fix: ensure domain policy is read for the correct org (#4872)

internal/command/org_domain.go

@@ -30,7 +30,7 @@ func (c *Commands) prepareAddOrgDomain(a *org.Aggregate, addDomain string, userI
 			if existing != nil && existing.State == domain.OrgDomainStateActive {
 				return nil, errors.ThrowAlreadyExists(nil, "V2-e1wse", "Errors.Already.Exists")
 			}
-			domainPolicy, err := domainPolicyWriteModel(ctx, filter)
+			domainPolicy, err := domainPolicyWriteModel(ctx, filter, a.ID)
 			if err != nil {
 				return nil, err
 			}

internal/command/org_policy_domain.go

@@ -90,7 +90,7 @@ func prepareAddOrgDomainPolicy(
 ) preparation.Validation {
 	return func() (preparation.CreateCommands, error) {
 		return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
-			writeModel, err := orgDomainPolicy(ctx, filter)
+			writeModel, err := orgDomainPolicy(ctx, filter, a.ID)
 			if err != nil {
 				return nil, err
 			}
@@ -133,7 +133,7 @@ func prepareChangeOrgDomainPolicy(
 ) preparation.Validation {
 	return func() (preparation.CreateCommands, error) {
 		return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
-			writeModel, err := orgDomainPolicy(ctx, filter)
+			writeModel, err := orgDomainPolicy(ctx, filter, a.ID)
 			if err != nil {
 				return nil, err
 			}
@@ -169,7 +169,7 @@ func prepareRemoveOrgDomainPolicy(
 ) preparation.Validation {
 	return func() (preparation.CreateCommands, error) {
 		return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
-			writeModel, err := orgDomainPolicy(ctx, filter)
+			writeModel, err := orgDomainPolicy(ctx, filter, a.ID)
 			if err != nil {
 				return nil, err
 			}

internal/command/user.go

@@ -349,7 +349,7 @@ func (c *Commands) prepareUserDomainClaimed(ctx context.Context, filter preparat
 	if !userWriteModel.UserState.Exists() {
 		return nil, errors.ThrowNotFound(nil, "COMMAND-ii9K0", "Errors.User.NotFound")
 	}
-	domainPolicy, err := domainPolicyWriteModel(ctx, filter)
+	domainPolicy, err := domainPolicyWriteModel(ctx, filter, userWriteModel.ResourceOwner)
 	if err != nil {
 		return nil, err
 	}

internal/command/user_domain_policy.go

@@ -3,13 +3,12 @@ package command
 import (
 	"context"
 
-	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/command/preparation"
 	"github.com/zitadel/zitadel/internal/errors"
 )
 
-func domainPolicyWriteModel(ctx context.Context, filter preparation.FilterToQueryReducer) (*PolicyDomainWriteModel, error) {
+func domainPolicyWriteModel(ctx context.Context, filter preparation.FilterToQueryReducer, orgID string) (*PolicyDomainWriteModel, error) {
-	wm, err := orgDomainPolicy(ctx, filter)
+	wm, err := orgDomainPolicy(ctx, filter, orgID)
 	if err != nil {
 		return nil, err
 	}
@@ -26,8 +25,8 @@ func domainPolicyWriteModel(ctx context.Context, filter preparation.FilterToQuer
 	return nil, errors.ThrowInternal(nil, "USER-Ggk9n", "Errors.Internal")
 }
 
-func orgDomainPolicy(ctx context.Context, filter preparation.FilterToQueryReducer) (*OrgDomainPolicyWriteModel, error) {
+func orgDomainPolicy(ctx context.Context, filter preparation.FilterToQueryReducer, orgID string) (*OrgDomainPolicyWriteModel, error) {
-	policy := NewOrgDomainPolicyWriteModel(authz.GetCtxData(ctx).OrgID)
+	policy := NewOrgDomainPolicyWriteModel(orgID)
 	events, err := filter(ctx, policy.Query())
 	if err != nil {
 		return nil, err

