package command
import (
"time"
"github.com/zitadel/zitadel/internal/crypto"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/eventstore"
"github.com/zitadel/zitadel/internal/repository/user"
)
type HumanWebAuthNWriteModel struct {
eventstore.WriteModel
WebauthNTokenID string
Challenge string
KeyID []byte
PublicKey []byte
AttestationType string
AAGUID []byte
SignCount uint32
WebAuthNTokenName string
State domain.MFAState
}
func NewHumanWebAuthNWriteModel(userID, webAuthNTokenID, resourceOwner string) *HumanWebAuthNWriteModel {
return &HumanWebAuthNWriteModel{
WriteModel: eventstore.WriteModel{
AggregateID: userID,
ResourceOwner: resourceOwner,
},
WebauthNTokenID: webAuthNTokenID,
}
}
func (wm *HumanWebAuthNWriteModel) AppendEvents(events ...eventstore.Event) {
for _, event := range events {
switch e := event.(type) {
case *user.HumanWebAuthNAddedEvent:
if wm.WebauthNTokenID == e.WebAuthNTokenID {
wm.WriteModel.AppendEvents(e)
}
case *user.HumanPasswordlessAddedEvent:
if wm.WebauthNTokenID == e.WebAuthNTokenID {
wm.WriteModel.AppendEvents(&e.HumanWebAuthNAddedEvent)
}
case *user.HumanU2FAddedEvent:
if wm.WebauthNTokenID == e.WebAuthNTokenID {
wm.WriteModel.AppendEvents(&e.HumanWebAuthNAddedEvent)
}
case *user.HumanWebAuthNVerifiedEvent:
if wm.WebauthNTokenID == e.WebAuthNTokenID {
wm.WriteModel.AppendEvents(e)
}
case *user.HumanPasswordlessVerifiedEvent:
if wm.WebauthNTokenID == e.WebAuthNTokenID {
wm.WriteModel.AppendEvents(&e.HumanWebAuthNVerifiedEvent)
}
case *user.HumanU2FVerifiedEvent:
if wm.WebauthNTokenID == e.WebAuthNTokenID {
wm.WriteModel.AppendEvents(&e.HumanWebAuthNVerifiedEvent)
}
case *user.HumanWebAuthNSignCountChangedEvent:
if wm.WebauthNTokenID == e.WebAuthNTokenID {
wm.WriteModel.AppendEvents(e)
}
case *user.HumanPasswordlessSignCountChangedEvent:
if wm.WebauthNTokenID == e.WebAuthNTokenID {
wm.WriteModel.AppendEvents(&e.HumanWebAuthNSignCountChangedEvent)
}
case *user.HumanU2FSignCountChangedEvent:
if wm.WebauthNTokenID == e.WebAuthNTokenID {
wm.WriteModel.AppendEvents(&e.HumanWebAuthNSignCountChangedEvent)
}
case *user.HumanWebAuthNRemovedEvent:
if wm.WebauthNTokenID == e.WebAuthNTokenID {
wm.WriteModel.AppendEvents(e)
}
case *user.HumanPasswordlessRemovedEvent:
if wm.WebauthNTokenID == e.WebAuthNTokenID {
wm.WriteModel.AppendEvents(&e.HumanWebAuthNRemovedEvent)
}
case *user.HumanU2FRemovedEvent:
if wm.WebauthNTokenID == e.WebAuthNTokenID {
wm.WriteModel.AppendEvents(&e.HumanWebAuthNRemovedEvent)
}
case *user.UserRemovedEvent:
wm.WriteModel.AppendEvents(e)
}
}
}
func (wm *HumanWebAuthNWriteModel) Reduce() error {
for _, event := range wm.Events {
switch e := event.(type) {
case *user.HumanWebAuthNAddedEvent:
wm.appendAddedEvent(e)
case *user.HumanWebAuthNVerifiedEvent:
wm.appendVerifiedEvent(e)
case *user.HumanWebAuthNSignCountChangedEvent:
wm.SignCount = e.SignCount
case *user.HumanWebAuthNRemovedEvent:
wm.State = domain.MFAStateRemoved
