New eventstore policies (#1084)

* feat: login policy

* feat: password complexity policy

* feat: org iam policy

* feat: label policy

* feat: add and change policies

* feat: second factors

* feat: second and multi factors

* feat: better naming

* feat: better naming

internal/admin/repository/eventsourcing/eventstore/iam.go

@@ -158,7 +158,7 @@ func (repo *IAMRepository) RemoveIDPConfig(ctx context.Context, idpConfigID stri
 		if p.AggregateID == repo.SystemDefaults.IamID {
 			continue
 		}
-		provider := &iam_model.IDPProvider{ObjectRoot: es_models.ObjectRoot{AggregateID: p.AggregateID}, IdpConfigID: p.IDPConfigID}
+		provider := &iam_model.IDPProvider{ObjectRoot: es_models.ObjectRoot{AggregateID: p.AggregateID}, IDPConfigID: p.IDPConfigID}
 		providerAgg := new(es_models.Aggregate)
 		_, providerAgg, err = repo.OrgEvents.PrepareRemoveIDPProviderFromLoginPolicy(ctx, provider, true)
 		if err != nil {
@@ -238,11 +238,17 @@ func (repo *IAMRepository) GetDefaultLabelPolicy(ctx context.Context) (*iam_mode
 
 func (repo *IAMRepository) AddDefaultLabelPolicy(ctx context.Context, policy *iam_model.LabelPolicy) (*iam_model.LabelPolicy, error) {
 	policy.AggregateID = repo.SystemDefaults.IamID
+	if repo.IAMV2 != nil {
+		return repo.IAMV2.AddLabelPolicy(ctx, policy)
+	}
 	return repo.IAMEventstore.AddLabelPolicy(ctx, policy)
 }
 
 func (repo *IAMRepository) ChangeDefaultLabelPolicy(ctx context.Context, policy *iam_model.LabelPolicy) (*iam_model.LabelPolicy, error) {
 	policy.AggregateID = repo.SystemDefaults.IamID
+	if repo.IAMV2 != nil {
+		return repo.IAMV2.ChangeLabelPolicy(ctx, policy)
+	}
 	return repo.IAMEventstore.ChangeLabelPolicy(ctx, policy)
 }
 
@@ -273,11 +279,17 @@ func (repo *IAMRepository) GetDefaultLoginPolicy(ctx context.Context) (*iam_mode
 
 func (repo *IAMRepository) AddDefaultLoginPolicy(ctx context.Context, policy *iam_model.LoginPolicy) (*iam_model.LoginPolicy, error) {
 	policy.AggregateID = repo.SystemDefaults.IamID
+	if repo.IAMV2 != nil {
+		return repo.IAMV2.AddLoginPolicy(ctx, policy)
+	}
 	return repo.IAMEventstore.AddLoginPolicy(ctx, policy)
 }
 
 func (repo *IAMRepository) ChangeDefaultLoginPolicy(ctx context.Context, policy *iam_model.LoginPolicy) (*iam_model.LoginPolicy, error) {
 	policy.AggregateID = repo.SystemDefaults.IamID
+	if repo.IAMV2 != nil {
+		return repo.IAMV2.ChangeLoginPolicy(ctx, policy)
+	}
 	return repo.IAMEventstore.ChangeLoginPolicy(ctx, policy)
 }
 
@@ -320,7 +332,7 @@ func (repo *IAMRepository) RemoveIDPProviderFromLoginPolicy(ctx context.Context,
 	}
 	aggregates = append(aggregates, removeAgg)
 
-	externalIDPs, err := repo.View.ExternalIDPsByIDPConfigID(provider.IdpConfigID)
+	externalIDPs, err := repo.View.ExternalIDPsByIDPConfigID(provider.IDPConfigID)
 	if err != nil {
 		return err
 	}
@@ -348,10 +360,16 @@ func (repo *IAMRepository) SearchDefaultSecondFactors(ctx context.Context) (*iam
 }
 
 func (repo *IAMRepository) AddSecondFactorToLoginPolicy(ctx context.Context, mfa iam_model.SecondFactorType) (iam_model.SecondFactorType, error) {
+	if repo.IAMV2 != nil {
+		return repo.IAMV2.AddSecondFactorToLoginPolicy(ctx, repo.SystemDefaults.IamID, mfa)
+	}
 	return repo.IAMEventstore.AddSecondFactorToLoginPolicy(ctx, repo.SystemDefaults.IamID, mfa)
 }
 
 func (repo *IAMRepository) RemoveSecondFactorFromLoginPolicy(ctx context.Context, mfa iam_model.SecondFactorType) error {
+	if repo.IAMV2 != nil {
+		return repo.IAMV2.RemoveSecondFactorFromLoginPolicy(ctx, repo.SystemDefaults.IamID, mfa)
+	}
 	return repo.IAMEventstore.RemoveSecondFactorFromLoginPolicy(ctx, repo.SystemDefaults.IamID, mfa)
 }
 
@@ -367,10 +385,16 @@ func (repo *IAMRepository) SearchDefaultMultiFactors(ctx context.Context) (*iam_
 }
 
 func (repo *IAMRepository) AddMultiFactorToLoginPolicy(ctx context.Context, mfa iam_model.MultiFactorType) (iam_model.MultiFactorType, error) {
+	if repo.IAMV2 != nil {
+		return repo.IAMV2.AddMultiFactorToLoginPolicy(ctx, repo.SystemDefaults.IamID, mfa)
+	}
 	return repo.IAMEventstore.AddMultiFactorToLoginPolicy(ctx, repo.SystemDefaults.IamID, mfa)
 }
 
 func (repo *IAMRepository) RemoveMultiFactorFromLoginPolicy(ctx context.Context, mfa iam_model.MultiFactorType) error {
+	if repo.IAMV2 != nil {
+		return repo.IAMV2.RemoveMultiFactorFromLoginPolicy(ctx, repo.SystemDefaults.IamID, mfa)
+	}
 	return repo.IAMEventstore.RemoveMultiFactorFromLoginPolicy(ctx, repo.SystemDefaults.IamID, mfa)
 }
 
@@ -401,11 +425,17 @@ func (repo *IAMRepository) GetDefaultPasswordComplexityPolicy(ctx context.Contex
 
 func (repo *IAMRepository) AddDefaultPasswordComplexityPolicy(ctx context.Context, policy *iam_model.PasswordComplexityPolicy) (*iam_model.PasswordComplexityPolicy, error) {
 	policy.AggregateID = repo.SystemDefaults.IamID
+	if repo.IAMV2 != nil {
+		return repo.IAMV2.AddPasswordComplexityPolicy(ctx, policy)
+	}
 	return repo.IAMEventstore.AddPasswordComplexityPolicy(ctx, policy)
 }
 
 func (repo *IAMRepository) ChangeDefaultPasswordComplexityPolicy(ctx context.Context, policy *iam_model.PasswordComplexityPolicy) (*iam_model.PasswordComplexityPolicy, error) {
 	policy.AggregateID = repo.SystemDefaults.IamID
+	if repo.IAMV2 != nil {
+		return repo.IAMV2.ChangePasswordComplexityPolicy(ctx, policy)
+	}
 	return repo.IAMEventstore.ChangePasswordComplexityPolicy(ctx, policy)
 }
 
@@ -436,11 +466,17 @@ func (repo *IAMRepository) GetDefaultPasswordAgePolicy(ctx context.Context) (*ia
 
 func (repo *IAMRepository) AddDefaultPasswordAgePolicy(ctx context.Context, policy *iam_model.PasswordAgePolicy) (*iam_model.PasswordAgePolicy, error) {
 	policy.AggregateID = repo.SystemDefaults.IamID
+	if repo.IAMV2 != nil {
+		return repo.IAMV2.AddPasswordAgePolicy(ctx, policy)
+	}
 	return repo.IAMEventstore.AddPasswordAgePolicy(ctx, policy)
 }
 
 func (repo *IAMRepository) ChangeDefaultPasswordAgePolicy(ctx context.Context, policy *iam_model.PasswordAgePolicy) (*iam_model.PasswordAgePolicy, error) {
 	policy.AggregateID = repo.SystemDefaults.IamID
+	if repo.IAMV2 != nil {
+		return repo.IAMV2.ChangePasswordAgePolicy(ctx, policy)
+	}
 	return repo.IAMEventstore.ChangePasswordAgePolicy(ctx, policy)
 }
 
@@ -471,11 +507,17 @@ func (repo *IAMRepository) GetDefaultPasswordLockoutPolicy(ctx context.Context)
 
 func (repo *IAMRepository) AddDefaultPasswordLockoutPolicy(ctx context.Context, policy *iam_model.PasswordLockoutPolicy) (*iam_model.PasswordLockoutPolicy, error) {
 	policy.AggregateID = repo.SystemDefaults.IamID
+	if repo.IAMV2 != nil {
+		return repo.IAMV2.AddPasswordLockoutPolicy(ctx, policy)
+	}
 	return repo.IAMEventstore.AddPasswordLockoutPolicy(ctx, policy)
 }
 
 func (repo *IAMRepository) ChangeDefaultPasswordLockoutPolicy(ctx context.Context, policy *iam_model.PasswordLockoutPolicy) (*iam_model.PasswordLockoutPolicy, error) {
 	policy.AggregateID = repo.SystemDefaults.IamID
+	if repo.IAMV2 != nil {
+		return repo.IAMV2.ChangePasswordLockoutPolicy(ctx, policy)
+	}
 	return repo.IAMEventstore.ChangePasswordLockoutPolicy(ctx, policy)
 }
 
@@ -506,10 +548,16 @@ func (repo *IAMRepository) GetOrgIAMPolicy(ctx context.Context) (*iam_model.OrgI
 
 func (repo *IAMRepository) AddDefaultOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error) {
 	policy.AggregateID = repo.SystemDefaults.IamID
+	if repo.IAMV2 != nil {
+		return repo.IAMV2.AddOrgIAMPolicy(ctx, policy)
+	}
 	return repo.IAMEventstore.AddOrgIAMPolicy(ctx, policy)
 }
 
 func (repo *IAMRepository) ChangeDefaultOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error) {
 	policy.AggregateID = repo.SystemDefaults.IamID
+	if repo.IAMV2 != nil {
+		return repo.IAMV2.ChangeOrgIAMPolicy(ctx, policy)
+	}
 	return repo.IAMEventstore.ChangeOrgIAMPolicy(ctx, policy)
 }

internal/api/grpc/admin/login_policy_converter.go

@@ -71,14 +71,14 @@ func idpProviderSearchResponseFromModel(response *iam_model.IDPProviderSearchRes
 
 func idpProviderToModel(provider *admin.IdpProviderID) *iam_model.IDPProvider {
 	return &iam_model.IDPProvider{
-		IdpConfigID: provider.IdpConfigId,
+		IDPConfigID: provider.IdpConfigId,
 		Type:        iam_model.IDPProviderTypeSystem,
 	}
 }
 
 func idpProviderFromModel(provider *iam_model.IDPProvider) *admin.IdpProviderID {
 	return &admin.IdpProviderID{
-		IdpConfigId: provider.IdpConfigID,
+		IdpConfigId: provider.IDPConfigID,
 	}
 }
 

internal/api/grpc/management/login_policy_converter.go

@@ -72,27 +72,27 @@ func idpProviderSearchResponseFromModel(response *iam_model.IDPProviderSearchRes
 
 func idpProviderToModel(provider *management.IdpProviderID) *iam_model.IDPProvider {
 	return &iam_model.IDPProvider{
-		IdpConfigID: provider.IdpConfigId,
+		IDPConfigID: provider.IdpConfigId,
 		Type:        iam_model.IDPProviderTypeSystem,
 	}
 }
 
 func idpProviderAddToModel(provider *management.IdpProviderAdd) *iam_model.IDPProvider {
 	return &iam_model.IDPProvider{
-		IdpConfigID: provider.IdpConfigId,
+		IDPConfigID: provider.IdpConfigId,
 		Type:        idpProviderTypeToModel(provider.IdpProviderType),
 	}
 }
 
 func idpProviderIDFromModel(provider *iam_model.IDPProvider) *management.IdpProviderID {
 	return &management.IdpProviderID{
-		IdpConfigId: provider.IdpConfigID,
+		IdpConfigId: provider.IDPConfigID,
 	}
 }
 
 func idpProviderFromModel(provider *iam_model.IDPProvider) *management.IdpProvider {
 	return &management.IdpProvider{
-		IdpConfigId:      provider.IdpConfigID,
+		IdpConfigId:      provider.IDPConfigID,
 		IdpProvider_Type: idpProviderTypeFromModel(provider.Type),
 	}
 }

internal/iam/model/login_policy.go

@@ -22,7 +22,7 @@ type LoginPolicy struct {
 type IDPProvider struct {
 	models.ObjectRoot
 	Type        IDPProviderType
-	IdpConfigID string
+	IDPConfigID string
 }
 
