feat: org and policies commands (#1167)

* add setup steps

* refactoring

* omitempty

* cleanup

* begin org

* create org

* setup org

* setup org

* merge

* fixes

* fixes

* fixes

* add project

* add oidc application

* fix app creation

* add resourceOwner to writemodels

* resource owner

* cleanup

* global org, iam project and iam member in setup

* logs

* logs

* logs

* cleanup

* Update internal/v2/command/project.go

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* check project state

* add org domain commands

* add org status changes and member commands

* fixes

* policies

* login policy

* fix iam project event

* mapper

* label policy

* change to command

* fix

* fix

* handle change event differently and lot of fixes

* fixes

* changedEvent handling

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

internal/v2/repository/org/aggregate.go

@@ -5,7 +5,7 @@ import (
 )
 
 const (
-	iamEventTypePrefix = eventstore.EventType("org.")
+	orgEventTypePrefix = eventstore.EventType("org.")
 )
 
 const (

internal/v2/repository/org/domain.go

@@ -12,13 +12,13 @@ import (
 )
 
 const (
-	domainEventPrefix           = orgEventTypePrefix + "domain."
-	OrgDomainAdded              = domainEventPrefix + "added"
-	OrgDomainVerificationAdded  = domainEventPrefix + "verification.added"
-	OrgDomainVerificationFailed = domainEventPrefix + "verification.failed"
-	OrgDomainVerified           = domainEventPrefix + "verified"
-	OrgDomainPrimarySet         = domainEventPrefix + "primary.set"
-	OrgDomainRemoved            = domainEventPrefix + "removed"
+	domainEventPrefix                    = orgEventTypePrefix + "domain."
+	OrgDomainAddedEventType              = domainEventPrefix + "added"
+	OrgDomainVerificationAddedEventType  = domainEventPrefix + "verification.added"
+	OrgDomainVerificationFailedEventType = domainEventPrefix + "verification.failed"
+	OrgDomainVerifiedEventType           = domainEventPrefix + "verified"
+	OrgDomainPrimarySetEventType         = domainEventPrefix + "primary.set"
+	OrgDomainRemovedEventType            = domainEventPrefix + "removed"
 )
 
 type DomainAddedEvent struct {
@@ -35,7 +35,7 @@ func NewDomainAddedEvent(ctx context.Context, domain string) *DomainAddedEvent {
 	return &DomainAddedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
 			ctx,
-			OrgDomainAdded,
+			OrgDomainAddedEventType,
 		),
 		Domain: domain,
 	}
@@ -73,7 +73,7 @@ func NewDomainVerificationAddedEvent(
 	return &DomainVerificationAddedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
 			ctx,
-			OrgDomainVerificationAdded,
+			OrgDomainVerificationAddedEventType,
 		),
 		Domain:         domain,
 		ValidationType: validationType,
@@ -107,7 +107,7 @@ func NewDomainVerificationFailedEvent(ctx context.Context, domain string) *Domai
 	return &DomainVerificationFailedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
 			ctx,
-			OrgDomainVerificationFailed,
+			OrgDomainVerificationFailedEventType,
 		),
 		Domain: domain,
 	}
@@ -139,7 +139,7 @@ func NewDomainVerifiedEvent(ctx context.Context, domain string) *DomainVerifiedE
 	return &DomainVerifiedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
 			ctx,
-			OrgDomainVerified,
+			OrgDomainVerifiedEventType,
 		),
 		Domain: domain,
 	}
@@ -171,7 +171,7 @@ func NewDomainPrimarySetEvent(ctx context.Context, domain string) *DomainPrimary
 	return &DomainPrimarySetEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
 			ctx,
-			OrgDomainPrimarySet,
+			OrgDomainPrimarySetEventType,
 		),
 		Domain: domain,
 	}
@@ -203,7 +203,7 @@ func NewDomainRemovedEvent(ctx context.Context, domain string) *DomainRemovedEve
 	return &DomainRemovedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
 			ctx,
-			OrgDomainRemoved,
+			OrgDomainRemovedEventType,
 		),
 		Domain: domain,
 	}

internal/v2/repository/org/eventstore.go

@@ -5,15 +5,42 @@ import (
 )
 
