mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-17 05:18:04 +00:00
cea0595328
This reverts commit a301c40f9f
.
538 lines
16 KiB
Go
538 lines
16 KiB
Go
package command
|
|
|
|
import (
|
|
"time"
|
|
|
|
"github.com/zitadel/zitadel/internal/crypto"
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
"github.com/zitadel/zitadel/internal/repository/user"
|
|
)
|
|
|
|
type HumanWebAuthNWriteModel struct {
|
|
eventstore.WriteModel
|
|
|
|
WebauthNTokenID string
|
|
Challenge string
|
|
|
|
KeyID []byte
|
|
PublicKey []byte
|
|
AttestationType string
|
|
AAGUID []byte
|
|
SignCount uint32
|
|
WebAuthNTokenName string
|
|
|
|
State domain.MFAState
|
|
}
|
|
|
|
func NewHumanWebAuthNWriteModel(userID, webAuthNTokenID, resourceOwner string) *HumanWebAuthNWriteModel {
|
|
return &HumanWebAuthNWriteModel{
|
|
WriteModel: eventstore.WriteModel{
|
|
AggregateID: userID,
|
|
ResourceOwner: resourceOwner,
|
|
},
|
|
WebauthNTokenID: webAuthNTokenID,
|
|
}
|
|
}
|
|
|
|
func (wm *HumanWebAuthNWriteModel) AppendEvents(events ...eventstore.Event) {
|
|
for _, event := range events {
|
|
switch e := event.(type) {
|
|
case *user.HumanWebAuthNAddedEvent:
|
|
if wm.WebauthNTokenID == e.WebAuthNTokenID {
|
|
wm.WriteModel.AppendEvents(e)
|
|
}
|
|
case *user.HumanPasswordlessAddedEvent:
|
|
if wm.WebauthNTokenID == e.WebAuthNTokenID {
|
|
wm.WriteModel.AppendEvents(&e.HumanWebAuthNAddedEvent)
|
|
}
|
|
case *user.HumanU2FAddedEvent:
|
|
if wm.WebauthNTokenID == e.WebAuthNTokenID {
|
|
wm.WriteModel.AppendEvents(&e.HumanWebAuthNAddedEvent)
|
|
}
|
|
case *user.HumanWebAuthNVerifiedEvent:
|
|
if wm.WebauthNTokenID == e.WebAuthNTokenID {
|
|
wm.WriteModel.AppendEvents(e)
|
|
}
|
|
case *user.HumanPasswordlessVerifiedEvent:
|
|
if wm.WebauthNTokenID == e.WebAuthNTokenID {
|
|
wm.WriteModel.AppendEvents(&e.HumanWebAuthNVerifiedEvent)
|
|
}
|
|
case *user.HumanU2FVerifiedEvent:
|
|
if wm.WebauthNTokenID == e.WebAuthNTokenID {
|
|
wm.WriteModel.AppendEvents(&e.HumanWebAuthNVerifiedEvent)
|
|
}
|
|
case *user.HumanWebAuthNSignCountChangedEvent:
|
|
if wm.WebauthNTokenID == e.WebAuthNTokenID {
|
|
wm.WriteModel.AppendEvents(e)
|
|
}
|
|
case *user.HumanPasswordlessSignCountChangedEvent:
|
|
if wm.WebauthNTokenID == e.WebAuthNTokenID {
|
|
wm.WriteModel.AppendEvents(&e.HumanWebAuthNSignCountChangedEvent)
|
|
}
|
|
case *user.HumanU2FSignCountChangedEvent:
|
|
if wm.WebauthNTokenID == e.WebAuthNTokenID {
|
|
wm.WriteModel.AppendEvents(&e.HumanWebAuthNSignCountChangedEvent)
|
|
}
|
|
case *user.HumanWebAuthNRemovedEvent:
|
|
if wm.WebauthNTokenID == e.WebAuthNTokenID {
|
|
wm.WriteModel.AppendEvents(e)
|
|
}
|
|
case *user.HumanPasswordlessRemovedEvent:
|
|
if wm.WebauthNTokenID == e.WebAuthNTokenID {
|
|
wm.WriteModel.AppendEvents(&e.HumanWebAuthNRemovedEvent)
|
|
}
|
|
case *user.HumanU2FRemovedEvent:
|
|
if wm.WebauthNTokenID == e.WebAuthNTokenID {
|
|
wm.WriteModel.AppendEvents(&e.HumanWebAuthNRemovedEvent)
|
|
}
|
|
case *user.UserRemovedEvent:
|
|
wm.WriteModel.AppendEvents(e)
|
|
}
|
|
}
|
|
}
|
|
|
|
func (wm *HumanWebAuthNWriteModel) Reduce() error {
|
|
for _, event := range wm.Events {
|
|
switch e := event.(type) {
|
|
case *user.HumanWebAuthNAddedEvent:
|
|
wm.appendAddedEvent(e)
|
|
case *user.HumanWebAuthNVerifiedEvent:
|
|
wm.appendVerifiedEvent(e)
|
|
case *user.HumanWebAuthNSignCountChangedEvent:
|
|
wm.SignCount = e.SignCount
|
|
case *user.HumanWebAuthNRemovedEvent:
|
|
wm.State = domain.MFAStateRemoved
|
|
case *user.UserRemovedEvent:
|
|
wm.State = domain.MFAStateRemoved
|
|
}
|
|
}
|
|
return wm.WriteModel.Reduce()
|
|
}
|
|
|
|
func (wm *HumanWebAuthNWriteModel) appendAddedEvent(e *user.HumanWebAuthNAddedEvent) {
|
|
wm.WebauthNTokenID = e.WebAuthNTokenID
|
|
wm.Challenge = e.Challenge
|
|
wm.State = domain.MFAStateNotReady
|
|
}
|
|
|
|
func (wm *HumanWebAuthNWriteModel) appendVerifiedEvent(e *user.HumanWebAuthNVerifiedEvent) {
|
|
wm.KeyID = e.KeyID
|
|
wm.PublicKey = e.PublicKey
|
|
wm.AttestationType = e.AttestationType
|
|
wm.AAGUID = e.AAGUID
|
|
wm.SignCount = e.SignCount
|
|
wm.WebAuthNTokenName = e.WebAuthNTokenName
|
|
wm.State = domain.MFAStateReady
|
|
}
|
|
|
|
func (wm *HumanWebAuthNWriteModel) Query() *eventstore.SearchQueryBuilder {
|
|
return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
|
|
ResourceOwner(wm.ResourceOwner).
|
|
AddQuery().
|
|
AggregateTypes(user.AggregateType).
|
|
AggregateIDs(wm.AggregateID).
|
|
EventTypes(user.HumanU2FTokenAddedType,
|
|
user.HumanPasswordlessTokenAddedType,
|
|
user.HumanU2FTokenAddedType,
|
|
user.HumanPasswordlessTokenAddedType,
|
|
user.HumanU2FTokenSignCountChangedType,
|
|
user.HumanPasswordlessTokenSignCountChangedType,
|
|
user.HumanU2FTokenRemovedType,
|
|
user.HumanPasswordlessTokenRemovedType,
|
|
user.UserRemovedType).
|
|
Builder()
|
|
}
|
|
|
|
type HumanU2FTokensReadModel struct {
|
|
eventstore.WriteModel
|
|
|
|
WebAuthNTokens []*HumanWebAuthNWriteModel
|
|
UserState domain.UserState
|
|
}
|
|
|
|
func NewHumanU2FTokensReadModel(userID, resourceOwner string) *HumanU2FTokensReadModel {
|
|
return &HumanU2FTokensReadModel{
|
|
WriteModel: eventstore.WriteModel{
|
|
AggregateID: userID,
|
|
ResourceOwner: resourceOwner,
|
|
},
|
|
}
|
|
}
|
|
|
|
func (wm *HumanU2FTokensReadModel) AppendEvents(events ...eventstore.Event) {
|
|
wm.WriteModel.AppendEvents(events...)
