* feat(crypto): use passwap for machine and app secrets * fix command package tests * add hash generator command test * naming convention, fix query tests * rename PasswordHasher and cleanup start commands * add reducer tests * fix integration tests, cleanup old config * add app secret unit tests * solve setup panics * fix push of updated events * add missing event translations * update documentation * solve linter errors * remove nolint:SA1019 as it doesn't seem to help anyway * add nolint to deprecated filter usage * update users migration version * remove unused ClientSecret from APIConfigChangedEvent --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
package command
import (
"context"
"time"
"golang.org/x/text/language"
"github.com/zitadel/zitadel/internal/crypto"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/eventstore"
"github.com/zitadel/zitadel/internal/repository/user"
)
// UserV2WriteModel projects the events of one user aggregate (human or
// machine) into the fields below. The *WriteModel flags are set through the
// With* options and only decide which event types Query selects; Reduce
// applies every loaded event it recognises regardless of the flags.
type UserV2WriteModel struct {
	eventstore.WriteModel

	// UserName applies to human and machine users alike, which is why Query
	// always selects username-change events.
	UserName string

	// MachineWriteModel selects the machine added/changed events in Query.
	MachineWriteModel bool
	Name              string
	Description       string
	AccessTokenType   domain.OIDCTokenType

	// MachineSecretWriteModel and ClientSecret are neither consulted by
	// Query nor populated by Reduce in this file.
	MachineSecretWriteModel bool
	ClientSecret            *crypto.CryptoValue

	// ProfileWriteModel selects the human profile-changed events in Query.
	ProfileWriteModel bool
	FirstName         string
	LastName          string
	NickName          string
	DisplayName       string
	PreferredLanguage language.Tag
	Gender            domain.Gender

	// AvatarWriteModel selects the avatar added/removed events in Query.
	AvatarWriteModel bool
	// Avatar is the store key of the avatar; empty when none is set.
	Avatar string

	// HumanWriteModel selects the human added/registered events in Query.
	HumanWriteModel bool
	// Init-code state: the pending code, when it was issued, how long it is
	// valid, and how many checks against it failed since it was issued.
	InitCode             *crypto.CryptoValue
	InitCodeCreationDate time.Time
	InitCodeExpiry       time.Duration
	InitCheckFailedCount uint64

	// PasswordWriteModel selects the password hash/change/code/check events
	// in Query.
	PasswordWriteModel bool
	// PasswordEncodedHash is the stored password hash in its encoded form as
	// carried by the password events; PasswordChangeRequired mirrors the
	// ChangeRequired flag of those events.
	PasswordEncodedHash    string
	PasswordChangeRequired bool
	// Password-code state. PasswordCheckFailedCount counts failed password
	// checks and is reset by a successful check or an unlock (see Reduce).
	PasswordCode             *crypto.CryptoValue
	PasswordCodeCreationDate time.Time
	PasswordCodeExpiry       time.Duration
	PasswordCheckFailedCount uint64

	// EmailWriteModel selects the email changed/code/verified events in Query.
	EmailWriteModel bool
	Email           domain.EmailAddress
	IsEmailVerified bool
	// Email-verification code state; cleared whenever the address changes
	// or is verified (see Reduce).
	EmailCode             *crypto.CryptoValue
	EmailCodeCreationDate time.Time
	EmailCodeExpiry       time.Duration
	EmailCheckFailedCount uint64

	// PhoneWriteModel selects the phone changed/code/verified/removed events
	// in Query.
	PhoneWriteModel bool
	Phone           domain.PhoneNumber
	IsPhoneVerified bool
	// Phone-verification code state; cleared whenever the number changes,
	// is verified or is removed (see Reduce).
	PhoneCode             *crypto.CryptoValue
	PhoneCodeCreationDate time.Time
	PhoneCodeExpiry       time.Duration
	PhoneCheckFailedCount uint64

	// StateWriteModel selects the init-code and lock/unlock/deactivate/
	// reactivate events in Query.
	StateWriteModel bool
	UserState       domain.UserState