 func RegisterEventMappers(es *eventstore.Eventstore) {
-	es.RegisterFilterEventMapper(OrgAdded, OrgAddedEventMapper).
-		RegisterFilterEventMapper(OrgChanged, OrgChangedEventMapper).
-		//RegisterFilterEventMapper(OrgDeactivated, OrgChangedEventMapper). TODO: !
-		//RegisterFilterEventMapper(OrgReactivated, OrgChangedEventMapper).
-		//RegisterFilterEventMapper(OrgRemoved, OrgChangedEventMapper).
-		RegisterFilterEventMapper(OrgDomainAdded, DomainAddedEventMapper).
-		RegisterFilterEventMapper(OrgDomainVerificationAdded, DomainVerificationAddedEventMapper).
-		RegisterFilterEventMapper(OrgDomainVerificationFailed, DomainVerificationFailedEventMapper).
-		RegisterFilterEventMapper(OrgDomainVerified, DomainVerifiedEventMapper).
-		RegisterFilterEventMapper(OrgDomainPrimarySet, DomainPrimarySetEventMapper).
-		RegisterFilterEventMapper(OrgDomainRemoved, DomainRemovedEventMapper)
+	es.RegisterFilterEventMapper(OrgAddedEventType, OrgAddedEventMapper).
+		RegisterFilterEventMapper(OrgChangedEventType, OrgChangedEventMapper).
+		RegisterFilterEventMapper(OrgDeactivatedEventType, OrgDeactivatedEventMapper).
+		RegisterFilterEventMapper(OrgReactivatedEventType, OrgReactivatedEventMapper).
+		//RegisterFilterEventMapper(OrgRemovedEventType, OrgRemovedEventMapper).  //TODO: implement
+		RegisterFilterEventMapper(OrgDomainAddedEventType, DomainAddedEventMapper).
+		RegisterFilterEventMapper(OrgDomainVerificationAddedEventType, DomainVerificationAddedEventMapper).
+		RegisterFilterEventMapper(OrgDomainVerificationFailedEventType, DomainVerificationFailedEventMapper).
+		RegisterFilterEventMapper(OrgDomainVerifiedEventType, DomainVerifiedEventMapper).
+		RegisterFilterEventMapper(OrgDomainPrimarySetEventType, DomainPrimarySetEventMapper).
+		RegisterFilterEventMapper(OrgDomainRemovedEventType, DomainRemovedEventMapper).
+		RegisterFilterEventMapper(MemberAddedEventType, MemberAddedEventMapper).
+		RegisterFilterEventMapper(MemberChangedEventType, MemberChangedEventMapper).
+		RegisterFilterEventMapper(MemberRemovedEventType, MemberRemovedEventMapper).
+		RegisterFilterEventMapper(LabelPolicyAddedEventType, LabelPolicyAddedEventMapper).
+		RegisterFilterEventMapper(LabelPolicyChangedEventType, LabelPolicyChangedEventMapper).
+		RegisterFilterEventMapper(LabelPolicyRemovedEventType, LabelPolicyRemovedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyAddedEventType, LoginPolicyAddedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyChangedEventType, LoginPolicyChangedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyRemovedEventType, LoginPolicyRemovedEventMapper).
+		RegisterFilterEventMapper(LoginPolicySecondFactorAddedEventType, SecondFactorAddedEventEventMapper).
+		RegisterFilterEventMapper(LoginPolicySecondFactorRemovedEventType, SecondFactorRemovedEventEventMapper).
+		RegisterFilterEventMapper(LoginPolicyMultiFactorAddedEventType, MultiFactorAddedEventEventMapper).
+		RegisterFilterEventMapper(LoginPolicyMultiFactorRemovedEventType, MultiFactorRemovedEventEventMapper).
+		RegisterFilterEventMapper(LoginPolicyIDPProviderAddedEventType, IdentityProviderAddedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyIDPProviderRemovedEventType, IdentityProviderRemovedEventMapper).
+		RegisterFilterEventMapper(OrgIAMPolicyAddedEventType, OrgIAMPolicyAddedEventMapper).
+		RegisterFilterEventMapper(OrgIAMPolicyChangedEventType, OrgIAMPolicyChangedEventMapper).
+		RegisterFilterEventMapper(OrgIAMPolicyRemovedEventType, OrgIAMPolicyRemovedEventMapper).
+		RegisterFilterEventMapper(PasswordAgePolicyAddedEventType, PasswordAgePolicyAddedEventMapper).
+		RegisterFilterEventMapper(PasswordAgePolicyChangedEventType, PasswordAgePolicyChangedEventMapper).
+		RegisterFilterEventMapper(PasswordAgePolicyRemovedEventType, PasswordAgePolicyRemovedEventMapper).
+		RegisterFilterEventMapper(PasswordComplexityPolicyAddedEventType, PasswordComplexityPolicyAddedEventMapper).
+		RegisterFilterEventMapper(PasswordComplexityPolicyChangedEventType, PasswordComplexityPolicyChangedEventMapper).
+		RegisterFilterEventMapper(PasswordComplexityPolicyRemovedEventType, PasswordComplexityPolicyRemovedEventMapper).
+		RegisterFilterEventMapper(PasswordLockoutPolicyAddedEventType, PasswordLockoutPolicyAddedEventMapper).
+		RegisterFilterEventMapper(PasswordLockoutPolicyChangedEventType, PasswordLockoutPolicyChangedEventMapper).
+		RegisterFilterEventMapper(PasswordLockoutPolicyRemovedEventType, PasswordLockoutPolicyRemovedEventMapper)
 }

internal/v2/repository/org/member.go

@@ -3,13 +3,10 @@ package org
 import (
 	"context"
 	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
 	"github.com/caos/zitadel/internal/v2/repository/member"
 )
 
