feat: implement user schema management (#7416)

This PR adds the functionality to manage user schemas through the new user schema service.
It includes the possibility to create a basic JSON schema and also provides a way on defining permissions (read, write) for owner and self context with an annotation.

Further annotations for OIDC claims and SAML attribute mappings will follow.

A guide on how to create a schema and assign permissions has been started. It will be extended though out the process of implementing the schema and users based on those.

Note:
This feature is in an early stage and therefore not enabled by default. To test it out, please enable the UserSchema feature flag on your instance / system though the feature service.

internal/repository/feature/feature_v2/eventstore.go

@@ -9,8 +9,10 @@ func init() {
 	eventstore.RegisterFilterEventMapper(AggregateType, SystemLoginDefaultOrgEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 	eventstore.RegisterFilterEventMapper(AggregateType, SystemTriggerIntrospectionProjectionsEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 	eventstore.RegisterFilterEventMapper(AggregateType, SystemLegacyIntrospectionEventType, eventstore.GenericEventMapper[SetEvent[bool]])
+	eventstore.RegisterFilterEventMapper(AggregateType, SystemUserSchemaEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 	eventstore.RegisterFilterEventMapper(AggregateType, InstanceResetEventType, eventstore.GenericEventMapper[ResetEvent])
 	eventstore.RegisterFilterEventMapper(AggregateType, InstanceLoginDefaultOrgEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 	eventstore.RegisterFilterEventMapper(AggregateType, InstanceTriggerIntrospectionProjectionsEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 	eventstore.RegisterFilterEventMapper(AggregateType, InstanceLegacyIntrospectionEventType, eventstore.GenericEventMapper[SetEvent[bool]])
+	eventstore.RegisterFilterEventMapper(AggregateType, InstanceUserSchemaEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 }

internal/repository/feature/feature_v2/feature.go

@@ -15,11 +15,13 @@ var (
 	SystemLoginDefaultOrgEventType                 = setEventTypeFromFeature(feature.LevelSystem, feature.KeyLoginDefaultOrg)
 	SystemTriggerIntrospectionProjectionsEventType = setEventTypeFromFeature(feature.LevelSystem, feature.KeyTriggerIntrospectionProjections)
 	SystemLegacyIntrospectionEventType             = setEventTypeFromFeature(feature.LevelSystem, feature.KeyLegacyIntrospection)
+	SystemUserSchemaEventType                      = setEventTypeFromFeature(feature.LevelSystem, feature.KeyUserSchema)
 
 	InstanceResetEventType                           = resetEventTypeFromFeature(feature.LevelInstance)
 	InstanceLoginDefaultOrgEventType                 = setEventTypeFromFeature(feature.LevelInstance, feature.KeyLoginDefaultOrg)
 	InstanceTriggerIntrospectionProjectionsEventType = setEventTypeFromFeature(feature.LevelInstance, feature.KeyTriggerIntrospectionProjections)
 	InstanceLegacyIntrospectionEventType             = setEventTypeFromFeature(feature.LevelInstance, feature.KeyLegacyIntrospection)
+	InstanceUserSchemaEventType                      = setEventTypeFromFeature(feature.LevelInstance, feature.KeyUserSchema)
 )
 
 const (

internal/repository/user/schema/aggregate.go

@@ -0,0 +1,25 @@
+package schema
+
+import (
+	"github.com/zitadel/zitadel/internal/eventstore"
+)
+
+const (
+	AggregateType    = "user_schema"
+	AggregateVersion = "v1"
+)
+
+type Aggregate struct {
+	eventstore.Aggregate
+}
+
+func NewAggregate(id, resourceOwner string) *Aggregate {
+	return &Aggregate{
+		Aggregate: eventstore.Aggregate{
+			Type:          AggregateType,
+			Version:       AggregateVersion,
+			ID:            id,
+			ResourceOwner: resourceOwner,
+		},
+	}
+}

internal/repository/user/schema/eventstore.go

@@ -0,0 +1,11 @@
+package schema
+
+import "github.com/zitadel/zitadel/internal/eventstore"
+
+func init() {
+	eventstore.RegisterFilterEventMapper(AggregateType, CreatedType, eventstore.GenericEventMapper[CreatedEvent])
+	eventstore.RegisterFilterEventMapper(AggregateType, UpdatedType, eventstore.GenericEventMapper[UpdatedEvent])
+	eventstore.RegisterFilterEventMapper(AggregateType, DeactivatedType, eventstore.GenericEventMapper[DeactivatedEvent])
+	eventstore.RegisterFilterEventMapper(AggregateType, ReactivatedType, eventstore.GenericEventMapper[ReactivatedEvent])
+	eventstore.RegisterFilterEventMapper(AggregateType, DeletedType, eventstore.GenericEventMapper[DeletedEvent])
+}

