zitadel/internal/command/user_human_otp_test.go

package command

import (
	"context"
	"io"
	"net"
	"testing"
	"time"

	"github.com/pquerna/otp/totp"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	"go.uber.org/mock/gomock"
	"golang.org/x/text/language"

	"github.com/zitadel/zitadel/internal/api/authz"
	http_util "github.com/zitadel/zitadel/internal/api/http"
	"github.com/zitadel/zitadel/internal/crypto"
	"github.com/zitadel/zitadel/internal/domain"
	"github.com/zitadel/zitadel/internal/eventstore"
	"github.com/zitadel/zitadel/internal/repository/instance"
	"github.com/zitadel/zitadel/internal/repository/org"
	"github.com/zitadel/zitadel/internal/repository/user"
	"github.com/zitadel/zitadel/internal/zerrors"
)

func TestCommandSide_AddHumanTOTP(t *testing.T) {
	type fields struct {
		eventstore      func(t *testing.T) *eventstore.Eventstore
		permissionCheck domain.PermissionCheck
	}
	type (
		args struct {
			ctx    context.Context
			orgID  string
			userID string
		}
	)
	type res struct {
		want *domain.ObjectDetails
		err  func(error) bool
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		res    res
	}{
		{
			name: "userid missing, invalid argument error",
			fields: fields{
				eventstore: expectEventstore(),
			},
			args: args{
				ctx:    authz.NewMockContext("instanceID", "org1", "user1"),
				orgID:  "org1",
				userID: "",
			},
			res: res{
				err: zerrors.IsErrorInvalidArgument,
			},
		},
		{
			name: "user not existing, not found error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(),
				),
			},
			args: args{
				ctx:    authz.NewMockContext("instanceID", "org1", "user1"),
				orgID:  "org1",
				userID: "user1",
			},
			res: res{
				err: zerrors.IsPreconditionFailed,
			},
		},
		{
			name: "other user, no permission error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						user.NewHumanAddedEvent(context.Background(),
							&user.NewAggregate("user2", "org1").Aggregate,
							"username",
							"firstname",
							"lastname",
							"nickname",
							"displayname",
							language.German,
							domain.GenderUnspecified,
							"email@test.ch",
							true,
						),
					),
				),
				permissionCheck: newMockPermissionCheckNotAllowed(),
			},
			args: args{
				ctx:    authz.NewMockContext("instanceID", "org1", "user1"),
				orgID:  "org1",
				userID: "user2",
			},
			res: res{
				err: zerrors.IsPermissionDenied,
			},
		},
		{
			name: "org not existing, not found error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						user.NewHumanAddedEvent(context.Background(),
							&user.NewAggregate("user1", "org1").Aggregate,
							"username",
							"firstname",
							"lastname",
							"nickname",
							"displayname",
							language.German,
							domain.GenderUnspecified,
							"email@test.ch",
							true,
						),
					),
					expectFilter(),
				),
			},
			args: args{
				ctx:    authz.NewMockContext("instanceID", "org1", "user1"),
				orgID:  "org1",
				userID: "user1",
			},
			res: res{
				err: zerrors.IsPreconditionFailed,
			},
		},
		{
			name: "org iam policy not existing, not found error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						user.NewHumanAddedEvent(context.Background(),
							&user.NewAggregate("user1", "org1").Aggregate,
							"username",
							"firstname",
							"lastname",
							"nickname",
							"displayname",
							language.German,
							domain.GenderUnspecified,
							"email@test.ch",
							true,
						),
					),
					expectFilter(
						org.NewOrgAddedEvent(context.Background(),
							&user.NewAggregate("org1", "org1").Aggregate,
							"org",
						),
					),
					expectFilter(),
					expectFilter(),
				),
			},
			args: args{
				ctx:    authz.NewMockContext("instanceID", "org1", "user1"),
				orgID:  "org1",
				userID: "user1",
			},
			res: res{
				err: zerrors.IsPreconditionFailed,
			},
		},
		{
			name: "otp already exists, already exists error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						user.NewHumanAddedEvent(context.Background(),
							&user.NewAggregate("user1", "org1").Aggregate,
							"username",
							"firstname",
							"lastname",
							"nickname",
							"displayname",
							language.German,
							domain.GenderUnspecified,
							"email@test.ch",
							true,
						),
					),
					expectFilter(
						org.NewOrgAddedEvent(context.Background(),
							&user.NewAggregate("org1", "org1").Aggregate,
							"org",
						),
					),
					expectFilter(
						org.NewDomainPolicyAddedEvent(context.Background(),
							&org.NewAggregate("org1").Aggregate,
							true,
							true,
							true,
						),
					),
					expectFilter(
						user.NewHumanOTPAddedEvent(context.Background(),
							&user.NewAggregate("user1", "org1").Aggregate,
							&crypto.CryptoValue{
								CryptoType: crypto.TypeEncryption,
								Algorithm:  "enc",
								KeyID:      "id",
								Crypted:    []byte("a"),
							},
						),
						user.NewHumanOTPVerifiedEvent(context.Background(),
							&user.NewAggregate("user1", "org1").Aggregate,
							"agent1",
						),
					),
				),
			},
			args: args{
				ctx:    authz.NewMockContext("instanceID", "org1", "user1"),
				orgID:  "org1",
				userID: "user1",
			},
			res: res{
				err: zerrors.IsErrorAlreadyExists,
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			r := &Commands{
				eventstore:      tt.fields.eventstore(t),
				checkPermission: tt.fields.permissionCheck,
			}
			got, err := r.AddHumanTOTP(tt.args.ctx, tt.args.userID, tt.args.orgID)
			if tt.res.err == nil {
				assert.NoError(t, err)
			}
			if tt.res.err != nil && !tt.res.err(err) {
				t.Errorf("got wrong err: %v ", err)
			}
			if tt.res.err == nil {
				assert.Equal(t, tt.res.want, got)
			}
		})
	}
}