-const (
-	orgEventTypePrefix = eventstore.EventType("org.")
-)
-
 var (
 	MemberAddedEventType   = orgEventTypePrefix + member.AddedEventType
 	MemberChangedEventType = orgEventTypePrefix + member.ChangedEventType
@@ -37,6 +34,15 @@ func NewMemberAddedEvent(
 	}
 }
 
+func MemberAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := member.MemberAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MemberAddedEvent{MemberAddedEvent: *e.(*member.MemberAddedEvent)}, nil
+}
+
 type MemberChangedEvent struct {
 	member.MemberChangedEvent
 }
@@ -59,6 +65,15 @@ func NewMemberChangedEvent(
 	}
 }
 
+func MemberChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := member.ChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MemberChangedEvent{MemberChangedEvent: *e.(*member.MemberChangedEvent)}, nil
+}
+
 type MemberRemovedEvent struct {
 	member.MemberRemovedEvent
 }
@@ -78,3 +93,12 @@ func NewMemberRemovedEvent(
 		),
 	}
 }
+
+func MemberRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := member.RemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MemberRemovedEvent{MemberRemovedEvent: *e.(*member.MemberRemovedEvent)}, nil
+}

internal/v2/repository/org/org.go

@@ -10,11 +10,11 @@ import (
 )
 
 const (
-	OrgAdded       = orgEventTypePrefix + "added"
-	OrgChanged     = orgEventTypePrefix + "changed"
-	OrgDeactivated = orgEventTypePrefix + "deactivated"
-	OrgReactivated = orgEventTypePrefix + "reactivated"
-	OrgRemoved     = orgEventTypePrefix + "removed"
+	OrgAddedEventType       = orgEventTypePrefix + "added"
+	OrgChangedEventType     = orgEventTypePrefix + "changed"
+	OrgDeactivatedEventType = orgEventTypePrefix + "deactivated"
+	OrgReactivatedEventType = orgEventTypePrefix + "reactivated"
+	OrgRemovedEventType     = orgEventTypePrefix + "removed"
 )
 
 type OrgAddedEvent struct {
@@ -31,7 +31,7 @@ func NewOrgAddedEvent(ctx context.Context, name string) *OrgAddedEvent {
 	return &OrgAddedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
 			ctx,
-			OrgAdded,
+			OrgAddedEventType,
 		),
 		Name: name,
 	}
@@ -63,7 +63,7 @@ func NewOrgChangedEvent(ctx context.Context, name string) *OrgChangedEvent {
 	return &OrgChangedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
 			ctx,
-			OrgChanged,
+			OrgChangedEventType,
 		),
 		Name: name,
 	}
@@ -80,3 +80,61 @@ func OrgChangedEventMapper(event *repository.Event) (eventstore.EventReader, err
 
 	return orgChanged, nil
 }
+
+type OrgDeactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *OrgDeactivatedEvent) Data() interface{} {
+	return e
+}
+
+func NewOrgDeactivatedEvent(ctx context.Context) *OrgDeactivatedEvent {
+	return &OrgDeactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			OrgDeactivatedEventType,
+		),
+	}
+}
+
+func OrgDeactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	orgChanged := &OrgDeactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, orgChanged)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "ORG-DAfbs", "unable to unmarshal org deactivated")
+	}
+
+	return orgChanged, nil
+}
+
+type OrgReactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *OrgReactivatedEvent) Data() interface{} {
+	return e
+}
+
+func NewOrgReactivatedEvent(ctx context.Context) *OrgReactivatedEvent {
+	return &OrgReactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			OrgReactivatedEventType,
+		),
+	}
+}
+
+func OrgReactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	orgChanged := &OrgReactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, orgChanged)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "ORG-DAfbs", "unable to unmarshal org deactivated")
+	}
+
+	return orgChanged, nil
+}

internal/v2/repository/org/policy_label.go

@@ -1,18 +1,91 @@
 package org
 
 import (
+	"context"
+
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
 	"github.com/caos/zitadel/internal/v2/repository/policy"
 )
 