 type PolicyState int32
@@ -66,12 +66,12 @@ func (p *LoginPolicy) IsValid() bool {
 }
 
 func (p *IDPProvider) IsValid() bool {
-	return p.ObjectRoot.AggregateID != "" && p.IdpConfigID != ""
+	return p.ObjectRoot.AggregateID != "" && p.IDPConfigID != ""
 }
 
 func (p *LoginPolicy) GetIdpProvider(id string) (int, *IDPProvider) {
 	for i, m := range p.IDPProviders {
-		if m.IdpConfigID == id {
+		if m.IDPConfigID == id {
 			return i, m
 		}
 	}

internal/iam/repository/eventsourcing/eventstore.go

@@ -554,7 +554,7 @@ func (es *IAMEventstore) AddIDPProviderToLoginPolicy(ctx context.Context, provid
 	if err != nil {
 		return nil, err
 	}
-	if _, m := iam.DefaultLoginPolicy.GetIdpProvider(provider.IdpConfigID); m != nil {
+	if _, m := iam.DefaultLoginPolicy.GetIdpProvider(provider.IDPConfigID); m != nil {
 		return nil, caos_errs.ThrowAlreadyExists(nil, "EVENT-idke6", "Errors.IAM.LoginPolicy.IdpProviderAlreadyExisting")
 	}
 	repoIam := model.IAMFromModel(iam)
@@ -566,7 +566,7 @@ func (es *IAMEventstore) AddIDPProviderToLoginPolicy(ctx context.Context, provid
 		return nil, err
 	}
 	es.iamCache.cacheIAM(repoIam)
-	if _, m := model.GetIDPProvider(repoIam.DefaultLoginPolicy.IDPProviders, provider.IdpConfigID); m != nil {
+	if _, m := model.GetIDPProvider(repoIam.DefaultLoginPolicy.IDPProviders, provider.IDPConfigID); m != nil {
 		return model.IDPProviderToModel(m), nil
 	}
 	return nil, caos_errs.ThrowInternal(nil, "EVENT-Slf9s", "Errors.Internal")
@@ -580,11 +580,11 @@ func (es *IAMEventstore) PrepareRemoveIDPProviderFromLoginPolicy(ctx context.Con
 	if err != nil {
 		return nil, nil, err
 	}
-	if _, m := iam.DefaultLoginPolicy.GetIdpProvider(provider.IdpConfigID); m == nil {
+	if _, m := iam.DefaultLoginPolicy.GetIdpProvider(provider.IDPConfigID); m == nil {
 		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-29skr", "Errors.IAM.LoginPolicy.IdpProviderNotExisting")
 	}
 	repoIam := model.IAMFromModel(iam)
-	removeAgg, err := LoginPolicyIDPProviderRemovedAggregate(ctx, es.Eventstore.AggregateCreator(), repoIam, &model.IDPProviderID{provider.IdpConfigID})
+	removeAgg, err := LoginPolicyIDPProviderRemovedAggregate(ctx, es.Eventstore.AggregateCreator(), repoIam, &model.IDPProviderID{provider.IDPConfigID})
 	if err != nil {
 		return nil, nil, err
 	}

internal/iam/repository/eventsourcing/eventstore_test.go

@@ -1494,12 +1494,12 @@ func TestAddIdpProviderToLoginPolicy(t *testing.T) {
 				ctx: authz.NewMockContext("orgID", "userID"),
 				provider: &iam_model.IDPProvider{
 					ObjectRoot:  es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
-					IdpConfigID: "IdpConfigID2",
+					IDPConfigID: "IdpConfigID2",
 					Type:        iam_model.IDPProviderTypeSystem,
 				},
 			},
 			res: res{
-				result: &iam_model.IDPProvider{IdpConfigID: "IdpConfigID2"},
+				result: &iam_model.IDPProvider{IDPConfigID: "IdpConfigID2"},
 			},
 		},
 		{
@@ -1509,7 +1509,7 @@ func TestAddIdpProviderToLoginPolicy(t *testing.T) {
 				ctx: authz.NewMockContext("orgID", "userID"),
 				provider: &iam_model.IDPProvider{
 					ObjectRoot:  es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
-					IdpConfigID: "IDPConfigID",
+					IDPConfigID: "IDPConfigID",
 					Type:        iam_model.IDPProviderTypeSystem,
 				},
 			},
@@ -1539,7 +1539,7 @@ func TestAddIdpProviderToLoginPolicy(t *testing.T) {
 				ctx: authz.NewMockContext("orgID", "userID"),
 				provider: &iam_model.IDPProvider{
 					ObjectRoot:  es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
-					IdpConfigID: "IdpConfigID2",
+					IDPConfigID: "IdpConfigID2",
 				},
 			},
 			res: res{
@@ -1558,8 +1558,8 @@ func TestAddIdpProviderToLoginPolicy(t *testing.T) {
 			if tt.res.wantErr && tt.res.errFunc(err) {
 				return
 			}
-			if result.IdpConfigID != tt.res.result.IdpConfigID {
+			if result.IDPConfigID != tt.res.result.IDPConfigID {
-				t.Errorf("got wrong result IDPConfigID: expected: %v, actual: %v ", tt.res.result.IdpConfigID, result.IdpConfigID)
+				t.Errorf("got wrong result IDPConfigID: expected: %v, actual: %v ", tt.res.result.IDPConfigID, result.IDPConfigID)
 			}
 			if result.Type != tt.res.result.Type {
 				t.Errorf("got wrong result Type: expected: %v, actual: %v ", tt.res.result.Type, result.Type)
@@ -1591,7 +1591,7 @@ func TestRemoveIdpProviderFromLoginPolicy(t *testing.T) {
 				ctx: authz.NewMockContext("orgID", "userID"),
 				provider: &iam_model.IDPProvider{
 					ObjectRoot:  es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
-					IdpConfigID: "IDPConfigID",
+					IDPConfigID: "IDPConfigID",
 					Type:        iam_model.IDPProviderTypeSystem,
 				},
 			},
@@ -1604,7 +1604,7 @@ func TestRemoveIdpProviderFromLoginPolicy(t *testing.T) {
 				ctx: authz.NewMockContext("orgID", "userID"),
 				provider: &iam_model.IDPProvider{
 					ObjectRoot:  es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
-					IdpConfigID: "IdpConfigID2",
+					IDPConfigID: "IdpConfigID2",
 					Type:        iam_model.IDPProviderTypeSystem,
 				},
 			},
@@ -1634,7 +1634,7 @@ func TestRemoveIdpProviderFromLoginPolicy(t *testing.T) {
 				ctx: authz.NewMockContext("orgID", "userID"),
 				provider: &iam_model.IDPProvider{
 					ObjectRoot:  es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
-					IdpConfigID: "IdpConfigID2",
+					IDPConfigID: "IdpConfigID2",
 				},
 			},
 			res: res{

internal/iam/repository/eventsourcing/model/login_policy.go

@@ -108,7 +108,7 @@ func IDPProviderToModel(provider *IDPProvider) *iam_model.IDPProvider {
 	return &iam_model.IDPProvider{
 		ObjectRoot:  provider.ObjectRoot,
 		Type:        iam_model.IDPProviderType(provider.Type),
-		IdpConfigID: provider.IDPConfigID,
+		IDPConfigID: provider.IDPConfigID,
 	}
 }
 
@@ -116,7 +116,7 @@ func IDPProviderFromModel(provider *iam_model.IDPProvider) *IDPProvider {
 	return &IDPProvider{
 		ObjectRoot:  provider.ObjectRoot,
 		Type:        int32(provider.Type),
-		IDPConfigID: provider.IdpConfigID,
+		IDPConfigID: provider.IDPConfigID,
 	}
 }
 

internal/management/repository/eventsourcing/eventstore/org.go

@@ -446,7 +446,7 @@ func (repo *OrgRepository) RemoveIDPProviderFromIdpProvider(ctx context.Context,
 		return err
 	}
 	aggregates = append(aggregates, agg)
-	externalIDPs, err := repo.View.ExternalIDPsByIDPConfigID(provider.IdpConfigID)
+	externalIDPs, err := repo.View.ExternalIDPsByIDPConfigID(provider.IDPConfigID)
 	if err != nil {
 		return err
 	}

internal/org/repository/eventsourcing/eventstore.go

@@ -838,7 +838,7 @@ func (es *OrgEventstore) AddIDPProviderToLoginPolicy(ctx context.Context, provid
 	if org.LoginPolicy == nil {
 		return nil, errors.ThrowAlreadyExists(nil, "EVENT-sk9fW", "Errors.Org.LoginPolicy.NotExisting")
 	}
-	if _, m := org.LoginPolicy.GetIdpProvider(provider.IdpConfigID); m != nil {
+	if _, m := org.LoginPolicy.GetIdpProvider(provider.IDPConfigID); m != nil {
 		return nil, errors.ThrowAlreadyExists(nil, "EVENT-Lso9f", "Errors.Org.LoginPolicy.IdpProviderAlreadyExisting")
 	}
 	repoOrg := model.OrgFromModel(org)
@@ -849,7 +849,7 @@ func (es *OrgEventstore) AddIDPProviderToLoginPolicy(ctx context.Context, provid
 	if err != nil {
 		return nil, err
 	}
-	if _, m := iam_es_model.GetIDPProvider(repoOrg.LoginPolicy.IDPProviders, provider.IdpConfigID); m != nil {
+	if _, m := iam_es_model.GetIDPProvider(repoOrg.LoginPolicy.IDPProviders, provider.IDPConfigID); m != nil {
 		return iam_es_model.IDPProviderToModel(m), nil
 	}
 	return nil, errors.ThrowInternal(nil, "EVENT-Slf9s", "Errors.Internal")
@@ -863,11 +863,11 @@ func (es *OrgEventstore) PrepareRemoveIDPProviderFromLoginPolicy(ctx context.Con
 	if err != nil {
 		return nil, nil, err
 	}
-	if _, m := org.LoginPolicy.GetIdpProvider(provider.IdpConfigID); m == nil {
+	if _, m := org.LoginPolicy.GetIdpProvider(provider.IDPConfigID); m == nil {
 		return nil, nil, errors.ThrowPreconditionFailed(nil, "EVENT-29skr", "Errors.IAM.LoginPolicy.IdpProviderNotExisting")
 	}
 	repoOrg := model.OrgFromModel(org)
-	providerID := &iam_es_model.IDPProviderID{provider.IdpConfigID}
+	providerID := &iam_es_model.IDPProviderID{provider.IDPConfigID}
 	providerAggregates, err := LoginPolicyIDPProviderRemovedAggregate(ctx, es.Eventstore.AggregateCreator(), repoOrg, providerID, cascade)
 	if err != nil {
 		return nil, nil, err

