feat(identities): add a state to identities

identity/handler.go

@@ -3,6 +3,7 @@ package identity
 import (
 	"encoding/json"
 	"net/http"
+	"time"
 
 	"github.com/ory/kratos/driver/config"
 
@@ -214,7 +215,7 @@ func (h *Handler) create(w http.ResponseWriter, r *http.Request, _ httprouter.Pa
 		return
 	}
 
-	i := &Identity{SchemaID: cr.SchemaID, Traits: []byte(cr.Traits)}
+	i := &Identity{SchemaID: cr.SchemaID, Traits: []byte(cr.Traits), State: StateActive, StateChangedAt: time.Now()}
 	if err := h.r.IdentityManager().Create(r.Context(), i); err != nil {
 		h.r.Writer().WriteError(w, r, err)
 		return

identity/identity.go

@@ -20,6 +20,13 @@ import (
 	"github.com/ory/kratos/x"
 )
 
+type State uint8
+
+const (
+	StateActive State = iota + 1
+	StateDisabled
+)
+
 type (
 	// Identity represents an Ory Kratos identity
 	//
@@ -75,6 +82,12 @@ type (
 		// ---
 		RecoveryAddresses []RecoveryAddress `json:"recovery_addresses,omitempty" faker:"-" has_many:"identity_recovery_addresses" fk_id:"identity_id"`
 
+		// State is the identity's state.
+		State State `json:"-" faker:"-" db:"state"`
+
+		// StateChangedAt contains the last time when the identity's state changed.
+		StateChangedAt time.Time `json:"-" faker:"-" db:"state_changed_at"`
+
 		// CreatedAt is a helper struct field for gobuffalo.pop.
 		CreatedAt time.Time `json:"-" db:"created_at"`
 
@@ -125,6 +138,10 @@ func (i *Identity) lock() *sync.RWMutex {
 	return i.l
 }
 
+func (i *Identity) IsActive() bool {
+	return i.State == StateActive
+}
+
 func (i *Identity) SetCredentials(t CredentialsType, c Credentials) {
 	i.lock().Lock()
 	defer i.lock().Unlock()
@@ -178,6 +195,8 @@ func NewIdentity(traitsSchemaID string) *Identity {
 		Traits:              Traits("{}"),
 		SchemaID:            traitsSchemaID,
 		VerifiableAddresses: []VerifiableAddress{},
+		State:               StateActive,
+		StateChangedAt:      time.Now(),
 		l:                   new(sync.RWMutex),
 	}
 }

identity/identity_test.go

@@ -14,4 +14,5 @@ func TestNewIdentity(t *testing.T) {
 	// assert.NotEmpty(t, i.Metadata)
 	assert.NotEmpty(t, i.Traits)
 	assert.NotNil(t, i.Credentials)
+	assert.True(t, i.IsActive())
 }

internal/testhelpers/handler_mock.go

@@ -35,7 +35,8 @@ func MockSetSession(t *testing.T, reg mockDeps, conf *config.Config) httprouter.
 		i := identity.NewIdentity(config.DefaultIdentityTraitsSchemaID)
 		require.NoError(t, reg.PrivilegedIdentityPool().CreateIdentity(context.Background(), i))
 
-		require.NoError(t, reg.SessionManager().CreateAndIssueCookie(context.Background(), w, r, session.NewActiveSession(i, conf, time.Now().UTC())))
+		activeSession, _ := session.NewActiveSession(i, conf, time.Now().UTC())
+		require.NoError(t, reg.SessionManager().CreateAndIssueCookie(context.Background(), w, r, activeSession))
 
 		w.WriteHeader(http.StatusOK)
 	}
@@ -121,5 +122,5 @@ func MockSessionCreateHandlerWithIdentity(t *testing.T, reg mockDeps, i *identit
 
 func MockSessionCreateHandler(t *testing.T, reg mockDeps) (httprouter.Handle, *session.Session) {
 	return MockSessionCreateHandlerWithIdentity(t, reg, &identity.Identity{
-		ID: x.NewUUID(), Traits: identity.Traits(`{"baz":"bar","foo":true,"bar":2.5}`)})
+		ID: x.NewUUID(), State: identity.StateActive, Traits: identity.Traits(`{"baz":"bar","foo":true,"bar":2.5}`)})
 }

internal/testhelpers/session.go

@@ -92,27 +92,33 @@ func NewHTTPClientWithSessionToken(t *testing.T, reg *driver.RegistryDefault, se
 }
 
