feat: limit amount of active actions (#3143)

* max actions

* fix: max allowed actions

* fix: max allowed actions

* fix tests

internal/query/projection/feature.go

@@ -5,6 +5,8 @@ import (
 
 	"github.com/caos/logging"
 
+	"github.com/caos/zitadel/internal/domain"
+
 	"github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/eventstore"
 	"github.com/caos/zitadel/internal/eventstore/handler"
@@ -82,7 +84,8 @@ const (
 	FeatureCustomTextMessageCol        = "custom_text_message"
 	FeatureCustomTextLoginCol          = "custom_text_login"
 	FeatureLockoutPolicyCol            = "lockout_policy"
-	FeatureActionsCol                  = "actions"
+	FeatureActionsAllowedCol           = "actions_allowed"
+	FeatureMaxActionsCol               = "max_actions"
 )
 
 func (p *FeatureProjection) reduceFeatureSet(event eventstore.Event) (*handler.Statement, error) {
@@ -173,7 +176,17 @@ func (p *FeatureProjection) reduceFeatureSet(event eventstore.Event) (*handler.S
 		cols = append(cols, handler.NewCol(FeatureLockoutPolicyCol, *featureEvent.LockoutPolicy))
 	}
 	if featureEvent.Actions != nil {
-		cols = append(cols, handler.NewCol(FeatureActionsCol, *featureEvent.Actions))
+		actionsAllowed := domain.ActionsNotAllowed
+		if *featureEvent.Actions {
+			actionsAllowed = domain.ActionsAllowedUnlimited
+		}
+		cols = append(cols, handler.NewCol(FeatureActionsAllowedCol, actionsAllowed))
+	}
+	if featureEvent.ActionsAllowed != nil {
+		cols = append(cols, handler.NewCol(FeatureActionsAllowedCol, *featureEvent.ActionsAllowed))
+	}
+	if featureEvent.MaxActions != nil {
+		cols = append(cols, handler.NewCol(FeatureMaxActionsCol, *featureEvent.MaxActions))
 	}
 	return crdb.NewUpsertStatement(
 		&featureEvent,