internal/org/repository/eventsourcing/eventstore_test.go

@@ -1882,7 +1882,7 @@ func TestChangeIdpConfiguration(t *testing.T) {
 				t.Errorf("result has no id")
 			}
 			if result.IDPConfigID != tt.res.result.IDPConfigID {
-				t.Errorf("got wrong result IdpConfigID: expected: %v, actual: %v ", tt.res.result.IDPConfigID, result.IDPConfigID)
+				t.Errorf("got wrong result IDPConfigID: expected: %v, actual: %v ", tt.res.result.IDPConfigID, result.IDPConfigID)
 			}
 			if result.Name != tt.res.result.Name {
 				t.Errorf("got wrong result name: expected: %v, actual: %v ", tt.res.result.Name, result.Name)
@@ -2569,12 +2569,12 @@ func TestAddIdpProviderToLoginPolicy(t *testing.T) {
 				ctx: authz.NewMockContext("orgID", "userID"),
 				provider: &iam_model.IDPProvider{
 					ObjectRoot:  es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
-					IdpConfigID: "IdpConfigID2",
+					IDPConfigID: "IdpConfigID2",
 					Type:        iam_model.IDPProviderTypeSystem,
 				},
 			},
 			res: res{
-				result: &iam_model.IDPProvider{IdpConfigID: "IdpConfigID2"},
+				result: &iam_model.IDPProvider{IDPConfigID: "IdpConfigID2"},
 			},
 		},
 		{
@@ -2584,7 +2584,7 @@ func TestAddIdpProviderToLoginPolicy(t *testing.T) {
 				ctx: authz.NewMockContext("orgID", "userID"),
 				provider: &iam_model.IDPProvider{
 					ObjectRoot:  es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
-					IdpConfigID: "IDPConfigID",
+					IDPConfigID: "IDPConfigID",
 					Type:        iam_model.IDPProviderTypeSystem,
 				},
 			},
@@ -2614,7 +2614,7 @@ func TestAddIdpProviderToLoginPolicy(t *testing.T) {
 				ctx: authz.NewMockContext("orgID", "userID"),
 				provider: &iam_model.IDPProvider{
 					ObjectRoot:  es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
-					IdpConfigID: "IdpConfigID2",
+					IDPConfigID: "IdpConfigID2",
 				},
 			},
 			res: res{
@@ -2633,8 +2633,8 @@ func TestAddIdpProviderToLoginPolicy(t *testing.T) {
 			if tt.res.wantErr && tt.res.errFunc(err) {
 				return
 			}
-			if result.IdpConfigID != tt.res.result.IdpConfigID {
+			if result.IDPConfigID != tt.res.result.IDPConfigID {
-				t.Errorf("got wrong result IDPConfigID: expected: %v, actual: %v ", tt.res.result.IdpConfigID, result.IdpConfigID)
+				t.Errorf("got wrong result IDPConfigID: expected: %v, actual: %v ", tt.res.result.IDPConfigID, result.IDPConfigID)
 			}
 			if result.Type != tt.res.result.Type {
 				t.Errorf("got wrong result Type: expected: %v, actual: %v ", tt.res.result.Type, result.Type)
@@ -2666,7 +2666,7 @@ func TestRemoveIdpProviderFromLoginPolicy(t *testing.T) {
 				ctx: authz.NewMockContext("orgID", "userID"),
 				provider: &iam_model.IDPProvider{
 					ObjectRoot:  es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
-					IdpConfigID: "IDPConfigID",
+					IDPConfigID: "IDPConfigID",
 					Type:        iam_model.IDPProviderTypeSystem,
 				},
 			},
@@ -2679,7 +2679,7 @@ func TestRemoveIdpProviderFromLoginPolicy(t *testing.T) {
 				ctx: authz.NewMockContext("orgID", "userID"),
 				provider: &iam_model.IDPProvider{
 					ObjectRoot:  es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
-					IdpConfigID: "IdpConfigID2",
+					IDPConfigID: "IdpConfigID2",
 					Type:        iam_model.IDPProviderTypeSystem,
 				},
 			},
@@ -2709,7 +2709,7 @@ func TestRemoveIdpProviderFromLoginPolicy(t *testing.T) {
 				ctx: authz.NewMockContext("orgID", "userID"),
 				provider: &iam_model.IDPProvider{
 					ObjectRoot:  es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
-					IdpConfigID: "IdpConfigID2",
+					IDPConfigID: "IdpConfigID2",
 				},
 			},
 			res: res{

internal/v2/business/iam/converter.go

@@ -6,6 +6,13 @@ import (
 	"github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/v2/repository/iam"
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/label"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/login"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/login/idpprovider"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/org_iam"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/password_age"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/password_complexity"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/password_lockout"
 	"github.com/caos/zitadel/internal/v2/repository/idp/oidc"
 	"github.com/caos/zitadel/internal/v2/repository/member"
 )
@@ -42,9 +49,9 @@ func readModelToMembers(readModel *iam_repo.MembersReadModel) []*model.IAMMember
 	return members
 }
 
-func readModelToLabelPolicy(readModel *iam.LabelPolicyReadModel) *model.LabelPolicy {
+func readModelToLabelPolicy(readModel *label.ReadModel) *model.LabelPolicy {
 	return &model.LabelPolicy{
-		ObjectRoot:     readModelToObjectRoot(readModel.ReadModel),
+		ObjectRoot:     readModelToObjectRoot(readModel.ReadModel.ReadModel),
 		PrimaryColor:   readModel.PrimaryColor,
 		SecondaryColor: readModel.SecondaryColor,
 		Default:        true,
@@ -52,9 +59,9 @@ func readModelToLabelPolicy(readModel *iam.LabelPolicyReadModel) *model.LabelPol
 	}
 }
 
-func readModelToLoginPolicy(readModel *iam.LoginPolicyReadModel) *model.LoginPolicy {
+func readModelToLoginPolicy(readModel *login.ReadModel) *model.LoginPolicy {
 	return &model.LoginPolicy{
-		ObjectRoot:            readModelToObjectRoot(readModel.ReadModel),
+		ObjectRoot:            readModelToObjectRoot(readModel.ReadModel.ReadModel),
 		AllowExternalIdp:      readModel.AllowExternalIDP,
 		AllowRegister:         readModel.AllowRegister,
 		AllowUsernamePassword: readModel.AllowUserNamePassword,
@@ -63,25 +70,25 @@ func readModelToLoginPolicy(readModel *iam.LoginPolicyReadModel) *model.LoginPol
 		//TODO: State: int32,
 	}
 }
-func readModelToOrgIAMPolicy(readModel *iam.OrgIAMPolicyReadModel) *model.OrgIAMPolicy {
+func readModelToOrgIAMPolicy(readModel *org_iam.ReadModel) *model.OrgIAMPolicy {
 	return &model.OrgIAMPolicy{
-		ObjectRoot:            readModelToObjectRoot(readModel.ReadModel),
+		ObjectRoot:            readModelToObjectRoot(readModel.ReadModel.ReadModel),
 		UserLoginMustBeDomain: readModel.UserLoginMustBeDomain,
 		Default:               true,
 		//TODO: State: int32,
 	}
 }
-func readModelToPasswordAgePolicy(readModel *iam.PasswordAgePolicyReadModel) *model.PasswordAgePolicy {
+func readModelToPasswordAgePolicy(readModel *password_age.ReadModel) *model.PasswordAgePolicy {
 	return &model.PasswordAgePolicy{
-		ObjectRoot:     readModelToObjectRoot(readModel.ReadModel),
+		ObjectRoot:     readModelToObjectRoot(readModel.ReadModel.ReadModel),
 		ExpireWarnDays: uint64(readModel.ExpireWarnDays),
 		MaxAgeDays:     uint64(readModel.MaxAgeDays),
 		//TODO: State: int32,
 	}
 }
-func readModelToPasswordComplexityPolicy(readModel *iam.PasswordComplexityPolicyReadModel) *model.PasswordComplexityPolicy {
+func readModelToPasswordComplexityPolicy(readModel *password_complexity.ReadModel) *model.PasswordComplexityPolicy {
 	return &model.PasswordComplexityPolicy{
-		ObjectRoot:   readModelToObjectRoot(readModel.ReadModel),
+		ObjectRoot:   readModelToObjectRoot(readModel.ReadModel.ReadModel),
 		HasLowercase: readModel.HasLowercase,
 		HasNumber:    readModel.HasNumber,
 		HasSymbol:    readModel.HasSymbol,
@@ -90,9 +97,9 @@ func readModelToPasswordComplexityPolicy(readModel *iam.PasswordComplexityPolicy
 		//TODO: State: int32,
 	}
 }
-func readModelToPasswordLockoutPolicy(readModel *iam.PasswordLockoutPolicyReadModel) *model.PasswordLockoutPolicy {
+func readModelToPasswordLockoutPolicy(readModel *password_lockout.ReadModel) *model.PasswordLockoutPolicy {
 	return &model.PasswordLockoutPolicy{
-		ObjectRoot:          readModelToObjectRoot(readModel.ReadModel),
+		ObjectRoot:          readModelToObjectRoot(readModel.ReadModel.ReadModel),
 		MaxAttempts:         uint64(readModel.MaxAttempts),
 		ShowLockOutFailures: readModel.ShowLockOutFailures,
 		//TODO: State: int32,
@@ -134,6 +141,59 @@ func writeModelToMember(writeModel *iam.MemberWriteModel) *model.IAMMember {
 	}
 }
 
+func writeModelToLoginPolicy(wm *login.WriteModel) *model.LoginPolicy {
+	return &model.LoginPolicy{
+		ObjectRoot:            writeModelToObjectRoot(wm.WriteModel),
+		AllowUsernamePassword: wm.Policy.AllowUserNamePassword,
+		AllowRegister:         wm.Policy.AllowRegister,
+		AllowExternalIdp:      wm.Policy.AllowExternalIDP,
+		ForceMFA:              wm.Policy.ForceMFA,
+		PasswordlessType:      model.PasswordlessType(wm.Policy.PasswordlessType),
+	}
+}
+
+func writeModelToLabelPolicy(wm *label.WriteModel) *model.LabelPolicy {
+	return &model.LabelPolicy{
+		ObjectRoot:     writeModelToObjectRoot(wm.WriteModel),
+		PrimaryColor:   wm.Policy.PrimaryColor,
+		SecondaryColor: wm.Policy.SecondaryColor,
+	}
+}
+
+func writeModelToOrgIAMPolicy(wm *org_iam.WriteModel) *model.OrgIAMPolicy {
+	return &model.OrgIAMPolicy{
+		ObjectRoot:            writeModelToObjectRoot(wm.WriteModel),
+		UserLoginMustBeDomain: wm.Policy.UserLoginMustBeDomain,
+	}
+}
+
+func writeModelToPasswordAgePolicy(wm *password_age.WriteModel) *model.PasswordAgePolicy {
+	return &model.PasswordAgePolicy{
+		ObjectRoot:     writeModelToObjectRoot(wm.WriteModel),
+		MaxAgeDays:     wm.Policy.MaxAgeDays,
+		ExpireWarnDays: wm.Policy.ExpireWarnDays,
+	}
+}
+
+func writeModelToPasswordComplexityPolicy(wm *password_complexity.WriteModel) *model.PasswordComplexityPolicy {
+	return &model.PasswordComplexityPolicy{
+		ObjectRoot:   writeModelToObjectRoot(wm.WriteModel),
+		MinLength:    wm.Policy.MinLength,
+		HasLowercase: wm.Policy.HasLowercase,
+		HasUppercase: wm.Policy.HasUpperCase,
+		HasNumber:    wm.Policy.HasNumber,
+		HasSymbol:    wm.Policy.HasSymbol,
+	}
+}
+
+func writeModelToPasswordLockoutPolicy(wm *password_lockout.WriteModel) *model.PasswordLockoutPolicy {
+	return &model.PasswordLockoutPolicy{
+		ObjectRoot:          writeModelToObjectRoot(wm.WriteModel),
+		MaxAttempts:         wm.Policy.MaxAttempts,
+		ShowLockOutFailures: wm.Policy.ShowLockOutFailures,
+	}
+}
+
 func readModelToIDPConfigView(rm *iam.IDPConfigReadModel) *model.IDPConfigView {
 	return &model.IDPConfigView{
 		AggregateID:               rm.AggregateID,
@@ -211,10 +271,10 @@ func writeModelToIDPOIDCConfig(wm *oidc.ConfigWriteModel) *model.OIDCIDPConfig {
 	}
 }
 
-func writeModelToIDPProvider(wm *iam.LoginPolicyIDPProviderWriteModel) *model.IDPProvider {
+func writeModelToIDPProvider(wm *idpprovider.WriteModel) *model.IDPProvider {
 	return &model.IDPProvider{
 		ObjectRoot:  writeModelToObjectRoot(wm.WriteModel),
-		IdpConfigID: wm.IDPConfigID,
+		IDPConfigID: wm.Provider.IDPConfigID,
-		Type:        model.IDPProviderType(wm.IDPProviderType),
+		Type:        model.IDPProviderType(wm.Provider.IDPProviderType),
 	}
 }

internal/v2/business/iam/org_iam_policy.go

@@ -0,0 +1,60 @@
+package iam
+
+import (
+	"context"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/telemetry/tracing"
+	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/org_iam"
+)
+
+func (r *Repository) AddOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error) {
+	addedPolicy := org_iam.NewWriteModel(policy.AggregateID)
+	err := r.eventstore.FilterToQueryReducer(ctx, addedPolicy)
+	if err != nil {
+		return nil, err
+	}
+	if addedPolicy != nil {
+		return nil, caos_errs.ThrowAlreadyExists(nil, "IAM-Lk0dS", "Errors.IAM.OrgIAMPolicy.AlreadyExists")
+	}
+
+	iamAgg := iam_repo.AggregateFromWriteModel(&addedPolicy.WriteModel).
+		PushOrgIAMPolicyAddedEvent(ctx, policy.UserLoginMustBeDomain)
+
+	err = r.eventstore.PushAggregate(ctx, addedPolicy, iamAgg)
+	if err != nil {
+		return nil, err
+	}
+
+	return writeModelToOrgIAMPolicy(addedPolicy), nil
+}
+
+func (r *Repository) ChangeOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error) {
+	existingPolicy, err := r.orgIAMPolicyWriteModelByID(ctx, policy.AggregateID)
+	if err != nil {
+		return nil, err
+	}
+
+	iamAgg := iam_repo.AggregateFromWriteModel(&existingPolicy.WriteModel).
+		PushOrgIAMPolicyChangedFromExisting(ctx, existingPolicy, policy.UserLoginMustBeDomain)
+
+	err = r.eventstore.PushAggregate(ctx, existingPolicy, iamAgg)
+	if err != nil {
+		return nil, err
+	}
+
+	return writeModelToOrgIAMPolicy(existingPolicy), nil
+}
+
+func (r *Repository) orgIAMPolicyWriteModelByID(ctx context.Context, iamID string) (policy *org_iam.WriteModel, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	writeModel := org_iam.NewWriteModel(iamID)
+	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
+	if err != nil {
+		return nil, err
+	}
+	return writeModel, nil
+}

