feat: Private label email policy (#813)

* Label Policy added * save * chore: update docs action * Save * Save * Get colors from DB * Variables inserted * Get images from global directory. * Add tests * Add tests * Corrections from mergerequest * Corrections from mergerequest * Test corrected. * Added colors to all notifications. * Added colors to Corrected text and formatting.all notifications. * Spelling error corrected. * fix: tests * Merge Branch corrected. * Step6 added * Corrections from mergerequest * fix: generate management * Formatted texts. * fix: migrations Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: adlerhurst <silvan.reusser@gmail.com> Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com>
2025-08-11 19:07:30 +00:00 · 2020-10-20 19:10:23 +02:00
parent cfd119924f
commit 42384763d1
65 changed files with 7143 additions and 13940 deletions
--- a/internal/iam/model/iam.go
+++ b/internal/iam/model/iam.go
@@ -12,6 +12,7 @@ const (
 	Step3
 	Step4
 	Step5
+	Step6
 	//StepCount marks the the length of possible steps (StepCount-1 == last possible step)
 	StepCount
 )
@@ -25,6 +26,7 @@ type IAM struct {
 	Members                         []*IAMMember
 	IDPs                            []*IDPConfig
 	DefaultLoginPolicy              *LoginPolicy
+	DefaultLabelPolicy              *LabelPolicy
 	DefaultOrgIAMPolicy             *OrgIAMPolicy
 	DefaultPasswordComplexityPolicy *PasswordComplexityPolicy
 	DefaultPasswordAgePolicy        *PasswordAgePolicy
--- a/internal/iam/model/label_policy.go
+++ b/internal/iam/model/label_policy.go
@@ -0,0 +1,18 @@
+package model
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/models"
+)
+
+type LabelPolicy struct {
+	models.ObjectRoot
+
+	State          PolicyState
+	Default        bool
+	PrimaryColor   string
+	SecondaryColor string
+}
+
+func (p *LabelPolicy) IsValid() bool {
+	return p.ObjectRoot.AggregateID != ""
+}
--- a/internal/iam/model/label_policy_view.go
+++ b/internal/iam/model/label_policy_view.go
@@ -0,0 +1,48 @@
+package model
+
+import (
+	"time"
+
+	"github.com/caos/zitadel/internal/model"
+)
+
+type LabelPolicyView struct {
+	AggregateID    string
+	PrimaryColor   string
+	SecondaryColor string
+	Default        bool
+
+	CreationDate time.Time
+	ChangeDate   time.Time
+	Sequence     uint64
+}
+
+type LabelPolicySearchRequest struct {
+	Offset        uint64
+	Limit         uint64
+	SortingColumn LabelPolicySearchKey
+	Asc           bool
+	Queries       []*LabelPolicySearchQuery
+}
+
+type LabelPolicySearchKey int32
+
+const (
+	LabelPolicySearchKeyUnspecified LabelPolicySearchKey = iota
+	LabelPolicySearchKeyAggregateID
+)
+
+type LabelPolicySearchQuery struct {
+	Key    LabelPolicySearchKey
+	Method model.SearchMethod
+	Value  interface{}
+}
+
+type LabelPolicySearchResponse struct {
+	Offset      uint64
+	Limit       uint64
+	TotalResult uint64
+	Result      []*LabelPolicyView
+	Sequence    uint64
+	Timestamp   time.Time
+}
--- a/internal/iam/repository/eventsourcing/eventstore.go
+++ b/internal/iam/repository/eventsourcing/eventstore.go
@@ -2,6 +2,7 @@ package eventsourcing

 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/cache/config"
 	sd "github.com/caos/zitadel/internal/config/systemdefaults"
 	"github.com/caos/zitadel/internal/crypto"
@@ -415,6 +416,68 @@ func (es *IAMEventstore) ChangeIDPOIDCConfig(ctx context.Context, config *iam_mo
 	return nil, caos_errs.ThrowInternal(nil, "EVENT-Sldk8", "Errors.Internal")
 }

+func (es *IAMEventstore) PrepareAddLabelPolicy(ctx context.Context, policy *iam_model.LabelPolicy) (*model.IAM, *models.Aggregate, error) {
+	if policy == nil || policy.AggregateID == "" {
+		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-VwlDv", "Errors.IAM.LabelPolicy.Empty")
+	}
+	iam, err := es.IAMByID(ctx, policy.AggregateID)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	repoIam := model.IAMFromModel(iam)
+	labelPolicy := model.LabelPolicyFromModel(policy)
+
