New eventstore policies (#1084)

* feat: login policy

* feat: password complexity policy

* feat: org iam policy

* feat: label policy

* feat: add and change policies

* feat: second factors

* feat: second and multi factors

* feat: better naming

* feat: better naming

internal/v2/repository/iam/aggregate.go

@@ -2,16 +2,26 @@ package iam
 
 import (
 	"context"
-
 	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/label"
+	iam_login "github.com/caos/zitadel/internal/v2/repository/iam/policy/login"
+	factors2 "github.com/caos/zitadel/internal/v2/repository/iam/policy/login/factors"
+	iam_factors "github.com/caos/zitadel/internal/v2/repository/iam/policy/login/factors"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/login/idpprovider"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/org_iam"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/password_age"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/password_complexity"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/password_lockout"
 	"github.com/caos/zitadel/internal/v2/repository/idp"
 	"github.com/caos/zitadel/internal/v2/repository/idp/oidc"
 	"github.com/caos/zitadel/internal/v2/repository/idp/provider"
+	"github.com/caos/zitadel/internal/v2/repository/policy/login"
+	"github.com/caos/zitadel/internal/v2/repository/policy/login/factors"
 )
 
 const (
-	iamEventTypePrefix = eventstore.EventType("iam.")
+	IamEventTypePrefix = eventstore.EventType("iam.")
 )
 
 const (
@@ -87,6 +97,110 @@ func (a *Aggregate) PushStepDone(ctx context.Context, step Step) *Aggregate {
 	return a
 }
 
+func (a *Aggregate) PushOrgIAMPolicyAddedEvent(ctx context.Context, userLoginMustBeDomain bool) *Aggregate {
+	a.Aggregate = *a.PushEvents(org_iam.NewAddedEvent(ctx, userLoginMustBeDomain))
+	return a
+}
+
+func (a *Aggregate) PushOrgIAMPolicyChangedFromExisting(ctx context.Context, current *org_iam.WriteModel, userLoginMustBeDomain bool) *Aggregate {
+	e, err := org_iam.ChangedEventFromExisting(ctx, current, userLoginMustBeDomain)
+	if err != nil {
+		return a
+	}
+	a.Aggregate = *a.PushEvents(e)
+	return a
+}
+
+func (a *Aggregate) PushPasswordAgePolicyAddedEvent(ctx context.Context, expireWarnDays, maxAgeDays uint64) *Aggregate {
+	a.Aggregate = *a.PushEvents(password_age.NewAddedEvent(ctx, expireWarnDays, maxAgeDays))
+	return a
+}
+
+func (a *Aggregate) PushPasswordAgePolicyChangedFromExisting(ctx context.Context, current *password_age.WriteModel, expireWarnDays, maxAgeDays uint64) *Aggregate {
+	e, err := password_age.ChangedEventFromExisting(ctx, current, expireWarnDays, maxAgeDays)
+	if err != nil {
+		return a
+	}
+	a.Aggregate = *a.PushEvents(e)
+	return a
+}
+
+func (a *Aggregate) PushPasswordComplexityPolicyAddedEvent(ctx context.Context, minLength uint64, hasLowercase, hasUppercase, hasNumber, hasSymbol bool) *Aggregate {
+	a.Aggregate = *a.PushEvents(password_complexity.NewAddedEvent(ctx, minLength, hasLowercase, hasUppercase, hasNumber, hasSymbol))
+	return a
+}
+
+func (a *Aggregate) PushPasswordComplexityPolicyChangedFromExisting(ctx context.Context, current *password_complexity.WriteModel, minLength uint64, hasLowercase, hasUppercase, hasNumber, hasSymbol bool) *Aggregate {
+	e, err := password_complexity.ChangedEventFromExisting(ctx, current, minLength, hasLowercase, hasUppercase, hasNumber, hasSymbol)
+	if err != nil {
+		return a
+	}
+	a.Aggregate = *a.PushEvents(e)
+	return a
+}
+
+func (a *Aggregate) PushPasswordLockoutPolicyAddedEvent(ctx context.Context, maxAttempts uint64, showLockoutFailure bool) *Aggregate {
+	a.Aggregate = *a.PushEvents(password_lockout.NewAddedEvent(ctx, maxAttempts, showLockoutFailure))
+	return a
+}
+
+func (a *Aggregate) PushPasswordLockoutPolicyChangedFromExisting(ctx context.Context, current *password_lockout.WriteModel, maxAttempts uint64, showLockoutFailure bool) *Aggregate {
+	e, err := password_lockout.ChangedEventFromExisting(ctx, current, maxAttempts, showLockoutFailure)
+	if err != nil {
+		return a
+	}
+	a.Aggregate = *a.PushEvents(e)
+	return a
+}
+
+func (a *Aggregate) PushLabelPolicyAddedEvent(ctx context.Context, primaryColor, secondaryColor string) *Aggregate {
+	a.Aggregate = *a.PushEvents(label.NewAddedEvent(ctx, primaryColor, secondaryColor))
+	return a
+}
+
+func (a *Aggregate) PushLabelPolicyChangedFromExisting(ctx context.Context, current *label.WriteModel, primaryColor, secondaryColor string) *Aggregate {
+	e, err := label.ChangedEventFromExisting(ctx, current, primaryColor, secondaryColor)
+	if err != nil {
+		return a
+	}
+	a.Aggregate = *a.PushEvents(e)
+	return a
+}
+
+func (a *Aggregate) PushLoginPolicyAddedEvent(ctx context.Context, allowUsernamePassword, allowRegister, allowExternalIDP, forceMFA bool, passwordlessType login.PasswordlessType) *Aggregate {
+	a.Aggregate = *a.PushEvents(iam_login.NewAddedEvent(ctx, allowUsernamePassword, allowRegister, allowExternalIDP, forceMFA, passwordlessType))
+	return a
+}
+
+func (a *Aggregate) PushLoginPolicyChangedFromExisting(ctx context.Context, current *iam_login.WriteModel, allowUsernamePassword, allowRegister, allowExternalIDP, forceMFA bool, passwordlessType login.PasswordlessType) *Aggregate {
+	e, err := iam_login.ChangedEventFromExisting(ctx, current, allowUsernamePassword, allowRegister, allowExternalIDP, forceMFA, passwordlessType)
+	if err != nil {
+		return a
+	}
+	a.Aggregate = *a.PushEvents(e)
+	return a
+}
+
+func (a *Aggregate) PushLoginPolicySecondFactorAdded(ctx context.Context, mfaType factors.SecondFactorType) *Aggregate {
+	a.Aggregate = *a.PushEvents(iam_factors.NewLoginPolicySecondFactorAddedEvent(ctx, mfaType))
+	return a
+}
+
+func (a *Aggregate) PushLoginPolicySecondFactorRemoved(ctx context.Context, mfaType factors.SecondFactorType) *Aggregate {
+	a.Aggregate = *a.PushEvents(iam_factors.NewLoginPolicySecondFactorRemovedEvent(ctx, mfaType))
+	return a
+}
+
+func (a *Aggregate) PushLoginPolicyMultiFactorAdded(ctx context.Context, mfaType factors.MultiFactorType) *Aggregate {
+	a.Aggregate = *a.PushEvents(factors2.NewLoginPolicyMultiFactorAddedEvent(ctx, mfaType))
+	return a
+}
+
+func (a *Aggregate) PushLoginPolicyMultiFactorRemoved(ctx context.Context, mfaType factors.MultiFactorType) *Aggregate {
+	a.Aggregate = *a.PushEvents(factors2.NewLoginPolicyMultiFactorRemovedEvent(ctx, mfaType))
+	return a
+}
+
 func (a *Aggregate) PushIDPConfigAdded(
 	ctx context.Context,
 	configID,
@@ -172,7 +286,7 @@ func (a *Aggregate) PushLoginPolicyIDPProviderAddedEvent(
 	providerType provider.Type,
 ) *Aggregate {
 