	// IDPLinkWriteModel selects the IDP-link added/removed events in Query.
	IDPLinkWriteModel bool
	IDPLinks          []*domain.UserIDPLink
}
// NewUserExistsWriteModel builds a model that only loads enough events to
// tell whether the user exists, whether it is a human or a machine.
func NewUserExistsWriteModel(userID, resourceOwner string) *UserV2WriteModel {
	opts := []UserV2WMOption{WithHuman(), WithMachine()}
	return newUserV2WriteModel(userID, resourceOwner, opts...)
}
// NewUserStateWriteModel builds a model that loads the creation events of a
// human or machine user plus the events that move its state.
func NewUserStateWriteModel(userID, resourceOwner string) *UserV2WriteModel {
	opts := []UserV2WMOption{WithHuman(), WithMachine(), WithState()}
	return newUserV2WriteModel(userID, resourceOwner, opts...)
}
// NewUserRemoveWriteModel builds the model used before removing a user: the
// creation and state events plus the IDP links, which a removal has to
// cascade to.
func NewUserRemoveWriteModel(userID, resourceOwner string) *UserV2WriteModel {
	opts := []UserV2WMOption{
		WithHuman(),
		WithMachine(),
		WithState(),
		WithIDPLinks(),
	}
	return newUserV2WriteModel(userID, resourceOwner, opts...)
}
// NewUserHumanWriteModel builds a model for a human user. The human and
// state event groups are always selected; each boolean argument switches on
// one further group (profile, email, phone, password, avatar, IDP links).
func NewUserHumanWriteModel(userID, resourceOwner string, profileWM, emailWM, phoneWM, passwordWM, avatarWM, idpLinks bool) *UserV2WriteModel {
	optional := []struct {
		enabled bool
		opt     UserV2WMOption
	}{
		{profileWM, WithProfile()},
		{emailWM, WithEmail()},
		{phoneWM, WithPhone()},
		{passwordWM, WithPassword()},
		{avatarWM, WithAvatar()},
		{idpLinks, WithIDPLinks()},
	}

	opts := make([]UserV2WMOption, 0, 2+len(optional))
	opts = append(opts, WithHuman(), WithState())
	for _, candidate := range optional {
		if candidate.enabled {
			opts = append(opts, candidate.opt)
		}
	}
	return newUserV2WriteModel(userID, resourceOwner, opts...)
}
// newUserV2WriteModel creates the model for the given aggregate ID and
// resource owner and applies the options in the order given. An empty
// resourceOwner is allowed; Query then skips the owner filter.
func newUserV2WriteModel(userID, resourceOwner string, opts ...UserV2WMOption) *UserV2WriteModel {
	model := new(UserV2WriteModel)
	// Both fields are promoted from the embedded eventstore.WriteModel.
	model.AggregateID = userID
	model.ResourceOwner = resourceOwner

