perf(actionsv2): execution target router (#10564)

# Which Problems Are Solved

The event execution system currently uses a projection handler that
subscribes to and processes all events for all instances. This creates a
high static cost because the system over-fetches event data, handling
many events that are not needed by most instances. This inefficiency is
also reflected in high "rows returned" metrics in the database.

# How the Problems Are Solved

Eliminate the use of a project handler. Instead, events for which
"execution targets" are defined, are directly pushed to the queue by the
eventstore. A Router is populated in the Instance object in the authz
middleware.

- By joining the execution targets to the instance, no additional
queries are needed anymore.
- As part of the instance object, execution targets are now cached as
well.
- Events are queued within the same transaction, giving transactional
guarantees on delivery.
- Uses the "insert many fast` variant of River. Multiple jobs are queued
in a single round-trip to the database.
- Fix compatibility with PostgreSQL 15

# Additional Changes

- The signing key was stored as plain-text in the river job payload in
the DB. This violated our [Secrets
Storage](https://zitadel.com/docs/concepts/architecture/secrets#secrets-storage)
principle. This change removed the field and only uses the encrypted
version of the signing key.
- Fixed the target ordering from descending to ascending.
- Some minor linter warnings on the use of `io.WriteString()`.

# Additional Context

- Introduced in https://github.com/zitadel/zitadel/pull/9249
- Closes https://github.com/zitadel/zitadel/issues/10553
- Closes https://github.com/zitadel/zitadel/issues/9832
- Closes https://github.com/zitadel/zitadel/issues/10372
- Closes https://github.com/zitadel/zitadel/issues/10492

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
(cherry picked from commit a9ebc06c77)

internal/api/grpc/action/v2/integration_test/execution_target_test.go

@@ -26,6 +26,7 @@ import (
 	oidc_api "github.com/zitadel/zitadel/internal/api/oidc"
 	saml_api "github.com/zitadel/zitadel/internal/api/saml"
 	"github.com/zitadel/zitadel/internal/domain"
+	target_domain "github.com/zitadel/zitadel/internal/execution/target"
 	"github.com/zitadel/zitadel/internal/integration"
 	"github.com/zitadel/zitadel/internal/query"
 	"github.com/zitadel/zitadel/pkg/grpc/action/v2"
@@ -73,7 +74,7 @@ func TestServer_ExecutionTarget(t *testing.T) {
 				targetCreatedName := gofakeit.Name()
 				targetCreatedURL := "https://nonexistent"
 
-				targetCreated := instance.CreateTarget(ctx, t, targetCreatedName, targetCreatedURL, domain.TargetTypeCall, false)
+				targetCreated := instance.CreateTarget(ctx, t, targetCreatedName, targetCreatedURL, target_domain.TargetTypeCall, false)
 
 				// request received by target
 				wantRequest := &middleware.ContextInfoRequest{FullMethod: fullMethod, InstanceID: instance.ID(), OrgID: orgID, ProjectID: projectID, UserID: userID, Request: middleware.Message{Message: request}}
@@ -81,7 +82,7 @@ func TestServer_ExecutionTarget(t *testing.T) {
 				// replace original request with different targetID
 				urlRequest, closeRequest, calledRequest, _ := integration.TestServerCallProto(wantRequest, 0, http.StatusOK, changedRequest)
 
-				targetRequest := waitForTarget(ctx, t, instance, urlRequest, domain.TargetTypeCall, false)
+				targetRequest := waitForTarget(ctx, t, instance, urlRequest, target_domain.TargetTypeCall, false)
 
 				waitForExecutionOnCondition(ctx, t, instance, conditionRequestFullMethod(fullMethod), []string{targetRequest.GetId()})
 
@@ -148,7 +149,7 @@ func TestServer_ExecutionTarget(t *testing.T) {
 				// after request with different targetID, return changed response
 				targetResponseURL, closeResponse, calledResponse, _ := integration.TestServerCallProto(wantResponse, 0, http.StatusOK, changedResponse)
 
-				targetResponse := waitForTarget(ctx, t, instance, targetResponseURL, domain.TargetTypeCall, false)
+				targetResponse := waitForTarget(ctx, t, instance, targetResponseURL, target_domain.TargetTypeCall, false)
 				waitForExecutionOnCondition(ctx, t, instance, conditionResponseFullMethod(fullMethod), []string{targetResponse.GetId()})
 				return func() {
 						closeRequest()
@@ -186,7 +187,7 @@ func TestServer_ExecutionTarget(t *testing.T) {
 				wantRequest := &middleware.ContextInfoRequest{FullMethod: fullMethod, InstanceID: instance.ID(), OrgID: orgID, ProjectID: projectID, UserID: userID, Request: middleware.Message{Message: request}}
 				urlRequest, closeRequest, calledRequest, _ := integration.TestServerCallProto(wantRequest, 0, http.StatusInternalServerError, nil)
 
-				targetRequest := waitForTarget(ctx, t, instance, urlRequest, domain.TargetTypeCall, true)
+				targetRequest := waitForTarget(ctx, t, instance, urlRequest, target_domain.TargetTypeCall, true)
 				waitForExecutionOnCondition(ctx, t, instance, conditionRequestFullMethod(fullMethod), []string{targetRequest.GetId()})
 				// GetTarget with used target
 				request.Id = targetRequest.GetId()
@@ -214,7 +215,7 @@ func TestServer_ExecutionTarget(t *testing.T) {
 				targetCreatedName := gofakeit.Name()
 				targetCreatedURL := "https://nonexistent"
 
-				targetCreated := instance.CreateTarget(ctx, t, targetCreatedName, targetCreatedURL, domain.TargetTypeCall, false)
+				targetCreated := instance.CreateTarget(ctx, t, targetCreatedName, targetCreatedURL, target_domain.TargetTypeCall, false)
 
 				// GetTarget with used target
 				request.Id = targetCreated.GetId()
@@ -250,7 +251,7 @@ func TestServer_ExecutionTarget(t *testing.T) {
 				// after request with different targetID, return changed response
 				targetResponseURL, closeResponse, calledResponse, _ := integration.TestServerCallProto(wantResponse, 0, http.StatusInternalServerError, nil)
 
-				targetResponse := waitForTarget(ctx, t, instance, targetResponseURL, domain.TargetTypeCall, true)
+				targetResponse := waitForTarget(ctx, t, instance, targetResponseURL, target_domain.TargetTypeCall, true)
 				waitForExecutionOnCondition(ctx, t, instance, conditionResponseFullMethod(fullMethod), []string{targetResponse.GetId()})
 				return func() {
 						closeResponse()
@@ -298,7 +299,7 @@ func TestServer_ExecutionTarget_Event(t *testing.T) {
 	urlRequest, closeF, calledF, resetF := integration.TestServerCall(nil, 0, http.StatusOK, nil)
 	defer closeF()
 
-	targetResponse := waitForTarget(isolatedIAMOwnerCTX, t, instance, urlRequest, domain.TargetTypeWebhook, true)
+	targetResponse := waitForTarget(isolatedIAMOwnerCTX, t, instance, urlRequest, target_domain.TargetTypeWebhook, true)
 	waitForExecutionOnCondition(isolatedIAMOwnerCTX, t, instance, conditionEvent(event), []string{targetResponse.GetId()})
 
 	tests := []struct {
@@ -356,7 +357,7 @@ func TestServer_ExecutionTarget_Event_LongerThanTargetTimeout(t *testing.T) {
 	urlRequest, closeF, calledF, resetF := integration.TestServerCall(nil, 5*time.Second, http.StatusOK, nil)
 	defer closeF()
 
-	targetResponse := waitForTarget(isolatedIAMOwnerCTX, t, instance, urlRequest, domain.TargetTypeWebhook, true)
+	targetResponse := waitForTarget(isolatedIAMOwnerCTX, t, instance, urlRequest, target_domain.TargetTypeWebhook, true)
 	waitForExecutionOnCondition(isolatedIAMOwnerCTX, t, instance, conditionEvent(event), []string{targetResponse.GetId()})
 
 	tests := []struct {
@@ -407,7 +408,7 @@ func TestServer_ExecutionTarget_Event_LongerThanTransactionTimeout(t *testing.T)
 	urlRequest, closeF, calledF, resetF := integration.TestServerCall(nil, 1*time.Second, http.StatusOK, nil)
 	defer closeF()
 
-	targetResponse := waitForTarget(isolatedIAMOwnerCTX, t, instance, urlRequest, domain.TargetTypeWebhook, true)
+	targetResponse := waitForTarget(isolatedIAMOwnerCTX, t, instance, urlRequest, target_domain.TargetTypeWebhook, true)
 	waitForExecutionOnCondition(isolatedIAMOwnerCTX, t, instance, conditionEvent(event), []string{targetResponse.GetId()})
 
 	tests := []struct {
@@ -490,7 +491,7 @@ func waitForExecutionOnCondition(ctx context.Context, t *testing.T, instance *in
 	}, retryDuration, tick, "timeout waiting for expected execution result")
 }
 
-func waitForTarget(ctx context.Context, t *testing.T, instance *integration.Instance, endpoint string, ty domain.TargetType, interrupt bool) *action.CreateTargetResponse {
+func waitForTarget(ctx context.Context, t *testing.T, instance *integration.Instance, endpoint string, ty target_domain.TargetType, interrupt bool) *action.CreateTargetResponse {
 	resp := instance.CreateTarget(ctx, t, "", endpoint, ty, interrupt)
 
 	retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, time.Minute)
@@ -511,14 +512,14 @@ func waitForTarget(ctx context.Context, t *testing.T, instance *integration.Inst
 		config := got.GetTargets()[0]
 		assert.Equal(ttt, config.GetEndpoint(), endpoint)
 		switch ty {
-		case domain.TargetTypeWebhook:
+		case target_domain.TargetTypeWebhook:
 			if !assert.NotNil(ttt, config.GetRestWebhook()) {
 				return
 			}
 			assert.Equal(ttt, interrupt, config.GetRestWebhook().GetInterruptOnError())
-		case domain.TargetTypeAsync:
+		case target_domain.TargetTypeAsync:
 			assert.NotNil(ttt, config.GetRestAsync())
-		case domain.TargetTypeCall:
+		case target_domain.TargetTypeCall:
 			if !assert.NotNil(ttt, config.GetRestCall()) {
 				return
 			}
@@ -770,7 +771,7 @@ func expectPreUserinfoExecution(ctx context.Context, t *testing.T, instance *int
 
 	targetURL, closeF, _, _ := integration.TestServerCall(expectedContextInfo, 0, http.StatusOK, response)
 
-	targetResp := waitForTarget(ctx, t, instance, targetURL, domain.TargetTypeCall, true)
+	targetResp := waitForTarget(ctx, t, instance, targetURL, target_domain.TargetTypeCall, true)
 	waitForExecutionOnCondition(ctx, t, instance, conditionFunction("preuserinfo"), []string{targetResp.GetId()})
 	return userResp.GetUserId(), closeF
 }
@@ -1078,7 +1079,7 @@ func expectPreAccessTokenExecution(ctx context.Context, t *testing.T, instance *
 
 	targetURL, closeF, _, _ := integration.TestServerCall(expectedContextInfo, 0, http.StatusOK, response)
 
-	targetResp := waitForTarget(ctx, t, instance, targetURL, domain.TargetTypeCall, true)
+	targetResp := waitForTarget(ctx, t, instance, targetURL, target_domain.TargetTypeCall, true)
 	waitForExecutionOnCondition(ctx, t, instance, conditionFunction("preaccesstoken"), []string{targetResp.GetId()})
 	return userResp.GetUserId(), closeF
 }
@@ -1243,7 +1244,7 @@ func expectPreSAMLResponseExecution(ctx context.Context, t *testing.T, instance
 
 	targetURL, closeF, _, _ := integration.TestServerCall(expectedContextInfo, 0, http.StatusOK, response)
 