-	a.Aggregate = *a.PushEvents(NewLoginPolicyIDPProviderAddedEvent(ctx, idpConfigID, providerType))
+	a.Aggregate = *a.PushEvents(idpprovider.NewAddedEvent(ctx, idpConfigID, providerType))
 	return a
 }
 
@@ -182,6 +296,6 @@ func (a *Aggregate) PushLoginPolicyIDPProviderRemovedEvent(
 	providerType provider.Type,
 ) *Aggregate {
 
-	a.Aggregate = *a.PushEvents(NewLoginPolicyIDPProviderRemovedEvent(ctx, idpConfigID))
+	a.Aggregate = *a.PushEvents(idpprovider.NewRemovedEvent(ctx, idpConfigID))
 	return a
 }

internal/v2/repository/iam/eventstore.go

@@ -2,6 +2,12 @@ package iam
 
 import (
 	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/label"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/login"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/org_iam"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/password_age"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/password_complexity"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/password_lockout"
 )
 
 func RegisterEventMappers(es *eventstore.Eventstore) {
@@ -9,17 +15,17 @@ func RegisterEventMappers(es *eventstore.Eventstore) {
 		RegisterFilterEventMapper(SetupDoneEventType, SetupStepMapper).
 		RegisterFilterEventMapper(GlobalOrgSetEventType, GlobalOrgSetMapper).
 		RegisterFilterEventMapper(ProjectSetEventType, ProjectSetMapper).
-		RegisterFilterEventMapper(LabelPolicyAddedEventType, LabelPolicyAddedEventMapper).
-		RegisterFilterEventMapper(LabelPolicyChangedEventType, LabelPolicyChangedEventMapper).
-		RegisterFilterEventMapper(LoginPolicyAddedEventType, LoginPolicyAddedEventMapper).
-		RegisterFilterEventMapper(LoginPolicyChangedEventType, LoginPolicyChangedEventMapper).
-		RegisterFilterEventMapper(OrgIAMPolicyAddedEventType, OrgIAMPolicyAddedEventMapper).
-		RegisterFilterEventMapper(PasswordAgePolicyAddedEventType, PasswordAgePolicyAddedEventMapper).
-		RegisterFilterEventMapper(PasswordAgePolicyChangedEventType, PasswordAgePolicyChangedEventMapper).
-		RegisterFilterEventMapper(PasswordComplexityPolicyAddedEventType, PasswordComplexityPolicyAddedEventMapper).
-		RegisterFilterEventMapper(PasswordComplexityPolicyChangedEventType, PasswordComplexityPolicyChangedEventMapper).
-		RegisterFilterEventMapper(PasswordLockoutPolicyAddedEventType, PasswordLockoutPolicyAddedEventMapper).
-		RegisterFilterEventMapper(PasswordLockoutPolicyChangedEventType, PasswordLockoutPolicyChangedEventMapper).
+		RegisterFilterEventMapper(label.LabelPolicyAddedEventType, label.AddedEventMapper).
+		RegisterFilterEventMapper(label.LabelPolicyChangedEventType, label.ChangedEventMapper).
+		RegisterFilterEventMapper(login.LoginPolicyAddedEventType, login.AddedEventMapper).
+		RegisterFilterEventMapper(login.LoginPolicyChangedEventType, login.ChangedEventMapper).
+		RegisterFilterEventMapper(org_iam.OrgIAMPolicyAddedEventType, org_iam.AddedEventMapper).
+		RegisterFilterEventMapper(password_age.PasswordAgePolicyAddedEventType, password_age.AddedEventMapper).
+		RegisterFilterEventMapper(password_age.PasswordAgePolicyChangedEventType, password_age.ChangedEventMapper).
+		RegisterFilterEventMapper(password_complexity.PasswordComplexityPolicyAddedEventType, password_complexity.AddedEventMapper).
+		RegisterFilterEventMapper(password_complexity.PasswordComplexityPolicyChangedEventType, password_complexity.ChangedEventMapper).
+		RegisterFilterEventMapper(password_lockout.PasswordLockoutPolicyAddedEventType, password_lockout.AddedEventMapper).
+		RegisterFilterEventMapper(password_lockout.PasswordLockoutPolicyChangedEventType, password_lockout.ChangedEventMapper).
 		RegisterFilterEventMapper(MemberAddedEventType, MemberAddedEventMapper).
 		RegisterFilterEventMapper(MemberChangedEventType, MemberChangedEventMapper).
 		RegisterFilterEventMapper(MemberRemovedEventType, MemberRemovedEventMapper).

internal/v2/repository/iam/member.go

@@ -9,9 +9,9 @@ import (
 )
 
 var (
-	MemberAddedEventType   = iamEventTypePrefix + member.AddedEventType
-	MemberChangedEventType = iamEventTypePrefix + member.ChangedEventType
-	MemberRemovedEventType = iamEventTypePrefix + member.RemovedEventType
+	MemberAddedEventType   = IamEventTypePrefix + member.AddedEventType
+	MemberChangedEventType = IamEventTypePrefix + member.ChangedEventType
+	MemberRemovedEventType = IamEventTypePrefix + member.RemovedEventType
 )
 
 type MemberReadModel struct {

internal/v2/repository/iam/policy/label/events.go

@@ -0,0 +1,73 @@
+package label
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/repository/policy/label"
+)
+
+var (
+	iamEventPrefix              = eventstore.EventType("iam.")
+	LabelPolicyAddedEventType   = iamEventPrefix + label.LabelPolicyAddedEventType
+	LabelPolicyChangedEventType = iamEventPrefix + label.LabelPolicyChangedEventType
+)
+
+type AddedEvent struct {
+	label.AddedEvent
+}
+
+func NewAddedEvent(
+	ctx context.Context,
+	primaryColor,
+	secondaryColor string,
+) *AddedEvent {
+	return &AddedEvent{
+		AddedEvent: *label.NewAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, LabelPolicyAddedEventType),
+			primaryColor,
+			secondaryColor),
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := label.AddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &AddedEvent{AddedEvent: *e.(*label.AddedEvent)}, nil
+}
+
+type ChangedEvent struct {
+	label.ChangedEvent
+}
+
+func ChangedEventFromExisting(
+	ctx context.Context,
+	current *WriteModel,
+	primaryColor,
+	secondaryColor string,
+) (*ChangedEvent, error) {
+	event := label.NewChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			LabelPolicyChangedEventType,
+		),
+		&current.Policy,
+		primaryColor,
+		secondaryColor,
+	)
+	return &ChangedEvent{
+		*event,
+	}, nil
+}
+
+func ChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := label.ChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ChangedEvent{ChangedEvent: *e.(*label.ChangedEvent)}, nil
+}

internal/v2/repository/iam/policy/label/read_model.go

@@ -0,0 +1,21 @@
+package label
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/label"
+)
+
+type ReadModel struct{ label.ReadModel }
+
+func (rm *ReadModel) AppendEvents(events ...eventstore.EventReader) {
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			rm.ReadModel.AppendEvents(&e.AddedEvent)
+		case *ChangedEvent:
+			rm.ReadModel.AppendEvents(&e.ChangedEvent)
+		case *label.AddedEvent, *label.ChangedEvent:
+			rm.ReadModel.AppendEvents(e)
+		}
+	}
+}

internal/v2/repository/iam/policy/label/write_model.go

@@ -0,0 +1,47 @@
+package label
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/label"
+)
+
+const (
+	AggregateType = "iam"
+)
+
+type WriteModel struct {
+	eventstore.WriteModel
+	Policy label.WriteModel
+
+	iamID string
+}
+
+func NewWriteModel(iamID string) *WriteModel {
+	return &WriteModel{
+		iamID: iamID,
+	}
+}
+
+func (wm *WriteModel) AppendEvents(events ...eventstore.EventReader) {
+	wm.WriteModel.AppendEvents(events...)
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			wm.Policy.AppendEvents(&e.AddedEvent)
+		case *ChangedEvent:
+			wm.Policy.AppendEvents(&e.ChangedEvent)
+		}
+	}
+}
+
+func (wm *WriteModel) Reduce() error {
+	if err := wm.Policy.Reduce(); err != nil {
+		return err
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *WriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, AggregateType).
+		AggregateIDs(wm.iamID)
+}