func TestCommands_createHumanTOTP(t *testing.T) {
	type fields struct {
		eventstore      func(t *testing.T) *eventstore.Eventstore
		checkPermission domain.PermissionCheck
	}
	type args struct {
		ctx           context.Context
		userID        string
		resourceOwner string
	}
	tests := []struct {
		name    string
		fields  fields
		args    args
		want    bool
		wantErr error
	}{
		{
			name: "user not existing, not found error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(),
				),
			},
			args: args{
				ctx:           authz.NewMockContext("instanceID", "org1", "user1"),
				resourceOwner: "org1",
				userID:        "user1",
			},
			wantErr: zerrors.ThrowPreconditionFailed(nil, "COMMAND-SqyJz", "Errors.User.NotFound"),
		},
		{
			name: "other user, no permission error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanAddedEvent(context.Background(),
								&user.NewAggregate("user2", "org1").Aggregate,
								"username",
								"firstname",
								"lastname",
								"nickname",
								"displayname",
								language.German,
								domain.GenderUnspecified,
								"email@test.ch",
								true,
							),
						),
					),
				),
				checkPermission: newMockPermissionCheckNotAllowed(),
			},
			args: args{
				ctx:           authz.NewMockContext("instanceID", "org1", "user1"),
				resourceOwner: "org1",
				userID:        "user2",
			},
			wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
		},
		{
			name: "org not existing, not found error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanAddedEvent(context.Background(),
								&user.NewAggregate("user1", "org1").Aggregate,
								"username",
								"firstname",
								"lastname",
								"nickname",
								"displayname",
								language.German,
								domain.GenderUnspecified,
								"email@test.ch",
								true,
							),
						),
					),
					expectFilter(),
				),
			},
			args: args{
				ctx:           authz.NewMockContext("instanceID", "org1", "user1"),
				resourceOwner: "org1",
				userID:        "user1",
			},
			wantErr: zerrors.ThrowPreconditionFailed(nil, "COMMAND-55M9f", "Errors.Org.NotFound"),
		},
		{
			name: "org iam policy not existing, not found error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanAddedEvent(context.Background(),
								&user.NewAggregate("user1", "org1").Aggregate,
								"username",
								"firstname",
								"lastname",
								"nickname",
								"displayname",
								language.German,
								domain.GenderUnspecified,
								"email@test.ch",
								true,
							),
						),
					),
					expectFilter(
						eventFromEventPusher(
							org.NewOrgAddedEvent(context.Background(),
								&user.NewAggregate("org1", "org1").Aggregate,
								"org",
							),
						),
					),
					expectFilter(),
					expectFilter(),
				),
			},
			args: args{
				ctx:           authz.NewMockContext("instanceID", "org1", "user1"),
				resourceOwner: "org1",
				userID:        "user1",
			},
			wantErr: zerrors.ThrowPreconditionFailed(nil, "COMMAND-8ugTs", "Errors.Org.DomainPolicy.NotFound"),
		},
		{
			name: "otp already exists, already exists error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanAddedEvent(context.Background(),
								&user.NewAggregate("user1", "org1").Aggregate,
								"username",
								"firstname",
								"lastname",
								"nickname",
								"displayname",
								language.German,
								domain.GenderUnspecified,
								"email@test.ch",
								true,
							),
						),
					),
					expectFilter(
						eventFromEventPusher(
							org.NewOrgAddedEvent(context.Background(),
								&user.NewAggregate("org1", "org1").Aggregate,
								"org",
							),
						),
					),
					expectFilter(
						eventFromEventPusher(
							org.NewDomainPolicyAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								true,
								true,
								true,
							),
						),
					),
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPAddedEvent(context.Background(),
								&user.NewAggregate("user1", "org1").Aggregate,
								&crypto.CryptoValue{
									CryptoType: crypto.TypeEncryption,
									Algorithm:  "enc",
									KeyID:      "id",
									Crypted:    []byte("a"),
								}),
						),
						eventFromEventPusher(
							user.NewHumanOTPVerifiedEvent(context.Background(),
								&user.NewAggregate("user1", "org1").Aggregate,
								"agent1")),
					),
				),
			},
			args: args{
				ctx:           authz.NewMockContext("instanceID", "org1", "user1"),
				resourceOwner: "org1",
				userID:        "user1",
			},
			wantErr: zerrors.ThrowAlreadyExists(nil, "COMMAND-do9se", "Errors.User.MFA.OTP.AlreadyReady"),
		},
		{
			name: "issuer not in context",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanAddedEvent(context.Background(),
								&user.NewAggregate("user1", "org1").Aggregate,
								"username",
								"firstname",
								"lastname",
								"nickname",
								"displayname",
								language.German,
								domain.GenderUnspecified,
								"email@test.ch",
								true,
							),
						),
					),
					expectFilter(
						eventFromEventPusher(
							org.NewOrgAddedEvent(context.Background(),
								&user.NewAggregate("org1", "org1").Aggregate,
								"org",
							),
						),
					),
					expectFilter(
						eventFromEventPusher(
							org.NewDomainPolicyAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								true,
								true,
								true,
							),
						),
					),
					expectFilter(),
				),
			},
			args: args{
				ctx:           authz.NewMockContext("instanceID", "org1", "user1"),
				resourceOwner: "org1",
				userID:        "user1",
			},
			wantErr: zerrors.ThrowInternal(nil, "TOTP-ieY3o", "Errors.Internal"),
		},
		{
			name: "success",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanAddedEvent(context.Background(),
								&user.NewAggregate("user1", "org1").Aggregate,
								"username",
								"firstname",
								"lastname",
								"nickname",
								"displayname",
								language.German,
								domain.GenderUnspecified,
								"email@test.ch",
								true,
							),
						),
					),
					expectFilter(
						eventFromEventPusher(
							org.NewOrgAddedEvent(context.Background(),
								&user.NewAggregate("org1", "org1").Aggregate,
								"org",
							),
						),
					),
					expectFilter(
						eventFromEventPusher(
							org.NewDomainPolicyAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								true,
								true,
								true,
							),
						),
					),
					expectFilter(),
				),
			},
			args: args{
				ctx:           http_util.WithRequestedHost(authz.NewMockContext("instanceID", "org1", "user1"), "zitadel.com"),
				resourceOwner: "org1",
				userID:        "user1",
			},
			want: true,
		},
		{
			name: "success, other user",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanAddedEvent(context.Background(),
								&user.NewAggregate("user2", "org1").Aggregate,
								"username",
								"firstname",
								"lastname",
								"nickname",
								"displayname",
								language.German,
								domain.GenderUnspecified,
								"email@test.ch",
								true,
							),
						),
					),
					expectFilter(
						eventFromEventPusher(
							org.NewOrgAddedEvent(context.Background(),
								&user.NewAggregate("org1", "org1").Aggregate,
								"org",
							),
						),
					),
					expectFilter(
						eventFromEventPusher(
							org.NewDomainPolicyAddedEvent(context.Background(),
								&org.NewAggregate("org1").Aggregate,
								true,
								true,
								true,
							),
						),
					),
					expectFilter(),
				),
				checkPermission: newMockPermissionCheckAllowed(),
			},
			args: args{
				ctx:           http_util.WithRequestedHost(authz.NewMockContext("instanceID", "org1", "user1"), "zitadel.com"),
				resourceOwner: "org1",
				userID:        "user2",
			},
			want: true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			c := &Commands{
				eventstore:      tt.fields.eventstore(t),
				checkPermission: tt.fields.checkPermission,
				multifactors: domain.MultifactorConfigs{
					OTP: domain.OTPConfig{
						CryptoMFA: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
					},
				},
			}
			got, err := c.createHumanTOTP(tt.args.ctx, tt.args.userID, tt.args.resourceOwner)
			require.ErrorIs(t, err, tt.wantErr)
			if tt.want {
				require.NotNil(t, got)
				assert.NotNil(t, got.wm)
				assert.NotNil(t, got.userAgg)
				require.NotNil(t, got.key)
				assert.NotEmpty(t, got.key.URL())
				assert.NotEmpty(t, got.key.Secret())
				assert.Len(t, got.cmds, 1)
			}
		})
	}
}

func TestCommands_HumanCheckMFATOTPSetup(t *testing.T) {
	ctx := authz.NewMockContext("", "org1", "user1")

	cryptoAlg := crypto.CreateMockEncryptionAlg(gomock.NewController(t))
	key, err := domain.NewTOTPKey("example.com", "user1")
	require.NoError(t, err)
	secret, err := crypto.Encrypt([]byte(key.Secret()), cryptoAlg)
	require.NoError(t, err)
	userAgg := &user.NewAggregate("user1", "org1").Aggregate
	userAgg2 := &user.NewAggregate("user2", "org1").Aggregate

	code, err := totp.GenerateCode(key.Secret(), time.Now())
	require.NoError(t, err)

