:          creationDate,
+		ChangeDate:            changeDate,
 	}
 }

--- a/internal/api/grpc/admin/org.go
+++ b/internal/api/grpc/admin/org.go
@@ -38,31 +38,47 @@ func (s *Server) SetUpOrg(ctx context.Context, orgSetUp *admin.OrgSetUpRequest)
 	return setUpOrgResponseFromModel(setUp), err
 }

-func (s *Server) GetOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyID) (_ *admin.OrgIamPolicy, err error) {
-	policy, err := s.org.GetOrgIamPolicyByID(ctx, in.OrgId)
+func (s *Server) GetDefaultOrgIamPolicy(ctx context.Context, _ *empty.Empty) (_ *admin.OrgIamPolicyView, err error) {
+	policy, err := s.iam.GetDefaultOrgIAMPolicy(ctx)
 	if err != nil {
 		return nil, err
 	}
-	return orgIamPolicyFromModel(policy), err
+	return orgIAMPolicyViewFromModel(policy), err
+}
+
+func (s *Server) UpdateDefaultOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyRequest) (_ *admin.OrgIamPolicy, err error) {
+	policy, err := s.iam.ChangeDefaultOrgIAMPolicy(ctx, orgIAMPolicyRequestToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return orgIAMPolicyFromModel(policy), err
+}
+
+func (s *Server) GetOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyID) (_ *admin.OrgIamPolicyView, err error) {
+	policy, err := s.org.GetOrgIAMPolicyByID(ctx, in.OrgId)
+	if err != nil {
+		return nil, err
+	}
+	return orgIAMPolicyViewFromModel(policy), err
 }

 func (s *Server) CreateOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyRequest) (_ *admin.OrgIamPolicy, err error) {
-	policy, err := s.org.CreateOrgIamPolicy(ctx, orgIamPolicyRequestToModel(in))
+	policy, err := s.org.CreateOrgIAMPolicy(ctx, orgIAMPolicyRequestToModel(in))
 	if err != nil {
 		return nil, err
 	}
-	return orgIamPolicyFromModel(policy), err
+	return orgIAMPolicyFromModel(policy), err
 }

 func (s *Server) UpdateOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyRequest) (_ *admin.OrgIamPolicy, err error) {
-	policy, err := s.org.ChangeOrgIamPolicy(ctx, orgIamPolicyRequestToModel(in))
+	policy, err := s.org.ChangeOrgIAMPolicy(ctx, orgIAMPolicyRequestToModel(in))
 	if err != nil {
 		return nil, err
 	}
-	return orgIamPolicyFromModel(policy), err
+	return orgIAMPolicyFromModel(policy), err
 }

-func (s *Server) DeleteOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyID) (_ *empty.Empty, err error) {
-	err = s.org.RemoveOrgIamPolicy(ctx, in.OrgId)
+func (s *Server) RemoveOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyID) (_ *empty.Empty, err error) {
+	err = s.org.RemoveOrgIAMPolicy(ctx, in.OrgId)
 	return &empty.Empty{}, err
 }
--- a/internal/api/grpc/admin/org_converter.go
+++ b/internal/api/grpc/admin/org_converter.go
@@ -2,6 +2,7 @@ package admin

 import (
 	"github.com/caos/logging"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/golang/protobuf/ptypes"

 	admin_model "github.com/caos/zitadel/internal/admin/model"
@@ -196,7 +197,7 @@ func orgQueryMethodToModel(method admin.OrgSearchMethod) model.SearchMethod {
 	}
 }

-func orgIamPolicyFromModel(policy *org_model.OrgIAMPolicy) *admin.OrgIamPolicy {
+func orgIAMPolicyFromModel(policy *iam_model.OrgIAMPolicy) *admin.OrgIamPolicy {
 	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
 	logging.Log("GRPC-ush36").OnError(err).Debug("unable to get timestamp from time")

@@ -205,20 +206,32 @@ func orgIamPolicyFromModel(policy *org_model.OrgIAMPolicy) *admin.OrgIamPolicy {

 	return &admin.OrgIamPolicy{
 		OrgId:                 policy.AggregateID,
-		Description:           policy.Description,
 		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
-		Default:               policy.Default,
 		CreationDate:          creationDate,
 		ChangeDate:            changeDate,
 	}
 }

