feat: New event user (#1156)

* feat: change user command side * feat: change user command side * feat: use states on write model * feat: command and query side in auth api * feat: auth commands * feat: check external idp id * feat: user state check * fix: error messages * fix: is active state
2025-12-06 15:12:14 +00:00 · 2021-01-07 16:06:45 +01:00
parent 65a8efeb0e
commit 26c8113930
71 changed files with 1242 additions and 442 deletions
--- a/internal/management/repository/eventsourcing/eventstore/user.go
+++ b/internal/management/repository/eventsourcing/eventstore/user.go
@@ -9,8 +9,6 @@ import (
 	"github.com/caos/zitadel/internal/errors"
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	es_int "github.com/caos/zitadel/internal/eventstore"
-	es_models "github.com/caos/zitadel/internal/eventstore/models"
-	es_sdk "github.com/caos/zitadel/internal/eventstore/sdk"
 	iam_es_model "github.com/caos/zitadel/internal/iam/repository/view/model"
 	"github.com/caos/zitadel/internal/management/repository/eventsourcing/view"
 	global_model "github.com/caos/zitadel/internal/model"
@@ -60,100 +58,6 @@ func (repo *UserRepo) UserByID(ctx context.Context, id string) (*usr_model.UserV
 	return model.UserToModel(&userCopy), nil
 }

-func (repo *UserRepo) CreateUser(ctx context.Context, user *usr_model.User) (*usr_model.User, error) {
-	pwPolicy, err := repo.View.PasswordComplexityPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
-	if err != nil && caos_errs.IsNotFound(err) {
-		pwPolicy, err = repo.View.PasswordComplexityPolicyByAggregateID(repo.SystemDefaults.IamID)
-	}
-	if err != nil {
-		return nil, err
-	}
-	pwPolicyView := iam_es_model.PasswordComplexityViewToModel(pwPolicy)
-	orgPolicy, err := repo.View.OrgIAMPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
-	if err != nil && errors.IsNotFound(err) {
-		orgPolicy, err = repo.View.OrgIAMPolicyByAggregateID(repo.SystemDefaults.IamID)
-	}
-	if err != nil {
-		return nil, err
-	}
-	orgPolicyView := iam_es_model.OrgIAMViewToModel(orgPolicy)
-	return repo.UserEvents.CreateUser(ctx, user, pwPolicyView, orgPolicyView)
-}
-
-func (repo *UserRepo) RegisterUser(ctx context.Context, user *usr_model.User, resourceOwner string) (*usr_model.User, error) {
-	policyResourceOwner := authz.GetCtxData(ctx).OrgID
-	if resourceOwner != "" {
-		policyResourceOwner = resourceOwner
-	}
-	pwPolicy, err := repo.View.PasswordComplexityPolicyByAggregateID(policyResourceOwner)
-	if err != nil && caos_errs.IsNotFound(err) {
-		pwPolicy, err = repo.View.PasswordComplexityPolicyByAggregateID(repo.SystemDefaults.IamID)
-	}
-	if err != nil {
-		return nil, err
-	}
-	pwPolicyView := iam_es_model.PasswordComplexityViewToModel(pwPolicy)
-	orgPolicy, err := repo.View.OrgIAMPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
-	if err != nil && errors.IsNotFound(err) {
-		orgPolicy, err = repo.View.OrgIAMPolicyByAggregateID(repo.SystemDefaults.IamID)
-	}
-	if err != nil {
-		return nil, err
-	}
-	orgPolicyView := iam_es_model.OrgIAMViewToModel(orgPolicy)
-	return repo.UserEvents.RegisterUser(ctx, user, pwPolicyView, orgPolicyView, resourceOwner)
-}
-
-func (repo *UserRepo) DeactivateUser(ctx context.Context, id string) (*usr_model.User, error) {
-	return repo.UserEvents.DeactivateUser(ctx, id)
-}
-
-func (repo *UserRepo) ReactivateUser(ctx context.Context, id string) (*usr_model.User, error) {
-	return repo.UserEvents.ReactivateUser(ctx, id)
-}
-
-func (repo *UserRepo) LockUser(ctx context.Context, id string) (*usr_model.User, error) {
-	return repo.UserEvents.LockUser(ctx, id)
-}
-
-func (repo *UserRepo) UnlockUser(ctx context.Context, id string) (*usr_model.User, error) {
-	return repo.UserEvents.UnlockUser(ctx, id)
-}
-
-func (repo *UserRepo) RemoveUser(ctx context.Context, id string) error {
-	aggregates := make([]*es_models.Aggregate, 0)
-	orgPolicy, err := repo.View.OrgIAMPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
-	if err != nil && errors.IsNotFound(err) {
-		orgPolicy, err = repo.View.OrgIAMPolicyByAggregateID(repo.SystemDefaults.IamID)
-	}
-	if err != nil {
-		return err
-	}
-	orgPolicyView := iam_es_model.OrgIAMViewToModel(orgPolicy)
-	user, agg, err := repo.UserEvents.PrepareRemoveUser(ctx, id, orgPolicyView)
-	if err != nil {
-		return err
-	}
-	aggregates = append(aggregates, agg...)
-
-	// remove user_grants
-	usergrants, err := repo.View.UserGrantsByUserID(id)
-	if err != nil {
-		return err
-	}
-	for _, grant := range usergrants {
-		_, aggs, err := repo.UserGrantEvents.PrepareRemoveUserGrant(ctx, grant.ID, true)
-		if err != nil {
-			return err
-		}
-		for _, agg := range aggs {
-			aggregates = append(aggregates, agg)
-		}
-	}
-
-	return es_sdk.PushAggregates(ctx, repo.Eventstore.PushAggregates, user.AppendEvents, aggregates...)
-}
-
 func (repo *UserRepo) SearchUsers(ctx context.Context, request *usr_model.UserSearchRequest) (*usr_model.UserSearchResponse, error) {
 	request.EnsureLimit(repo.SearchLimit)
 	sequence, sequenceErr := repo.View.GetLatestUserSequence("")
@@ -225,42 +129,10 @@ func (repo *UserRepo) UserMFAs(ctx context.Context, userID string) ([]*usr_model
 	return mfas, nil
 }

