fix(queries): login policy projection (#2401)

* job queue

* wg improvements

* start handler

* statement

* statements

* imporve handler

* improve statement

* statement in seperate file

* move handlers

* move query/old to query

* handler

* read models

* bulk works

* cleanup

* contrib

* rename readmodel to projection

* rename read_models schema to projections

* rename read_models schema to projections

* search query as func,
bulk iterates as long as new events

* add event sequence less query

* update checks for events between current sequence and sequence of first statement if it has previous sequence 0

* cleanup crdb projection

* refactor projection handler

* start with testing

* tests for handler

* remove todo

* refactor statement: remove table name,
add tests

* improve projection handler shutdown,
no savepoint if noop stmt,
tests for stmt handler

* tests

* start failed events

* seperate branch for contrib

* move statement constructors to crdb pkg

* correct import

* Subscribe for eventtypes (#1800)

* fix: is default (#1737)

* fix: use email as username on global org (#1738)

* fix: use email as username on global org

* Update user_human.go

* Update register_handler.go

* chore(deps): update docusaurus (#1739)

* chore: remove PAT and use GH Token (#1716)

* chore: remove PAT and use GH Token

* fix env

* fix env

* fix env

* md lint

* trigger ci

* change user

* fix GH bug

* replace login part

* chore: add GH Token to sem rel (#1746)

* chore: add GH Token to sem rel

* try branch

* add GH Token

* remove test branch again

* docs: changes acme to acme-caos (#1744)

* changes acme to acme-caos

* Apply suggestions from code review

Co-authored-by: Florian Forster <florian@caos.ch>

Co-authored-by: Maximilian Panne <maximilian.panne@gmail.com>
Co-authored-by: Florian Forster <florian@caos.ch>

* feat: add additional origins on applications (#1691)

* feat: add additional origins on applications

* app additional redirects

* chore(deps-dev): bump @angular/cli from 11.2.8 to 11.2.11 in /console (#1706)

* fix: show org with regex (#1688)

* fix: flag mapping (#1699)

* chore(deps-dev): bump @angular/cli from 11.2.8 to 11.2.11 in /console

Bumps [@angular/cli](https://github.com/angular/angular-cli) from 11.2.8 to 11.2.11.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/compare/v11.2.8...v11.2.11)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump stylelint from 13.10.0 to 13.13.1 in /console (#1703)

* fix: show org with regex (#1688)

* fix: flag mapping (#1699)

* chore(deps-dev): bump stylelint from 13.10.0 to 13.13.1 in /console

Bumps [stylelint](https://github.com/stylelint/stylelint) from 13.10.0 to 13.13.1.
- [Release notes](https://github.com/stylelint/stylelint/releases)
- [Changelog](https://github.com/stylelint/stylelint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/stylelint/stylelint/compare/13.10.0...13.13.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @types/node from 14.14.37 to 15.0.1 in /console (#1702)

* fix: show org with regex (#1688)

* fix: flag mapping (#1699)

* chore(deps-dev): bump @types/node from 14.14.37 to 15.0.1 in /console

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 14.14.37 to 15.0.1.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump ts-protoc-gen from 0.14.0 to 0.15.0 in /console (#1701)

* fix: show org with regex (#1688)

* fix: flag mapping (#1699)

* chore(deps): bump ts-protoc-gen from 0.14.0 to 0.15.0 in /console

Bumps [ts-protoc-gen](https://github.com/improbable-eng/ts-protoc-gen) from 0.14.0 to 0.15.0.
- [Release notes](https://github.com/improbable-eng/ts-protoc-gen/releases)
- [Changelog](https://github.com/improbable-eng/ts-protoc-gen/blob/master/CHANGELOG.md)
- [Commits](https://github.com/improbable-eng/ts-protoc-gen/compare/0.14.0...0.15.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @types/jasmine from 3.6.9 to 3.6.10 in /console (#1682)

Bumps [@types/jasmine](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jasmine) from 3.6.9 to 3.6.10.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jasmine)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump @types/google-protobuf in /console (#1681)

Bumps [@types/google-protobuf](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/google-protobuf) from 3.7.4 to 3.15.2.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/google-protobuf)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump grpc from 1.24.5 to 1.24.7 in /console (#1666)

Bumps [grpc](https://github.com/grpc/grpc-node) from 1.24.5 to 1.24.7.
- [Release notes](https://github.com/grpc/grpc-node/releases)
- [Commits](https://github.com/grpc/grpc-node/compare/grpc@1.24.5...grpc@1.24.7)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* lock

* chore(deps-dev): bump @angular/language-service from 11.2.9 to 11.2.12 in /console (#1704)

* fix: show org with regex (#1688)

* fix: flag mapping (#1699)

* chore(deps-dev): bump @angular/language-service in /console

Bumps [@angular/language-service](https://github.com/angular/angular/tree/HEAD/packages/language-service) from 11.2.9 to 11.2.12.
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/master/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/11.2.12/packages/language-service)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* package lock

* downgrade grpc

* downgrade protobuf types

* revert npm packs 🥸

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Silvan <silvan.reusser@gmail.com>

* docs: update run and start section texts (#1745)

* update run and start section texts

* adds showcase

Co-authored-by: Maximilian Panne <maximilian.panne@gmail.com>

* fix: additional origin list (#1753)

* fix: handle api configs in authz handler (#1755)

* fix(console): add model for api keys, fix toast, binding (#1757)

* fix: add model for api keys, fix toast, binding

* show api clientid

* fix: missing patchvalue (#1758)

* feat: refresh token (#1728)