-	targetResp := waitForTarget(ctx, t, instance, targetURL, domain.TargetTypeCall, true)
+	targetResp := waitForTarget(ctx, t, instance, targetURL, target_domain.TargetTypeCall, true)
 	waitForExecutionOnCondition(ctx, t, instance, conditionFunction("presamlresponse"), []string{targetResp.GetId()})
 
 	return userResp.GetUserId(), closeF

internal/api/grpc/action/v2/integration_test/execution_test.go

@@ -10,7 +10,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/zitadel/zitadel/internal/domain"
+	target_domain "github.com/zitadel/zitadel/internal/execution/target"
 	"github.com/zitadel/zitadel/internal/integration"
 	"github.com/zitadel/zitadel/pkg/grpc/action/v2"
 )
@@ -18,7 +18,7 @@ import (
 func TestServer_SetExecution_Request(t *testing.T) {
 	instance := integration.NewInstance(CTX)
 	isolatedIAMOwnerCTX := instance.WithAuthorizationToken(CTX, integration.UserTypeIAMOwner)
-	targetResp := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://notexisting", domain.TargetTypeWebhook, false)
+	targetResp := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://notexisting", target_domain.TargetTypeWebhook, false)
 
 	tests := []struct {
 		name        string
@@ -175,7 +175,7 @@ func assertSetExecutionResponse(t *testing.T, creationDate, setDate time.Time, e
 func TestServer_SetExecution_Response(t *testing.T) {
 	instance := integration.NewInstance(CTX)
 	isolatedIAMOwnerCTX := instance.WithAuthorizationToken(CTX, integration.UserTypeIAMOwner)
-	targetResp := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://notexisting", domain.TargetTypeWebhook, false)
+	targetResp := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://notexisting", target_domain.TargetTypeWebhook, false)
 
 	tests := []struct {
 		name        string
@@ -319,7 +319,7 @@ func TestServer_SetExecution_Response(t *testing.T) {
 func TestServer_SetExecution_Event(t *testing.T) {
 	instance := integration.NewInstance(CTX)
 	isolatedIAMOwnerCTX := instance.WithAuthorizationToken(CTX, integration.UserTypeIAMOwner)
-	targetResp := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://notexisting", domain.TargetTypeWebhook, false)
+	targetResp := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://notexisting", target_domain.TargetTypeWebhook, false)
 
 	tests := []struct {
 		name        string
@@ -482,7 +482,7 @@ func TestServer_SetExecution_Event(t *testing.T) {
 func TestServer_SetExecution_Function(t *testing.T) {
 	instance := integration.NewInstance(CTX)
 	isolatedIAMOwnerCTX := instance.WithAuthorizationToken(CTX, integration.UserTypeIAMOwner)
-	targetResp := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://notexisting", domain.TargetTypeWebhook, false)
+	targetResp := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://notexisting", target_domain.TargetTypeWebhook, false)
 
 	tests := []struct {
 		name        string

internal/api/grpc/action/v2/integration_test/query_test.go

@@ -12,7 +12,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"google.golang.org/protobuf/types/known/durationpb"
 
-	"github.com/zitadel/zitadel/internal/domain"
+	target_domain "github.com/zitadel/zitadel/internal/execution/target"
 	"github.com/zitadel/zitadel/internal/integration"
 	"github.com/zitadel/zitadel/pkg/grpc/action/v2"
 	"github.com/zitadel/zitadel/pkg/grpc/filter/v2"
@@ -54,7 +54,7 @@ func TestServer_GetTarget(t *testing.T) {
 				ctx: isolatedIAMOwnerCTX,
 				dep: func(ctx context.Context, request *action.GetTargetRequest, response *action.GetTargetResponse) error {
 					name := integration.TargetName()
-					resp := instance.CreateTarget(ctx, t, name, "https://example.com", domain.TargetTypeWebhook, false)
+					resp := instance.CreateTarget(ctx, t, name, "https://example.com", target_domain.TargetTypeWebhook, false)
 					request.Id = resp.GetId()
 					response.Target.Id = resp.GetId()
 					response.Target.Name = name
@@ -81,7 +81,7 @@ func TestServer_GetTarget(t *testing.T) {
 				ctx: isolatedIAMOwnerCTX,
 				dep: func(ctx context.Context, request *action.GetTargetRequest, response *action.GetTargetResponse) error {
 					name := integration.TargetName()
-					resp := instance.CreateTarget(ctx, t, name, "https://example.com", domain.TargetTypeAsync, false)
+					resp := instance.CreateTarget(ctx, t, name, "https://example.com", target_domain.TargetTypeAsync, false)
 					request.Id = resp.GetId()
 					response.Target.Id = resp.GetId()
 					response.Target.Name = name
@@ -108,7 +108,7 @@ func TestServer_GetTarget(t *testing.T) {
 				ctx: isolatedIAMOwnerCTX,
 				dep: func(ctx context.Context, request *action.GetTargetRequest, response *action.GetTargetResponse) error {
 					name := integration.TargetName()
-					resp := instance.CreateTarget(ctx, t, name, "https://example.com", domain.TargetTypeWebhook, true)
+					resp := instance.CreateTarget(ctx, t, name, "https://example.com", target_domain.TargetTypeWebhook, true)
 					request.Id = resp.GetId()
 					response.Target.Id = resp.GetId()
 					response.Target.Name = name
@@ -137,7 +137,7 @@ func TestServer_GetTarget(t *testing.T) {
 				ctx: isolatedIAMOwnerCTX,
 				dep: func(ctx context.Context, request *action.GetTargetRequest, response *action.GetTargetResponse) error {
 					name := integration.TargetName()
-					resp := instance.CreateTarget(ctx, t, name, "https://example.com", domain.TargetTypeCall, false)
+					resp := instance.CreateTarget(ctx, t, name, "https://example.com", target_domain.TargetTypeCall, false)
 					request.Id = resp.GetId()
 					response.Target.Id = resp.GetId()
 					response.Target.Name = name
@@ -166,7 +166,7 @@ func TestServer_GetTarget(t *testing.T) {
 				ctx: isolatedIAMOwnerCTX,
 				dep: func(ctx context.Context, request *action.GetTargetRequest, response *action.GetTargetResponse) error {
 					name := integration.TargetName()
-					resp := instance.CreateTarget(ctx, t, name, "https://example.com", domain.TargetTypeCall, true)
+					resp := instance.CreateTarget(ctx, t, name, "https://example.com", target_domain.TargetTypeCall, true)
 					request.Id = resp.GetId()
 					response.Target.Id = resp.GetId()
 					response.Target.Name = name
@@ -261,7 +261,7 @@ func TestServer_ListTargets(t *testing.T) {
 				ctx: isolatedIAMOwnerCTX,
 				dep: func(ctx context.Context, request *action.ListTargetsRequest, response *action.ListTargetsResponse) {
 					name := integration.TargetName()
-					resp := instance.CreateTarget(ctx, t, name, "https://example.com", domain.TargetTypeWebhook, false)
+					resp := instance.CreateTarget(ctx, t, name, "https://example.com", target_domain.TargetTypeWebhook, false)
 					request.Filters[0].Filter = &action.TargetSearchFilter_InTargetIdsFilter{
 						InTargetIdsFilter: &action.InTargetIDsFilter{
 							TargetIds: []string{resp.GetId()},
@@ -301,7 +301,7 @@ func TestServer_ListTargets(t *testing.T) {
 				ctx: isolatedIAMOwnerCTX,
 				dep: func(ctx context.Context, request *action.ListTargetsRequest, response *action.ListTargetsResponse) {
 					name := integration.TargetName()
-					resp := instance.CreateTarget(ctx, t, name, "https://example.com", domain.TargetTypeWebhook, false)
+					resp := instance.CreateTarget(ctx, t, name, "https://example.com", target_domain.TargetTypeWebhook, false)
 					request.Filters[0].Filter = &action.TargetSearchFilter_TargetNameFilter{
 						TargetNameFilter: &action.TargetNameFilter{
 							TargetName: name,
@@ -344,9 +344,9 @@ func TestServer_ListTargets(t *testing.T) {
 					name1 := integration.TargetName()
 					name2 := integration.TargetName()
 					name3 := integration.TargetName()
-					resp1 := instance.CreateTarget(ctx, t, name1, "https://example.com", domain.TargetTypeWebhook, false)
-					resp2 := instance.CreateTarget(ctx, t, name2, "https://example.com", domain.TargetTypeCall, true)
-					resp3 := instance.CreateTarget(ctx, t, name3, "https://example.com", domain.TargetTypeAsync, false)
+					resp1 := instance.CreateTarget(ctx, t, name1, "https://example.com", target_domain.TargetTypeWebhook, false)
+					resp2 := instance.CreateTarget(ctx, t, name2, "https://example.com", target_domain.TargetTypeCall, true)
+					resp3 := instance.CreateTarget(ctx, t, name3, "https://example.com", target_domain.TargetTypeAsync, false)
 					request.Filters[0].Filter = &action.TargetSearchFilter_InTargetIdsFilter{
 						InTargetIdsFilter: &action.InTargetIDsFilter{
 							TargetIds: []string{resp1.GetId(), resp2.GetId(), resp3.GetId()},
@@ -445,7 +445,7 @@ func assertPaginationResponse(t *assert.CollectT, expected *filter.PaginationRes
 func TestServer_ListExecutions(t *testing.T) {
 	instance := integration.NewInstance(CTX)
 	isolatedIAMOwnerCTX := instance.WithAuthorizationToken(CTX, integration.UserTypeIAMOwner)
-	targetResp := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", domain.TargetTypeWebhook, false)
+	targetResp := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", target_domain.TargetTypeWebhook, false)
 
 	type args struct {
 		ctx context.Context
@@ -523,7 +523,7 @@ func TestServer_ListExecutions(t *testing.T) {
 			args: args{
 				ctx: isolatedIAMOwnerCTX,
 				dep: func(ctx context.Context, request *action.ListExecutionsRequest, response *action.ListExecutionsResponse) {
-					target := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", domain.TargetTypeWebhook, false)
+					target := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", target_domain.TargetTypeWebhook, false)
 					// add target as Filter to the request
 					request.Filters[0] = &action.ExecutionSearchFilter{
 						Filter: &action.ExecutionSearchFilter_TargetFilter{

internal/api/grpc/action/v2/integration_test/target_test.go

@@ -12,7 +12,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"google.golang.org/protobuf/types/known/durationpb"
 