	type fields struct {
		eventstore      func(t *testing.T) *eventstore.Eventstore
		checkPermission domain.PermissionCheck
	}
	type args struct {
		userID        string
		code          string
		resourceOwner string
	}
	tests := []struct {
		name    string
		fields  fields
		args    args
		want    bool
		wantErr error
	}{
		{
			name: "missing user id",
			fields: fields{
				eventstore: expectEventstore(),
			},
			args:    args{},
			wantErr: zerrors.ThrowPreconditionFailed(nil, "COMMAND-8N9ds", "Errors.User.UserIDMissing"),
		},
		{
			name: "filter error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilterError(io.ErrClosedPipe),
				),
			},
			args: args{
				userID:        "user1",
				resourceOwner: "org1",
			},
			wantErr: io.ErrClosedPipe,
		},
		{
			name: "other user, no permission error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPAddedEvent(ctx, userAgg2, secret),
						),
					),
				),
				checkPermission: newMockPermissionCheckNotAllowed(),
			},
			args: args{
				resourceOwner: "org1",
				userID:        "user2",
			},
			wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
		},
		{
			name: "otp not existing error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPAddedEvent(ctx, userAgg, secret),
						),
						eventFromEventPusher(
							user.NewHumanOTPRemovedEvent(ctx, userAgg),
						),
					),
				),
			},
			args: args{
				resourceOwner: "org1",
				userID:        "user1",
			},
			wantErr: zerrors.ThrowNotFound(nil, "COMMAND-3Mif9s", "Errors.User.MFA.OTP.NotExisting"),
		},
		{
			name: "otp already ready error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPAddedEvent(ctx, userAgg, secret),
						),
						eventFromEventPusher(
							user.NewHumanOTPVerifiedEvent(context.Background(),
								userAgg,
								"agent1",
							),
						),
					),
				),
			},
			args: args{
				resourceOwner: "org1",
				userID:        "user1",
			},
			wantErr: zerrors.ThrowPreconditionFailed(nil, "COMMAND-qx4ls", "Errors.Users.MFA.OTP.AlreadyReady"),
		},
		{
			name: "wrong code",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPAddedEvent(ctx, userAgg, secret),
						),
					),
				),
			},
			args: args{
				resourceOwner: "org1",
				code:          "wrong",
				userID:        "user1",
			},
			wantErr: zerrors.ThrowInvalidArgument(nil, "EVENT-8isk2", "Errors.User.MFA.OTP.InvalidCode"),
		},
		{
			name: "push error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPAddedEvent(ctx, userAgg, secret),
						),
					),
					expectPushFailed(io.ErrClosedPipe,
						user.NewHumanOTPVerifiedEvent(ctx,
							userAgg,
							"agent1",
						),
					),
				),
			},
			args: args{
				resourceOwner: "org1",
				code:          code,
				userID:        "user1",
			},
			wantErr: io.ErrClosedPipe,
		},
		{
			name: "success",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPAddedEvent(ctx, userAgg, secret),
						),
					),
					expectPush(
						user.NewHumanOTPVerifiedEvent(ctx,
							userAgg,
							"agent1",
						),
					),
				),
			},
			args: args{
				resourceOwner: "org1",
				code:          code,
				userID:        "user1",
			},
		},
		{
			name: "success, other user",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPAddedEvent(ctx, userAgg2, secret),
						),
					),
					expectPush(
						user.NewHumanOTPVerifiedEvent(ctx,
							userAgg2,
							"agent1",
						),
					),
				),
				checkPermission: newMockPermissionCheckAllowed(),
			},
			args: args{
				resourceOwner: "org1",
				code:          code,
				userID:        "user2",
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			c := &Commands{
				eventstore:      tt.fields.eventstore(t),
				checkPermission: tt.fields.checkPermission,
				multifactors: domain.MultifactorConfigs{
					OTP: domain.OTPConfig{
						CryptoMFA: cryptoAlg,
					},
				},
			}
			got, err := c.HumanCheckMFATOTPSetup(ctx, tt.args.userID, tt.args.code, "agent1", tt.args.resourceOwner)
			require.ErrorIs(t, err, tt.wantErr)
			if tt.want {
				require.NotNil(t, got)
				assert.Equal(t, "org1", got.ResourceOwner)
			}
		})
	}
}

func TestCommandSide_RemoveHumanTOTP(t *testing.T) {
	type fields struct {
		eventstore      func(t *testing.T) *eventstore.Eventstore
		checkPermission domain.PermissionCheck
	}
	type (
		args struct {
			ctx    context.Context
			orgID  string
			userID string
		}
	)
	type res struct {
		want *domain.ObjectDetails
		err  func(error) bool
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		res    res
	}{
		{
			name: "userid missing, invalid argument error",
			fields: fields{
				eventstore: expectEventstore(),
			},
			args: args{
				ctx:    context.Background(),
				orgID:  "org1",
				userID: "",
			},
			res: res{
				err: zerrors.IsErrorInvalidArgument,
			},
		},
		{
			name: "otp not existing, not found error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(),
				),
			},
			args: args{
				ctx:    context.Background(),
				orgID:  "org1",
				userID: "user1",
			},
			res: res{
				err: zerrors.IsNotFound,
			},
		},
		{
			name: "otp, no permission error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPAddedEvent(context.Background(),
								&user.NewAggregate("user1", "org1").Aggregate,
								nil,
							),
						),
					),
				),
				checkPermission: newMockPermissionCheckNotAllowed(),
			},
			args: args{
				ctx:    context.Background(),
				orgID:  "org1",
				userID: "user1",
			},
			res: res{
				err: zerrors.IsPermissionDenied,
			},
		},
		{
			name: "otp remove, ok",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPAddedEvent(context.Background(),
								&user.NewAggregate("user1", "org1").Aggregate,
								nil,
							),
						),
					),
					expectPush(
						user.NewHumanOTPRemovedEvent(context.Background(),
							&user.NewAggregate("user1", "org1").Aggregate,
						),
					),
				),
				checkPermission: newMockPermissionCheckAllowed(),
			},
			args: args{
				ctx:    context.Background(),
				orgID:  "org1",
				userID: "user1",
			},
			res: res{
				want: &domain.ObjectDetails{
					ResourceOwner: "org1",
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			r := &Commands{
				eventstore:      tt.fields.eventstore(t),
				checkPermission: tt.fields.checkPermission,
			}
			got, err := r.HumanRemoveTOTP(tt.args.ctx, tt.args.userID, tt.args.orgID)
			if tt.res.err == nil {
				assert.NoError(t, err)
			}
			if tt.res.err != nil && !tt.res.err(err) {
				t.Errorf("got wrong err: %v ", err)
			}
			if tt.res.err == nil {
				assert.Equal(t, tt.res.want, got)
			}
		})
	}
}

func TestCommandSide_AddHumanOTPSMS(t *testing.T) {
	ctx := authz.NewMockContext("inst1", "org1", "user1")
	type fields struct {
		eventstore      func(*testing.T) *eventstore.Eventstore
		checkPermission domain.PermissionCheck
	}
	type (
		args struct {
			ctx           context.Context
			userID        string
			resourceOwner string
		}
	)
	type res struct {
		want *domain.ObjectDetails
		err  error
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		res    res
	}{
		{
			name: "userid missing, invalid argument error",
			fields: fields{
				eventstore: expectEventstore(),
			},
			args: args{
				ctx:           ctx,
				userID:        "",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowInvalidArgument(nil, "COMMAND-QSF2s", "Errors.User.UserIDMissing"),
			},
		},
		{
			name: "wrong user, permission denied error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPSMSAddedEvent(ctx,
								&user.NewAggregate("user2", "org1").Aggregate,
							),
						),
					),
				),
				checkPermission: newMockPermissionCheckNotAllowed(),
			},
			args: args{
				ctx:           ctx,
				userID:        "user2",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
			},
		},
		{
			name: "otp sms already exists, already exists error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPSMSAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
					),
				),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowAlreadyExists(nil, "COMMAND-Ad3g2", "Errors.User.MFA.OTP.AlreadyReady"),
			},
		},
		{
			name: "phone not verified, precondition failed error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(),
				),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-Q54j2", "Errors.User.MFA.OTP.NotReady"),
			},
		},
		{
			name: "phone removed, precondition failed error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanPhoneChangedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
								"+4179654321",
							),
						),
						eventFromEventPusher(
							user.NewHumanPhoneVerifiedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
						eventFromEventPusher(
							user.NewHumanPhoneRemovedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
					),
				),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-Q54j2", "Errors.User.MFA.OTP.NotReady"),
			},
		},
		{
			name: "successful add",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanPhoneChangedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
								"+4179654321",
							),
						),
						eventFromEventPusher(
							user.NewHumanPhoneVerifiedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
					),
					expectPush(
						user.NewHumanOTPSMSAddedEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
						),
					),
				),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				want: &domain.ObjectDetails{
					ResourceOwner: "org1",
				},
			},
		},
		{
			name: "successful add, other user",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanPhoneChangedEvent(ctx,
								&user.NewAggregate("user2", "org1").Aggregate,
								"+4179654321",
							),
						),
						eventFromEventPusher(
							user.NewHumanPhoneVerifiedEvent(ctx,
								&user.NewAggregate("user2", "org1").Aggregate,
							),
						),
					),
					expectPush(
						user.NewHumanOTPSMSAddedEvent(ctx,
							&user.NewAggregate("user2", "org1").Aggregate,
						),
					),
				),
				checkPermission: newMockPermissionCheckAllowed(),
			},
			args: args{
				ctx:           ctx,
				userID:        "user2",
				resourceOwner: "org1",
			},
			res: res{
				want: &domain.ObjectDetails{
					ResourceOwner: "org1",
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			r := &Commands{
				eventstore:      tt.fields.eventstore(t),
				checkPermission: tt.fields.checkPermission,
			}
			got, err := r.AddHumanOTPSMS(tt.args.ctx, tt.args.userID, tt.args.resourceOwner)
			assert.ErrorIs(t, err, tt.res.err)
			assert.Equal(t, tt.res.want, got)
		})
	}
}