internal/v2/business/iam/policy_label.go

@@ -0,0 +1,69 @@
+package iam
+
+import (
+	"context"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/telemetry/tracing"
+	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/label"
+
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+)
+
+func (r *Repository) AddLabelPolicy(ctx context.Context, policy *iam_model.LabelPolicy) (*iam_model.LabelPolicy, error) {
+	if !policy.IsValid() {
+		return nil, caos_errs.ThrowPreconditionFailed(nil, "IAM-5Mv0s", "Errors.IAM.LabelPolicyInvalid")
+	}
+
+	addedPolicy := label.NewWriteModel(policy.AggregateID)
+	err := r.eventstore.FilterToQueryReducer(ctx, addedPolicy)
+	if err != nil {
+		return nil, err
+	}
+	if addedPolicy != nil {
+		return nil, caos_errs.ThrowAlreadyExists(nil, "IAM-2B0ps", "Errors.IAM.LabelPolicy.AlreadyExists")
+	}
+
+	iamAgg := iam_repo.AggregateFromWriteModel(&addedPolicy.WriteModel).
+		PushLabelPolicyAddedEvent(ctx, policy.PrimaryColor, policy.SecondaryColor)
+
+	err = r.eventstore.PushAggregate(ctx, addedPolicy, iamAgg)
+	if err != nil {
+		return nil, err
+	}
+
+	return writeModelToLabelPolicy(addedPolicy), nil
+}
+
+func (r *Repository) ChangeLabelPolicy(ctx context.Context, policy *iam_model.LabelPolicy) (*iam_model.LabelPolicy, error) {
+	if !policy.IsValid() {
+		return nil, caos_errs.ThrowPreconditionFailed(nil, "IAM-6M0od", "Errors.IAM.LabelPolicyInvalid")
+	}
+
+	existingPolicy, err := r.labelPolicyWriteModelByID(ctx, policy.AggregateID)
+	if err != nil {
+		return nil, err
+	}
+
+	iamAgg := iam_repo.AggregateFromWriteModel(&existingPolicy.WriteModel).
+		PushLabelPolicyChangedFromExisting(ctx, existingPolicy, policy.PrimaryColor, policy.SecondaryColor)
+
+	err = r.eventstore.PushAggregate(ctx, existingPolicy, iamAgg)
+	if err != nil {
+		return nil, err
+	}
+
+	return writeModelToLabelPolicy(existingPolicy), nil
+}
+
+func (r *Repository) labelPolicyWriteModelByID(ctx context.Context, iamID string) (policy *label.WriteModel, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	writeModel := label.NewWriteModel(iamID)
+	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
+	if err != nil {
+		return nil, err
+	}
+	return writeModel, nil
+}

internal/v2/business/iam/policy_login.go

@@ -2,21 +2,73 @@ package iam
 
 import (
 	"context"
-
+	caos_errs "github.com/caos/zitadel/internal/errors"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
-	"github.com/caos/zitadel/internal/v2/repository/iam"
+	"github.com/caos/zitadel/internal/telemetry/tracing"
+	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
+	iam_login "github.com/caos/zitadel/internal/v2/repository/iam/policy/login"
+	iam_factor "github.com/caos/zitadel/internal/v2/repository/iam/policy/login/factors"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/login/idpprovider"
 	"github.com/caos/zitadel/internal/v2/repository/idp/provider"
+	"github.com/caos/zitadel/internal/v2/repository/policy/login"
+	"github.com/caos/zitadel/internal/v2/repository/policy/login/factors"
 )
 
+func (r *Repository) AddLoginPolicy(ctx context.Context, policy *iam_model.LoginPolicy) (*iam_model.LoginPolicy, error) {
+	if !policy.IsValid() {
+		return nil, caos_errs.ThrowPreconditionFailed(nil, "IAM-5Mv0s", "Errors.IAM.LoginPolicyInvalid")
+	}
+
+	addedPolicy := iam_login.NewWriteModel(policy.AggregateID)
+	err := r.eventstore.FilterToQueryReducer(ctx, addedPolicy)
+	if err != nil {
+		return nil, err
+	}
+	if addedPolicy != nil {
+		return nil, caos_errs.ThrowAlreadyExists(nil, "IAM-2B0ps", "Errors.IAM.LoginPolicy.AlreadyExists")
+	}
+
+	iamAgg := iam_repo.AggregateFromWriteModel(&addedPolicy.WriteModel).
+		PushLoginPolicyAddedEvent(ctx, policy.AllowUsernamePassword, policy.AllowRegister, policy.AllowExternalIdp, policy.ForceMFA, login.PasswordlessType(policy.PasswordlessType))
+
+	err = r.eventstore.PushAggregate(ctx, addedPolicy, iamAgg)
+	if err != nil {
+		return nil, err
+	}
+
+	return writeModelToLoginPolicy(addedPolicy), nil
+}
+
+func (r *Repository) ChangeLoginPolicy(ctx context.Context, policy *iam_model.LoginPolicy) (*iam_model.LoginPolicy, error) {
+	if !policy.IsValid() {
+		return nil, caos_errs.ThrowPreconditionFailed(nil, "IAM-6M0od", "Errors.IAM.LoginPolicyInvalid")
+	}
+
+	existingPolicy, err := r.loginPolicyWriteModelByID(ctx, policy.AggregateID)
+	if err != nil {
+		return nil, err
+	}
+
+	iamAgg := iam_repo.AggregateFromWriteModel(&existingPolicy.WriteModel).
+		PushLoginPolicyChangedFromExisting(ctx, existingPolicy, policy.AllowUsernamePassword, policy.AllowRegister, policy.AllowExternalIdp, policy.ForceMFA, login.PasswordlessType(policy.PasswordlessType))
+
+	err = r.eventstore.PushAggregate(ctx, existingPolicy, iamAgg)
+	if err != nil {
+		return nil, err
+	}
+
+	return writeModelToLoginPolicy(existingPolicy), nil
+}
+
 func (r *Repository) AddIDPProviderToLoginPolicy(ctx context.Context, idpProvider *iam_model.IDPProvider) (*iam_model.IDPProvider, error) {
-	writeModel := iam.NewLoginPolicyIDPProviderWriteModel(idpProvider.AggregateID, idpProvider.IdpConfigID)
+	writeModel := idpprovider.NewWriteModel(idpProvider.AggregateID, idpProvider.IDPConfigID)
 	err := r.eventstore.FilterToQueryReducer(ctx, writeModel)
 	if err != nil {
 		return nil, err
 	}
 
-	aggregate := iam.AggregateFromWriteModel(&writeModel.WriteModel).
+	aggregate := iam_repo.AggregateFromWriteModel(&writeModel.WriteModel).
-		PushLoginPolicyIDPProviderAddedEvent(ctx, idpProvider.IdpConfigID, provider.Type(idpProvider.Type))
+		PushLoginPolicyIDPProviderAddedEvent(ctx, idpProvider.IDPConfigID, provider.Type(idpProvider.Type))
 
 	if err = r.eventstore.PushAggregate(ctx, writeModel, aggregate); err != nil {
 		return nil, err
@@ -26,13 +78,83 @@ func (r *Repository) AddIDPProviderToLoginPolicy(ctx context.Context, idpProvide
 }
 
 func (r *Repository) RemoveIDPProviderFromLoginPolicy(ctx context.Context, idpProvider *iam_model.IDPProvider) error {
-	writeModel := iam.NewLoginPolicyIDPProviderWriteModel(idpProvider.AggregateID, idpProvider.IdpConfigID)
+	writeModel := idpprovider.NewWriteModel(idpProvider.AggregateID, idpProvider.IDPConfigID)
 	err := r.eventstore.FilterToQueryReducer(ctx, writeModel)
 	if err != nil {
 		return err
 	}
-	aggregate := iam.AggregateFromWriteModel(&writeModel.WriteModel).
+	aggregate := iam_repo.AggregateFromWriteModel(&writeModel.WriteModel).
-		PushLoginPolicyIDPProviderAddedEvent(ctx, idpProvider.IdpConfigID, provider.Type(idpProvider.Type))
+		PushLoginPolicyIDPProviderAddedEvent(ctx, idpProvider.IDPConfigID, provider.Type(idpProvider.Type))
 
 	return r.eventstore.PushAggregate(ctx, writeModel, aggregate)
 }
+
+func (r *Repository) AddSecondFactorToLoginPolicy(ctx context.Context, iamID string, secondFactor iam_model.SecondFactorType) (iam_model.SecondFactorType, error) {
+	writeModel := iam_factor.NewSecondFactorWriteModel(iamID)
+	err := r.eventstore.FilterToQueryReducer(ctx, writeModel)
+	if err != nil {
+		return iam_model.SecondFactorTypeUnspecified, err
+	}
+
+	aggregate := iam_repo.AggregateFromWriteModel(&writeModel.WriteModel).
+		PushLoginPolicySecondFactorAdded(ctx, factors.SecondFactorType(secondFactor))
+
+	if err = r.eventstore.PushAggregate(ctx, writeModel, aggregate); err != nil {
+		return iam_model.SecondFactorTypeUnspecified, err
+	}
+
+	return iam_model.SecondFactorType(writeModel.SecondFactor.MFAType), nil
+}
+
+func (r *Repository) RemoveSecondFactorFromLoginPolicy(ctx context.Context, iamID string, secondFactor iam_model.SecondFactorType) error {
+	writeModel := iam_factor.NewSecondFactorWriteModel(iamID)
+	err := r.eventstore.FilterToQueryReducer(ctx, writeModel)
+	if err != nil {
+		return err
+	}
+	aggregate := iam_repo.AggregateFromWriteModel(&writeModel.WriteModel).
+		PushLoginPolicySecondFactorRemoved(ctx, factors.SecondFactorType(secondFactor))
+
+	return r.eventstore.PushAggregate(ctx, writeModel, aggregate)
+}
+
+func (r *Repository) AddMultiFactorToLoginPolicy(ctx context.Context, iamID string, secondFactor iam_model.MultiFactorType) (iam_model.MultiFactorType, error) {
+	writeModel := iam_factor.NewMultiFactorWriteModel(iamID)
+	err := r.eventstore.FilterToQueryReducer(ctx, writeModel)
+	if err != nil {
+		return iam_model.MultiFactorTypeUnspecified, err
+	}
+
+	aggregate := iam_repo.AggregateFromWriteModel(&writeModel.WriteModel).
+		PushLoginPolicyMultiFactorAdded(ctx, factors.MultiFactorType(secondFactor))
+
+	if err = r.eventstore.PushAggregate(ctx, writeModel, aggregate); err != nil {
+		return iam_model.MultiFactorTypeUnspecified, err
+	}
+
+	return iam_model.MultiFactorType(writeModel.MultiFactor.MFAType), nil
+}
+
+func (r *Repository) RemoveMultiFactorFromLoginPolicy(ctx context.Context, iamID string, secondFactor iam_model.MultiFactorType) error {
+	writeModel := iam_factor.NewMultiFactorWriteModel(iamID)
+	err := r.eventstore.FilterToQueryReducer(ctx, writeModel)
+	if err != nil {
+		return err
+	}
+	aggregate := iam_repo.AggregateFromWriteModel(&writeModel.WriteModel).
+		PushLoginPolicyMultiFactorRemoved(ctx, factors.MultiFactorType(secondFactor))
+
+	return r.eventstore.PushAggregate(ctx, writeModel, aggregate)
+}
+
+func (r *Repository) loginPolicyWriteModelByID(ctx context.Context, iamID string) (policy *iam_login.WriteModel, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	writeModel := iam_login.NewWriteModel(iamID)
+	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
+	if err != nil {
+		return nil, err
+	}
+	return writeModel, nil
+}