case *user.UserRemovedEvent:
wm.State = domain.MFAStateRemoved
}
}
return wm.WriteModel.Reduce()
}
func (wm *HumanWebAuthNWriteModel) appendAddedEvent(e *user.HumanWebAuthNAddedEvent) {
wm.WebauthNTokenID = e.WebAuthNTokenID
wm.Challenge = e.Challenge
wm.State = domain.MFAStateNotReady
}
func (wm *HumanWebAuthNWriteModel) appendVerifiedEvent(e *user.HumanWebAuthNVerifiedEvent) {
wm.KeyID = e.KeyID
wm.PublicKey = e.PublicKey
wm.AttestationType = e.AttestationType
wm.AAGUID = e.AAGUID
wm.SignCount = e.SignCount
wm.WebAuthNTokenName = e.WebAuthNTokenName
wm.State = domain.MFAStateReady
}
func (wm *HumanWebAuthNWriteModel) Query() *eventstore.SearchQueryBuilder {
return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
ResourceOwner(wm.ResourceOwner).
AddQuery().
AggregateTypes(user.AggregateType).
AggregateIDs(wm.AggregateID).
EventTypes(user.HumanU2FTokenAddedType,
user.HumanPasswordlessTokenAddedType,
user.HumanU2FTokenAddedType,
user.HumanPasswordlessTokenAddedType,
user.HumanU2FTokenSignCountChangedType,
user.HumanPasswordlessTokenSignCountChangedType,
user.HumanU2FTokenRemovedType,
user.HumanPasswordlessTokenRemovedType,
user.UserRemovedType).
Builder()
}
type HumanU2FTokensReadModel struct {
eventstore.WriteModel
WebAuthNTokens []*HumanWebAuthNWriteModel
UserState domain.UserState
}
func NewHumanU2FTokensReadModel(userID, resourceOwner string) *HumanU2FTokensReadModel {
return &HumanU2FTokensReadModel{
WriteModel: eventstore.WriteModel{
AggregateID: userID,
ResourceOwner: resourceOwner,
},
}
}
func (wm *HumanU2FTokensReadModel) AppendEvents(events ...eventstore.Event) {
wm.WriteModel.AppendEvents(events...)
}
func (wm *HumanU2FTokensReadModel) Reduce() error {
for _, event := range wm.Events {
switch e := event.(type) {
case *user.HumanU2FAddedEvent:
token := &HumanWebAuthNWriteModel{}
token.appendAddedEvent(&e.HumanWebAuthNAddedEvent)
token.WriteModel = eventstore.WriteModel{
AggregateID: e.Aggregate().ID,
}
replaced := false
for i, existingTokens := range wm.WebAuthNTokens {
if existingTokens.State == domain.MFAStateNotReady {
wm.WebAuthNTokens[i] = token
replaced = true
}
}
if !replaced {
wm.WebAuthNTokens = append(wm.WebAuthNTokens, token)
}
case *user.HumanU2FVerifiedEvent:
idx, token := wm.WebAuthNTokenByID(e.WebAuthNTokenID)
if idx < 0 {
continue
}
token.appendVerifiedEvent(&e.HumanWebAuthNVerifiedEvent)
case *user.HumanU2FRemovedEvent:
idx, _ := wm.WebAuthNTokenByID(e.WebAuthNTokenID)
if idx < 0 {
continue
}
copy(wm.WebAuthNTokens[idx:], wm.WebAuthNTokens[idx+1:])
wm.WebAuthNTokens[len(wm.WebAuthNTokens)-1] = nil
wm.WebAuthNTokens = wm.WebAuthNTokens[:len(wm.WebAuthNTokens)-1]
case *user.UserRemovedEvent:
wm.UserState = domain.UserStateDeleted
}
}
return wm.WriteModel.Reduce()
}
func (rm *HumanU2FTokensReadModel) Query() *eventstore.SearchQueryBuilder {
return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
ResourceOwner(rm.ResourceOwner).
