feat: Private label email policy (#813)

* Label Policy added * save * chore: update docs action * Save * Save * Get colors from DB * Variables inserted * Get images from global directory. * Add tests * Add tests * Corrections from mergerequest * Corrections from mergerequest * Test corrected. * Added colors to all notifications. * Added colors to Corrected text and formatting.all notifications. * Spelling error corrected. * fix: tests * Merge Branch corrected. * Step6 added * Corrections from mergerequest * fix: generate management * Formatted texts. * fix: migrations Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: adlerhurst <silvan.reusser@gmail.com> Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com>
2025-08-11 19:17:32 +00:00 · 2020-10-20 19:10:23 +02:00
parent cfd119924f
commit 42384763d1
65 changed files with 7143 additions and 13940 deletions
--- a/internal/org/repository/eventsourcing/eventstore.go
+++ b/internal/org/repository/eventsourcing/eventstore.go
@@ -705,6 +705,46 @@ func (es *OrgEventstore) ChangeIDPOIDCConfig(ctx context.Context, config *iam_mo
 	return nil, errors.ThrowInternal(nil, "EVENT-Sldk8", "Errors.Internal")
 }

+func (es *OrgEventstore) AddLabelPolicy(ctx context.Context, policy *iam_model.LabelPolicy) (*iam_model.LabelPolicy, error) {
+	if policy == nil || !policy.IsValid() {
+		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-37rSC", "Errors.Org.LabelPolicyInvalid")
+	}
+	org, err := es.OrgByID(ctx, org_model.NewOrg(policy.AggregateID))
+	if err != nil {
+		return nil, err
+	}
+
+	repoOrg := model.OrgFromModel(org)
+	repoLabelPolicy := iam_es_model.LabelPolicyFromModel(policy)
+
+	addAggregate := LabelPolicyAddedAggregate(es.Eventstore.AggregateCreator(), repoOrg, repoLabelPolicy)
+	err = es_sdk.Push(ctx, es.PushAggregates, repoOrg.AppendEvents, addAggregate)
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.LabelPolicyToModel(repoOrg.LabelPolicy), nil
+}
+
+func (es *OrgEventstore) ChangeLabelPolicy(ctx context.Context, policy *iam_model.LabelPolicy) (*iam_model.LabelPolicy, error) {
+	if policy == nil || !policy.IsValid() {
+		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-0NBIw", "Errors.Org.LabelPolicyInvalid")
+	}
+	org, err := es.OrgByID(ctx, org_model.NewOrg(policy.AggregateID))
+	if err != nil {
+		return nil, err
+	}
+
+	repoOrg := model.OrgFromModel(org)
+	repoLabelPolicy := iam_es_model.LabelPolicyFromModel(policy)
+
+	addAggregate := LabelPolicyChangedAggregate(es.Eventstore.AggregateCreator(), repoOrg, repoLabelPolicy)
+	err = es_sdk.Push(ctx, es.PushAggregates, repoOrg.AppendEvents, addAggregate)
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.LabelPolicyToModel(repoOrg.LabelPolicy), nil
+}
+
 func (es *OrgEventstore) AddLoginPolicy(ctx context.Context, policy *iam_model.LoginPolicy) (*iam_model.LoginPolicy, error) {
 	if policy == nil || !policy.IsValid() {
 		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Sjkl9", "Errors.Org.LoginPolicy.Invalid")
--- a/internal/org/repository/eventsourcing/eventstore_mock_test.go
+++ b/internal/org/repository/eventsourcing/eventstore_mock_test.go
@@ -2,6 +2,7 @@ package eventsourcing

 import (
 	"encoding/json"
+
 	"github.com/caos/zitadel/internal/crypto"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
@@ -157,3 +158,17 @@ func GetMockChangesOrgWithPasswordAgePolicy(ctrl *gomock.Controller) *OrgEventst
 	mockEs.EXPECT().PushAggregates(gomock.Any(), gomock.Any()).Return(nil)
 	return GetMockedEventstore(ctrl, mockEs)
 }
+
+func GetMockChangesOrgWithLabelPolicy(ctrl *gomock.Controller) *OrgEventstore {
+	orgData, _ := json.Marshal(model.Org{Name: "MusterOrg"})
+	labelPolicy, _ := json.Marshal(iam_es_model.LabelPolicy{PrimaryColor: "000001", SecondaryColor: "FFFFF1"})
+	events := []*es_models.Event{
+		&es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: model.OrgAdded, Data: orgData},
+		&es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: model.LabelPolicyAdded, Data: labelPolicy},
+	}
+	mockEs := mock.NewMockEventstore(ctrl)
+	mockEs.EXPECT().FilterEvents(gomock.Any(), gomock.Any()).Return(events, nil)
+	mockEs.EXPECT().AggregateCreator().Return(es_models.NewAggregateCreator("TEST"))
+	mockEs.EXPECT().PushAggregates(gomock.Any(), gomock.Any()).Return(nil)
+	return GetMockedEventstore(ctrl, mockEs)
+}
--- a/internal/org/repository/eventsourcing/eventstore_test.go
+++ b/internal/org/repository/eventsourcing/eventstore_test.go
@@ -3,10 +3,11 @@ package eventsourcing
 import (
 	"context"
 	"encoding/json"
-	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"testing"
 	"time"