	for _, apply := range opts {
		apply(model)
	}
	return model
}
// UserV2WMOption configures a UserV2WriteModel before it is queried; the
// With* functions below are the available options.
type UserV2WMOption func(o *UserV2WriteModel)
// WithHuman makes Query select the human added/registered events.
func WithHuman() UserV2WMOption {
	return func(wm *UserV2WriteModel) { wm.HumanWriteModel = true }
}
// WithMachine makes Query select the machine added/changed events.
func WithMachine() UserV2WMOption {
	return func(wm *UserV2WriteModel) { wm.MachineWriteModel = true }
}
// WithProfile makes Query select the human profile-changed events.
func WithProfile() UserV2WMOption {
	return func(wm *UserV2WriteModel) { wm.ProfileWriteModel = true }
}
// WithEmail makes Query select the email changed, code, verified and
// verification-failed events.
func WithEmail() UserV2WMOption {
	return func(wm *UserV2WriteModel) { wm.EmailWriteModel = true }
}
// WithPhone makes Query select the phone changed, code, verified,
// verification-failed and removed events.
func WithPhone() UserV2WMOption {
	return func(wm *UserV2WriteModel) { wm.PhoneWriteModel = true }
}
// WithPassword makes Query select the password hash-updated, changed, code
// and check succeeded/failed events.
func WithPassword() UserV2WMOption {
	return func(wm *UserV2WriteModel) { wm.PasswordWriteModel = true }
}
// WithState makes Query select the init-code events and the lock, unlock,
// deactivate and reactivate events.
func WithState() UserV2WMOption {
	return func(wm *UserV2WriteModel) { wm.StateWriteModel = true }
}
// WithAvatar makes Query select the avatar added/removed events.
func WithAvatar() UserV2WMOption {
	return func(wm *UserV2WriteModel) { wm.AvatarWriteModel = true }
}
// WithIDPLinks makes Query select the IDP-link added, removed and
// cascade-removed events.
func WithIDPLinks() UserV2WMOption {
	return func(wm *UserV2WriteModel) { wm.IDPLinkWriteModel = true }
}
// Reduce folds the loaded events into the model's fields in event order and
// then delegates to the embedded WriteModel's Reduce. Event types not listed
// in the switch are ignored, so a model whose Query did not select a group
// simply never sees those events.
func (wm *UserV2WriteModel) Reduce() error {
	for _, event := range wm.Events {
		switch e := event.(type) {
		case *user.HumanAddedEvent:
			wm.reduceHumanAddedEvent(e)
		case *user.HumanRegisteredEvent:
			wm.reduceHumanRegisteredEvent(e)

		case *user.HumanInitialCodeAddedEvent:
			// A freshly issued init code puts the user (back) into the
			// initial state; SetInitCode also resets the failed-check count.
			wm.UserState = domain.UserStateInitial
			wm.SetInitCode(e.Code, e.Expiry, e.CreationDate())
		case *user.HumanInitializedCheckSucceededEvent:
			// A successful check activates the user and discards the code.
			wm.UserState = domain.UserStateActive
			wm.EmptyInitCode()
		case *user.HumanInitializedCheckFailedEvent:
			wm.InitCheckFailedCount += 1

		case *user.UsernameChangedEvent:
			wm.UserName = e.UserName
		case *user.HumanProfileChangedEvent:
			wm.reduceHumanProfileChangedEvent(e)

		case *user.MachineChangedEvent:
			// Machine changes are partial: nil fields mean "unchanged".
			if e.Name != nil {
				wm.Name = *e.Name
			}
			if e.Description != nil {
				wm.Description = *e.Description
			}
			if e.AccessTokenType != nil {
				wm.AccessTokenType = *e.AccessTokenType
			}

		case *user.MachineAddedEvent:
			wm.UserName = e.UserName
			wm.Name = e.Name
			wm.Description = e.Description
			wm.AccessTokenType = e.AccessTokenType
			wm.UserState = domain.UserStateActive

		case *user.HumanEmailChangedEvent:
			// A new address invalidates the previous verification and any
			// outstanding verification code.
			wm.Email = e.EmailAddress
			wm.IsEmailVerified = false
			wm.EmptyEmailCode()
		case *user.HumanEmailCodeAddedEvent:
			wm.IsEmailVerified = false
			wm.SetEMailCode(e.Code, e.Expiry, e.CreationDate())
		case *user.HumanEmailVerifiedEvent:
			wm.IsEmailVerified = true
			wm.EmptyEmailCode()
		case *user.HumanEmailVerificationFailedEvent:
			wm.EmailCheckFailedCount += 1

		case *user.HumanPhoneChangedEvent:
			// Same invalidation as for email: new number, unverified, no code.
			wm.IsPhoneVerified = false
			wm.Phone = e.PhoneNumber
			wm.EmptyPhoneCode()
		case *user.HumanPhoneCodeAddedEvent:
			wm.IsPhoneVerified = false
			wm.SetPhoneCode(e.Code, e.Expiry, e.CreationDate())
		case *user.HumanPhoneVerifiedEvent:
			wm.IsPhoneVerified = true
			wm.EmptyPhoneCode()
		case *user.HumanPhoneVerificationFailedEvent:
			wm.PhoneCheckFailedCount += 1
		case *user.HumanPhoneRemovedEvent:
			wm.EmptyPhoneCode()
			wm.Phone = ""
			wm.IsPhoneVerified = false