-	"github.com/zitadel/zitadel/internal/domain"
+	target_domain "github.com/zitadel/zitadel/internal/execution/target"
 	"github.com/zitadel/zitadel/internal/integration"
 	"github.com/zitadel/zitadel/pkg/grpc/action/v2"
 )
@@ -26,7 +26,7 @@ func TestServer_CreateTarget(t *testing.T) {
 		signingKey   bool
 	}
 	alreadyExistingTargetName := integration.TargetName()
-	instance.CreateTarget(isolatedIAMOwnerCTX, t, alreadyExistingTargetName, "https://example.com", domain.TargetTypeAsync, false)
+	instance.CreateTarget(isolatedIAMOwnerCTX, t, alreadyExistingTargetName, "https://example.com", target_domain.TargetTypeAsync, false)
 	tests := []struct {
 		name string
 		ctx  context.Context
@@ -263,7 +263,7 @@ func TestServer_UpdateTarget(t *testing.T) {
 		{
 			name: "missing permission",
 			prepare: func(request *action.UpdateTargetRequest) {
-				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", domain.TargetTypeWebhook, false).GetId()
+				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", target_domain.TargetTypeWebhook, false).GetId()
 				request.Id = targetID
 			},
 			args: args{
@@ -290,7 +290,7 @@ func TestServer_UpdateTarget(t *testing.T) {
 		{
 			name: "no change, ok",
 			prepare: func(request *action.UpdateTargetRequest) {
-				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", domain.TargetTypeWebhook, false).GetId()
+				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", target_domain.TargetTypeWebhook, false).GetId()
 				request.Id = targetID
 			},
 			args: args{
@@ -308,7 +308,7 @@ func TestServer_UpdateTarget(t *testing.T) {
 		{
 			name: "change name, ok",
 			prepare: func(request *action.UpdateTargetRequest) {
-				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", domain.TargetTypeWebhook, false).GetId()
+				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", target_domain.TargetTypeWebhook, false).GetId()
 				request.Id = targetID
 			},
 			args: args{
@@ -326,7 +326,7 @@ func TestServer_UpdateTarget(t *testing.T) {
 		{
 			name: "regenerate signingkey, ok",
 			prepare: func(request *action.UpdateTargetRequest) {
-				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", domain.TargetTypeWebhook, false).GetId()
+				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", target_domain.TargetTypeWebhook, false).GetId()
 				request.Id = targetID
 			},
 			args: args{
@@ -344,7 +344,7 @@ func TestServer_UpdateTarget(t *testing.T) {
 		{
 			name: "change type, ok",
 			prepare: func(request *action.UpdateTargetRequest) {
-				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", domain.TargetTypeWebhook, false).GetId()
+				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", target_domain.TargetTypeWebhook, false).GetId()
 				request.Id = targetID
 			},
 			args: args{
@@ -366,7 +366,7 @@ func TestServer_UpdateTarget(t *testing.T) {
 		{
 			name: "change url, ok",
 			prepare: func(request *action.UpdateTargetRequest) {
-				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", domain.TargetTypeWebhook, false).GetId()
+				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", target_domain.TargetTypeWebhook, false).GetId()
 				request.Id = targetID
 			},
 			args: args{
@@ -384,7 +384,7 @@ func TestServer_UpdateTarget(t *testing.T) {
 		{
 			name: "change timeout, ok",
 			prepare: func(request *action.UpdateTargetRequest) {
-				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", domain.TargetTypeWebhook, false).GetId()
+				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", target_domain.TargetTypeWebhook, false).GetId()
 				request.Id = targetID
 			},
 			args: args{
@@ -402,7 +402,7 @@ func TestServer_UpdateTarget(t *testing.T) {
 		{
 			name: "change type async, ok",
 			prepare: func(request *action.UpdateTargetRequest) {
-				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", domain.TargetTypeAsync, false).GetId()
+				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", target_domain.TargetTypeAsync, false).GetId()
 				request.Id = targetID
 			},
 			args: args{
@@ -498,7 +498,7 @@ func TestServer_DeleteTarget(t *testing.T) {
 			ctx:  iamOwnerCtx,
 			prepare: func(request *action.DeleteTargetRequest) (time.Time, time.Time) {
 				creationDate := time.Now().UTC()
-				targetID := instance.CreateTarget(iamOwnerCtx, t, "", "https://example.com", domain.TargetTypeWebhook, false).GetId()
+				targetID := instance.CreateTarget(iamOwnerCtx, t, "", "https://example.com", target_domain.TargetTypeWebhook, false).GetId()
 				request.Id = targetID
 				return creationDate, time.Time{}
 			},
@@ -510,7 +510,7 @@ func TestServer_DeleteTarget(t *testing.T) {
 			ctx:  iamOwnerCtx,
 			prepare: func(request *action.DeleteTargetRequest) (time.Time, time.Time) {
 				creationDate := time.Now().UTC()
-				targetID := instance.CreateTarget(iamOwnerCtx, t, "", "https://example.com", domain.TargetTypeWebhook, false).GetId()
+				targetID := instance.CreateTarget(iamOwnerCtx, t, "", "https://example.com", target_domain.TargetTypeWebhook, false).GetId()
 				request.Id = targetID
 				instance.DeleteTarget(iamOwnerCtx, t, targetID)
 				return creationDate, time.Now().UTC()

internal/api/grpc/action/v2/query.go

@@ -11,6 +11,7 @@ import (
 	"github.com/zitadel/zitadel/internal/api/grpc/filter/v2"
 	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/domain"
+	target_domain "github.com/zitadel/zitadel/internal/execution/target"
 	"github.com/zitadel/zitadel/internal/query"
 	"github.com/zitadel/zitadel/internal/zerrors"
 	"github.com/zitadel/zitadel/pkg/grpc/action/v2"
@@ -89,11 +90,11 @@ func targetToPb(t *query.Target) *action.Target {
 		SigningKey: t.SigningKey,
 	}
 	switch t.TargetType {
-	case domain.TargetTypeWebhook:
+	case target_domain.TargetTypeWebhook:
 		target.TargetType = &action.Target_RestWebhook{RestWebhook: &action.RESTWebhook{InterruptOnError: t.InterruptOnError}}
-	case domain.TargetTypeCall:
+	case target_domain.TargetTypeCall:
 		target.TargetType = &action.Target_RestCall{RestCall: &action.RESTCall{InterruptOnError: t.InterruptOnError}}
-	case domain.TargetTypeAsync:
+	case target_domain.TargetTypeAsync:
 		target.TargetType = &action.Target_RestAsync{RestAsync: &action.RESTAsync{}}
 	default:
 		target.TargetType = nil

internal/api/grpc/action/v2/target.go

@@ -9,8 +9,8 @@ import (
 
 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/command"
-	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
+	target_domain "github.com/zitadel/zitadel/internal/execution/target"
 	"github.com/zitadel/zitadel/pkg/grpc/action/v2"
 )
 
@@ -66,18 +66,18 @@ func (s *Server) DeleteTarget(ctx context.Context, req *connect.Request[action.D
 
 func createTargetToCommand(req *action.CreateTargetRequest) *command.AddTarget {
 	var (
-		targetType       domain.TargetType
+		targetType       target_domain.TargetType
 		interruptOnError bool
 	)
 	switch t := req.GetTargetType().(type) {
 	case *action.CreateTargetRequest_RestWebhook:
-		targetType = domain.TargetTypeWebhook
+		targetType = target_domain.TargetTypeWebhook
 		interruptOnError = t.RestWebhook.InterruptOnError
 	case *action.CreateTargetRequest_RestCall:
-		targetType = domain.TargetTypeCall
+		targetType = target_domain.TargetTypeCall
 		interruptOnError = t.RestCall.InterruptOnError
 	case *action.CreateTargetRequest_RestAsync:
-		targetType = domain.TargetTypeAsync
+		targetType = target_domain.TargetTypeAsync
 	}
 	return &command.AddTarget{
 		Name:             req.GetName(),
@@ -106,13 +106,13 @@ func updateTargetToCommand(req *action.UpdateTargetRequest) *command.ChangeTarge
 	if req.TargetType != nil {
 		switch t := req.GetTargetType().(type) {
 		case *action.UpdateTargetRequest_RestWebhook:
-			target.TargetType = gu.Ptr(domain.TargetTypeWebhook)
+			target.TargetType = gu.Ptr(target_domain.TargetTypeWebhook)
 			target.InterruptOnError = gu.Ptr(t.RestWebhook.InterruptOnError)
 		case *action.UpdateTargetRequest_RestCall:
-			target.TargetType = gu.Ptr(domain.TargetTypeCall)
+			target.TargetType = gu.Ptr(target_domain.TargetTypeCall)
 			target.InterruptOnError = gu.Ptr(t.RestCall.InterruptOnError)
 		case *action.UpdateTargetRequest_RestAsync:
-			target.TargetType = gu.Ptr(domain.TargetTypeAsync)
+			target.TargetType = gu.Ptr(target_domain.TargetTypeAsync)
 			target.InterruptOnError = gu.Ptr(false)
 		}
 	}

internal/api/grpc/action/v2/target_test.go

@@ -9,7 +9,7 @@ import (
 	"google.golang.org/protobuf/types/known/durationpb"
 
 	"github.com/zitadel/zitadel/internal/command"
-	"github.com/zitadel/zitadel/internal/domain"
+	target_domain "github.com/zitadel/zitadel/internal/execution/target"
 	"github.com/zitadel/zitadel/pkg/grpc/action/v2"
 )
 
@@ -44,7 +44,7 @@ func Test_createTargetToCommand(t *testing.T) {
 			}},
 			want: &command.AddTarget{
 				Name:             "target 1",
-				TargetType:       domain.TargetTypeWebhook,
+				TargetType:       target_domain.TargetTypeWebhook,
 				Endpoint:         "https://example.com/hooks/1",
 				Timeout:          10 * time.Second,
 				InterruptOnError: false,
@@ -62,7 +62,7 @@ func Test_createTargetToCommand(t *testing.T) {
 			}},
 			want: &command.AddTarget{
 				Name:             "target 1",
-				TargetType:       domain.TargetTypeAsync,
+				TargetType:       target_domain.TargetTypeAsync,
 				Endpoint:         "https://example.com/hooks/1",
 				Timeout:          10 * time.Second,
 				InterruptOnError: false,
@@ -82,7 +82,7 @@ func Test_createTargetToCommand(t *testing.T) {
 			}},
 			want: &command.AddTarget{
 				Name:             "target 1",
-				TargetType:       domain.TargetTypeCall,
+				TargetType:       target_domain.TargetTypeCall,
 				Endpoint:         "https://example.com/hooks/1",
 				Timeout:          10 * time.Second,
 				InterruptOnError: true,
@@ -155,7 +155,7 @@ func Test_updateTargetToCommand(t *testing.T) {
 			}},
 			want: &command.ChangeTarget{
 				Name:             gu.Ptr("target 1"),
-				TargetType:       gu.Ptr(domain.TargetTypeWebhook),
+				TargetType:       gu.Ptr(target_domain.TargetTypeWebhook),
 				Endpoint:         gu.Ptr("https://example.com/hooks/1"),
 				Timeout:          gu.Ptr(10 * time.Second),
 				InterruptOnError: gu.Ptr(false),
@@ -175,7 +175,7 @@ func Test_updateTargetToCommand(t *testing.T) {
 			}},
 			want: &command.ChangeTarget{
 				Name:             gu.Ptr("target 1"),
-				TargetType:       gu.Ptr(domain.TargetTypeWebhook),
+				TargetType:       gu.Ptr(target_domain.TargetTypeWebhook),
 				Endpoint:         gu.Ptr("https://example.com/hooks/1"),
 				Timeout:          gu.Ptr(10 * time.Second),
 				InterruptOnError: gu.Ptr(true),
@@ -193,7 +193,7 @@ func Test_updateTargetToCommand(t *testing.T) {
 			}},
 			want: &command.ChangeTarget{
 				Name:             gu.Ptr("target 1"),
-				TargetType:       gu.Ptr(domain.TargetTypeAsync),
+				TargetType:       gu.Ptr(target_domain.TargetTypeAsync),
 				Endpoint:         gu.Ptr("https://example.com/hooks/1"),
 				Timeout:          gu.Ptr(10 * time.Second),
 				InterruptOnError: gu.Ptr(false),
@@ -213,7 +213,7 @@ func Test_updateTargetToCommand(t *testing.T) {
 			}},
 			want: &command.ChangeTarget{
 				Name:             gu.Ptr("target 1"),
-				TargetType:       gu.Ptr(domain.TargetTypeCall),
+				TargetType:       gu.Ptr(target_domain.TargetTypeCall),
 				Endpoint:         gu.Ptr("https://example.com/hooks/1"),
 				Timeout:          gu.Ptr(10 * time.Second),
 				InterruptOnError: gu.Ptr(true),

internal/api/grpc/action/v2beta/integration_test/execution_target_test.go

@@ -26,6 +26,7 @@ import (
 	oidc_api "github.com/zitadel/zitadel/internal/api/oidc"
 	saml_api "github.com/zitadel/zitadel/internal/api/saml"
 	"github.com/zitadel/zitadel/internal/domain"
+	target_domain "github.com/zitadel/zitadel/internal/execution/target"
 	"github.com/zitadel/zitadel/internal/integration"
 	"github.com/zitadel/zitadel/internal/query"
 	action "github.com/zitadel/zitadel/pkg/grpc/action/v2beta"
@@ -73,7 +74,7 @@ func TestServer_ExecutionTarget(t *testing.T) {
 				targetCreatedName := gofakeit.Name()
 				targetCreatedURL := "https://nonexistent"
 
