mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-15 04:18:01 +00:00
6398349c24
* add token exchange feature flag * allow setting reason and actor to access tokens * impersonation * set token types and scopes in response * upgrade oidc to working draft state * fix tests * audience and scope validation * id toke and jwt as input * return id tokens * add grant type token exchange to app config * add integration tests * check and deny actors in api calls * fix instance setting tests by triggering projection on write and cleanup * insert sleep statements again * solve linting issues * add translations * pin oidc v3.15.0 * resolve comments, add event translation * fix refreshtoken test * use ValidateAuthReqScopes from oidc * apparently the linter can't make up its mind * persist actor thru refresh tokens and check in tests * remove unneeded triggers
97 lines
2.5 KiB
Go
97 lines
2.5 KiB
Go
package domain
|
|
|
|
type UserState int32
|
|
|
|
const (
|
|
UserStateUnspecified UserState = iota
|
|
UserStateActive
|
|
UserStateInactive
|
|
UserStateDeleted
|
|
UserStateLocked
|
|
UserStateSuspend
|
|
UserStateInitial
|
|
|
|
userStateCount
|
|
)
|
|
|
|
func (s UserState) Exists() bool {
|
|
return s != UserStateUnspecified && s != UserStateDeleted
|
|
}
|
|
|
|
func (s UserState) IsEnabled() bool {
|
|
return s == UserStateActive || s == UserStateInitial
|
|
}
|
|
|
|
type UserType int32
|
|
|
|
const (
|
|
UserTypeUnspecified UserType = iota
|
|
UserTypeHuman
|
|
UserTypeMachine
|
|
userTypeCount
|
|
)
|
|
|
|
type UserAuthMethodType int32
|
|
|
|
const (
|
|
UserAuthMethodTypeUnspecified UserAuthMethodType = iota
|
|
UserAuthMethodTypeTOTP
|
|
UserAuthMethodTypeU2F
|
|
UserAuthMethodTypePasswordless
|
|
UserAuthMethodTypePassword
|
|
UserAuthMethodTypeIDP
|
|
UserAuthMethodTypeOTPSMS
|
|
UserAuthMethodTypeOTPEmail
|
|
UserAuthMethodTypeOTP // generic OTP when parsing AMR from OIDC
|
|
userAuthMethodTypeCount
|
|
)
|
|
|
|
// HasMFA checks whether the user authenticated with multiple auth factors.
|
|
// This can either be true if the list contains a [UserAuthMethodType] which by itself is MFA (e.g. [UserAuthMethodTypePasswordless])
|
|
// or if multiple factors were used (e.g. [UserAuthMethodTypePassword] and [UserAuthMethodTypeU2F])
|
|
func HasMFA(methods []UserAuthMethodType) bool {
|
|
var factors int
|
|
for _, method := range methods {
|
|
switch method {
|
|
case UserAuthMethodTypePasswordless:
|
|
return true
|
|
case UserAuthMethodTypePassword,
|
|
UserAuthMethodTypeU2F,
|
|
UserAuthMethodTypeTOTP,
|
|
UserAuthMethodTypeOTPSMS,
|
|
UserAuthMethodTypeOTPEmail,
|
|
UserAuthMethodTypeIDP,
|
|
UserAuthMethodTypeOTP:
|
|
factors++
|
|
case UserAuthMethodTypeUnspecified,
|
|
userAuthMethodTypeCount:
|
|
// ignore
|
|
}
|
|
}
|
|
return factors > 1
|
|
}
|
|
|
|
// RequiresMFA checks whether the user requires to authenticate with multiple auth factors based on the LoginPolicy and the authentication type.
|
|
// Internal authentication will require MFA if either option is activated.
|
|
// External authentication will only require MFA if it's forced generally and not local only.
|
|
func RequiresMFA(forceMFA, forceMFALocalOnly, isInternalLogin bool) bool {
|
|
if isInternalLogin {
|
|
return forceMFA || forceMFALocalOnly
|
|
}
|
|
return forceMFA && !forceMFALocalOnly
|
|
}
|
|
|
|
type PersonalAccessTokenState int32
|
|
|
|
const (
|
|
PersonalAccessTokenStateUnspecified PersonalAccessTokenState = iota
|
|
PersonalAccessTokenStateActive
|
|
PersonalAccessTokenStateRemoved
|
|
|
|
personalAccessTokenStateCount
|
|
)
|
|
|
|
func (f PersonalAccessTokenState) Valid() bool {
|
|
return f >= 0 && f < personalAccessTokenStateCount
|
|
}
|