* begin refresh tokens

* refresh tokens

* list and revoke refresh tokens

* handle remove

* tests for refresh tokens

* uniqueness and default expiration

* rename oidc token methods

* cleanup

* migration version

* Update internal/static/i18n/en.yaml

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* fixes

* feat: update oidc pkg for refresh tokens

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* fix: correct json name of clientId in key.json (#1760)

* fix: migration version (#1767)

* start subscription

* eventtypes

* fix(login): links (#1778)

* fix(login): href for help

* fix(login): correct link to tos

* fix: access tokens for service users and refresh token infos (#1779)

* fix: access token for service user

* handle info from refresh request

* uniqueness

* postpone access token uniqueness change

* chore(coc): recommend code of conduct (#1782)

* subscribe for events

* feat(console): refresh toggle out of granttype context (#1785)

* refresh toggle

* disable if not code flow, lint

* lint

* fix: change oidc config order

* accept refresh option within flow

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* fix: refresh token activation (#1795)

* fix: oidc grant type check

* docs: add offline_access scope

* docs: update refresh token status in supported grant types

* fix: update oidc pkg

* fix: check refresh token grant type (#1796)

* configuration structs

* org admins

* failed events

* fixes

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: mffap <mpa@caos.ch>
Co-authored-by: Maximilian Panne <maximilian.panne@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* remove comment

* aggregate reducer

* remove eventtypes

* add protoc-get-validate to mod

* fix transaltion

* upsert

* add gender on org admins,
allow to retry failed stmts after configurable time

* remove if

* sub queries

* fix: tests

* add builder to tests

* new search query

* rename searchquerybuilder to builder

* remove comment from code

* test with multiple queries

* add filters test

* current sequences

* make org and org_admins work again

* add aggregate type to current sequence

* fix(contibute): listing

* add validate module

* fix: search queries

* feat(eventstore): previous aggregate root sequence (#1810)

* feat(eventstore): previous aggregate root sequence

* fix tests

* fix: eventstore v1 test

* add col to all mocked rows

* next try

* fix mig

* rename aggregate root to aggregate type

* update comment

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* small refactorings

* allow update multiple current sequences

* unique log id

* fix migrations

* rename org admin to org owner

* improve error handling and logging

* fix(migration): optimize prev agg root seq

* fix: projection handler test

* fix: sub queries

* small fixes

* additional event types

* correct org owner projection

* fix primary key

* feat(eventstore): jobs for projections (#2026)

* fix: template names in login (#1974)

* fix: template names in login

* fix: error.html

* fix: check for features on mgmt only (#1976)

* fix: add sentry in ui, http and projection handlers (#1977)

* fix: add sentry in ui, http and projection handlers

* fix test

* fix(eventstore): sub queries (#1805)

* sub queries

* fix: tests

* add builder to tests

* new search query

* rename searchquerybuilder to builder

* remove comment from code

* test with multiple queries

* add filters test

* fix(contibute): listing

* add validate module

* fix: search queries

* remove unused event type in query

* ignore query if error in marshal

* go mod tidy

* update privacy policy query

* update queries

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* feat: Extend oidc idp with oauth endpoints (#1980)

* feat: add oauth attributes to oidc idp configuration

* feat: return idpconfig id on create idp

* feat: tests

* feat: descriptions

* feat: docs

* feat: tests

* docs: update to beta 3 (#1984)

* fix: role assertion (#1986)

* fix: enum to display access token role assertion

* improve assertion descriptions

* fix nil pointer

* docs: eventstore (#1982)

* docs: eventstore

* Apply suggestions from code review

Co-authored-by: Florian Forster <florian@caos.ch>

Co-authored-by: Florian Forster <florian@caos.ch>

* fix(sentry): trigger sentry release (#1989)

* feat(send sentry release): send sentry release

* fix(moved step and added releasetag): moved step and added releasetag

* fix: set version for sentry release (#1990)

* feat(send sentry release): send sentry release

* fix(moved step and added releasetag): moved step and added releasetag

* fix(corrected var name): corrected var name

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* fix: log error reason on terminate session (#1973)

* fix: return default language file, if requested lang does not exist for default login texts (#1988)

* fix: return default language file, if requested lang doesnt exists

* feat: read default translation file

* feat: docs

* fix: race condition in auth request unmarshalling (#1993)

* feat: handle ui_locales in login (#1994)

* fix: handle ui_locales in login

* move supportedlanguage func into i18n package

* update oidc pkg

* fix: handle closed channels on unsubscribe (#1995)

* fix: give restore more time (#1997)

* fix: translation file read (#2009)

* feat: translation file read

* feat: readme

* fix: enable idp add button for iam users (#2010)

* fix: filter event_data (#2011)

* feat: Custom message files (#1992)

* feat: add get custom message text to admin api

* feat: read custom message texts from files

* feat: get languages in apis

* feat: get languages in apis

* feat: get languages in apis

* feat: pr feedback

* feat: docs

* feat: merge main

* fix: sms notification (#2013)

* fix: phone verifications

* feat: fix password reset as sms

* fix: phone verification

* fix: grpc status in sentry and validation interceptors (#2012)

* fix: remove oauth endpoints from oidc config proto (#2014)

* try with view

* fix(console): disable sw (#2021)

* fix: disable sw

* angular.json disable sw

* project projections

* fix typos

* customize projections

* customizable projections,
add change date to projects

Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: mffap <mpa@caos.ch>
Co-authored-by: Christian Jakob <47860090+thesephirot@users.noreply.github.com>
Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* env file