internal/repository/user/schema/schema.go

@@ -0,0 +1,233 @@
+package schema
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore"
+)
+
+const (
+	eventPrefix     = "user_schema."
+	CreatedType     = eventPrefix + "created"
+	UpdatedType     = eventPrefix + "updated"
+	DeactivatedType = eventPrefix + "deactivated"
+	ReactivatedType = eventPrefix + "reactivated"
+	DeletedType     = eventPrefix + "deleted"
+
+	uniqueSchemaType = "user_schema_type"
+)
+
+func NewAddSchemaTypeUniqueConstraint(schemaType string) *eventstore.UniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		uniqueSchemaType,
+		schemaType,
+		"Errors.UserSchema.Type.AlreadyExists")
+}
+
+func NewRemoveSchemaTypeUniqueConstraint(schemaType string) *eventstore.UniqueConstraint {
+	return eventstore.NewRemoveUniqueConstraint(
+		uniqueSchemaType,
+		schemaType,
+	)
+}
+
+type CreatedEvent struct {
+	*eventstore.BaseEvent `json:"-"`
+
+	SchemaType             string                     `json:"schemaType"`
+	Schema                 json.RawMessage            `json:"schema,omitempty"`
+	PossibleAuthenticators []domain.AuthenticatorType `json:"possibleAuthenticators,omitempty"`
+}
+
+func (e *CreatedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = event
+}
+
+func (e *CreatedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *CreatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return []*eventstore.UniqueConstraint{NewAddSchemaTypeUniqueConstraint(e.SchemaType)}
+}
+
+func NewCreatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+
+	schemaType string,
+	schema json.RawMessage,
+	possibleAuthenticators []domain.AuthenticatorType,
+) *CreatedEvent {
+	return &CreatedEvent{
+		BaseEvent: eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			CreatedType,
+		),
+		SchemaType:             schemaType,
+		Schema:                 schema,
+		PossibleAuthenticators: possibleAuthenticators,
+	}
+}
+
+type UpdatedEvent struct {
+	*eventstore.BaseEvent `json:"-"`
+
+	SchemaType             *string                    `json:"schemaType,omitempty"`
+	Schema                 json.RawMessage            `json:"schema,omitempty"`
+	PossibleAuthenticators []domain.AuthenticatorType `json:"possibleAuthenticators,omitempty"`
+	oldSchemaType          string
+}
+
+func (e *UpdatedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = event
+}
+
+func (e *UpdatedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *UpdatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	if e.oldSchemaType == "" {
+		return nil
+	}
+	return []*eventstore.UniqueConstraint{
+		NewRemoveSchemaTypeUniqueConstraint(e.oldSchemaType),
+		NewAddSchemaTypeUniqueConstraint(*e.SchemaType),
+	}
+}
+
+func NewUpdatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []Changes,
+) *UpdatedEvent {
+	updatedEvent := &UpdatedEvent{
+		BaseEvent: eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UpdatedType,
+		),
+	}
+	for _, change := range changes {
+		change(updatedEvent)
+	}
+	return updatedEvent
+}
+
+type Changes func(event *UpdatedEvent)
+
+func ChangeSchemaType(oldSchemaType, schemaType string) func(event *UpdatedEvent) {
+	return func(e *UpdatedEvent) {
+		e.SchemaType = &schemaType
+		e.oldSchemaType = oldSchemaType
+	}
+}
+
+func ChangeSchema(schema json.RawMessage) func(event *UpdatedEvent) {
+	return func(e *UpdatedEvent) {
+		e.Schema = schema
+	}
+}
+
+func ChangePossibleAuthenticators(possibleAuthenticators []domain.AuthenticatorType) func(event *UpdatedEvent) {
+	return func(e *UpdatedEvent) {
+		e.PossibleAuthenticators = possibleAuthenticators
+	}
+}
+
+type DeactivatedEvent struct {
+	*eventstore.BaseEvent `json:"-"`
+}
+
+func (e *DeactivatedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = event
+}
+
+func (e *DeactivatedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *DeactivatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func NewDeactivatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *DeactivatedEvent {
+	return &DeactivatedEvent{
+		BaseEvent: eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			DeactivatedType,
+		),
+	}
+}
+
+type ReactivatedEvent struct {
+	*eventstore.BaseEvent `json:"-"`
+}
+
+func (e *ReactivatedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = event
+}
+
+func (e *ReactivatedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *ReactivatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func NewReactivatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *ReactivatedEvent {
+	return &ReactivatedEvent{
+		BaseEvent: eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ReactivatedType,
+		),
+	}
+}
+
+type DeletedEvent struct {
+	*eventstore.BaseEvent `json:"-"`
+
+	schemaType string
+}
+
+func (e *DeletedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = event
+}
+
+func (e *DeletedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *DeletedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return []*eventstore.UniqueConstraint{
+		NewRemoveSchemaTypeUniqueConstraint(e.schemaType),
+	}
+}
+
+func NewDeletedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	schemaType string,
+) *DeletedEvent {
+	return &DeletedEvent{
+		BaseEvent: eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			DeletedType,
+		),
+		schemaType: schemaType,
+	}
+}