internal/v2/repository/iam/policy/login/events.go

@@ -0,0 +1,89 @@
+package login
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/repository/policy/login"
+)
+
+var (
+	iamEventPrefix              = eventstore.EventType("iam.")
+	LoginPolicyAddedEventType   = iamEventPrefix + login.LoginPolicyAddedEventType
+	LoginPolicyChangedEventType = iamEventPrefix + login.LoginPolicyChangedEventType
+
+	LoginPolicyIDPProviderAddedEventType   = iamEventPrefix + login.LoginPolicyIDPProviderAddedEventType
+	LoginPolicyIDPProviderRemovedEventType = iamEventPrefix + login.LoginPolicyIDPProviderRemovedEventType
+)
+
+type AddedEvent struct {
+	login.AddedEvent
+}
+
+func NewAddedEvent(
+	ctx context.Context,
+	allowUsernamePassword,
+	allowRegister,
+	allowExternalIDP,
+	forceMFA bool,
+	passwordlessType login.PasswordlessType,
+) *AddedEvent {
+	return &AddedEvent{
+		AddedEvent: *login.NewAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, login.LoginPolicyAddedEventType),
+			allowUsernamePassword,
+			allowRegister,
+			allowExternalIDP,
+			forceMFA,
+			passwordlessType),
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := login.AddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &AddedEvent{AddedEvent: *e.(*login.AddedEvent)}, nil
+}
+
+type ChangedEvent struct {
+	login.ChangedEvent
+}
+
+func ChangedEventFromExisting(
+	ctx context.Context,
+	current *WriteModel,
+	allowUsernamePassword,
+	allowRegister,
+	allowExternalIDP,
+	forceMFA bool,
+	passwordlessType login.PasswordlessType,
+) (*ChangedEvent, error) {
+
+	event := login.NewChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			LoginPolicyChangedEventType,
+		),
+		&current.Policy,
+		allowUsernamePassword,
+		allowRegister,
+		allowExternalIDP,
+		forceMFA,
+		passwordlessType,
+	)
+	return &ChangedEvent{
+		*event,
+	}, nil
+}
+
+func ChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := login.ChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ChangedEvent{ChangedEvent: *e.(*login.ChangedEvent)}, nil
+}

internal/v2/repository/iam/policy/login/factors/events.go

@@ -0,0 +1,123 @@
+package factors
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/repository/policy/login/factors"
+)
+
+var (
+	iamEventPrefix                          = eventstore.EventType("iam.")
+	LoginPolicySecondFactorAddedEventType   = iamEventPrefix + factors.LoginPolicySecondFactorAddedEventType
+	LoginPolicySecondFactorRemovedEventType = iamEventPrefix + factors.LoginPolicySecondFactorRemovedEventType
+
+	LoginPolicyMultiFactorAddedEventType   = iamEventPrefix + factors.LoginPolicyMultiFactorAddedEventType
+	LoginPolicyMultiFactorRemovedEventType = iamEventPrefix + factors.LoginPolicyMultiFactorRemovedEventType
+)
+
+type LoginPolicySecondFactorAddedEvent struct {
+	factors.SecondFactorAddedEvent
+}
+
+func NewLoginPolicySecondFactorAddedEvent(
+	ctx context.Context,
+	mfaType factors.SecondFactorType,
+) *LoginPolicySecondFactorAddedEvent {
+	return &LoginPolicySecondFactorAddedEvent{
+		SecondFactorAddedEvent: *factors.NewSecondFactorAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, LoginPolicySecondFactorAddedEventType),
+			mfaType),
+	}
+}
+
+func SecondFactorAddedEventEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := factors.SecondFactorAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicySecondFactorAddedEvent{
+		SecondFactorAddedEvent: *e.(*factors.SecondFactorAddedEvent),
+	}, nil
+}
+
+type LoginPolicySecondFactorRemovedEvent struct {
+	factors.SecondFactorRemovedEvent
+}
+
+func NewLoginPolicySecondFactorRemovedEvent(
+	ctx context.Context,
+	mfaType factors.SecondFactorType,
+) *LoginPolicySecondFactorRemovedEvent {
+
+	return &LoginPolicySecondFactorRemovedEvent{
+		SecondFactorRemovedEvent: *factors.NewSecondFactorRemovedEvent(
+			eventstore.NewBaseEventForPush(ctx, LoginPolicySecondFactorRemovedEventType),
+			mfaType),
+	}
+}
+
+func SecondFactorRemovedEventEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := factors.SecondFactorRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicySecondFactorRemovedEvent{
+		SecondFactorRemovedEvent: *e.(*factors.SecondFactorRemovedEvent),
+	}, nil
+}
+
+type LoginPolicyMultiFactorAddedEvent struct {
+	factors.MultiFactorAddedEvent
+}
+
+func NewLoginPolicyMultiFactorAddedEvent(
+	ctx context.Context,
+	mfaType factors.MultiFactorType,
+) *LoginPolicyMultiFactorAddedEvent {
+	return &LoginPolicyMultiFactorAddedEvent{
+		MultiFactorAddedEvent: *factors.NewMultiFactorAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, LoginPolicyMultiFactorAddedEventType),
+			mfaType),
+	}
+}
+
+func MultiFactorAddedEventEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := factors.MultiFactorAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicyMultiFactorAddedEvent{
+		MultiFactorAddedEvent: *e.(*factors.MultiFactorAddedEvent),
+	}, nil
+}
+
+type LoginPolicyMultiFactorRemovedEvent struct {
+	factors.MultiFactorRemovedEvent
+}
+
+func NewLoginPolicyMultiFactorRemovedEvent(
+	ctx context.Context,
+	mfaType factors.MultiFactorType,
+) *LoginPolicyMultiFactorRemovedEvent {
+
+	return &LoginPolicyMultiFactorRemovedEvent{
+		MultiFactorRemovedEvent: *factors.NewMultiFactorRemovedEvent(
+			eventstore.NewBaseEventForPush(ctx, LoginPolicyMultiFactorRemovedEventType),
+			mfaType),
+	}
+}
+
+func MultiFactorRemovedEventEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := factors.MultiFactorRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicyMultiFactorRemovedEvent{
+		MultiFactorRemovedEvent: *e.(*factors.MultiFactorRemovedEvent),
+	}, nil
+}

internal/v2/repository/iam/policy/login/factors/write_model.go

@@ -0,0 +1,80 @@
+package factors
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/login/factors"
+)
+
+const (
+	AggregateType = "iam"
+)
+
+type SecondFactorWriteModel struct {
+	eventstore.WriteModel
+	SecondFactor factors.SecondFactoryWriteModel
+
+	iamID string
+}
+
+func NewSecondFactorWriteModel(iamID string) *SecondFactorWriteModel {
+	return &SecondFactorWriteModel{
+		iamID: iamID,
+	}
+}
+
+func (wm *SecondFactorWriteModel) AppendEvents(events ...eventstore.EventReader) {
+	wm.WriteModel.AppendEvents(events...)
+	for _, event := range events {
+		switch e := event.(type) {
+		case *LoginPolicySecondFactorAddedEvent:
+			wm.SecondFactor.AppendEvents(&e.SecondFactorAddedEvent)
+		}
+	}
+}
+
+func (wm *SecondFactorWriteModel) Reduce() error {
+	if err := wm.SecondFactor.Reduce(); err != nil {
+		return err
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *SecondFactorWriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, AggregateType).
+		AggregateIDs(wm.iamID)
+}
+
+type MultiFactorWriteModel struct {
+	eventstore.WriteModel
+	MultiFactor factors.MultiFactoryWriteModel
+
+	iamID string
+}
+
+func NewMultiFactorWriteModel(iamID string) *MultiFactorWriteModel {
+	return &MultiFactorWriteModel{
+		iamID: iamID,
+	}
+}
+
+func (wm *MultiFactorWriteModel) AppendEvents(events ...eventstore.EventReader) {
+	wm.WriteModel.AppendEvents(events...)
+	for _, event := range events {
+		switch e := event.(type) {
+		case *LoginPolicyMultiFactorAddedEvent:
+			wm.MultiFactor.AppendEvents(&e.MultiFactorAddedEvent)
+		}
+	}
+}
+
+func (wm *MultiFactorWriteModel) Reduce() error {
+	if err := wm.MultiFactor.Reduce(); err != nil {
+		return err
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *MultiFactorWriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, AggregateType).
+		AggregateIDs(wm.iamID)
+}