internal/v2/business/iam/policy_password_age.go

@@ -0,0 +1,60 @@
+package iam
+
+import (
+	"context"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/telemetry/tracing"
+	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/password_age"
+)
+
+func (r *Repository) AddPasswordAgePolicy(ctx context.Context, policy *iam_model.PasswordAgePolicy) (*iam_model.PasswordAgePolicy, error) {
+	addedPolicy := password_age.NewWriteModel(policy.AggregateID)
+	err := r.eventstore.FilterToQueryReducer(ctx, addedPolicy)
+	if err != nil {
+		return nil, err
+	}
+	if addedPolicy != nil {
+		return nil, caos_errs.ThrowAlreadyExists(nil, "IAM-6L0pd", "Errors.IAM.PasswordAgePolicy.AlreadyExists")
+	}
+
+	iamAgg := iam_repo.AggregateFromWriteModel(&addedPolicy.WriteModel).
+		PushPasswordAgePolicyAddedEvent(ctx, policy.ExpireWarnDays, policy.MaxAgeDays)
+
+	err = r.eventstore.PushAggregate(ctx, addedPolicy, iamAgg)
+	if err != nil {
+		return nil, err
+	}
+
+	return writeModelToPasswordAgePolicy(addedPolicy), nil
+}
+
+func (r *Repository) ChangePasswordAgePolicy(ctx context.Context, policy *iam_model.PasswordAgePolicy) (*iam_model.PasswordAgePolicy, error) {
+	existingPolicy, err := r.passwordAgePolicyWriteModelByID(ctx, policy.AggregateID)
+	if err != nil {
+		return nil, err
+	}
+
+	iamAgg := iam_repo.AggregateFromWriteModel(&existingPolicy.WriteModel).
+		PushPasswordAgePolicyChangedFromExisting(ctx, existingPolicy, policy.ExpireWarnDays, policy.MaxAgeDays)
+
+	err = r.eventstore.PushAggregate(ctx, existingPolicy, iamAgg)
+	if err != nil {
+		return nil, err
+	}
+
+	return writeModelToPasswordAgePolicy(existingPolicy), nil
+}
+
+func (r *Repository) passwordAgePolicyWriteModelByID(ctx context.Context, iamID string) (policy *password_age.WriteModel, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	writeModel := password_age.NewWriteModel(iamID)
+	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
+	if err != nil {
+		return nil, err
+	}
+	return writeModel, nil
+}

internal/v2/business/iam/policy_password_complexity.go

@@ -0,0 +1,68 @@
+package iam
+
+import (
+	"context"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/telemetry/tracing"
+	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/password_complexity"
+)
+
+func (r *Repository) AddPasswordComplexityPolicy(ctx context.Context, policy *iam_model.PasswordComplexityPolicy) (*iam_model.PasswordComplexityPolicy, error) {
+	if err := policy.IsValid(); err != nil {
+		return nil, err
+	}
+
+	addedPolicy := password_complexity.NewWriteModel(policy.AggregateID)
+	err := r.eventstore.FilterToQueryReducer(ctx, addedPolicy)
+	if err != nil {
+		return nil, err
+	}
+	if addedPolicy != nil {
+		return nil, caos_errs.ThrowAlreadyExists(nil, "IAM-Lk0dS", "Errors.IAM.PasswordComplexityPolicy.AlreadyExists")
+	}
+
+	iamAgg := iam_repo.AggregateFromWriteModel(&addedPolicy.WriteModel).
+		PushPasswordComplexityPolicyAddedEvent(ctx, policy.MinLength, policy.HasLowercase, policy.HasUppercase, policy.HasNumber, policy.HasSymbol)
+
+	err = r.eventstore.PushAggregate(ctx, addedPolicy, iamAgg)
+	if err != nil {
+		return nil, err
+	}
+
+	return writeModelToPasswordComplexityPolicy(addedPolicy), nil
+}
+
+func (r *Repository) ChangePasswordComplexityPolicy(ctx context.Context, policy *iam_model.PasswordComplexityPolicy) (*iam_model.PasswordComplexityPolicy, error) {
+	if err := policy.IsValid(); err != nil {
+		return nil, err
+	}
+
+	existingPolicy, err := r.passwordComplexityPolicyWriteModelByID(ctx, policy.AggregateID)
+	if err != nil {
+		return nil, err
+	}
+
+	iamAgg := iam_repo.AggregateFromWriteModel(&existingPolicy.WriteModel).
+		PushPasswordComplexityPolicyChangedFromExisting(ctx, existingPolicy, policy.MinLength, policy.HasLowercase, policy.HasUppercase, policy.HasNumber, policy.HasSymbol)
+
+	err = r.eventstore.PushAggregate(ctx, existingPolicy, iamAgg)
+	if err != nil {
+		return nil, err
+	}
+
+	return writeModelToPasswordComplexityPolicy(existingPolicy), nil
+}
+
+func (r *Repository) passwordComplexityPolicyWriteModelByID(ctx context.Context, iamID string) (policy *password_complexity.WriteModel, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	writeModel := password_complexity.NewWriteModel(iamID)
+	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
+	if err != nil {
+		return nil, err
+	}
+	return writeModel, nil
+}

internal/v2/business/iam/policy_password_lockout.go

@@ -0,0 +1,60 @@
+package iam
+
+import (
+	"context"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/telemetry/tracing"
+	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/password_lockout"
+)
+
+func (r *Repository) AddPasswordLockoutPolicy(ctx context.Context, policy *iam_model.PasswordLockoutPolicy) (*iam_model.PasswordLockoutPolicy, error) {
+	addedPolicy := password_lockout.NewWriteModel(policy.AggregateID)
+	err := r.eventstore.FilterToQueryReducer(ctx, addedPolicy)
+	if err != nil {
+		return nil, err
+	}
+	if addedPolicy != nil {
+		return nil, caos_errs.ThrowAlreadyExists(nil, "IAM-0olDf", "Errors.IAM.PasswordLockoutPolicy.AlreadyExists")
+	}
+
+	iamAgg := iam_repo.AggregateFromWriteModel(&addedPolicy.WriteModel).
+		PushPasswordLockoutPolicyAddedEvent(ctx, policy.MaxAttempts, policy.ShowLockOutFailures)
+
+	err = r.eventstore.PushAggregate(ctx, addedPolicy, iamAgg)
+	if err != nil {
+		return nil, err
+	}
+
+	return writeModelToPasswordLockoutPolicy(addedPolicy), nil
+}
+
+func (r *Repository) ChangePasswordLockoutPolicy(ctx context.Context, policy *iam_model.PasswordLockoutPolicy) (*iam_model.PasswordLockoutPolicy, error) {
+	existingPolicy, err := r.passwordLockoutPolicyWriteModelByID(ctx, policy.AggregateID)
+	if err != nil {
+		return nil, err
+	}
+
+	iamAgg := iam_repo.AggregateFromWriteModel(&existingPolicy.WriteModel).
+		PushPasswordLockoutPolicyChangedFromExisting(ctx, existingPolicy, policy.MaxAttempts, policy.ShowLockOutFailures)
+
+	err = r.eventstore.PushAggregate(ctx, existingPolicy, iamAgg)
+	if err != nil {
+		return nil, err
+	}
+
+	return writeModelToPasswordLockoutPolicy(existingPolicy), nil
+}
+
+func (r *Repository) passwordLockoutPolicyWriteModelByID(ctx context.Context, iamID string) (policy *password_lockout.WriteModel, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	writeModel := password_lockout.NewWriteModel(iamID)
+	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
+	if err != nil {
+		return nil, err
+	}
+	return writeModel, nil
+}

internal/v2/repository/iam/aggregate.go

@@ -2,16 +2,26 @@ package iam
 
 import (
 	"context"
-
 	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/label"
+	iam_login "github.com/caos/zitadel/internal/v2/repository/iam/policy/login"
+	factors2 "github.com/caos/zitadel/internal/v2/repository/iam/policy/login/factors"
+	iam_factors "github.com/caos/zitadel/internal/v2/repository/iam/policy/login/factors"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/login/idpprovider"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/org_iam"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/password_age"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/password_complexity"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/password_lockout"
 	"github.com/caos/zitadel/internal/v2/repository/idp"
 	"github.com/caos/zitadel/internal/v2/repository/idp/oidc"
 	"github.com/caos/zitadel/internal/v2/repository/idp/provider"
+	"github.com/caos/zitadel/internal/v2/repository/policy/login"
+	"github.com/caos/zitadel/internal/v2/repository/policy/login/factors"
 )
 
 const (
-	iamEventTypePrefix = eventstore.EventType("iam.")
+	IamEventTypePrefix = eventstore.EventType("iam.")
 )
 
 const (
@@ -87,6 +97,110 @@ func (a *Aggregate) PushStepDone(ctx context.Context, step Step) *Aggregate {
 	return a
 }
 
+func (a *Aggregate) PushOrgIAMPolicyAddedEvent(ctx context.Context, userLoginMustBeDomain bool) *Aggregate {
+	a.Aggregate = *a.PushEvents(org_iam.NewAddedEvent(ctx, userLoginMustBeDomain))
+	return a
+}
+
+func (a *Aggregate) PushOrgIAMPolicyChangedFromExisting(ctx context.Context, current *org_iam.WriteModel, userLoginMustBeDomain bool) *Aggregate {
+	e, err := org_iam.ChangedEventFromExisting(ctx, current, userLoginMustBeDomain)
+	if err != nil {
+		return a
+	}
+	a.Aggregate = *a.PushEvents(e)
+	return a
+}
+
+func (a *Aggregate) PushPasswordAgePolicyAddedEvent(ctx context.Context, expireWarnDays, maxAgeDays uint64) *Aggregate {
+	a.Aggregate = *a.PushEvents(password_age.NewAddedEvent(ctx, expireWarnDays, maxAgeDays))
+	return a
+}
+
+func (a *Aggregate) PushPasswordAgePolicyChangedFromExisting(ctx context.Context, current *password_age.WriteModel, expireWarnDays, maxAgeDays uint64) *Aggregate {
+	e, err := password_age.ChangedEventFromExisting(ctx, current, expireWarnDays, maxAgeDays)
+	if err != nil {
+		return a
+	}
+	a.Aggregate = *a.PushEvents(e)
+	return a
+}
+
+func (a *Aggregate) PushPasswordComplexityPolicyAddedEvent(ctx context.Context, minLength uint64, hasLowercase, hasUppercase, hasNumber, hasSymbol bool) *Aggregate {
+	a.Aggregate = *a.PushEvents(password_complexity.NewAddedEvent(ctx, minLength, hasLowercase, hasUppercase, hasNumber, hasSymbol))
+	return a
+}
+
+func (a *Aggregate) PushPasswordComplexityPolicyChangedFromExisting(ctx context.Context, current *password_complexity.WriteModel, minLength uint64, hasLowercase, hasUppercase, hasNumber, hasSymbol bool) *Aggregate {
+	e, err := password_complexity.ChangedEventFromExisting(ctx, current, minLength, hasLowercase, hasUppercase, hasNumber, hasSymbol)
+	if err != nil {
+		return a
+	}
+	a.Aggregate = *a.PushEvents(e)
+	return a
+}
+
+func (a *Aggregate) PushPasswordLockoutPolicyAddedEvent(ctx context.Context, maxAttempts uint64, showLockoutFailure bool) *Aggregate {
+	a.Aggregate = *a.PushEvents(password_lockout.NewAddedEvent(ctx, maxAttempts, showLockoutFailure))
+	return a
+}
+
+func (a *Aggregate) PushPasswordLockoutPolicyChangedFromExisting(ctx context.Context, current *password_lockout.WriteModel, maxAttempts uint64, showLockoutFailure bool) *Aggregate {
+	e, err := password_lockout.ChangedEventFromExisting(ctx, current, maxAttempts, showLockoutFailure)
+	if err != nil {
+		return a
+	}
+	a.Aggregate = *a.PushEvents(e)
+	return a
+}
+
+func (a *Aggregate) PushLabelPolicyAddedEvent(ctx context.Context, primaryColor, secondaryColor string) *Aggregate {
+	a.Aggregate = *a.PushEvents(label.NewAddedEvent(ctx, primaryColor, secondaryColor))
+	return a
+}
+
+func (a *Aggregate) PushLabelPolicyChangedFromExisting(ctx context.Context, current *label.WriteModel, primaryColor, secondaryColor string) *Aggregate {
+	e, err := label.ChangedEventFromExisting(ctx, current, primaryColor, secondaryColor)
+	if err != nil {
+		return a
+	}
+	a.Aggregate = *a.PushEvents(e)
+	return a
+}
+
+func (a *Aggregate) PushLoginPolicyAddedEvent(ctx context.Context, allowUsernamePassword, allowRegister, allowExternalIDP, forceMFA bool, passwordlessType login.PasswordlessType) *Aggregate {
+	a.Aggregate = *a.PushEvents(iam_login.NewAddedEvent(ctx, allowUsernamePassword, allowRegister, allowExternalIDP, forceMFA, passwordlessType))
+	return a
+}
+
+func (a *Aggregate) PushLoginPolicyChangedFromExisting(ctx context.Context, current *iam_login.WriteModel, allowUsernamePassword, allowRegister, allowExternalIDP, forceMFA bool, passwordlessType login.PasswordlessType) *Aggregate {
+	e, err := iam_login.ChangedEventFromExisting(ctx, current, allowUsernamePassword, allowRegister, allowExternalIDP, forceMFA, passwordlessType)
+	if err != nil {
+		return a
+	}
+	a.Aggregate = *a.PushEvents(e)
+	return a
+}
+
+func (a *Aggregate) PushLoginPolicySecondFactorAdded(ctx context.Context, mfaType factors.SecondFactorType) *Aggregate {
+	a.Aggregate = *a.PushEvents(iam_factors.NewLoginPolicySecondFactorAddedEvent(ctx, mfaType))
+	return a
+}
+
+func (a *Aggregate) PushLoginPolicySecondFactorRemoved(ctx context.Context, mfaType factors.SecondFactorType) *Aggregate {
+	a.Aggregate = *a.PushEvents(iam_factors.NewLoginPolicySecondFactorRemovedEvent(ctx, mfaType))
+	return a
+}
+
+func (a *Aggregate) PushLoginPolicyMultiFactorAdded(ctx context.Context, mfaType factors.MultiFactorType) *Aggregate {
+	a.Aggregate = *a.PushEvents(factors2.NewLoginPolicyMultiFactorAddedEvent(ctx, mfaType))
+	return a
+}
+
+func (a *Aggregate) PushLoginPolicyMultiFactorRemoved(ctx context.Context, mfaType factors.MultiFactorType) *Aggregate {
+	a.Aggregate = *a.PushEvents(factors2.NewLoginPolicyMultiFactorRemovedEvent(ctx, mfaType))
+	return a
+}
+
 func (a *Aggregate) PushIDPConfigAdded(
 	ctx context.Context,
 	configID,
@@ -172,7 +286,7 @@ func (a *Aggregate) PushLoginPolicyIDPProviderAddedEvent(
 	providerType provider.Type,
 ) *Aggregate {
 