|
|
}
|
|
|
|
func (wm *HumanU2FTokensReadModel) Reduce() error {
|
|
for _, event := range wm.Events {
|
|
switch e := event.(type) {
|
|
case *user.HumanU2FAddedEvent:
|
|
token := &HumanWebAuthNWriteModel{}
|
|
token.appendAddedEvent(&e.HumanWebAuthNAddedEvent)
|
|
token.WriteModel = eventstore.WriteModel{
|
|
AggregateID: e.Aggregate().ID,
|
|
}
|
|
replaced := false
|
|
for i, existingTokens := range wm.WebAuthNTokens {
|
|
if existingTokens.State == domain.MFAStateNotReady {
|
|
wm.WebAuthNTokens[i] = token
|
|
replaced = true
|
|
}
|
|
}
|
|
if !replaced {
|
|
wm.WebAuthNTokens = append(wm.WebAuthNTokens, token)
|
|
}
|
|
case *user.HumanU2FVerifiedEvent:
|
|
idx, token := wm.WebAuthNTokenByID(e.WebAuthNTokenID)
|
|
if idx < 0 {
|
|
continue
|
|
}
|
|
token.appendVerifiedEvent(&e.HumanWebAuthNVerifiedEvent)
|
|
case *user.HumanU2FRemovedEvent:
|
|
idx, _ := wm.WebAuthNTokenByID(e.WebAuthNTokenID)
|
|
if idx < 0 {
|
|
continue
|
|
}
|
|
copy(wm.WebAuthNTokens[idx:], wm.WebAuthNTokens[idx+1:])
|
|
wm.WebAuthNTokens[len(wm.WebAuthNTokens)-1] = nil
|
|
wm.WebAuthNTokens = wm.WebAuthNTokens[:len(wm.WebAuthNTokens)-1]
|
|
case *user.UserRemovedEvent:
|
|
wm.UserState = domain.UserStateDeleted
|
|
}
|
|
}
|
|
return wm.WriteModel.Reduce()
|
|
}
|
|
|
|
func (rm *HumanU2FTokensReadModel) Query() *eventstore.SearchQueryBuilder {
|
|
return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
|
|
ResourceOwner(rm.ResourceOwner).
|
|
AddQuery().
|
|
AggregateTypes(user.AggregateType).
|
|
AggregateIDs(rm.AggregateID).
|
|
EventTypes(
|
|
user.HumanU2FTokenAddedType,
|
|
user.HumanU2FTokenVerifiedType,
|
|
user.HumanU2FTokenRemovedType).
|
|
Builder()
|
|
|
|
}
|
|
|
|
func (wm *HumanU2FTokensReadModel) WebAuthNTokenByID(id string) (idx int, token *HumanWebAuthNWriteModel) {
|
|
for idx, token = range wm.WebAuthNTokens {
|
|
if token.WebauthNTokenID == id {
|
|
return idx, token
|
|
}
|
|
}
|
|
return -1, nil
|
|
}
|
|
|
|
type HumanPasswordlessTokensReadModel struct {
|
|
eventstore.WriteModel
|
|
|
|
WebAuthNTokens []*HumanWebAuthNWriteModel
|
|
UserState domain.UserState
|
|
}
|
|
|
|
func NewHumanPasswordlessTokensReadModel(userID, resourceOwner string) *HumanPasswordlessTokensReadModel {
|
|
return &HumanPasswordlessTokensReadModel{
|
|
WriteModel: eventstore.WriteModel{
|
|
AggregateID: userID,
|
|
ResourceOwner: resourceOwner,
|
|
},
|
|
}
|
|
}
|
|
|
|
func (wm *HumanPasswordlessTokensReadModel) AppendEvents(events ...eventstore.Event) {
|
|
wm.WriteModel.AppendEvents(events...)