internal/command/user_domain_policy_test.go

@@ -17,6 +17,7 @@ import (
 func Test_customDomainPolicy(t *testing.T) {
 	type args struct {
 		filter preparation.FilterToQueryReducer
+		orgID  string
 	}
 	tests := []struct {
 		name    string
@@ -30,6 +31,7 @@ func Test_customDomainPolicy(t *testing.T) {
 				filter: func(_ context.Context, _ *eventstore.SearchQueryBuilder) ([]eventstore.Event, error) {
 					return nil, errors.ThrowInternal(nil, "USER-IgYlN", "Errors.Internal")
 				},
+				orgID: "id",
 			},
 			want:    nil,
 			wantErr: true,
@@ -40,11 +42,15 @@ func Test_customDomainPolicy(t *testing.T) {
 				filter: func(_ context.Context, _ *eventstore.SearchQueryBuilder) ([]eventstore.Event, error) {
 					return []eventstore.Event{}, nil
 				},
+				orgID: "id",
 			},
 			want: &OrgDomainPolicyWriteModel{
 				PolicyDomainWriteModel: PolicyDomainWriteModel{
-					WriteModel: eventstore.WriteModel{},
+					WriteModel: eventstore.WriteModel{
-					State:      domain.PolicyStateUnspecified,
+						AggregateID:   "id",
+						ResourceOwner: "id",
+					},
+					State: domain.PolicyStateUnspecified,
 				},
 			},
 			wantErr: false,
@@ -63,6 +69,7 @@ func Test_customDomainPolicy(t *testing.T) {
 						),
 					}, nil
 				},
+				orgID: "id",
 			},
 			want: &OrgDomainPolicyWriteModel{
 				PolicyDomainWriteModel: PolicyDomainWriteModel{
@@ -82,7 +89,7 @@ func Test_customDomainPolicy(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := orgDomainPolicy(context.Background(), tt.args.filter)
+			got, err := orgDomainPolicy(context.Background(), tt.args.filter, tt.args.orgID)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("customDomainPolicy() error = %v, wantErr %v", err, tt.wantErr)
 				return
@@ -181,6 +188,7 @@ func Test_defaultDomainPolicy(t *testing.T) {
 func Test_DomainPolicy(t *testing.T) {
 	type args struct {
 		filter preparation.FilterToQueryReducer
+		orgID  string
 	}
 	tests := []struct {
 		name    string
@@ -194,6 +202,7 @@ func Test_DomainPolicy(t *testing.T) {
 				filter: func(_ context.Context, _ *eventstore.SearchQueryBuilder) ([]eventstore.Event, error) {
 					return nil, errors.ThrowInternal(nil, "USER-IgYlN", "Errors.Internal")
 				},
+				orgID: "id",
 			},
 			want:    nil,
 			wantErr: true,
@@ -212,6 +221,7 @@ func Test_DomainPolicy(t *testing.T) {
 						),
 					}, nil
 				},
+				orgID: "id",
 			},
 			want: &PolicyDomainWriteModel{
 				WriteModel: eventstore.WriteModel{
@@ -237,6 +247,7 @@ func Test_DomainPolicy(t *testing.T) {
 						return nil, errors.ThrowInternal(nil, "USER-6HnsD", "Errors.Internal")
 					}).
 					Filter(),
+				orgID: "id",
 			},
 			want:    nil,
 			wantErr: true,
@@ -260,6 +271,7 @@ func Test_DomainPolicy(t *testing.T) {
 						}, nil
 					}).
 					Filter(),
+				orgID: "id",
 			},
 			want: &PolicyDomainWriteModel{
 				WriteModel: eventstore.WriteModel{
@@ -288,7 +300,7 @@ func Test_DomainPolicy(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := domainPolicyWriteModel(authz.WithInstanceID(context.Background(), "INSTANCE"), tt.args.filter)
+			got, err := domainPolicyWriteModel(authz.WithInstanceID(context.Background(), "INSTANCE"), tt.args.filter, tt.args.orgID)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("defaultDomainPolicy() error = %v, wantErr %v", err, tt.wantErr)
 				return

internal/command/user_human.go

@@ -130,7 +130,7 @@ func AddHumanCommand(a *user.Aggregate, human *AddHuman, passwordAlg crypto.Hash
 		}
 
 		return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
-			domainPolicy, err := domainPolicyWriteModel(ctx, filter)
+			domainPolicy, err := domainPolicyWriteModel(ctx, filter, a.ResourceOwner)
 			if err != nil {
 				return nil, err
 			}

internal/command/user_machine.go

@@ -51,7 +51,7 @@ func AddMachineCommand(a *user.Aggregate, machine *Machine) preparation.Validati
 			if isUserStateExists(writeModel.UserState) {
 				return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-k2una", "Errors.User.AlreadyExisting")
 			}
-			domainPolicy, err := domainPolicyWriteModel(ctx, filter)
+			domainPolicy, err := domainPolicyWriteModel(ctx, filter, a.ResourceOwner)
 			if err != nil {
 				return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-3M9fs", "Errors.Org.DomainPolicy.NotFound")
 			}