* typo

* correct users

* correct migration

* fix: merge fail

* fix test

* fix(tests): unordered matcher

* improve currentSequenceMatcher

* correct certs

* correct certs

* add zitadel database on database list

* refctor switch in match

* enable all handlers

* Delete io.env

* cleanup

* add handlers

* rename view to projection

* rename view to projection

* fix type typo

* remove unnecessary logs

* refactor stmts

* simplify interval calculation

* fix tests

* fix unlock test

* fix migration

* migs

* fix(operator): update cockroach and flyway versions (#2138)

* chore(deps): bump k8s.io/apiextensions-apiserver from 0.19.2 to 0.21.3

Bumps [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver) from 0.19.2 to 0.21.3.
- [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases)
- [Commits](https://github.com/kubernetes/apiextensions-apiserver/compare/v0.19.2...v0.21.3)

---
updated-dependencies:
- dependency-name: k8s.io/apiextensions-apiserver
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump google.golang.org/api from 0.34.0 to 0.52.0

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.34.0 to 0.52.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/master/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.34.0...v0.52.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* start update dependencies

* update mods and otlp

* fix(build): update to go 1.16

* old version for k8s mods

* update k8s versions

* update orbos

* fix(operator): update cockroach and flyway version

* Update images.go

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Stefan Benz <stefan@caos.ch>

* fix import

* fix typo

* fix(migration): add org projection

* fix(projection): correct table for org events in org owners

* better insert stmt

* fix typo

* fix typo

* set max connection lifetime

* set max conns and conn lifetime in eventstore v1

* configure sql connection settings

* add mig for agg type index

* fix replace tab in yaml

* handler interfaces

* subscription

* first try

* handler

* move sql client initialization

* first part implemented

* removed all occurencies of org by id and search orgs

* fix merge issues

* cleanup code

* fix: queries implements orgviewprovider

* cleanup

* refactor text comparison

* remove unused file

* remove unused code

* log

* remove unused code

* remove unused field

* remove unused file

* refactor

* tests for search query

* remove try

* simplify state change mappers

* projection tests

* query functions

* move reusable objects to separate files

* rename domain column to primar_domain

* fix tests

* add current sequence

* remove log prints

* fix tests

* fix: verifier

* fix test

* rename domain col migrations

* simplify search response

* move org domain to query

* cleanup code

* add org id as condition to projection

* begin projection

* add custom column constructors

* start query

* import

* initial implementation of login policy

* remove unused field

* tests

* factors

* simplify reducers

* fix: org projection table const

* fix: full column name

* feat: text query extension

* fix: tests for query

* number query

* add deprection message

* column in a single place (#2416)

* column in a single place

* use projection for columns

* query column with aliases

* rename methods

* remove unused code

* column

* column

* column for current sequences

* latest sequence

* global counter column

* fix is org unique

* remove col

* fix naming

* correct errors

* deprecate duplicated is_default in api's,
error messages,
migrations

* Update internal/query/policy_login.go

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* Update login_policy.go

* fix tests

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: mffap <mpa@caos.ch>
Co-authored-by: Maximilian Panne <maximilian.panne@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Christian Jakob <47860090+thesephirot@users.noreply.github.com>
Co-authored-by: Elio Bischof <eliobischof@gmail.com>
Co-authored-by: Stefan Benz <stefan@caos.ch>
Co-authored-by: fabi <fabienne.gerschwiler@gmail.com>