-func orgIamPolicyRequestToModel(policy *admin.OrgIamPolicyRequest) *org_model.OrgIAMPolicy {
-	return &org_model.OrgIAMPolicy{
+func orgIAMPolicyViewFromModel(policy *iam_model.OrgIAMPolicyView) *admin.OrgIamPolicyView {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-ush36").OnError(err).Debug("unable to get timestamp from time")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-Ps9fW").OnError(err).Debug("unable to get timestamp from time")
+
+	return &admin.OrgIamPolicyView{
+		OrgId:                 policy.AggregateID,
+		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
+		CreationDate:          creationDate,
+		ChangeDate:            changeDate,
+	}
+}
+
+func orgIAMPolicyRequestToModel(policy *admin.OrgIamPolicyRequest) *iam_model.OrgIAMPolicy {
+	return &iam_model.OrgIAMPolicy{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: policy.OrgId,
 		},
-		Description:           policy.Description,
 		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
 	}
 }
--- a/internal/api/grpc/admin/password_age_policy.go
+++ b/internal/api/grpc/admin/password_age_policy.go
@@ -0,0 +1,23 @@
+package admin
+
+import (
+	"context"
+	"github.com/caos/zitadel/pkg/grpc/admin"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetDefaultPasswordAgePolicy(ctx context.Context, _ *empty.Empty) (*admin.DefaultPasswordAgePolicyView, error) {
+	result, err := s.iam.GetDefaultPasswordAgePolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return passwordAgePolicyViewFromModel(result), nil
+}
+
+func (s *Server) UpdateDefaultPasswordAgePolicy(ctx context.Context, policy *admin.DefaultPasswordAgePolicyRequest) (*admin.DefaultPasswordAgePolicy, error) {
+	result, err := s.iam.ChangeDefaultPasswordAgePolicy(ctx, passwordAgePolicyToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+	return passwordAgePolicyFromModel(result), nil
+}
--- a/internal/api/grpc/admin/password_age_policy_converter.go
+++ b/internal/api/grpc/admin/password_age_policy_converter.go
@@ -0,0 +1,45 @@
+package admin
+
+import (
+	"github.com/caos/logging"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/pkg/grpc/admin"
+	"github.com/golang/protobuf/ptypes"
+)
+
+func passwordAgePolicyToModel(policy *admin.DefaultPasswordAgePolicyRequest) *iam_model.PasswordAgePolicy {
+	return &iam_model.PasswordAgePolicy{
+		MaxAgeDays:     policy.MaxAgeDays,
+		ExpireWarnDays: policy.ExpireWarnDays,
+	}
+}
+
+func passwordAgePolicyFromModel(policy *iam_model.PasswordAgePolicy) *admin.DefaultPasswordAgePolicy {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-mH9os").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-3tGs9").OnError(err).Debug("date parse failed")
+
+	return &admin.DefaultPasswordAgePolicy{
+		MaxAgeDays:     policy.MaxAgeDays,
+		ExpireWarnDays: policy.ExpireWarnDays,
+		CreationDate:   creationDate,
+		ChangeDate:     changeDate,
+	}
+}
+
+func passwordAgePolicyViewFromModel(policy *iam_model.PasswordAgePolicyView) *admin.DefaultPasswordAgePolicyView {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-2Gs9o").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-8Hjss").OnError(err).Debug("date parse failed")
+
+	return &admin.DefaultPasswordAgePolicyView{
+		MaxAgeDays:     policy.MaxAgeDays,
+		ExpireWarnDays: policy.ExpireWarnDays,
+		CreationDate:   creationDate,
+		ChangeDate:     changeDate,
+	}
+}
--- a/internal/api/grpc/admin/password_complexity_policy.go
+++ b/internal/api/grpc/admin/password_complexity_policy.go
@@ -0,0 +1,23 @@
+package admin
+
+import (
+	"context"
+	"github.com/caos/zitadel/pkg/grpc/admin"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetDefaultPasswordComplexityPolicy(ctx context.Context, _ *empty.Empty) (*admin.DefaultPasswordComplexityPolicyView, error) {
+	result, err := s.iam.GetDefaultPasswordComplexityPolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return passwordComplexityPolicyViewFromModel(result), nil
+}
+
+func (s *Server) UpdateDefaultPasswordComplexityPolicy(ctx context.Context, policy *admin.DefaultPasswordComplexityPolicyRequest) (*admin.DefaultPasswordComplexityPolicy, error) {
+	result, err := s.iam.ChangeDefaultPasswordComplexityPolicy(ctx, passwordComplexityPolicyToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+	return passwordComplexityPolicyFromModel(result), nil
+}
--- a/internal/api/grpc/admin/password_complexity_policy_converter.go
