feat(api): list authentication method types in user api v2 (#6058)

zitadel · Jun 20, 2023 · 7046194 · 7046194 · vercel · Jun 20, 2023
1 parent 82e7333
commit 7046194
Show file tree

Hide file tree

Showing 11 changed files with 523 additions and 1 deletion.
diff --git a/cmd/start/start.go b/cmd/start/start.go
@@ -47,6 +47,7 @@ import (
 	auth_es "github.com/zitadel/zitadel/internal/auth/repository/eventsourcing"
 	"github.com/zitadel/zitadel/internal/authz"
 	authz_repo "github.com/zitadel/zitadel/internal/authz/repository"
+	authz_es "github.com/zitadel/zitadel/internal/authz/repository/eventsourcing/eventstore"
 	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/crypto"
 	cryptoDB "github.com/zitadel/zitadel/internal/crypto/database"
@@ -145,6 +146,11 @@ func startZitadel(config *Config, masterKey string, server chan<- *Server) error
 		keys.SAML,
 		config.InternalAuthZ.RolePermissionMappings,
 		sessionTokenVerifier,
+		func(q *query.Queries) domain.PermissionCheck {
+			return func(ctx context.Context, permission, orgID, resourceID string) (err error) {
+				return internal_authz.CheckPermission(ctx, &authz_es.UserMembershipRepo{Queries: q}, config.InternalAuthZ.RolePermissionMappings, permission, orgID, resourceID)
+			}
+		},
 	)
 	if err != nil {
 		return fmt.Errorf("cannot start queries: %w", err)