internal/query/projection/login_policy.go

@@ -0,0 +1,301 @@
+package projection
+
+import (
+	"context"
+
+	"github.com/caos/logging"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/handler"
+	"github.com/caos/zitadel/internal/eventstore/handler/crdb"
+	"github.com/caos/zitadel/internal/repository/iam"
+	"github.com/caos/zitadel/internal/repository/org"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+type LoginPolicyProjection struct {
+	crdb.StatementHandler
+}
+
+const (
+	LoginPolicyTable = "zitadel.projections.login_policies"
+)
+
+func NewLoginPolicyProjection(ctx context.Context, config crdb.StatementHandlerConfig) *LoginPolicyProjection {
+	p := &LoginPolicyProjection{}
+	config.ProjectionName = LoginPolicyTable
+	config.Reducers = p.reducers()
+	p.StatementHandler = crdb.NewStatementHandler(ctx, config)
+	return p
+}
+
+func (p *LoginPolicyProjection) reducers() []handler.AggregateReducer {
+	return []handler.AggregateReducer{
+		{
+			Aggregate: org.AggregateType,
+			EventRedusers: []handler.EventReducer{
+				{
+					Event:  org.LoginPolicyAddedEventType,
+					Reduce: p.reduceLoginPolicyAdded,
+				},
+				{
+					Event:  org.LoginPolicyChangedEventType,
+					Reduce: p.reduceLoginPolicyChanged,
+				},
+				{
+					Event:  org.LoginPolicyMultiFactorAddedEventType,
+					Reduce: p.reduceMFAAdded,
+				},
+				{
+					Event:  org.LoginPolicyMultiFactorRemovedEventType,
+					Reduce: p.reduceMFARemoved,
+				},
+				{
+					Event:  org.LoginPolicyRemovedEventType,
+					Reduce: p.reduceLoginPolicyRemoved,
+				},
+				{
+					Event:  org.LoginPolicySecondFactorAddedEventType,
+					Reduce: p.reduce2FAAdded,
+				},
+				{
+					Event:  org.LoginPolicySecondFactorRemovedEventType,
+					Reduce: p.reduce2FARemoved,
+				},
+			},
+		},
+		{
+			Aggregate: iam.AggregateType,
+			EventRedusers: []handler.EventReducer{
+				{
+					Event:  iam.LoginPolicyAddedEventType,
+					Reduce: p.reduceLoginPolicyAdded,
+				},
+				{
+					Event:  iam.LoginPolicyChangedEventType,
+					Reduce: p.reduceLoginPolicyChanged,
+				},
+				{
+					Event:  iam.LoginPolicyMultiFactorAddedEventType,
+					Reduce: p.reduceMFAAdded,
+				},
+				{
+					Event:  iam.LoginPolicyMultiFactorRemovedEventType,
+					Reduce: p.reduceMFARemoved,
+				},
+				{
+					Event:  iam.LoginPolicySecondFactorAddedEventType,
+					Reduce: p.reduce2FAAdded,
+				},
+				{
+					Event:  iam.LoginPolicySecondFactorRemovedEventType,
+					Reduce: p.reduce2FARemoved,
+				},
+			},
+		},
+	}
+}
+
+const (
+	LoginPolicyIDCol                    = "aggregate_id"
+	LoginPolicyCreationDateCol          = "creation_date"
+	LoginPolicyChangeDateCol            = "change_date"
+	LoginPolicySequenceCol              = "sequence"
+	LoginPolicyAllowRegisterCol         = "allow_register"
+	LoginPolicyAllowUsernamePasswordCol = "allow_username_password"
+	LoginPolicyAllowExternalIDPsCol     = "allow_external_idps"
+	LoginPolicyForceMFACol              = "force_mfa"
+	LoginPolicy2FAsCol                  = "second_factors"
+	LoginPolicyMFAsCol                  = "multi_factors"
+	LoginPolicyPasswordlessTypeCol      = "passwordless_type"
+	LoginPolicyIsDefaultCol             = "is_default"
+	LoginPolicyHidePWResetCol           = "hide_password_reset"
+)
+
+func (p *LoginPolicyProjection) reduceLoginPolicyAdded(event eventstore.EventReader) (*handler.Statement, error) {
+	var policyEvent policy.LoginPolicyAddedEvent
+	var isDefault bool
+	switch e := event.(type) {
+	case *iam.LoginPolicyAddedEvent:
+		policyEvent = e.LoginPolicyAddedEvent
+		isDefault = true
+	case *org.LoginPolicyAddedEvent:
+		policyEvent = e.LoginPolicyAddedEvent
+		isDefault = false
+	default:
+		logging.LogWithFields("HANDL-IW6So", "seq", event.Sequence(), "expectedTypes", []eventstore.EventType{org.LoginPolicyAddedEventType, iam.LoginPolicyAddedEventType}).Error("wrong event type")