 var (
 	LabelPolicyAddedEventType   = orgEventTypePrefix + policy.LabelPolicyAddedEventType
 	LabelPolicyChangedEventType = orgEventTypePrefix + policy.LabelPolicyChangedEventType
+	LabelPolicyRemovedEventType = orgEventTypePrefix + policy.LabelPolicyRemovedEventType
 )
 
 type LabelPolicyAddedEvent struct {
 	policy.LabelPolicyAddedEvent
 }
 
+func NewLabelPolicyAddedEvent(
+	ctx context.Context,
+	primaryColor,
+	secondaryColor string,
+) *LabelPolicyAddedEvent {
+	return &LabelPolicyAddedEvent{
+		LabelPolicyAddedEvent: *policy.NewLabelPolicyAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, LabelPolicyAddedEventType),
+			primaryColor,
+			secondaryColor),
+	}
+}
+
+func LabelPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.LabelPolicyAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LabelPolicyAddedEvent{LabelPolicyAddedEvent: *e.(*policy.LabelPolicyAddedEvent)}, nil
+}
+
 type LabelPolicyChangedEvent struct {
 	policy.LabelPolicyChangedEvent
 }
+
+func NewLabelPolicyChangedEvent(
+	ctx context.Context,
+	changes []policy.LabelPolicyChanges,
+) (*LabelPolicyChangedEvent, error) {
+	changedEvent, err := policy.NewLabelPolicyChangedEvent(
+		eventstore.NewBaseEventForPush(ctx, LabelPolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &LabelPolicyChangedEvent{LabelPolicyChangedEvent: *changedEvent}, nil
+}
+
+func LabelPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.LabelPolicyChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LabelPolicyChangedEvent{LabelPolicyChangedEvent: *e.(*policy.LabelPolicyChangedEvent)}, nil
+}
+
+type LabelPolicyRemovedEvent struct {
+	policy.LabelPolicyRemovedEvent
+}
+
+func NewLabelPolicyRemovedEvent(
+	ctx context.Context,
+) *LabelPolicyRemovedEvent {
+	return &LabelPolicyRemovedEvent{
+		LabelPolicyRemovedEvent: *policy.NewLabelPolicyRemovedEvent(
+			eventstore.NewBaseEventForPush(ctx, LabelPolicyRemovedEventType),
+		),
+	}
+}
+
+func LabelPolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.LabelPolicyRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LabelPolicyRemovedEvent{LabelPolicyRemovedEvent: *e.(*policy.LabelPolicyRemovedEvent)}, nil
+}

internal/v2/repository/org/policy_login.go

@@ -1,18 +1,98 @@
 package org
 
 import (
+	"context"
+
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/policy"
 )
 
 var (
 	LoginPolicyAddedEventType   = orgEventTypePrefix + policy.LoginPolicyAddedEventType
 	LoginPolicyChangedEventType = orgEventTypePrefix + policy.LoginPolicyChangedEventType
+	LoginPolicyRemovedEventType = orgEventTypePrefix + policy.LoginPolicyRemovedEventType
 )
 
 type LoginPolicyAddedEvent struct {
 	policy.LoginPolicyAddedEvent
 }
 
+func NewLoginPolicyAddedEvent(
+	ctx context.Context,
+	allowUsernamePassword,
+	allowRegister,
+	allowExternalIDP,
+	forceMFA bool,
+	passwordlessType domain.PasswordlessType,
+) *LoginPolicyAddedEvent {
+	return &LoginPolicyAddedEvent{
+		LoginPolicyAddedEvent: *policy.NewLoginPolicyAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, LoginPolicyAddedEventType),
+			allowUsernamePassword,
+			allowRegister,
+			allowExternalIDP,
+			forceMFA,
+			passwordlessType),
+	}
+}
+
+func LoginPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.LoginPolicyAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicyAddedEvent{LoginPolicyAddedEvent: *e.(*policy.LoginPolicyAddedEvent)}, nil
+}
+
 type LoginPolicyChangedEvent struct {
 	policy.LoginPolicyChangedEvent
 }
+
+func NewLoginPolicyChangedEvent(
+	ctx context.Context,
+	changes []policy.LoginPolicyChanges,
+) (*LoginPolicyChangedEvent, error) {
+	changedEvent, err := policy.NewLoginPolicyChangedEvent(
+		eventstore.NewBaseEventForPush(ctx, LoginPolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &LoginPolicyChangedEvent{LoginPolicyChangedEvent: *changedEvent}, nil
+}
+
+func LoginPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.LoginPolicyChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicyChangedEvent{LoginPolicyChangedEvent: *e.(*policy.LoginPolicyChangedEvent)}, nil
+}
+
+type LoginPolicyRemovedEvent struct {
+	policy.LoginPolicyRemovedEvent
+}
+
+func NewLoginPolicyRemovedEvent(
+	ctx context.Context,
+) *LoginPolicyRemovedEvent {
+	return &LoginPolicyRemovedEvent{
+		LoginPolicyRemovedEvent: *policy.NewLoginPolicyRemovedEvent(
+			eventstore.NewBaseEventForPush(ctx, LoginPolicyRemovedEventType),
+		),
+	}
+}
+
+func LoginPolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.LoginPolicyRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicyRemovedEvent{LoginPolicyRemovedEvent: *e.(*policy.LoginPolicyRemovedEvent)}, nil
+}