diff --git a/internal/api/grpc/user/v2/user.go b/internal/api/grpc/user/v2/user.go
@@ -221,3 +221,41 @@ func (s *Server) checkIntentToken(token string, intentID string) error {
 	}
 	return nil
 }
+
+func (s *Server) ListAuthenticationMethodTypes(ctx context.Context, req *user.ListAuthenticationMethodTypesRequest) (*user.ListAuthenticationMethodTypesResponse, error) {
+	authMethods, err := s.query.ListActiveUserAuthMethodTypes(ctx, req.GetUserId(), false)
+	if err != nil {
+		return nil, err
+	}
+	return &user.ListAuthenticationMethodTypesResponse{
+		Details:         object.ToListDetails(authMethods.SearchResponse),
+		AuthMethodTypes: authMethodTypesToPb(authMethods.AuthMethodTypes),
+	}, nil
+}
+
+func authMethodTypesToPb(methodTypes []domain.UserAuthMethodType) []user.AuthenticationMethodType {
+	methods := make([]user.AuthenticationMethodType, len(methodTypes))
+	for i, method := range methodTypes {
+		methods[i] = authMethodTypeToPb(method)
+	}
+	return methods
+}
+
+func authMethodTypeToPb(methodType domain.UserAuthMethodType) user.AuthenticationMethodType {
+	switch methodType {
+	case domain.UserAuthMethodTypeOTP:
+		return user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_TOTP
+	case domain.UserAuthMethodTypeU2F:
+		return user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_U2F
+	case domain.UserAuthMethodTypePasswordless:
+		return user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_PASSKEY
+	case domain.UserAuthMethodTypePassword:
+		return user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_PASSWORD
+	case domain.UserAuthMethodTypeIDP:
+		return user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_IDP
+	case domain.UserAuthMethodTypeUnspecified:
+		return user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_UNSPECIFIED
+	default:
+		return user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_UNSPECIFIED
+	}
+}
diff --git a/internal/api/grpc/user/v2/user_integration_test.go b/internal/api/grpc/user/v2/user_integration_test.go
@@ -24,6 +24,7 @@ import (
 	openid "github.com/zitadel/zitadel/internal/idp/providers/oidc"
 	"github.com/zitadel/zitadel/internal/integration"
 	"github.com/zitadel/zitadel/internal/repository/idp"
+	mgmt "github.com/zitadel/zitadel/pkg/grpc/management"
 	object "github.com/zitadel/zitadel/pkg/grpc/object/v2alpha"
 	user "github.com/zitadel/zitadel/pkg/grpc/user/v2alpha"
 )
@@ -712,3 +713,109 @@ func TestServer_RetrieveIdentityProviderInformation(t *testing.T) {
 		})
 	}
 }
+
+func TestServer_ListAuthenticationMethodTypes(t *testing.T) {
+	userIDWithoutAuth := Tester.CreateHumanUser(CTX).GetUserId()
+
+	userIDWithPasskey := Tester.CreateHumanUser(CTX).GetUserId()
+	Tester.RegisterUserPasskey(CTX, userIDWithPasskey)
+
+	userMultipleAuth := Tester.CreateHumanUser(CTX).GetUserId()
+	Tester.RegisterUserPasskey(CTX, userMultipleAuth)
+	provider, err := Tester.Client.Mgmt.AddGenericOIDCProvider(CTX, &mgmt.AddGenericOIDCProviderRequest{
+		Name:         "ListAuthenticationMethodTypes",
+		Issuer:       "https://example.com",
+		ClientId:     "client_id",
+		ClientSecret: "client_secret",
+	})
+	require.NoError(t, err)
+	idpLink, err := Tester.Client.UserV2.AddIDPLink(CTX, &user.AddIDPLinkRequest{UserId: userMultipleAuth, IdpLink: &user.IDPLink{
+		IdpId:    provider.GetId(),
+		UserId:   "external-id",
+		UserName: "displayName",
+	}})
+	require.NoError(t, err)
+
+	type args struct {
+		ctx context.Context
+		req *user.ListAuthenticationMethodTypesRequest
+	}
+	tests := []struct {
+		name string
+		args args
+		want *user.ListAuthenticationMethodTypesResponse
+	}{
+		{
+			name: "no auth",
+			args: args{
+				CTX,
+				&user.ListAuthenticationMethodTypesRequest{
+					UserId: userIDWithoutAuth,
+				},
+			},
+			want: &user.ListAuthenticationMethodTypesResponse{
+				Details: &object.ListDetails{
+					TotalResult: 0,
+				},
+			},
+		},
+		{
+			name: "with auth (passkey)",
+			args: args{
+				CTX,
+				&user.ListAuthenticationMethodTypesRequest{
+					UserId: userIDWithPasskey,
+				},
+			},
+			want: &user.ListAuthenticationMethodTypesResponse{
+				Details: &object.ListDetails{
+					TotalResult: 1,
+				},
+				AuthMethodTypes: []user.AuthenticationMethodType{
+					user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_PASSKEY,
+				},
+			},
+		},
+		{
+			name: "multiple auth",
+			args: args{
+				CTX,
+				&user.ListAuthenticationMethodTypesRequest{
+					UserId: userMultipleAuth,
+				},
+			},
+			want: &user.ListAuthenticationMethodTypesResponse{
+				Details: &object.ListDetails{
+					TotalResult: 2,
+				},
+				AuthMethodTypes: []user.AuthenticationMethodType{
+					user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_PASSKEY,
+					user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_IDP,
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var got *user.ListAuthenticationMethodTypesResponse
+			var err error
+
+			for {
+				got, err = Client.ListAuthenticationMethodTypes(tt.args.ctx, tt.args.req)
+				if err == nil && got.GetDetails().GetProcessedSequence() >= idpLink.GetDetails().GetSequence() {
+					break
+				}
+				select {
+				case <-CTX.Done():
+					t.Fatal(CTX.Err(), err)
+				case <-time.After(time.Second):
+					t.Log("retrying ListAuthenticationMethodTypes")
+					continue
+				}
+			}
+			require.NoError(t, err)
+			assert.Equal(t, tt.want.GetDetails().GetTotalResult(), got.GetDetails().GetTotalResult())
+			require.Equal(t, tt.want.GetAuthMethodTypes(), got.GetAuthMethodTypes())
+		})
+	}
+}
diff --git a/internal/api/grpc/user/v2/user_test.go b/internal/api/grpc/user/v2/user_test.go
@@ -222,3 +222,75 @@ func Test_intentToIDPInformationPb(t *testing.T) {
 		})
 	}
 }
+
+func Test_authMethodTypesToPb(t *testing.T) {
+	tests := []struct {
+		name        string
+		methodTypes []domain.UserAuthMethodType
+		want        []user.AuthenticationMethodType
+	}{
+		{
+			"empty list",
+			nil,
+			[]user.AuthenticationMethodType{},
+		},
+		{
+			"list",
+			[]domain.UserAuthMethodType{
+				domain.UserAuthMethodTypePasswordless,
+			},
+			[]user.AuthenticationMethodType{
+				user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_PASSKEY,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equalf(t, tt.want, authMethodTypesToPb(tt.methodTypes), "authMethodTypesToPb(%v)", tt.methodTypes)
+		})
+	}
+}
+
+func Test_authMethodTypeToPb(t *testing.T) {
+	tests := []struct {
+		name       string
+		methodType domain.UserAuthMethodType
+		want       user.AuthenticationMethodType
+	}{
+		{
+			"uspecified",
+			domain.UserAuthMethodTypeUnspecified,
+			user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_UNSPECIFIED,
+		},
+		{
+			"(t)otp",
+			domain.UserAuthMethodTypeOTP,
+			user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_TOTP,
+		},
+		{
+			"u2f",
+			domain.UserAuthMethodTypeU2F,
+			user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_U2F,
+		},
+		{
+			"passkey",
+			domain.UserAuthMethodTypePasswordless,
+			user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_PASSKEY,
+		},
+		{
+			"password",
+			domain.UserAuthMethodTypePassword,
+			user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_PASSWORD,
+		},
+		{
+			"idp",
+			domain.UserAuthMethodTypeIDP,
+			user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_IDP,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equalf(t, tt.want, authMethodTypeToPb(tt.methodType), "authMethodTypeToPb(%v)", tt.methodType)
+		})
+	}
+}
diff --git a/internal/domain/permission.go b/internal/domain/permission.go
@@ -28,7 +28,7 @@ type PermissionCheck func(ctx context.Context, permission, orgID, resourceID str
 