func TestCommandSide_AddHumanOTPSMSWithCheckSucceeded(t *testing.T) {
	ctx := authz.NewMockContext("inst1", "org1", "user1")
	type fields struct {
		eventstore func(*testing.T) *eventstore.Eventstore
	}
	type (
		args struct {
			ctx           context.Context
			userID        string
			resourceOwner string
			authRequest   *domain.AuthRequest
		}
	)
	type res struct {
		want *domain.ObjectDetails
		err  error
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		res    res
	}{
		{
			name: "successful add",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanPhoneChangedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
								"+4179654321",
							),
						),
						eventFromEventPusher(
							user.NewHumanPhoneVerifiedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
					),
					expectPush(
						user.NewHumanOTPSMSAddedEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
						),
					),
				),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				want: &domain.ObjectDetails{
					ResourceOwner: "org1",
				},
			},
		},
		{
			name: "successful add with auth request",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanPhoneChangedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
								"+4179654321",
							),
						),
						eventFromEventPusher(
							user.NewHumanPhoneVerifiedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
					),
					expectPush(
						user.NewHumanOTPSMSAddedEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
						),
						user.NewHumanOTPSMSCheckSucceededEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
							&user.AuthRequestInfo{
								ID:          "authRequestID",
								UserAgentID: "userAgentID",
								BrowserInfo: &user.BrowserInfo{
									UserAgent:      "user-agent",
									AcceptLanguage: "en",
									RemoteIP:       net.IP{192, 0, 2, 1},
								},
							},
						),
					),
				),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
				authRequest: &domain.AuthRequest{
					ID:      "authRequestID",
					AgentID: "userAgentID",
					BrowserInfo: &domain.BrowserInfo{
						UserAgent:      "user-agent",
						AcceptLanguage: "en",
						RemoteIP:       net.IP{192, 0, 2, 1},
					},
				},
			},
			res: res{
				want: &domain.ObjectDetails{
					ResourceOwner: "org1",
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			r := &Commands{
				eventstore: tt.fields.eventstore(t),
			}
			got, err := r.AddHumanOTPSMSWithCheckSucceeded(tt.args.ctx, tt.args.userID, tt.args.resourceOwner, tt.args.authRequest)
			assert.ErrorIs(t, err, tt.res.err)
			assert.Equal(t, tt.res.want, got)
		})
	}
}

func TestCommandSide_RemoveHumanOTPSMS(t *testing.T) {
	ctx := authz.NewMockContext("inst1", "org1", "user1")
	type fields struct {
		eventstore      func(*testing.T) *eventstore.Eventstore
		checkPermission domain.PermissionCheck
	}
	type (
		args struct {
			ctx           context.Context
			userID        string
			resourceOwner string
		}
	)
	type res struct {
		want *domain.ObjectDetails
		err  error
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		res    res
	}{
		{
			name: "userid missing, invalid argument error",
			fields: fields{
				eventstore: expectEventstore(),
			},
			args: args{
				ctx:           ctx,
				userID:        "",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowInvalidArgument(nil, "COMMAND-S3br2", "Errors.User.UserIDMissing"),
			},
		},
		{
			name: "other user not permission, permission denied error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(),
				),
				checkPermission: newMockPermissionCheckNotAllowed(),
			},
			args: args{
				ctx:           ctx,
				userID:        "other",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
			},
		},
		{
			name: "otp sms not added, not found error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(),
				),
				checkPermission: newMockPermissionCheckAllowed(),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowNotFound(nil, "COMMAND-Sr3h3", "Errors.User.MFA.OTP.NotExisting"),
			},
		},
		{
			name: "successful remove",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPSMSAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
					),
					expectPush(
						user.NewHumanOTPSMSRemovedEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
						),
					),
				),
				checkPermission: newMockPermissionCheckAllowed(),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				want: &domain.ObjectDetails{
					ResourceOwner: "org1",
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			r := &Commands{
				eventstore:      tt.fields.eventstore(t),
				checkPermission: tt.fields.checkPermission,
			}
			got, err := r.RemoveHumanOTPSMS(tt.args.ctx, tt.args.userID, tt.args.resourceOwner)
			assert.ErrorIs(t, err, tt.res.err)
			assert.Equal(t, tt.res.want, got)
		})
	}
}

func TestCommandSide_HumanSendOTPSMS(t *testing.T) {
	ctx := authz.NewMockContext("inst1", "org1", "user1")
	defaultGenerators := &SecretGenerators{
		OTPSMS: &crypto.GeneratorConfig{
			Length:              8,
			Expiry:              time.Hour,
			IncludeLowerLetters: true,
			IncludeUpperLetters: true,
			IncludeDigits:       true,
			IncludeSymbols:      true,
		},
	}
	type fields struct {
		eventstore              func(*testing.T) *eventstore.Eventstore
		userEncryption          crypto.EncryptionAlgorithm
		defaultSecretGenerators *SecretGenerators
	}
	type (
		args struct {
			ctx           context.Context
			userID        string
			resourceOwner string
			authRequest   *domain.AuthRequest
		}
	)
	type res struct {
		want *domain.ObjectDetails
		err  error
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		res    res
	}{
		{
			name: "userid missing, invalid argument error",
			fields: fields{
				eventstore:              expectEventstore(),
				defaultSecretGenerators: defaultGenerators,
			},
			args: args{
				ctx:           ctx,
				userID:        "",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowInvalidArgument(nil, "COMMAND-S3SF1", "Errors.User.UserIDMissing"),
			},
		},
		{
			name: "otp sms not added, not found error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(),
				),
				defaultSecretGenerators: defaultGenerators,
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-SFD52", "Errors.User.MFA.OTP.NotReady"),
			},
		},
		{
			name: "successful add",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPSMSAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
					),
					expectFilter(
						eventFromEventPusher(
							instance.NewSecretGeneratorAddedEvent(context.Background(),
								&instance.NewAggregate("instanceID").Aggregate,
								domain.SecretGeneratorTypeOTPSMS,
								8,
								time.Hour,
								true,
								true,
								true,
								true,
							)),
					),
					expectPush(
						user.NewHumanOTPSMSCodeAddedEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
							&crypto.CryptoValue{
								CryptoType: crypto.TypeEncryption,
								Algorithm:  "enc",
								KeyID:      "id",
								Crypted:    []byte("12345678"),
							},
							time.Hour,
							nil,
						),
					),
				),
				userEncryption:          crypto.CreateMockEncryptionAlgWithCode(gomock.NewController(t), "12345678"),
				defaultSecretGenerators: defaultGenerators,
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				want: &domain.ObjectDetails{
					ResourceOwner: "org1",
				},
			},
		},
		{
			name: "successful add (without secret config)",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPSMSAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
					),
					expectFilter(),
					expectPush(
						user.NewHumanOTPSMSCodeAddedEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
							&crypto.CryptoValue{
								CryptoType: crypto.TypeEncryption,
								Algorithm:  "enc",
								KeyID:      "id",
								Crypted:    []byte("12345678"),
							},
							time.Hour,
							nil,
						),
					),
				),
				userEncryption:          crypto.CreateMockEncryptionAlgWithCode(gomock.NewController(t), "12345678"),
				defaultSecretGenerators: defaultGenerators,
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				want: &domain.ObjectDetails{
					ResourceOwner: "org1",
				},
			},
		},
		{
			name: "successful add with auth request",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPSMSAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
					),
					expectFilter(
						eventFromEventPusher(
							instance.NewSecretGeneratorAddedEvent(context.Background(),
								&instance.NewAggregate("instanceID").Aggregate,
								domain.SecretGeneratorTypeOTPSMS,
								8,
								time.Hour,
								true,
								true,
								true,
								true,
							)),
					),
					expectPush(
						user.NewHumanOTPSMSCodeAddedEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
							&crypto.CryptoValue{
								CryptoType: crypto.TypeEncryption,
								Algorithm:  "enc",
								KeyID:      "id",
								Crypted:    []byte("12345678"),
							},
							time.Hour,
							&user.AuthRequestInfo{
								ID:          "authRequestID",
								UserAgentID: "userAgentID",
								BrowserInfo: &user.BrowserInfo{
									UserAgent:      "user-agent",
									AcceptLanguage: "en",
									RemoteIP:       net.IP{192, 0, 2, 1},
								},
							},
						),
					),
				),
				userEncryption:          crypto.CreateMockEncryptionAlgWithCode(gomock.NewController(t), "12345678"),
				defaultSecretGenerators: defaultGenerators,
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
				authRequest: &domain.AuthRequest{
					ID:      "authRequestID",
					AgentID: "userAgentID",
					BrowserInfo: &domain.BrowserInfo{
						UserAgent:      "user-agent",
						AcceptLanguage: "en",
						RemoteIP:       net.IP{192, 0, 2, 1},
					},
				},
			},
			res: res{
				want: &domain.ObjectDetails{
					ResourceOwner: "org1",
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			r := &Commands{
				eventstore:              tt.fields.eventstore(t),
				userEncryption:          tt.fields.userEncryption,
				defaultSecretGenerators: tt.fields.defaultSecretGenerators,
			}
			err := r.HumanSendOTPSMS(tt.args.ctx, tt.args.userID, tt.args.resourceOwner, tt.args.authRequest)
			assert.ErrorIs(t, err, tt.res.err)
		})
	}
}