		case *user.HumanAvatarAddedEvent:
			wm.Avatar = e.StoreKey
		case *user.HumanAvatarRemovedEvent:
			wm.Avatar = ""

		case *user.UserLockedEvent:
			wm.UserState = domain.UserStateLocked
		case *user.UserUnlockedEvent:
			// Unlocking clears the password failure counter, so the lock
			// threshold is counted from zero again afterwards.
			wm.PasswordCheckFailedCount = 0
			wm.UserState = domain.UserStateActive

		case *user.UserDeactivatedEvent:
			wm.UserState = domain.UserStateInactive
		case *user.UserReactivatedEvent:
			wm.UserState = domain.UserStateActive

		case *user.UserRemovedEvent:
			wm.UserState = domain.UserStateDeleted

		case *user.HumanPasswordHashUpdatedEvent:
			// Only the encoded hash is replaced; ChangeRequired and any
			// pending password code are left untouched.
			wm.PasswordEncodedHash = e.EncodedHash
		case *user.HumanPasswordCheckFailedEvent:
			wm.PasswordCheckFailedCount += 1
		case *user.HumanPasswordCheckSucceededEvent:
			wm.PasswordCheckFailedCount = 0
		case *user.HumanPasswordChangedEvent:
			// The event may carry the hash as Secret or as EncodedHash;
			// SecretOrEncodedHash resolves the two (which one wins is
			// defined in the crypto package, not here).
			wm.PasswordEncodedHash = crypto.SecretOrEncodedHash(e.Secret, e.EncodedHash)
			wm.PasswordChangeRequired = e.ChangeRequired
			wm.EmptyPasswordCode()
		case *user.HumanPasswordCodeAddedEvent:
			wm.SetPasswordCode(e.Code, e.Expiry, e.CreationDate())
		case *user.UserIDPLinkAddedEvent:
			wm.AddIDPLink(e.IDPConfigID, e.DisplayName, e.ExternalUserID)
		case *user.UserIDPLinkRemovedEvent:
			wm.RemoveIDPLink(e.IDPConfigID, e.ExternalUserID)
		case *user.UserIDPLinkCascadeRemovedEvent:
			wm.RemoveIDPLink(e.IDPConfigID, e.ExternalUserID)
		}
	}
	return wm.WriteModel.Reduce()
}
// AddIDPLink appends a link to the given IDP config and external user. No
// de-duplication is done here: the same link added twice is stored twice.
func (wm *UserV2WriteModel) AddIDPLink(configID, displayName, externalUserID string) {
	link := &domain.UserIDPLink{
		IDPConfigID:    configID,
		DisplayName:    displayName,
		ExternalUserID: externalUserID,
	}
	wm.IDPLinks = append(wm.IDPLinks, link)
}
// RemoveIDPLink drops the first link matching the IDP config and external
// user ID, keeping the order of the remaining links. Unknown links are a
// no-op.
func (wm *UserV2WriteModel) RemoveIDPLink(configID, externalUserID string) {
	pos, _ := wm.IDPLinkByID(configID, externalUserID)
	if pos < 0 {
		return
	}
	// Shift the tail down over the removed element, then drop the now
	// duplicated last slot; nil-ing it first releases the pointer.
	moved := copy(wm.IDPLinks[pos:], wm.IDPLinks[pos+1:])
	last := pos + moved
	wm.IDPLinks[last] = nil
	wm.IDPLinks = wm.IDPLinks[:last]
}
// EmptyInitCode discards the pending init code together with its timing
// and the failed-check counter.
func (wm *UserV2WriteModel) EmptyInitCode() {
	wm.InitCode, wm.InitCodeExpiry, wm.InitCodeCreationDate, wm.InitCheckFailedCount = nil, 0, time.Time{}, 0
}
// SetInitCode stores a newly issued init code with its expiry and creation
// time. A new code starts with a failed-check counter of zero.
