zitadel/internal/command/org_test.go

package command

import (
	"context"
	"testing"
	"time"

	"github.com/stretchr/testify/assert"
	openid "github.com/zitadel/oidc/v3/pkg/oidc"
	"go.uber.org/mock/gomock"
	"golang.org/x/text/language"

	"github.com/zitadel/zitadel/internal/api/authz"
	http_util "github.com/zitadel/zitadel/internal/api/http"
	"github.com/zitadel/zitadel/internal/crypto"
	"github.com/zitadel/zitadel/internal/domain"
	"github.com/zitadel/zitadel/internal/eventstore"
	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
	"github.com/zitadel/zitadel/internal/id"
	id_mock "github.com/zitadel/zitadel/internal/id/mock"
	"github.com/zitadel/zitadel/internal/repository/org"
	"github.com/zitadel/zitadel/internal/repository/project"
	"github.com/zitadel/zitadel/internal/repository/user"
	"github.com/zitadel/zitadel/internal/zerrors"
)

func TestAddOrg(t *testing.T) {
	type args struct {
		a    *org.Aggregate
		name string
	}

	ctx := context.Background()
	agg := org.NewAggregate("test")

	tests := []struct {
		name string
		args args
		want Want
	}{
		{
			name: "invalid domain",
			args: args{
				a:    agg,
				name: "",
			},
			want: Want{
				ValidationErr: zerrors.ThrowInvalidArgument(nil, "ORG-mruNY", "Errors.Invalid.Argument"),
			},
		},
		{
			name: "correct",
			args: args{
				a:    agg,
				name: "caos ag",
			},
			want: Want{
				Commands: []eventstore.Command{
					org.NewOrgAddedEvent(ctx, &agg.Aggregate, "caos ag"),
					org.NewDomainAddedEvent(ctx, &agg.Aggregate, "caos-ag.localhost"),
					org.NewDomainVerifiedEvent(ctx, &agg.Aggregate, "caos-ag.localhost"),
					org.NewDomainPrimarySetEvent(ctx, &agg.Aggregate, "caos-ag.localhost"),
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			AssertValidation(t, context.Background(), AddOrgCommand(http_util.WithRequestedHost(context.Background(), "localhost"), tt.args.a, tt.args.name), nil, tt.want)
		})
	}
}

func TestCommandSide_AddOrg(t *testing.T) {
	type fields struct {
		eventstore   func(t *testing.T) *eventstore.Eventstore
		idGenerator  id.Generator
		zitadelRoles []authz.RoleMapping
	}
	type args struct {
		ctx            context.Context
		name           string
		userID         string
		resourceOwner  string
		claimedUserIDs []string
	}
	type res struct {
		want *domain.Org
		err  func(error) bool
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		res    res
	}{
		{
			name: "invalid org, error",
			fields: fields{
				eventstore: expectEventstore(),
			},
			args: args{
				ctx:           context.Background(),
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.IsErrorInvalidArgument,
			},
		},
		{
			name: "invalid org (spaces), error",
			fields: fields{
				eventstore: expectEventstore(),
			},
			args: args{
				ctx:           context.Background(),
				userID:        "user1",
				resourceOwner: "org1",
				name:          "  ",
			},
			res: res{
				err: zerrors.IsErrorInvalidArgument,
			},
		},
		{
			name: "user removed, error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilterOrgDomainNotFound(),
					expectFilter(
						eventFromEventPusher(
							user.NewHumanAddedEvent(context.Background(),
								&user.NewAggregate("user1", "org1").Aggregate,
								"username1",
								"firstname1",
								"lastname1",
								"nickname1",
								"displayname1",
								language.English,
								domain.GenderMale,
								"email1",
								true,
							),
						),
						eventFromEventPusher(
							user.NewUserRemovedEvent(
								context.Background(),
								&user.NewAggregate("user1", "org1").Aggregate,
								"username1",
								nil,
								true,
							),
						),
					),
				),
				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "org2"),
			},
			args: args{
				ctx:           context.Background(),
				name:          "Org",
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.IsPreconditionFailed,
			},
		},
		{
			name: "push failed unique constraint, error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilterOrgDomainNotFound(),
					expectFilter(
						eventFromEventPusher(
							user.NewHumanAddedEvent(context.Background(),
								&user.NewAggregate("user1", "org1").Aggregate,
								"username1",
								"firstname1",
								"lastname1",
								"nickname1",
								"displayname1",
								language.English,
								domain.GenderMale,
								"email1",
								true,
							),
						),
					),
					expectPushFailed(zerrors.ThrowAlreadyExists(nil, "id", "internal"),
						org.NewOrgAddedEvent(
							context.Background(),
							&org.NewAggregate("org2").Aggregate,
							"Org",
						),
						org.NewDomainAddedEvent(
							context.Background(),
							&org.NewAggregate("org2").Aggregate,
							"org.iam-domain",
						),
						org.NewDomainVerifiedEvent(
							context.Background(),
							&org.NewAggregate("org2").Aggregate,
							"org.iam-domain",
						),
						org.NewDomainPrimarySetEvent(
							context.Background(),
							&org.NewAggregate("org2").Aggregate,
							"org.iam-domain",
						),
						org.NewMemberAddedEvent(
							context.Background(),
							&org.NewAggregate("org2").Aggregate,
							"user1", domain.RoleOrgOwner,
						),
					),
				),
				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "org2"),