-	a.Aggregate = *a.PushEvents(NewLoginPolicyIDPProviderAddedEvent(ctx, idpConfigID, providerType))
+	a.Aggregate = *a.PushEvents(idpprovider.NewAddedEvent(ctx, idpConfigID, providerType))
 	return a
 }
 
@@ -182,6 +296,6 @@ func (a *Aggregate) PushLoginPolicyIDPProviderRemovedEvent(
 	providerType provider.Type,
 ) *Aggregate {
 
-	a.Aggregate = *a.PushEvents(NewLoginPolicyIDPProviderRemovedEvent(ctx, idpConfigID))
+	a.Aggregate = *a.PushEvents(idpprovider.NewRemovedEvent(ctx, idpConfigID))
 	return a
 }

internal/v2/repository/iam/eventstore.go

@@ -2,6 +2,12 @@ package iam
 
 import (
 	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/label"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/login"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/org_iam"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/password_age"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/password_complexity"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/password_lockout"
 )
 
 func RegisterEventMappers(es *eventstore.Eventstore) {
@@ -9,17 +15,17 @@ func RegisterEventMappers(es *eventstore.Eventstore) {
 		RegisterFilterEventMapper(SetupDoneEventType, SetupStepMapper).
 		RegisterFilterEventMapper(GlobalOrgSetEventType, GlobalOrgSetMapper).
 		RegisterFilterEventMapper(ProjectSetEventType, ProjectSetMapper).
-		RegisterFilterEventMapper(LabelPolicyAddedEventType, LabelPolicyAddedEventMapper).
+		RegisterFilterEventMapper(label.LabelPolicyAddedEventType, label.AddedEventMapper).
-		RegisterFilterEventMapper(LabelPolicyChangedEventType, LabelPolicyChangedEventMapper).
+		RegisterFilterEventMapper(label.LabelPolicyChangedEventType, label.ChangedEventMapper).
-		RegisterFilterEventMapper(LoginPolicyAddedEventType, LoginPolicyAddedEventMapper).
+		RegisterFilterEventMapper(login.LoginPolicyAddedEventType, login.AddedEventMapper).
-		RegisterFilterEventMapper(LoginPolicyChangedEventType, LoginPolicyChangedEventMapper).
+		RegisterFilterEventMapper(login.LoginPolicyChangedEventType, login.ChangedEventMapper).
-		RegisterFilterEventMapper(OrgIAMPolicyAddedEventType, OrgIAMPolicyAddedEventMapper).
+		RegisterFilterEventMapper(org_iam.OrgIAMPolicyAddedEventType, org_iam.AddedEventMapper).
-		RegisterFilterEventMapper(PasswordAgePolicyAddedEventType, PasswordAgePolicyAddedEventMapper).
+		RegisterFilterEventMapper(password_age.PasswordAgePolicyAddedEventType, password_age.AddedEventMapper).
-		RegisterFilterEventMapper(PasswordAgePolicyChangedEventType, PasswordAgePolicyChangedEventMapper).
+		RegisterFilterEventMapper(password_age.PasswordAgePolicyChangedEventType, password_age.ChangedEventMapper).
-		RegisterFilterEventMapper(PasswordComplexityPolicyAddedEventType, PasswordComplexityPolicyAddedEventMapper).
+		RegisterFilterEventMapper(password_complexity.PasswordComplexityPolicyAddedEventType, password_complexity.AddedEventMapper).
-		RegisterFilterEventMapper(PasswordComplexityPolicyChangedEventType, PasswordComplexityPolicyChangedEventMapper).
+		RegisterFilterEventMapper(password_complexity.PasswordComplexityPolicyChangedEventType, password_complexity.ChangedEventMapper).
-		RegisterFilterEventMapper(PasswordLockoutPolicyAddedEventType, PasswordLockoutPolicyAddedEventMapper).
+		RegisterFilterEventMapper(password_lockout.PasswordLockoutPolicyAddedEventType, password_lockout.AddedEventMapper).
-		RegisterFilterEventMapper(PasswordLockoutPolicyChangedEventType, PasswordLockoutPolicyChangedEventMapper).
+		RegisterFilterEventMapper(password_lockout.PasswordLockoutPolicyChangedEventType, password_lockout.ChangedEventMapper).
 		RegisterFilterEventMapper(MemberAddedEventType, MemberAddedEventMapper).
 		RegisterFilterEventMapper(MemberChangedEventType, MemberChangedEventMapper).
 		RegisterFilterEventMapper(MemberRemovedEventType, MemberRemovedEventMapper).

internal/v2/repository/iam/member.go

@@ -9,9 +9,9 @@ import (
 )
 
 var (
-	MemberAddedEventType   = iamEventTypePrefix + member.AddedEventType
+	MemberAddedEventType   = IamEventTypePrefix + member.AddedEventType
-	MemberChangedEventType = iamEventTypePrefix + member.ChangedEventType
+	MemberChangedEventType = IamEventTypePrefix + member.ChangedEventType
-	MemberRemovedEventType = iamEventTypePrefix + member.RemovedEventType
+	MemberRemovedEventType = IamEventTypePrefix + member.RemovedEventType
 )
 
 type MemberReadModel struct {

internal/v2/repository/iam/policy/label/events.go

@@ -0,0 +1,73 @@
+package label
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/repository/policy/label"
+)
+
+var (
+	iamEventPrefix              = eventstore.EventType("iam.")
+	LabelPolicyAddedEventType   = iamEventPrefix + label.LabelPolicyAddedEventType
+	LabelPolicyChangedEventType = iamEventPrefix + label.LabelPolicyChangedEventType
+)
+
+type AddedEvent struct {
+	label.AddedEvent
+}
+
+func NewAddedEvent(
+	ctx context.Context,
+	primaryColor,
+	secondaryColor string,
+) *AddedEvent {
+	return &AddedEvent{
+		AddedEvent: *label.NewAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, LabelPolicyAddedEventType),
+			primaryColor,
+			secondaryColor),
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := label.AddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &AddedEvent{AddedEvent: *e.(*label.AddedEvent)}, nil
+}
+
+type ChangedEvent struct {
+	label.ChangedEvent
+}
+
+func ChangedEventFromExisting(
+	ctx context.Context,
+	current *WriteModel,
+	primaryColor,
+	secondaryColor string,
+) (*ChangedEvent, error) {
+	event := label.NewChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			LabelPolicyChangedEventType,
+		),
+		&current.Policy,
+		primaryColor,
+		secondaryColor,
+	)
+	return &ChangedEvent{
+		*event,
+	}, nil
+}
+
+func ChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := label.ChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ChangedEvent{ChangedEvent: *e.(*label.ChangedEvent)}, nil
+}

internal/v2/repository/iam/policy/label/read_model.go

@@ -0,0 +1,21 @@
+package label
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/label"
+)
+
+type ReadModel struct{ label.ReadModel }
+
+func (rm *ReadModel) AppendEvents(events ...eventstore.EventReader) {
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			rm.ReadModel.AppendEvents(&e.AddedEvent)
+		case *ChangedEvent:
+			rm.ReadModel.AppendEvents(&e.ChangedEvent)
+		case *label.AddedEvent, *label.ChangedEvent:
+			rm.ReadModel.AppendEvents(e)
+		}
+	}
+}

internal/v2/repository/iam/policy/label/write_model.go

@@ -0,0 +1,47 @@
+package label
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/label"
+)
+
+const (
+	AggregateType = "iam"
+)
+
+type WriteModel struct {
+	eventstore.WriteModel
+	Policy label.WriteModel
+
+	iamID string
+}
+
+func NewWriteModel(iamID string) *WriteModel {
+	return &WriteModel{
+		iamID: iamID,
+	}
+}
+
+func (wm *WriteModel) AppendEvents(events ...eventstore.EventReader) {
+	wm.WriteModel.AppendEvents(events...)
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			wm.Policy.AppendEvents(&e.AddedEvent)
+		case *ChangedEvent:
+			wm.Policy.AppendEvents(&e.ChangedEvent)
+		}
+	}
+}
+
+func (wm *WriteModel) Reduce() error {
+	if err := wm.Policy.Reduce(); err != nil {
+		return err
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *WriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, AggregateType).
+		AggregateIDs(wm.iamID)
+}

internal/v2/repository/iam/policy/login/events.go

@@ -0,0 +1,89 @@
+package login
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/repository/policy/login"
+)
+
+var (
+	iamEventPrefix              = eventstore.EventType("iam.")
+	LoginPolicyAddedEventType   = iamEventPrefix + login.LoginPolicyAddedEventType
+	LoginPolicyChangedEventType = iamEventPrefix + login.LoginPolicyChangedEventType
+
+	LoginPolicyIDPProviderAddedEventType   = iamEventPrefix + login.LoginPolicyIDPProviderAddedEventType
+	LoginPolicyIDPProviderRemovedEventType = iamEventPrefix + login.LoginPolicyIDPProviderRemovedEventType
+)
+
+type AddedEvent struct {
+	login.AddedEvent
+}
+
+func NewAddedEvent(
+	ctx context.Context,
+	allowUsernamePassword,
+	allowRegister,
+	allowExternalIDP,
+	forceMFA bool,
+	passwordlessType login.PasswordlessType,
+) *AddedEvent {
+	return &AddedEvent{
+		AddedEvent: *login.NewAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, login.LoginPolicyAddedEventType),
+			allowUsernamePassword,
+			allowRegister,
+			allowExternalIDP,
+			forceMFA,
+			passwordlessType),
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := login.AddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &AddedEvent{AddedEvent: *e.(*login.AddedEvent)}, nil
+}
+
+type ChangedEvent struct {
+	login.ChangedEvent
+}
+
+func ChangedEventFromExisting(
+	ctx context.Context,
+	current *WriteModel,
+	allowUsernamePassword,
+	allowRegister,
+	allowExternalIDP,
+	forceMFA bool,
+	passwordlessType login.PasswordlessType,
+) (*ChangedEvent, error) {
+
+	event := login.NewChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			LoginPolicyChangedEventType,
+		),
+		&current.Policy,
+		allowUsernamePassword,
+		allowRegister,
+		allowExternalIDP,
+		forceMFA,
+		passwordlessType,
+	)
+	return &ChangedEvent{
+		*event,
+	}, nil
+}
+
+func ChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := login.ChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ChangedEvent{ChangedEvent: *e.(*login.ChangedEvent)}, nil
+}

