fix: check domain of username not claimed by other organisation and cleanup (#2265)

* fix: register human

* fix: check domain of username not claimed by other organisation

* fix: create setup step to create domain claimed events for invalid users

* Update setup_step19.go

internal/command/user_human.go

@@ -2,6 +2,7 @@ package command
 
 import (
 	"context"
+	"strings"
 
 	"github.com/caos/zitadel/internal/eventstore"
 
@@ -117,8 +118,8 @@ func (c *Commands) importHuman(ctx context.Context, orgID string, human *domain.
 }
 
 func (c *Commands) RegisterHuman(ctx context.Context, orgID string, human *domain.Human, externalIDP *domain.ExternalIDP, orgMemberRoles []string) (*domain.Human, error) {
-	if orgID == "" || !human.IsValid() || externalIDP == nil && (human.Password == nil || human.SecretString == "") {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-GEdf2", "Errors.User.Invalid")
+	if orgID == "" {
+		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-GEdf2", "Errors.ResourceOwnerMissing")
 	}
 	orgIAMPolicy, err := c.getOrgIAMPolicy(ctx, orgID)
 	if err != nil {
@@ -179,6 +180,19 @@ func (c *Commands) createHuman(ctx context.Context, orgID string, human *domain.
 	if err := human.CheckOrgIAMPolicy(orgIAMPolicy); err != nil {
 		return nil, nil, err
 	}
+	if !orgIAMPolicy.UserLoginMustBeDomain {
+		usernameSplit := strings.Split(human.Username, "@")
+		if len(usernameSplit) != 2 {
+			return nil, nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-Dfd21", "Errors.User.Invalid")
+		}
+		domainCheck := NewOrgDomainVerifiedWriteModel(usernameSplit[1])
+		if err := c.eventstore.FilterToQueryReducer(ctx, domainCheck); err != nil {
+			return nil, nil, err
+		}
+		if domainCheck.Verified && domainCheck.ResourceOwner != orgID {
+			return nil, nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-SFd21", "Errors.User.DomainNotAllowedAsUsername")
+		}
+	}
 	userID, err := c.idGenerator.Next()
 	if err != nil {
 		return nil, nil, err