				zitadelRoles: []authz.RoleMapping{
					{
						Role: "ORG_OWNER",
					},
				},
			},
			args: args{
				ctx:           http_util.WithRequestedHost(context.Background(), "iam-domain"),
				name:          "Org",
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.IsErrorAlreadyExists,
			},
		},
		{
			name: "push failed, error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilterOrgDomainNotFound(),
					expectFilter(
						eventFromEventPusher(
							user.NewHumanAddedEvent(context.Background(),
								&user.NewAggregate("user1", "org1").Aggregate,
								"username1",
								"firstname1",
								"lastname1",
								"nickname1",
								"displayname1",
								language.English,
								domain.GenderMale,
								"email1",
								true,
							),
						),
					),
					expectPushFailed(zerrors.ThrowInternal(nil, "id", "internal"),
						org.NewOrgAddedEvent(
							context.Background(),
							&org.NewAggregate("org2").Aggregate,
							"Org",
						),
						org.NewDomainAddedEvent(
							context.Background(),
							&org.NewAggregate("org2").Aggregate,
							"org.iam-domain",
						),
						org.NewDomainVerifiedEvent(
							context.Background(),
							&org.NewAggregate("org2").Aggregate,
							"org.iam-domain",
						),
						org.NewDomainPrimarySetEvent(
							context.Background(),
							&org.NewAggregate("org2").Aggregate,
							"org.iam-domain",
						),
						org.NewMemberAddedEvent(
							context.Background(),
							&org.NewAggregate("org2").Aggregate,
							"user1", domain.RoleOrgOwner,
						),
					),
				),
				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "org2"),
				zitadelRoles: []authz.RoleMapping{
					{
						Role: "ORG_OWNER",
					},
				},
			},
			args: args{
				ctx:           http_util.WithRequestedHost(context.Background(), "iam-domain"),
				name:          "Org",
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.IsInternal,
			},
		},
		{
			name: "add org, no error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilterOrgDomainNotFound(),
					expectFilter(
						eventFromEventPusher(
							user.NewHumanAddedEvent(context.Background(),
								&user.NewAggregate("user1", "org1").Aggregate,
								"username1",
								"firstname1",
								"lastname1",
								"nickname1",
								"displayname1",
								language.English,
								domain.GenderMale,
								"email1",
								true,
							),
						),
					),
					expectPush(
						org.NewOrgAddedEvent(context.Background(),
							&org.NewAggregate("org2").Aggregate,
							"Org",
						),
						org.NewDomainAddedEvent(context.Background(),
							&org.NewAggregate("org2").Aggregate, "org.iam-domain",
						),
						org.NewDomainVerifiedEvent(context.Background(),
							&org.NewAggregate("org2").Aggregate,
							"org.iam-domain",
						),
						org.NewDomainPrimarySetEvent(context.Background(),
							&org.NewAggregate("org2").Aggregate,
							"org.iam-domain",
						),
						org.NewMemberAddedEvent(context.Background(),
							&org.NewAggregate("org2").Aggregate,
							"user1",
							domain.RoleOrgOwner,
						),
					),
				),
				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "org2"),
				zitadelRoles: []authz.RoleMapping{
					{
						Role: "ORG_OWNER",
					},
				},
			},
			args: args{
				ctx:           http_util.WithRequestedHost(context.Background(), "iam-domain"),
				name:          "Org",
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				want: &domain.Org{
					ObjectRoot: models.ObjectRoot{
						AggregateID:   "org2",
						ResourceOwner: "org2",
					},
					Name:          "Org",
					State:         domain.OrgStateActive,
					PrimaryDomain: "org.iam-domain",
				},
			},
		},
		{
			name: "add org (remove spaces), no error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilterOrgDomainNotFound(),
					expectFilter(
						eventFromEventPusher(
							user.NewHumanAddedEvent(context.Background(),
								&user.NewAggregate("user1", "org1").Aggregate,
								"username1",
								"firstname1",
								"lastname1",
								"nickname1",
								"displayname1",
								language.English,
								domain.GenderMale,
								"email1",
								true,
							),
						),
					),
					expectPush(
						org.NewOrgAddedEvent(context.Background(),
							&org.NewAggregate("org2").Aggregate,
							"Org",
						),
						org.NewDomainAddedEvent(context.Background(),
							&org.NewAggregate("org2").Aggregate, "org.iam-domain",
						),
						org.NewDomainVerifiedEvent(context.Background(),
							&org.NewAggregate("org2").Aggregate,
							"org.iam-domain",
						),
						org.NewDomainPrimarySetEvent(context.Background(),
							&org.NewAggregate("org2").Aggregate,
							"org.iam-domain",
						),
						org.NewMemberAddedEvent(context.Background(),
							&org.NewAggregate("org2").Aggregate,
							"user1",
							domain.RoleOrgOwner,
						),
					),
				),
				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "org2"),
				zitadelRoles: []authz.RoleMapping{
					{
						Role: "ORG_OWNER",
					},
				},
			},
			args: args{
				ctx:           http_util.WithRequestedHost(context.Background(), "iam-domain"),
				name:          " Org ",
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				want: &domain.Org{