internal/v2/repository/iam/policy/login/idpprovider/events.go

@@ -0,0 +1,66 @@
+package idpprovider
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/login"
+	"github.com/caos/zitadel/internal/v2/repository/policy/login/idpprovider"
+
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/repository/idp/provider"
+)
+
+type AddedEvent struct {
+	idpprovider.AddedEvent
+}
+
+func NewAddedEvent(
+	ctx context.Context,
+	idpConfigID string,
+	idpProviderType provider.Type,
+) *AddedEvent {
+
+	return &AddedEvent{
+		AddedEvent: *idpprovider.NewAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, login.LoginPolicyIDPProviderAddedEventType),
+			idpConfigID,
+			idpProviderType),
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpprovider.AddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &AddedEvent{
+		AddedEvent: *e.(*idpprovider.AddedEvent),
+	}, nil
+}
+
+type RemovedEvent struct {
+	idpprovider.RemovedEvent
+}
+
+func NewRemovedEvent(
+	ctx context.Context,
+	idpConfigID string,
+) *RemovedEvent {
+	return &RemovedEvent{
+		RemovedEvent: *idpprovider.NewRemovedEvent(
+			eventstore.NewBaseEventForPush(ctx, login.LoginPolicyIDPProviderRemovedEventType),
+			idpConfigID),
+	}
+}
+
+func RemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpprovider.RemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &RemovedEvent{
+		RemovedEvent: *e.(*idpprovider.RemovedEvent),
+	}, nil
+}

internal/v2/repository/iam/policy/login/idpprovider/write_model.go

@@ -0,0 +1,66 @@
+package idpprovider
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/login/idpprovider"
+)
+
+const (
+	AggregateType = "iam"
+)
+
+type WriteModel struct {
+	eventstore.WriteModel
+	Provider idpprovider.WriteModel
+
+	idpConfigID string
+	iamID       string
+
+	IsRemoved bool
+}
+
+func NewWriteModel(iamID, idpConfigID string) *WriteModel {
+	return &WriteModel{
+		iamID:       iamID,
+		idpConfigID: idpConfigID,
+	}
+}
+
+func (wm *WriteModel) AppendEvents(events ...eventstore.EventReader) {
+	wm.WriteModel.AppendEvents(events...)
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			if e.IDPConfigID != wm.idpConfigID {
+				continue
+			}
+			wm.Provider.AppendEvents(&e.AddedEvent)
+		}
+	}
+}
+
+func (wm *WriteModel) Reduce() error {
+	for _, event := range wm.Events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			if e.IDPConfigID != wm.idpConfigID {
+				continue
+			}
+			wm.IsRemoved = false
+		case *RemovedEvent:
+			if e.IDPConfigID != wm.idpConfigID {
+				continue
+			}
+			wm.IsRemoved = true
+		}
+	}
+	if err := wm.Provider.Reduce(); err != nil {
+		return err
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *WriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, AggregateType).
+		AggregateIDs(wm.iamID)
+}

internal/v2/repository/iam/policy/login/read_model.go

@@ -0,0 +1,21 @@
+package login
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/login"
+)
+
+type ReadModel struct{ login.ReadModel }
+
+func (rm *ReadModel) AppendEvents(events ...eventstore.EventReader) {
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			rm.ReadModel.AppendEvents(&e.AddedEvent)
+		case *ChangedEvent:
+			rm.ReadModel.AppendEvents(&e.ChangedEvent)
+		case *login.AddedEvent, *login.ChangedEvent:
+			rm.ReadModel.AppendEvents(e)
+		}
+	}
+}

internal/v2/repository/iam/policy/login/write_model.go

@@ -0,0 +1,47 @@
+package login
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/login"
+)
+
+const (
+	AggregateType = "iam"
+)
+
+type WriteModel struct {
+	eventstore.WriteModel
+	Policy login.WriteModel
+
+	iamID string
+}
+
+func NewWriteModel(iamID string) *WriteModel {
+	return &WriteModel{
+		iamID: iamID,
+	}
+}
+
+func (wm *WriteModel) AppendEvents(events ...eventstore.EventReader) {
+	wm.WriteModel.AppendEvents(events...)
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			wm.Policy.AppendEvents(&e.AddedEvent)
+		case *ChangedEvent:
+			wm.Policy.AppendEvents(&e.ChangedEvent)
+		}
+	}
+}
+
+func (wm *WriteModel) Reduce() error {
+	if err := wm.Policy.Reduce(); err != nil {
+		return err
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *WriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, AggregateType).
+		AggregateIDs(wm.iamID)
+}

internal/v2/repository/iam/policy/org_iam/events.go

@@ -0,0 +1,70 @@
+package org_iam
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/repository/policy/org_iam"
+)
+
+var (
+	iamEventPrefix               = eventstore.EventType("iam.")
+	OrgIAMPolicyAddedEventType   = iamEventPrefix + org_iam.OrgIAMPolicyAddedEventType
+	OrgIAMPolicyChangedEventType = iamEventPrefix + org_iam.OrgIAMPolicyChangedEventType
+)
+
+type AddedEvent struct {
+	org_iam.AddedEvent
+}
+
+func NewAddedEvent(
+	ctx context.Context,
+	userLoginMustBeDomain bool,
+) *AddedEvent {
+	return &AddedEvent{
+		AddedEvent: *org_iam.NewAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, OrgIAMPolicyAddedEventType),
+			userLoginMustBeDomain,
+		),
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := org_iam.AddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &AddedEvent{AddedEvent: *e.(*org_iam.AddedEvent)}, nil
+}
+
+type ChangedEvent struct {
+	org_iam.ChangedEvent
+}
+
+func ChangedEventFromExisting(
+	ctx context.Context,
+	current *WriteModel,
+	userLoginMustBeDomain bool,
+) (*ChangedEvent, error) {
+	event := org_iam.NewChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			OrgIAMPolicyChangedEventType,
+		),
+		&current.Policy,
+		userLoginMustBeDomain,
+	)
+	return &ChangedEvent{
+		*event,
+	}, nil
+}
+
+func ChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := org_iam.ChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ChangedEvent{ChangedEvent: *e.(*org_iam.ChangedEvent)}, nil
+}

internal/v2/repository/iam/policy/org_iam/read_model.go

@@ -0,0 +1,19 @@
+package org_iam
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/org_iam"
+)
+
+type ReadModel struct{ org_iam.ReadModel }
+
+func (rm *ReadModel) AppendEvents(events ...eventstore.EventReader) {
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			rm.ReadModel.AppendEvents(&e.AddedEvent)
+		case *org_iam.AddedEvent:
+			rm.ReadModel.AppendEvents(e)
+		}
+	}
+}