+		return nil, errors.ThrowInvalidArgument(nil, "HANDL-pYPxS", "reduce.wrong.event.type")
+	}
+
+	return crdb.NewCreateStatement(&policyEvent, []handler.Column{
+		handler.NewCol(LoginPolicyIDCol, policyEvent.Aggregate().ID),
+		handler.NewCol(LoginPolicyCreationDateCol, policyEvent.CreationDate()),
+		handler.NewCol(LoginPolicyChangeDateCol, policyEvent.CreationDate()),
+		handler.NewCol(LoginPolicySequenceCol, policyEvent.Sequence()),
+		handler.NewCol(LoginPolicyAllowRegisterCol, policyEvent.AllowRegister),
+		handler.NewCol(LoginPolicyAllowUsernamePasswordCol, policyEvent.AllowUserNamePassword),
+		handler.NewCol(LoginPolicyAllowExternalIDPsCol, policyEvent.AllowExternalIDP),
+		handler.NewCol(LoginPolicyForceMFACol, policyEvent.ForceMFA),
+		handler.NewCol(LoginPolicyPasswordlessTypeCol, policyEvent.PasswordlessType),
+		handler.NewCol(LoginPolicyIsDefaultCol, isDefault),
+		handler.NewCol(LoginPolicyHidePWResetCol, policyEvent.HidePasswordReset),
+	}), nil
+}
+
+func (p *LoginPolicyProjection) reduceLoginPolicyChanged(event eventstore.EventReader) (*handler.Statement, error) {
+	var policyEvent policy.LoginPolicyChangedEvent
+	switch e := event.(type) {
+	case *iam.LoginPolicyChangedEvent:
+		policyEvent = e.LoginPolicyChangedEvent
+	case *org.LoginPolicyChangedEvent:
+		policyEvent = e.LoginPolicyChangedEvent
+	default:
+		logging.LogWithFields("HANDL-NIvFo", "seq", event.Sequence(), "expectedTypes", []eventstore.EventType{org.LoginPolicyChangedEventType, iam.LoginPolicyChangedEventType}).Error("wrong event type")
+		return nil, errors.ThrowInvalidArgument(nil, "HANDL-BpaO6", "reduce.wrong.event.type")
+	}
+
+	cols := []handler.Column{
+		handler.NewCol(LoginPolicyChangeDateCol, policyEvent.CreationDate()),
+		handler.NewCol(LoginPolicySequenceCol, policyEvent.Sequence()),
+	}
+	if policyEvent.AllowRegister != nil {
+		cols = append(cols, handler.NewCol(LoginPolicyAllowRegisterCol, *policyEvent.AllowRegister))
+	}
+	if policyEvent.AllowUserNamePassword != nil {
+		cols = append(cols, handler.NewCol(LoginPolicyAllowUsernamePasswordCol, *policyEvent.AllowUserNamePassword))
+	}
+	if policyEvent.AllowExternalIDP != nil {
+		cols = append(cols, handler.NewCol(LoginPolicyAllowExternalIDPsCol, *policyEvent.AllowExternalIDP))
+	}
+	if policyEvent.ForceMFA != nil {
+		cols = append(cols, handler.NewCol(LoginPolicyForceMFACol, *policyEvent.ForceMFA))
+	}
+	if policyEvent.PasswordlessType != nil {
+		cols = append(cols, handler.NewCol(LoginPolicyPasswordlessTypeCol, *policyEvent.PasswordlessType))
+	}
+	if policyEvent.HidePasswordReset != nil {
+		cols = append(cols, handler.NewCol(LoginPolicyHidePWResetCol, *policyEvent.HidePasswordReset))
+	}
+	return crdb.NewUpdateStatement(
+		&policyEvent,
+		cols,
+		[]handler.Condition{
+			handler.NewCond(LoginPolicyIDCol, policyEvent.Aggregate().ID),
+		},
+	), nil
+}
+
+func (p *LoginPolicyProjection) reduceMFAAdded(event eventstore.EventReader) (*handler.Statement, error) {
+	var policyEvent policy.MultiFactorAddedEvent
+	switch e := event.(type) {
+	case *iam.LoginPolicyMultiFactorAddedEvent:
+		policyEvent = e.MultiFactorAddedEvent
+	case *org.LoginPolicyMultiFactorAddedEvent:
+		policyEvent = e.MultiFactorAddedEvent
+	default:
+		logging.LogWithFields("HANDL-fYAHO", "seq", event.Sequence(), "expectedTypes", []eventstore.EventType{org.LoginPolicyMultiFactorAddedEventType, iam.LoginPolicyMultiFactorAddedEventType}).Error("wrong event type")
+		return nil, errors.ThrowInvalidArgument(nil, "HANDL-WMhAV", "reduce.wrong.event.type")
+	}
+
+	return crdb.NewUpdateStatement(
+		&policyEvent,
+		[]handler.Column{
+			handler.NewCol(LoginPolicyChangeDateCol, policyEvent.CreationDate()),
+			handler.NewCol(LoginPolicySequenceCol, policyEvent.Sequence()),
+			crdb.NewArrayAppendCol(LoginPolicyMFAsCol, policyEvent.MFAType),
+		},
+		[]handler.Condition{
+			handler.NewCond(LoginPolicyIDCol, policyEvent.Aggregate().ID),