					ObjectRoot: models.ObjectRoot{
						AggregateID:   "org2",
						ResourceOwner: "org2",
					},
					Name:          "Org",
					State:         domain.OrgStateActive,
					PrimaryDomain: "org.iam-domain",
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			r := &Commands{
				eventstore:   tt.fields.eventstore(t),
				idGenerator:  tt.fields.idGenerator,
				zitadelRoles: tt.fields.zitadelRoles,
			}
			got, err := r.AddOrg(tt.args.ctx, tt.args.name, tt.args.userID, tt.args.resourceOwner, tt.args.claimedUserIDs)
			if tt.res.err == nil {
				assert.NoError(t, err)
			}
			if tt.res.err != nil && !tt.res.err(err) {
				t.Errorf("got wrong err: %v ", err)
			}
			if tt.res.err == nil {
				assert.Equal(t, tt.res.want, got)
			}
		})
	}
}

func TestCommandSide_ChangeOrg(t *testing.T) {
	type fields struct {
		eventstore func(t *testing.T) *eventstore.Eventstore
	}
	type args struct {
		ctx   context.Context
		orgID string
		name  string
	}
	type res struct {
		err func(error) bool
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		res    res
	}{
		{
			name: "empty name, invalid argument error",
			fields: fields{
				eventstore: expectEventstore(),
			},
			args: args{
				ctx:   context.Background(),
				orgID: "org1",
			},
			res: res{
				err: zerrors.IsErrorInvalidArgument,
			},
		},
		{
			name: "empty name (spaces), invalid argument error",
			fields: fields{
				eventstore: expectEventstore(),
			},
			args: args{
				ctx:   context.Background(),
				orgID: "org1",
				name:  "  ",
			},
			res: res{
				err: zerrors.IsErrorInvalidArgument,
			},
		},
		{
			name: "org not found, error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(),
				),
			},
			args: args{
				ctx:   context.Background(),
				orgID: "org1",
				name:  "org",
			},
			res: res{
				err: zerrors.IsNotFound,
			},
		},
		{
			name: "no change (spaces), error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							org.NewOrgAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org"),
						),
					),
				),
			},
			args: args{
				ctx:   http_util.WithRequestedHost(context.Background(), "zitadel.ch"),
				orgID: "org1",
				name:  " org ",
			},
			res: res{
				err: zerrors.IsPreconditionFailed,
			},
		},
		{
			name: "push failed, error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							org.NewOrgAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org"),
						),
					),
					expectFilter(),
					expectPushFailed(
						zerrors.ThrowInternal(nil, "id", "message"),
						org.NewOrgChangedEvent(context.Background(),
							&org.NewAggregate("org1").Aggregate, "org", "neworg",
						),
					),
				),
			},
			args: args{
				ctx:   http_util.WithRequestedHost(context.Background(), "zitadel.ch"),
				orgID: "org1",
				name:  "neworg",
			},
			res: res{
				err: zerrors.IsInternal,
			},
		},
		{
			name: "change org name verified, not primary",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							org.NewOrgAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org"),
						),
					),
					expectFilter(
						eventFromEventPusher(
							org.NewOrgAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org"),
						),
						eventFromEventPusher(
							org.NewDomainAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org.zitadel.ch"),
						),
						eventFromEventPusher(
							org.NewDomainVerifiedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org.zitadel.ch"),
						),
					),
					expectPush(
						org.NewOrgChangedEvent(context.Background(),
							&org.NewAggregate("org1").Aggregate, "org", "neworg",
						),
						org.NewDomainAddedEvent(context.Background(),
							&org.NewAggregate("org1").Aggregate, "neworg.zitadel.ch",
						),
						org.NewDomainVerifiedEvent(context.Background(),
							&org.NewAggregate("org1").Aggregate, "neworg.zitadel.ch",
						),
						org.NewDomainRemovedEvent(context.Background(),
							&org.NewAggregate("org1").Aggregate, "org.zitadel.ch", true,
						),
					),
				),
			},
			args: args{
				ctx:   http_util.WithRequestedHost(context.Background(), "zitadel.ch"),
				orgID: "org1",
				name:  "neworg",
			},
			res: res{},
		},
		{
			name: "change org name verified, with primary",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							org.NewOrgAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org"),
						),
					),
					expectFilter(
						eventFromEventPusher(
							org.NewOrgAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org"),
						),
						eventFromEventPusher(
							org.NewDomainAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org.zitadel.ch"),
						),
						eventFromEventPusher(
							org.NewDomainVerifiedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org.zitadel.ch"),
						),
						eventFromEventPusher(
							org.NewDomainPrimarySetEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org.zitadel.ch"),
						),
					),
					expectPush(
						org.NewOrgChangedEvent(context.Background(),
							&org.NewAggregate("org1").Aggregate, "org", "neworg",
						),
						org.NewDomainAddedEvent(context.Background(),
							&org.NewAggregate("org1").Aggregate, "neworg.zitadel.ch",
						),
