diff --git a/docs/resources/default_login_policy.md b/docs/resources/default_login_policy.md index a7338875..8735d424 100644 --- a/docs/resources/default_login_policy.md +++ b/docs/resources/default_login_policy.md @@ -17,6 +17,7 @@ resource "zitadel_default_login_policy" "default" { allow_register = true allow_external_idp = true force_mfa = false + force_mfa_local_only = false passwordless_type = "PASSWORDLESS_TYPE_ALLOWED" hide_password_reset = "false" password_check_lifetime = "240h0m0s" @@ -45,6 +46,7 @@ resource "zitadel_default_login_policy" "default" { - `default_redirect_uri` (String) defines where the user will be redirected to if the login is started without app context (e.g. from mail) - `external_login_check_lifetime` (String) - `force_mfa` (Boolean) defines if a user MUST use a multi factor to log in +- `force_mfa_local_only` (Boolean) if activated, only local authenticated users are forced to use MFA. Authentication through IDPs won't prompt a MFA step in the login. - `hide_password_reset` (Boolean) defines if password reset link should be shown in the login screen - `ignore_unknown_usernames` (Boolean) defines if unknown username on login screen directly return an error or always display the password screen - `mfa_init_skip_lifetime` (String) diff --git a/docs/resources/login_policy.md b/docs/resources/login_policy.md index 4a6132b5..740c1746 100644 --- a/docs/resources/login_policy.md +++ b/docs/resources/login_policy.md @@ -18,6 +18,7 @@ resource "zitadel_login_policy" "default" { allow_register = true allow_external_idp = true force_mfa = false + force_mfa_local_only = false passwordless_type = "PASSWORDLESS_TYPE_ALLOWED" hide_password_reset = "false" password_check_lifetime = "240h0m0s" @@ -46,6 +47,7 @@ resource "zitadel_login_policy" "default" { - `default_redirect_uri` (String) defines where the user will be redirected to if the login is started without app context (e.g. from mail) - `external_login_check_lifetime` (String) - `force_mfa` (Boolean) defines if a user MUST use a multi factor to log in +- `force_mfa_local_only` (Boolean) if activated, only local authenticated users are forced to use MFA. Authentication through IDPs won't prompt a MFA step in the login. - `hide_password_reset` (Boolean) defines if password reset link should be shown in the login screen - `ignore_unknown_usernames` (Boolean) defines if unknown username on login screen directly return an error or always display the password screen - `mfa_init_skip_lifetime` (String) diff --git a/examples/provider/resources/default_login_policy.tf b/examples/provider/resources/default_login_policy.tf index fc3ddcab..c1222012 100644 --- a/examples/provider/resources/default_login_policy.tf +++ b/examples/provider/resources/default_login_policy.tf @@ -3,6 +3,7 @@ resource "zitadel_default_login_policy" "default" { allow_register = true allow_external_idp = true force_mfa = false + force_mfa_local_only = false passwordless_type = "PASSWORDLESS_TYPE_ALLOWED" hide_password_reset = "false" password_check_lifetime = "240h0m0s" diff --git a/examples/provider/resources/login_policy.tf b/examples/provider/resources/login_policy.tf index 4b45792c..948a1c96 100644 --- a/examples/provider/resources/login_policy.tf +++ b/examples/provider/resources/login_policy.tf @@ -4,6 +4,7 @@ resource "zitadel_login_policy" "default" { allow_register = true allow_external_idp = true force_mfa = false + force_mfa_local_only = false passwordless_type = "PASSWORDLESS_TYPE_ALLOWED" hide_password_reset = "false" password_check_lifetime = "240h0m0s" diff --git a/go.mod b/go.mod index c7b62d3c..080b0662 100644 --- a/go.mod +++ b/go.mod @@ -3,21 +3,23 @@ module github.com/zitadel/terraform-provider-zitadel go 1.20 require ( - github.com/envoyproxy/protoc-gen-validate v1.0.1 + github.com/envoyproxy/protoc-gen-validate v1.0.2 github.com/gabriel-vasile/mimetype v1.4.1 github.com/gogo/protobuf v1.3.2 - github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.0 + github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320 + github.com/hashicorp/hcl/v2 v2.16.2 github.com/hashicorp/terraform-plugin-framework v0.15.0 github.com/hashicorp/terraform-plugin-go v0.14.3 github.com/hashicorp/terraform-plugin-log v0.8.0 github.com/hashicorp/terraform-plugin-mux v0.7.0 github.com/hashicorp/terraform-plugin-sdk/v2 v2.26.1 + github.com/zclconf/go-cty