+		},
+	), nil
+}
+
+func (p *LoginPolicyProjection) reduceMFARemoved(event eventstore.EventReader) (*handler.Statement, error) {
+	var policyEvent policy.MultiFactorRemovedEvent
+	switch e := event.(type) {
+	case *iam.LoginPolicyMultiFactorRemovedEvent:
+		policyEvent = e.MultiFactorRemovedEvent
+	case *org.LoginPolicyMultiFactorRemovedEvent:
+		policyEvent = e.MultiFactorRemovedEvent
+	default:
+		logging.LogWithFields("HANDL-vtC31", "seq", event.Sequence(), "expectedTypes", []eventstore.EventType{org.LoginPolicyMultiFactorRemovedEventType, iam.LoginPolicyMultiFactorRemovedEventType}).Error("wrong event type")
+		return nil, errors.ThrowInvalidArgument(nil, "HANDL-czU7n", "reduce.wrong.event.type")
+	}
+
+	return crdb.NewUpdateStatement(
+		&policyEvent,
+		[]handler.Column{
+			handler.NewCol(LoginPolicyChangeDateCol, policyEvent.CreationDate()),
+			handler.NewCol(LoginPolicySequenceCol, policyEvent.Sequence()),
+			crdb.NewArrayRemoveCol(LoginPolicyMFAsCol, policyEvent.MFAType),
+		},
+		[]handler.Condition{
+			handler.NewCond(LoginPolicyIDCol, policyEvent.Aggregate().ID),
+		},
+	), nil
+}
+
+func (p *LoginPolicyProjection) reduceLoginPolicyRemoved(event eventstore.EventReader) (*handler.Statement, error) {
+	e, ok := event.(*org.LoginPolicyRemovedEvent)
+	if !ok {
+		logging.LogWithFields("HANDL-gF5q6", "seq", event.Sequence(), "expectedType", org.LoginPolicyRemovedEventType).Error("wrong event type")
+		return nil, errors.ThrowInvalidArgument(nil, "HANDL-oRSvD", "reduce.wrong.event.type")
+	}
+	return crdb.NewDeleteStatement(
+		e,
+		[]handler.Condition{
+			handler.NewCond(LoginPolicyIDCol, e.Aggregate().ID),
+		},
+	), nil
+}
+
+func (p *LoginPolicyProjection) reduce2FAAdded(event eventstore.EventReader) (*handler.Statement, error) {
+	var policyEvent policy.SecondFactorAddedEvent
+	switch e := event.(type) {
+	case *iam.LoginPolicySecondFactorAddedEvent:
+		policyEvent = e.SecondFactorAddedEvent
+	case *org.LoginPolicySecondFactorAddedEvent:
+		policyEvent = e.SecondFactorAddedEvent
+	default:
+		logging.LogWithFields("HANDL-dwadQ", "seq", event.Sequence(), "expectedTypes", []eventstore.EventType{org.LoginPolicySecondFactorAddedEventType, iam.LoginPolicySecondFactorAddedEventType}).Error("wrong event type")
+		return nil, errors.ThrowInvalidArgument(nil, "HANDL-agB2E", "reduce.wrong.event.type")
+	}
+
+	return crdb.NewUpdateStatement(
+		&policyEvent,
+		[]handler.Column{
+			handler.NewCol(LoginPolicyChangeDateCol, policyEvent.CreationDate()),
+			handler.NewCol(LoginPolicySequenceCol, policyEvent.Sequence()),
+			crdb.NewArrayAppendCol(LoginPolicy2FAsCol, policyEvent.MFAType),
+		},
+		[]handler.Condition{
+			handler.NewCond(LoginPolicyIDCol, policyEvent.Aggregate().ID),
+		},
+	), nil
+}
+
+func (p *LoginPolicyProjection) reduce2FARemoved(event eventstore.EventReader) (*handler.Statement, error) {
+	var policyEvent policy.SecondFactorRemovedEvent
+	switch e := event.(type) {
+	case *iam.LoginPolicySecondFactorRemovedEvent:
+		policyEvent = e.SecondFactorRemovedEvent
+	case *org.LoginPolicySecondFactorRemovedEvent:
+		policyEvent = e.SecondFactorRemovedEvent
+	default:
+		logging.LogWithFields("HANDL-2IE8Y", "seq", event.Sequence(), "expectedTypes", []eventstore.EventType{org.LoginPolicySecondFactorRemovedEventType, iam.LoginPolicySecondFactorRemovedEventType}).Error("wrong event type")
+		return nil, errors.ThrowInvalidArgument(nil, "HANDL-KYJvA", "reduce.wrong.event.type")
+	}
+
+	return crdb.NewUpdateStatement(
+		&policyEvent,
+		[]handler.Column{
+			handler.NewCol(LoginPolicyChangeDateCol, policyEvent.CreationDate()),
+			handler.NewCol(LoginPolicySequenceCol, policyEvent.Sequence()),
+			crdb.NewArrayRemoveCol(LoginPolicy2FAsCol, policyEvent.MFAType),
+		},
+		[]handler.Condition{
+			handler.NewCond(LoginPolicyIDCol, policyEvent.Aggregate().ID),
+		},
+	), nil
+}