internal/v2/repository/iam/policy/login/factors/events.go

@@ -0,0 +1,123 @@
+package factors
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/repository/policy/login/factors"
+)
+
+var (
+	iamEventPrefix                          = eventstore.EventType("iam.")
+	LoginPolicySecondFactorAddedEventType   = iamEventPrefix + factors.LoginPolicySecondFactorAddedEventType
+	LoginPolicySecondFactorRemovedEventType = iamEventPrefix + factors.LoginPolicySecondFactorRemovedEventType
+
+	LoginPolicyMultiFactorAddedEventType   = iamEventPrefix + factors.LoginPolicyMultiFactorAddedEventType
+	LoginPolicyMultiFactorRemovedEventType = iamEventPrefix + factors.LoginPolicyMultiFactorRemovedEventType
+)
+
+type LoginPolicySecondFactorAddedEvent struct {
+	factors.SecondFactorAddedEvent
+}
+
+func NewLoginPolicySecondFactorAddedEvent(
+	ctx context.Context,
+	mfaType factors.SecondFactorType,
+) *LoginPolicySecondFactorAddedEvent {
+	return &LoginPolicySecondFactorAddedEvent{
+		SecondFactorAddedEvent: *factors.NewSecondFactorAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, LoginPolicySecondFactorAddedEventType),
+			mfaType),
+	}
+}
+
+func SecondFactorAddedEventEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := factors.SecondFactorAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicySecondFactorAddedEvent{
+		SecondFactorAddedEvent: *e.(*factors.SecondFactorAddedEvent),
+	}, nil
+}
+
+type LoginPolicySecondFactorRemovedEvent struct {
+	factors.SecondFactorRemovedEvent
+}
+
+func NewLoginPolicySecondFactorRemovedEvent(
+	ctx context.Context,
+	mfaType factors.SecondFactorType,
+) *LoginPolicySecondFactorRemovedEvent {
+
+	return &LoginPolicySecondFactorRemovedEvent{
+		SecondFactorRemovedEvent: *factors.NewSecondFactorRemovedEvent(
+			eventstore.NewBaseEventForPush(ctx, LoginPolicySecondFactorRemovedEventType),
+			mfaType),
+	}
+}
+
+func SecondFactorRemovedEventEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := factors.SecondFactorRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicySecondFactorRemovedEvent{
+		SecondFactorRemovedEvent: *e.(*factors.SecondFactorRemovedEvent),
+	}, nil
+}
+
+type LoginPolicyMultiFactorAddedEvent struct {
+	factors.MultiFactorAddedEvent
+}
+
+func NewLoginPolicyMultiFactorAddedEvent(
+	ctx context.Context,
+	mfaType factors.MultiFactorType,
+) *LoginPolicyMultiFactorAddedEvent {
+	return &LoginPolicyMultiFactorAddedEvent{
+		MultiFactorAddedEvent: *factors.NewMultiFactorAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, LoginPolicyMultiFactorAddedEventType),
+			mfaType),
+	}
+}
+
+func MultiFactorAddedEventEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := factors.MultiFactorAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicyMultiFactorAddedEvent{
+		MultiFactorAddedEvent: *e.(*factors.MultiFactorAddedEvent),
+	}, nil
+}
+
+type LoginPolicyMultiFactorRemovedEvent struct {
+	factors.MultiFactorRemovedEvent
+}
+
+func NewLoginPolicyMultiFactorRemovedEvent(
+	ctx context.Context,
+	mfaType factors.MultiFactorType,
+) *LoginPolicyMultiFactorRemovedEvent {
+
+	return &LoginPolicyMultiFactorRemovedEvent{
+		MultiFactorRemovedEvent: *factors.NewMultiFactorRemovedEvent(
+			eventstore.NewBaseEventForPush(ctx, LoginPolicyMultiFactorRemovedEventType),
+			mfaType),
+	}
+}
+
+func MultiFactorRemovedEventEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := factors.MultiFactorRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicyMultiFactorRemovedEvent{
+		MultiFactorRemovedEvent: *e.(*factors.MultiFactorRemovedEvent),
+	}, nil
+}

internal/v2/repository/iam/policy/login/factors/write_model.go

@@ -0,0 +1,80 @@
+package factors
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/login/factors"
+)
+
+const (
+	AggregateType = "iam"
+)
+
+type SecondFactorWriteModel struct {
+	eventstore.WriteModel
+	SecondFactor factors.SecondFactoryWriteModel
+
+	iamID string
+}
+
+func NewSecondFactorWriteModel(iamID string) *SecondFactorWriteModel {
+	return &SecondFactorWriteModel{
+		iamID: iamID,
+	}
+}
+
+func (wm *SecondFactorWriteModel) AppendEvents(events ...eventstore.EventReader) {
+	wm.WriteModel.AppendEvents(events...)
+	for _, event := range events {
+		switch e := event.(type) {
+		case *LoginPolicySecondFactorAddedEvent:
+			wm.SecondFactor.AppendEvents(&e.SecondFactorAddedEvent)
+		}
+	}
+}
+
+func (wm *SecondFactorWriteModel) Reduce() error {
+	if err := wm.SecondFactor.Reduce(); err != nil {
+		return err
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *SecondFactorWriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, AggregateType).
+		AggregateIDs(wm.iamID)
+}
+
+type MultiFactorWriteModel struct {
+	eventstore.WriteModel
+	MultiFactor factors.MultiFactoryWriteModel
+
+	iamID string
+}
+
+func NewMultiFactorWriteModel(iamID string) *MultiFactorWriteModel {
+	return &MultiFactorWriteModel{
+		iamID: iamID,
+	}
+}
+
+func (wm *MultiFactorWriteModel) AppendEvents(events ...eventstore.EventReader) {
+	wm.WriteModel.AppendEvents(events...)
+	for _, event := range events {
+		switch e := event.(type) {
+		case *LoginPolicyMultiFactorAddedEvent:
+			wm.MultiFactor.AppendEvents(&e.MultiFactorAddedEvent)
+		}
+	}
+}
+
+func (wm *MultiFactorWriteModel) Reduce() error {
+	if err := wm.MultiFactor.Reduce(); err != nil {
+		return err
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *MultiFactorWriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, AggregateType).
+		AggregateIDs(wm.iamID)
+}

internal/v2/repository/iam/policy/login/idpprovider/events.go

@@ -0,0 +1,66 @@
+package idpprovider
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/v2/repository/iam/policy/login"
+	"github.com/caos/zitadel/internal/v2/repository/policy/login/idpprovider"
+
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/repository/idp/provider"
+)
+
+type AddedEvent struct {
+	idpprovider.AddedEvent
+}
+
+func NewAddedEvent(
+	ctx context.Context,
+	idpConfigID string,
+	idpProviderType provider.Type,
+) *AddedEvent {
+
+	return &AddedEvent{
+		AddedEvent: *idpprovider.NewAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, login.LoginPolicyIDPProviderAddedEventType),
+			idpConfigID,
+			idpProviderType),
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpprovider.AddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &AddedEvent{
+		AddedEvent: *e.(*idpprovider.AddedEvent),
+	}, nil
+}
+
+type RemovedEvent struct {
+	idpprovider.RemovedEvent
+}
+
+func NewRemovedEvent(
+	ctx context.Context,
+	idpConfigID string,
+) *RemovedEvent {
+	return &RemovedEvent{
+		RemovedEvent: *idpprovider.NewRemovedEvent(
+			eventstore.NewBaseEventForPush(ctx, login.LoginPolicyIDPProviderRemovedEventType),
+			idpConfigID),
+	}
+}
+
+func RemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpprovider.RemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &RemovedEvent{
+		RemovedEvent: *e.(*idpprovider.RemovedEvent),
+	}, nil
+}

internal/v2/repository/iam/policy/login/idpprovider/write_model.go

@@ -0,0 +1,66 @@
+package idpprovider
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/login/idpprovider"
+)
+
+const (
+	AggregateType = "iam"
+)
+
+type WriteModel struct {
+	eventstore.WriteModel
+	Provider idpprovider.WriteModel
+
+	idpConfigID string
+	iamID       string
+
+	IsRemoved bool
+}
+
+func NewWriteModel(iamID, idpConfigID string) *WriteModel {
+	return &WriteModel{
+		iamID:       iamID,
+		idpConfigID: idpConfigID,
+	}
+}
+
+func (wm *WriteModel) AppendEvents(events ...eventstore.EventReader) {
+	wm.WriteModel.AppendEvents(events...)
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			if e.IDPConfigID != wm.idpConfigID {
+				continue
+			}
+			wm.Provider.AppendEvents(&e.AddedEvent)
+		}
+	}
+}
+
+func (wm *WriteModel) Reduce() error {
+	for _, event := range wm.Events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			if e.IDPConfigID != wm.idpConfigID {
+				continue
+			}
+			wm.IsRemoved = false
+		case *RemovedEvent:
+			if e.IDPConfigID != wm.idpConfigID {
+				continue
+			}
+			wm.IsRemoved = true
+		}
+	}
+	if err := wm.Provider.Reduce(); err != nil {
+		return err
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *WriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, AggregateType).
+		AggregateIDs(wm.iamID)
+}

internal/v2/repository/iam/policy/login/read_model.go

@@ -0,0 +1,21 @@
+package login
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/login"
+)
+
+type ReadModel struct{ login.ReadModel }
+
+func (rm *ReadModel) AppendEvents(events ...eventstore.EventReader) {
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			rm.ReadModel.AppendEvents(&e.AddedEvent)
+		case *ChangedEvent:
+			rm.ReadModel.AppendEvents(&e.ChangedEvent)
+		case *login.AddedEvent, *login.ChangedEvent:
+			rm.ReadModel.AppendEvents(e)
+		}
+	}
+}

internal/v2/repository/iam/policy/login/write_model.go

@@ -0,0 +1,47 @@
+package login
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/login"
+)
+
+const (
+	AggregateType = "iam"
+)
+
+type WriteModel struct {
+	eventstore.WriteModel
+	Policy login.WriteModel
+
+	iamID string
+}
+
+func NewWriteModel(iamID string) *WriteModel {
+	return &WriteModel{
+		iamID: iamID,
+	}
+}
+
+func (wm *WriteModel) AppendEvents(events ...eventstore.EventReader) {
+	wm.WriteModel.AppendEvents(events...)
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			wm.Policy.AppendEvents(&e.AddedEvent)
+		case *ChangedEvent:
+			wm.Policy.AppendEvents(&e.ChangedEvent)
+		}
+	}
+}
+
+func (wm *WriteModel) Reduce() error {
+	if err := wm.Policy.Reduce(); err != nil {
+		return err
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *WriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, AggregateType).
+		AggregateIDs(wm.iamID)
+}

internal/v2/repository/iam/policy/org_iam/events.go

@@ -0,0 +1,70 @@
+package org_iam
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/repository/policy/org_iam"
+)
+
+var (
+	iamEventPrefix               = eventstore.EventType("iam.")
+	OrgIAMPolicyAddedEventType   = iamEventPrefix + org_iam.OrgIAMPolicyAddedEventType
+	OrgIAMPolicyChangedEventType = iamEventPrefix + org_iam.OrgIAMPolicyChangedEventType
+)
+
+type AddedEvent struct {
+	org_iam.AddedEvent
+}
+
+func NewAddedEvent(
+	ctx context.Context,
+	userLoginMustBeDomain bool,
+) *AddedEvent {
+	return &AddedEvent{
+		AddedEvent: *org_iam.NewAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, OrgIAMPolicyAddedEventType),
+			userLoginMustBeDomain,
+		),
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := org_iam.AddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &AddedEvent{AddedEvent: *e.(*org_iam.AddedEvent)}, nil
+}
+
+type ChangedEvent struct {
+	org_iam.ChangedEvent
+}
+
+func ChangedEventFromExisting(
+	ctx context.Context,
+	current *WriteModel,
+	userLoginMustBeDomain bool,
+) (*ChangedEvent, error) {
+	event := org_iam.NewChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			OrgIAMPolicyChangedEventType,
+		),
+		&current.Policy,
+		userLoginMustBeDomain,
+	)
+	return &ChangedEvent{
+		*event,
+	}, nil
+}
+
+func ChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := org_iam.ChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ChangedEvent{ChangedEvent: *e.(*org_iam.ChangedEvent)}, nil
+}

internal/v2/repository/iam/policy/org_iam/read_model.go

@@ -0,0 +1,19 @@
+package org_iam
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/org_iam"
+)
+
+type ReadModel struct{ org_iam.ReadModel }
+
+func (rm *ReadModel) AppendEvents(events ...eventstore.EventReader) {
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			rm.ReadModel.AppendEvents(&e.AddedEvent)
+		case *org_iam.AddedEvent:
+			rm.ReadModel.AppendEvents(e)
+		}
+	}
+}

internal/v2/repository/iam/policy/org_iam/write_model.go

@@ -0,0 +1,47 @@
+package org_iam
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/org_iam"
+)
+
+const (
+	AggregateType = "iam"
+)
+
+type WriteModel struct {
+	eventstore.WriteModel
+	Policy org_iam.WriteModel
+
+	iamID string
+}
+
+func NewWriteModel(iamID string) *WriteModel {
+	return &WriteModel{
+		iamID: iamID,
+	}
+}
+
+func (wm *WriteModel) AppendEvents(events ...eventstore.EventReader) {
+	wm.WriteModel.AppendEvents(events...)
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			wm.Policy.AppendEvents(&e.AddedEvent)
+		case *ChangedEvent:
+			wm.Policy.AppendEvents(&e.ChangedEvent)
+		}
+	}
+}
+
+func (wm *WriteModel) Reduce() error {
+	if err := wm.Policy.Reduce(); err != nil {
+		return err
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *WriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, AggregateType).
+		AggregateIDs(wm.iamID)
+}