+	iam_model "github.com/caos/zitadel/internal/iam/model"
+
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"

@@ -2731,6 +2732,170 @@ func TestRemoveIdpProviderFromLoginPolicy(t *testing.T) {
 	}
 }

+func TestAddLabelPolicy(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	type args struct {
+		es     *OrgEventstore
+		ctx    context.Context
+		policy *iam_model.LabelPolicy
+	}
+	type res struct {
+		result  *iam_model.LabelPolicy
+		wantErr bool
+		errFunc func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "add label policy, ok",
+			args: args{
+				es:  GetMockChangesOrgOK(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.LabelPolicy{
+					ObjectRoot:   es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					PrimaryColor: "000000",
+				},
+			},
+			res: res{
+				result: &iam_model.LabelPolicy{
+					ObjectRoot:   es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					PrimaryColor: "000000",
+				},
+			},
+		},
+		{
+			name: "invalid policy",
+			args: args{
+				es:  GetMockChangesOrgOK(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.LabelPolicy{
+					ObjectRoot: es_models.ObjectRoot{Sequence: 0},
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "existing org not found",
+			args: args{
+				es:  GetMockChangesOrgNoEvents(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.LabelPolicy{
+					ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsNotFound,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := tt.args.es.AddLabelPolicy(tt.args.ctx, tt.args.policy)
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if result.PrimaryColor != tt.res.result.PrimaryColor {
+				t.Errorf("got wrong result PrimaryColor: expected: %v, actual: %v ", tt.res.result.PrimaryColor, result.PrimaryColor)
+			}
+		})
+	}
+}
+
+func TestChangeLabelPolicy(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	type args struct {
+		es     *OrgEventstore
+		ctx    context.Context
+		policy *iam_model.LabelPolicy
+	}
+	type res struct {
+		result  *iam_model.LabelPolicy
+		wantErr bool
+		errFunc func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "add label policy, ok",
+			args: args{
+				es:  GetMockChangesOrgWithLabelPolicy(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.LabelPolicy{
+					ObjectRoot:     es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					PrimaryColor:   "000000",
+					SecondaryColor: "FFFFFF",
+				},
+			},
+			res: res{
+				result: &iam_model.LabelPolicy{
+					ObjectRoot:     es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					PrimaryColor:   "000000",
+					SecondaryColor: "FFFFFF",
+				},
+			},
+		},
+		{
+			name: "invalid policy",
+			args: args{
+				es:  GetMockChangesOrgOK(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.LabelPolicy{
+					ObjectRoot: es_models.ObjectRoot{Sequence: 0},
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "existing iam not found",
+			args: args{
+				es:  GetMockChangesOrgNoEvents(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.LabelPolicy{
+					ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsNotFound,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := tt.args.es.ChangeLabelPolicy(tt.args.ctx, tt.args.policy)
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if result.PrimaryColor != tt.res.result.PrimaryColor {
+				t.Errorf("got wrong result PrimaryColor: expected: %v, actual: %v ", tt.res.result.PrimaryColor, result.PrimaryColor)
+			}
+			if result.SecondaryColor != tt.res.result.SecondaryColor {
+				t.Errorf("got wrong result SecondaryColor: expected: %v, actual: %v ", tt.res.result.SecondaryColor, result.SecondaryColor)
+			}
+		})
+	}
+}
 func TestAddPasswordComplexityPolicy(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	type args struct {
--- a/internal/org/repository/eventsourcing/label_policy.go
+++ b/internal/org/repository/eventsourcing/label_policy.go
@@ -0,0 +1,77 @@
+package eventsourcing
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/errors"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	"github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+)
+
+func LabelPolicyAddedAggregate(aggCreator *es_models.AggregateCreator, existing *model.Org, policy *iam_es_model.LabelPolicy) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if policy == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-TUWod", "Errors.Internal")
+		}
+		agg, err := OrgAggregate(ctx, aggCreator, existing.AggregateID, existing.Sequence)
+		if err != nil {
+			return nil, err
+		}
+		validationQuery := es_models.NewSearchQuery().
+			AggregateTypeFilter(model.OrgAggregate).
+			AggregateIDFilter(existing.AggregateID)
+
+		validation := checkExistingLabelPolicyValidation()