 func NewHTTPClientWithArbitrarySessionToken(t *testing.T, reg *driver.RegistryDefault) *http.Client {
-	return NewHTTPClientWithSessionToken(t, reg, session.NewActiveSession(
-		&identity.Identity{ID: x.NewUUID()},
+	s, _ := session.NewActiveSession(
+		&identity.Identity{ID: x.NewUUID(), State: identity.StateActive},
 		NewSessionLifespanProvider(time.Hour),
 		time.Now(),
-	))
+	)
+
+	return NewHTTPClientWithSessionToken(t, reg, s)
 }
 
 func NewHTTPClientWithArbitrarySessionCookie(t *testing.T, reg *driver.RegistryDefault) *http.Client {
-	return NewHTTPClientWithSessionCookie(t, reg, session.NewActiveSession(
-		&identity.Identity{ID: x.NewUUID()},
+	s, _ := session.NewActiveSession(
+		&identity.Identity{ID: x.NewUUID(), State: identity.StateActive},
 		NewSessionLifespanProvider(time.Hour),
 		time.Now(),
-	))
+	)
+
+	return NewHTTPClientWithSessionCookie(t, reg, s)
 }
 
 func NewHTTPClientWithIdentitySessionCookie(t *testing.T, reg *driver.RegistryDefault, id *identity.Identity) *http.Client {
-	return NewHTTPClientWithSessionCookie(t, reg,
-		session.NewActiveSession(id, NewSessionLifespanProvider(time.Hour), time.Now()))
+	s, _ := session.NewActiveSession(id, NewSessionLifespanProvider(time.Hour), time.Now())
+
+	return NewHTTPClientWithSessionCookie(t, reg, s)
 }
 
 func NewHTTPClientWithIdentitySessionToken(t *testing.T, reg *driver.RegistryDefault, id *identity.Identity) *http.Client {
-	return NewHTTPClientWithSessionToken(t, reg,
-		session.NewActiveSession(id, NewSessionLifespanProvider(time.Hour), time.Now()))
+	s, _ := session.NewActiveSession(id, NewSessionLifespanProvider(time.Hour), time.Now())
+
+	return NewHTTPClientWithSessionToken(t, reg, s)
 }

persistence/sql/migrations/sql/20210504121624000000_add_identity_states.cockroach.down.sql

@@ -0,0 +1 @@
+ALTER TABLE "identities" DROP COLUMN "state_changed_at";

persistence/sql/migrations/sql/20210504121624000000_add_identity_states.cockroach.up.sql

@@ -0,0 +1 @@
+ALTER TABLE "identities" ADD COLUMN "state" int NOT NULL DEFAULT '1';

persistence/sql/migrations/sql/20210504121624000000_add_identity_states.mysql.down.sql

@@ -0,0 +1 @@
+ALTER TABLE `identities` DROP COLUMN `state_changed_at`;

persistence/sql/migrations/sql/20210504121624000000_add_identity_states.mysql.up.sql

@@ -0,0 +1 @@
+ALTER TABLE `identities` ADD COLUMN `state` INTEGER NOT NULL DEFAULT 1;

persistence/sql/migrations/sql/20210504121624000000_add_identity_states.postgres.down.sql

@@ -0,0 +1 @@
+ALTER TABLE "identities" DROP COLUMN "state_changed_at";

persistence/sql/migrations/sql/20210504121624000000_add_identity_states.postgres.up.sql

@@ -0,0 +1 @@
+ALTER TABLE "identities" ADD COLUMN "state" int NOT NULL DEFAULT '1';

persistence/sql/migrations/sql/20210504121624000000_add_identity_states.sqlite3.down.sql

@@ -0,0 +1 @@
+ALTER TABLE "_identities_tmp" RENAME TO "identities";

persistence/sql/migrations/sql/20210504121624000000_add_identity_states.sqlite3.up.sql

@@ -0,0 +1 @@
+ALTER TABLE "identities" ADD COLUMN "state" INTEGER NOT NULL DEFAULT '1';

persistence/sql/migrations/sql/20210504121624000001_add_identity_states.cockroach.down.sql

@@ -0,0 +1 @@
+ALTER TABLE "identities" DROP COLUMN "state";

persistence/sql/migrations/sql/20210504121624000001_add_identity_states.cockroach.up.sql