internal/query/projection/feature_test.go

@@ -50,7 +50,8 @@ func TestFeatureProjection_reduces(t *testing.T) {
 						"customTextMessage": true,
 						"customTextLogin": true,
 						"lockoutPolicy": true,
-						"actions": true
+						"actionsAllowed": 1,
+						"maxActions": 10
 					}`),
 				), org.FeaturesSetEventMapper),
 			},
@@ -63,7 +64,7 @@ func TestFeatureProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPSERT INTO zitadel.projections.features (aggregate_id, change_date, sequence, is_default, tier_name, tier_description, state, state_description, audit_log_retention, login_policy_factors, login_policy_idp, login_policy_passwordless, login_policy_registration, login_policy_username_login, login_policy_password_reset, password_complexity_policy, label_policy_private_label, label_policy_watermark, custom_domain, privacy_policy, metadata_user, custom_text_message, custom_text_login, lockout_policy, actions) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20, $21, $22, $23, $24, $25)",
+							expectedStmt: "UPSERT INTO zitadel.projections.features (aggregate_id, change_date, sequence, is_default, tier_name, tier_description, state, state_description, audit_log_retention, login_policy_factors, login_policy_idp, login_policy_passwordless, login_policy_registration, login_policy_username_login, login_policy_password_reset, password_complexity_policy, label_policy_private_label, label_policy_watermark, custom_domain, privacy_policy, metadata_user, custom_text_message, custom_text_login, lockout_policy, actions_allowed, max_actions) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20, $21, $22, $23, $24, $25, $26)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								anyArg{},
@@ -89,7 +90,8 @@ func TestFeatureProjection_reduces(t *testing.T) {
 								true,
 								true,
 								true,
-								true,
+								domain.ActionsMaxAllowed,
+								10,
 							},
 						},
 					},
@@ -136,7 +138,7 @@ func TestFeatureProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPSERT INTO zitadel.projections.features (aggregate_id, change_date, sequence, is_default, tier_name, tier_description, state, state_description, audit_log_retention, login_policy_factors, login_policy_idp, login_policy_passwordless, login_policy_registration, login_policy_username_login, login_policy_password_reset, password_complexity_policy, label_policy_private_label, label_policy_watermark, custom_domain, privacy_policy, metadata_user, custom_text_message, custom_text_login, lockout_policy, actions) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20, $21, $22, $23, $24, $25)",
+							expectedStmt: "UPSERT INTO zitadel.projections.features (aggregate_id, change_date, sequence, is_default, tier_name, tier_description, state, state_description, audit_log_retention, login_policy_factors, login_policy_idp, login_policy_passwordless, login_policy_registration, login_policy_username_login, login_policy_password_reset, password_complexity_policy, label_policy_private_label, label_policy_watermark, custom_domain, privacy_policy, metadata_user, custom_text_message, custom_text_login, lockout_policy, actions_allowed) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20, $21, $22, $23, $24, $25)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								anyArg{},
@@ -162,7 +164,7 @@ func TestFeatureProjection_reduces(t *testing.T) {
 								true,
 								true,
 								true,
-								true,
+								domain.ActionsAllowedUnlimited,
 							},
 						},
 					},
@@ -266,7 +268,7 @@ func TestFeatureProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPSERT INTO zitadel.projections.features (aggregate_id, change_date, sequence, is_default, tier_name, tier_description, state, state_description, audit_log_retention, login_policy_factors, login_policy_idp, login_policy_passwordless, login_policy_registration, login_policy_username_login, login_policy_password_reset, password_complexity_policy, label_policy_private_label, label_policy_watermark, custom_domain, privacy_policy, metadata_user, custom_text_message, custom_text_login, lockout_policy, actions) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20, $21, $22, $23, $24, $25)",
+							expectedStmt: "UPSERT INTO zitadel.projections.features (aggregate_id, change_date, sequence, is_default, tier_name, tier_description, state, state_description, audit_log_retention, login_policy_factors, login_policy_idp, login_policy_passwordless, login_policy_registration, login_policy_username_login, login_policy_password_reset, password_complexity_policy, label_policy_private_label, label_policy_watermark, custom_domain, privacy_policy, metadata_user, custom_text_message, custom_text_login, lockout_policy, actions_allowed) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20, $21, $22, $23, $24, $25)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								anyArg{},
@@ -292,7 +294,7 @@ func TestFeatureProjection_reduces(t *testing.T) {
 								true,
 								true,
 								true,
-								true,
+								domain.ActionsAllowedUnlimited,
 							},
 						},
 					},
@@ -327,7 +329,8 @@ func TestFeatureProjection_reduces(t *testing.T) {
 				"customTextMessage": true,
 				"customTextLogin": true,
 				"lockoutPolicy": true,
-				"actions": true
+				"actionsAllowed": 1,
+				"maxActions": 10
 			}`),
 				), iam.FeaturesSetEventMapper),
 			},
@@ -339,7 +342,7 @@ func TestFeatureProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPSERT INTO zitadel.projections.features (aggregate_id, change_date, sequence, is_default, tier_name, tier_description, state, state_description, audit_log_retention, login_policy_factors, login_policy_idp, login_policy_passwordless, login_policy_registration, login_policy_username_login, login_policy_password_reset, password_complexity_policy, label_policy_private_label, label_policy_watermark, custom_domain, privacy_policy, metadata_user, custom_text_message, custom_text_login, lockout_policy, actions) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20, $21, $22, $23, $24, $25)",
+							expectedStmt: "UPSERT INTO zitadel.projections.features (aggregate_id, change_date, sequence, is_default, tier_name, tier_description, state, state_description, audit_log_retention, login_policy_factors, login_policy_idp, login_policy_passwordless, login_policy_registration, login_policy_username_login, login_policy_password_reset, password_complexity_policy, label_policy_private_label, label_policy_watermark, custom_domain, privacy_policy, metadata_user, custom_text_message, custom_text_login, lockout_policy, actions_allowed, max_actions) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20, $21, $22, $23, $24, $25, $26)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								anyArg{},
@@ -365,7 +368,8 @@ func TestFeatureProjection_reduces(t *testing.T) {
 								true,
 								true,
 								true,
-								true,
+								domain.ActionsMaxAllowed,
+								10,
 							},
 						},
 					},