						org.NewDomainVerifiedEvent(context.Background(),
							&org.NewAggregate("org1").Aggregate, "neworg.zitadel.ch",
						),
						org.NewDomainPrimarySetEvent(context.Background(),
							&org.NewAggregate("org1").Aggregate, "neworg.zitadel.ch",
						),
						org.NewDomainRemovedEvent(context.Background(),
							&org.NewAggregate("org1").Aggregate, "org.zitadel.ch", true,
						),
					),
				),
			},
			args: args{
				ctx:   http_util.WithRequestedHost(context.Background(), "zitadel.ch"),
				orgID: "org1",
				name:  "neworg",
			},
			res: res{},
		},
		{
			name: "change org name case verified, with primary",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							org.NewOrgAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org"),
						),
					),
					expectFilter(
						eventFromEventPusher(
							org.NewOrgAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org"),
						),
						eventFromEventPusher(
							org.NewDomainAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org.zitadel.ch"),
						),
						eventFromEventPusher(
							org.NewDomainVerifiedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org.zitadel.ch"),
						),
						eventFromEventPusher(
							org.NewDomainPrimarySetEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org.zitadel.ch"),
						),
					),
					expectPush(
						org.NewOrgChangedEvent(context.Background(),
							&org.NewAggregate("org1").Aggregate, "org", "ORG",
						),
					),
				),
			},
			args: args{
				ctx:   http_util.WithRequestedHost(context.Background(), "zitadel.ch"),
				orgID: "org1",
				name:  "ORG",
			},
			res: res{},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			r := &Commands{
				eventstore: tt.fields.eventstore(t),
			}
			_, err := r.ChangeOrg(tt.args.ctx, tt.args.orgID, tt.args.name)
			if tt.res.err == nil {
				assert.NoError(t, err)
			}
			if tt.res.err != nil && !tt.res.err(err) {
				t.Errorf("got wrong err: %v ", err)
			}
		})
	}
}

func TestCommandSide_DeactivateOrg(t *testing.T) {
	type fields struct {
		eventstore  func(t *testing.T) *eventstore.Eventstore
		idGenerator id.Generator
		iamDomain   string
	}
	type args struct {
		ctx   context.Context
		orgID string
	}
	type res struct {
		want *domain.Org
		err  func(error) bool
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		res    res
	}{
		{
			name: "org not found, error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(),
				),
			},
			args: args{
				ctx:   context.Background(),
				orgID: "org1",
			},
			res: res{
				err: zerrors.IsNotFound,
			},
		},
		{
			name: "org already inactive, error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							org.NewOrgAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org"),
						),
						eventFromEventPusher(
							org.NewOrgDeactivatedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate),
						),
					),
				),
			},
			args: args{
				ctx:   context.Background(),
				orgID: "org1",
			},
			res: res{
				err: zerrors.IsPreconditionFailed,
			},
		},
		{
			name: "push failed, error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							org.NewOrgAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org"),
						),
					),
					expectPushFailed(
						zerrors.ThrowInternal(nil, "id", "message"),
						org.NewOrgDeactivatedEvent(context.Background(),
							&org.NewAggregate("org1").Aggregate,
						),
					),
				),
			},
			args: args{
				ctx:   context.Background(),
				orgID: "org1",
			},
			res: res{
				err: zerrors.IsInternal,
			},
		},
		{
			name: "deactivate org",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							org.NewOrgAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org"),
						),
					),
					expectPush(
						org.NewOrgDeactivatedEvent(context.Background(),
							&org.NewAggregate("org1").Aggregate,
						),
					),
				),
			},
			args: args{
				ctx:   context.Background(),
				orgID: "org1",
			},
			res: res{},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			r := &Commands{
				eventstore:  tt.fields.eventstore(t),
				idGenerator: tt.fields.idGenerator,
			}
			_, err := r.DeactivateOrg(tt.args.ctx, tt.args.orgID)
			if tt.res.err == nil {
				assert.NoError(t, err)
			}
			if tt.res.err != nil && !tt.res.err(err) {
				t.Errorf("got wrong err: %v ", err)
			}
		})
	}
}

func TestCommandSide_ReactivateOrg(t *testing.T) {
	type fields struct {
		eventstore  func(t *testing.T) *eventstore.Eventstore
		idGenerator id.Generator
		iamDomain   string
	}
	type args struct {
		ctx   context.Context
		orgID string
	}
	type res struct {
		want *domain.Org
		err  func(error) bool
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		res    res
	}{
		{
			name: "org not found, error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(),
				),
			},
			args: args{
				ctx:   context.Background(),
				orgID: "org1",
			},
			res: res{
				err: zerrors.IsNotFound,
			},
		},
		{
			name: "org already active, error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							org.NewOrgAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org"),
						),
					),
				),
			},
			args: args{
				ctx:   context.Background(),
				orgID: "org1",
			},
			res: res{
				err: zerrors.IsPreconditionFailed,