-func (repo *UserRepo) RemoveOTP(ctx context.Context, userID string) error {
-	return repo.UserEvents.RemoveOTP(ctx, userID)
-}
-
-func (repo *UserRepo) RemoveU2F(ctx context.Context, userID, webAuthNTokenID string) error {
-	return repo.UserEvents.RemoveU2FToken(ctx, userID, webAuthNTokenID)
-}
-
 func (repo *UserRepo) GetPasswordless(ctx context.Context, userID string) ([]*usr_model.WebAuthNToken, error) {
 	return repo.UserEvents.GetPasswordless(ctx, userID)
 }

-func (repo *UserRepo) RemovePasswordless(ctx context.Context, userID, webAuthNTokenID string) error {
-	return repo.UserEvents.RemovePasswordlessToken(ctx, userID, webAuthNTokenID)
-}
-
-func (repo *UserRepo) SetOneTimePassword(ctx context.Context, password *usr_model.Password) (*usr_model.Password, error) {
-	policy, err := repo.View.PasswordComplexityPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
-	if err != nil && caos_errs.IsNotFound(err) {
-		policy, err = repo.View.PasswordComplexityPolicyByAggregateID(repo.SystemDefaults.IamID)
-	}
-	if err != nil {
-		return nil, err
-	}
-	pwPolicyView := iam_es_model.PasswordComplexityViewToModel(policy)
-	return repo.UserEvents.SetOneTimePassword(ctx, pwPolicyView, password)
-}
-
-func (repo *UserRepo) RequestSetPassword(ctx context.Context, id string, notifyType usr_model.NotificationType) error {
-	return repo.UserEvents.RequestSetPassword(ctx, id, notifyType)
-}
-
-func (repo *UserRepo) ResendInitialMail(ctx context.Context, userID, email string) error {
-	return repo.UserEvents.ResendInitialMail(ctx, userID, email)
-}
-
 func (repo *UserRepo) ProfileByID(ctx context.Context, userID string) (*usr_model.Profile, error) {
 	user, err := repo.UserByID(ctx, userID)
 	if err != nil {
@@ -293,14 +165,6 @@ func (repo *UserRepo) SearchExternalIDPs(ctx context.Context, request *usr_model
 	return result, nil
 }