+++ b/internal/api/grpc/admin/password_complexity_policy_converter.go
@@ -0,0 +1,54 @@
+package admin
+
+import (
+	"github.com/caos/logging"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/pkg/grpc/admin"
+	"github.com/golang/protobuf/ptypes"
+)
+
+func passwordComplexityPolicyToModel(policy *admin.DefaultPasswordComplexityPolicyRequest) *iam_model.PasswordComplexityPolicy {
+	return &iam_model.PasswordComplexityPolicy{
+		MinLength:    policy.MinLength,
+		HasUppercase: policy.HasUppercase,
+		HasLowercase: policy.HasLowercase,
+		HasNumber:    policy.HasNumber,
+		HasSymbol:    policy.HasSymbol,
+	}
+}
+
+func passwordComplexityPolicyFromModel(policy *iam_model.PasswordComplexityPolicy) *admin.DefaultPasswordComplexityPolicy {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-6Zhs9").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-bMso0").OnError(err).Debug("date parse failed")
+
+	return &admin.DefaultPasswordComplexityPolicy{
+		MinLength:    policy.MinLength,
+		HasUppercase: policy.HasUppercase,
+		HasLowercase: policy.HasLowercase,
+		HasNumber:    policy.HasNumber,
+		HasSymbol:    policy.HasSymbol,
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+	}
+}
+
+func passwordComplexityPolicyViewFromModel(policy *iam_model.PasswordComplexityPolicyView) *admin.DefaultPasswordComplexityPolicyView {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-rTs9f").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-ks9Zt").OnError(err).Debug("date parse failed")
+
+	return &admin.DefaultPasswordComplexityPolicyView{
+		MinLength:    policy.MinLength,
+		HasUppercase: policy.HasUppercase,
+		HasLowercase: policy.HasLowercase,
+		HasNumber:    policy.HasNumber,
+		HasSymbol:    policy.HasSymbol,
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+	}
+}
--- a/internal/api/grpc/admin/password_lockout_policy.go
+++ b/internal/api/grpc/admin/password_lockout_policy.go
@@ -0,0 +1,23 @@
+package admin
+
+import (
+	"context"
+	"github.com/caos/zitadel/pkg/grpc/admin"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetDefaultPasswordLockoutPolicy(ctx context.Context, _ *empty.Empty) (*admin.DefaultPasswordLockoutPolicyView, error) {
+	result, err := s.iam.GetDefaultPasswordLockoutPolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return passwordLockoutPolicyViewFromModel(result), nil
+}
+
+func (s *Server) UpdateDefaultPasswordLockoutPolicy(ctx context.Context, policy *admin.DefaultPasswordLockoutPolicyRequest) (*admin.DefaultPasswordLockoutPolicy, error) {
+	result, err := s.iam.ChangeDefaultPasswordLockoutPolicy(ctx, passwordLockoutPolicyToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+	return passwordLockoutPolicyFromModel(result), nil
+}
--- a/internal/api/grpc/admin/password_lockout_policy_converter.go
+++ b/internal/api/grpc/admin/password_lockout_policy_converter.go
@@ -0,0 +1,45 @@
+package admin
+
+import (
+	"github.com/caos/logging"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/pkg/grpc/admin"
+	"github.com/golang/protobuf/ptypes"
+)
+
+func passwordLockoutPolicyToModel(policy *admin.DefaultPasswordLockoutPolicyRequest) *iam_model.PasswordLockoutPolicy {
+	return &iam_model.PasswordLockoutPolicy{
+		MaxAttempts:         policy.MaxAttempts,
+		ShowLockOutFailures: policy.ShowLockoutFailure,
+	}
+}
+
+func passwordLockoutPolicyFromModel(policy *iam_model.PasswordLockoutPolicy) *admin.DefaultPasswordLockoutPolicy {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-4Gsm9f").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-3Gms9").OnError(err).Debug("date parse failed")
+
+	return &admin.DefaultPasswordLockoutPolicy{
+		MaxAttempts:        policy.MaxAttempts,
+		ShowLockoutFailure: policy.ShowLockOutFailures,
+		CreationDate:       creationDate,
+		ChangeDate:         changeDate,
+	}
+}
+
+func passwordLockoutPolicyViewFromModel(policy *iam_model.PasswordLockoutPolicyView) *admin.DefaultPasswordLockoutPolicyView {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-7Hmlo").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-0oLgs").OnError(err).Debug("date parse failed")
+
+	return &admin.DefaultPasswordLockoutPolicyView{
+		MaxAttempts:        policy.MaxAttempts,
+		ShowLockoutFailure: policy.ShowLockOutFailures,
+		CreationDate:       creationDate,
+		ChangeDate:         changeDate,
+	}
+}