v1.13.1 github.com/zitadel/oidc v1.13.4 - github.com/zitadel/zitadel-go/v2 v2.0.14 - golang.org/x/oauth2 v0.8.0 - google.golang.org/grpc v1.53.0-dev - google.golang.org/protobuf v1.30.0 + github.com/zitadel/zitadel-go/v2 v2.0.15 + golang.org/x/oauth2 v0.10.0 + google.golang.org/grpc v1.57.0-dev + google.golang.org/protobuf v1.31.0 ) require ( @@ -38,7 +40,6 @@ require ( github.com/hashicorp/go-uuid v1.0.3 // indirect github.com/hashicorp/go-version v1.6.0 // indirect github.com/hashicorp/hc-install v0.5.0 // indirect - github.com/hashicorp/hcl/v2 v2.16.2 // indirect github.com/hashicorp/logutils v1.0.0 // indirect github.com/hashicorp/terraform-exec v0.18.1 // indirect github.com/hashicorp/terraform-json v0.16.0 // indirect @@ -46,7 +47,6 @@ require ( github.com/hashicorp/terraform-svchost v0.0.0-20200729002733-f050f53b9734 // indirect github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d // indirect github.com/imdario/mergo v0.3.13 // indirect - github.com/kr/pretty v0.3.1 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-isatty v0.0.17 // indirect github.com/mitchellh/copystructure v1.2.0 // indirect @@ -60,13 +60,14 @@ require ( github.com/vmihailenco/msgpack v4.0.4+incompatible // indirect github.com/vmihailenco/msgpack/v4 v4.3.12 // indirect github.com/vmihailenco/tagparser v0.1.1 // indirect - github.com/zclconf/go-cty v1.13.1 // indirect - golang.org/x/crypto v0.9.0 // indirect - golang.org/x/mod v0.10.0 // indirect - golang.org/x/net v0.10.0 // indirect - golang.org/x/sys v0.8.0 // indirect - golang.org/x/text v0.9.0 // indirect + golang.org/x/crypto v0.11.0 // indirect + golang.org/x/mod v0.11.0 // indirect + golang.org/x/net v0.12.0 // indirect + golang.org/x/sys v0.10.0 // indirect + golang.org/x/text v0.11.0 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20221207170731-23e4bf6bdc37 // indirect + google.golang.org/genproto v0.0.0-20230526203410-71b5a4ffd15e // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20230629202037-9506855d4529 // indirect gopkg.in/square/go-jose.v2 v2.6.0 // indirect ) diff --git a/go.sum b/go.sum index 0f9e9312..aa84c1fe 100644 --- a/go.sum +++ b/go.sum @@ -25,8 +25,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg= github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o= -github.com/envoyproxy/protoc-gen-validate v1.0.1 h1:kt9FtLiooDc0vbwTLhdg3dyNX1K9Qwa1EK9LcD4jVUQ= -github.com/envoyproxy/protoc-gen-validate v1.0.1/go.mod h1:0vj8bNkYbSTNS2PIyH87KZaeN4x9zpL9Qt8fQC7d+vs= +github.com/envoyproxy/protoc-gen-validate v1.0.2 h1:QkIBuU5k+x7/QXPvPPnWXWlCdaBFApVqftFV6k087DA= +github.com/envoyproxy/protoc-gen-validate v1.0.2/go.mod h1:GpiZQP3dDbg4JouG/NNS7QWXpgx6x8QiMKdmN72jogE= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs= @@ -47,7 +47,7 @@ github.com/go-test/deep v1.0.7 h1:/VSMRlnY/JSyqxQUzQLKVMAskpY/NZKFA5j2P+0pP2M= github.com/go-test/deep v1.0.7/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang/glog v1.0.0 h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ= +github.com/golang/glog v1.1.0 h1:/d3pCKDPWNnvIWe0vVUpNP32qc8U3PDVxySP/y360qE= github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= @@ -66,8 +66,8 @@ github.com/gorilla/schema v1.2.0 h1:YufUaxZYCKGFuAq3c96BOhjgd5nmXiOY9NGzF247Tsc= github.com/gorilla/schema v1.2.0/go.mod h1:kgLaKoK1FELgZqMAVxx/5cbj0kT+57qxUrAlIO2eleU= github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ= github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.0 h1:1JYBfzqrWPcCclBwxFCPAou9n+q86mfnu7NAeHfte7A= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.0/go.mod h1:YDZoGHuwE+ov0c8smSH49WLF3F2LaWnYYuDVd+EWrc0= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= @@ -136,7 +136,6 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxv github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= -github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= @@ -173,13 +172,11 @@ github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw= github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= -github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= -github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= @@ -214,8 +211,8 @@ github.com/zclconf/go-cty v1.13.1 h1:0a6bRwuiSHtAmqCqNOE+c2oHgepv0ctoxU4FUe43kwc github.com/zclconf/go-cty v1.13.1/go.mod h1:YKQzy/7pZ7iq2jNFzy5go57xdxdWoLLpaEp4u238AE0= github.com/zitadel/oidc v1.13.4 