func TestCommandSide_HumanOTPSMSCodeSent(t *testing.T) {
	ctx := authz.NewMockContext("inst1", "org1", "user1")
	type fields struct {
		eventstore func(*testing.T) *eventstore.Eventstore
	}
	type (
		args struct {
			ctx           context.Context
			userID        string
			resourceOwner string
		}
	)
	type res struct {
		want *domain.ObjectDetails
		err  error
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		res    res
	}{
		{
			name: "userid missing, invalid argument error",
			fields: fields{
				eventstore: expectEventstore(),
			},
			args: args{
				ctx:           ctx,
				userID:        "",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowInvalidArgument(nil, "COMMAND-AE2h2", "Errors.User.UserIDMissing"),
			},
		},
		{
			name: "otp sms not added, not found error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(),
				),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-SD3gh", "Errors.User.MFA.OTP.NotReady"),
			},
		},
		{
			name: "successful add",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPSMSAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
					),
					expectPush(
						user.NewHumanOTPSMSCodeSentEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
						),
					),
				),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				want: &domain.ObjectDetails{
					ResourceOwner: "org1",
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			r := &Commands{
				eventstore: tt.fields.eventstore(t),
			}
			err := r.HumanOTPSMSCodeSent(tt.args.ctx, tt.args.userID, tt.args.resourceOwner)
			assert.ErrorIs(t, err, tt.res.err)
		})
	}
}

func TestCommandSide_HumanCheckOTPSMS(t *testing.T) {
	ctx := authz.NewMockContext("inst1", "org1", "user1")
	type fields struct {
		eventstore     func(*testing.T) *eventstore.Eventstore
		userEncryption crypto.EncryptionAlgorithm
	}
	type (
		args struct {
			ctx           context.Context
			userID        string
			code          string
			resourceOwner string
			authRequest   *domain.AuthRequest
		}
	)
	type res struct {
		want *domain.ObjectDetails
		err  error
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		res    res
	}{
		{
			name: "userid missing, invalid argument error",
			fields: fields{
				eventstore: expectEventstore(),
			},
			args: args{
				ctx:           ctx,
				userID:        "",
				code:          "",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowInvalidArgument(nil, "COMMAND-S453v", "Errors.User.UserIDMissing"),
			},
		},
		{
			name: "code missing, invalid argument error",
			fields: fields{
				eventstore: expectEventstore(),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				code:          "",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowInvalidArgument(nil, "COMMAND-SJl2g", "Errors.User.Code.Empty"),
			},
		},
		{
			name: "otp sms not added, precondition failed error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(),
				),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				code:          "code",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-d2r52", "Errors.User.MFA.OTP.NotReady"),
			},
		},
		{
			name: "otp sms code not added, precondition failed error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPSMSAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
					),
				),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				code:          "code",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-S34gh", "Errors.User.Code.NotFound"),
			},
		},
		{
			name: "invalid code, error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPSMSAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
						eventFromEventPusherWithCreationDateNow(
							user.NewHumanOTPSMSCodeAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
								&crypto.CryptoValue{
									CryptoType: crypto.TypeEncryption,
									Algorithm:  "enc",
									KeyID:      "id",
									Crypted:    []byte("other-code"),
								},
								time.Hour,
								&user.AuthRequestInfo{
									ID:          "authRequestID",
									UserAgentID: "userAgentID",
									BrowserInfo: &user.BrowserInfo{
										UserAgent:      "user-agent",
										AcceptLanguage: "en",
										RemoteIP:       net.IP{192, 0, 2, 1},
									},
								},
							),
						),
					),
					expectFilter(), // recheck
					expectFilter(
						eventFromEventPusher(
							org.NewLockoutPolicyAddedEvent(ctx,
								&org.NewAggregate("orgID").Aggregate,
								3, 3, true,
							),
						),
					),
					expectPush(
						user.NewHumanOTPSMSCheckFailedEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
							&user.AuthRequestInfo{
								ID:          "authRequestID",
								UserAgentID: "userAgentID",
								BrowserInfo: &user.BrowserInfo{
									UserAgent:      "user-agent",
									AcceptLanguage: "en",
									RemoteIP:       net.IP{192, 0, 2, 1},
								},
							},
						),
					),
				),
				userEncryption: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				code:          "code",
				resourceOwner: "org1",
				authRequest: &domain.AuthRequest{
					ID:      "authRequestID",
					AgentID: "userAgentID",
					BrowserInfo: &domain.BrowserInfo{
						UserAgent:      "user-agent",
						AcceptLanguage: "en",
						RemoteIP:       net.IP{192, 0, 2, 1},
					},
				},
			},
			res: res{
				err: zerrors.ThrowInvalidArgument(nil, "CODE-woT0xc", "Errors.User.Code.Invalid"),
			},
		},
		{
			name: "invalid code, max attempts reached, error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPSMSAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
						eventFromEventPusherWithCreationDateNow(
							user.NewHumanOTPSMSCodeAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
								&crypto.CryptoValue{
									CryptoType: crypto.TypeEncryption,
									Algorithm:  "enc",
									KeyID:      "id",
									Crypted:    []byte("other-code"),
								},
								time.Hour,
								&user.AuthRequestInfo{
									ID:          "authRequestID",
									UserAgentID: "userAgentID",
									BrowserInfo: &user.BrowserInfo{
										UserAgent:      "user-agent",
										AcceptLanguage: "en",
										RemoteIP:       net.IP{192, 0, 2, 1},
									},
								},
							),
						),
					),
					expectFilter(), // recheck
					expectFilter(
						eventFromEventPusher(
							org.NewLockoutPolicyAddedEvent(ctx,
								&org.NewAggregate("orgID").Aggregate,
								1, 1, true,
							),
						),
					),
					expectPush(
						user.NewHumanOTPSMSCheckFailedEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
							&user.AuthRequestInfo{
								ID:          "authRequestID",
								UserAgentID: "userAgentID",
								BrowserInfo: &user.BrowserInfo{
									UserAgent:      "user-agent",
									AcceptLanguage: "en",
									RemoteIP:       net.IP{192, 0, 2, 1},
								},
							},
						),
						user.NewUserLockedEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
						),
					),
				),
				userEncryption: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				code:          "code",
				resourceOwner: "org1",
				authRequest: &domain.AuthRequest{
					ID:      "authRequestID",
					AgentID: "userAgentID",
					BrowserInfo: &domain.BrowserInfo{
						UserAgent:      "user-agent",
						AcceptLanguage: "en",
						RemoteIP:       net.IP{192, 0, 2, 1},
					},
				},
			},
			res: res{
				err: zerrors.ThrowInvalidArgument(nil, "CODE-woT0xc", "Errors.User.Code.Invalid"),
			},
		},
		{
			name: "code ok",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPSMSAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
						eventFromEventPusherWithCreationDateNow(
							user.NewHumanOTPSMSCodeAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
								&crypto.CryptoValue{
									CryptoType: crypto.TypeEncryption,
									Algorithm:  "enc",
									KeyID:      "id",
									Crypted:    []byte("code"),
								},
								time.Hour,
								&user.AuthRequestInfo{
									ID:          "authRequestID",
									UserAgentID: "userAgentID",
									BrowserInfo: &user.BrowserInfo{
										UserAgent:      "user-agent",
										AcceptLanguage: "en",
										RemoteIP:       net.IP{192, 0, 2, 1},
									},
								},
							),
						),
					),
					expectFilter(), // recheck
					expectPush(
						user.NewHumanOTPSMSCheckSucceededEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
							&user.AuthRequestInfo{
								ID:          "authRequestID",
								UserAgentID: "userAgentID",
								BrowserInfo: &user.BrowserInfo{
									UserAgent:      "user-agent",
									AcceptLanguage: "en",
									RemoteIP:       net.IP{192, 0, 2, 1},
								},
							},
						),
					),
				),
				userEncryption: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				code:          "code",
				resourceOwner: "org1",
				authRequest: &domain.AuthRequest{
					ID:      "authRequestID",
					AgentID: "userAgentID",
					BrowserInfo: &domain.BrowserInfo{
						UserAgent:      "user-agent",
						AcceptLanguage: "en",
						RemoteIP:       net.IP{192, 0, 2, 1},
					},
				},
			},
			res: res{
				want: &domain.ObjectDetails{
					ResourceOwner: "org1",
				},
			},
		},
		{
			name: "code ok, locked in the meantime",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPSMSAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
						eventFromEventPusherWithCreationDateNow(
							user.NewHumanOTPSMSCodeAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
								&crypto.CryptoValue{
									CryptoType: crypto.TypeEncryption,
									Algorithm:  "enc",
									KeyID:      "id",
									Crypted:    []byte("code"),
								},
								time.Hour,
								&user.AuthRequestInfo{
									ID:          "authRequestID",
									UserAgentID: "userAgentID",
									BrowserInfo: &user.BrowserInfo{
										UserAgent:      "user-agent",
										AcceptLanguage: "en",
										RemoteIP:       net.IP{192, 0, 2, 1},
									},
								},
							),
						),
					),
					expectFilter( // recheck
						user.NewUserLockedEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
						),
					),
				),
				userEncryption: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				code:          "code",
				resourceOwner: "org1",
				authRequest: &domain.AuthRequest{
					ID:      "authRequestID",
					AgentID: "userAgentID",
					BrowserInfo: &domain.BrowserInfo{
						UserAgent:      "user-agent",
						AcceptLanguage: "en",
						RemoteIP:       net.IP{192, 0, 2, 1},
					},
				},
			},
			res: res{
				err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-S6h4R", "Errors.User.Locked"),
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			r := &Commands{
				eventstore:     tt.fields.eventstore(t),
				userEncryption: tt.fields.userEncryption,
			}
			err := r.HumanCheckOTPSMS(tt.args.ctx, tt.args.userID, tt.args.code, tt.args.resourceOwner, tt.args.authRequest)
			assert.ErrorIs(t, err, tt.res.err)
		})
	}
}