			},
		},
		{
			name: "push failed, error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							org.NewOrgAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org"),
						),
						eventFromEventPusher(
							org.NewOrgDeactivatedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
							),
						),
					),
					expectPushFailed(
						zerrors.ThrowInternal(nil, "id", "message"),
						org.NewOrgReactivatedEvent(context.Background(),
							&org.NewAggregate("org1").Aggregate,
						),
					),
				),
			},
			args: args{
				ctx:   context.Background(),
				orgID: "org1",
			},
			res: res{
				err: zerrors.IsInternal,
			},
		},
		{
			name: "reactivate org",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							org.NewOrgAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org"),
						),
						eventFromEventPusher(
							org.NewOrgDeactivatedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate),
						),
					),
					expectPush(
						org.NewOrgReactivatedEvent(context.Background(),
							&org.NewAggregate("org1").Aggregate,
						),
					),
				),
			},
			args: args{
				ctx:   context.Background(),
				orgID: "org1",
			},
			res: res{},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			r := &Commands{
				eventstore:  tt.fields.eventstore(t),
				idGenerator: tt.fields.idGenerator,
			}
			_, err := r.ReactivateOrg(tt.args.ctx, tt.args.orgID)
			if tt.res.err == nil {
				assert.NoError(t, err)
			}
			if tt.res.err != nil && !tt.res.err(err) {
				t.Errorf("got wrong err: %v ", err)
			}
		})
	}
}

func TestCommandSide_RemoveOrg(t *testing.T) {
	type fields struct {
		eventstore  func(t *testing.T) *eventstore.Eventstore
		idGenerator id.Generator
	}
	type args struct {
		ctx   context.Context
		orgID string
	}
	type res struct {
		err func(error) bool
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		res    res
	}{
		{
			name: "default org, error",
			fields: fields{
				eventstore: expectEventstore(),
			},
			args: args{
				ctx:   authz.WithInstance(context.Background(), &mockInstance{}),
				orgID: "defaultOrgID",
			},
			res: res{
				err: zerrors.IsPreconditionFailed,
			},
		},
		{
			name: "zitadel org, error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							project.NewProjectAddedEvent(context.Background(),
								&project.NewAggregate("projectID", "org1").Aggregate,
								"ZITADEL",
								false,
								false,
								false,
								domain.PrivateLabelingSettingUnspecified,
							),
						)),
				),
			},
			args: args{
				ctx:   context.Background(),
				orgID: "org1",
			},
			res: res{
				err: zerrors.IsPreconditionFailed,
			},
		},
		{
			name: "org not found, error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(), // zitadel project check
					expectFilter(),
				),
			},
			args: args{
				ctx:   context.Background(),
				orgID: "org1",
			},
			res: res{
				err: zerrors.IsNotFound,
			},
		},
		{
			name: "push failed, error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(), // zitadel project check
					expectFilter(
						eventFromEventPusher(
							org.NewOrgAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org"),
						),
					),
					expectFilter(
						eventFromEventPusher(
							org.NewDomainPolicyAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								true,
								true,
								true,
							),
						),
					),
					expectFilter(),
					expectFilter(),
					expectFilter(),
					expectFilter(),
					expectPushFailed(
						zerrors.ThrowInternal(nil, "id", "message"),
						org.NewOrgRemovedEvent(
							context.Background(), &org.NewAggregate("org1").Aggregate, "org", []string{}, false, []string{}, []*domain.UserIDPLink{}, []string{},
						),
					),
				),
			},
			args: args{
				ctx:   context.Background(),
				orgID: "org1",
			},
			res: res{
				err: zerrors.IsInternal,
			},
		},
		{
			name: "remove org",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(), // zitadel project check
					expectFilter(
						eventFromEventPusher(
							org.NewOrgAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org"),
						),
					),
					expectFilter(
						eventFromEventPusher(
							org.NewDomainPolicyAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								true,
								true,
								true,
							),
						),
					),
					expectFilter(),
					expectFilter(),
					expectFilter(),
					expectFilter(),
					expectPush(
						org.NewOrgRemovedEvent(
							context.Background(), &org.NewAggregate("org1").Aggregate, "org", []string{}, false, []string{}, []*domain.UserIDPLink{}, []string{},
						),
					),
				),
			},
			args: args{
				ctx:   context.Background(),
				orgID: "org1",
			},
			res: res{},
		},
		{
			name: "remove org with usernames and domains",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(), // zitadel project check
					expectFilter(
						eventFromEventPusher(
							org.NewOrgAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								"org"),
						),
					),

					expectFilter(
						eventFromEventPusher(
							org.NewDomainPolicyAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								false,
								true,
								true,
							),
						),
					),
					expectFilter(