 const (
 	PermissionUserWrite     = "user.write"
-	PermissionSessionRead   = "session.read"
+	PermissionUserRead      = "user.read"
 	PermissionSessionWrite  = "session.write"
 	PermissionSessionDelete = "session.delete"
 )
diff --git a/internal/domain/user.go b/internal/domain/user.go
@@ -51,6 +51,8 @@ const (
 	UserAuthMethodTypeOTP
 	UserAuthMethodTypeU2F
 	UserAuthMethodTypePasswordless
+	UserAuthMethodTypePassword
+	UserAuthMethodTypeIDP
 	userAuthMethodTypeCount
 )
 

diff --git a/internal/integration/client.go b/internal/integration/client.go
@@ -9,6 +9,7 @@ import (
 	"google.golang.org/grpc"
 
 	"github.com/zitadel/zitadel/pkg/grpc/admin"
+	mgmt "github.com/zitadel/zitadel/pkg/grpc/management"
 	object "github.com/zitadel/zitadel/pkg/grpc/object/v2alpha"
 	session "github.com/zitadel/zitadel/pkg/grpc/session/v2alpha"
 	user "github.com/zitadel/zitadel/pkg/grpc/user/v2alpha"
@@ -17,6 +18,7 @@ import (
 type Client struct {
 	CC        *grpc.ClientConn
 	Admin     admin.AdminServiceClient
+	Mgmt      mgmt.ManagementServiceClient
 	UserV2    user.UserServiceClient
 	SessionV2 session.SessionServiceClient
 }
@@ -25,6 +27,7 @@ func newClient(cc *grpc.ClientConn) Client {
 	return Client{
 		CC:        cc,
 		Admin:     admin.NewAdminServiceClient(cc),
+		Mgmt:      mgmt.NewManagementServiceClient(cc),
 		UserV2:    user.NewUserServiceClient(cc),
 		SessionV2: session.NewSessionServiceClient(cc),
 	}

diff --git a/internal/query/query.go b/internal/query/query.go
@@ -34,6 +34,7 @@ type Queries struct {
 
 	idpConfigEncryption  crypto.EncryptionAlgorithm
 	sessionTokenVerifier func(ctx context.Context, sessionToken string, sessionID string, tokenID string) (err error)
+	checkPermission      domain.PermissionCheck
 
 	DefaultLanguage                     language.Tag
 	LoginDir                            http.FileSystem
@@ -55,6 +56,7 @@ func StartQueries(
 	idpConfigEncryption, otpEncryption, keyEncryptionAlgorithm, certEncryptionAlgorithm crypto.EncryptionAlgorithm,
 	zitadelRoles []authz.RoleMapping,
 	sessionTokenVerifier func(ctx context.Context, sessionToken string, sessionID string, tokenID string) (err error),
+	permissionCheck func(q *Queries) domain.PermissionCheck,
 ) (repo *Queries, err error) {
 	statikLoginFS, err := fs.NewWithNamespace("login")
 	if err != nil {
@@ -95,6 +97,8 @@ func StartQueries(
 		},
 	}
 
+	repo.checkPermission = permissionCheck(repo)
+
 	err = projection.Create(ctx, sqlClient, es, projections, keyEncryptionAlgorithm, certEncryptionAlgorithm)
 	if err != nil {
 		return nil, err