func TestCommandSide_AddHumanOTPEmail(t *testing.T) {
	ctx := authz.NewMockContext("inst1", "org1", "user1")
	type fields struct {
		eventstore      func(*testing.T) *eventstore.Eventstore
		checkPermission domain.PermissionCheck
	}
	type (
		args struct {
			ctx           context.Context
			userID        string
			resourceOwner string
		}
	)
	type res struct {
		want *domain.ObjectDetails
		err  error
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		res    res
	}{
		{
			name: "userid missing, invalid argument error",
			fields: fields{
				eventstore: expectEventstore(),
			},
			args: args{
				ctx:           ctx,
				userID:        "",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowInvalidArgument(nil, "COMMAND-Sg1hz", "Errors.User.UserIDMissing"),
			},
		},
		{
			name: "wrong user, permission denied error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPEmailAddedEvent(ctx,
								&user.NewAggregate("user2", "org1").Aggregate,
							),
						),
					),
				),
				checkPermission: newMockPermissionCheckNotAllowed(),
			},
			args: args{
				ctx:           ctx,
				userID:        "user2",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
			},
		},
		{
			name: "otp email already exists, already exists error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPEmailAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
					),
				),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowAlreadyExists(nil, "COMMAND-MKL2s", "Errors.User.MFA.OTP.AlreadyReady"),
			},
		},
		{
			name: "email not verified, precondition failed error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(),
				),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-KLJ2d", "Errors.User.MFA.OTP.NotReady"),
			},
		},
		{
			name: "successful add",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanEmailChangedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
								"email@test.ch",
							),
						),
						eventFromEventPusher(
							user.NewHumanEmailVerifiedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
					),
					expectPush(
						user.NewHumanOTPEmailAddedEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
						),
					),
				),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				want: &domain.ObjectDetails{
					ResourceOwner: "org1",
				},
			},
		},
		{
			name: "successful add, other user",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanEmailChangedEvent(ctx,
								&user.NewAggregate("user2", "org1").Aggregate,
								"email@test.ch",
							),
						),
						eventFromEventPusher(
							user.NewHumanEmailVerifiedEvent(ctx,
								&user.NewAggregate("user2", "org1").Aggregate,
							),
						),
					),
					expectPush(
						user.NewHumanOTPEmailAddedEvent(ctx,
							&user.NewAggregate("user2", "org1").Aggregate,
						),
					),
				),
				checkPermission: newMockPermissionCheckAllowed(),
			},
			args: args{
				ctx:           ctx,
				userID:        "user2",
				resourceOwner: "org1",
			},
			res: res{
				want: &domain.ObjectDetails{
					ResourceOwner: "org1",
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			r := &Commands{
				eventstore:      tt.fields.eventstore(t),
				checkPermission: tt.fields.checkPermission,
			}
			got, err := r.AddHumanOTPEmail(tt.args.ctx, tt.args.userID, tt.args.resourceOwner)
			assert.ErrorIs(t, err, tt.res.err)
			assert.Equal(t, tt.res.want, got)
		})
	}
}

func TestCommandSide_AddHumanOTPEmailWithCheckSucceeded(t *testing.T) {
	ctx := authz.NewMockContext("inst1", "org1", "user1")
	type fields struct {
		eventstore func(*testing.T) *eventstore.Eventstore
	}
	type (
		args struct {
			ctx           context.Context
			userID        string
			resourceOwner string
			authRequest   *domain.AuthRequest
		}
	)
	type res struct {
		want *domain.ObjectDetails
		err  error
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		res    res
	}{
		{
			name: "successful add",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanEmailChangedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
								"email@test.ch",
							),
						),
						eventFromEventPusher(
							user.NewHumanEmailVerifiedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
					),
					expectPush(
						user.NewHumanOTPEmailAddedEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
						),
					),
				),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				want: &domain.ObjectDetails{
					ResourceOwner: "org1",
				},
			},
		},
		{
			name: "successful add with auth request",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanEmailChangedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
								"email@test.ch",
							),
						),
						eventFromEventPusher(
							user.NewHumanEmailVerifiedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
					),
					expectPush(
						user.NewHumanOTPEmailAddedEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
						),
						user.NewHumanOTPEmailCheckSucceededEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
							&user.AuthRequestInfo{
								ID:          "authRequestID",
								UserAgentID: "userAgentID",
								BrowserInfo: &user.BrowserInfo{
									UserAgent:      "user-agent",
									AcceptLanguage: "en",
									RemoteIP:       net.IP{192, 0, 2, 1},
								},
							},
						),
					),
				),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
				authRequest: &domain.AuthRequest{
					ID:      "authRequestID",
					AgentID: "userAgentID",
					BrowserInfo: &domain.BrowserInfo{
						UserAgent:      "user-agent",
						AcceptLanguage: "en",
						RemoteIP:       net.IP{192, 0, 2, 1},
					},
				},
			},
			res: res{
				want: &domain.ObjectDetails{
					ResourceOwner: "org1",
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			r := &Commands{
				eventstore: tt.fields.eventstore(t),
			}
			got, err := r.AddHumanOTPEmailWithCheckSucceeded(tt.args.ctx, tt.args.userID, tt.args.resourceOwner, tt.args.authRequest)
			assert.ErrorIs(t, err, tt.res.err)
			assert.Equal(t, tt.res.want, got)
		})
	}
}