AddQuery().
AggregateTypes(user.AggregateType).
AggregateIDs(rm.AggregateID).
EventTypes(
user.HumanU2FTokenAddedType,
user.HumanU2FTokenVerifiedType,
user.HumanU2FTokenRemovedType).
Builder()
}
func (wm *HumanU2FTokensReadModel) WebAuthNTokenByID(id string) (idx int, token *HumanWebAuthNWriteModel) {
for idx, token = range wm.WebAuthNTokens {
if token.WebauthNTokenID == id {
return idx, token
}
}
return -1, nil
}
type HumanPasswordlessTokensReadModel struct {
eventstore.WriteModel
WebAuthNTokens []*HumanWebAuthNWriteModel
UserState domain.UserState
}
func NewHumanPasswordlessTokensReadModel(userID, resourceOwner string) *HumanPasswordlessTokensReadModel {
return &HumanPasswordlessTokensReadModel{
WriteModel: eventstore.WriteModel{
AggregateID: userID,
ResourceOwner: resourceOwner,
},
}
}
func (wm *HumanPasswordlessTokensReadModel) AppendEvents(events ...eventstore.Event) {
wm.WriteModel.AppendEvents(events...)
}
func (wm *HumanPasswordlessTokensReadModel) Reduce() error {
for _, event := range wm.Events {
switch e := event.(type) {
case *user.HumanPasswordlessAddedEvent:
token := &HumanWebAuthNWriteModel{}
token.appendAddedEvent(&e.HumanWebAuthNAddedEvent)
token.WriteModel = eventstore.WriteModel{
AggregateID: e.Aggregate().ID,
}
replaced := false
for i, existingTokens := range wm.WebAuthNTokens {
if existingTokens.State == domain.MFAStateNotReady {
wm.WebAuthNTokens[i] = token
replaced = true
}
}
if !replaced {
wm.WebAuthNTokens = append(wm.WebAuthNTokens, token)
}
case *user.HumanPasswordlessVerifiedEvent:
idx, token := wm.WebAuthNTokenByID(e.WebAuthNTokenID)
if idx < 0 {
continue
}
token.appendVerifiedEvent(&e.HumanWebAuthNVerifiedEvent)
case *user.HumanPasswordlessRemovedEvent:
idx, _ := wm.WebAuthNTokenByID(e.WebAuthNTokenID)
if idx < 0 {
continue
}
copy(wm.WebAuthNTokens[idx:], wm.WebAuthNTokens[idx+1:])
wm.WebAuthNTokens[len(wm.WebAuthNTokens)-1] = nil
wm.WebAuthNTokens = wm.WebAuthNTokens[:len(wm.WebAuthNTokens)-1]
case *user.UserRemovedEvent:
wm.UserState = domain.UserStateDeleted
}
}
return wm.WriteModel.Reduce()
}
func (rm *HumanPasswordlessTokensReadModel) Query() *eventstore.SearchQueryBuilder {
return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
ResourceOwner(rm.ResourceOwner).
AddQuery().
AggregateTypes(user.AggregateType).
AggregateIDs(rm.AggregateID).
EventTypes(
user.HumanPasswordlessTokenAddedType,
user.HumanPasswordlessTokenVerifiedType,
user.HumanPasswordlessTokenRemovedType).