internal/v2/repository/org/policy_login_factors.go

@@ -0,0 +1,123 @@
+package org
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/domain"
+	"github.com/caos/zitadel/internal/v2/repository/policy"
+)
+
+var (
+	LoginPolicySecondFactorAddedEventType   = orgEventTypePrefix + policy.LoginPolicySecondFactorAddedEventType
+	LoginPolicySecondFactorRemovedEventType = orgEventTypePrefix + policy.LoginPolicySecondFactorRemovedEventType
+
+	LoginPolicyMultiFactorAddedEventType   = orgEventTypePrefix + policy.LoginPolicyMultiFactorAddedEventType
+	LoginPolicyMultiFactorRemovedEventType = orgEventTypePrefix + policy.LoginPolicyMultiFactorRemovedEventType
+)
+
+type LoginPolicySecondFactorAddedEvent struct {
+	policy.SecondFactorAddedEvent
+}
+
+func NewLoginPolicySecondFactorAddedEvent(
+	ctx context.Context,
+	mfaType domain.SecondFactorType,
+) *LoginPolicySecondFactorAddedEvent {
+	return &LoginPolicySecondFactorAddedEvent{
+		SecondFactorAddedEvent: *policy.NewSecondFactorAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, LoginPolicySecondFactorAddedEventType),
+			mfaType),
+	}
+}
+
+func SecondFactorAddedEventEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.SecondFactorAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicySecondFactorAddedEvent{
+		SecondFactorAddedEvent: *e.(*policy.SecondFactorAddedEvent),
+	}, nil
+}
+
+type LoginPolicySecondFactorRemovedEvent struct {
+	policy.SecondFactorRemovedEvent
+}
+
+func NewLoginPolicySecondFactorRemovedEvent(
+	ctx context.Context,
+	mfaType domain.SecondFactorType,
+) *LoginPolicySecondFactorRemovedEvent {
+
+	return &LoginPolicySecondFactorRemovedEvent{
+		SecondFactorRemovedEvent: *policy.NewSecondFactorRemovedEvent(
+			eventstore.NewBaseEventForPush(ctx, LoginPolicySecondFactorRemovedEventType),
+			mfaType),
+	}
+}
+
+func SecondFactorRemovedEventEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.SecondFactorRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicySecondFactorRemovedEvent{
+		SecondFactorRemovedEvent: *e.(*policy.SecondFactorRemovedEvent),
+	}, nil
+}
+
+type LoginPolicyMultiFactorAddedEvent struct {
+	policy.MultiFactorAddedEvent
+}
+
+func NewLoginPolicyMultiFactorAddedEvent(
+	ctx context.Context,
+	mfaType domain.MultiFactorType,
+) *LoginPolicyMultiFactorAddedEvent {
+	return &LoginPolicyMultiFactorAddedEvent{
+		MultiFactorAddedEvent: *policy.NewMultiFactorAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, LoginPolicyMultiFactorAddedEventType),
+			mfaType),
+	}
+}
+
+func MultiFactorAddedEventEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.MultiFactorAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicyMultiFactorAddedEvent{
+		MultiFactorAddedEvent: *e.(*policy.MultiFactorAddedEvent),
+	}, nil
+}
+
+type LoginPolicyMultiFactorRemovedEvent struct {
+	policy.MultiFactorRemovedEvent
+}
+
+func NewLoginPolicyMultiFactorRemovedEvent(
+	ctx context.Context,
+	mfaType domain.MultiFactorType,
+) *LoginPolicyMultiFactorRemovedEvent {
+
+	return &LoginPolicyMultiFactorRemovedEvent{
+		MultiFactorRemovedEvent: *policy.NewMultiFactorRemovedEvent(
+			eventstore.NewBaseEventForPush(ctx, LoginPolicyMultiFactorRemovedEventType),
+			mfaType),
+	}
+}
+
+func MultiFactorRemovedEventEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.MultiFactorRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicyMultiFactorRemovedEvent{
+		MultiFactorRemovedEvent: *e.(*policy.MultiFactorRemovedEvent),
+	}, nil
+}