-func (repo *UserRepo) RemoveExternalIDP(ctx context.Context, externalIDP *usr_model.ExternalIDP) error {
-	return repo.UserEvents.RemoveExternalIDP(ctx, externalIDP)
-}
-
-func (repo *UserRepo) ChangeMachine(ctx context.Context, machine *usr_model.Machine) (*usr_model.Machine, error) {
-	return repo.UserEvents.ChangeMachine(ctx, machine)
-}
-
 func (repo *UserRepo) GetMachineKey(ctx context.Context, userID, keyID string) (*usr_model.MachineKeyView, error) {
 	key, err := repo.View.MachineKeyByIDs(userID, keyID)
 	if err != nil {
@@ -338,10 +202,6 @@ func (repo *UserRepo) RemoveMachineKey(ctx context.Context, userID, keyID string
 	return repo.UserEvents.RemoveMachineKey(ctx, userID, keyID)
 }

-func (repo *UserRepo) ChangeProfile(ctx context.Context, profile *usr_model.Profile) (*usr_model.Profile, error) {
-	return repo.UserEvents.ChangeProfile(ctx, profile)
-}
-
 func (repo *UserRepo) ChangeUsername(ctx context.Context, userID, userName string) error {
 	orgPolicy, err := repo.View.OrgIAMPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
 	if err != nil && errors.IsNotFound(err) {
@@ -365,14 +225,6 @@ func (repo *UserRepo) EmailByID(ctx context.Context, userID string) (*usr_model.
 	return user.GetEmail()
 }

-func (repo *UserRepo) ChangeEmail(ctx context.Context, email *usr_model.Email) (*usr_model.Email, error) {
-	return repo.UserEvents.ChangeEmail(ctx, email)
-}
-
-func (repo *UserRepo) CreateEmailVerificationCode(ctx context.Context, userID string) error {
-	return repo.UserEvents.CreateEmailVerificationCode(ctx, userID)
-}
-
 func (repo *UserRepo) PhoneByID(ctx context.Context, userID string) (*usr_model.Phone, error) {
 	user, err := repo.UserByID(ctx, userID)
 	if err != nil {
@@ -384,18 +236,6 @@ func (repo *UserRepo) PhoneByID(ctx context.Context, userID string) (*usr_model.
 	return user.GetPhone()
 }

-func (repo *UserRepo) ChangePhone(ctx context.Context, email *usr_model.Phone) (*usr_model.Phone, error) {
-	return repo.UserEvents.ChangePhone(ctx, email)
-}
-
-func (repo *UserRepo) RemovePhone(ctx context.Context, userID string) error {
-	return repo.UserEvents.RemovePhone(ctx, userID)
-}
-
-func (repo *UserRepo) CreatePhoneVerificationCode(ctx context.Context, userID string) error {
-	return repo.UserEvents.CreatePhoneVerificationCode(ctx, userID)
-}
-
 func (repo *UserRepo) AddressByID(ctx context.Context, userID string) (*usr_model.Address, error) {
 	user, err := repo.UserByID(ctx, userID)
 	if err != nil {
@@ -407,10 +247,6 @@ func (repo *UserRepo) AddressByID(ctx context.Context, userID string) (*usr_mode
 	return user.GetAddress()
 }