@@ -0,0 +1 @@
+ALTER TABLE "identities" ADD COLUMN "state_changed_at" timestamp;

persistence/sql/migrations/sql/20210504121624000001_add_identity_states.mysql.down.sql

@@ -0,0 +1 @@
+ALTER TABLE `identities` DROP COLUMN `state`;

persistence/sql/migrations/sql/20210504121624000001_add_identity_states.mysql.up.sql

@@ -0,0 +1 @@
+ALTER TABLE `identities` ADD COLUMN `state_changed_at` DATETIME;

persistence/sql/migrations/sql/20210504121624000001_add_identity_states.postgres.down.sql

@@ -0,0 +1 @@
+ALTER TABLE "identities" DROP COLUMN "state";

persistence/sql/migrations/sql/20210504121624000001_add_identity_states.postgres.up.sql

@@ -0,0 +1 @@
+ALTER TABLE "identities" ADD COLUMN "state_changed_at" timestamp;

persistence/sql/migrations/sql/20210504121624000001_add_identity_states.sqlite3.down.sql

@@ -0,0 +1,2 @@
+
+DROP TABLE "identities";

persistence/sql/migrations/sql/20210504121624000001_add_identity_states.sqlite3.up.sql

@@ -0,0 +1 @@
+ALTER TABLE "identities" ADD COLUMN "state_changed_at" DATETIME;

persistence/sql/migrations/sql/20210504121624000002_add_identity_states.sqlite3.down.sql

@@ -0,0 +1 @@
+INSERT INTO "_identities_tmp" (id, schema_id, traits, created_at, updated_at, nid) SELECT id, schema_id, traits, created_at, updated_at, nid FROM "identities";

persistence/sql/migrations/sql/20210504121624000003_add_identity_states.sqlite3.down.sql

@@ -0,0 +1 @@
+CREATE INDEX "identities_nid_idx" ON "_identities_tmp" (id, nid);

persistence/sql/migrations/sql/20210504121624000004_add_identity_states.sqlite3.down.sql

@@ -0,0 +1,8 @@
+CREATE TABLE "_identities_tmp" (
+"id" TEXT PRIMARY KEY,
+"schema_id" TEXT NOT NULL,
+"traits" TEXT NOT NULL,
+"created_at" DATETIME NOT NULL,
+"updated_at" DATETIME NOT NULL,
+"nid" char(36)
+);

persistence/sql/migrations/sql/20210504121624000005_add_identity_states.sqlite3.down.sql

@@ -0,0 +1 @@
+DROP INDEX IF EXISTS "identities_nid_idx";

persistence/sql/migrations/sql/20210504121624000006_add_identity_states.sqlite3.down.sql

@@ -0,0 +1 @@
+ALTER TABLE "_identities_tmp" RENAME TO "identities";

persistence/sql/migrations/sql/20210504121624000007_add_identity_states.sqlite3.down.sql

@@ -0,0 +1,2 @@
+
+DROP TABLE "identities";

persistence/sql/migrations/sql/20210504121624000008_add_identity_states.sqlite3.down.sql

@@ -0,0 +1 @@
+INSERT INTO "_identities_tmp" (id, schema_id, traits, created_at, updated_at, nid, state_changed_at) SELECT id, schema_id, traits, created_at, updated_at, nid, state_changed_at FROM "identities";

persistence/sql/migrations/sql/20210504121624000009_add_identity_states.sqlite3.down.sql

@@ -0,0 +1 @@
+CREATE INDEX "identities_nid_idx" ON "_identities_tmp" (id, nid);

persistence/sql/migrations/sql/20210504121624000010_add_identity_states.sqlite3.down.sql

@@ -0,0 +1,9 @@
+CREATE TABLE "_identities_tmp" (
+"id" TEXT PRIMARY KEY,
+"schema_id" TEXT NOT NULL,
+"traits" TEXT NOT NULL,
+"created_at" DATETIME NOT NULL,
+"updated_at" DATETIME NOT NULL,
+"nid" char(36),
+"state_changed_at" DATETIME
+);

persistence/sql/migrations/sql/20210504121624000011_add_identity_states.sqlite3.down.sql

@@ -0,0 +1 @@
+DROP INDEX IF EXISTS "identities_nid_idx";

persistence/sql/migrations/templates/20210504121624_add_identity_states.down.fizz