-				targetCreated := instance.CreateTarget(ctx, t, targetCreatedName, targetCreatedURL, domain.TargetTypeCall, false)
+				targetCreated := instance.CreateTarget(ctx, t, targetCreatedName, targetCreatedURL, target_domain.TargetTypeCall, false)
 
 				// request received by target
 				wantRequest := &middleware.ContextInfoRequest{FullMethod: fullMethod, InstanceID: instance.ID(), OrgID: orgID, ProjectID: projectID, UserID: userID, Request: middleware.Message{Message: request}}
@@ -81,7 +82,7 @@ func TestServer_ExecutionTarget(t *testing.T) {
 				// replace original request with different targetID
 				urlRequest, closeRequest, calledRequest, _ := integration.TestServerCallProto(wantRequest, 0, http.StatusOK, changedRequest)
 
-				targetRequest := waitForTarget(ctx, t, instance, urlRequest, domain.TargetTypeCall, false)
+				targetRequest := waitForTarget(ctx, t, instance, urlRequest, target_domain.TargetTypeCall, false)
 
 				waitForExecutionOnCondition(ctx, t, instance, conditionRequestFullMethod(fullMethod), []string{targetRequest.GetId()})
 
@@ -148,7 +149,7 @@ func TestServer_ExecutionTarget(t *testing.T) {
 				// after request with different targetID, return changed response
 				targetResponseURL, closeResponse, calledResponse, _ := integration.TestServerCallProto(wantResponse, 0, http.StatusOK, changedResponse)
 
-				targetResponse := waitForTarget(ctx, t, instance, targetResponseURL, domain.TargetTypeCall, false)
+				targetResponse := waitForTarget(ctx, t, instance, targetResponseURL, target_domain.TargetTypeCall, false)
 				waitForExecutionOnCondition(ctx, t, instance, conditionResponseFullMethod(fullMethod), []string{targetResponse.GetId()})
 				return func() {
 						closeRequest()
@@ -186,7 +187,7 @@ func TestServer_ExecutionTarget(t *testing.T) {
 				wantRequest := &middleware.ContextInfoRequest{FullMethod: fullMethod, InstanceID: instance.ID(), OrgID: orgID, ProjectID: projectID, UserID: userID, Request: middleware.Message{Message: request}}
 				urlRequest, closeRequest, calledRequest, _ := integration.TestServerCallProto(wantRequest, 0, http.StatusInternalServerError, nil)
 
-				targetRequest := waitForTarget(ctx, t, instance, urlRequest, domain.TargetTypeCall, true)
+				targetRequest := waitForTarget(ctx, t, instance, urlRequest, target_domain.TargetTypeCall, true)
 				waitForExecutionOnCondition(ctx, t, instance, conditionRequestFullMethod(fullMethod), []string{targetRequest.GetId()})
 				// GetTarget with used target
 				request.Id = targetRequest.GetId()
@@ -214,7 +215,7 @@ func TestServer_ExecutionTarget(t *testing.T) {
 				targetCreatedName := gofakeit.Name()
 				targetCreatedURL := "https://nonexistent"
 
-				targetCreated := instance.CreateTarget(ctx, t, targetCreatedName, targetCreatedURL, domain.TargetTypeCall, false)
+				targetCreated := instance.CreateTarget(ctx, t, targetCreatedName, targetCreatedURL, target_domain.TargetTypeCall, false)
 
 				// GetTarget with used target
 				request.Id = targetCreated.GetId()
@@ -250,7 +251,7 @@ func TestServer_ExecutionTarget(t *testing.T) {
 				// after request with different targetID, return changed response
 				targetResponseURL, closeResponse, calledResponse, _ := integration.TestServerCallProto(wantResponse, 0, http.StatusInternalServerError, nil)
 
-				targetResponse := waitForTarget(ctx, t, instance, targetResponseURL, domain.TargetTypeCall, true)
+				targetResponse := waitForTarget(ctx, t, instance, targetResponseURL, target_domain.TargetTypeCall, true)
 				waitForExecutionOnCondition(ctx, t, instance, conditionResponseFullMethod(fullMethod), []string{targetResponse.GetId()})
 				return func() {
 						closeResponse()
@@ -305,7 +306,7 @@ func TestServer_ExecutionTarget_Event(t *testing.T) {
 	urlRequest, closeF, calledF, resetF := integration.TestServerCall(nil, 0, http.StatusOK, nil)
 	defer closeF()
 
-	targetResponse := waitForTarget(isolatedIAMOwnerCTX, t, instance, urlRequest, domain.TargetTypeWebhook, true)
+	targetResponse := waitForTarget(isolatedIAMOwnerCTX, t, instance, urlRequest, target_domain.TargetTypeWebhook, true)
 	waitForExecutionOnCondition(isolatedIAMOwnerCTX, t, instance, conditionEvent(event), []string{targetResponse.GetId()})
 
 	tests := []struct {
@@ -363,7 +364,7 @@ func TestServer_ExecutionTarget_Event_LongerThanTargetTimeout(t *testing.T) {
 	urlRequest, closeF, calledF, resetF := integration.TestServerCall(nil, 5*time.Second, http.StatusOK, nil)
 	defer closeF()
 
-	targetResponse := waitForTarget(isolatedIAMOwnerCTX, t, instance, urlRequest, domain.TargetTypeWebhook, true)
+	targetResponse := waitForTarget(isolatedIAMOwnerCTX, t, instance, urlRequest, target_domain.TargetTypeWebhook, true)
 	waitForExecutionOnCondition(isolatedIAMOwnerCTX, t, instance, conditionEvent(event), []string{targetResponse.GetId()})
 
 	tests := []struct {
@@ -414,7 +415,7 @@ func TestServer_ExecutionTarget_Event_LongerThanTransactionTimeout(t *testing.T)
 	urlRequest, closeF, calledF, resetF := integration.TestServerCall(nil, 1*time.Second, http.StatusOK, nil)
 	defer closeF()
 
-	targetResponse := waitForTarget(isolatedIAMOwnerCTX, t, instance, urlRequest, domain.TargetTypeWebhook, true)
+	targetResponse := waitForTarget(isolatedIAMOwnerCTX, t, instance, urlRequest, target_domain.TargetTypeWebhook, true)
 	waitForExecutionOnCondition(isolatedIAMOwnerCTX, t, instance, conditionEvent(event), []string{targetResponse.GetId()})
 
 	tests := []struct {
@@ -506,7 +507,7 @@ func setExecution(ctx context.Context, t *testing.T, instance *integration.Insta
 	return target
 }
 
-func waitForTarget(ctx context.Context, t *testing.T, instance *integration.Instance, endpoint string, ty domain.TargetType, interrupt bool) *action.CreateTargetResponse {
+func waitForTarget(ctx context.Context, t *testing.T, instance *integration.Instance, endpoint string, ty target_domain.TargetType, interrupt bool) *action.CreateTargetResponse {
 	resp := createTarget(ctx, t, instance, "", endpoint, ty, interrupt)
 
 	retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, time.Minute)
@@ -527,14 +528,14 @@ func waitForTarget(ctx context.Context, t *testing.T, instance *integration.Inst
 		config := got.GetTargets()[0]
 		assert.Equal(ttt, config.GetEndpoint(), endpoint)
 		switch ty {
-		case domain.TargetTypeWebhook:
+		case target_domain.TargetTypeWebhook:
 			if !assert.NotNil(ttt, config.GetRestWebhook()) {
 				return
 			}
 			assert.Equal(ttt, interrupt, config.GetRestWebhook().GetInterruptOnError())
-		case domain.TargetTypeAsync:
+		case target_domain.TargetTypeAsync:
 			assert.NotNil(ttt, config.GetRestAsync())
-		case domain.TargetTypeCall:
+		case target_domain.TargetTypeCall:
 			if !assert.NotNil(ttt, config.GetRestCall()) {
 				return
 			}
@@ -544,7 +545,7 @@ func waitForTarget(ctx context.Context, t *testing.T, instance *integration.Inst
 	return resp
 }
 
-func createTarget(ctx context.Context, t *testing.T, instance *integration.Instance, name, endpoint string, ty domain.TargetType, interrupt bool) *action.CreateTargetResponse {
+func createTarget(ctx context.Context, t *testing.T, instance *integration.Instance, name, endpoint string, ty target_domain.TargetType, interrupt bool) *action.CreateTargetResponse {
 	if name == "" {
 		name = gofakeit.Name()
 	}
@@ -554,19 +555,19 @@ func createTarget(ctx context.Context, t *testing.T, instance *integration.Insta
 		Timeout:  durationpb.New(5 * time.Second),
 	}
 	switch ty {
-	case domain.TargetTypeWebhook:
+	case target_domain.TargetTypeWebhook:
 		req.TargetType = &action.CreateTargetRequest_RestWebhook{
 			RestWebhook: &action.RESTWebhook{
 				InterruptOnError: interrupt,
 			},
 		}
-	case domain.TargetTypeCall:
+	case target_domain.TargetTypeCall:
 		req.TargetType = &action.CreateTargetRequest_RestCall{
 			RestCall: &action.RESTCall{
 				InterruptOnError: interrupt,
 			},
 		}
-	case domain.TargetTypeAsync:
+	case target_domain.TargetTypeAsync:
 		req.TargetType = &action.CreateTargetRequest_RestAsync{
 			RestAsync: &action.RESTAsync{},
 		}
@@ -818,7 +819,7 @@ func expectPreUserinfoExecution(ctx context.Context, t *testing.T, instance *int
 
 	targetURL, closeF, _, _ := integration.TestServerCall(expectedContextInfo, 0, http.StatusOK, response)
 
-	targetResp := waitForTarget(ctx, t, instance, targetURL, domain.TargetTypeCall, true)
+	targetResp := waitForTarget(ctx, t, instance, targetURL, target_domain.TargetTypeCall, true)
 	waitForExecutionOnCondition(ctx, t, instance, conditionFunction("preuserinfo"), []string{targetResp.GetId()})
 	return userResp.GetUserId(), closeF
 }
@@ -1126,7 +1127,7 @@ func expectPreAccessTokenExecution(ctx context.Context, t *testing.T, instance *
 
 	targetURL, closeF, _, _ := integration.TestServerCall(expectedContextInfo, 0, http.StatusOK, response)
 
