feat: add MFA OTP support for IAM members (#1727)

Co-authored-by: philibeaux <[email protected]>

Author: scaleway-bot

packages/clients/src/api/iam/v1alpha1/api.gen.ts

@@ -29,6 +29,7 @@ import {
   marshalUpdateUserPasswordRequest,
   marshalUpdateUserRequest,
   marshalUpdateUserUsernameRequest,
+  marshalValidateUserMFAOTPRequest,
   unmarshalAPIKey,
   unmarshalApplication,
   unmarshalEncodedJWT,
@@ -47,12 +48,14 @@ import {
   unmarshalListSSHKeysResponse,
   unmarshalListUsersResponse,
   unmarshalLog,
+  unmarshalMFAOTP,
   unmarshalOrganizationSecuritySettings,
   unmarshalPolicy,
   unmarshalQuotum,
   unmarshalSSHKey,
   unmarshalSetRulesResponse,
   unmarshalUser,
+  unmarshalValidateUserMFAOTPResponse,
 } from './marshalling.gen'
 import type {
   APIKey,
@@ -66,13 +69,15 @@ import type {
   CreateJWTRequest,
   CreatePolicyRequest,
   CreateSSHKeyRequest,
+  CreateUserMFAOTPRequest,
   CreateUserRequest,
   DeleteAPIKeyRequest,
   DeleteApplicationRequest,
   DeleteGroupRequest,
   DeleteJWTRequest,
   DeletePolicyRequest,
   DeleteSSHKeyRequest,
+  DeleteUserMFAOTPRequest,
   DeleteUserRequest,
   EncodedJWT,
   GetAPIKeyRequest,
@@ -113,6 +118,7 @@ import type {
   ListUsersResponse,
   LockUserRequest,
   Log,
+  MFAOTP,
   OrganizationSecuritySettings,
   Policy,
   Quotum,
@@ -132,6 +138,8 @@ import type {
   UpdateUserRequest,
   UpdateUserUsernameRequest,
   User,
+  ValidateUserMFAOTPRequest,
+  ValidateUserMFAOTPResponse,
 } from './types.gen'
 
 const jsonContentHeaders = {
@@ -397,6 +405,58 @@ export class API extends ParentAPI {
       unmarshalUser,
     )
 
+  /**
+   * Create a MFA OTP. Private Beta feature.. Create a MFA OTP. Private Beta
+   * feature.
+   *
+   * @param request - The request {@link CreateUserMFAOTPRequest}
+   * @returns A Promise of MFAOTP
+   */
+  createUserMFAOTP = (request: Readonly<CreateUserMFAOTPRequest>) =>
+    this.client.fetch<MFAOTP>(
+      {
+        body: '{}',
+        headers: jsonContentHeaders,
+        method: 'POST',
+        path: `/iam/v1alpha1/users/${validatePathParam('userId', request.userId)}/mfa-otp`,
+      },
+      unmarshalMFAOTP,
+    )
+
+  /**
+   * Validate a MFA OTP. Private Beta feature.. Validate a MFA OTP. Private Beta
+   * feature.
+   *
+   * @param request - The request {@link ValidateUserMFAOTPRequest}
+   * @returns A Promise of ValidateUserMFAOTPResponse
+   */
+  validateUserMFAOTP = (request: Readonly<ValidateUserMFAOTPRequest>) =>
+    this.client.fetch<ValidateUserMFAOTPResponse>(
+      {
+        body: JSON.stringify(
+          marshalValidateUserMFAOTPRequest(request, this.client.settings),
+        ),
+        headers: jsonContentHeaders,
+        method: 'POST',
+        path: `/iam/v1alpha1/users/${validatePathParam('userId', request.userId)}/validate-mfa-otp`,
+      },
+      unmarshalValidateUserMFAOTPResponse,
+    )
+
+  /**
+   * Delete a MFA OTP. Private Beta feature.. Delete a MFA OTP. Private Beta
+   * feature.
+   *
+   * @param request - The request {@link DeleteUserMFAOTPRequest}
+   */
+  deleteUserMFAOTP = (request: Readonly<DeleteUserMFAOTPRequest>) =>
+    this.client.fetch<void>({
+      body: '{}',
+      headers: jsonContentHeaders,
+      method: 'DELETE',
+      path: `/iam/v1alpha1/users/${validatePathParam('userId', request.userId)}/mfa-otp`,
+    })
+
   /**
    * Lock a member. Lock a member. A locked member cannot log in or use API keys
    * until the locked status is removed. Private Beta feature.