+	addAggregate := LabelPolicyAddedAggregate(es.Eventstore.AggregateCreator(), repoIam, labelPolicy)
+	aggregate, err := addAggregate(ctx)
+	if err != nil {
+		return nil, nil, err
+	}
+	return repoIam, aggregate, nil
+}
+
+func (es *IAMEventstore) AddLabelPolicy(ctx context.Context, policy *iam_model.LabelPolicy) (*iam_model.LabelPolicy, error) {
+	if policy == nil || !policy.IsValid() {
+		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-aAPWI", "Errors.IAM.LabelPolicyInvalid")
+	}
+	iam, err := es.IAMByID(ctx, policy.AggregateID)
+	if err != nil {
+		return nil, err
+	}
+
+	repoIam := model.IAMFromModel(iam)
+	repoLabelPolicy := model.LabelPolicyFromModel(policy)
+
+	addAggregate := LabelPolicyAddedAggregate(es.Eventstore.AggregateCreator(), repoIam, repoLabelPolicy)
+	err = es_sdk.Push(ctx, es.PushAggregates, repoIam.AppendEvents, addAggregate)
+	if err != nil {
+		return nil, err
+	}
+	es.iamCache.cacheIAM(repoIam)
+	return model.LabelPolicyToModel(repoIam.DefaultLabelPolicy), nil
+}
+
+func (es *IAMEventstore) ChangeLabelPolicy(ctx context.Context, policy *iam_model.LabelPolicy) (*iam_model.LabelPolicy, error) {
+	if policy == nil || !policy.IsValid() {
+		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-vRqjg", "Errors.IAM.LabelPolicyInvalid")
+	}
+	iam, err := es.IAMByID(ctx, policy.AggregateID)
+	if err != nil {
+		return nil, err
+	}
+
+	repoIam := model.IAMFromModel(iam)
+	repoLabelPolicy := model.LabelPolicyFromModel(policy)
+
+	addAggregate := LabelPolicyChangedAggregate(es.Eventstore.AggregateCreator(), repoIam, repoLabelPolicy)
+	err = es_sdk.Push(ctx, es.PushAggregates, repoIam.AppendEvents, addAggregate)
+	if err != nil {
+		return nil, err
+	}
+	es.iamCache.cacheIAM(repoIam)
+	return model.LabelPolicyToModel(repoIam.DefaultLabelPolicy), nil
+}
+
 func (es *IAMEventstore) PrepareAddLoginPolicy(ctx context.Context, policy *iam_model.LoginPolicy) (*model.IAM, *models.Aggregate, error) {
 	if policy == nil || !policy.IsValid() {
 		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-Lso02", "Errors.IAM.LoginPolicyInvalid")
--- a/internal/iam/repository/eventsourcing/eventstore_mock_test.go
+++ b/internal/iam/repository/eventsourcing/eventstore_mock_test.go
@@ -2,6 +2,7 @@ package eventsourcing

 import (
 	"encoding/json"
+
 	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/id"

@@ -182,3 +183,16 @@ func GetMockManipulateIAMNotExisting(ctrl *gomock.Controller) *IAMEventstore {
 	mockEs.EXPECT().PushAggregates(gomock.Any(), gomock.Any()).Return(nil)
 	return GetMockedEventstore(ctrl, mockEs)
 }
+
+func GetMockManipulateIAMWithLabelPolicy(ctrl *gomock.Controller) *IAMEventstore {
+	policyData, _ := json.Marshal(model.LabelPolicy{PrimaryColor: "000001", SecondaryColor: "FFFFF1"})
+	events := []*es_models.Event{
+		&es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: model.IAMSetupStarted},
+		&es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: model.LabelPolicyAdded, Data: policyData},
+	}
+	mockEs := mock.NewMockEventstore(ctrl)
+	mockEs.EXPECT().FilterEvents(gomock.Any(), gomock.Any()).Return(events, nil)
+	mockEs.EXPECT().AggregateCreator().Return(es_models.NewAggregateCreator("TEST"))
+	mockEs.EXPECT().PushAggregates(gomock.Any(), gomock.Any()).Return(nil)
+	return GetMockedEventstore(ctrl, mockEs)
+}
--- a/internal/iam/repository/eventsourcing/eventstore_test.go
+++ b/internal/iam/repository/eventsourcing/eventstore_test.go
@@ -1657,6 +1657,170 @@ func TestRemoveIdpProviderFromLoginPolicy(t *testing.T) {
 	}
 }

+func TestAddLabelPolicy(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	type args struct {
+		es     *IAMEventstore
+		ctx    context.Context
+		policy *iam_model.LabelPolicy
+	}
+	type res struct {
+		result  *iam_model.LabelPolicy
+		wantErr bool
+		errFunc func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "add label policy, ok",
+			args: args{
+				es:  GetMockManipulateIAM(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.LabelPolicy{