-	targetResp := waitForTarget(ctx, t, instance, targetURL, domain.TargetTypeCall, true)
+	targetResp := waitForTarget(ctx, t, instance, targetURL, target_domain.TargetTypeCall, true)
 	waitForExecutionOnCondition(ctx, t, instance, conditionFunction("preaccesstoken"), []string{targetResp.GetId()})
 	return userResp.GetUserId(), closeF
 }
@@ -1291,7 +1292,7 @@ func expectPreSAMLResponseExecution(ctx context.Context, t *testing.T, instance
 
 	targetURL, closeF, _, _ := integration.TestServerCall(expectedContextInfo, 0, http.StatusOK, response)
 
-	targetResp := waitForTarget(ctx, t, instance, targetURL, domain.TargetTypeCall, true)
+	targetResp := waitForTarget(ctx, t, instance, targetURL, target_domain.TargetTypeCall, true)
 	waitForExecutionOnCondition(ctx, t, instance, conditionFunction("presamlresponse"), []string{targetResp.GetId()})
 
 	return userResp.GetUserId(), closeF

internal/api/grpc/action/v2beta/integration_test/execution_test.go

@@ -10,7 +10,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/zitadel/zitadel/internal/domain"
+	target_domain "github.com/zitadel/zitadel/internal/execution/target"
 	"github.com/zitadel/zitadel/internal/integration"
 	action "github.com/zitadel/zitadel/pkg/grpc/action/v2beta"
 )
@@ -18,7 +18,7 @@ import (
 func TestServer_SetExecution_Request(t *testing.T) {
 	instance := integration.NewInstance(CTX)
 	isolatedIAMOwnerCTX := instance.WithAuthorizationToken(CTX, integration.UserTypeIAMOwner)
-	targetResp := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://notexisting", domain.TargetTypeWebhook, false)
+	targetResp := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://notexisting", target_domain.TargetTypeWebhook, false)
 
 	tests := []struct {
 		name        string
@@ -175,7 +175,7 @@ func assertSetExecutionResponse(t *testing.T, creationDate, setDate time.Time, e
 func TestServer_SetExecution_Response(t *testing.T) {
 	instance := integration.NewInstance(CTX)
 	isolatedIAMOwnerCTX := instance.WithAuthorizationToken(CTX, integration.UserTypeIAMOwner)
-	targetResp := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://notexisting", domain.TargetTypeWebhook, false)
+	targetResp := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://notexisting", target_domain.TargetTypeWebhook, false)
 
 	tests := []struct {
 		name        string
@@ -319,7 +319,7 @@ func TestServer_SetExecution_Response(t *testing.T) {
 func TestServer_SetExecution_Event(t *testing.T) {
 	instance := integration.NewInstance(CTX)
 	isolatedIAMOwnerCTX := instance.WithAuthorizationToken(CTX, integration.UserTypeIAMOwner)
-	targetResp := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://notexisting", domain.TargetTypeWebhook, false)
+	targetResp := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://notexisting", target_domain.TargetTypeWebhook, false)
 
 	tests := []struct {
 		name        string
@@ -482,7 +482,7 @@ func TestServer_SetExecution_Event(t *testing.T) {
 func TestServer_SetExecution_Function(t *testing.T) {
 	instance := integration.NewInstance(CTX)
 	isolatedIAMOwnerCTX := instance.WithAuthorizationToken(CTX, integration.UserTypeIAMOwner)
-	targetResp := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://notexisting", domain.TargetTypeWebhook, false)
+	targetResp := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://notexisting", target_domain.TargetTypeWebhook, false)
 
 	tests := []struct {
 		name        string

internal/api/grpc/action/v2beta/integration_test/query_test.go

@@ -13,7 +13,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"google.golang.org/protobuf/types/known/durationpb"
 
-	"github.com/zitadel/zitadel/internal/domain"
+	target_domain "github.com/zitadel/zitadel/internal/execution/target"
 	"github.com/zitadel/zitadel/internal/integration"
 	action "github.com/zitadel/zitadel/pkg/grpc/action/v2beta"
 	filter "github.com/zitadel/zitadel/pkg/grpc/filter/v2beta"
@@ -55,7 +55,7 @@ func TestServer_GetTarget(t *testing.T) {
 				ctx: isolatedIAMOwnerCTX,
 				dep: func(ctx context.Context, request *action.GetTargetRequest, response *action.GetTargetResponse) error {
 					name := gofakeit.Name()
-					resp := instance.CreateTarget(ctx, t, name, "https://example.com", domain.TargetTypeWebhook, false)
+					resp := instance.CreateTarget(ctx, t, name, "https://example.com", target_domain.TargetTypeWebhook, false)
 					request.Id = resp.GetId()
 					response.Target.Id = resp.GetId()
 					response.Target.Name = name
@@ -82,7 +82,7 @@ func TestServer_GetTarget(t *testing.T) {
 				ctx: isolatedIAMOwnerCTX,
 				dep: func(ctx context.Context, request *action.GetTargetRequest, response *action.GetTargetResponse) error {
 					name := gofakeit.Name()
-					resp := instance.CreateTarget(ctx, t, name, "https://example.com", domain.TargetTypeAsync, false)
+					resp := instance.CreateTarget(ctx, t, name, "https://example.com", target_domain.TargetTypeAsync, false)
 					request.Id = resp.GetId()
 					response.Target.Id = resp.GetId()
 					response.Target.Name = name
@@ -109,7 +109,7 @@ func TestServer_GetTarget(t *testing.T) {
 				ctx: isolatedIAMOwnerCTX,
 				dep: func(ctx context.Context, request *action.GetTargetRequest, response *action.GetTargetResponse) error {
 					name := gofakeit.Name()
-					resp := instance.CreateTarget(ctx, t, name, "https://example.com", domain.TargetTypeWebhook, true)
+					resp := instance.CreateTarget(ctx, t, name, "https://example.com", target_domain.TargetTypeWebhook, true)
 					request.Id = resp.GetId()
 					response.Target.Id = resp.GetId()
 					response.Target.Name = name
@@ -138,7 +138,7 @@ func TestServer_GetTarget(t *testing.T) {
 				ctx: isolatedIAMOwnerCTX,
 				dep: func(ctx context.Context, request *action.GetTargetRequest, response *action.GetTargetResponse) error {
 					name := gofakeit.Name()
-					resp := instance.CreateTarget(ctx, t, name, "https://example.com", domain.TargetTypeCall, false)
+					resp := instance.CreateTarget(ctx, t, name, "https://example.com", target_domain.TargetTypeCall, false)
 					request.Id = resp.GetId()
 					response.Target.Id = resp.GetId()
 					response.Target.Name = name
@@ -167,7 +167,7 @@ func TestServer_GetTarget(t *testing.T) {
 				ctx: isolatedIAMOwnerCTX,
 				dep: func(ctx context.Context, request *action.GetTargetRequest, response *action.GetTargetResponse) error {
 					name := gofakeit.Name()
-					resp := instance.CreateTarget(ctx, t, name, "https://example.com", domain.TargetTypeCall, true)
+					resp := instance.CreateTarget(ctx, t, name, "https://example.com", target_domain.TargetTypeCall, true)
 					request.Id = resp.GetId()
 					response.Target.Id = resp.GetId()
 					response.Target.Name = name
@@ -262,7 +262,7 @@ func TestServer_ListTargets(t *testing.T) {
 				ctx: isolatedIAMOwnerCTX,
 				dep: func(ctx context.Context, request *action.ListTargetsRequest, response *action.ListTargetsResponse) {
 					name := gofakeit.Name()
-					resp := instance.CreateTarget(ctx, t, name, "https://example.com", domain.TargetTypeWebhook, false)
+					resp := instance.CreateTarget(ctx, t, name, "https://example.com", target_domain.TargetTypeWebhook, false)
 					request.Filters[0].Filter = &action.TargetSearchFilter_InTargetIdsFilter{
 						InTargetIdsFilter: &action.InTargetIDsFilter{
 							TargetIds: []string{resp.GetId()},
@@ -302,7 +302,7 @@ func TestServer_ListTargets(t *testing.T) {
 				ctx: isolatedIAMOwnerCTX,
 				dep: func(ctx context.Context, request *action.ListTargetsRequest, response *action.ListTargetsResponse) {
 					name := gofakeit.Name()
-					resp := instance.CreateTarget(ctx, t, name, "https://example.com", domain.TargetTypeWebhook, false)
+					resp := instance.CreateTarget(ctx, t, name, "https://example.com", target_domain.TargetTypeWebhook, false)
 					request.Filters[0].Filter = &action.TargetSearchFilter_TargetNameFilter{
 						TargetNameFilter: &action.TargetNameFilter{
 							TargetName: name,
@@ -345,9 +345,9 @@ func TestServer_ListTargets(t *testing.T) {
 					name1 := gofakeit.Name()
 					name2 := gofakeit.Name()
 					name3 := gofakeit.Name()
-					resp1 := instance.CreateTarget(ctx, t, name1, "https://example.com", domain.TargetTypeWebhook, false)
-					resp2 := instance.CreateTarget(ctx, t, name2, "https://example.com", domain.TargetTypeCall, true)
-					resp3 := instance.CreateTarget(ctx, t, name3, "https://example.com", domain.TargetTypeAsync, false)
+					resp1 := instance.CreateTarget(ctx, t, name1, "https://example.com", target_domain.TargetTypeWebhook, false)
+					resp2 := instance.CreateTarget(ctx, t, name2, "https://example.com", target_domain.TargetTypeCall, true)
+					resp3 := instance.CreateTarget(ctx, t, name3, "https://example.com", target_domain.TargetTypeAsync, false)
 					request.Filters[0].Filter = &action.TargetSearchFilter_InTargetIdsFilter{
 						InTargetIdsFilter: &action.InTargetIDsFilter{
 							TargetIds: []string{resp1.GetId(), resp2.GetId(), resp3.GetId()},
@@ -446,7 +446,7 @@ func assertPaginationResponse(t *assert.CollectT, expected *filter.PaginationRes
 func TestServer_ListExecutions(t *testing.T) {
 	instance := integration.NewInstance(CTX)
 	isolatedIAMOwnerCTX := instance.WithAuthorizationToken(CTX, integration.UserTypeIAMOwner)
-	targetResp := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", domain.TargetTypeWebhook, false)
+	targetResp := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", target_domain.TargetTypeWebhook, false)
 
 	type args struct {
 		ctx context.Context
@@ -524,7 +524,7 @@ func TestServer_ListExecutions(t *testing.T) {
 			args: args{
 				ctx: isolatedIAMOwnerCTX,
 				dep: func(ctx context.Context, request *action.ListExecutionsRequest, response *action.ListExecutionsResponse) {
-					target := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", domain.TargetTypeWebhook, false)
+					target := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", target_domain.TargetTypeWebhook, false)
 					// add target as Filter to the request
 					request.Filters[0] = &action.ExecutionSearchFilter{
 						Filter: &action.ExecutionSearchFilter_TargetFilter{

internal/api/grpc/action/v2beta/integration_test/target_test.go

@@ -12,7 +12,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"google.golang.org/protobuf/types/known/durationpb"
 