+		agg.SetPrecondition(validationQuery, validation)
+		return agg.AppendEvent(model.LabelPolicyAdded, policy)
+	}
+}
+
+func LabelPolicyChangedAggregate(aggCreator *es_models.AggregateCreator, existing *model.Org, policy *iam_es_model.LabelPolicy) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if policy == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-unRI2", "Errors.Internal")
+		}
+		agg, err := OrgAggregate(ctx, aggCreator, existing.AggregateID, existing.Sequence)
+		if err != nil {
+			return nil, err
+		}
+		changes := existing.LabelPolicy.Changes(policy)
+		if len(changes) == 0 {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Tz130", "Errors.NoChangesFound")
+		}
+		return agg.AppendEvent(model.LabelPolicyChanged, changes)
+	}
+}
+
+func LabelPolicyRemovedAggregate(aggCreator *es_models.AggregateCreator, existing *model.Org) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if existing == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-v7E9b", "Errors.Internal")
+		}
+		agg, err := OrgAggregate(ctx, aggCreator, existing.AggregateID, existing.Sequence)
+		if err != nil {
+			return nil, err
+		}
+		return agg.AppendEvent(model.LabelPolicyRemoved, nil)
+	}
+}
+
+func checkExistingLabelPolicyValidation() func(...*es_models.Event) error {
+	return func(events ...*es_models.Event) error {
+		existing := false
+		for _, event := range events {
+			switch event.Type {
+			case model.LabelPolicyAdded:
+				existing = true
+			case model.LabelPolicyRemoved:
+				existing = false
+			}
+		}
+		if existing {
+			return errors.ThrowPreconditionFailed(nil, "EVENT-g9mCI", "Errors.Org.LabelPolicy.AlreadyExists")
+		}
+		return nil
+	}
+}
--- a/internal/org/repository/eventsourcing/label_policy_test.go
+++ b/internal/org/repository/eventsourcing/label_policy_test.go
@@ -0,0 +1,186 @@
+package eventsourcing
+
+import (
+	"context"
+	"testing"
+
+	"github.com/caos/zitadel/internal/api/authz"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	"github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+)
+
+func TestLabelPolicyAddedAggregate(t *testing.T) {
+	type args struct {
+		ctx        context.Context
+		existing   *model.Org
+		new        *iam_es_model.LabelPolicy
+		aggCreator *models.AggregateCreator
+	}
+	type res struct {
+		eventLen   int
+		eventTypes []models.EventType
+		wantErr    bool
+		errFunc    func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "add label polciy",
+			args: args{
+				ctx: authz.NewMockContext("orgID", "userID"),
+				existing: &model.Org{
+					ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+				},
+				new: &iam_es_model.LabelPolicy{
+					ObjectRoot:   models.ObjectRoot{AggregateID: "AggregateID"},
+					PrimaryColor: "000000",
+				},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				eventLen:   1,
+				eventTypes: []models.EventType{model.LabelPolicyAdded},
+			},
+		},
+		{
+			name: "existing org nil",
+			args: args{
+				ctx:        authz.NewMockContext("orgID", "userID"),
+				existing:   nil,
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "label policy config nil",
+			args: args{
+				ctx:        authz.NewMockContext("orgID", "userID"),
+				existing:   &model.Org{ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"}},
+				new:        nil,
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			agg, err := LabelPolicyAddedAggregate(tt.args.aggCreator, tt.args.existing, tt.args.new)(tt.args.ctx)
+
+			if !tt.res.wantErr && len(agg.Events) != tt.res.eventLen {
+				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
+			}
+			for i := 0; i < tt.res.eventLen; i++ {
+				if !tt.res.wantErr && agg.Events[i].Type != tt.res.eventTypes[i] {
+					t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], agg.Events[i].Type.String())
+				}
+				if !tt.res.wantErr && agg.Events[i].Data == nil {
+					t.Errorf("should have data in event")
+				}
+			}
+
+			if tt.res.wantErr && !tt.res.errFunc(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+		})
+	}
+}
+
+func TestLabelPolicyChangedAggregate(t *testing.T) {
+	type args struct {
+		ctx        context.Context
+		existing   *model.Org
+		new        *iam_es_model.LabelPolicy
+		aggCreator *models.AggregateCreator
+	}
+	type res struct {
+		eventLen   int
+		eventTypes []models.EventType
+		wantErr    bool
+		errFunc    func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "change label policy",
+			args: args{
+				ctx: authz.NewMockContext("orgID", "userID"),
+				existing: &model.Org{
+					ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+					LabelPolicy: &iam_es_model.LabelPolicy{
+						ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+					},
+				},
+				new: &iam_es_model.LabelPolicy{