|
|
}
|
|
|
|
func (wm *HumanPasswordlessTokensReadModel) Reduce() error {
|
|
for _, event := range wm.Events {
|
|
switch e := event.(type) {
|
|
case *user.HumanPasswordlessAddedEvent:
|
|
token := &HumanWebAuthNWriteModel{}
|
|
token.appendAddedEvent(&e.HumanWebAuthNAddedEvent)
|
|
token.WriteModel = eventstore.WriteModel{
|
|
AggregateID: e.Aggregate().ID,
|
|
}
|
|
replaced := false
|
|
for i, existingTokens := range wm.WebAuthNTokens {
|
|
if existingTokens.State == domain.MFAStateNotReady {
|
|
wm.WebAuthNTokens[i] = token
|
|
replaced = true
|
|
}
|
|
}
|
|
if !replaced {
|
|
wm.WebAuthNTokens = append(wm.WebAuthNTokens, token)
|
|
}
|
|
case *user.HumanPasswordlessVerifiedEvent:
|
|
idx, token := wm.WebAuthNTokenByID(e.WebAuthNTokenID)
|
|
if idx < 0 {
|
|
continue
|
|
}
|
|
token.appendVerifiedEvent(&e.HumanWebAuthNVerifiedEvent)
|
|
case *user.HumanPasswordlessRemovedEvent:
|
|
idx, _ := wm.WebAuthNTokenByID(e.WebAuthNTokenID)
|
|
if idx < 0 {
|
|
continue
|
|
}
|
|
copy(wm.WebAuthNTokens[idx:], wm.WebAuthNTokens[idx+1:])
|
|
wm.WebAuthNTokens[len(wm.WebAuthNTokens)-1] = nil
|
|
wm.WebAuthNTokens = wm.WebAuthNTokens[:len(wm.WebAuthNTokens)-1]
|
|
case *user.UserRemovedEvent:
|
|
wm.UserState = domain.UserStateDeleted
|
|
}
|
|
}
|
|
return wm.WriteModel.Reduce()
|
|
}
|
|
|
|
func (rm *HumanPasswordlessTokensReadModel) Query() *eventstore.SearchQueryBuilder {
|
|
return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
|
|
ResourceOwner(rm.ResourceOwner).
|
|
AddQuery().
|
|
AggregateTypes(user.AggregateType).
|
|
AggregateIDs(rm.AggregateID).
|
|
EventTypes(
|
|
user.HumanPasswordlessTokenAddedType,
|
|
user.HumanPasswordlessTokenVerifiedType,
|
|
user.HumanPasswordlessTokenRemovedType).
|
|
Builder()
|
|
|
|
}
|
|
|
|
func (wm *HumanPasswordlessTokensReadModel) WebAuthNTokenByID(id string) (idx int, token *HumanWebAuthNWriteModel) {
|
|
for idx, token = range wm.WebAuthNTokens {
|
|
if token.WebauthNTokenID == id {
|
|
return idx, token
|
|
}
|
|
}
|
|
return -1, nil
|
|
}
|
|
|
|
type HumanU2FLoginReadModel struct {
|
|
eventstore.WriteModel
|
|
|
|
AuthReqID string
|
|
Challenge string
|
|
AllowedCredentialIDs [][]byte
|
|
UserVerification domain.UserVerificationRequirement
|
|
State domain.UserState
|
|
}
|
|
|
|
func NewHumanU2FLoginReadModel(userID, authReqID, resourceOwner string) *HumanU2FLoginReadModel {
|
|
return &HumanU2FLoginReadModel{
|
|
WriteModel: eventstore.WriteModel{
|
|
AggregateID: userID,
|
|
ResourceOwner: resourceOwner,
|
|
},
|
|
AuthReqID: authReqID,
|
|
}
|
|
}
|
|
|
|
func (wm *HumanU2FLoginReadModel) AppendEvents(events ...eventstore.Event) {
|
|
for _, event := range events {
|
|
switch e := event.(type) {
|
|
case *user.HumanU2FBeginLoginEvent:
|
|
if e.AuthRequestInfo.ID != wm.AuthReqID {
|
|
continue
|
|
}
|
|
wm.WriteModel.AppendEvents(e)
|
|
case *user.UserRemovedEvent:
|
|
wm.WriteModel.AppendEvents(e)
|
|
}
|
|
}
|
|
}
|
|
|
|
func (wm *HumanU2FLoginReadModel) Reduce() error {
|
|
for _, event := range wm.Events {
|
|
switch e := event.(type) {
|
|
case *user.HumanU2FBeginLoginEvent:
|
|
wm.Challenge = e.Challenge
|
|
wm.AllowedCredentialIDs = e.AllowedCredentialIDs
|
|
wm.UserVerification = e.UserVerification
|
|
wm.State = domain.UserStateActive
|
|
case *user.UserRemovedEvent:
|
|
wm.State = domain.UserStateDeleted
|
|
}
|
|
}
|
|
return wm.WriteModel.Reduce()
|
|
}
|
|
|
|
func (rm *HumanU2FLoginReadModel) Query() *eventstore.SearchQueryBuilder {
|
|
return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
|
|
ResourceOwner(rm.ResourceOwner).