-	"github.com/zitadel/zitadel/internal/domain"
+	target_domain "github.com/zitadel/zitadel/internal/execution/target"
 	"github.com/zitadel/zitadel/internal/integration"
 	action "github.com/zitadel/zitadel/pkg/grpc/action/v2beta"
 )
@@ -26,7 +26,7 @@ func TestServer_CreateTarget(t *testing.T) {
 		signingKey   bool
 	}
 	alreadyExistingTargetName := gofakeit.AppName()
-	instance.CreateTarget(isolatedIAMOwnerCTX, t, alreadyExistingTargetName, "https://example.com", domain.TargetTypeAsync, false)
+	instance.CreateTarget(isolatedIAMOwnerCTX, t, alreadyExistingTargetName, "https://example.com", target_domain.TargetTypeAsync, false)
 	tests := []struct {
 		name string
 		ctx  context.Context
@@ -263,7 +263,7 @@ func TestServer_UpdateTarget(t *testing.T) {
 		{
 			name: "missing permission",
 			prepare: func(request *action.UpdateTargetRequest) {
-				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", domain.TargetTypeWebhook, false).GetId()
+				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", target_domain.TargetTypeWebhook, false).GetId()
 				request.Id = targetID
 			},
 			args: args{
@@ -290,7 +290,7 @@ func TestServer_UpdateTarget(t *testing.T) {
 		{
 			name: "no change, ok",
 			prepare: func(request *action.UpdateTargetRequest) {
-				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", domain.TargetTypeWebhook, false).GetId()
+				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", target_domain.TargetTypeWebhook, false).GetId()
 				request.Id = targetID
 			},
 			args: args{
@@ -308,7 +308,7 @@ func TestServer_UpdateTarget(t *testing.T) {
 		{
 			name: "change name, ok",
 			prepare: func(request *action.UpdateTargetRequest) {
-				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", domain.TargetTypeWebhook, false).GetId()
+				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", target_domain.TargetTypeWebhook, false).GetId()
 				request.Id = targetID
 			},
 			args: args{
@@ -326,7 +326,7 @@ func TestServer_UpdateTarget(t *testing.T) {
 		{
 			name: "regenerate signingkey, ok",
 			prepare: func(request *action.UpdateTargetRequest) {
-				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", domain.TargetTypeWebhook, false).GetId()
+				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", target_domain.TargetTypeWebhook, false).GetId()
 				request.Id = targetID
 			},
 			args: args{
@@ -344,7 +344,7 @@ func TestServer_UpdateTarget(t *testing.T) {
 		{
 			name: "change type, ok",
 			prepare: func(request *action.UpdateTargetRequest) {
-				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", domain.TargetTypeWebhook, false).GetId()
+				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", target_domain.TargetTypeWebhook, false).GetId()
 				request.Id = targetID
 			},
 			args: args{
@@ -366,7 +366,7 @@ func TestServer_UpdateTarget(t *testing.T) {
 		{
 			name: "change url, ok",
 			prepare: func(request *action.UpdateTargetRequest) {
-				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", domain.TargetTypeWebhook, false).GetId()
+				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", target_domain.TargetTypeWebhook, false).GetId()
 				request.Id = targetID
 			},
 			args: args{
@@ -384,7 +384,7 @@ func TestServer_UpdateTarget(t *testing.T) {
 		{
 			name: "change timeout, ok",
 			prepare: func(request *action.UpdateTargetRequest) {
-				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", domain.TargetTypeWebhook, false).GetId()
+				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", target_domain.TargetTypeWebhook, false).GetId()
 				request.Id = targetID
 			},
 			args: args{
@@ -402,7 +402,7 @@ func TestServer_UpdateTarget(t *testing.T) {
 		{
 			name: "change type async, ok",
 			prepare: func(request *action.UpdateTargetRequest) {
-				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", domain.TargetTypeAsync, false).GetId()
+				targetID := instance.CreateTarget(isolatedIAMOwnerCTX, t, "", "https://example.com", target_domain.TargetTypeAsync, false).GetId()
 				request.Id = targetID
 			},
 			args: args{
@@ -498,7 +498,7 @@ func TestServer_DeleteTarget(t *testing.T) {
 			ctx:  iamOwnerCtx,
 			prepare: func(request *action.DeleteTargetRequest) (time.Time, time.Time) {
 				creationDate := time.Now().UTC()
-				targetID := instance.CreateTarget(iamOwnerCtx, t, "", "https://example.com", domain.TargetTypeWebhook, false).GetId()
+				targetID := instance.CreateTarget(iamOwnerCtx, t, "", "https://example.com", target_domain.TargetTypeWebhook, false).GetId()
 				request.Id = targetID
 				return creationDate, time.Time{}
 			},
@@ -510,7 +510,7 @@ func TestServer_DeleteTarget(t *testing.T) {
 			ctx:  iamOwnerCtx,
 			prepare: func(request *action.DeleteTargetRequest) (time.Time, time.Time) {
 				creationDate := time.Now().UTC()
-				targetID := instance.CreateTarget(iamOwnerCtx, t, "", "https://example.com", domain.TargetTypeWebhook, false).GetId()
+				targetID := instance.CreateTarget(iamOwnerCtx, t, "", "https://example.com", target_domain.TargetTypeWebhook, false).GetId()
 				request.Id = targetID
 				instance.DeleteTarget(iamOwnerCtx, t, targetID)
 				return creationDate, time.Now().UTC()

internal/api/grpc/action/v2beta/query.go

@@ -11,6 +11,7 @@ import (
 	filter "github.com/zitadel/zitadel/internal/api/grpc/filter/v2beta"
 	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/domain"
+	target_domain "github.com/zitadel/zitadel/internal/execution/target"
 	"github.com/zitadel/zitadel/internal/query"
 	"github.com/zitadel/zitadel/internal/zerrors"
 	action "github.com/zitadel/zitadel/pkg/grpc/action/v2beta"
@@ -89,11 +90,11 @@ func targetToPb(t *query.Target) *action.Target {
 		SigningKey: t.SigningKey,
 	}
 	switch t.TargetType {
-	case domain.TargetTypeWebhook:
+	case target_domain.TargetTypeWebhook:
 		target.TargetType = &action.Target_RestWebhook{RestWebhook: &action.RESTWebhook{InterruptOnError: t.InterruptOnError}}
-	case domain.TargetTypeCall:
+	case target_domain.TargetTypeCall:
 		target.TargetType = &action.Target_RestCall{RestCall: &action.RESTCall{InterruptOnError: t.InterruptOnError}}
-	case domain.TargetTypeAsync:
+	case target_domain.TargetTypeAsync:
 		target.TargetType = &action.Target_RestAsync{RestAsync: &action.RESTAsync{}}
 	default:
 		target.TargetType = nil

internal/api/grpc/action/v2beta/target.go

@@ -9,8 +9,8 @@ import (
 
 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/command"
-	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
+	target_domain "github.com/zitadel/zitadel/internal/execution/target"
 	action "github.com/zitadel/zitadel/pkg/grpc/action/v2beta"
 )
 
@@ -66,18 +66,18 @@ func (s *Server) DeleteTarget(ctx context.Context, req *connect.Request[action.D
 
 func createTargetToCommand(req *action.CreateTargetRequest) *command.AddTarget {
 	var (
-		targetType       domain.TargetType
+		targetType       target_domain.TargetType
 		interruptOnError bool
 	)
 	switch t := req.GetTargetType().(type) {
 	case *action.CreateTargetRequest_RestWebhook:
-		targetType = domain.TargetTypeWebhook
+		targetType = target_domain.TargetTypeWebhook
 		interruptOnError = t.RestWebhook.InterruptOnError
 	case *action.CreateTargetRequest_RestCall:
-		targetType = domain.TargetTypeCall
+		targetType = target_domain.TargetTypeCall
 		interruptOnError = t.RestCall.InterruptOnError
 	case *action.CreateTargetRequest_RestAsync:
-		targetType = domain.TargetTypeAsync
+		targetType = target_domain.TargetTypeAsync
 	}
 	return &command.AddTarget{
 		Name:             req.GetName(),
@@ -109,13 +109,13 @@ func updateTargetToCommand(req *action.UpdateTargetRequest) *command.ChangeTarge
 	if req.TargetType != nil {
 		switch t := req.GetTargetType().(type) {
 		case *action.UpdateTargetRequest_RestWebhook:
-			target.TargetType = gu.Ptr(domain.TargetTypeWebhook)
+			target.TargetType = gu.Ptr(target_domain.TargetTypeWebhook)
 			target.InterruptOnError = gu.Ptr(t.RestWebhook.InterruptOnError)
 		case *action.UpdateTargetRequest_RestCall:
-			target.TargetType = gu.Ptr(domain.TargetTypeCall)
+			target.TargetType = gu.Ptr(target_domain.TargetTypeCall)
 			target.InterruptOnError = gu.Ptr(t.RestCall.InterruptOnError)
 		case *action.UpdateTargetRequest_RestAsync:
-			target.TargetType = gu.Ptr(domain.TargetTypeAsync)
+			target.TargetType = gu.Ptr(target_domain.TargetTypeAsync)
 			target.InterruptOnError = gu.Ptr(false)
 		}
 	}

internal/api/grpc/action/v2beta/target_test.go

@@ -9,7 +9,7 @@ import (
 	"google.golang.org/protobuf/types/known/durationpb"
 
 	"github.com/zitadel/zitadel/internal/command"
-	"github.com/zitadel/zitadel/internal/domain"
+	target_domain "github.com/zitadel/zitadel/internal/execution/target"
 	action "github.com/zitadel/zitadel/pkg/grpc/action/v2beta"
 )
 
@@ -44,7 +44,7 @@ func Test_createTargetToCommand(t *testing.T) {
 			}},
 			want: &command.AddTarget{
 				Name:             "target 1",
-				TargetType:       domain.TargetTypeWebhook,
+				TargetType:       target_domain.TargetTypeWebhook,
 				Endpoint:         "https://example.com/hooks/1",
 				Timeout:          10 * time.Second,
 				InterruptOnError: false,
@@ -62,7 +62,7 @@ func Test_createTargetToCommand(t *testing.T) {
 			}},
 			want: &command.AddTarget{
 				Name:             "target 1",
-				TargetType:       domain.TargetTypeAsync,
+				TargetType:       target_domain.TargetTypeAsync,
 				Endpoint:         "https://example.com/hooks/1",
 				Timeout:          10 * time.Second,
 				InterruptOnError: false,
@@ -82,7 +82,7 @@ func Test_createTargetToCommand(t *testing.T) {
 			}},
 			want: &command.AddTarget{
 				Name:             "target 1",
-				TargetType:       domain.TargetTypeCall,
+				TargetType:       target_domain.TargetTypeCall,
 				Endpoint:         "https://example.com/hooks/1",
 				Timeout:          10 * time.Second,
 				InterruptOnError: true,
@@ -155,7 +155,7 @@ func Test_updateTargetToCommand(t *testing.T) {
 			}},
 			want: &command.ChangeTarget{
 				Name:             gu.Ptr("target 1"),
-				TargetType:       gu.Ptr(domain.TargetTypeWebhook),
+				TargetType:       gu.Ptr(target_domain.TargetTypeWebhook),
 				Endpoint:         gu.Ptr("https://example.com/hooks/1"),
 				Timeout:          gu.Ptr(10 * time.Second),
 				InterruptOnError: gu.Ptr(false),
@@ -175,7 +175,7 @@ func Test_updateTargetToCommand(t *testing.T) {
 			}},
 			want: &command.ChangeTarget{
 				Name:             gu.Ptr("target 1"),
-				TargetType:       gu.Ptr(domain.TargetTypeWebhook),
+				TargetType:       gu.Ptr(target_domain.TargetTypeWebhook),
 				Endpoint:         gu.Ptr("https://example.com/hooks/1"),
 				Timeout:          gu.Ptr(10 * time.Second),
 				InterruptOnError: gu.Ptr(true),
@@ -193,7 +193,7 @@ func Test_updateTargetToCommand(t *testing.T) {
 			}},
 			want: &command.ChangeTarget{
 				Name:             gu.Ptr("target 1"),
-				TargetType:       gu.Ptr(domain.TargetTypeAsync),
+				TargetType:       gu.Ptr(target_domain.TargetTypeAsync),
 				Endpoint:         gu.Ptr("https://example.com/hooks/1"),
 				Timeout:          gu.Ptr(10 * time.Second),
 				InterruptOnError: gu.Ptr(false),
@@ -213,7 +213,7 @@ func Test_updateTargetToCommand(t *testing.T) {
 			}},
 			want: &command.ChangeTarget{
 				Name:             gu.Ptr("target 1"),
-				TargetType:       gu.Ptr(domain.TargetTypeCall),
+				TargetType:       gu.Ptr(target_domain.TargetTypeCall),
 				Endpoint:         gu.Ptr("https://example.com/hooks/1"),
 				Timeout:          gu.Ptr(10 * time.Second),
 				InterruptOnError: gu.Ptr(true),

internal/api/grpc/server/connect_middleware/execution_interceptor.go

@@ -9,18 +9,18 @@ import (
 	"google.golang.org/protobuf/proto"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/execution"
-	"github.com/zitadel/zitadel/internal/query"
+	target_domain "github.com/zitadel/zitadel/internal/execution/target"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 )
 