Builder()
}
func (wm *HumanPasswordlessTokensReadModel) WebAuthNTokenByID(id string) (idx int, token *HumanWebAuthNWriteModel) {
for idx, token = range wm.WebAuthNTokens {
if token.WebauthNTokenID == id {
return idx, token
}
}
return -1, nil
}
type HumanU2FLoginReadModel struct {
eventstore.WriteModel
AuthReqID string
Challenge string
AllowedCredentialIDs [][]byte
UserVerification domain.UserVerificationRequirement
State domain.UserState
}
func NewHumanU2FLoginReadModel(userID, authReqID, resourceOwner string) *HumanU2FLoginReadModel {
return &HumanU2FLoginReadModel{
WriteModel: eventstore.WriteModel{
AggregateID: userID,
ResourceOwner: resourceOwner,
},
AuthReqID: authReqID,
}
}
func (wm *HumanU2FLoginReadModel) AppendEvents(events ...eventstore.Event) {
for _, event := range events {
switch e := event.(type) {
case *user.HumanU2FBeginLoginEvent:
if e.AuthRequestInfo.ID != wm.AuthReqID {
continue
}
wm.WriteModel.AppendEvents(e)
case *user.UserRemovedEvent:
wm.WriteModel.AppendEvents(e)
}
}
}
func (wm *HumanU2FLoginReadModel) Reduce() error {
for _, event := range wm.Events {
switch e := event.(type) {
case *user.HumanU2FBeginLoginEvent:
wm.Challenge = e.Challenge
wm.AllowedCredentialIDs = e.AllowedCredentialIDs
wm.UserVerification = e.UserVerification
wm.State = domain.UserStateActive
case *user.UserRemovedEvent:
wm.State = domain.UserStateDeleted
}
}
return wm.WriteModel.Reduce()
}
func (rm *HumanU2FLoginReadModel) Query() *eventstore.SearchQueryBuilder {
return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
ResourceOwner(rm.ResourceOwner).
AddQuery().
AggregateTypes(user.AggregateType).
AggregateIDs(rm.AggregateID).
EventTypes(
user.HumanU2FTokenBeginLoginType,
user.UserRemovedType).
Builder()
}
type HumanPasswordlessLoginReadModel struct {
eventstore.WriteModel
AuthReqID string
Challenge string
AllowedCredentialIDs [][]byte
UserVerification domain.UserVerificationRequirement
State domain.UserState
}
func NewHumanPasswordlessLoginReadModel(userID, authReqID, resourceOwner string) *HumanPasswordlessLoginReadModel {
return &HumanPasswordlessLoginReadModel{
WriteModel: eventstore.WriteModel{
AggregateID: userID,
ResourceOwner: resourceOwner,
},
AuthReqID: authReqID,
}
}
func (wm *HumanPasswordlessLoginReadModel) AppendEvents(events ...eventstore.Event) {
for _, event := range events {
switch e := event.(type) {
case *user.HumanPasswordlessBeginLoginEvent:
if e.AuthRequestInfo.ID != wm.AuthReqID {
continue
}
wm.WriteModel.AppendEvents(e)
case *user.UserRemovedEvent:
wm.WriteModel.AppendEvents(e)
}
}
}
func (wm *HumanPasswordlessLoginReadModel) Reduce() error {
for _, event := range wm.Events {
switch e := event.(type) {
case *user.HumanPasswordlessBeginLoginEvent:
wm.Challenge = e.Challenge
wm.AllowedCredentialIDs = e.AllowedCredentialIDs
wm.UserVerification = e.UserVerification
wm.State = domain.UserStateActive
case *user.UserRemovedEvent:
wm.State = domain.UserStateDeleted
}
}
return wm.WriteModel.Reduce()
}
func (rm *HumanPasswordlessLoginReadModel) Query() *eventstore.SearchQueryBuilder {
return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
ResourceOwner(rm.ResourceOwner).
AddQuery().
AggregateTypes(user.AggregateType).
AggregateIDs(rm.AggregateID).
EventTypes(
user.HumanPasswordlessTokenBeginLoginType,
user.UserRemovedType).