+					ObjectRoot:   es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					PrimaryColor: "000000",
+				},
+			},
+			res: res{
+				result: &iam_model.LabelPolicy{
+					ObjectRoot:   es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					PrimaryColor: "000000",
+				},
+			},
+		},
+		{
+			name: "invalid policy",
+			args: args{
+				es:  GetMockManipulateIAM(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.LabelPolicy{
+					ObjectRoot: es_models.ObjectRoot{Sequence: 0},
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "existing iam not found",
+			args: args{
+				es:  GetMockManipulateIAMNotExisting(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.LabelPolicy{
+					ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsNotFound,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := tt.args.es.AddLabelPolicy(tt.args.ctx, tt.args.policy)
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if result.PrimaryColor != tt.res.result.PrimaryColor {
+				t.Errorf("got wrong result PrimaryColor: expected: %v, actual: %v ", tt.res.result.PrimaryColor, result.PrimaryColor)
+			}
+		})
+	}
+}
+
+func TestChangeLabelPolicy(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	type args struct {
+		es     *IAMEventstore
+		ctx    context.Context
+		policy *iam_model.LabelPolicy
+	}
+	type res struct {
+		result  *iam_model.LabelPolicy
+		wantErr bool
+		errFunc func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "change label policy, ok",
+			args: args{
+				es:  GetMockManipulateIAMWithLabelPolicy(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.LabelPolicy{
+					ObjectRoot:     es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					PrimaryColor:   "000000",
+					SecondaryColor: "FFFFFF",
+				},
+			},
+			res: res{
+				result: &iam_model.LabelPolicy{
+					ObjectRoot:     es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					PrimaryColor:   "000000",
+					SecondaryColor: "FFFFFF",
+				},
+			},
+		},
+		{
+			name: "invalid policy",
+			args: args{
+				es:  GetMockManipulateIAM(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.LabelPolicy{
+					ObjectRoot: es_models.ObjectRoot{Sequence: 0},
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "existing iam not found",
+			args: args{
+				es:  GetMockManipulateIAMNotExisting(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.LabelPolicy{
+					ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsNotFound,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := tt.args.es.ChangeLabelPolicy(tt.args.ctx, tt.args.policy)
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if result.PrimaryColor != tt.res.result.PrimaryColor {
+				t.Errorf("got wrong result PrimaryColor: expected: %v, actual: %v ", tt.res.result.PrimaryColor, result.PrimaryColor)
+			}
+			if result.SecondaryColor != tt.res.result.SecondaryColor {
+				t.Errorf("got wrong result SecondaryColor: expected: %v, actual: %v ", tt.res.result.SecondaryColor, result.SecondaryColor)
+			}
+		})
+	}
+}
 func TestAddPasswordComplexityPolicy(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	type args struct {
--- a/internal/iam/repository/eventsourcing/iam.go
+++ b/internal/iam/repository/eventsourcing/iam.go
@@ -2,6 +2,7 @@ package eventsourcing

 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/errors"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
@@ -231,6 +232,54 @@ func OIDCIDPConfigChangedAggregate(aggCreator *es_models.AggregateCreator, exist
 		return agg.AppendEvent(model.OIDCIDPConfigChanged, changes)
 	}
 }
+func LabelPolicyAddedAggregate(aggCreator *es_models.AggregateCreator, existing *model.IAM, policy *model.LabelPolicy) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if policy == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-e248Y", "Errors.Internal")
+		}
+		agg, err := IAMAggregate(ctx, aggCreator, existing)
+		if err != nil {
+			return nil, err
+		}
+		validationQuery := es_models.NewSearchQuery().