-func ExecutionHandler(queries *query.Queries) connect.UnaryInterceptorFunc {
+func ExecutionHandler(alg crypto.EncryptionAlgorithm) connect.UnaryInterceptorFunc {
 	return func(handler connect.UnaryFunc) connect.UnaryFunc {
 		return func(ctx context.Context, req connect.AnyRequest) (_ connect.AnyResponse, err error) {
-			requestTargets, responseTargets := execution.QueryExecutionTargetsForRequestAndResponse(ctx, queries, req.Spec().Procedure)
 
-			// call targets otherwise return req
-			handledReq, err := executeTargetsForRequest(ctx, requestTargets, req.Spec().Procedure, req)
+			requestTargets := execution.QueryExecutionTargetsForRequest(ctx, req.Spec().Procedure)
+			handledReq, err := executeTargetsForRequest(ctx, requestTargets, req.Spec().Procedure, req, alg)
 			if err != nil {
 				return nil, err
 			}
@@ -30,12 +30,13 @@ func ExecutionHandler(queries *query.Queries) connect.UnaryInterceptorFunc {
 				return nil, err
 			}
 
-			return executeTargetsForResponse(ctx, responseTargets, req.Spec().Procedure, handledReq, response)
+			responseTargets := execution.QueryExecutionTargetsForResponse(ctx, req.Spec().Procedure)
+			return executeTargetsForResponse(ctx, responseTargets, req.Spec().Procedure, handledReq, response, alg)
 		}
 	}
 }
 
-func executeTargetsForRequest(ctx context.Context, targets []execution.Target, fullMethod string, req connect.AnyRequest) (_ connect.AnyRequest, err error) {
+func executeTargetsForRequest(ctx context.Context, targets []target_domain.Target, fullMethod string, req connect.AnyRequest, alg crypto.EncryptionAlgorithm) (_ connect.AnyRequest, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
@@ -54,14 +55,14 @@ func executeTargetsForRequest(ctx context.Context, targets []execution.Target, f
 		Request:    Message{req.Any().(proto.Message)},
 	}
 
-	_, err = execution.CallTargets(ctx, targets, info)
+	_, err = execution.CallTargets(ctx, targets, info, alg)
 	if err != nil {
 		return nil, err
 	}
 	return req, nil
 }
 
-func executeTargetsForResponse(ctx context.Context, targets []execution.Target, fullMethod string, req connect.AnyRequest, resp connect.AnyResponse) (_ connect.AnyResponse, err error) {
+func executeTargetsForResponse(ctx context.Context, targets []target_domain.Target, fullMethod string, req connect.AnyRequest, resp connect.AnyResponse, alg crypto.EncryptionAlgorithm) (_ connect.AnyResponse, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
@@ -81,7 +82,7 @@ func executeTargetsForResponse(ctx context.Context, targets []execution.Target,
 		Response:   Message{resp.Any().(proto.Message)},
 	}
 
-	_, err = execution.CallTargets(ctx, targets, info)
+	_, err = execution.CallTargets(ctx, targets, info, alg)
 	if err != nil {
 		return nil, err
 	}

internal/api/grpc/server/connect_middleware/execution_interceptor_test.go

@@ -16,48 +16,10 @@ import (
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/structpb"
 
-	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/execution"
+	target_domain "github.com/zitadel/zitadel/internal/execution/target"
 )
 
-var _ execution.Target = &mockExecutionTarget{}
-
-type mockExecutionTarget struct {
-	InstanceID       string
-	ExecutionID      string
-	TargetID         string
-	TargetType       domain.TargetType
-	Endpoint         string
-	Timeout          time.Duration
-	InterruptOnError bool
-	SigningKey       string
-}
-
-func (e *mockExecutionTarget) SetEndpoint(endpoint string) {
-	e.Endpoint = endpoint
-}
-func (e *mockExecutionTarget) IsInterruptOnError() bool {
-	return e.InterruptOnError
-}
-func (e *mockExecutionTarget) GetEndpoint() string {
-	return e.Endpoint
-}
-func (e *mockExecutionTarget) GetTargetType() domain.TargetType {
-	return e.TargetType
-}
-func (e *mockExecutionTarget) GetTimeout() time.Duration {
-	return e.Timeout
-}
-func (e *mockExecutionTarget) GetTargetID() string {
-	return e.TargetID
-}
-func (e *mockExecutionTarget) GetExecutionID() string {
-	return e.ExecutionID
-}
-func (e *mockExecutionTarget) GetSigningKey() string {
-	return e.SigningKey
-}
-
 func newMockContentRequest(content string) *connect.Request[structpb.Struct] {
 	return connect.NewRequest(&structpb.Struct{
 		Fields: map[string]*structpb.Value{
@@ -103,7 +65,7 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 	type args struct {
 		ctx context.Context
 
-		executionTargets []execution.Target
+		executionTargets []target_domain.Target
 		targets          []target
 		fullMethod       string
 		req              connect.AnyRequest
@@ -134,7 +96,7 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:              context.Background(),
 				fullMethod:       "/service/method",
-				executionTargets: []execution.Target{},
+				executionTargets: []target_domain.Target{},
 				req:              newMockContentRequest("request"),
 			},
 			res{
@@ -146,12 +108,11 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Minute,
 						InterruptOnError: true,
 					},
@@ -168,14 +129,12 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:  "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID: "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:    "target",
-						TargetType:  domain.TargetTypeCall,
+						TargetType:  target_domain.TargetTypeCall,
 						Timeout:     time.Minute,
-						SigningKey:  "signingkey",
 					},
 				},
 				targets: []target{
@@ -197,15 +156,13 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Minute,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
 				},
 
@@ -228,15 +185,13 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Second,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
 				},
 				targets: []target{
@@ -258,15 +213,13 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Second,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
 				},
 				targets: []target{
@@ -283,15 +236,13 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Minute,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
 				},
 				targets: []target{
@@ -313,14 +264,12 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:  "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID: "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:    "target",
-						TargetType:  domain.TargetTypeAsync,
+						TargetType:  target_domain.TargetTypeAsync,
 						Timeout:     time.Second,
-						SigningKey:  "signingkey",
 					},
 				},
 				targets: []target{
@@ -342,14 +291,12 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:  "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID: "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:    "target",
-						TargetType:  domain.TargetTypeAsync,
+						TargetType:  target_domain.TargetTypeAsync,
 						Timeout:     time.Minute,
-						SigningKey:  "signingkey",
 					},
 				},
 				targets: []target{
@@ -371,15 +318,13 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target",
-						TargetType:       domain.TargetTypeWebhook,
+						TargetType:       target_domain.TargetTypeWebhook,
 						Timeout:          time.Minute,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
 				},
 				targets: []target{
@@ -400,15 +345,13 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target",
-						TargetType:       domain.TargetTypeWebhook,
+						TargetType:       target_domain.TargetTypeWebhook,
 						Timeout:          time.Second,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
 				},
 				targets: []target{
@@ -430,15 +373,13 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target",
-						TargetType:       domain.TargetTypeWebhook,
+						TargetType:       target_domain.TargetTypeWebhook,
 						Timeout:          time.Minute,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
 				},
 				targets: []target{
@@ -460,33 +401,27 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target1",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Minute,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target2",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Minute,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target3",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Minute,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
 				},
 
@@ -521,33 +456,27 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target1",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Minute,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target2",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Second,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target3",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Second,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
 				},
 				targets: []target{
@@ -588,8 +517,7 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 					target.respBody,
 				)
 
-				et := tt.args.executionTargets[i].(*mockExecutionTarget)
-				et.SetEndpoint(url)
+				tt.args.executionTargets[i].Endpoint = url
 				closeFuncs[i] = closeF
 			}
 
@@ -598,6 +526,7 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 				tt.args.executionTargets,
 				tt.args.fullMethod,
 				tt.args.req,
+				nil,
 			)
 
 			if tt.res.wantErr {
@@ -672,7 +601,7 @@ func Test_executeTargetsForGRPCFullMethod_response(t *testing.T) {
 	type args struct {
 		ctx context.Context
 
-		executionTargets []execution.Target
+		executionTargets []target_domain.Target
 		targets          []target
 		fullMethod       string
 		req              connect.AnyRequest
@@ -705,7 +634,7 @@ func Test_executeTargetsForGRPCFullMethod_response(t *testing.T) {
 			args{
 				ctx:              context.Background(),
 				fullMethod:       "/service/method",
-				executionTargets: []execution.Target{},
+				executionTargets: []target_domain.Target{},
 				req:              newMockContentRequest("request"),
 				resp:             newMockContentResponse("response"),
 			},
@@ -718,15 +647,13 @@ func Test_executeTargetsForGRPCFullMethod_response(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Minute,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
 				},
 				targets: []target{
@@ -749,15 +676,13 @@ func Test_executeTargetsForGRPCFullMethod_response(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID:      "response./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Minute,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
 				},
 				targets: []target{
@@ -787,8 +712,7 @@ func Test_executeTargetsForGRPCFullMethod_response(t *testing.T) {
 					target.respBody,
 				)
 
-				et := tt.args.executionTargets[i].(*mockExecutionTarget)
-				et.SetEndpoint(url)
+				tt.args.executionTargets[i].Endpoint = url
 				closeFuncs[i] = closeF
 			}
 
@@ -798,6 +722,7 @@ func Test_executeTargetsForGRPCFullMethod_response(t *testing.T) {
 				tt.args.fullMethod,
 				tt.args.req,
 				tt.args.resp,
+				nil,
 			)
 
 			if tt.res.wantErr {

internal/api/grpc/server/middleware/execution_interceptor.go

@@ -9,17 +9,17 @@ import (
 	"google.golang.org/protobuf/proto"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/execution"
-	"github.com/zitadel/zitadel/internal/query"
+	target_domain "github.com/zitadel/zitadel/internal/execution/target"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 )
 
-func ExecutionHandler(queries *query.Queries) grpc.UnaryServerInterceptor {
+func ExecutionHandler(alg crypto.EncryptionAlgorithm) grpc.UnaryServerInterceptor {
 	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
-		requestTargets, responseTargets := execution.QueryExecutionTargetsForRequestAndResponse(ctx, queries, info.FullMethod)
-
+		requestTargets := execution.QueryExecutionTargetsForRequest(ctx, info.FullMethod)
 		// call targets otherwise return req
-		handledReq, err := executeTargetsForRequest(ctx, requestTargets, info.FullMethod, req)
+		handledReq, err := executeTargetsForRequest(ctx, requestTargets, info.FullMethod, req, alg)
 		if err != nil {
 			return nil, err
 		}
@@ -29,11 +29,12 @@ func ExecutionHandler(queries *query.Queries) grpc.UnaryServerInterceptor {
 			return nil, err
 		}
 