func (wm *UserV2WriteModel) SetInitCode(code *crypto.CryptoValue, expiry time.Duration, creationDate time.Time) {
	wm.InitCode, wm.InitCodeExpiry, wm.InitCodeCreationDate = code, expiry, creationDate
	wm.InitCheckFailedCount = 0
}
// EmptyEmailCode discards the pending email verification code together
// with its timing and the failed-check counter.
func (wm *UserV2WriteModel) EmptyEmailCode() {
	wm.EmailCode, wm.EmailCodeExpiry, wm.EmailCodeCreationDate, wm.EmailCheckFailedCount = nil, 0, time.Time{}, 0
}
// SetEMailCode stores a newly issued email verification code with its
// expiry and creation time and resets the failed-check counter.
func (wm *UserV2WriteModel) SetEMailCode(code *crypto.CryptoValue, expiry time.Duration, creationDate time.Time) {
	wm.EmailCode, wm.EmailCodeExpiry, wm.EmailCodeCreationDate = code, expiry, creationDate
	wm.EmailCheckFailedCount = 0
}
// EmptyPhoneCode discards the pending phone verification code together
// with its timing and the failed-check counter.
func (wm *UserV2WriteModel) EmptyPhoneCode() {
	wm.PhoneCode, wm.PhoneCodeExpiry, wm.PhoneCodeCreationDate, wm.PhoneCheckFailedCount = nil, 0, time.Time{}, 0
}
// SetPhoneCode stores a newly issued phone verification code with its
// expiry and creation time and resets the failed-check counter.
func (wm *UserV2WriteModel) SetPhoneCode(code *crypto.CryptoValue, expiry time.Duration, creationDate time.Time) {
	wm.PhoneCode, wm.PhoneCodeExpiry, wm.PhoneCodeCreationDate = code, expiry, creationDate
	wm.PhoneCheckFailedCount = 0
}
// EmptyPasswordCode discards the pending password code and its timing.
// PasswordCheckFailedCount is deliberately not touched here: it counts
// password checks, not code checks.
func (wm *UserV2WriteModel) EmptyPasswordCode() {
	wm.PasswordCode, wm.PasswordCodeExpiry, wm.PasswordCodeCreationDate = nil, 0, time.Time{}
}
// SetPasswordCode stores a newly issued password code with its expiry and
// creation time.
func (wm *UserV2WriteModel) SetPasswordCode(code *crypto.CryptoValue, expiry time.Duration, creationDate time.Time) {
	wm.PasswordCode, wm.PasswordCodeExpiry, wm.PasswordCodeCreationDate = code, expiry, creationDate
}
// Query builds the event search for this user aggregate. Removal and
// username-change events are always selected because they apply to human
// and machine users alike; every other group is added only when the
// corresponding *WriteModel flag is set. The resource-owner filter is
// applied only when the model carries one.
func (wm *UserV2WriteModel) Query() *eventstore.SearchQueryBuilder {
	types := []eventstore.EventType{
		user.UserRemovedType,
		user.UserUserNameChangedType,
	}
	// include appends a group when its flag is set; the groups are listed
	// in the order they end up in the query.
	include := func(enabled bool, group ...eventstore.EventType) {
		if enabled {
			types = append(types, group...)
		}
	}

	include(wm.HumanWriteModel,
		user.UserV1AddedType,
		user.HumanAddedType,
		user.UserV1RegisteredType,
		user.HumanRegisteredType,
	)
	include(wm.MachineWriteModel,
		user.MachineChangedEventType,
		user.MachineAddedEventType,
	)
	include(wm.EmailWriteModel,
		user.UserV1EmailChangedType,
		user.HumanEmailChangedType,
		user.UserV1EmailCodeAddedType,
		user.HumanEmailCodeAddedType,