func TestCommandSide_RemoveHumanOTPEmail(t *testing.T) {
	ctx := authz.NewMockContext("inst1", "org1", "user1")
	type fields struct {
		eventstore      func(*testing.T) *eventstore.Eventstore
		checkPermission domain.PermissionCheck
	}
	type (
		args struct {
			ctx           context.Context
			userID        string
			resourceOwner string
		}
	)
	type res struct {
		want *domain.ObjectDetails
		err  error
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		res    res
	}{
		{
			name: "userid missing, invalid argument error",
			fields: fields{
				eventstore: expectEventstore(),
			},
			args: args{
				ctx:           ctx,
				userID:        "",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowInvalidArgument(nil, "COMMAND-S2h11", "Errors.User.UserIDMissing"),
			},
		},
		{
			name: "other user not permission, permission denied error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(),
				),
				checkPermission: newMockPermissionCheckNotAllowed(),
			},
			args: args{
				ctx:           ctx,
				userID:        "other",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
			},
		},
		{
			name: "otp email not added, not found error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(),
				),
				checkPermission: newMockPermissionCheckAllowed(),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowNotFound(nil, "COMMAND-b312D", "Errors.User.MFA.OTP.NotExisting"),
			},
		},
		{
			name: "successful remove",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPEmailAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
					),
					expectPush(
						user.NewHumanOTPEmailRemovedEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
						),
					),
				),
				checkPermission: newMockPermissionCheckAllowed(),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				want: &domain.ObjectDetails{
					ResourceOwner: "org1",
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			r := &Commands{
				eventstore:      tt.fields.eventstore(t),
				checkPermission: tt.fields.checkPermission,
			}
			got, err := r.RemoveHumanOTPEmail(tt.args.ctx, tt.args.userID, tt.args.resourceOwner)
			assert.ErrorIs(t, err, tt.res.err)
			assert.Equal(t, tt.res.want, got)
		})
	}
}

func TestCommandSide_HumanSendOTPEmail(t *testing.T) {
	ctx := authz.NewMockContext("inst1", "org1", "user1")
	defaultGenerators := &SecretGenerators{
		OTPEmail: &crypto.GeneratorConfig{
			Length:              8,
			Expiry:              time.Hour,
			IncludeLowerLetters: true,
			IncludeUpperLetters: true,
			IncludeDigits:       true,
			IncludeSymbols:      true,
		},
	}
	type fields struct {
		eventstore              func(*testing.T) *eventstore.Eventstore
		userEncryption          crypto.EncryptionAlgorithm
		defaultSecretGenerators *SecretGenerators
	}
	type (
		args struct {
			ctx           context.Context
			userID        string
			resourceOwner string
			authRequest   *domain.AuthRequest
		}
	)
	type res struct {
		want *domain.ObjectDetails
		err  error
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		res    res
	}{
		{
			name: "userid missing, invalid argument error",
			fields: fields{
				eventstore:              expectEventstore(),
				defaultSecretGenerators: defaultGenerators,
			},
			args: args{
				ctx:           ctx,
				userID:        "",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowInvalidArgument(nil, "COMMAND-S3SF1", "Errors.User.UserIDMissing"),
			},
		},
		{
			name: "otp email not added, not found error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(),
				),
				defaultSecretGenerators: defaultGenerators,
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-SFD52", "Errors.User.MFA.OTP.NotReady"),
			},
		},
		{
			name: "successful add",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPEmailAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
					),
					expectFilter(
						eventFromEventPusher(
							instance.NewSecretGeneratorAddedEvent(context.Background(),
								&instance.NewAggregate("instanceID").Aggregate,
								domain.SecretGeneratorTypeOTPEmail,
								8,
								time.Hour,
								true,
								true,
								true,
								true,
							)),
					),
					expectPush(
						user.NewHumanOTPEmailCodeAddedEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
							&crypto.CryptoValue{
								CryptoType: crypto.TypeEncryption,
								Algorithm:  "enc",
								KeyID:      "id",
								Crypted:    []byte("12345678"),
							},
							time.Hour,
							nil,
						),
					),
				),
				userEncryption:          crypto.CreateMockEncryptionAlgWithCode(gomock.NewController(t), "12345678"),
				defaultSecretGenerators: defaultGenerators,
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				want: &domain.ObjectDetails{
					ResourceOwner: "org1",
				},
			},
		},
		{
			name: "successful add (without secret config)",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPEmailAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
					),
					expectFilter(),
					expectPush(
						user.NewHumanOTPEmailCodeAddedEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
							&crypto.CryptoValue{
								CryptoType: crypto.TypeEncryption,
								Algorithm:  "enc",
								KeyID:      "id",
								Crypted:    []byte("12345678"),
							},
							time.Hour,
							nil,
						),
					),
				),
				userEncryption:          crypto.CreateMockEncryptionAlgWithCode(gomock.NewController(t), "12345678"),
				defaultSecretGenerators: defaultGenerators,
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				want: &domain.ObjectDetails{
					ResourceOwner: "org1",
				},
			},
		},
		{
			name: "successful add with auth request",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPEmailAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
					),
					expectFilter(
						eventFromEventPusher(
							instance.NewSecretGeneratorAddedEvent(context.Background(),
								&instance.NewAggregate("instanceID").Aggregate,
								domain.SecretGeneratorTypeOTPEmail,
								8,
								time.Hour,
								true,
								true,
								true,
								true,
							)),
					),
					expectPush(
						user.NewHumanOTPEmailCodeAddedEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
							&crypto.CryptoValue{
								CryptoType: crypto.TypeEncryption,
								Algorithm:  "enc",
								KeyID:      "id",
								Crypted:    []byte("12345678"),
							},
							time.Hour,
							&user.AuthRequestInfo{
								ID:          "authRequestID",
								UserAgentID: "userAgentID",
								BrowserInfo: &user.BrowserInfo{
									UserAgent:      "user-agent",
									AcceptLanguage: "en",
									RemoteIP:       net.IP{192, 0, 2, 1},
								},
							},
						),
					),
				),
				userEncryption:          crypto.CreateMockEncryptionAlgWithCode(gomock.NewController(t), "12345678"),
				defaultSecretGenerators: defaultGenerators,
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
				authRequest: &domain.AuthRequest{
					ID:      "authRequestID",
					AgentID: "userAgentID",
					BrowserInfo: &domain.BrowserInfo{
						UserAgent:      "user-agent",
						AcceptLanguage: "en",
						RemoteIP:       net.IP{192, 0, 2, 1},
					},
				},
			},
			res: res{
				want: &domain.ObjectDetails{
					ResourceOwner: "org1",
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			r := &Commands{
				eventstore:              tt.fields.eventstore(t),
				userEncryption:          tt.fields.userEncryption,
				defaultSecretGenerators: tt.fields.defaultSecretGenerators,
			}
			err := r.HumanSendOTPEmail(tt.args.ctx, tt.args.userID, tt.args.resourceOwner, tt.args.authRequest)
			assert.ErrorIs(t, err, tt.res.err)
		})
	}
}

func TestCommandSide_HumanOTPEmailCodeSent(t *testing.T) {
	ctx := authz.NewMockContext("inst1", "org1", "user1")
	type fields struct {
		eventstore func(*testing.T) *eventstore.Eventstore
	}
	type (
		args struct {
			ctx           context.Context
			userID        string
			resourceOwner string
		}
	)
	type res struct {
		want *domain.ObjectDetails
		err  error
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		res    res
	}{
		{
			name: "userid missing, invalid argument error",
			fields: fields{
				eventstore: expectEventstore(),
			},
			args: args{
				ctx:           ctx,
				userID:        "",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowInvalidArgument(nil, "COMMAND-AE2h2", "Errors.User.UserIDMissing"),
			},
		},
		{
			name: "otp email not added, not found error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(),
				),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-SD3gh", "Errors.User.MFA.OTP.NotReady"),
			},
		},
		{
			name: "successful add",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPEmailAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
					),
					expectPush(
						user.NewHumanOTPEmailCodeSentEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
						),
					),
				),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				resourceOwner: "org1",
			},
			res: res{
				want: &domain.ObjectDetails{
					ResourceOwner: "org1",
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			r := &Commands{
				eventstore: tt.fields.eventstore(t),
			}
			err := r.HumanOTPEmailCodeSent(tt.args.ctx, tt.args.userID, tt.args.resourceOwner)
			assert.ErrorIs(t, err, tt.res.err)
		})
	}
}