internal/v2/repository/iam/policy/org_iam/write_model.go

@@ -0,0 +1,47 @@
+package org_iam
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/org_iam"
+)
+
+const (
+	AggregateType = "iam"
+)
+
+type WriteModel struct {
+	eventstore.WriteModel
+	Policy org_iam.WriteModel
+
+	iamID string
+}
+
+func NewWriteModel(iamID string) *WriteModel {
+	return &WriteModel{
+		iamID: iamID,
+	}
+}
+
+func (wm *WriteModel) AppendEvents(events ...eventstore.EventReader) {
+	wm.WriteModel.AppendEvents(events...)
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			wm.Policy.AppendEvents(&e.AddedEvent)
+		case *ChangedEvent:
+			wm.Policy.AppendEvents(&e.ChangedEvent)
+		}
+	}
+}
+
+func (wm *WriteModel) Reduce() error {
+	if err := wm.Policy.Reduce(); err != nil {
+		return err
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *WriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, AggregateType).
+		AggregateIDs(wm.iamID)
+}

internal/v2/repository/iam/policy/password_age/events.go

@@ -0,0 +1,73 @@
+package password_age
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_age"
+)
+
+var (
+	iamEventPrefix                    = eventstore.EventType("iam.")
+	PasswordAgePolicyAddedEventType   = iamEventPrefix + password_age.PasswordAgePolicyAddedEventType
+	PasswordAgePolicyChangedEventType = iamEventPrefix + password_age.PasswordAgePolicyChangedEventType
+)
+
+type AddedEvent struct {
+	password_age.AddedEvent
+}
+
+func NewAddedEvent(
+	ctx context.Context,
+	expireWarnDays,
+	maxAgeDays uint64,
+) *AddedEvent {
+	return &AddedEvent{
+		AddedEvent: *password_age.NewAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, PasswordAgePolicyAddedEventType),
+			expireWarnDays,
+			maxAgeDays),
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := password_age.AddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &AddedEvent{AddedEvent: *e.(*password_age.AddedEvent)}, nil
+}
+
+type ChangedEvent struct {
+	password_age.ChangedEvent
+}
+
+func ChangedEventFromExisting(
+	ctx context.Context,
+	current *WriteModel,
+	expireWarnDays,
+	maxAgeDays uint64,
+) (*ChangedEvent, error) {
+	event := password_age.NewChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			PasswordAgePolicyChangedEventType,
+		),
+		&current.Policy,
+		expireWarnDays,
+		maxAgeDays,
+	)
+	return &ChangedEvent{
+		*event,
+	}, nil
+}
+
+func ChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := password_age.ChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ChangedEvent{ChangedEvent: *e.(*password_age.ChangedEvent)}, nil
+}

internal/v2/repository/iam/policy/password_age/read_model.go

@@ -0,0 +1,25 @@
+package password_age
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_age"
+)
+
+type ReadModel struct {
+	password_age.ReadModel
+}
+
+func (rm *ReadModel) AppendEvents(events ...eventstore.EventReader) {
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			rm.ReadModel.AppendEvents(&e.AddedEvent)
+		case *ChangedEvent:
+			rm.ReadModel.AppendEvents(&e.ChangedEvent)
+		case *password_age.AddedEvent,
+			*password_age.ChangedEvent:
+
+			rm.ReadModel.AppendEvents(e)
+		}
+	}
+}

internal/v2/repository/iam/policy/password_age/write_model.go

@@ -0,0 +1,47 @@
+package password_age
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_age"
+)
+
+const (
+	AggregateType = "iam"
+)
+
+type WriteModel struct {
+	eventstore.WriteModel
+	Policy password_age.WriteModel
+
+	iamID string
+}
+
+func NewWriteModel(iamID string) *WriteModel {
+	return &WriteModel{
+		iamID: iamID,
+	}
+}
+
+func (wm *WriteModel) AppendEvents(events ...eventstore.EventReader) {
+	wm.WriteModel.AppendEvents(events...)
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			wm.Policy.AppendEvents(&e.AddedEvent)
+		case *ChangedEvent:
+			wm.Policy.AppendEvents(&e.ChangedEvent)
+		}
+	}
+}
+
+func (wm *WriteModel) Reduce() error {
+	if err := wm.Policy.Reduce(); err != nil {
+		return err
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *WriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, AggregateType).
+		AggregateIDs(wm.iamID)
+}

internal/v2/repository/iam/policy/password_complexity/events.go

@@ -0,0 +1,85 @@
+package password_complexity
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_complexity"
+)
+
+const (
+	iamEventPrefix                           = eventstore.EventType("iam.")
+	PasswordComplexityPolicyAddedEventType   = iamEventPrefix + password_complexity.PasswordComplexityPolicyAddedEventType
+	PasswordComplexityPolicyChangedEventType = iamEventPrefix + password_complexity.PasswordComplexityPolicyChangedEventType
+)
+
+type AddedEvent struct {
+	password_complexity.AddedEvent
+}
+
+func NewAddedEvent(
+	ctx context.Context,
+	minLength uint64,
+	hasLowercase,
+	hasUppercase,
+	hasNumber,
+	hasSymbol bool,
+) *AddedEvent {
+	return &AddedEvent{
+		AddedEvent: *password_complexity.NewAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, PasswordComplexityPolicyAddedEventType),
+			minLength,
+			hasLowercase,
+			hasUppercase,
+			hasNumber,
+			hasSymbol),
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := password_complexity.AddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &AddedEvent{AddedEvent: *e.(*password_complexity.AddedEvent)}, nil
+}
+
+type ChangedEvent struct {
+	password_complexity.ChangedEvent
+}
+
+func ChangedEventFromExisting(
+	ctx context.Context,
+	current *WriteModel,
+	minLength uint64,
+	hasLowerCase,
+	hasUpperCase,
+	hasNumber,
+	hasSymbol bool,
+) (*ChangedEvent, error) {
+	event := password_complexity.NewChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			PasswordComplexityPolicyChangedEventType,
+		),
+		&current.Policy,
+		minLength,
+		hasLowerCase,
+		hasUpperCase,
+		hasNumber,
+		hasSymbol,
+	)
+	return &ChangedEvent{
+		*event,
+	}, nil
+}
+
+func ChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := password_complexity.ChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ChangedEvent{ChangedEvent: *e.(*password_complexity.ChangedEvent)}, nil
+}

internal/v2/repository/iam/policy/password_complexity/read_model.go

@@ -0,0 +1,25 @@
+package password_complexity
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_complexity"
+)
+
+type ReadModel struct {
+	password_complexity.ReadModel
+}
+
+func (rm *ReadModel) AppendEvents(events ...eventstore.EventReader) {
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			rm.ReadModel.AppendEvents(&e.AddedEvent)
+		case *ChangedEvent:
+			rm.ReadModel.AppendEvents(&e.ChangedEvent)
+		case *password_complexity.AddedEvent,
+			*password_complexity.ChangedEvent:
+
+			rm.ReadModel.AppendEvents(e)
+		}
+	}
+}

internal/v2/repository/iam/policy/password_complexity/write_model.go

@@ -0,0 +1,47 @@
+package password_complexity
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_complexity"
+)
+
+const (
+	AggregateType = "iam"
+)
+
+type WriteModel struct {
+	eventstore.WriteModel
+	Policy password_complexity.WriteModel
+
+	iamID string
+}
+
+func NewWriteModel(iamID string) *WriteModel {
+	return &WriteModel{
+		iamID: iamID,
+	}
+}
+
+func (wm *WriteModel) AppendEvents(events ...eventstore.EventReader) {
+	wm.WriteModel.AppendEvents(events...)
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			wm.Policy.AppendEvents(&e.AddedEvent)
+		case *ChangedEvent:
+			wm.Policy.AppendEvents(&e.ChangedEvent)
+		}
+	}
+}
+
+func (wm *WriteModel) Reduce() error {
+	if err := wm.Policy.Reduce(); err != nil {
+		return err
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *WriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, AggregateType).
+		AggregateIDs(wm.iamID)
+}