		user.UserV1EmailVerifiedType,
		user.HumanEmailVerifiedType,
		user.HumanEmailVerificationFailedType,
		user.UserV1EmailVerificationFailedType,
	)
	include(wm.PhoneWriteModel,
		user.UserV1PhoneChangedType,
		user.HumanPhoneChangedType,
		user.UserV1PhoneCodeAddedType,
		user.HumanPhoneCodeAddedType,

		user.UserV1PhoneVerifiedType,
		user.HumanPhoneVerifiedType,
		user.HumanPhoneVerificationFailedType,
		user.UserV1PhoneVerificationFailedType,

		user.UserV1PhoneRemovedType,
		user.HumanPhoneRemovedType,
	)
	include(wm.ProfileWriteModel,
		user.UserV1ProfileChangedType,
		user.HumanProfileChangedType,
	)
	include(wm.StateWriteModel,
		user.UserV1InitialCodeAddedType,
		user.HumanInitialCodeAddedType,

		user.UserV1InitializedCheckSucceededType,
		user.HumanInitializedCheckSucceededType,
		user.HumanInitializedCheckFailedType,
		user.UserV1InitializedCheckFailedType,

		user.UserLockedType,
		user.UserUnlockedType,
		user.UserDeactivatedType,
		user.UserReactivatedType,
	)
	include(wm.AvatarWriteModel,
		user.HumanAvatarAddedType,
		user.HumanAvatarRemovedType,
	)
	include(wm.PasswordWriteModel,
		user.HumanPasswordHashUpdatedType,

		user.HumanPasswordChangedType,
		user.UserV1PasswordChangedType,
		user.HumanPasswordCodeAddedType,
		user.UserV1PasswordCodeAddedType,

		user.HumanPasswordCheckFailedType,
		user.UserV1PasswordCheckFailedType,
		user.HumanPasswordCheckSucceededType,
		user.UserV1PasswordCheckSucceededType,
	)
	include(wm.IDPLinkWriteModel,
		user.UserIDPLinkAddedType,
		user.UserIDPLinkRemovedType,
		user.UserIDPLinkCascadeRemovedType,
	)

	builder := eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
		AddQuery().
		AggregateTypes(user.AggregateType).
		AggregateIDs(wm.AggregateID).
		EventTypes(types...).
		Builder()
	if owner := wm.ResourceOwner; owner != "" {
		builder.ResourceOwner(owner)
	}
	return builder
}
// reduceHumanAddedEvent copies the full initial state of a human user
// created by an administrator into the model and marks it active.
func (wm *UserV2WriteModel) reduceHumanAddedEvent(e *user.HumanAddedEvent) {
	// Identity and profile.
	wm.UserName = e.UserName
	wm.FirstName, wm.LastName = e.FirstName, e.LastName
	wm.NickName, wm.DisplayName = e.NickName, e.DisplayName
	wm.PreferredLanguage, wm.Gender = e.PreferredLanguage, e.Gender

	// Contact data as given at creation; verification state is not part of
	// this event and stays at its zero value.
	wm.Email, wm.Phone = e.EmailAddress, e.PhoneNumber

	wm.UserState = domain.UserStateActive

	// The event may carry the hash as Secret or as EncodedHash; the crypto
	// package decides which representation is used.
	wm.PasswordEncodedHash = crypto.SecretOrEncodedHash(e.Secret, e.EncodedHash)
	wm.PasswordChangeRequired = e.ChangeRequired
}
// reduceHumanRegisteredEvent copies the full initial state of a
// self-registered human user into the model and marks it active. The
// fields mirror reduceHumanAddedEvent; only the event type differs.
func (wm *UserV2WriteModel) reduceHumanRegisteredEvent(e *user.HumanRegisteredEvent) {
	// Identity and profile.
	wm.UserName = e.UserName
	wm.FirstName, wm.LastName = e.FirstName, e.LastName
	wm.NickName, wm.DisplayName = e.NickName, e.DisplayName
	wm.PreferredLanguage, wm.Gender = e.PreferredLanguage, e.Gender