						eventFromEventPusher(
							user.NewHumanAddedEvent(context.Background(),
								&user.NewAggregate("user1", "org1").Aggregate,
								"user1",
								"firstname1",
								"lastname1",
								"nickname1",
								"displayname1",
								language.English,
								domain.GenderMale,
								"email1",
								false,
							),
						), eventFromEventPusher(
							user.NewMachineAddedEvent(context.Background(),
								&user.NewAggregate("user2", "org1").Aggregate,
								"user2",
								"name",
								"description",
								false,
								domain.OIDCTokenTypeBearer,
							),
						),
					),
					expectFilter(
						eventFromEventPusher(
							org.NewDomainVerifiedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, "domain1"),
						),
						eventFromEventPusher(
							org.NewDomainVerifiedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, "domain2"),
						),
					),
					expectFilter(
						eventFromEventPusher(
							user.NewUserIDPLinkAddedEvent(context.Background(), &user.NewAggregate("user1", "org1").Aggregate, "config1", "display1", "id1"),
						),
						eventFromEventPusher(
							user.NewUserIDPLinkAddedEvent(context.Background(), &user.NewAggregate("user2", "org1").Aggregate, "config2", "display2", "id2"),
						),
					),
					expectFilter(
						eventFromEventPusher(
							project.NewSAMLConfigAddedEvent(context.Background(), &project.NewAggregate("project1", "org1").Aggregate, "app1", "entity1", []byte{}, "", domain.LoginVersionUnspecified, ""),
						),
						eventFromEventPusher(
							project.NewSAMLConfigAddedEvent(context.Background(), &project.NewAggregate("project2", "org1").Aggregate, "app2", "entity2", []byte{}, "", domain.LoginVersionUnspecified, ""),
						),
					),
					expectPush(
						org.NewOrgRemovedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, "org",
							[]string{"user1", "user2"},
							false,
							[]string{"domain1", "domain2"},
							[]*domain.UserIDPLink{{IDPConfigID: "config1", ExternalUserID: "id1", DisplayName: "display1"}, {IDPConfigID: "config2", ExternalUserID: "id2", DisplayName: "display2"}},
							[]string{"entity1", "entity2"},
						),
					),
				),
			},
			args: args{
				ctx:   context.Background(),
				orgID: "org1",
			},
			res: res{},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			r := &Commands{
				eventstore:  tt.fields.eventstore(t),
				idGenerator: tt.fields.idGenerator,
			}
			_, err := r.RemoveOrg(tt.args.ctx, tt.args.orgID)
			if tt.res.err == nil {
				assert.NoError(t, err)
			}
			if tt.res.err != nil && !tt.res.err(err) {
				t.Errorf("got wrong err: %v ", err)
			}
		})
	}
}

func TestCommandSide_SetUpOrg(t *testing.T) {
	type fields struct {
		eventstore   func(t *testing.T) *eventstore.Eventstore
		idGenerator  id.Generator
		newCode      encrypedCodeFunc
		keyAlgorithm crypto.EncryptionAlgorithm
	}
	type args struct {
		ctx              context.Context
		setupOrg         *OrgSetup
		allowInitialMail bool
		userIDs          []string
	}
	type res struct {
		createdOrg *CreatedOrg
		err        error
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		res    res
	}{
		{
			name: "org name empty, error",
			fields: fields{
				eventstore:  expectEventstore(),
				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "orgID"),
			},
			args: args{
				ctx: http_util.WithRequestedHost(context.Background(), "iam-domain"),
				setupOrg: &OrgSetup{
					Name: "",
				},
			},
			res: res{
				err: zerrors.ThrowInvalidArgument(nil, "ORG-mruNY", "Errors.Invalid.Argument"),
			},
		},
		{
			name: "org id empty, error",
			fields: fields{
				eventstore: expectEventstore(),
			},
			args: args{
				ctx: http_util.WithRequestedHost(context.Background(), "iam-domain"),
				setupOrg: &OrgSetup{
					Name:  "Org",
					OrgID: " ",
				},
			},
			res: res{
				err: zerrors.ThrowInvalidArgument(nil, "ORG-4ABd3", "Errors.Invalid.Argument"),
			},
		},
		{
			name: "userID not existing, error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(),
				),
				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "orgID"),
			},
			args: args{
				ctx: http_util.WithRequestedHost(context.Background(), "iam-domain"),
				setupOrg: &OrgSetup{
					Name: "Org",
					Admins: []*OrgSetupAdmin{
						{
							ID: "userID",
						},
					},
				},
			},
			res: res{
				err: zerrors.ThrowPreconditionFailed(nil, "ORG-GoXOn", "Errors.User.NotFound"),
			},
		},
		{
			name: "human invalid, error",
			fields: fields{
				eventstore:  expectEventstore(),
				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "orgID", "userID"),
			},
			args: args{
				ctx: http_util.WithRequestedHost(context.Background(), "iam-domain"),
				setupOrg: &OrgSetup{
					Name: "Org",
					Admins: []*OrgSetupAdmin{
						{
							Human: &AddHuman{
								Username:  "",
								FirstName: "firstname",
								LastName:  "lastname",
								Email: Email{
									Address:  "email@test.ch",
									Verified: true,
								},
								PreferredLanguage: language.English,
							},
						},
					},
				},
				allowInitialMail: true,
			},
			res: res{
				err: zerrors.ThrowInvalidArgument(nil, "V2-zzad3", "Errors.Invalid.Argument"),
			},
		},
		{