@@ -0,0 +1,2 @@
+drop_column("identities", "state")
+drop_column("identities", "state_changed_at")

persistence/sql/migrations/templates/20210504121624_add_identity_states.up.fizz

@@ -0,0 +1,2 @@
+add_column("identities", "state", "int", {"default": 1})
+add_column("identities", "state_changed_at", "timestamp", {"null": true})

persistence/sql/persister_identity.go

@@ -213,6 +213,11 @@ func (p *Persister) CreateIdentity(ctx context.Context, i *identity.Identity) er
 		i.SchemaID = config.DefaultIdentityTraitsSchemaID
 	}
 
+	i.StateChangedAt = time.Now()
+	if i.State == 0 {
+		i.State = identity.StateActive
+	}
+
 	if len(i.Traits) == 0 {
 		i.Traits = identity.Traits("{}")
 	}

persistence/sql/persister_test.go

@@ -217,6 +217,7 @@ func TestPersister_Transaction(t *testing.T) {
 	t.Run("case=should not create identity because callback returned error", func(t *testing.T) {
 		i := &ri.Identity{
 			ID:     x.NewUUID(),
+			State:  ri.StateActive,
 			Traits: ri.Traits(`{}`),
 		}
 		errMessage := "failing because why not"

selfservice/flow/login/hook.go

@@ -61,7 +61,11 @@ func NewHookExecutor(d executorDependencies) *HookExecutor {
 }
 
 func (e *HookExecutor) PostLoginHook(w http.ResponseWriter, r *http.Request, ct identity.CredentialsType, a *Flow, i *identity.Identity) error {
-	s := session.NewActiveSession(i, e.d.Config(r.Context()), time.Now().UTC()).Declassify()
+	s, err := session.NewActiveSession(i, e.d.Config(r.Context()), time.Now().UTC())
+	if err != nil {
+		return err
+	}
+	s = s.Declassify()
 
 	e.d.Logger().
 		WithRequest(r).

selfservice/flow/registration/hook.go

@@ -129,7 +129,11 @@ func (e *HookExecutor) PostRegistrationHook(w http.ResponseWriter, r *http.Reque
 		WithField("identity_id", i.ID).
 		Info("A new identity has registered using self-service registration.")
 
-	s := session.NewActiveSession(i, e.d.Config(r.Context()), time.Now().UTC())
+	s, err := session.NewActiveSession(i, e.d.Config(r.Context()), time.Now().UTC())
+	if err != nil {
+		return err
+	}
+
 	e.d.Logger().
 		WithRequest(r).
 		WithField("identity_id", i.ID).

selfservice/flow/settings/error_test.go

@@ -127,8 +127,8 @@ func TestHandleError(t *testing.T) {
 			t.Cleanup(reset)
 
 			// This needs an authenticated client in order to call the RouteGetFlow endpoint
-			c := testhelpers.NewHTTPClientWithSessionToken(t, reg, session.NewActiveSession(&id,
-				testhelpers.NewSessionLifespanProvider(time.Hour), time.Now()))
+			s, _ := session.NewActiveSession(&id, testhelpers.NewSessionLifespanProvider(time.Hour), time.Now())
+			c := testhelpers.NewHTTPClientWithSessionToken(t, reg, s)
 
 			settingsFlow = newFlow(t, time.Minute, flow.TypeAPI)
 			flowError = settings.NewFlowExpiredError(expiredAnHourAgo)

selfservice/flow/settings/hook_test.go

@@ -46,7 +46,7 @@ func TestSettingsExecutor(t *testing.T) {
 				handleErr := testhelpers.SelfServiceHookSettingsErrorHandler
 				router.GET("/settings/post", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
 					i := testhelpers.SelfServiceHookCreateFakeIdentity(t, reg)
-					sess := session.NewActiveSession(i, conf, time.Now().UTC())
+					sess, _ := session.NewActiveSession(i, conf, time.Now().UTC())
 
 					a := settings.NewFlow(conf, time.Minute, r, sess.Identity, ft)
 					a.RequestURL = x.RequestURL(r).String()

selfservice/strategy/link/strategy_recovery.go

@@ -323,7 +323,7 @@ func (s *Strategy) recoveryIssueSession(w http.ResponseWriter, r *http.Request,
 		return s.handleRecoveryError(w, r, f, nil, err)
 	}
 
