# Which Problems Are Solved Some organizations / customers have the requirement, that their users regularly need to change their password. ZITADEL already had the possibility to manage a `password age policy` (through the API) with the maximum amount of days a password should be valid, resp. days after which the user should be warned of the upcoming expiration. The policy could not be managed through the Console UI and was not checked in the Login UI. # How the Problems Are Solved - The policy can be managed in the Console UI's settings sections on an instance and organization level. - During an authentication in the Login UI, if a policy is set with an expiry (>0) and the user's last password change exceeds the amount of days set, the user will be prompted to change their password. - The prompt message of the Login UI can be customized in the Custom Login Texts through the Console and API on the instance and each organization. - The information when the user last changed their password is returned in the Auth, Management and User V2 API. - The policy can be retrieved in the settings service as `password expiry settings`. # Additional Changes None. # Additional Context - closes #8081 --------- Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
package domain
import (
"slices"
"strings"
"time"
"golang.org/x/text/language"
"github.com/zitadel/zitadel/internal/zerrors"
)
// AuthRequest is the domain model of one login flow: the parameters received
// from the client, the user and organization resolved during the flow, the
// policies loaded for it, and the verification state (password, IDP, MFA)
// reached so far. Most fields are filled in incrementally by the setters on
// this type (SetUserInfo, SetOrgInformation, SetPolicyOrgID, ...).
type AuthRequest struct {
	ID           string
	AgentID      string
	CreationDate time.Time
	ChangeDate   time.Time
	BrowserInfo  *BrowserInfo // set via WithCurrentInfo

	// Request parameters as received from the client application.
	ApplicationID string
	CallbackURI   string
	TransferState string
	Prompt        []Prompt // see IsPrompt
	PossibleLOAs  []LevelOfAssurance
	UiLocales     []string
	LoginHint     string
	MaxAuthAge    *time.Duration
	InstanceID    string
	// Request holds the protocol-specific part of the request (OIDC, SAML or
	// device); it is created by NewAuthRequestFromType and inspected with a
	// type switch by GetScopeOrgID / GetScopeOrgPrimaryDomain.
	Request Request

	levelOfAssurance LevelOfAssurance

	// User resolved for this request; set together by SetUserInfo
	// (PresignedAvatar and PreferredLanguage are filled elsewhere).
	UserID            string
	UserName          string
	LoginName         string
	DisplayName       string
	AvatarKey         string
	PresignedAvatar   string
	UserOrgID         string
	PreferredLanguage *language.Tag

	// Organization explicitly requested for the login; set together by
	// SetOrgInformation. RequestedOrgDomain mirrors its requestedByDomain
	// argument.
	RequestedOrgID           string
	RequestedOrgName         string
	RequestedPrimaryDomain   string
	RequestedOrgDomain       bool
	ApplicationResourceOwner string
	// PrivateLabelingSetting decides, together with RequestedOrgID and
	// UserOrgID, which organization PrivateLabelingOrgID returns.
	PrivateLabelingSetting PrivateLabelingSetting
	SelectedIDPConfigID    string
	LinkingUsers           []*ExternalUser

	// PossibleSteps is derived state and is never serialized (json:"-");
	// Done reports whether it contains a NextStepRedirectToCallback step.
	PossibleSteps []NextStep `json:"-"`

	// Verification state reached so far; summarized by AuthMethods and
	// UserAuthMethodTypes.
	PasswordVerified bool
	IDPLoginChecked  bool
	MFAsVerified     []MFAType
	Audience         []string // extended through AppendAudIfNotExisting
	AuthTime         time.Time
	Code             string

	// Policies loaded for the request; policyOrgID below records which
	// organization they were loaded for. PasswordAgePolicy is the policy
	// evaluated for the password-expiry prompt described in the commit.
	LoginPolicy         *LoginPolicy
	AllowedExternalIDPs []*IDPProvider
	LabelPolicy         *LabelPolicy
	PrivacyPolicy       *PrivacyPolicy
	LockoutPolicy       *LockoutPolicy
	PasswordAgePolicy   *PasswordAgePolicy
	DefaultTranslations []*CustomText
	OrgTranslations     []*CustomText
	SAMLRequestID       string

	// orgID the policies were last loaded with
	policyOrgID string
}
// SetPolicyOrgID records the organization ID the request's policies were
// last loaded with. Read it back with PolicyOrgID.
func (a *AuthRequest) SetPolicyOrgID(id string) {
	a.policyOrgID = id
}
// PolicyOrgID returns the organization ID the request's policies were last
// loaded with (as set by SetPolicyOrgID); empty if they were never loaded.
func (a *AuthRequest) PolicyOrgID() string {
	orgID := a.policyOrgID
	return orgID
}
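// AuthMethods returns the distinct authentication methods verified in this
// request so far, in the order password, IDP, then the verified MFAs.
//
// Duplicates are dropped wherever they occur. slices.Compact would only
// collapse adjacent equal elements, so a repeated entry in MFAsVerified that
// is not next to its twin would otherwise be reported twice to whoever
// evaluates the method list.
func (a *AuthRequest) AuthMethods() []UserAuthMethodType {
	list := make([]UserAuthMethodType, 0, len(a.MFAsVerified)+2)
	// The list is at most a handful of entries, so a linear membership
	// check is cheaper and simpler than a set.
	add := func(t UserAuthMethodType) {
		if !slices.Contains(list, t) {
			list = append(list, t)
		}
	}
	if a.PasswordVerified {
		add(UserAuthMethodTypePassword)
	}
	if a.IDPLoginChecked {
		add(UserAuthMethodTypeIDP)
	}
	for _, mfa := range a.MFAsVerified {
		add(mfa.UserAuthMethodType())
	}
	return list
}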
// ExternalUser is the user data obtained from an external identity provider
// (identified by IDPConfigID), as collected in AuthRequest.LinkingUsers.
type ExternalUser struct {
	IDPConfigID       string
	ExternalUserID    string
	DisplayName       string
	PreferredUsername string
	FirstName         string
	LastName          string
	NickName          string
	Email             EmailAddress
	// NOTE(review): IsEmailVerified / IsPhoneVerified presumably carry the
	// provider's own assertion; nothing in this file verifies them — confirm
	// at the caller before trusting them for account linking.
	IsEmailVerified   bool
	PreferredLanguage language.Tag
	Phone             PhoneNumber
	IsPhoneVerified   bool
	Metadatas         []*Metadata
}
// Prompt is one of the prompt values a client may request for a login; the
// requested prompts are stored in AuthRequest.Prompt.
type Prompt int32

const (
	PromptUnspecified Prompt = iota
	PromptNone
	PromptLogin
	PromptConsent
	PromptSelectAccount
	PromptCreate
)

// IsPrompt reports whether requestedPrompt is contained in prompt.
// An empty or nil prompt list never matches.
func IsPrompt(prompt []Prompt, requestedPrompt Prompt) bool {
	return slices.Contains(prompt, requestedPrompt)
}
// LevelOfAssurance is the assurance level a client may ask for
// (AuthRequest.PossibleLOAs). Only the "none" level is defined so far.
type LevelOfAssurance int

const (
	LevelOfAssuranceNone LevelOfAssurance = iota
)
// MFAType identifies a multi-factor method verified during a login
// (AuthRequest.MFAsVerified). UserAuthMethodType maps it to the generic
// user auth method type.
type MFAType int

const (
	MFATypeTOTP MFAType = iota
	MFATypeU2F
	// MFATypeU2FUserVerification is reported as UserAuthMethodTypePasswordless
	// by UserAuthMethodType, not as U2F.
	MFATypeU2FUserVerification
	MFATypeOTPSMS
	MFATypeOTPEmail
)
// UserAuthMethodType maps the MFA type to its UserAuthMethodType.
// U2F with user verification is reported as passwordless; any value outside
// the defined MFAType constants yields UserAuthMethodTypeUnspecified.
func (m MFAType) UserAuthMethodType() UserAuthMethodType {
	// Keyed array: the index is the MFAType, the element its method type.
	// The MFAType constants are contiguous from 0, so every in-range index
	// has an explicit entry.
	mapping := [...]UserAuthMethodType{
		MFATypeTOTP:                UserAuthMethodTypeTOTP,
		MFATypeU2F:                 UserAuthMethodTypeU2F,
		MFATypeU2FUserVerification: UserAuthMethodTypePasswordless,
		MFATypeOTPSMS:              UserAuthMethodTypeOTPSMS,
		MFATypeOTPEmail:            UserAuthMethodTypeOTPEmail,
	}
	if m < 0 || int(m) >= len(mapping) {
		return UserAuthMethodTypeUnspecified
	}
	return mapping[m]
}
// MFALevel classifies how much multi-factor authentication a request has
// reached. Note that AuthRequest.MFALevel currently returns -1, which is
// none of these values.
type MFALevel int

const (
	MFALevelNotSetUp MFALevel = iota
	MFALevelSecondFactor
	MFALevelMultiFactor
	MFALevelMultiFactorCertified
)
// AuthRequestState is the lifecycle state of an AuthRequest, from creation
// (Added) through code issuance and exchange to a terminal Failed or
// Succeeded state.
type AuthRequestState int

const (
	AuthRequestStateUnspecified AuthRequestState = iota
	AuthRequestStateAdded
	AuthRequestStateCodeAdded
	AuthRequestStateCodeExchanged
	AuthRequestStateFailed
	AuthRequestStateSucceeded
)
// NewAuthRequestFromType creates an empty AuthRequest whose Request field
// holds the protocol-specific request struct for requestType (OIDC, SAML or
// device). Any other type is rejected with an invalid-argument error
// ("DOMAIN-ds2kl").
func NewAuthRequestFromType(requestType AuthRequestType) (*AuthRequest, error) {
	var request Request
	switch requestType {
	case AuthRequestTypeOIDC:
		request = &AuthRequestOIDC{}
	case AuthRequestTypeSAML:
		request = &AuthRequestSAML{}
	case AuthRequestTypeDevice:
		request = &AuthRequestDevice{}
	default:
		return nil, zerrors.ThrowInvalidArgument(nil, "DOMAIN-ds2kl", "invalid request type")
	}
	return &AuthRequest{Request: request}, nil
}
// WithCurrentInfo replaces the request's BrowserInfo with info and returns
// the same request so calls can be chained. The request is mutated in place.
func (a *AuthRequest) WithCurrentInfo(info *BrowserInfo) *AuthRequest {
	request := a
	request.BrowserInfo = info
	return request
}
// SetUserInfo stores the resolved user's ID, user name, login name, display
// name, avatar key and organization ID on the request. PresignedAvatar and
// PreferredLanguage are not touched.
func (a *AuthRequest) SetUserInfo(userID, userName, loginName, displayName, avatar, userOrgID string) {
	a.UserID, a.UserName, a.LoginName = userID, userName, loginName
	a.DisplayName, a.AvatarKey, a.UserOrgID = displayName, avatar, userOrgID
}
// SetOrgInformation stores the organization requested for this login:
// its ID, name and primary domain, plus whether it was requested by domain
// (requestedByDomain ends up in RequestedOrgDomain).
func (a *AuthRequest) SetOrgInformation(id, name, primaryDomain string, requestedByDomain bool) {
	a.RequestedOrgID, a.RequestedOrgName = id, name
	a.RequestedPrimaryDomain, a.RequestedOrgDomain = primaryDomain, requestedByDomain
}
// MFALevel is not implemented yet and always returns -1, which is none of
// the defined MFALevel constants (those start at MFALevelNotSetUp = 0).
// Callers must not treat the result as a real level.
//
// PLANNED: derive the level from a.PossibleLOAs (and possibly the login prompt).
func (a *AuthRequest) MFALevel() MFALevel {
	const notEvaluated MFALevel = -1
	return notEvaluated
}
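// AppendAudIfNotExisting adds aud to the request's Audience unless it is
// already listed, so the audience stays free of duplicates.
//
// The membership check is done with slices.Contains instead of a hand-rolled
// loop; the original loop variable shadowed the receiver a, which is easy to
// misread and trips the shadow linters.
func (a *AuthRequest) AppendAudIfNotExisting(aud string) {
	if slices.Contains(a.Audience, aud) {
		return
	}
	a.Audience = append(a.Audience, aud)
}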
// GetScopeOrgPrimaryDomain returns the value carried by the first OIDC scope
// prefixed with OrgDomainPrimaryScope. It returns "" when the request is not
// an OIDC request or no such scope is present.
func (a *AuthRequest) GetScopeOrgPrimaryDomain() string {
	oidc, ok := a.Request.(*AuthRequestOIDC)
	if !ok {
		return ""
	}
	for _, scope := range oidc.Scopes {
		if domain, found := strings.CutPrefix(scope, OrgDomainPrimaryScope); found {
			return domain
		}
	}
	return ""
}
// GetScopeOrgID returns the value carried by the first OIDC scope prefixed
// with OrgIDScope. It returns "" when the request is not an OIDC request or
// no such scope is present.
func (a *AuthRequest) GetScopeOrgID() string {
	oidc, ok := a.Request.(*AuthRequestOIDC)
	if !ok {
		return ""
	}
	for _, scope := range oidc.Scopes {
		if orgID, found := strings.CutPrefix(scope, OrgIDScope); found {
			return orgID
		}
	}
	return ""
}
// Done reports whether the request has reached its end, i.e. one of its
// PossibleSteps is a NextStepRedirectToCallback step.
func (a *AuthRequest) Done() bool {
	isRedirect := func(step NextStep) bool {
		return step.Type() == NextStepRedirectToCallback
	}
	return slices.ContainsFunc(a.PossibleSteps, isRedirect)
}
// PrivateLabelingOrgID selects the organization ID whose private labeling
// applies to this request, in this precedence:
//
//  1. the explicitly requested organization (RequestedOrgID), if any;
//  2. the user's organization (UserOrgID), if known and the setting is
//     unspecified or allows the login user's resource owner policy;
//  3. the application's resource owner, if the setting is specified;
//  4. defaultID otherwise.
func (a *AuthRequest) PrivateLabelingOrgID(defaultID string) string {
	setting := a.PrivateLabelingSetting
	userOrgAllowed := setting == PrivateLabelingSettingAllowLoginUserResourceOwnerPolicy ||
		setting == PrivateLabelingSettingUnspecified

	switch {
	case a.RequestedOrgID != "":
		return a.RequestedOrgID
	case userOrgAllowed && a.UserOrgID != "":
		return a.UserOrgID
	case setting != PrivateLabelingSettingUnspecified:
		return a.ApplicationResourceOwner
	default:
		return defaultID
	}
}
// UserAuthMethodTypes returns the password method (if verified) followed by
// the method type of every verified MFA, in MFAsVerified order. Unlike
// AuthMethods it does not include IDP logins and does not remove duplicates.
func (a *AuthRequest) UserAuthMethodTypes() []UserAuthMethodType {
	methods := make([]UserAuthMethodType, 0, len(a.MFAsVerified)+1)
	if a.PasswordVerified {
		methods = append(methods, UserAuthMethodTypePassword)
	}
	for i := range a.MFAsVerified {
		methods = append(methods, a.MFAsVerified[i].UserAuthMethodType())
	}
	return methods
}