+			AggregateTypeFilter(model.IAMAggregate).
+			EventTypesFilter(model.LabelPolicyAdded).
+			AggregateIDFilter(existing.AggregateID)
+
+		validation := checkExistingLabelPolicyValidation()
+		agg.SetPrecondition(validationQuery, validation)
+		return agg.AppendEvent(model.LabelPolicyAdded, policy)
+	}
+}
+
+func checkExistingLabelPolicyValidation() func(...*es_models.Event) error {
+	return func(events ...*es_models.Event) error {
+		for _, event := range events {
+			switch event.Type {
+			case model.LabelPolicyAdded:
+				return errors.ThrowPreconditionFailed(nil, "EVENT-KyLIK", "Errors.IAM.LabelPolicy.AlreadyExists")
+			}
+		}
+		return nil
+	}
+}
+
+func LabelPolicyChangedAggregate(aggCreator *es_models.AggregateCreator, existing *model.IAM, policy *model.LabelPolicy) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if policy == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-uP6HQ", "Errors.Internal")
+		}
+		agg, err := IAMAggregate(ctx, aggCreator, existing)
+		if err != nil {
+			return nil, err
+		}
+		changes := existing.DefaultLabelPolicy.Changes(policy)
+		if len(changes) == 0 {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-hZE24", "Errors.NoChangesFound")
+		}
+		return agg.AppendEvent(model.LabelPolicyChanged, changes)
+	}
+}

 func LoginPolicyAddedAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, existing *model.IAM, policy *model.LoginPolicy) (*es_models.Aggregate, error) {
 	if policy == nil {
--- a/internal/iam/repository/eventsourcing/model/iam.go
+++ b/internal/iam/repository/eventsourcing/model/iam.go
@@ -30,6 +30,7 @@ type IAM struct {
 	Members                         []*IAMMember              `json:"-"`
 	IDPs                            []*IDPConfig              `json:"-"`
 	DefaultLoginPolicy              *LoginPolicy              `json:"-"`
+	DefaultLabelPolicy              *LabelPolicy              `json:"-"`
 	DefaultOrgIAMPolicy             *OrgIAMPolicy             `json:"-"`
 	DefaultPasswordComplexityPolicy *PasswordComplexityPolicy `json:"-"`
 	DefaultPasswordAgePolicy        *PasswordAgePolicy        `json:"-"`
@@ -51,6 +52,9 @@ func IAMFromModel(iam *model.IAM) *IAM {
 	if iam.DefaultLoginPolicy != nil {
 		converted.DefaultLoginPolicy = LoginPolicyFromModel(iam.DefaultLoginPolicy)
 	}
+	if iam.DefaultLabelPolicy != nil {
+		converted.DefaultLabelPolicy = LabelPolicyFromModel(iam.DefaultLabelPolicy)
+	}
 	if iam.DefaultPasswordComplexityPolicy != nil {
 		converted.DefaultPasswordComplexityPolicy = PasswordComplexityPolicyFromModel(iam.DefaultPasswordComplexityPolicy)
 	}
@@ -81,6 +85,9 @@ func IAMToModel(iam *IAM) *model.IAM {
 	if iam.DefaultLoginPolicy != nil {
 		converted.DefaultLoginPolicy = LoginPolicyToModel(iam.DefaultLoginPolicy)
 	}
+	if iam.DefaultLabelPolicy != nil {
+		converted.DefaultLabelPolicy = LabelPolicyToModel(iam.DefaultLabelPolicy)
+	}
 	if iam.DefaultPasswordComplexityPolicy != nil {
 		converted.DefaultPasswordComplexityPolicy = PasswordComplexityPolicyToModel(iam.DefaultPasswordComplexityPolicy)
 	}
@@ -161,6 +168,10 @@ func (i *IAM) AppendEvent(event *es_models.Event) (err error) {
 		return i.appendAddIDPProviderToLoginPolicyEvent(event)