Builder()
}
type HumanPasswordlessInitCodeWriteModel struct {
eventstore.WriteModel
CodeID string
Attempts uint8
CryptoCode *crypto.CryptoValue
Expiration time.Duration
State domain.PasswordlessInitCodeState
}
func NewHumanPasswordlessInitCodeWriteModel(userID, codeID, resourceOwner string) *HumanPasswordlessInitCodeWriteModel {
return &HumanPasswordlessInitCodeWriteModel{
WriteModel: eventstore.WriteModel{
AggregateID: userID,
ResourceOwner: resourceOwner,
},
CodeID: codeID,
}
}
func (wm *HumanPasswordlessInitCodeWriteModel) AppendEvents(events ...eventstore.Event) {
for _, event := range events {
switch e := event.(type) {
case *user.HumanPasswordlessInitCodeAddedEvent:
if wm.CodeID == e.ID {
wm.WriteModel.AppendEvents(e)
}
case *user.HumanPasswordlessInitCodeRequestedEvent:
if wm.CodeID == e.ID {
wm.WriteModel.AppendEvents(e)
}
case *user.HumanPasswordlessInitCodeSentEvent:
if wm.CodeID == e.ID {
wm.WriteModel.AppendEvents(e)
}
case *user.HumanPasswordlessInitCodeCheckFailedEvent:
if wm.CodeID == e.ID {
wm.WriteModel.AppendEvents(e)
}
case *user.HumanPasswordlessInitCodeCheckSucceededEvent:
if wm.CodeID == e.ID {
wm.WriteModel.AppendEvents(e)
}
case *user.UserRemovedEvent:
wm.WriteModel.AppendEvents(e)
}
}
}
func (wm *HumanPasswordlessInitCodeWriteModel) Reduce() error {
for _, event := range wm.Events {
switch e := event.(type) {
case *user.HumanPasswordlessInitCodeAddedEvent:
wm.appendAddedEvent(e)
case *user.HumanPasswordlessInitCodeRequestedEvent:
wm.appendRequestedEvent(e)
case *user.HumanPasswordlessInitCodeSentEvent:
wm.State = domain.PasswordlessInitCodeStateActive
case *user.HumanPasswordlessInitCodeCheckFailedEvent:
wm.appendCheckFailedEvent(e)
case *user.HumanPasswordlessInitCodeCheckSucceededEvent:
wm.State = domain.PasswordlessInitCodeStateRemoved
case *user.UserRemovedEvent:
wm.State = domain.PasswordlessInitCodeStateRemoved
}
}
return wm.WriteModel.Reduce()
}
func (wm *HumanPasswordlessInitCodeWriteModel) appendAddedEvent(e *user.HumanPasswordlessInitCodeAddedEvent) {
wm.CryptoCode = e.Code
wm.Expiration = e.Expiry
wm.State = domain.PasswordlessInitCodeStateActive
}
func (wm *HumanPasswordlessInitCodeWriteModel) appendRequestedEvent(e *user.HumanPasswordlessInitCodeRequestedEvent) {
wm.CryptoCode = e.Code
wm.Expiration = e.Expiry
wm.State = domain.PasswordlessInitCodeStateRequested
}
func (wm *HumanPasswordlessInitCodeWriteModel) appendCheckFailedEvent(e *user.HumanPasswordlessInitCodeCheckFailedEvent) {
wm.Attempts++
if wm.Attempts == 3 { //TODO: config?
wm.State = domain.PasswordlessInitCodeStateRemoved
}
}
func (wm *HumanPasswordlessInitCodeWriteModel) Query() *eventstore.SearchQueryBuilder {
return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
ResourceOwner(wm.ResourceOwner).
AddQuery().
AggregateTypes(user.AggregateType).
AggregateIDs(wm.AggregateID).
EventTypes(user.HumanPasswordlessInitCodeAddedType,
user.HumanPasswordlessInitCodeRequestedType,
user.HumanPasswordlessInitCodeSentType,
user.HumanPasswordlessInitCodeCheckFailedType,
user.HumanPasswordlessInitCodeCheckSucceededType,
user.UserRemovedType).
Builder()
}