internal/v2/repository/org/policy_login_identity_provider.go

@@ -0,0 +1,69 @@
+package org
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/domain"
+	"github.com/caos/zitadel/internal/v2/repository/policy"
+)
+
+var (
+	LoginPolicyIDPProviderAddedEventType   = orgEventTypePrefix + policy.LoginPolicyIDPProviderAddedType
+	LoginPolicyIDPProviderRemovedEventType = orgEventTypePrefix + policy.LoginPolicyIDPProviderRemovedType
+)
+
+type IdentityProviderAddedEvent struct {
+	policy.IdentityProviderAddedEvent
+}
+
+func NewIdentityProviderAddedEvent(
+	ctx context.Context,
+	idpConfigID string,
+	idpProviderType domain.IdentityProviderType,
+) *IdentityProviderAddedEvent {
+
+	return &IdentityProviderAddedEvent{
+		IdentityProviderAddedEvent: *policy.NewIdentityProviderAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, LoginPolicyIDPProviderAddedEventType),
+			idpConfigID,
+			idpProviderType),
+	}
+}
+
+func IdentityProviderAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.IdentityProviderAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IdentityProviderAddedEvent{
+		IdentityProviderAddedEvent: *e.(*policy.IdentityProviderAddedEvent),
+	}, nil
+}
+
+type IdentityProviderRemovedEvent struct {
+	policy.IdentityProviderRemovedEvent
+}
+
+func NewIdentityProviderRemovedEvent(
+	ctx context.Context,
+	idpConfigID string,
+) *IdentityProviderRemovedEvent {
+	return &IdentityProviderRemovedEvent{
+		IdentityProviderRemovedEvent: *policy.NewIdentityProviderRemovedEvent(
+			eventstore.NewBaseEventForPush(ctx, LoginPolicyIDPProviderRemovedEventType),
+			idpConfigID),
+	}
+}
+
+func IdentityProviderRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.IdentityProviderRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IdentityProviderRemovedEvent{
+		IdentityProviderRemovedEvent: *e.(*policy.IdentityProviderRemovedEvent),
+	}, nil
+}

internal/v2/repository/org/policy_org_iam.go

@@ -13,6 +13,7 @@ var (
 	//OrgIAMPolicyChangedEventType = orgEventTypePrefix + policy.OrgIAMPolicyChangedEventType
 	OrgIAMPolicyAddedEventType   = orgEventTypePrefix + "iam.policy.added"
 	OrgIAMPolicyChangedEventType = orgEventTypePrefix + "iam.policy.changed"
+	OrgIAMPolicyRemovedEventType = orgEventTypePrefix + "iam.policy.removed"
 )
 
 type OrgIAMPolicyAddedEvent struct {
@@ -46,12 +47,16 @@ type OrgIAMPolicyChangedEvent struct {
 
 func NewOrgIAMPolicyChangedEvent(
 	ctx context.Context,
-) *OrgIAMPolicyChangedEvent {
-	return &OrgIAMPolicyChangedEvent{
-		OrgIAMPolicyChangedEvent: *policy.NewOrgIAMPolicyChangedEvent(
-			eventstore.NewBaseEventForPush(ctx, OrgIAMPolicyChangedEventType),
-		),
+	changes []policy.OrgIAMPolicyChanges,
+) (*OrgIAMPolicyChangedEvent, error) {
+	changedEvent, err := policy.NewOrgIAMPolicyChangedEvent(
+		eventstore.NewBaseEventForPush(ctx, OrgIAMPolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
 	}
+	return &OrgIAMPolicyChangedEvent{OrgIAMPolicyChangedEvent: *changedEvent}, nil
 }
 
 func OrgIAMPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
@@ -62,3 +67,26 @@ func OrgIAMPolicyChangedEventMapper(event *repository.Event) (eventstore.EventRe
 
 	return &OrgIAMPolicyChangedEvent{OrgIAMPolicyChangedEvent: *e.(*policy.OrgIAMPolicyChangedEvent)}, nil
 }
+
+type OrgIAMPolicyRemovedEvent struct {
+	policy.OrgIAMPolicyRemovedEvent
+}
+
+func NewOrgIAMPolicyRemovedEvent(
+	ctx context.Context,
+) *OrgIAMPolicyRemovedEvent {
+	return &OrgIAMPolicyRemovedEvent{
+		OrgIAMPolicyRemovedEvent: *policy.NewOrgIAMPolicyRemovedEvent(
+			eventstore.NewBaseEventForPush(ctx, OrgIAMPolicyRemovedEventType),
+		),
+	}
+}
+
+func OrgIAMPolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.OrgIAMPolicyRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &OrgIAMPolicyRemovedEvent{OrgIAMPolicyRemovedEvent: *e.(*policy.OrgIAMPolicyRemovedEvent)}, nil
+}