 	case LoginPolicyIDPProviderRemoved:
 		return i.appendRemoveIDPProviderFromLoginPolicyEvent(event)
+	case LabelPolicyAdded:
+		return i.appendAddLabelPolicyEvent(event)
+	case LabelPolicyChanged:
+		return i.appendChangeLabelPolicyEvent(event)
 	case PasswordComplexityPolicyAdded:
 		return i.appendAddPasswordComplexityPolicyEvent(event)
 	case PasswordComplexityPolicyChanged:
--- a/internal/iam/repository/eventsourcing/model/label_policy.go
+++ b/internal/iam/repository/eventsourcing/model/label_policy.go
@@ -0,0 +1,78 @@
+package model
+
+import (
+	"encoding/json"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+)
+
+type LabelPolicy struct {
+	models.ObjectRoot
+	State          int32  `json:"-"`
+	PrimaryColor   string `json:"primaryColor"`
+	SecondaryColor string `json:"secondaryColor"`
+}
+
+func LabelPolicyToModel(policy *LabelPolicy) *iam_model.LabelPolicy {
+	return &iam_model.LabelPolicy{
+		ObjectRoot:     policy.ObjectRoot,
+		State:          iam_model.PolicyState(policy.State),
+		PrimaryColor:   policy.PrimaryColor,
+		SecondaryColor: policy.SecondaryColor,
+	}
+}
+
+func LabelPolicyFromModel(policy *iam_model.LabelPolicy) *LabelPolicy {
+	return &LabelPolicy{
+		ObjectRoot:     policy.ObjectRoot,
+		State:          int32(policy.State),
+		PrimaryColor:   policy.PrimaryColor,
+		SecondaryColor: policy.SecondaryColor,
+	}
+}
+
+func (p *LabelPolicy) Changes(changed *LabelPolicy) map[string]interface{} {
+	changes := make(map[string]interface{}, 2)
+
+	if changed.PrimaryColor != p.PrimaryColor {
+		changes["primaryColor"] = changed.PrimaryColor
+	}
+	if changed.SecondaryColor != p.SecondaryColor {
+		changes["secondaryColor"] = changed.SecondaryColor
+	}
+
+	return changes
+}
+
+func (i *IAM) appendAddLabelPolicyEvent(event *es_models.Event) error {
+	i.DefaultLabelPolicy = new(LabelPolicy)
+	err := i.DefaultLabelPolicy.SetDataLabel(event)
+	if err != nil {
+		return err
+	}
+	i.DefaultLabelPolicy.ObjectRoot.CreationDate = event.CreationDate
+	return nil
+}
+
+func (i *IAM) appendChangeLabelPolicyEvent(event *es_models.Event) error {
+	return i.DefaultLabelPolicy.SetDataLabel(event)
+}
+
+func (p *LabelPolicy) SetDataLabel(event *es_models.Event) error {
+	err := json.Unmarshal(event.Data, p)
+	if err != nil {
+		return errors.ThrowInternal(err, "MODEL-ikjhf", "unable to unmarshal data")
+	}
+	return nil
+}
+
+func (p *IDPProvider) SetDataLabel(event *es_models.Event) error {
+	err := json.Unmarshal(event.Data, p)
+	if err != nil {
+		return errors.ThrowInternal(err, "MODEL-c41Hn", "unable to unmarshal data")
+	}
+	return nil
+}
--- a/internal/iam/repository/eventsourcing/model/label_policy_test.go
+++ b/internal/iam/repository/eventsourcing/model/label_policy_test.go
@@ -0,0 +1,132 @@
+package model
+
+import (
+	"encoding/json"
+	"testing"
+
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+)
+
+func TestLabelPolicyChanges(t *testing.T) {
+	type args struct {
+		existing *LabelPolicy
+		new      *LabelPolicy
+	}
+	type res struct {
+		changesLen int
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "labelpolicy all attributes change",
+			args: args{