func TestCommandSide_HumanCheckOTPEmail(t *testing.T) {
	ctx := authz.NewMockContext("inst1", "org1", "user1")
	type fields struct {
		eventstore     func(*testing.T) *eventstore.Eventstore
		userEncryption crypto.EncryptionAlgorithm
	}
	type (
		args struct {
			ctx           context.Context
			userID        string
			code          string
			resourceOwner string
			authRequest   *domain.AuthRequest
		}
	)
	type res struct {
		want *domain.ObjectDetails
		err  error
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		res    res
	}{
		{
			name: "userid missing, invalid argument error",
			fields: fields{
				eventstore: expectEventstore(),
			},
			args: args{
				ctx:           ctx,
				userID:        "",
				code:          "",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowInvalidArgument(nil, "COMMAND-S453v", "Errors.User.UserIDMissing"),
			},
		},
		{
			name: "code missing, invalid argument error",
			fields: fields{
				eventstore: expectEventstore(),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				code:          "",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowInvalidArgument(nil, "COMMAND-SJl2g", "Errors.User.Code.Empty"),
			},
		},
		{
			name: "otp email not added, precondition failed error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(),
				),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				code:          "code",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-d2r52", "Errors.User.MFA.OTP.NotReady"),
			},
		},
		{
			name: "otp email code not added, precondition failed error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPEmailAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
					),
				),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				code:          "code",
				resourceOwner: "org1",
			},
			res: res{
				err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-S34gh", "Errors.User.Code.NotFound"),
			},
		},
		{
			name: "invalid code, error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPEmailAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
						eventFromEventPusherWithCreationDateNow(
							user.NewHumanOTPEmailCodeAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
								&crypto.CryptoValue{
									CryptoType: crypto.TypeEncryption,
									Algorithm:  "enc",
									KeyID:      "id",
									Crypted:    []byte("other-code"),
								},
								time.Hour,
								&user.AuthRequestInfo{
									ID:          "authRequestID",
									UserAgentID: "userAgentID",
									BrowserInfo: &user.BrowserInfo{
										UserAgent:      "user-agent",
										AcceptLanguage: "en",
										RemoteIP:       net.IP{192, 0, 2, 1},
									},
								},
							),
						),
					),
					expectFilter(), // recheck
					expectFilter(
						eventFromEventPusher(
							org.NewLockoutPolicyAddedEvent(ctx,
								&org.NewAggregate("orgID").Aggregate,
								3, 3, true,
							),
						),
					),
					expectPush(
						user.NewHumanOTPEmailCheckFailedEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
							&user.AuthRequestInfo{
								ID:          "authRequestID",
								UserAgentID: "userAgentID",
								BrowserInfo: &user.BrowserInfo{
									UserAgent:      "user-agent",
									AcceptLanguage: "en",
									RemoteIP:       net.IP{192, 0, 2, 1},
								},
							},
						),
					),
				),
				userEncryption: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				code:          "code",
				resourceOwner: "org1",
				authRequest: &domain.AuthRequest{
					ID:      "authRequestID",
					AgentID: "userAgentID",
					BrowserInfo: &domain.BrowserInfo{
						UserAgent:      "user-agent",
						AcceptLanguage: "en",
						RemoteIP:       net.IP{192, 0, 2, 1},
					},
				},
			},
			res: res{
				err: zerrors.ThrowInvalidArgument(nil, "CODE-woT0xc", "Errors.User.Code.Invalid"),
			},
		},
		{
			name: "invalid code, max attempts reached, error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPEmailAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
						eventFromEventPusherWithCreationDateNow(
							user.NewHumanOTPEmailCodeAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
								&crypto.CryptoValue{
									CryptoType: crypto.TypeEncryption,
									Algorithm:  "enc",
									KeyID:      "id",
									Crypted:    []byte("other-code"),
								},
								time.Hour,
								&user.AuthRequestInfo{
									ID:          "authRequestID",
									UserAgentID: "userAgentID",
									BrowserInfo: &user.BrowserInfo{
										UserAgent:      "user-agent",
										AcceptLanguage: "en",
										RemoteIP:       net.IP{192, 0, 2, 1},
									},
								},
							),
						),
					),
					expectFilter(), // recheck
					expectFilter(
						eventFromEventPusher(
							org.NewLockoutPolicyAddedEvent(ctx,
								&org.NewAggregate("orgID").Aggregate,
								1, 1, true,
							),
						),
					),
					expectPush(
						user.NewHumanOTPEmailCheckFailedEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
							&user.AuthRequestInfo{
								ID:          "authRequestID",
								UserAgentID: "userAgentID",
								BrowserInfo: &user.BrowserInfo{
									UserAgent:      "user-agent",
									AcceptLanguage: "en",
									RemoteIP:       net.IP{192, 0, 2, 1},
								},
							},
						),
						user.NewUserLockedEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
						),
					),
				),
				userEncryption: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				code:          "code",
				resourceOwner: "org1",
				authRequest: &domain.AuthRequest{
					ID:      "authRequestID",
					AgentID: "userAgentID",
					BrowserInfo: &domain.BrowserInfo{
						UserAgent:      "user-agent",
						AcceptLanguage: "en",
						RemoteIP:       net.IP{192, 0, 2, 1},
					},
				},
			},
			res: res{
				err: zerrors.ThrowInvalidArgument(nil, "CODE-woT0xc", "Errors.User.Code.Invalid"),
			},
		},
		{
			name: "code ok",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPEmailAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
						eventFromEventPusherWithCreationDateNow(
							user.NewHumanOTPEmailCodeAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
								&crypto.CryptoValue{
									CryptoType: crypto.TypeEncryption,
									Algorithm:  "enc",
									KeyID:      "id",
									Crypted:    []byte("code"),
								},
								time.Hour,
								&user.AuthRequestInfo{
									ID:          "authRequestID",
									UserAgentID: "userAgentID",
									BrowserInfo: &user.BrowserInfo{
										UserAgent:      "user-agent",
										AcceptLanguage: "en",
										RemoteIP:       net.IP{192, 0, 2, 1},
									},
								},
							),
						),
					),
					expectFilter(), // recheck
					expectPush(
						user.NewHumanOTPEmailCheckSucceededEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
							&user.AuthRequestInfo{
								ID:          "authRequestID",
								UserAgentID: "userAgentID",
								BrowserInfo: &user.BrowserInfo{
									UserAgent:      "user-agent",
									AcceptLanguage: "en",
									RemoteIP:       net.IP{192, 0, 2, 1},
								},
							},
						),
					),
				),
				userEncryption: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				code:          "code",
				resourceOwner: "org1",
				authRequest: &domain.AuthRequest{
					ID:      "authRequestID",
					AgentID: "userAgentID",
					BrowserInfo: &domain.BrowserInfo{
						UserAgent:      "user-agent",
						AcceptLanguage: "en",
						RemoteIP:       net.IP{192, 0, 2, 1},
					},
				},
			},
			res: res{
				want: &domain.ObjectDetails{
					ResourceOwner: "org1",
				},
			},
		},
		{
			name: "code ok, locked in the meantime",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(
						eventFromEventPusher(
							user.NewHumanOTPEmailAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
							),
						),
						eventFromEventPusherWithCreationDateNow(
							user.NewHumanOTPEmailCodeAddedEvent(ctx,
								&user.NewAggregate("user1", "org1").Aggregate,
								&crypto.CryptoValue{
									CryptoType: crypto.TypeEncryption,
									Algorithm:  "enc",
									KeyID:      "id",
									Crypted:    []byte("code"),
								},
								time.Hour,
								&user.AuthRequestInfo{
									ID:          "authRequestID",
									UserAgentID: "userAgentID",
									BrowserInfo: &user.BrowserInfo{
										UserAgent:      "user-agent",
										AcceptLanguage: "en",
										RemoteIP:       net.IP{192, 0, 2, 1},
									},
								},
							),
						),
					),
					expectFilter( // recheck
						user.NewUserLockedEvent(ctx,
							&user.NewAggregate("user1", "org1").Aggregate,
						),
					),
				),
				userEncryption: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
			},
			args: args{
				ctx:           ctx,
				userID:        "user1",
				code:          "code",
				resourceOwner: "org1",
				authRequest: &domain.AuthRequest{
					ID:      "authRequestID",
					AgentID: "userAgentID",
					BrowserInfo: &domain.BrowserInfo{
						UserAgent:      "user-agent",
						AcceptLanguage: "en",
						RemoteIP:       net.IP{192, 0, 2, 1},
					},
				},
			},
			res: res{
				err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-S6h4R", "Errors.User.Locked"),
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			r := &Commands{
				eventstore:     tt.fields.eventstore(t),
				userEncryption: tt.fields.userEncryption,
			}
			err := r.HumanCheckOTPEmail(tt.args.ctx, tt.args.userID, tt.args.code, tt.args.resourceOwner, tt.args.authRequest)
			assert.ErrorIs(t, err, tt.res.err)
		})
	}
}