|
|
AddQuery().
|
|
AggregateTypes(user.AggregateType).
|
|
AggregateIDs(rm.AggregateID).
|
|
EventTypes(
|
|
user.HumanU2FTokenBeginLoginType,
|
|
user.UserRemovedType).
|
|
Builder()
|
|
}
|
|
|
|
type HumanPasswordlessLoginReadModel struct {
|
|
eventstore.WriteModel
|
|
|
|
AuthReqID string
|
|
Challenge string
|
|
AllowedCredentialIDs [][]byte
|
|
UserVerification domain.UserVerificationRequirement
|
|
State domain.UserState
|
|
}
|
|
|
|
func NewHumanPasswordlessLoginReadModel(userID, authReqID, resourceOwner string) *HumanPasswordlessLoginReadModel {
|
|
return &HumanPasswordlessLoginReadModel{
|
|
WriteModel: eventstore.WriteModel{
|
|
AggregateID: userID,
|
|
ResourceOwner: resourceOwner,
|
|
},
|
|
AuthReqID: authReqID,
|
|
}
|
|
}
|
|
|
|
func (wm *HumanPasswordlessLoginReadModel) AppendEvents(events ...eventstore.Event) {
|
|
for _, event := range events {
|
|
switch e := event.(type) {
|
|
case *user.HumanPasswordlessBeginLoginEvent:
|
|
if e.AuthRequestInfo.ID != wm.AuthReqID {
|
|
continue
|
|
}
|
|
wm.WriteModel.AppendEvents(e)
|
|
case *user.UserRemovedEvent:
|
|
wm.WriteModel.AppendEvents(e)
|
|
}
|
|
}
|
|
}
|
|
|
|
func (wm *HumanPasswordlessLoginReadModel) Reduce() error {
|
|
for _, event := range wm.Events {
|
|
switch e := event.(type) {
|
|
case *user.HumanPasswordlessBeginLoginEvent:
|
|
wm.Challenge = e.Challenge
|
|
wm.AllowedCredentialIDs = e.AllowedCredentialIDs
|
|
wm.UserVerification = e.UserVerification
|
|
wm.State = domain.UserStateActive
|
|
case *user.UserRemovedEvent:
|
|
wm.State = domain.UserStateDeleted
|
|
}
|
|
}
|
|
return wm.WriteModel.Reduce()
|
|
}
|
|
|
|
func (rm *HumanPasswordlessLoginReadModel) Query() *eventstore.SearchQueryBuilder {
|
|
return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
|
|
ResourceOwner(rm.ResourceOwner).
|
|
AddQuery().
|
|
AggregateTypes(user.AggregateType).
|
|
AggregateIDs(rm.AggregateID).
|
|
EventTypes(
|
|
user.HumanPasswordlessTokenBeginLoginType,
|
|
user.UserRemovedType).