internal/v2/repository/iam/policy/password_lockout/events.go

@@ -0,0 +1,73 @@
+package password_lockout
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_lockout"
+)
+
+var (
+	iamEventPrefix                        = eventstore.EventType("iam.")
+	PasswordLockoutPolicyAddedEventType   = iamEventPrefix + password_lockout.PasswordLockoutPolicyAddedEventType
+	PasswordLockoutPolicyChangedEventType = iamEventPrefix + password_lockout.PasswordLockoutPolicyChangedEventType
+)
+
+type AddedEvent struct {
+	password_lockout.AddedEvent
+}
+
+func NewAddedEvent(
+	ctx context.Context,
+	maxAttempts uint64,
+	showLockoutFailure bool,
+) *AddedEvent {
+	return &AddedEvent{
+		AddedEvent: *password_lockout.NewAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, PasswordLockoutPolicyAddedEventType),
+			maxAttempts,
+			showLockoutFailure),
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := password_lockout.AddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &AddedEvent{AddedEvent: *e.(*password_lockout.AddedEvent)}, nil
+}
+
+type ChangedEvent struct {
+	password_lockout.ChangedEvent
+}
+
+func ChangedEventFromExisting(
+	ctx context.Context,
+	current *WriteModel,
+	maxAttempts uint64,
+	showLockoutFailure bool,
+) (*ChangedEvent, error) {
+	event := password_lockout.NewChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			PasswordLockoutPolicyChangedEventType,
+		),
+		&current.Policy,
+		maxAttempts,
+		showLockoutFailure,
+	)
+	return &ChangedEvent{
+		*event,
+	}, nil
+}
+
+func ChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := password_lockout.ChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ChangedEvent{ChangedEvent: *e.(*password_lockout.ChangedEvent)}, nil
+}

internal/v2/repository/iam/policy/password_lockout/read_model.go

@@ -0,0 +1,23 @@
+package password_lockout
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_lockout"
+)
+
+type ReadModel struct {
+	password_lockout.ReadModel
+}
+
+func (rm *ReadModel) AppendEvents(events ...eventstore.EventReader) {
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			rm.ReadModel.AppendEvents(&e.AddedEvent)
+		case *ChangedEvent:
+			rm.ReadModel.AppendEvents(&e.ChangedEvent)
+		case *password_lockout.AddedEvent, *password_lockout.ChangedEvent:
+			rm.ReadModel.AppendEvents(e)
+		}
+	}
+}

internal/v2/repository/iam/policy/password_lockout/write_model.go

@@ -0,0 +1,47 @@
+package password_lockout
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_lockout"
+)
+
+const (
+	AggregateType = "iam"
+)
+
+type WriteModel struct {
+	eventstore.WriteModel
+	Policy password_lockout.WriteModel
+
+	iamID string
+}
+
+func NewWriteModel(iamID string) *WriteModel {
+	return &WriteModel{
+		iamID: iamID,
+	}
+}
+
+func (wm *WriteModel) AppendEvents(events ...eventstore.EventReader) {
+	wm.WriteModel.AppendEvents(events...)
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			wm.Policy.AppendEvents(&e.AddedEvent)
+		case *ChangedEvent:
+			wm.Policy.AppendEvents(&e.ChangedEvent)
+		}
+	}
+}
+
+func (wm *WriteModel) Reduce() error {
+	if err := wm.Policy.Reduce(); err != nil {
+		return err
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *WriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, AggregateType).
+		AggregateIDs(wm.iamID)
+}

internal/v2/repository/iam/policy_label.go

@@ -1,83 +0,0 @@
-package iam
-
-import (
-	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/eventstore/v2/repository"
-	"github.com/caos/zitadel/internal/v2/repository/policy"
-)
-
-var (
-	LabelPolicyAddedEventType   = iamEventTypePrefix + policy.LabelPolicyAddedEventType
-	LabelPolicyChangedEventType = iamEventTypePrefix + policy.LabelPolicyChangedEventType
-)
-
-type LabelPolicyReadModel struct{ policy.LabelPolicyReadModel }
-
-func (rm *LabelPolicyReadModel) AppendEvents(events ...eventstore.EventReader) {
-	for _, event := range events {
-		switch e := event.(type) {
-		case *LabelPolicyAddedEvent:
-			rm.ReadModel.AppendEvents(&e.LabelPolicyAddedEvent)
-		case *LabelPolicyChangedEvent:
-			rm.ReadModel.AppendEvents(&e.LabelPolicyChangedEvent)
-		case *policy.LabelPolicyAddedEvent, *policy.LabelPolicyChangedEvent:
-			rm.ReadModel.AppendEvents(e)
-		}
-	}
-}
-
-type LabelPolicyAddedEvent struct {
-	policy.LabelPolicyAddedEvent
-}
-
-func LabelPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.LabelPolicyAddedEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &LabelPolicyAddedEvent{LabelPolicyAddedEvent: *e.(*policy.LabelPolicyAddedEvent)}, nil
-}
-
-type LabelPolicyChangedEvent struct {
-	policy.LabelPolicyChangedEvent
-}
-
-func LabelPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.LabelPolicyChangedEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &LabelPolicyChangedEvent{LabelPolicyChangedEvent: *e.(*policy.LabelPolicyChangedEvent)}, nil
-}
-
-// func NewLabelPolicyAddedEvent(
-// 	ctx context.Context,
-// 	primaryColor,
-// 	secondaryColor string,
-// ) *LabelPolicyAddedEvent {
-
-// 	return &LabelPolicyAddedEvent{
-// 		LabelPolicyAddedEvent: *policy.NewLabelPolicyAddedEvent(
-// 			ctx,
-// 			primaryColor,
-// 			secondaryColor,
-// 		),
-// 	}
-// }
-
-// func NewLabelPolicyChangedEvent(
-// 	ctx context.Context,
-// 	primaryColor,
-// 	secondaryColor string,
-// ) *MemberChangedEvent {
-
-// 	return &LabelPolicyChangedEvent{
-// 		LabelPolicyChangedEvent: *policy.NewLabelPolicyChangedEvent(
-// 			ctx,
-// 			primaryColor,
-// 			secondaryColor,
-// 		),
-// 	}
-// }