internal/v2/repository/org/policy_password_age.go

@@ -1,18 +1,91 @@
 package org
 
 import (
+	"context"
+
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
 	"github.com/caos/zitadel/internal/v2/repository/policy"
 )
 
 var (
 	PasswordAgePolicyAddedEventType   = orgEventTypePrefix + policy.PasswordAgePolicyAddedEventType
 	PasswordAgePolicyChangedEventType = orgEventTypePrefix + policy.PasswordAgePolicyChangedEventType
+	PasswordAgePolicyRemovedEventType = orgEventTypePrefix + policy.PasswordAgePolicyRemovedEventType
 )
 
 type PasswordAgePolicyAddedEvent struct {
 	policy.PasswordAgePolicyAddedEvent
 }
 
+func NewPasswordAgePolicyAddedEvent(
+	ctx context.Context,
+	expireWarnDays,
+	maxAgeDays uint64,
+) *PasswordAgePolicyAddedEvent {
+	return &PasswordAgePolicyAddedEvent{
+		PasswordAgePolicyAddedEvent: *policy.NewPasswordAgePolicyAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, PasswordAgePolicyAddedEventType),
+			expireWarnDays,
+			maxAgeDays),
+	}
+}
+
+func PasswordAgePolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.PasswordAgePolicyAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordAgePolicyAddedEvent{PasswordAgePolicyAddedEvent: *e.(*policy.PasswordAgePolicyAddedEvent)}, nil
+}
+
 type PasswordAgePolicyChangedEvent struct {
 	policy.PasswordAgePolicyChangedEvent
 }
+
+func NewPasswordAgePolicyChangedEvent(
+	ctx context.Context,
+	changes []policy.PasswordAgePolicyChanges,
+) (*PasswordAgePolicyChangedEvent, error) {
+	changedEvent, err := policy.NewPasswordAgePolicyChangedEvent(
+		eventstore.NewBaseEventForPush(ctx, PasswordAgePolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &PasswordAgePolicyChangedEvent{PasswordAgePolicyChangedEvent: *changedEvent}, nil
+}
+
+func PasswordAgePolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.PasswordAgePolicyChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordAgePolicyChangedEvent{PasswordAgePolicyChangedEvent: *e.(*policy.PasswordAgePolicyChangedEvent)}, nil
+}
+
+type PasswordAgePolicyRemovedEvent struct {
+	policy.PasswordAgePolicyRemovedEvent
+}
+
+func NewPasswordAgePolicyRemovedEvent(
+	ctx context.Context,
+) *PasswordAgePolicyRemovedEvent {
+	return &PasswordAgePolicyRemovedEvent{
+		PasswordAgePolicyRemovedEvent: *policy.NewPasswordAgePolicyRemovedEvent(
+			eventstore.NewBaseEventForPush(ctx, PasswordAgePolicyRemovedEventType),
+		),
+	}
+}
+
+func PasswordAgePolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.PasswordAgePolicyRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordAgePolicyRemovedEvent{PasswordAgePolicyRemovedEvent: *e.(*policy.PasswordAgePolicyRemovedEvent)}, nil
+}

internal/v2/repository/org/policy_password_complexity.go

@@ -10,6 +10,7 @@ import (
 var (
 	PasswordComplexityPolicyAddedEventType   = orgEventTypePrefix + policy.PasswordComplexityPolicyAddedEventType
 	PasswordComplexityPolicyChangedEventType = orgEventTypePrefix + policy.PasswordComplexityPolicyChangedEventType
+	PasswordComplexityPolicyRemovedEventType = orgEventTypePrefix + policy.PasswordComplexityPolicyRemovedEventType
 )
 
 type PasswordComplexityPolicyAddedEvent struct {
@@ -50,12 +51,16 @@ type PasswordComplexityPolicyChangedEvent struct {
 
 func NewPasswordComplexityPolicyChangedEvent(
 	ctx context.Context,
-) *PasswordComplexityPolicyChangedEvent {
-	return &PasswordComplexityPolicyChangedEvent{
-		PasswordComplexityPolicyChangedEvent: *policy.NewPasswordComplexityPolicyChangedEvent(
-			eventstore.NewBaseEventForPush(ctx, PasswordComplexityPolicyAddedEventType),
-		),
+	changes []policy.PasswordComplexityPolicyChanges,
+) (*PasswordComplexityPolicyChangedEvent, error) {
+	changedEvent, err := policy.NewPasswordComplexityPolicyChangedEvent(
+		eventstore.NewBaseEventForPush(ctx, PasswordComplexityPolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
 	}
+	return &PasswordComplexityPolicyChangedEvent{PasswordComplexityPolicyChangedEvent: *changedEvent}, nil
 }
 