+					ObjectRoot:     models.ObjectRoot{AggregateID: "AggregateID"},
+					PrimaryColor:   "000000",
+					SecondaryColor: "FFFFFF",
+				},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				eventLen:   1,
+				eventTypes: []models.EventType{model.LabelPolicyChanged},
+			},
+		},
+		{
+			name: "existing org nil",
+			args: args{
+				ctx:        authz.NewMockContext("orgID", "userID"),
+				existing:   nil,
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "label policy config nil",
+			args: args{
+				ctx:        authz.NewMockContext("orgID", "userID"),
+				existing:   &model.Org{ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"}},
+				new:        nil,
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			agg, err := LabelPolicyChangedAggregate(tt.args.aggCreator, tt.args.existing, tt.args.new)(tt.args.ctx)
+
+			if !tt.res.wantErr && len(agg.Events) != tt.res.eventLen {
+				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
+			}
+			for i := 0; i < tt.res.eventLen; i++ {
+				if !tt.res.wantErr && agg.Events[i].Type != tt.res.eventTypes[i] {
+					t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], agg.Events[i].Type.String())
+				}
+				if !tt.res.wantErr && agg.Events[i].Data == nil {
+					t.Errorf("should have data in event")
+				}
+			}
+
+			if tt.res.wantErr && !tt.res.errFunc(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+		})
+	}
+}
--- a/internal/org/repository/eventsourcing/model/label_policy.go
+++ b/internal/org/repository/eventsourcing/model/label_policy.go
@@ -0,0 +1,24 @@
+package model
+
+import (
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+)
+
+func (o *Org) appendAddLabelPolicyEvent(event *es_models.Event) error {
+	o.LabelPolicy = new(iam_es_model.LabelPolicy)
+	err := o.LabelPolicy.SetDataLabel(event)
+	if err != nil {
+		return err
+	}
+	o.LabelPolicy.ObjectRoot.CreationDate = event.CreationDate
+	return nil
+}
+
+func (o *Org) appendChangeLabelPolicyEvent(event *es_models.Event) error {
+	return o.LabelPolicy.SetDataLabel(event)
+}
+
+func (o *Org) appendRemoveLabelPolicyEvent(event *es_models.Event) {
+	o.LabelPolicy = nil
+}
--- a/internal/org/repository/eventsourcing/model/label_policy_test.go
+++ b/internal/org/repository/eventsourcing/model/label_policy_test.go
@@ -0,0 +1,91 @@
+package model
+
+import (
+	"encoding/json"
+	"testing"
+
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+)
+
+func TestAppendAddLabelPolicyEvent(t *testing.T) {
+	type args struct {
+		org    *Org
+		policy *iam_es_model.LabelPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *Org
+	}{
+		{
+			name: "append add label policy event",
+			args: args{
+				org:    &Org{},
+				policy: &iam_es_model.LabelPolicy{PrimaryColor: "000000", SecondaryColor: "FFFFFF"},
+				event:  &es_models.Event{},
+			},
+			result: &Org{LabelPolicy: &iam_es_model.LabelPolicy{PrimaryColor: "000000", SecondaryColor: "FFFFFF"}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.org.appendAddLabelPolicyEvent(tt.args.event)
+			if tt.result.LabelPolicy.PrimaryColor != tt.args.org.LabelPolicy.PrimaryColor {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.LabelPolicy.PrimaryColor, tt.args.org.LabelPolicy.PrimaryColor)
+			}
+			if tt.result.LabelPolicy.SecondaryColor != tt.args.org.LabelPolicy.SecondaryColor {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.LabelPolicy.SecondaryColor, tt.args.org.LabelPolicy.SecondaryColor)
+			}
+		})
+	}
+}
+
+func TestAppendChangeLabelPolicyEvent(t *testing.T) {
+	type args struct {
+		org    *Org
+		policy *iam_es_model.LabelPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *Org
+	}{
+		{
+			name: "append change label policy event",
+			args: args{
+				org: &Org{LabelPolicy: &iam_es_model.LabelPolicy{
+					SecondaryColor: "FFFFF0",
+					PrimaryColor:   "000001",
+				}},
+				policy: &iam_es_model.LabelPolicy{PrimaryColor: "000000", SecondaryColor: "FFFFFF"},
+				event:  &es_models.Event{},
+			},
+			result: &Org{LabelPolicy: &iam_es_model.LabelPolicy{
+				SecondaryColor: "FFFFFF",
+				PrimaryColor:   "000000",
+			}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.org.appendChangeLabelPolicyEvent(tt.args.event)
+			if tt.result.LabelPolicy.PrimaryColor != tt.args.org.LabelPolicy.PrimaryColor {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.LabelPolicy.PrimaryColor, tt.args.org.LabelPolicy.PrimaryColor)
+			}
+			if tt.result.LabelPolicy.SecondaryColor != tt.args.org.LabelPolicy.SecondaryColor {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.LabelPolicy.SecondaryColor, tt.args.org.LabelPolicy.SecondaryColor)
+			}
+		})
+	}
+}
--- a/internal/org/repository/eventsourcing/model/org.go
+++ b/internal/org/repository/eventsourcing/model/org.go
@@ -2,6 +2,7 @@ package model