|
|
Builder()
|
|
|
|
}
|
|
|
|
type HumanPasswordlessInitCodeWriteModel struct {
|
|
eventstore.WriteModel
|
|
|
|
CodeID string
|
|
Attempts uint8
|
|
CryptoCode *crypto.CryptoValue
|
|
Expiration time.Duration
|
|
State domain.PasswordlessInitCodeState
|
|
}
|
|
|
|
func NewHumanPasswordlessInitCodeWriteModel(userID, codeID, resourceOwner string) *HumanPasswordlessInitCodeWriteModel {
|
|
return &HumanPasswordlessInitCodeWriteModel{
|
|
WriteModel: eventstore.WriteModel{
|
|
AggregateID: userID,
|
|
ResourceOwner: resourceOwner,
|
|
},
|
|
CodeID: codeID,
|
|
}
|
|
}
|
|
|
|
func (wm *HumanPasswordlessInitCodeWriteModel) AppendEvents(events ...eventstore.Event) {
|
|
for _, event := range events {
|
|
switch e := event.(type) {
|
|
case *user.HumanPasswordlessInitCodeAddedEvent:
|
|
if wm.CodeID == e.ID {
|
|
wm.WriteModel.AppendEvents(e)
|
|
}
|
|
case *user.HumanPasswordlessInitCodeRequestedEvent:
|
|
if wm.CodeID == e.ID {
|
|
wm.WriteModel.AppendEvents(e)
|
|
}
|
|
case *user.HumanPasswordlessInitCodeSentEvent:
|
|
if wm.CodeID == e.ID {
|
|
wm.WriteModel.AppendEvents(e)
|
|
}
|
|
case *user.HumanPasswordlessInitCodeCheckFailedEvent:
|
|
if wm.CodeID == e.ID {
|
|
wm.WriteModel.AppendEvents(e)
|
|
}
|
|
case *user.HumanPasswordlessInitCodeCheckSucceededEvent:
|
|
if wm.CodeID == e.ID {
|
|
wm.WriteModel.AppendEvents(e)
|
|
}
|
|
case *user.UserRemovedEvent:
|
|
wm.WriteModel.AppendEvents(e)
|
|
}
|
|
}
|
|
}
|
|
|
|
func (wm *HumanPasswordlessInitCodeWriteModel) Reduce() error {
|
|
for _, event := range wm.Events {
|
|
switch e := event.(type) {
|
|
case *user.HumanPasswordlessInitCodeAddedEvent:
|
|
wm.appendAddedEvent(e)
|
|
case *user.HumanPasswordlessInitCodeRequestedEvent:
|
|
wm.appendRequestedEvent(e)
|
|
case *user.HumanPasswordlessInitCodeSentEvent:
|
|
wm.State = domain.PasswordlessInitCodeStateActive
|
|
case *user.HumanPasswordlessInitCodeCheckFailedEvent:
|
|
wm.appendCheckFailedEvent(e)
|
|
case *user.HumanPasswordlessInitCodeCheckSucceededEvent:
|
|
wm.State = domain.PasswordlessInitCodeStateRemoved
|
|
case *user.UserRemovedEvent:
|
|
wm.State = domain.PasswordlessInitCodeStateRemoved
|
|
}
|
|
}
|
|
return wm.WriteModel.Reduce()
|
|
}
|
|
|
|
func (wm *HumanPasswordlessInitCodeWriteModel) appendAddedEvent(e *user.HumanPasswordlessInitCodeAddedEvent) {
|
|
wm.CryptoCode = e.Code
|
|
wm.Expiration = e.Expiry
|
|
wm.State = domain.PasswordlessInitCodeStateActive
|
|
}
|
|
|
|
func (wm *HumanPasswordlessInitCodeWriteModel) appendRequestedEvent(e *user.HumanPasswordlessInitCodeRequestedEvent) {
|
|
wm.CryptoCode = e.Code
|
|
wm.Expiration = e.Expiry
|
|
wm.State = domain.PasswordlessInitCodeStateRequested
|
|
}
|
|
|
|
func (wm *HumanPasswordlessInitCodeWriteModel) appendCheckFailedEvent(e *user.HumanPasswordlessInitCodeCheckFailedEvent) {
|
|
wm.Attempts++
|
|
if wm.Attempts == 3 { //TODO: config?
|
|
wm.State = domain.PasswordlessInitCodeStateRemoved
|
|
}
|
|
}
|
|
|
|
func (wm *HumanPasswordlessInitCodeWriteModel) Query() *eventstore.SearchQueryBuilder {
|
|
return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
|
|
ResourceOwner(wm.ResourceOwner).
|
|
AddQuery().
|
|
AggregateTypes(user.AggregateType).
|
|
AggregateIDs(wm.AggregateID).
|
|
EventTypes(user.HumanPasswordlessInitCodeAddedType,
|
|
user.HumanPasswordlessInitCodeRequestedType,
|
|
user.HumanPasswordlessInitCodeSentType,
|
|
user.HumanPasswordlessInitCodeCheckFailedType,
|
|
user.HumanPasswordlessInitCodeCheckSucceededType,
|
|
user.UserRemovedType).
|
|
Builder()
|
|
}
|