+				existing: &LabelPolicy{PrimaryColor: "000001", SecondaryColor: "FFFFFA"},
+				new:      &LabelPolicy{PrimaryColor: "000000", SecondaryColor: "FFFFFF"},
+			},
+			res: res{
+				changesLen: 2,
+			},
+		},
+		{
+			name: "no changes",
+			args: args{
+				existing: &LabelPolicy{PrimaryColor: "000000", SecondaryColor: "FFFFFF"},
+				new:      &LabelPolicy{PrimaryColor: "000000", SecondaryColor: "FFFFFF"},
+			},
+			res: res{
+				changesLen: 0,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			changes := tt.args.existing.Changes(tt.args.new)
+			if len(changes) != tt.res.changesLen {
+				t.Errorf("got wrong changes len: expected: %v, actual: %v ", tt.res.changesLen, len(changes))
+			}
+		})
+	}
+}
+
+func TestAppendAddLabelPolicyEvent(t *testing.T) {
+	type args struct {
+		iam    *IAM
+		policy *LabelPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *IAM
+	}{
+		{
+			name: "append add label policy event",
+			args: args{
+				iam:    new(IAM),
+				policy: &LabelPolicy{PrimaryColor: "000000", SecondaryColor: "FFFFFF"},
+				event:  new(es_models.Event),
+			},
+			result: &IAM{DefaultLabelPolicy: &LabelPolicy{PrimaryColor: "000000", SecondaryColor: "FFFFFF"}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.iam.appendAddLabelPolicyEvent(tt.args.event)
+			if tt.result.DefaultLabelPolicy.PrimaryColor != tt.args.iam.DefaultLabelPolicy.PrimaryColor {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultLabelPolicy.PrimaryColor, tt.args.iam.DefaultLabelPolicy.PrimaryColor)
+			}
+			if tt.result.DefaultLabelPolicy.SecondaryColor != tt.args.iam.DefaultLabelPolicy.SecondaryColor {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultLabelPolicy.SecondaryColor, tt.args.iam.DefaultLabelPolicy.SecondaryColor)
+			}
+		})
+	}
+}
+
+func TestAppendChangeLabelPolicyEvent(t *testing.T) {
+	type args struct {
+		iam    *IAM
+		policy *LabelPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *IAM
+	}{
+		{
+			name: "append change label policy event",
+			args: args{
+				iam: &IAM{DefaultLabelPolicy: &LabelPolicy{
+					PrimaryColor: "000001", SecondaryColor: "FFFFF0",
+				}},
+				policy: &LabelPolicy{PrimaryColor: "000000", SecondaryColor: "FFFFFF"},
+				event:  &es_models.Event{},
+			},
+			result: &IAM{DefaultLabelPolicy: &LabelPolicy{
+				PrimaryColor: "000000", SecondaryColor: "FFFFFF",
+			}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.iam.appendChangeLabelPolicyEvent(tt.args.event)
+			if tt.result.DefaultLabelPolicy.PrimaryColor != tt.args.iam.DefaultLabelPolicy.PrimaryColor {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultLabelPolicy.PrimaryColor, tt.args.iam.DefaultLabelPolicy.PrimaryColor)
+			}
+			if tt.result.DefaultLabelPolicy.SecondaryColor != tt.args.iam.DefaultLabelPolicy.SecondaryColor {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultLabelPolicy.SecondaryColor, tt.args.iam.DefaultLabelPolicy.SecondaryColor)
+			}
+		})
+	}
+}
--- a/internal/iam/repository/eventsourcing/model/types.go
+++ b/internal/iam/repository/eventsourcing/model/types.go
@@ -30,6 +30,8 @@ const (
 	LoginPolicyIDPProviderAdded          models.EventType = "iam.policy.login.idpprovider.added"