-func (repo *UserRepo) ChangeAddress(ctx context.Context, address *usr_model.Address) (*usr_model.Address, error) {
-	return repo.UserEvents.ChangeAddress(ctx, address)
-}
-
 func (repo *UserRepo) SearchUserMemberships(ctx context.Context, request *usr_model.UserMembershipSearchRequest) (*usr_model.UserMembershipSearchResponse, error) {
 	request.EnsureLimit(repo.SearchLimit)
 	sequence, sequenceErr := repo.View.GetLatestUserMembershipSequence("")
--- a/internal/management/repository/user.go
+++ b/internal/management/repository/user.go
@@ -8,13 +8,6 @@ import (

 type UserRepository interface {
 	UserByID(ctx context.Context, id string) (*model.UserView, error)
-	CreateUser(ctx context.Context, user *model.User) (*model.User, error)
-	RegisterUser(ctx context.Context, user *model.User, resourceOwner string) (*model.User, error)
-	DeactivateUser(ctx context.Context, id string) (*model.User, error)
-	ReactivateUser(ctx context.Context, id string) (*model.User, error)
-	LockUser(ctx context.Context, id string) (*model.User, error)
-	UnlockUser(ctx context.Context, id string) (*model.User, error)
-	RemoveUser(ctx context.Context, id string) error
 	SearchUsers(ctx context.Context, request *model.UserSearchRequest) (*model.UserSearchResponse, error)

 	GetUserByLoginNameGlobal(ctx context.Context, email string) (*model.UserView, error)
@@ -22,43 +15,24 @@ type UserRepository interface {

 	UserChanges(ctx context.Context, id string, lastSequence uint64, limit uint64, sortAscending bool) (*model.UserChanges, error)

-	ChangeUsername(ctx context.Context, id, username string) error
-
-	SetOneTimePassword(ctx context.Context, password *model.Password) (*model.Password, error)
-	RequestSetPassword(ctx context.Context, id string, notifyType model.NotificationType) error
-
 	ProfileByID(ctx context.Context, userID string) (*model.Profile, error)
-	ChangeProfile(ctx context.Context, profile *model.Profile) (*model.Profile, error)

 	UserMFAs(ctx context.Context, userID string) ([]*model.MultiFactor, error)
-	RemoveOTP(ctx context.Context, userID string) error
-	RemoveU2F(ctx context.Context, userID, webAuthNTokenID string) error

 	GetPasswordless(ctx context.Context, userID string) ([]*model.WebAuthNToken, error)
-	RemovePasswordless(ctx context.Context, userID, webAuthNTokenID string) error

 	SearchExternalIDPs(ctx context.Context, request *model.ExternalIDPSearchRequest) (*model.ExternalIDPSearchResponse, error)
-	RemoveExternalIDP(ctx context.Context, externalIDP *model.ExternalIDP) error

 	SearchMachineKeys(ctx context.Context, request *model.MachineKeySearchRequest) (*model.MachineKeySearchResponse, error)
 	GetMachineKey(ctx context.Context, userID, keyID string) (*model.MachineKeyView, error)
-	ChangeMachine(ctx context.Context, machine *model.Machine) (*model.Machine, error)
 	AddMachineKey(ctx context.Context, key *model.MachineKey) (*model.MachineKey, error)
 	RemoveMachineKey(ctx context.Context, userID, keyID string) error

 	EmailByID(ctx context.Context, userID string) (*model.Email, error)
-	ChangeEmail(ctx context.Context, email *model.Email) (*model.Email, error)
-	CreateEmailVerificationCode(ctx context.Context, userID string) error

 	PhoneByID(ctx context.Context, userID string) (*model.Phone, error)
-	ChangePhone(ctx context.Context, email *model.Phone) (*model.Phone, error)
-	RemovePhone(ctx context.Context, userID string) error
-	CreatePhoneVerificationCode(ctx context.Context, userID string) error

 	AddressByID(ctx context.Context, userID string) (*model.Address, error)
-	ChangeAddress(ctx context.Context, address *model.Address) (*model.Address, error)

 	SearchUserMemberships(ctx context.Context, request *model.UserMembershipSearchRequest) (*model.UserMembershipSearchResponse, error)
-
-	ResendInitialMail(ctx context.Context, userID, email string) error
 }