			name: "human added with initial mail",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(), // add human exists check
					expectFilter(
						eventFromEventPusher(
							org.NewDomainPolicyAddedEvent(context.Background(),
								&user.NewAggregate("userID", "orgID").Aggregate,
								true,
								true,
								true,
							),
						),
					),
					expectFilter(), // org member check
					expectFilter(
						eventFromEventPusher(
							user.NewHumanAddedEvent(context.Background(),
								&user.NewAggregate("user1", "orgID").Aggregate,
								"username",
								"firstname",
								"lastname",
								"",
								"firstname lastname",
								language.English,
								domain.GenderUnspecified,
								"email@test.ch",
								true,
							),
						),
					),
					expectPush(
						eventFromEventPusher(org.NewOrgAddedEvent(context.Background(),
							&org.NewAggregate("orgID").Aggregate,
							"Org",
						)),
						eventFromEventPusher(org.NewDomainAddedEvent(context.Background(),
							&org.NewAggregate("orgID").Aggregate, "org.iam-domain",
						)),
						eventFromEventPusher(org.NewDomainVerifiedEvent(context.Background(),
							&org.NewAggregate("orgID").Aggregate,
							"org.iam-domain",
						)),
						eventFromEventPusher(org.NewDomainPrimarySetEvent(context.Background(),
							&org.NewAggregate("orgID").Aggregate,
							"org.iam-domain",
						)),
						eventFromEventPusher(
							user.NewHumanAddedEvent(context.Background(),
								&user.NewAggregate("userID", "orgID").Aggregate,
								"username",
								"firstname",
								"lastname",
								"",
								"firstname lastname",
								language.English,
								domain.GenderUnspecified,
								"email@test.ch",
								true,
							),
						),
						eventFromEventPusher(
							user.NewHumanEmailVerifiedEvent(context.Background(),
								&user.NewAggregate("userID", "orgID").Aggregate,
							),
						),
						eventFromEventPusher(
							user.NewHumanInitialCodeAddedEvent(
								http_util.WithRequestedHost(context.Background(), "iam-domain"),
								&user.NewAggregate("userID", "orgID").Aggregate,
								&crypto.CryptoValue{
									CryptoType: crypto.TypeEncryption,
									Algorithm:  "enc",
									KeyID:      "id",
									Crypted:    []byte("userinit"),
								},
								1*time.Hour,
								"",
							),
						),
						eventFromEventPusher(org.NewMemberAddedEvent(context.Background(),
							&org.NewAggregate("orgID").Aggregate,
							"userID",
							domain.RoleOrgOwner,
						)),
					),
				),
				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "orgID", "userID"),
				newCode:     mockEncryptedCode("userinit", time.Hour),
			},
			args: args{
				ctx: http_util.WithRequestedHost(context.Background(), "iam-domain"),
				setupOrg: &OrgSetup{
					Name: "Org",
					Admins: []*OrgSetupAdmin{
						{
							Human: &AddHuman{
								Username:  "username",
								FirstName: "firstname",
								LastName:  "lastname",
								Email: Email{
									Address:  "email@test.ch",
									Verified: true,
								},
								PreferredLanguage: language.English,
							},
						},
					},
				},
				allowInitialMail: true,
			},
			res: res{
				createdOrg: &CreatedOrg{
					ObjectDetails: &domain.ObjectDetails{
						ResourceOwner: "orgID",
					},
					OrgAdmins: []OrgAdmin{
						&CreatedOrgAdmin{
							ID: "userID",
						},
					},
				},
			},
		},
		{
			name: "no human added, custom org ID",
			fields: fields{
				eventstore: expectEventstore(
					expectPush(
						eventFromEventPusher(org.NewOrgAddedEvent(context.Background(),
							&org.NewAggregate("custom-org-ID").Aggregate,
							"Org",
						)),
						eventFromEventPusher(org.NewDomainAddedEvent(context.Background(),
							&org.NewAggregate("custom-org-ID").Aggregate, "org.iam-domain",
						)),
						eventFromEventPusher(org.NewDomainVerifiedEvent(context.Background(),
							&org.NewAggregate("custom-org-ID").Aggregate,
							"org.iam-domain",
						)),
						eventFromEventPusher(org.NewDomainPrimarySetEvent(context.Background(),
							&org.NewAggregate("custom-org-ID").Aggregate,
							"org.iam-domain",
						)),
					),
				),
			},
			args: args{
				ctx: http_util.WithRequestedHost(context.Background(), "iam-domain"),
				setupOrg: &OrgSetup{
					Name:  "Org",
					OrgID: "custom-org-ID",
				},
			},
			res: res{
				createdOrg: &CreatedOrg{
					ObjectDetails: &domain.ObjectDetails{
						ResourceOwner: "custom-org-ID",
					},
					OrgAdmins: []OrgAdmin{},
				},
			},
		},
		{
			name: "existing human added",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanAddedEvent(context.Background(),
								&user.NewAggregate("user1", "orgID").Aggregate,
								"username",
								"firstname",
								"lastname",
								"",
								"firstname lastname",
								language.English,
								domain.GenderUnspecified,
								"email@test.ch",
								true,
							),
						),
					),
					expectFilter(), // org member check
					expectPush(
						eventFromEventPusher(org.NewOrgAddedEvent(context.Background(),
							&org.NewAggregate("orgID").Aggregate,
							"Org",
						)),
						eventFromEventPusher(org.NewDomainAddedEvent(context.Background(),