internal/query/projection/login_policy_test.go

@@ -0,0 +1,494 @@
+package projection
+
+import (
+	"testing"
+
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/handler"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/iam"
+	"github.com/caos/zitadel/internal/repository/org"
+)
+
+func TestLoginPolicyProjection_reduces(t *testing.T) {
+	type args struct {
+		event func(t *testing.T) eventstore.EventReader
+	}
+	tests := []struct {
+		name   string
+		args   args
+		reduce func(event eventstore.EventReader) (*handler.Statement, error)
+		want   wantReduce
+	}{
+		{
+			name: "org.reduceLoginPolicyAdded",
+			args: args{
+				event: getEvent(testEvent(
+					repository.EventType(org.LoginPolicyAddedEventType),
+					org.AggregateType,
+					[]byte(`{
+	"allowUsernamePassword": true,
+	"allowRegister": true,
+	"allowExternalIdp": false,
+	"forceMFA": false,
+	"hidePasswordReset": true,
+	"passwordlessType": 1
+}`),
+				), org.LoginPolicyAddedEventMapper),
+			},
+			reduce: (&LoginPolicyProjection{}).reduceLoginPolicyAdded,
+			want: wantReduce{
+				aggregateType:    eventstore.AggregateType("org"),
+				sequence:         15,
+				previousSequence: 10,
+				projection:       LoginPolicyTable,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "INSERT INTO zitadel.projections.login_policies (aggregate_id, creation_date, change_date, sequence, allow_register, allow_username_password, allow_external_idps, force_mfa, passwordless_type, is_default, hide_password_reset) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)",
+							expectedArgs: []interface{}{
+								"agg-id",
+								anyArg{},
+								anyArg{},
+								uint64(15),
+								true,
+								true,
+								false,
+								false,
+								domain.PasswordlessTypeAllowed,
+								false,
+								true,
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:   "org.reduceLoginPolicyChanged",
+			reduce: (&LoginPolicyProjection{}).reduceLoginPolicyChanged,
+			args: args{
+				event: getEvent(testEvent(
+					repository.EventType(org.LoginPolicyChangedEventType),
+					org.AggregateType,
+					[]byte(`{
+	"allowUsernamePassword": true,
+	"allowRegister": true,
+	"allowExternalIdp": true,
+	"forceMFA": true,
+	"hidePasswordReset": true,
+	"passwordlessType": 1
+}`),
+				), org.LoginPolicyChangedEventMapper),
+			},
+			want: wantReduce{
+				aggregateType:    eventstore.AggregateType("org"),
+				sequence:         15,
+				previousSequence: 10,
+				projection:       LoginPolicyTable,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "UPDATE zitadel.projections.login_policies SET (change_date, sequence, allow_register, allow_username_password, allow_external_idps, force_mfa, passwordless_type, hide_password_reset) = ($1, $2, $3, $4, $5, $6, $7, $8) WHERE (aggregate_id = $9)",
+							expectedArgs: []interface{}{
+								anyArg{},
+								uint64(15),
+								true,
+								true,
+								true,
+								true,
+								domain.PasswordlessTypeAllowed,
+								true,
+								"agg-id",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:   "org.reduceMFAAdded",
+			reduce: (&LoginPolicyProjection{}).reduceMFAAdded,
+			args: args{
+				event: getEvent(testEvent(
+					repository.EventType(org.LoginPolicyMultiFactorAddedEventType),
+					org.AggregateType,
+					[]byte(`{
+	"mfaType": 1
+}`),
+				), org.MultiFactorAddedEventEventMapper),
+			},
+			want: wantReduce{
+				aggregateType:    eventstore.AggregateType("org"),
+				sequence:         15,
+				previousSequence: 10,
+				projection:       LoginPolicyTable,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "UPDATE zitadel.projections.login_policies SET (change_date, sequence, multi_factors) = ($1, $2, array_append(multi_factors, $3)) WHERE (aggregate_id = $4)",
+							expectedArgs: []interface{}{
+								anyArg{},
+								uint64(15),
+								domain.MultiFactorTypeU2FWithPIN,
+								"agg-id",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:   "org.reduceMFARemoved",
+			reduce: (&LoginPolicyProjection{}).reduceMFARemoved,
+			args: args{
+				event: getEvent(testEvent(
+					repository.EventType(org.LoginPolicyMultiFactorRemovedEventType),
+					org.AggregateType,
+					[]byte(`{
+			"mfaType": 1
+			}`),
+				), org.MultiFactorRemovedEventEventMapper),
+			},
+			want: wantReduce{
+				aggregateType:    eventstore.AggregateType("org"),
+				sequence:         15,
+				previousSequence: 10,
+				projection:       LoginPolicyTable,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "UPDATE zitadel.projections.login_policies SET (change_date, sequence, multi_factors) = ($1, $2, array_remove(multi_factors, $3)) WHERE (aggregate_id = $4)",
+							expectedArgs: []interface{}{
+								anyArg{},
+								uint64(15),
+								domain.MultiFactorTypeU2FWithPIN,
+								"agg-id",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:   "org.reduceLoginPolicyRemoved",
+			reduce: (&LoginPolicyProjection{}).reduceLoginPolicyRemoved,
+			args: args{
+				event: getEvent(testEvent(
+					repository.EventType(org.LoginPolicyRemovedEventType),
+					org.AggregateType,
+					nil,
+				), org.LoginPolicyRemovedEventMapper),
+			},
+			want: wantReduce{
+				aggregateType:    eventstore.AggregateType("org"),
+				sequence:         15,
+				previousSequence: 10,
+				projection:       LoginPolicyTable,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "DELETE FROM zitadel.projections.login_policies WHERE (aggregate_id = $1)",
+							expectedArgs: []interface{}{
+								"agg-id",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:   "org.reduce2FAAdded",
+			reduce: (&LoginPolicyProjection{}).reduce2FAAdded,
+			args: args{
+				event: getEvent(testEvent(
+					repository.EventType(org.LoginPolicySecondFactorAddedEventType),
+					org.AggregateType,
+					[]byte(`{
+			"mfaType": 2
+			}`),
+				), org.SecondFactorAddedEventEventMapper),
+			},
+			want: wantReduce{
+				aggregateType:    eventstore.AggregateType("org"),
+				sequence:         15,
+				previousSequence: 10,
+				projection:       LoginPolicyTable,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "UPDATE zitadel.projections.login_policies SET (change_date, sequence, second_factors) = ($1, $2, array_append(second_factors, $3)) WHERE (aggregate_id = $4)",
+							expectedArgs: []interface{}{
+								anyArg{},
+								uint64(15),
+								domain.SecondFactorTypeU2F,
+								"agg-id",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:   "org.reduce2FARemoved",
+			reduce: (&LoginPolicyProjection{}).reduce2FARemoved,
+			args: args{
+				event: getEvent(testEvent(
+					repository.EventType(org.LoginPolicySecondFactorRemovedEventType),
+					org.AggregateType,
+					[]byte(`{
+			"mfaType": 2
+			}`),
+				), org.SecondFactorRemovedEventEventMapper),
+			},
+			want: wantReduce{
+				aggregateType:    eventstore.AggregateType("org"),
+				sequence:         15,
+				previousSequence: 10,
+				projection:       LoginPolicyTable,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "UPDATE zitadel.projections.login_policies SET (change_date, sequence, second_factors) = ($1, $2, array_remove(second_factors, $3)) WHERE (aggregate_id = $4)",