	// Contact data as given at registration; verification state is not
	// part of this event and stays at its zero value.
	wm.Email, wm.Phone = e.EmailAddress, e.PhoneNumber

	wm.UserState = domain.UserStateActive

	// The event may carry the hash as Secret or as EncodedHash; the crypto
	// package decides which representation is used.
	wm.PasswordEncodedHash = crypto.SecretOrEncodedHash(e.Secret, e.EncodedHash)
	wm.PasswordChangeRequired = e.ChangeRequired
}
// reduceHumanProfileChangedEvent applies a partial profile update. First
// and last name are plain strings on the event, so an empty value means
// "unchanged" and cannot clear the field; the other fields are pointers
// where nil means "unchanged".
func (wm *UserV2WriteModel) reduceHumanProfileChangedEvent(e *user.HumanProfileChangedEvent) {
	if e.FirstName != "" {
		wm.FirstName = e.FirstName
	}
	if e.LastName != "" {
		wm.LastName = e.LastName
	}

	// Optional string fields: copy only when the event carries a value.
	setIfPresent := func(dst *string, src *string) {
		if src != nil {
			*dst = *src
		}
	}
	setIfPresent(&wm.NickName, e.NickName)
	setIfPresent(&wm.DisplayName, e.DisplayName)

	if lang := e.PreferredLanguage; lang != nil {
		wm.PreferredLanguage = *lang
	}
	if gender := e.Gender; gender != nil {
		wm.Gender = *gender
	}
}
// Aggregate returns the user aggregate this model was created for, built
// from its aggregate ID and resource owner.
func (wm *UserV2WriteModel) Aggregate() *user.Aggregate {
	id, owner := wm.AggregateID, wm.ResourceOwner
	return user.NewAggregate(id, owner)
}
// NewProfileChangedEvent compares each non-nil argument with the current
// profile and builds a HumanProfileChangedEvent carrying only the fields
// that actually differ. It returns (nil, nil) when nothing changed, so
// callers must check the event for nil rather than only the error.
func (wm *UserV2WriteModel) NewProfileChangedEvent(
	ctx context.Context,
	firstName,
	lastName,
	nickName,
	displayName *string,
	preferredLanguage *language.Tag,
	gender *domain.Gender,
) (*user.HumanProfileChangedEvent, error) {
	var changes []user.ProfileChanges

	// stringChange records a change for an optional string argument that is
	// set and differs from the current value.
	stringChange := func(arg *string, current string, change func(string) user.ProfileChanges) {
		if arg != nil && current != *arg {
			changes = append(changes, change(*arg))
		}
	}
	stringChange(firstName, wm.FirstName, user.ChangeFirstName)
	stringChange(lastName, wm.LastName, user.ChangeLastName)
	stringChange(nickName, wm.NickName, user.ChangeNickName)
	stringChange(displayName, wm.DisplayName, user.ChangeDisplayName)

	if preferredLanguage != nil && wm.PreferredLanguage != *preferredLanguage {
		changes = append(changes, user.ChangePreferredLanguage(*preferredLanguage))
	}
	if gender != nil && wm.Gender != *gender {
		changes = append(changes, user.ChangeGender(*gender))
	}

	if len(changes) == 0 {
		return nil, nil
	}
	return user.NewHumanProfileChangedEvent(ctx, &wm.Aggregate().Aggregate, changes)
}
// IDPLinkByID returns the index and the first link that matches both the
// IDP config ID and the external user ID, or (-1, nil) when there is none.
func (wm *UserV2WriteModel) IDPLinkByID(idpID, externalUserID string) (idx int, idp *domain.UserIDPLink) {
	for i := range wm.IDPLinks {
		link := wm.IDPLinks[i]
		if link.IDPConfigID != idpID || link.ExternalUserID != externalUserID {
			continue
		}
		return i, link
	}
	return -1, nil
}