 import (
 	"encoding/json"
+
 	"github.com/caos/zitadel/internal/iam/model"
 	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"

@@ -23,6 +24,7 @@ type Org struct {
 	Domains                  []*OrgDomain                           `json:"-"`
 	Members                  []*OrgMember                           `json:"-"`
 	OrgIAMPolicy             *iam_es_model.OrgIAMPolicy             `json:"-"`
+	LabelPolicy              *iam_es_model.LabelPolicy              `json:"-"`
 	IDPs                     []*iam_es_model.IDPConfig              `json:"-"`
 	LoginPolicy              *iam_es_model.LoginPolicy              `json:"-"`
 	PasswordComplexityPolicy *iam_es_model.PasswordComplexityPolicy `json:"-"`
@@ -48,6 +50,9 @@ func OrgFromModel(org *org_model.Org) *Org {
 	if org.LoginPolicy != nil {
 		converted.LoginPolicy = iam_es_model.LoginPolicyFromModel(org.LoginPolicy)
 	}
+	if org.LabelPolicy != nil {
+		converted.LabelPolicy = iam_es_model.LabelPolicyFromModel(org.LabelPolicy)
+	}
 	if org.PasswordComplexityPolicy != nil {
 		converted.PasswordComplexityPolicy = iam_es_model.PasswordComplexityPolicyFromModel(org.PasswordComplexityPolicy)
 	}
@@ -75,6 +80,9 @@ func OrgToModel(org *Org) *org_model.Org {
 	if org.LoginPolicy != nil {
 		converted.LoginPolicy = iam_es_model.LoginPolicyToModel(org.LoginPolicy)
 	}
+	if org.LabelPolicy != nil {
+		converted.LabelPolicy = iam_es_model.LabelPolicyToModel(org.LabelPolicy)
+	}
 	if org.PasswordComplexityPolicy != nil {
 		converted.PasswordComplexityPolicy = iam_es_model.PasswordComplexityPolicyToModel(org.PasswordComplexityPolicy)
 	}
@@ -175,6 +183,12 @@ func (o *Org) AppendEvent(event *es_models.Event) (err error) {
 		err = o.appendAddOIDCIDPConfigEvent(event)
 	case OIDCIDPConfigChanged:
 		err = o.appendChangeOIDCIDPConfigEvent(event)
+	case LabelPolicyAdded:
+		err = o.appendAddLabelPolicyEvent(event)
+	case LabelPolicyChanged:
+		err = o.appendChangeLabelPolicyEvent(event)
+	case LabelPolicyRemoved:
+		o.appendRemoveLabelPolicyEvent(event)
 	case LoginPolicyAdded:
 		err = o.appendAddLoginPolicyEvent(event)
 	case LoginPolicyChanged:
--- a/internal/org/repository/eventsourcing/model/types.go
+++ b/internal/org/repository/eventsourcing/model/types.go
@@ -51,6 +51,9 @@ const (
 	LoginPolicyIDPProviderAdded          models.EventType = "org.policy.login.idpprovider.added"
 	LoginPolicyIDPProviderRemoved        models.EventType = "org.policy.login.idpprovider.removed"
 	LoginPolicyIDPProviderCascadeRemoved models.EventType = "org.policy.login.idpprovider.cascade.removed"
+	LabelPolicyAdded                     models.EventType = "org.policy.label.added"
+	LabelPolicyChanged                   models.EventType = "org.policy.label.changed"
+	LabelPolicyRemoved                   models.EventType = "org.policy.label.removed"

 	PasswordComplexityPolicyAdded   models.EventType = "org.policy.password.complexity.added"
 	PasswordComplexityPolicyChanged models.EventType = "org.policy.password.complexity.changed"