 	LoginPolicyIDPProviderRemoved        models.EventType = "iam.policy.login.idpprovider.removed"
 	LoginPolicyIDPProviderCascadeRemoved models.EventType = "iam.policy.login.idpprovider.cascade.removed"
+	LabelPolicyAdded                     models.EventType = "iam.policy.label.added"
+	LabelPolicyChanged                   models.EventType = "iam.policy.label.changed"

 	PasswordComplexityPolicyAdded   models.EventType = "iam.policy.password.complexity.added"
 	PasswordComplexityPolicyChanged models.EventType = "iam.policy.password.complexity.changed"
--- a/internal/iam/repository/view/label_policy_view.go
+++ b/internal/iam/repository/view/label_policy_view.go
@@ -0,0 +1,32 @@
+package view
+
+import (
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/iam/repository/view/model"
+	global_model "github.com/caos/zitadel/internal/model"
+	"github.com/caos/zitadel/internal/view/repository"
+	"github.com/jinzhu/gorm"
+)
+
+func GetLabelPolicyByAggregateID(db *gorm.DB, table, aggregateID string) (*model.LabelPolicyView, error) {
+	policy := new(model.LabelPolicyView)
+	userIDQuery := &model.LabelPolicySearchQuery{Key: iam_model.LabelPolicySearchKeyAggregateID, Value: aggregateID, Method: global_model.SearchMethodEquals}
+	query := repository.PrepareGetByQuery(table, userIDQuery)
+	err := query(db, policy)
+	if caos_errs.IsNotFound(err) {
+		return nil, caos_errs.ThrowNotFound(nil, "VIEW-68G11", "Errors.IAM.LabelPolicy.NotExisting")
+	}
+	return policy, err
+}
+
+func PutLabelPolicy(db *gorm.DB, table string, policy *model.LabelPolicyView) error {
+	save := repository.PrepareSave(table)
+	return save(db, policy)
+}
+
+func DeleteLabelPolicy(db *gorm.DB, table, aggregateID string) error {
+	delete := repository.PrepareDeleteByKey(table, model.LabelPolicySearchKey(iam_model.LabelPolicySearchKeyAggregateID), aggregateID)
+
+	return delete(db)
+}
--- a/internal/iam/repository/view/model/label_policy.go
+++ b/internal/iam/repository/view/model/label_policy.go
@@ -0,0 +1,82 @@
+package model
+
+import (
+	"encoding/json"
+	"time"
+
+	org_es_model "github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+
+	es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+
+	"github.com/caos/logging"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/iam/model"
+)
+
+const (
+	LabelPolicyKeyAggregateID = "aggregate_id"
+)
+
+type LabelPolicyView struct {
+	AggregateID  string    `json:"-" gorm:"column:aggregate_id;primary_key"`
+	CreationDate time.Time `json:"-" gorm:"column:creation_date"`
+	ChangeDate   time.Time `json:"-" gorm:"column:change_date"`
+	State        int32     `json:"-" gorm:"column:label_policy_state"`
+
+	PrimaryColor   string `json:"primaryColor" gorm:"column:primary_color"`
+	SecondaryColor string `json:"secondaryColor" gorm:"column:secondary_color"`
+	Default        bool   `json:"-" gorm:"-"`
+
+	Sequence uint64 `json:"-" gorm:"column:sequence"`
+}
+
+func LabelPolicyViewFromModel(policy *model.LabelPolicyView) *LabelPolicyView {
+	return &LabelPolicyView{
+		AggregateID:    policy.AggregateID,
+		Sequence:       policy.Sequence,
+		CreationDate:   policy.CreationDate,