internal/v2/repository/iam/policy_login.go

@@ -1,171 +0,0 @@
-package iam
-
-import (
-	"context"
-
-	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/eventstore/v2/repository"
-	"github.com/caos/zitadel/internal/v2/repository/idp/provider"
-	"github.com/caos/zitadel/internal/v2/repository/policy"
-)
-
-var (
-	LoginPolicyAddedEventType   = iamEventTypePrefix + policy.LoginPolicyAddedEventType
-	LoginPolicyChangedEventType = iamEventTypePrefix + policy.LoginPolicyChangedEventType
-
-	LoginPolicyIDPProviderAddedEventType   = iamEventTypePrefix + policy.LoginPolicyIDPProviderAddedEventType
-	LoginPolicyIDPProviderRemovedEventType = iamEventTypePrefix + policy.LoginPolicyIDPProviderRemovedEventType
-)
-
-type LoginPolicyReadModel struct{ policy.LoginPolicyReadModel }
-
-func (rm *LoginPolicyReadModel) AppendEvents(events ...eventstore.EventReader) {
-	for _, event := range events {
-		switch e := event.(type) {
-		case *LoginPolicyAddedEvent:
-			rm.ReadModel.AppendEvents(&e.LoginPolicyAddedEvent)
-		case *LoginPolicyChangedEvent:
-			rm.ReadModel.AppendEvents(&e.LoginPolicyChangedEvent)
-		case *policy.LoginPolicyAddedEvent, *policy.LoginPolicyChangedEvent:
-			rm.ReadModel.AppendEvents(e)
-		}
-	}
-}
-
-type LoginPolicyAddedEvent struct {
-	policy.LoginPolicyAddedEvent
-}
-
-func LoginPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.LoginPolicyAddedEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &LoginPolicyAddedEvent{LoginPolicyAddedEvent: *e.(*policy.LoginPolicyAddedEvent)}, nil
-}
-
-type LoginPolicyChangedEvent struct {
-	policy.LoginPolicyChangedEvent
-}
-
-func LoginPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.LoginPolicyChangedEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &LoginPolicyChangedEvent{LoginPolicyChangedEvent: *e.(*policy.LoginPolicyChangedEvent)}, nil
-}
-
-type LoginPolicyIDPProviderWriteModel struct {
-	eventstore.WriteModel
-	policy.IDPProviderWriteModel
-
-	idpConfigID string
-	iamID       string
-
-	IsRemoved bool
-}
-
-func NewLoginPolicyIDPProviderWriteModel(iamID, idpConfigID string) *LoginPolicyIDPProviderWriteModel {
-	return &LoginPolicyIDPProviderWriteModel{
-		iamID:       iamID,
-		idpConfigID: idpConfigID,
-	}
-}
-
-func (wm *LoginPolicyIDPProviderWriteModel) AppendEvents(events ...eventstore.EventReader) {
-	wm.WriteModel.AppendEvents(events...)
-	for _, event := range events {
-		switch e := event.(type) {
-		case *LoginPolicyIDPProviderAddedEvent:
-			if e.IDPConfigID != wm.idpConfigID {
-				continue
-			}
-			wm.IDPProviderWriteModel.AppendEvents(&e.IDPProviderAddedEvent)
-		}
-	}
-}
-
-func (wm *LoginPolicyIDPProviderWriteModel) Reduce() error {
-	for _, event := range wm.Events {
-		switch e := event.(type) {
-		case *LoginPolicyIDPProviderAddedEvent:
-			if e.IDPConfigID != wm.idpConfigID {
-				continue
-			}
-			wm.IsRemoved = false
-		case *LoginPolicyIDPProviderRemovedEvent:
-			if e.IDPConfigID != wm.idpConfigID {
-				continue
-			}
-			wm.IsRemoved = true
-		}
-	}
-	if err := wm.IDPProviderWriteModel.Reduce(); err != nil {
-		return err
-	}
-	return wm.WriteModel.Reduce()
-}
-
-func (wm *LoginPolicyIDPProviderWriteModel) Query() *eventstore.SearchQueryBuilder {
-	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, AggregateType).
-		AggregateIDs(wm.iamID)
-}
-
-type LoginPolicyIDPProviderAddedEvent struct {
-	policy.IDPProviderAddedEvent
-}
-
-func NewLoginPolicyIDPProviderAddedEvent(
-	ctx context.Context,
-	idpConfigID string,
-	idpProviderType provider.Type,
-) *LoginPolicyIDPProviderAddedEvent {
-
-	return &LoginPolicyIDPProviderAddedEvent{
-		IDPProviderAddedEvent: *policy.NewIDPProviderAddedEvent(
-			eventstore.NewBaseEventForPush(ctx, LoginPolicyIDPProviderAddedEventType),
-			idpConfigID,
-			provider.TypeSystem),
-	}
-}
-
-func IDPProviderAddedEventEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.IDPProviderAddedEventEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &LoginPolicyIDPProviderAddedEvent{
-		IDPProviderAddedEvent: *e.(*policy.IDPProviderAddedEvent),
-	}, nil
-}
-
-type LoginPolicyIDPProviderRemovedEvent struct {
-	policy.IDPProviderRemovedEvent
-}
-
-func NewLoginPolicyIDPProviderRemovedEvent(
-	ctx context.Context,
-	idpConfigID string,
-) *LoginPolicyIDPProviderRemovedEvent {
-
-	return &LoginPolicyIDPProviderRemovedEvent{
-		IDPProviderRemovedEvent: *policy.NewIDPProviderRemovedEvent(
-			eventstore.NewBaseEventForPush(ctx, LoginPolicyIDPProviderRemovedEventType),
-			idpConfigID),
-	}
-}
-
-func IDPProviderRemovedEventEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.IDPProviderRemovedEventEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &LoginPolicyIDPProviderRemovedEvent{
-		IDPProviderRemovedEvent: *e.(*policy.IDPProviderRemovedEvent),
-	}, nil
-}

internal/v2/repository/iam/policy_org_iam.go

@@ -1,37 +0,0 @@
-package iam
-
-import (
-	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/eventstore/v2/repository"
-	"github.com/caos/zitadel/internal/v2/repository/policy"
-)
-
-var (
-	OrgIAMPolicyAddedEventType = iamEventTypePrefix + policy.OrgIAMPolicyAddedEventType
-)
-
-type OrgIAMPolicyReadModel struct{ policy.OrgIAMPolicyReadModel }
-
-func (rm *OrgIAMPolicyReadModel) AppendEvents(events ...eventstore.EventReader) {
-	for _, event := range events {
-		switch e := event.(type) {
-		case *OrgIAMPolicyAddedEvent:
-			rm.ReadModel.AppendEvents(&e.OrgIAMPolicyAddedEvent)
-		case *policy.OrgIAMPolicyAddedEvent:
-			rm.ReadModel.AppendEvents(e)
-		}
-	}
-}
-
-type OrgIAMPolicyAddedEvent struct {
-	policy.OrgIAMPolicyAddedEvent
-}
-
-func OrgIAMPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.OrgIAMPolicyAddedEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &OrgIAMPolicyAddedEvent{OrgIAMPolicyAddedEvent: *e.(*policy.OrgIAMPolicyAddedEvent)}, nil
-}

internal/v2/repository/iam/policy_password_age.go

@@ -1,57 +0,0 @@
-package iam
-
-import (
-	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/eventstore/v2/repository"
-	"github.com/caos/zitadel/internal/v2/repository/policy"
-)
-
-var (
-	PasswordAgePolicyAddedEventType   = iamEventTypePrefix + policy.PasswordAgePolicyAddedEventType
-	PasswordAgePolicyChangedEventType = iamEventTypePrefix + policy.PasswordAgePolicyChangedEventType
-)
-
-type PasswordAgePolicyReadModel struct {
-	policy.PasswordAgePolicyReadModel
-}
-
-func (rm *PasswordAgePolicyReadModel) AppendEvents(events ...eventstore.EventReader) {
-	for _, event := range events {
-		switch e := event.(type) {
-		case *PasswordAgePolicyAddedEvent:
-			rm.ReadModel.AppendEvents(&e.PasswordAgePolicyAddedEvent)
-		case *PasswordAgePolicyChangedEvent:
-			rm.ReadModel.AppendEvents(&e.PasswordAgePolicyChangedEvent)
-		case *policy.PasswordAgePolicyAddedEvent,
-			*policy.PasswordAgePolicyChangedEvent:
-
-			rm.ReadModel.AppendEvents(e)
-		}
-	}
-}
-
-type PasswordAgePolicyAddedEvent struct {
-	policy.PasswordAgePolicyAddedEvent
-}
-
-func PasswordAgePolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.PasswordAgePolicyAddedEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &PasswordAgePolicyAddedEvent{PasswordAgePolicyAddedEvent: *e.(*policy.PasswordAgePolicyAddedEvent)}, nil
-}
-
-type PasswordAgePolicyChangedEvent struct {
-	policy.PasswordAgePolicyChangedEvent
-}
-
-func PasswordAgePolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.PasswordAgePolicyChangedEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &PasswordAgePolicyChangedEvent{PasswordAgePolicyChangedEvent: *e.(*policy.PasswordAgePolicyChangedEvent)}, nil
-}