packages/clients/src/api/iam/v1alpha1/index.gen.ts

@@ -14,6 +14,7 @@ export type {
   CreateJWTRequest,
   CreatePolicyRequest,
   CreateSSHKeyRequest,
+  CreateUserMFAOTPRequest,
   CreateUserRequest,
   CreateUserRequestMember,
   DeleteAPIKeyRequest,
@@ -22,6 +23,7 @@ export type {
   DeleteJWTRequest,
   DeletePolicyRequest,
   DeleteSSHKeyRequest,
+  DeleteUserMFAOTPRequest,
   DeleteUserRequest,
   EncodedJWT,
   GetAPIKeyRequest,
@@ -76,6 +78,7 @@ export type {
   Log,
   LogAction,
   LogResourceType,
+  MFAOTP,
   OrganizationSecuritySettings,
   PermissionSet,
   PermissionSetScopeType,
@@ -101,5 +104,7 @@ export type {
   User,
   UserStatus,
   UserType,
+  ValidateUserMFAOTPRequest,
+  ValidateUserMFAOTPResponse,
 } from './types.gen'
 export * as ValidationRules from './validation-rules.gen'

packages/clients/src/api/iam/v1alpha1/marshalling.gen.ts

@@ -38,6 +38,7 @@ import type {
   ListSSHKeysResponse,
   ListUsersResponse,
   Log,
+  MFAOTP,
   OrganizationSecuritySettings,
   PermissionSet,
   Policy,
@@ -59,6 +60,8 @@ import type {
   UpdateUserRequest,
   UpdateUserUsernameRequest,
   User,
+  ValidateUserMFAOTPRequest,
+  ValidateUserMFAOTPResponse,
 } from './types.gen'
 
 export const unmarshalJWT = (data: unknown): JWT => {
@@ -506,6 +509,18 @@ export const unmarshalListUsersResponse = (
   } as ListUsersResponse
 }
 
+export const unmarshalMFAOTP = (data: unknown): MFAOTP => {
+  if (!isJSONObject(data)) {
+    throw new TypeError(
+      `Unmarshalling the type 'MFAOTP' failed as data isn't a dictionary.`,
+    )
+  }
+
+  return {
+    secret: data.secret,
+  } as MFAOTP
+}
+
 export const unmarshalOrganizationSecuritySettings = (
   data: unknown,
 ): OrganizationSecuritySettings => {
@@ -534,6 +549,20 @@ export const unmarshalSetRulesResponse = (data: unknown): SetRulesResponse => {
   } as SetRulesResponse
 }
 
+export const unmarshalValidateUserMFAOTPResponse = (
+  data: unknown,
+): ValidateUserMFAOTPResponse => {
+  if (!isJSONObject(data)) {
+    throw new TypeError(
+      `Unmarshalling the type 'ValidateUserMFAOTPResponse' failed as data isn't a dictionary.`,
+    )
+  }
+
+  return {
+    recoveryCodes: data.recovery_codes,
+  } as ValidateUserMFAOTPResponse
+}
+
 export const marshalAddGroupMemberRequest = (
   request: AddGroupMemberRequest,
   defaults: DefaultValues,
@@ -768,3 +797,10 @@ export const marshalUpdateUserUsernameRequest = (
 ): Record<string, unknown> => ({
   username: request.username,
 })
+
+export const marshalValidateUserMFAOTPRequest = (
+  request: ValidateUserMFAOTPRequest,
+  defaults: DefaultValues,
+): Record<string, unknown> => ({
+  one_time_password: request.oneTimePassword,
+})

packages/clients/src/api/iam/v1alpha1/types.gen.ts

@@ -586,6 +586,11 @@ export type CreateSSHKeyRequest = {
   projectId?: string
 }
 
+export type CreateUserMFAOTPRequest = {
+  /** User ID of the MFA OTP. */
+  userId: string
+}
+
 export type CreateUserRequest = {
   /** ID of the Organization. */
   organizationId?: string
@@ -634,6 +639,11 @@ export type DeleteSSHKeyRequest = {
   sshKeyId: string
 }
 
+export type DeleteUserMFAOTPRequest = {
+  /** User ID of the MFA OTP. */
+  userId: string
+}
+
 export type DeleteUserRequest = {
   /** ID of the user to delete. */
   userId: string
@@ -995,6 +1005,10 @@ export type LockUserRequest = {
   userId: string
 }
 
+export interface MFAOTP {
+  secret: string
+}
+
 export interface OrganizationSecuritySettings {
   /** Defines whether password renewal is enforced during first login. */
   enforcePasswordRenewal: boolean
@@ -1158,3 +1172,15 @@ export type UpdateUserUsernameRequest = {
   /** The new username. */
   username: string
 }
+
+export type ValidateUserMFAOTPRequest = {
+  /** User ID of the MFA OTP. */
+  userId: string
+  /** A password generated using the OTP. */
+  oneTimePassword: string
+}
+
+export interface ValidateUserMFAOTPResponse {
+  /** List of recovery codes usable for this OTP method. */
+  recoveryCodes: string[]
+}

packages/clients/src/api/iam/v1alpha1/validation-rules.gen.ts

@@ -269,3 +269,9 @@ export const UpdateUserUsernameRequest = {
     pattern: /^[a-zA-Z0-9._-]+$/,
   },
 }
+
+export const ValidateUserMFAOTPRequest = {
+  oneTimePassword: {
+    pattern: /^[0-9]{6}$/,
+  },
+}