-		return executeTargetsForResponse(ctx, responseTargets, info.FullMethod, handledReq, response)
+		responseTargets := execution.QueryExecutionTargetsForResponse(ctx, info.FullMethod)
+		return executeTargetsForResponse(ctx, responseTargets, info.FullMethod, handledReq, response, alg)
 	}
 }
 
-func executeTargetsForRequest(ctx context.Context, targets []execution.Target, fullMethod string, req interface{}) (_ interface{}, err error) {
+func executeTargetsForRequest(ctx context.Context, targets []target_domain.Target, fullMethod string, req interface{}, alg crypto.EncryptionAlgorithm) (_ interface{}, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
@@ -52,10 +53,10 @@ func executeTargetsForRequest(ctx context.Context, targets []execution.Target, f
 		Request:    Message{req.(proto.Message)},
 	}
 
-	return execution.CallTargets(ctx, targets, info)
+	return execution.CallTargets(ctx, targets, info, alg)
 }
 
-func executeTargetsForResponse(ctx context.Context, targets []execution.Target, fullMethod string, req, resp interface{}) (_ interface{}, err error) {
+func executeTargetsForResponse(ctx context.Context, targets []target_domain.Target, fullMethod string, req, resp interface{}, alg crypto.EncryptionAlgorithm) (_ interface{}, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
@@ -75,7 +76,7 @@ func executeTargetsForResponse(ctx context.Context, targets []execution.Target,
 		Response:   Message{resp.(proto.Message)},
 	}
 
-	return execution.CallTargets(ctx, targets, info)
+	return execution.CallTargets(ctx, targets, info, alg)
 }
 
 var _ execution.ContextInfo = &ContextInfoRequest{}

internal/api/grpc/server/middleware/execution_interceptor_test.go

@@ -15,48 +15,10 @@ import (
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/structpb"
 
-	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/execution"
+	target_domain "github.com/zitadel/zitadel/internal/execution/target"
 )
 
-var _ execution.Target = &mockExecutionTarget{}
-
-type mockExecutionTarget struct {
-	InstanceID       string
-	ExecutionID      string
-	TargetID         string
-	TargetType       domain.TargetType
-	Endpoint         string
-	Timeout          time.Duration
-	InterruptOnError bool
-	SigningKey       string
-}
-
-func (e *mockExecutionTarget) SetEndpoint(endpoint string) {
-	e.Endpoint = endpoint
-}
-func (e *mockExecutionTarget) IsInterruptOnError() bool {
-	return e.InterruptOnError
-}
-func (e *mockExecutionTarget) GetEndpoint() string {
-	return e.Endpoint
-}
-func (e *mockExecutionTarget) GetTargetType() domain.TargetType {
-	return e.TargetType
-}
-func (e *mockExecutionTarget) GetTimeout() time.Duration {
-	return e.Timeout
-}
-func (e *mockExecutionTarget) GetTargetID() string {
-	return e.TargetID
-}
-func (e *mockExecutionTarget) GetExecutionID() string {
-	return e.ExecutionID
-}
-func (e *mockExecutionTarget) GetSigningKey() string {
-	return e.SigningKey
-}
-
 func newMockContentRequest(content string) proto.Message {
 	return &structpb.Struct{
 		Fields: map[string]*structpb.Value{
@@ -92,7 +54,7 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 	type args struct {
 		ctx context.Context
 
-		executionTargets []execution.Target
+		executionTargets []target_domain.Target
 		targets          []target
 		fullMethod       string
 		req              interface{}
@@ -123,7 +85,7 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:              context.Background(),
 				fullMethod:       "/service/method",
-				executionTargets: []execution.Target{},
+				executionTargets: []target_domain.Target{},
 				req:              newMockContentRequest("request"),
 			},
 			res{
@@ -135,12 +97,11 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Minute,
 						InterruptOnError: true,
 					},
@@ -157,14 +118,12 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:  "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID: "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:    "target",
-						TargetType:  domain.TargetTypeCall,
+						TargetType:  target_domain.TargetTypeCall,
 						Timeout:     time.Minute,
-						SigningKey:  "signingkey",
 					},
 				},
 				targets: []target{
@@ -186,15 +145,13 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Minute,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
 				},
 
@@ -217,15 +174,13 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Second,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
 				},
 				targets: []target{
@@ -247,15 +202,13 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Second,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
 				},
 				targets: []target{
@@ -272,15 +225,13 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Minute,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
 				},
 				targets: []target{
@@ -302,14 +253,12 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:  "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID: "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:    "target",
-						TargetType:  domain.TargetTypeAsync,
+						TargetType:  target_domain.TargetTypeAsync,
 						Timeout:     time.Second,
-						SigningKey:  "signingkey",
 					},
 				},
 				targets: []target{
@@ -331,14 +280,12 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:  "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID: "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:    "target",
-						TargetType:  domain.TargetTypeAsync,
+						TargetType:  target_domain.TargetTypeAsync,
 						Timeout:     time.Minute,
-						SigningKey:  "signingkey",
 					},
 				},
 				targets: []target{
@@ -360,15 +307,13 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target",
-						TargetType:       domain.TargetTypeWebhook,
+						TargetType:       target_domain.TargetTypeWebhook,
 						Timeout:          time.Minute,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
 				},
 				targets: []target{
@@ -389,15 +334,13 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target",
-						TargetType:       domain.TargetTypeWebhook,
+						TargetType:       target_domain.TargetTypeWebhook,
 						Timeout:          time.Second,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
 				},
 				targets: []target{
@@ -419,15 +362,13 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target",
-						TargetType:       domain.TargetTypeWebhook,
+						TargetType:       target_domain.TargetTypeWebhook,
 						Timeout:          time.Minute,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
 				},
 				targets: []target{
@@ -449,33 +390,27 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target1",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Minute,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target2",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Minute,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target3",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Minute,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
 				},
 
@@ -510,33 +445,27 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target1",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Minute,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target2",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Second,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target3",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Second,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
 				},
 				targets: []target{
@@ -577,8 +506,7 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 					target.respBody,
 				)
 
-				et := tt.args.executionTargets[i].(*mockExecutionTarget)
-				et.SetEndpoint(url)
+				tt.args.executionTargets[i].Endpoint = url
 				closeFuncs[i] = closeF
 			}
 
@@ -587,6 +515,7 @@ func Test_executeTargetsForGRPCFullMethod_request(t *testing.T) {
 				tt.args.executionTargets,
 				tt.args.fullMethod,
 				tt.args.req,
+				nil,
 			)
 
 			if tt.res.wantErr {
@@ -640,7 +569,7 @@ func testServerCall(
 			http.Error(w, "error", http.StatusInternalServerError)
 			return
 		}
-		if _, err := io.WriteString(w, string(resp)); err != nil {
+		if _, err := w.Write(resp); err != nil {
 			http.Error(w, "error", http.StatusInternalServerError)
 			return
 		}
@@ -661,7 +590,7 @@ func Test_executeTargetsForGRPCFullMethod_response(t *testing.T) {
 	type args struct {
 		ctx context.Context
 
-		executionTargets []execution.Target
+		executionTargets []target_domain.Target
 		targets          []target
 		fullMethod       string
 		req              interface{}
@@ -694,7 +623,7 @@ func Test_executeTargetsForGRPCFullMethod_response(t *testing.T) {
 			args{
 				ctx:              context.Background(),
 				fullMethod:       "/service/method",
-				executionTargets: []execution.Target{},
+				executionTargets: []target_domain.Target{},
 				req:              newMockContentRequest("request"),
 				resp:             newMockContentRequest("response"),
 			},
@@ -707,15 +636,13 @@ func Test_executeTargetsForGRPCFullMethod_response(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID:      "request./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Minute,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
 				},
 				targets: []target{
@@ -738,15 +665,13 @@ func Test_executeTargetsForGRPCFullMethod_response(t *testing.T) {
 			args{
 				ctx:        context.Background(),
 				fullMethod: "/service/method",
-				executionTargets: []execution.Target{
-					&mockExecutionTarget{
-						InstanceID:       "instance",
+				executionTargets: []target_domain.Target{
+					{
 						ExecutionID:      "response./zitadel.session.v2.SessionService/SetSession",
 						TargetID:         "target",
-						TargetType:       domain.TargetTypeCall,
+						TargetType:       target_domain.TargetTypeCall,
 						Timeout:          time.Minute,
 						InterruptOnError: true,
-						SigningKey:       "signingkey",
 					},
 				},
 				targets: []target{
@@ -776,8 +701,7 @@ func Test_executeTargetsForGRPCFullMethod_response(t *testing.T) {
 					target.respBody,
 				)
 
-				et := tt.args.executionTargets[i].(*mockExecutionTarget)
-				et.SetEndpoint(url)
+				tt.args.executionTargets[i].Endpoint = url
 				closeFuncs[i] = closeF
 			}
 
@@ -787,6 +711,7 @@ func Test_executeTargetsForGRPCFullMethod_response(t *testing.T) {
 				tt.args.fullMethod,
 				tt.args.req,
 				tt.args.resp,
+				nil,
 			)
 
 			if tt.res.wantErr {

internal/api/grpc/server/middleware/instance_interceptor_test.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/zitadel/zitadel/internal/api/authz"
 	http_util "github.com/zitadel/zitadel/internal/api/http"
+	"github.com/zitadel/zitadel/internal/execution/target"
 	"github.com/zitadel/zitadel/internal/feature"
 	object_v3 "github.com/zitadel/zitadel/pkg/grpc/object/v3alpha"
 )
@@ -295,3 +296,7 @@ func (m *mockInstance) EnableImpersonation() bool {
 func (m *mockInstance) Features() feature.Features {
 	return feature.Features{}
 }
+
+func (m *mockInstance) ExecutionRouter() target.Router {
+	return target.NewRouter(nil)
+}

internal/api/grpc/server/server.go

@@ -9,11 +9,12 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 	healthpb "google.golang.org/grpc/health/grpc_health_v1"
-	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	"google.golang.org/protobuf/reflect/protoreflect"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
 	grpc_api "github.com/zitadel/zitadel/internal/api/grpc"
 	"github.com/zitadel/zitadel/internal/api/grpc/server/middleware"
+	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/logstore"
 	"github.com/zitadel/zitadel/internal/logstore/record"
 	"github.com/zitadel/zitadel/internal/query"
@@ -60,6 +61,7 @@ func CreateServer(
 	externalDomain string,
 	tlsConfig *tls.Config,
 	accessSvc *logstore.Service[*record.AccessLog],
+	targetEncAlg crypto.EncryptionAlgorithm,
 ) *grpc.Server {
 	metricTypes := []metrics.MetricType{metrics.MetricTypeTotalCount, metrics.MetricTypeRequestCount, metrics.MetricTypeStatusCode}
 	serverOptions := []grpc.ServerOption{
@@ -75,7 +77,7 @@ func CreateServer(
 				middleware.AuthorizationInterceptor(verifier, systemAuthz, authConfig),
 				middleware.TranslationHandler(),
 				middleware.QuotaExhaustedInterceptor(accessSvc, system_pb.SystemService_ServiceDesc.ServiceName),
-				middleware.ExecutionHandler(queries),
+				middleware.ExecutionHandler(targetEncAlg),
 				middleware.ValidationHandler(),
 				middleware.ServiceHandler(),
 				middleware.ActivityInterceptor(),