internal/v2/repository/iam/policy_password_complexity.go

@@ -1,57 +0,0 @@
-package iam
-
-import (
-	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/eventstore/v2/repository"
-	"github.com/caos/zitadel/internal/v2/repository/policy"
-)
-
-var (
-	PasswordComplexityPolicyAddedEventType   = iamEventTypePrefix + policy.PasswordComplexityPolicyAddedEventType
-	PasswordComplexityPolicyChangedEventType = iamEventTypePrefix + policy.PasswordComplexityPolicyChangedEventType
-)
-
-type PasswordComplexityPolicyReadModel struct {
-	policy.PasswordComplexityPolicyReadModel
-}
-
-func (rm *PasswordComplexityPolicyReadModel) AppendEvents(events ...eventstore.EventReader) {
-	for _, event := range events {
-		switch e := event.(type) {
-		case *PasswordComplexityPolicyAddedEvent:
-			rm.ReadModel.AppendEvents(&e.PasswordComplexityPolicyAddedEvent)
-		case *PasswordComplexityPolicyChangedEvent:
-			rm.ReadModel.AppendEvents(&e.PasswordComplexityPolicyChangedEvent)
-		case *policy.PasswordComplexityPolicyAddedEvent,
-			*policy.PasswordComplexityPolicyChangedEvent:
-
-			rm.ReadModel.AppendEvents(e)
-		}
-	}
-}
-
-type PasswordComplexityPolicyAddedEvent struct {
-	policy.PasswordComplexityPolicyAddedEvent
-}
-
-func PasswordComplexityPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.PasswordComplexityPolicyAddedEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &PasswordComplexityPolicyAddedEvent{PasswordComplexityPolicyAddedEvent: *e.(*policy.PasswordComplexityPolicyAddedEvent)}, nil
-}
-
-type PasswordComplexityPolicyChangedEvent struct {
-	policy.PasswordComplexityPolicyChangedEvent
-}
-
-func PasswordComplexityPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.PasswordComplexityPolicyChangedEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &PasswordComplexityPolicyChangedEvent{PasswordComplexityPolicyChangedEvent: *e.(*policy.PasswordComplexityPolicyChangedEvent)}, nil
-}

internal/v2/repository/iam/policy_password_lockout.go

@@ -1,55 +0,0 @@
-package iam
-
-import (
-	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/eventstore/v2/repository"
-	"github.com/caos/zitadel/internal/v2/repository/policy"
-)
-
-var (
-	PasswordLockoutPolicyAddedEventType   = iamEventTypePrefix + policy.PasswordLockoutPolicyAddedEventType
-	PasswordLockoutPolicyChangedEventType = iamEventTypePrefix + policy.PasswordLockoutPolicyChangedEventType
-)
-
-type PasswordLockoutPolicyReadModel struct {
-	policy.PasswordLockoutPolicyReadModel
-}
-
-func (rm *PasswordLockoutPolicyReadModel) AppendEvents(events ...eventstore.EventReader) {
-	for _, event := range events {
-		switch e := event.(type) {
-		case *PasswordLockoutPolicyAddedEvent:
-			rm.ReadModel.AppendEvents(&e.PasswordLockoutPolicyAddedEvent)
-		case *PasswordLockoutPolicyChangedEvent:
-			rm.ReadModel.AppendEvents(&e.PasswordLockoutPolicyChangedEvent)
-		case *policy.PasswordLockoutPolicyAddedEvent, *policy.PasswordLockoutPolicyChangedEvent:
-			rm.ReadModel.AppendEvents(e)
-		}
-	}
-}
-
-type PasswordLockoutPolicyAddedEvent struct {
-	policy.PasswordLockoutPolicyAddedEvent
-}
-
-func PasswordLockoutPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.PasswordLockoutPolicyAddedEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &PasswordLockoutPolicyAddedEvent{PasswordLockoutPolicyAddedEvent: *e.(*policy.PasswordLockoutPolicyAddedEvent)}, nil
-}
-
-type PasswordLockoutPolicyChangedEvent struct {
-	policy.PasswordLockoutPolicyChangedEvent
-}
-
-func PasswordLockoutPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.PasswordLockoutPolicyChangedEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &PasswordLockoutPolicyChangedEvent{PasswordLockoutPolicyChangedEvent: *e.(*policy.PasswordLockoutPolicyChangedEvent)}, nil
-}

internal/v2/repository/iam/read_model.go

@@ -2,8 +2,19 @@ package iam
 
 import (
 	"github.com/caos/zitadel/internal/eventstore/v2"
+	iam_label "github.com/caos/zitadel/internal/v2/repository/iam/policy/label"
+	iam_login "github.com/caos/zitadel/internal/v2/repository/iam/policy/login"
+	iam_org_iam "github.com/caos/zitadel/internal/v2/repository/iam/policy/org_iam"
+	iam_password_age "github.com/caos/zitadel/internal/v2/repository/iam/policy/password_age"
+	iam_password_complexity "github.com/caos/zitadel/internal/v2/repository/iam/policy/password_complexity"
+	iam_password_lockout "github.com/caos/zitadel/internal/v2/repository/iam/policy/password_lockout"
 	"github.com/caos/zitadel/internal/v2/repository/member"
-	"github.com/caos/zitadel/internal/v2/repository/policy"
+	"github.com/caos/zitadel/internal/v2/repository/policy/label"
+	"github.com/caos/zitadel/internal/v2/repository/policy/login"
+	"github.com/caos/zitadel/internal/v2/repository/policy/org_iam"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_age"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_complexity"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_lockout"
 )
 
 type ReadModel struct {
@@ -18,12 +29,12 @@ type ReadModel struct {
 	GlobalOrgID string
 	ProjectID   string
 
-	DefaultLoginPolicy              LoginPolicyReadModel
-	DefaultLabelPolicy              LabelPolicyReadModel
-	DefaultOrgIAMPolicy             OrgIAMPolicyReadModel
-	DefaultPasswordComplexityPolicy PasswordComplexityPolicyReadModel
-	DefaultPasswordAgePolicy        PasswordAgePolicyReadModel
-	DefaultPasswordLockoutPolicy    PasswordLockoutPolicyReadModel
+	DefaultLoginPolicy              iam_login.ReadModel
+	DefaultLabelPolicy              iam_label.ReadModel
+	DefaultOrgIAMPolicy             iam_org_iam.ReadModel
+	DefaultPasswordComplexityPolicy iam_password_complexity.ReadModel
+	DefaultPasswordAgePolicy        iam_password_age.ReadModel
+	DefaultPasswordLockoutPolicy    iam_password_lockout.ReadModel
 }
 
 func NewReadModel(id string) *ReadModel {
@@ -60,26 +71,26 @@ func (rm *ReadModel) AppendEvents(events ...eventstore.EventReader) {
 			*IDPOIDCConfigChangedEvent:
 
 			rm.IDPs.AppendEvents(event)
-		case *policy.LabelPolicyAddedEvent,
-			*policy.LabelPolicyChangedEvent:
+		case *label.AddedEvent,
+			*label.ChangedEvent:
 
 			rm.DefaultLabelPolicy.AppendEvents(event)
-		case *policy.LoginPolicyAddedEvent,
-			*policy.LoginPolicyChangedEvent:
+		case *login.AddedEvent,
+			*login.ChangedEvent:
 
 			rm.DefaultLoginPolicy.AppendEvents(event)
-		case *policy.OrgIAMPolicyAddedEvent:
+		case *org_iam.AddedEvent:
 			rm.DefaultOrgIAMPolicy.AppendEvents(event)
-		case *policy.PasswordComplexityPolicyAddedEvent,
-			*policy.PasswordComplexityPolicyChangedEvent:
+		case *password_complexity.AddedEvent,
+			*password_complexity.ChangedEvent:
 
 			rm.DefaultPasswordComplexityPolicy.AppendEvents(event)
-		case *policy.PasswordAgePolicyAddedEvent,
-			*policy.PasswordAgePolicyChangedEvent:
+		case *password_age.AddedEvent,
+			*password_age.ChangedEvent:
 
 			rm.DefaultPasswordAgePolicy.AppendEvents(event)
-		case *policy.PasswordLockoutPolicyAddedEvent,
-			*policy.PasswordLockoutPolicyChangedEvent:
+		case *password_lockout.AddedEvent,
+			*password_lockout.ChangedEvent:
 
 			rm.DefaultPasswordLockoutPolicy.AppendEvents(event)
 		}