+							expectedArgs: []interface{}{
+								anyArg{},
+								uint64(15),
+								domain.SecondFactorTypeU2F,
+								"agg-id",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:   "iam.reduceLoginPolicyAdded",
+			reduce: (&LoginPolicyProjection{}).reduceLoginPolicyAdded,
+			args: args{
+				event: getEvent(testEvent(
+					repository.EventType(iam.LoginPolicyAddedEventType),
+					iam.AggregateType,
+					[]byte(`{
+			"allowUsernamePassword": true,
+			"allowRegister": true,
+			"allowExternalIdp": false,
+			"forceMFA": false,
+			"hidePasswordReset": true,
+			"passwordlessType": 1
+			}`),
+				), iam.LoginPolicyAddedEventMapper),
+			},
+			want: wantReduce{
+				aggregateType:    eventstore.AggregateType("iam"),
+				sequence:         15,
+				previousSequence: 10,
+				projection:       LoginPolicyTable,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "INSERT INTO zitadel.projections.login_policies (aggregate_id, creation_date, change_date, sequence, allow_register, allow_username_password, allow_external_idps, force_mfa, passwordless_type, is_default, hide_password_reset) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)",
+							expectedArgs: []interface{}{
+								"agg-id",
+								anyArg{},
+								anyArg{},
+								uint64(15),
+								true,
+								true,
+								false,
+								false,
+								domain.PasswordlessTypeAllowed,
+								true,
+								true,
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:   "iam.reduceLoginPolicyChanged",
+			reduce: (&LoginPolicyProjection{}).reduceLoginPolicyChanged,
+			args: args{
+				event: getEvent(testEvent(
+					repository.EventType(iam.LoginPolicyChangedEventType),
+					iam.AggregateType,
+					[]byte(`{
+			"allowUsernamePassword": true,
+			"allowRegister": true,
+			"allowExternalIdp": true,
+			"forceMFA": true,
+			"hidePasswordReset": true,
+			"passwordlessType": 1
+			}`),
+				), iam.LoginPolicyChangedEventMapper),
+			},
+			want: wantReduce{
+				aggregateType:    eventstore.AggregateType("iam"),
+				sequence:         15,
+				previousSequence: 10,
+				projection:       LoginPolicyTable,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "UPDATE zitadel.projections.login_policies SET (change_date, sequence, allow_register, allow_username_password, allow_external_idps, force_mfa, passwordless_type, hide_password_reset) = ($1, $2, $3, $4, $5, $6, $7, $8) WHERE (aggregate_id = $9)",
+							expectedArgs: []interface{}{
+								anyArg{},
+								uint64(15),
+								true,
+								true,
+								true,
+								true,
+								domain.PasswordlessTypeAllowed,
+								true,
+								"agg-id",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:   "iam.reduceMFAAdded",
+			reduce: (&LoginPolicyProjection{}).reduceMFAAdded,
+			args: args{
+				event: getEvent(testEvent(
+					repository.EventType(iam.LoginPolicyMultiFactorAddedEventType),
+					iam.AggregateType,
+					[]byte(`{
+		"mfaType": 1
+		}`),
+				), iam.MultiFactorAddedEventMapper),
+			},
+			want: wantReduce{
+				aggregateType:    eventstore.AggregateType("iam"),
+				sequence:         15,
+				previousSequence: 10,
+				projection:       LoginPolicyTable,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "UPDATE zitadel.projections.login_policies SET (change_date, sequence, multi_factors) = ($1, $2, array_append(multi_factors, $3)) WHERE (aggregate_id = $4)",
+							expectedArgs: []interface{}{
+								anyArg{},
+								uint64(15),
+								domain.MultiFactorTypeU2FWithPIN,
+								"agg-id",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:   "iam.reduceMFARemoved",
+			reduce: (&LoginPolicyProjection{}).reduceMFARemoved,
+			args: args{
+				event: getEvent(testEvent(
+					repository.EventType(iam.LoginPolicyMultiFactorRemovedEventType),
+					iam.AggregateType,
+					[]byte(`{
+			"mfaType": 1
+			}`),
+				), iam.MultiFactorRemovedEventMapper),
+			},
+			want: wantReduce{
+				aggregateType:    eventstore.AggregateType("iam"),
+				sequence:         15,
+				previousSequence: 10,
+				projection:       LoginPolicyTable,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "UPDATE zitadel.projections.login_policies SET (change_date, sequence, multi_factors) = ($1, $2, array_remove(multi_factors, $3)) WHERE (aggregate_id = $4)",
+							expectedArgs: []interface{}{
+								anyArg{},
+								uint64(15),
+								domain.MultiFactorTypeU2FWithPIN,
+								"agg-id",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:   "iam.reduce2FAAdded",
+			reduce: (&LoginPolicyProjection{}).reduce2FAAdded,
+			args: args{
+				event: getEvent(testEvent(
+					repository.EventType(iam.LoginPolicySecondFactorAddedEventType),
+					iam.AggregateType,
+					[]byte(`{
+			"mfaType": 2
+			}`),
+				), iam.SecondFactorAddedEventMapper),
+			},
+			want: wantReduce{
+				aggregateType:    eventstore.AggregateType("iam"),
+				sequence:         15,
+				previousSequence: 10,
+				projection:       LoginPolicyTable,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "UPDATE zitadel.projections.login_policies SET (change_date, sequence, second_factors) = ($1, $2, array_append(second_factors, $3)) WHERE (aggregate_id = $4)",
+							expectedArgs: []interface{}{
+								anyArg{},
+								uint64(15),
+								domain.SecondFactorTypeU2F,
+								"agg-id",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:   "iam.reduce2FARemoved",
+			reduce: (&LoginPolicyProjection{}).reduce2FARemoved,
+			args: args{
+				event: getEvent(testEvent(
+					repository.EventType(iam.LoginPolicySecondFactorRemovedEventType),
+					iam.AggregateType,
+					[]byte(`{
+			"mfaType": 2
+			}`),
+				), iam.SecondFactorRemovedEventMapper),
+			},
+			want: wantReduce{
+				aggregateType:    eventstore.AggregateType("iam"),
+				sequence:         15,
+				previousSequence: 10,
+				projection:       LoginPolicyTable,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "UPDATE zitadel.projections.login_policies SET (change_date, sequence, second_factors) = ($1, $2, array_remove(second_factors, $3)) WHERE (aggregate_id = $4)",
+							expectedArgs: []interface{}{
+								anyArg{},
+								uint64(15),
+								domain.SecondFactorTypeU2F,
+								"agg-id",
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			event := baseEvent(t)
+			got, err := tt.reduce(event)
+			if _, ok := err.(errors.InvalidArgument); !ok {
+				t.Errorf("no wrong event mapping: %v, got: %v", err, got)
+			}
+
+			event = tt.args.event(t)
+			got, err = tt.reduce(event)
+			assertReduce(t, got, err, tt.want)
+		})
+	}
+}

internal/query/projection/projection.go

@@ -41,6 +41,7 @@ func Start(ctx context.Context, sqlClient *sql.DB, es *eventstore.Eventstore, co
 	NewProjectRoleProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["project_roles"]))
 	// owner.NewOrgOwnerProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["org_owners"]))
 	NewOrgDomainProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["org_domains"]))
+	NewLoginPolicyProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["login_policies"]))
 
 	return nil
 }