h1:+k2GKqP9Ld9S2MSFlj+KaNsoZ3J9oy+Ezw51EzSFuC8= github.com/zitadel/oidc v1.13.4/go.mod h1:3h2DhUcP02YV6q/CA/BG4yla0o6rXjK+DkJGK/dwJfw= -github.com/zitadel/zitadel-go/v2 v2.0.14 h1:+Gp+cb1Qrp752oQnnoetPeTciK0gnEuoygK+S7sRuUM= -github.com/zitadel/zitadel-go/v2 v2.0.14/go.mod h1:apPFRGKTMDAtB2qdC9ELXco/HwyvfS87vD29lfhMRF0= +github.com/zitadel/zitadel-go/v2 v2.0.15 h1:dL2VROG7w32xtdl2DlPqpef6+s7PEP70KEa3SEjGsuI= +github.com/zitadel/zitadel-go/v2 v2.0.15/go.mod h1:2xpHigKocm9hVdNuAHo9eway/jGSo6XhyunbfGr7924= golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= @@ -226,14 +223,14 @@ golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU= -golang.org/x/crypto v0.9.0 h1:LF6fAI+IutBocDJ2OT0Q1g8plpYljMZ4+lty+dsqw3g= -golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0= +golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA= +golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= -golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU= +golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -250,11 +247,11 @@ golang.org/x/net v0.0.0-20210326060303-6b1517762897/go.mod h1:uSPa2vr4CLtc/ILN5o golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws= -golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M= -golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50= +golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= -golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= +golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8= +golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -282,19 +279,19 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU= -golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= +golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ= -golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols= +golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE= -golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= +golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= @@ -309,14 +306,18 @@ google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/genproto v0.0.0-20221207170731-23e4bf6bdc37 h1:jmIfw8+gSvXcZSgaFAGyInDXeWzUhvYH57G/5GKMn70= -google.golang.org/genproto v0.0.0-20221207170731-23e4bf6bdc37/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM= -google.golang.org/grpc v1.53.0-dev h1:Bi96+XIrXJLXPJUff19tRXb7mIijir7agn12zNMaPAg= -google.golang.org/grpc v1.53.0-dev/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5vorUY= +google.golang.org/genproto v0.0.0-20230526203410-71b5a4ffd15e h1:Ao9GzfUMPH3zjVfzXG5rlWlk+Q8MXWKwWpwVQE1MXfw= +google.golang.org/genproto v0.0.0-20230526203410-71b5a4ffd15e/go.mod h1:zqTuNwFlFRsw5zIts5VnzLQxSRqh+CGOTVMlYbY0Eyk= +google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc h1:kVKPf/IiYSBWEWtkIn6wZXwWGCnLKcC8oWfZvXjsGnM= +google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230629202037-9506855d4529 h1:DEH99RbiLZhMxrpEJCZ0A+wdTe0EOgou/poSLx9vWf4= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230629202037-9506855d4529/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= +google.golang.org/grpc v1.57.0-dev h1:XCvzqke2TBzQUs3a1MO1VsqVkWeAdJ/KmxHCAVtPpe8= +google.golang.org/grpc v1.57.0-dev/go.mod h1:ZPf89/axrdgRDfHqb7fa0GF5t4VUER0vWnqnPNuRP7k= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= -google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= +google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff --git a/zitadel/v2/default_login_policy/const.go b/zitadel/v2/default_login_policy/const.go index 15f96df8..dac49b86 100644 --- a/zitadel/v2/default_login_policy/const.go +++ b/zitadel/v2/default_login_policy/const.go @@ -5,6 +5,7 @@ const ( allowRegisterVar = "allow_register" allowExternalIDPVar = "allow_external_idp" forceMFAVar = "force_mfa" + forceMFALocalOnlyVar = "force_mfa_local_only" passwordlessTypeVar = "passwordless_type" hidePasswordResetVar = "hide_password_reset" passwordCheckLifetimeVar = "password_check_lifetime" diff --git a/zitadel/v2/default_login_policy/funcs.go b/zitadel/v2/default_login_policy/funcs.go index 36cc7e5e..345a5f37 100644 --- a/zitadel/v2/default_login_policy/funcs.go +++ b/zitadel/v2/default_login_policy/funcs.go @@ -42,6 +42,7 @@ func update(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Dia allowRegisterVar, allowExternalIDPVar, forceMFAVar, + forceMFALocalOnlyVar, passwordlessTypeVar, hidePasswordResetVar, ignoreUnknownUsernamesVar, @@ -87,6 +88,7 @@ func update(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Dia AllowDomainDiscovery: d.Get(allowDomainDiscovery).