							&org.NewAggregate("orgID").Aggregate, "org.iam-domain",
						)),
						eventFromEventPusher(org.NewDomainVerifiedEvent(context.Background(),
							&org.NewAggregate("orgID").Aggregate,
							"org.iam-domain",
						)),
						eventFromEventPusher(org.NewDomainPrimarySetEvent(context.Background(),
							&org.NewAggregate("orgID").Aggregate,
							"org.iam-domain",
						)),
						eventFromEventPusher(org.NewMemberAddedEvent(context.Background(),
							&org.NewAggregate("orgID").Aggregate,
							"userID",
							domain.RoleOrgOwner,
						)),
					),
				),
				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "orgID"),
			},
			args: args{
				ctx: http_util.WithRequestedHost(context.Background(), "iam-domain"),
				setupOrg: &OrgSetup{
					Name: "Org",
					Admins: []*OrgSetupAdmin{
						{
							ID: "userID",
						},
					},
				},
				allowInitialMail: true,
			},
			res: res{
				createdOrg: &CreatedOrg{
					ObjectDetails: &domain.ObjectDetails{
						ResourceOwner: "orgID",
					},
					OrgAdmins: []OrgAdmin{
						&AssignedOrgAdmin{
							ID: "userID",
						},
					},
				},
			},
		},
		{
			name: "machine added with pat",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(), // add machine exists check
					expectFilter(
						eventFromEventPusher(
							org.NewDomainPolicyAddedEvent(context.Background(),
								&user.NewAggregate("userID", "orgID").Aggregate,
								true,
								true,
								true,
							),
						),
					),
					expectFilter(),
					expectFilter(),
					expectFilter(), // org member check
					expectFilter(
						eventFromEventPusher(
							user.NewHumanAddedEvent(context.Background(),
								&user.NewAggregate("user1", "orgID").Aggregate,
								"username",
								"firstname",
								"lastname",
								"",
								"firstname lastname",
								language.English,
								domain.GenderUnspecified,
								"email@test.ch",
								true,
							),
						),
					),
					expectPush(
						eventFromEventPusher(org.NewOrgAddedEvent(context.Background(),
							&org.NewAggregate("orgID").Aggregate,
							"Org",
						)),
						eventFromEventPusher(org.NewDomainAddedEvent(context.Background(),
							&org.NewAggregate("orgID").Aggregate, "org.iam-domain",
						)),
						eventFromEventPusher(org.NewDomainVerifiedEvent(context.Background(),
							&org.NewAggregate("orgID").Aggregate,
							"org.iam-domain",
						)),
						eventFromEventPusher(org.NewDomainPrimarySetEvent(context.Background(),
							&org.NewAggregate("orgID").Aggregate,
							"org.iam-domain",
						)),
						eventFromEventPusher(
							user.NewMachineAddedEvent(context.Background(),
								&user.NewAggregate("userID", "orgID").Aggregate,
								"username",
								"name",
								"description",
								true,
								domain.OIDCTokenTypeBearer,
							),
						),
						eventFromEventPusher(
							user.NewPersonalAccessTokenAddedEvent(context.Background(),
								&user.NewAggregate("userID", "orgID").Aggregate,
								"tokenID",
								testNow.Add(time.Hour),
								[]string{openid.ScopeOpenID},
							),
						),
						eventFromEventPusher(org.NewMemberAddedEvent(context.Background(),
							&org.NewAggregate("orgID").Aggregate,
							"userID",
							domain.RoleOrgOwner,
						)),
					),
				),
				idGenerator:  id_mock.NewIDGeneratorExpectIDs(t, "orgID", "userID", "tokenID"),
				newCode:      mockEncryptedCode("userinit", time.Hour),
				keyAlgorithm: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
			},
			args: args{
				ctx: http_util.WithRequestedHost(context.Background(), "iam-domain"),
				setupOrg: &OrgSetup{
					Name: "Org",
					Admins: []*OrgSetupAdmin{
						{
							Machine: &AddMachine{
								Machine: &Machine{
									Username:        "username",
									Name:            "name",
									Description:     "description",
									AccessTokenType: domain.OIDCTokenTypeBearer,
								},
								Pat: &AddPat{
									ExpirationDate: testNow.Add(time.Hour),
									Scopes:         []string{openid.ScopeOpenID},
								},
							},
						},
					},
				},
			},
			res: res{
				createdOrg: &CreatedOrg{
					ObjectDetails: &domain.ObjectDetails{
						ResourceOwner: "orgID",
					},
					OrgAdmins: []OrgAdmin{
						&CreatedOrgAdmin{
							ID: "userID",
							PAT: &PersonalAccessToken{
								ObjectRoot: models.ObjectRoot{
									AggregateID:   "userID",
									ResourceOwner: "orgID",
								},
								ExpirationDate:  testNow.Add(time.Hour),
								Scopes:          []string{openid.ScopeOpenID},
								AllowedUserType: domain.UserTypeMachine,
								TokenID:         "tokenID",
								Token:           "dG9rZW5JRDp1c2VySUQ", // token
							},
						},
					},
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			r := &Commands{
				eventstore:       tt.fields.eventstore(t),
				idGenerator:      tt.fields.idGenerator,
				newEncryptedCode: tt.fields.newCode,
				keyAlgorithm:     tt.fields.keyAlgorithm,
				zitadelRoles: []authz.RoleMapping{
					{
						Role: domain.RoleOrgOwner,
					},
				},
			}
			got, err := r.SetUpOrg(tt.args.ctx, tt.args.setupOrg, tt.args.allowInitialMail, tt.args.userIDs...)
			assert.ErrorIs(t, err, tt.res.err)
			assert.Equal(t, tt.res.createdOrg, got)
		})
	}
}