-	sess := session.NewActiveSession(recovered, s.d.Config(r.Context()), time.Now().UTC())
+	sess, _ := session.NewActiveSession(recovered, s.d.Config(r.Context()), time.Now().UTC())
 	if err := s.d.SessionManager().CreateAndIssueCookie(r.Context(), w, r, sess); err != nil {
 		return s.handleRecoveryError(w, r, f, nil, err)
 	}

session/handler_test.go

@@ -85,7 +85,7 @@ func TestSessionRevoke(t *testing.T) {
 	conf.MustSet(config.ViperKeyDefaultIdentitySchemaURL, "file://stub/identity.schema.json")
 	i := &identity.Identity{Traits: identity.Traits(`{"baz":"bar"}`)}
 	require.NoError(t, reg.PrivilegedIdentityPool().CreateIdentity(context.Background(), i))
-	sess := NewActiveSession(i, conf, time.Now())
+	sess, _ := NewActiveSession(i, conf, time.Now())
 	require.NoError(t, reg.SessionPersister().CreateSession(context.Background(), sess))
 
 	sdk := testhelpers.NewSDKClient(publicTS)

session/manager_http_test.go

@@ -87,7 +87,7 @@ func TestManagerHTTP(t *testing.T) {
 
 			i := identity.Identity{Traits: []byte("{}")}
 			require.NoError(t, reg.PrivilegedIdentityPool().CreateIdentity(context.Background(), &i))
-			s = session.NewActiveSession(&i, conf, time.Now())
+			s, _ = session.NewActiveSession(&i, conf, time.Now())
 
 			c := testhelpers.NewClientWithCookies(t)
 			testhelpers.MockHydrateCookieClient(t, c, pts.URL+"/session/set")
@@ -105,7 +105,7 @@ func TestManagerHTTP(t *testing.T) {
 
 			i := identity.Identity{Traits: []byte("{}")}
 			require.NoError(t, reg.PrivilegedIdentityPool().CreateIdentity(context.Background(), &i))
-			s = session.NewActiveSession(&i, conf, time.Now())
+			s, _ = session.NewActiveSession(&i, conf, time.Now())
 
 			c := testhelpers.NewClientWithCookies(t)
 			testhelpers.MockHydrateCookieClient(t, c, pts.URL+"/session/set")
@@ -120,9 +120,9 @@ func TestManagerHTTP(t *testing.T) {
 		t.Run("case=revoked", func(t *testing.T) {
 			i := identity.Identity{Traits: []byte("{}")}
 			require.NoError(t, reg.PrivilegedIdentityPool().CreateIdentity(context.Background(), &i))
-			s = session.NewActiveSession(&i, conf, time.Now())
+			s, _ = session.NewActiveSession(&i, conf, time.Now())
 
-			s = session.NewActiveSession(&i, conf, time.Now())
+			s, _ = session.NewActiveSession(&i, conf, time.Now())
 
 			c := testhelpers.NewClientWithCookies(t)
 			testhelpers.MockHydrateCookieClient(t, c, pts.URL+"/session/set")

session/session.go

@@ -2,6 +2,7 @@ package session
 
 import (
 	"context"
+	"github.com/ory/herodot"
 	"time"
 
 	"github.com/ory/kratos/corp"
@@ -14,6 +15,8 @@ import (
 	"github.com/ory/kratos/x"
 )
 
+var ErrIdentityDisabled = herodot.ErrUnauthorized.WithError("identity is disabled").WithReason("This account was disabled.")
+
 // swagger:model session
 type Session struct {
 	// required: true
@@ -49,7 +52,11 @@ func (s Session) TableName(ctx context.Context) string {
 
 func NewActiveSession(i *identity.Identity, c interface {
 	SessionLifespan() time.Duration
-}, authenticatedAt time.Time) *Session {
+}, authenticatedAt time.Time) (*Session, error) {
+	if i != nil && !i.IsActive() {
+		return nil, ErrIdentityDisabled
+	}
+
 	return &Session{
 		ID:              x.NewUUID(),
 		ExpiresAt:       authenticatedAt.Add(c.SessionLifespan()),
@@ -59,7 +66,7 @@ func NewActiveSession(i *identity.Identity, c interface {
 		IdentityID:      i.ID,
 		Token:           randx.MustString(32, randx.AlphaNum),
 		Active:          true,
-	}
+	}, nil
 }
 
 type Device struct {
@@ -73,5 +80,5 @@ func (s *Session) Declassify() *Session {
 }
 
 func (s *Session) IsActive() bool {
-	return s.Active && s.ExpiresAt.After(time.Now())
+	return s.Active && s.ExpiresAt.After(time.Now()) && (s.Identity == nil || s.Identity.IsActive())
 }