 func PasswordComplexityPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
@@ -66,3 +71,26 @@ func PasswordComplexityPolicyChangedEventMapper(event *repository.Event) (events
 
 	return &PasswordComplexityPolicyChangedEvent{PasswordComplexityPolicyChangedEvent: *e.(*policy.PasswordComplexityPolicyChangedEvent)}, nil
 }
+
+type PasswordComplexityPolicyRemovedEvent struct {
+	policy.PasswordComplexityPolicyRemovedEvent
+}
+
+func NewPasswordComplexityPolicyRemovedEvent(
+	ctx context.Context,
+) *PasswordComplexityPolicyRemovedEvent {
+	return &PasswordComplexityPolicyRemovedEvent{
+		PasswordComplexityPolicyRemovedEvent: *policy.NewPasswordComplexityPolicyRemovedEvent(
+			eventstore.NewBaseEventForPush(ctx, PasswordComplexityPolicyRemovedEventType),
+		),
+	}
+}
+
+func PasswordComplexityPolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.PasswordComplexityPolicyRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordComplexityPolicyRemovedEvent{PasswordComplexityPolicyRemovedEvent: *e.(*policy.PasswordComplexityPolicyRemovedEvent)}, nil
+}

internal/v2/repository/org/policy_password_lockout.go

@@ -1,18 +1,91 @@
 package org
 
 import (
+	"context"
+
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
 	"github.com/caos/zitadel/internal/v2/repository/policy"
 )
 
 var (
 	PasswordLockoutPolicyAddedEventType   = orgEventTypePrefix + policy.PasswordLockoutPolicyAddedEventType
 	PasswordLockoutPolicyChangedEventType = orgEventTypePrefix + policy.PasswordLockoutPolicyChangedEventType
+	PasswordLockoutPolicyRemovedEventType = orgEventTypePrefix + policy.PasswordLockoutPolicyRemovedEventType
 )
 
 type PasswordLockoutPolicyAddedEvent struct {
 	policy.PasswordLockoutPolicyAddedEvent
 }
 
+func NewPasswordLockoutPolicyAddedEvent(
+	ctx context.Context,
+	maxAttempts uint64,
+	showLockoutFailure bool,
+) *PasswordLockoutPolicyAddedEvent {
+	return &PasswordLockoutPolicyAddedEvent{
+		PasswordLockoutPolicyAddedEvent: *policy.NewPasswordLockoutPolicyAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, PasswordLockoutPolicyAddedEventType),
+			maxAttempts,
+			showLockoutFailure),
+	}
+}
+
+func PasswordLockoutPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.PasswordLockoutPolicyAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordLockoutPolicyAddedEvent{PasswordLockoutPolicyAddedEvent: *e.(*policy.PasswordLockoutPolicyAddedEvent)}, nil
+}
+
 type PasswordLockoutPolicyChangedEvent struct {
 	policy.PasswordLockoutPolicyChangedEvent
 }
+
+func NewPasswordLockoutPolicyChangedEvent(
+	ctx context.Context,
+	changes []policy.PasswordLockoutPolicyChanges,
+) (*PasswordLockoutPolicyChangedEvent, error) {
+	changedEvent, err := policy.NewPasswordLockoutPolicyChangedEvent(
+		eventstore.NewBaseEventForPush(ctx, PasswordLockoutPolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &PasswordLockoutPolicyChangedEvent{PasswordLockoutPolicyChangedEvent: *changedEvent}, nil
+}
+
+func PasswordLockoutPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.PasswordLockoutPolicyChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordLockoutPolicyChangedEvent{PasswordLockoutPolicyChangedEvent: *e.(*policy.PasswordLockoutPolicyChangedEvent)}, nil
+}
+
+type PasswordLockoutPolicyRemovedEvent struct {
+	policy.PasswordLockoutPolicyRemovedEvent
+}
+
+func NewPasswordLockoutPolicyRemovedEvent(
+	ctx context.Context,
+) *PasswordLockoutPolicyRemovedEvent {
+	return &PasswordLockoutPolicyRemovedEvent{
+		PasswordLockoutPolicyRemovedEvent: *policy.NewPasswordLockoutPolicyRemovedEvent(
+			eventstore.NewBaseEventForPush(ctx, PasswordLockoutPolicyRemovedEventType),
+		),
+	}
+}
+
+func PasswordLockoutPolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.PasswordLockoutPolicyRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordLockoutPolicyRemovedEvent{PasswordLockoutPolicyRemovedEvent: *e.(*policy.PasswordLockoutPolicyRemovedEvent)}, nil
+}