feat(iam): add MFA OTP support for IAM members (#2391)

scaleway · Jan 17, 2025 · 3e93945 · 3e93945
1 parent e9870c4
commit 3e93945
Showing 1 changed file with 111 additions and 0 deletions.
diff --git a/api/iam/v1alpha1/iam_sdk.go b/api/iam/v1alpha1/iam_sdk.go
@@ -1406,6 +1406,12 @@ type CreateSSHKeyRequest struct {
 	ProjectID string `json:"project_id"`
 }
 
+// CreateUserMFAOTPRequest: create user mfaotp request.
+type CreateUserMFAOTPRequest struct {
+	// UserID: user ID of the MFA OTP.
+	UserID string `json:"-"`
+}
+
 // CreateUserRequest: create user request.
 type CreateUserRequest struct {
 	// OrganizationID: ID of the Organization.
@@ -1458,6 +1464,12 @@ type DeleteSSHKeyRequest struct {
 	SSHKeyID string `json:"-"`
 }
 
+// DeleteUserMFAOTPRequest: delete user mfaotp request.
+type DeleteUserMFAOTPRequest struct {
+	// UserID: user ID of the MFA OTP.
+	UserID string `json:"-"`
+}
+
 // DeleteUserRequest: delete user request.
 type DeleteUserRequest struct {
 	// UserID: ID of the user to delete.
@@ -2157,6 +2169,11 @@ type LockUserRequest struct {
 	UserID string `json:"-"`
 }
 
+// MFAOTP: mfaotp.
+type MFAOTP struct {
+	Secret string `json:"secret"`
+}
+
 // OrganizationSecuritySettings: organization security settings.
 type OrganizationSecuritySettings struct {
 	// EnforcePasswordRenewal: defines whether password renewal is enforced during first login.
@@ -2342,6 +2359,21 @@ type UpdateUserUsernameRequest struct {
 	Username string `json:"username"`
 }
 
+// ValidateUserMFAOTPRequest: validate user mfaotp request.
+type ValidateUserMFAOTPRequest struct {
+	// UserID: user ID of the MFA OTP.
+	UserID string `json:"-"`
+
+	// OneTimePassword: a password generated using the OTP.
+	OneTimePassword string `json:"one_time_password"`
+}
+
+// ValidateUserMFAOTPResponse: validate user mfaotp response.
+type ValidateUserMFAOTPResponse struct {
+	// RecoveryCodes: list of recovery codes usable for this OTP method.
+	RecoveryCodes []string `json:"recovery_codes"`
+}
+
 // This API allows you to manage Identity and Access Management (IAM) across your Scaleway Organizations, Projects and resources.
 type API struct {
 	client *scw.Client
@@ -2672,6 +2704,85 @@ func (s *API) UpdateUserPassword(req *UpdateUserPasswordRequest, opts ...scw.Req
 	return &resp, nil
 }
 
+// CreateUserMFAOTP: Create a MFA OTP. Private Beta feature.
+func (s *API) CreateUserMFAOTP(req *CreateUserMFAOTPRequest, opts ...scw.RequestOption) (*MFAOTP, error) {
+	var err error
+
+	if fmt.Sprint(req.UserID) == "" {
+		return nil, errors.New("field UserID cannot be empty in request")
+	}
+
+	scwReq := &scw.ScalewayRequest{
+		Method: "POST",
+		Path:   "/iam/v1alpha1/users/" + fmt.Sprint(req.UserID) + "/mfa-otp",
+	}
+
+	err = scwReq.SetBody(req)
+	if err != nil {
+		return nil, err
+	}
+
+	var resp MFAOTP
+
+	err = s.client.Do(scwReq, &resp, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+// ValidateUserMFAOTP: Validate a MFA OTP. Private Beta feature.
+func (s *API) ValidateUserMFAOTP(req *ValidateUserMFAOTPRequest, opts ...scw.RequestOption) (*ValidateUserMFAOTPResponse, error) {
+	var err error
+
+	if fmt.Sprint(req.UserID) == "" {
+		return nil, errors.New("field UserID cannot be empty in request")
+	}
+
+	scwReq := &scw.ScalewayRequest{
+		Method: "POST",
+		Path:   "/iam/v1alpha1/users/" + fmt.Sprint(req.UserID) + "/validate-mfa-otp",
+	}
+
+	err = scwReq.SetBody(req)
+	if err != nil {
+		return nil, err
+	}
+
+	var resp ValidateUserMFAOTPResponse
+
+	err = s.client.Do(scwReq, &resp, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+// DeleteUserMFAOTP: Delete a MFA OTP. Private Beta feature.
+func (s *API) DeleteUserMFAOTP(req *DeleteUserMFAOTPRequest, opts ...scw.RequestOption) error {
+	var err error
+
+	if fmt.Sprint(req.UserID) == "" {
+		return errors.New("field UserID cannot be empty in request")
+	}
+
+	scwReq := &scw.ScalewayRequest{
+		Method: "DELETE",
+		Path:   "/iam/v1alpha1/users/" + fmt.Sprint(req.UserID) + "/mfa-otp",
+	}
+
+	err = scwReq.SetBody(req)
+	if err != nil {
+		return err
+	}
+
+	err = s.client.Do(scwReq, nil, opts...)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 // LockUser: Lock a member. A locked member cannot log in or use API keys until the locked status is removed. Private Beta feature.
 func (s *API) LockUser(req *LockUserRequest, opts ...scw.RequestOption) (*User, error) {
 	var err error