+		ChangeDate:     policy.ChangeDate,
+		PrimaryColor:   policy.PrimaryColor,
+		SecondaryColor: policy.SecondaryColor,
+		Default:        policy.Default,
+	}
+}
+
+func LabelPolicyViewToModel(policy *LabelPolicyView) *model.LabelPolicyView {
+	return &model.LabelPolicyView{
+		AggregateID:    policy.AggregateID,
+		Sequence:       policy.Sequence,
+		CreationDate:   policy.CreationDate,
+		ChangeDate:     policy.ChangeDate,
+		PrimaryColor:   policy.PrimaryColor,
+		SecondaryColor: policy.SecondaryColor,
+		Default:        policy.Default,
+	}
+}
+
+func (i *LabelPolicyView) AppendEvent(event *models.Event) (err error) {
+	i.Sequence = event.Sequence
+	i.ChangeDate = event.CreationDate
+	switch event.Type {
+	case es_model.LabelPolicyAdded, org_es_model.LabelPolicyAdded:
+		i.setRootData(event)
+		i.CreationDate = event.CreationDate
+		err = i.SetData(event)
+	case es_model.LabelPolicyChanged, org_es_model.LabelPolicyChanged:
+		err = i.SetData(event)
+	}
+	return err
+}
+
+func (r *LabelPolicyView) setRootData(event *models.Event) {
+	r.AggregateID = event.AggregateID
+}
+
+func (r *LabelPolicyView) SetData(event *models.Event) error {
+	if err := json.Unmarshal(event.Data, r); err != nil {
+		logging.Log("MODEL-Flp9C").WithError(err).Error("could not unmarshal event data")
+		return caos_errs.ThrowInternal(err, "MODEL-Hs8uf", "Could not unmarshal data")
+	}
+	return nil
+}
--- a/internal/iam/repository/view/model/label_policy_query.go
+++ b/internal/iam/repository/view/model/label_policy_query.go
@@ -0,0 +1,59 @@
+package model
+
+import (
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	global_model "github.com/caos/zitadel/internal/model"
+	"github.com/caos/zitadel/internal/view/repository"
+)
+
+type LabelPolicySearchRequest iam_model.LabelPolicySearchRequest
+type LabelPolicySearchQuery iam_model.LabelPolicySearchQuery
+type LabelPolicySearchKey iam_model.LabelPolicySearchKey
+
+func (req LabelPolicySearchRequest) GetLimit() uint64 {
+	return req.Limit
+}
+
+func (req LabelPolicySearchRequest) GetOffset() uint64 {
+	return req.Offset
+}
+
+func (req LabelPolicySearchRequest) GetSortingColumn() repository.ColumnKey {
+	if req.SortingColumn == iam_model.LabelPolicySearchKeyUnspecified {
+		return nil
+	}
+	return LabelPolicySearchKey(req.SortingColumn)
+}
+
+func (req LabelPolicySearchRequest) GetAsc() bool {
+	return req.Asc
+}
+
+func (req LabelPolicySearchRequest) GetQueries() []repository.SearchQuery {
+	result := make([]repository.SearchQuery, len(req.Queries))
+	for i, q := range req.Queries {
+		result[i] = LabelPolicySearchQuery{Key: q.Key, Value: q.Value, Method: q.Method}
+	}
+	return result
+}
+
+func (req LabelPolicySearchQuery) GetKey() repository.ColumnKey {
+	return LabelPolicySearchKey(req.Key)
+}
+
+func (req LabelPolicySearchQuery) GetMethod() global_model.SearchMethod {
+	return req.Method
+}
+
+func (req LabelPolicySearchQuery) GetValue() interface{} {
+	return req.Value
+}
+
+func (key LabelPolicySearchKey) ToColumnName() string {
+	switch iam_model.LabelPolicySearchKey(key) {
+	case iam_model.LabelPolicySearchKeyAggregateID:
+		return LabelPolicyKeyAggregateID
+	default:
+		return ""
+	}
+}