(bool), DisableLoginWithEmail: d.Get(disableLoginWithEmail).(bool), DisableLoginWithPhone: d.Get(disableLoginWithPhone).(bool), + ForceMfaLocalOnly: d.Get(forceMFALocalOnlyVar).(bool), }) if helper.IgnorePreconditionError(err) != nil { return diag.Errorf("failed to update login policy: %v", err) @@ -224,6 +226,7 @@ func read(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagn allowDomainDiscovery: resp.Policy.GetAllowDomainDiscovery(), disableLoginWithEmail: resp.Policy.GetDisableLoginWithEmail(), disableLoginWithPhone: resp.Policy.GetDisableLoginWithPhone(), + forceMFALocalOnlyVar: resp.Policy.GetForceMfaLocalOnly(), } respSecond, err := client.ListLoginPolicySecondFactors(ctx, &admin.ListLoginPolicySecondFactorsRequest{}) diff --git a/zitadel/v2/default_login_policy/resource.go b/zitadel/v2/default_login_policy/resource.go index 08cc45aa..e45efc59 100644 --- a/zitadel/v2/default_login_policy/resource.go +++ b/zitadel/v2/default_login_policy/resource.go @@ -28,6 +28,11 @@ func GetResource() *schema.Resource { Required: true, Description: "defines if a user MUST use a multi factor to log in", }, + forceMFALocalOnlyVar: { + Type: schema.TypeBool, + Required: true, + Description: "if activated, ZITADEL only enforces MFA on local authentications. On authentications through MFA, ZITADEL won't prompt for MFA.", + }, passwordlessTypeVar: { Type: schema.TypeString, Required: true, diff --git a/zitadel/v2/login_policy/const.go b/zitadel/v2/login_policy/const.go index d8188bab..4fc0150a 100644 --- a/zitadel/v2/login_policy/const.go +++ b/zitadel/v2/login_policy/const.go @@ -6,6 +6,7 @@ const ( allowRegisterVar = "allow_register" allowExternalIDPVar = "allow_external_idp" forceMFAVar = "force_mfa" + forceMFALocalOnlyVar = "force_mfa_local_only" passwordlessTypeVar = "passwordless_type" hidePasswordResetVar = "hide_password_reset" passwordCheckLifetimeVar = "password_check_lifetime" diff --git a/zitadel/v2/login_policy/funcs.go b/zitadel/v2/login_policy/funcs.go index b37fb7b9..3a4f5a61 100644 --- a/zitadel/v2/login_policy/funcs.go +++ b/zitadel/v2/login_policy/funcs.go @@ -55,6 +55,7 @@ func update(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Dia allowRegisterVar, allowExternalIDPVar, forceMFAVar, + forceMFALocalOnlyVar, passwordlessTypeVar, hidePasswordResetVar, ignoreUnknownUsernamesVar, @@ -105,6 +106,7 @@ func update(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Dia AllowDomainDiscovery: d.Get(allowDomainDiscovery).(bool), DisableLoginWithEmail: d.Get(disableLoginWithEmail).(bool), DisableLoginWithPhone: d.Get(disableLoginWithPhone).(bool), + ForceMfaLocalOnly: d.Get(forceMFALocalOnlyVar).(bool), }) if err != nil { return diag.Errorf("failed to update login policy: %v", err) @@ -240,6 +242,7 @@ func create(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Dia AllowDomainDiscovery: d.Get(allowDomainDiscovery).(bool), DisableLoginWithEmail: d.Get(disableLoginWithEmail).(bool), DisableLoginWithPhone: d.Get(disableLoginWithPhone).(bool), + ForceMfaLocalOnly: d.Get(forceMFALocalOnlyVar).(bool), }) if err != nil { return diag.Errorf("failed to create login policy: %v", err) @@ -330,6 +333,7 @@ func read(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagn allowDomainDiscovery: policy.GetAllowDomainDiscovery(), disableLoginWithEmail: policy.GetDisableLoginWithEmail(), disableLoginWithPhone: policy.GetDisableLoginWithPhone(), + forceMFALocalOnlyVar: policy.GetForceMfaLocalOnly(), } respSecond, err := client.ListLoginPolicySecondFactors(ctx, &management.ListLoginPolicySecondFactorsRequest{}) diff --git a/zitadel/v2/login_policy/resource.go b/zitadel/v2/login_policy/resource.go index 9e4bedee..cba41721 100644 --- a/zitadel/v2/login_policy/resource.go +++ b/zitadel/v2/login_policy/resource.go @@ -34,6 +34,11 @@ func GetResource() *schema.Resource { Required: true, Description: "defines if a user MUST use a multi factor to log in", }, + forceMFALocalOnlyVar: { + Type: schema.TypeBool, + Required: true, + Description: "if activated, ZITADEL only enforces MFA on local authentications. On authentications through MFA, ZITADEL won't prompt for MFA.", + }, passwordlessTypeVar: { Type: schema.TypeString, Required: true,