internal/v2/repository/iam/policy/password_age/events.go

@@ -0,0 +1,73 @@
+package password_age
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_age"
+)
+
+var (
+	iamEventPrefix                    = eventstore.EventType("iam.")
+	PasswordAgePolicyAddedEventType   = iamEventPrefix + password_age.PasswordAgePolicyAddedEventType
+	PasswordAgePolicyChangedEventType = iamEventPrefix + password_age.PasswordAgePolicyChangedEventType
+)
+
+type AddedEvent struct {
+	password_age.AddedEvent
+}
+
+func NewAddedEvent(
+	ctx context.Context,
+	expireWarnDays,
+	maxAgeDays uint64,
+) *AddedEvent {
+	return &AddedEvent{
+		AddedEvent: *password_age.NewAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, PasswordAgePolicyAddedEventType),
+			expireWarnDays,
+			maxAgeDays),
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := password_age.AddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &AddedEvent{AddedEvent: *e.(*password_age.AddedEvent)}, nil
+}
+
+type ChangedEvent struct {
+	password_age.ChangedEvent
+}
+
+func ChangedEventFromExisting(
+	ctx context.Context,
+	current *WriteModel,
+	expireWarnDays,
+	maxAgeDays uint64,
+) (*ChangedEvent, error) {
+	event := password_age.NewChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			PasswordAgePolicyChangedEventType,
+		),
+		&current.Policy,
+		expireWarnDays,
+		maxAgeDays,
+	)
+	return &ChangedEvent{
+		*event,
+	}, nil
+}
+
+func ChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := password_age.ChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ChangedEvent{ChangedEvent: *e.(*password_age.ChangedEvent)}, nil
+}

internal/v2/repository/iam/policy/password_age/read_model.go

@@ -0,0 +1,25 @@
+package password_age
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_age"
+)
+
+type ReadModel struct {
+	password_age.ReadModel
+}
+
+func (rm *ReadModel) AppendEvents(events ...eventstore.EventReader) {
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			rm.ReadModel.AppendEvents(&e.AddedEvent)
+		case *ChangedEvent:
+			rm.ReadModel.AppendEvents(&e.ChangedEvent)
+		case *password_age.AddedEvent,
+			*password_age.ChangedEvent:
+
+			rm.ReadModel.AppendEvents(e)
+		}
+	}
+}

internal/v2/repository/iam/policy/password_age/write_model.go

@@ -0,0 +1,47 @@
+package password_age
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_age"
+)
+
+const (
+	AggregateType = "iam"
+)
+
+type WriteModel struct {
+	eventstore.WriteModel
+	Policy password_age.WriteModel
+
+	iamID string
+}
+
+func NewWriteModel(iamID string) *WriteModel {
+	return &WriteModel{
+		iamID: iamID,
+	}
+}
+
+func (wm *WriteModel) AppendEvents(events ...eventstore.EventReader) {
+	wm.WriteModel.AppendEvents(events...)
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			wm.Policy.AppendEvents(&e.AddedEvent)
+		case *ChangedEvent:
+			wm.Policy.AppendEvents(&e.ChangedEvent)
+		}
+	}
+}
+
+func (wm *WriteModel) Reduce() error {
+	if err := wm.Policy.Reduce(); err != nil {
+		return err
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *WriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, AggregateType).
+		AggregateIDs(wm.iamID)
+}

internal/v2/repository/iam/policy/password_complexity/events.go

@@ -0,0 +1,85 @@
+package password_complexity
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_complexity"
+)
+
+const (
+	iamEventPrefix                           = eventstore.EventType("iam.")
+	PasswordComplexityPolicyAddedEventType   = iamEventPrefix + password_complexity.PasswordComplexityPolicyAddedEventType
+	PasswordComplexityPolicyChangedEventType = iamEventPrefix + password_complexity.PasswordComplexityPolicyChangedEventType
+)
+
+type AddedEvent struct {
+	password_complexity.AddedEvent
+}
+
+func NewAddedEvent(
+	ctx context.Context,
+	minLength uint64,
+	hasLowercase,
+	hasUppercase,
+	hasNumber,
+	hasSymbol bool,
+) *AddedEvent {
+	return &AddedEvent{
+		AddedEvent: *password_complexity.NewAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, PasswordComplexityPolicyAddedEventType),
+			minLength,
+			hasLowercase,
+			hasUppercase,
+			hasNumber,
+			hasSymbol),
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := password_complexity.AddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &AddedEvent{AddedEvent: *e.(*password_complexity.AddedEvent)}, nil
+}
+
+type ChangedEvent struct {
+	password_complexity.ChangedEvent
+}
+
+func ChangedEventFromExisting(
+	ctx context.Context,
+	current *WriteModel,
+	minLength uint64,
+	hasLowerCase,
+	hasUpperCase,
+	hasNumber,
+	hasSymbol bool,
+) (*ChangedEvent, error) {
+	event := password_complexity.NewChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			PasswordComplexityPolicyChangedEventType,
+		),
+		&current.Policy,
+		minLength,
+		hasLowerCase,
+		hasUpperCase,
+		hasNumber,
+		hasSymbol,
+	)
+	return &ChangedEvent{
+		*event,
+	}, nil
+}
+
+func ChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := password_complexity.ChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ChangedEvent{ChangedEvent: *e.(*password_complexity.ChangedEvent)}, nil
+}

internal/v2/repository/iam/policy/password_complexity/read_model.go

@@ -0,0 +1,25 @@
+package password_complexity
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_complexity"
+)
+
+type ReadModel struct {
+	password_complexity.ReadModel
+}
+
+func (rm *ReadModel) AppendEvents(events ...eventstore.EventReader) {
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			rm.ReadModel.AppendEvents(&e.AddedEvent)
+		case *ChangedEvent:
+			rm.ReadModel.AppendEvents(&e.ChangedEvent)
+		case *password_complexity.AddedEvent,
+			*password_complexity.ChangedEvent:
+
+			rm.ReadModel.AppendEvents(e)
+		}
+	}
+}

internal/v2/repository/iam/policy/password_complexity/write_model.go

@@ -0,0 +1,47 @@
+package password_complexity
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_complexity"
+)
+
+const (
+	AggregateType = "iam"
+)
+
+type WriteModel struct {
+	eventstore.WriteModel
+	Policy password_complexity.WriteModel
+
+	iamID string
+}
+
+func NewWriteModel(iamID string) *WriteModel {
+	return &WriteModel{
+		iamID: iamID,
+	}
+}
+
+func (wm *WriteModel) AppendEvents(events ...eventstore.EventReader) {
+	wm.WriteModel.AppendEvents(events...)
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			wm.Policy.AppendEvents(&e.AddedEvent)
+		case *ChangedEvent:
+			wm.Policy.AppendEvents(&e.ChangedEvent)
+		}
+	}
+}
+
+func (wm *WriteModel) Reduce() error {
+	if err := wm.Policy.Reduce(); err != nil {
+		return err
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *WriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, AggregateType).
+		AggregateIDs(wm.iamID)
+}

internal/v2/repository/iam/policy/password_lockout/events.go

@@ -0,0 +1,73 @@
+package password_lockout
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_lockout"
+)
+
+var (
+	iamEventPrefix                        = eventstore.EventType("iam.")
+	PasswordLockoutPolicyAddedEventType   = iamEventPrefix + password_lockout.PasswordLockoutPolicyAddedEventType
+	PasswordLockoutPolicyChangedEventType = iamEventPrefix + password_lockout.PasswordLockoutPolicyChangedEventType
+)
+
+type AddedEvent struct {
+	password_lockout.AddedEvent
+}
+
+func NewAddedEvent(
+	ctx context.Context,
+	maxAttempts uint64,
+	showLockoutFailure bool,
+) *AddedEvent {
+	return &AddedEvent{
+		AddedEvent: *password_lockout.NewAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, PasswordLockoutPolicyAddedEventType),
+			maxAttempts,
+			showLockoutFailure),
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := password_lockout.AddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &AddedEvent{AddedEvent: *e.(*password_lockout.AddedEvent)}, nil
+}
+
+type ChangedEvent struct {
+	password_lockout.ChangedEvent
+}
+
+func ChangedEventFromExisting(
+	ctx context.Context,
+	current *WriteModel,
+	maxAttempts uint64,
+	showLockoutFailure bool,
+) (*ChangedEvent, error) {
+	event := password_lockout.NewChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			PasswordLockoutPolicyChangedEventType,
+		),
+		&current.Policy,
+		maxAttempts,
+		showLockoutFailure,
+	)
+	return &ChangedEvent{
+		*event,
+	}, nil
+}
+
+func ChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := password_lockout.ChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ChangedEvent{ChangedEvent: *e.(*password_lockout.ChangedEvent)}, nil
+}

internal/v2/repository/iam/policy/password_lockout/read_model.go

@@ -0,0 +1,23 @@
+package password_lockout
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_lockout"
+)
+
+type ReadModel struct {
+	password_lockout.ReadModel
+}
+
+func (rm *ReadModel) AppendEvents(events ...eventstore.EventReader) {
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			rm.ReadModel.AppendEvents(&e.AddedEvent)
+		case *ChangedEvent:
+			rm.ReadModel.AppendEvents(&e.ChangedEvent)
+		case *password_lockout.AddedEvent, *password_lockout.ChangedEvent:
+			rm.ReadModel.AppendEvents(e)
+		}
+	}
+}

internal/v2/repository/iam/policy/password_lockout/write_model.go

@@ -0,0 +1,47 @@
+package password_lockout
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_lockout"
+)
+
+const (
+	AggregateType = "iam"
+)
+
+type WriteModel struct {
+	eventstore.WriteModel
+	Policy password_lockout.WriteModel
+
+	iamID string
+}
+
+func NewWriteModel(iamID string) *WriteModel {
+	return &WriteModel{
+		iamID: iamID,
+	}
+}
+
+func (wm *WriteModel) AppendEvents(events ...eventstore.EventReader) {
+	wm.WriteModel.AppendEvents(events...)
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			wm.Policy.AppendEvents(&e.AddedEvent)
+		case *ChangedEvent:
+			wm.Policy.AppendEvents(&e.ChangedEvent)
+		}
+	}
+}
+
+func (wm *WriteModel) Reduce() error {
+	if err := wm.Policy.Reduce(); err != nil {
+		return err
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *WriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, AggregateType).
+		AggregateIDs(wm.iamID)
+}

internal/v2/repository/iam/policy_label.go

@@ -1,83 +0,0 @@
-package iam
-
-import (
-	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/eventstore/v2/repository"
-	"github.com/caos/zitadel/internal/v2/repository/policy"
-)
-
-var (
-	LabelPolicyAddedEventType   = iamEventTypePrefix + policy.LabelPolicyAddedEventType
-	LabelPolicyChangedEventType = iamEventTypePrefix + policy.LabelPolicyChangedEventType
-)
-
-type LabelPolicyReadModel struct{ policy.LabelPolicyReadModel }
-
-func (rm *LabelPolicyReadModel) AppendEvents(events ...eventstore.EventReader) {
-	for _, event := range events {
-		switch e := event.(type) {
-		case *LabelPolicyAddedEvent:
-			rm.ReadModel.AppendEvents(&e.LabelPolicyAddedEvent)
-		case *LabelPolicyChangedEvent:
-			rm.ReadModel.AppendEvents(&e.LabelPolicyChangedEvent)
-		case *policy.LabelPolicyAddedEvent, *policy.LabelPolicyChangedEvent:
-			rm.ReadModel.AppendEvents(e)
-		}
-	}
-}
-
-type LabelPolicyAddedEvent struct {
-	policy.LabelPolicyAddedEvent
-}
-
-func LabelPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.LabelPolicyAddedEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &LabelPolicyAddedEvent{LabelPolicyAddedEvent: *e.(*policy.LabelPolicyAddedEvent)}, nil
-}
-
-type LabelPolicyChangedEvent struct {
-	policy.LabelPolicyChangedEvent
-}
-
-func LabelPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.LabelPolicyChangedEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &LabelPolicyChangedEvent{LabelPolicyChangedEvent: *e.(*policy.LabelPolicyChangedEvent)}, nil
-}
-
-// func NewLabelPolicyAddedEvent(
-// 	ctx context.Context,
-// 	primaryColor,
-// 	secondaryColor string,
-// ) *LabelPolicyAddedEvent {
-
-// 	return &LabelPolicyAddedEvent{
-// 		LabelPolicyAddedEvent: *policy.NewLabelPolicyAddedEvent(
-// 			ctx,
-// 			primaryColor,
-// 			secondaryColor,
-// 		),
-// 	}
-// }
-
-// func NewLabelPolicyChangedEvent(
-// 	ctx context.Context,
-// 	primaryColor,
-// 	secondaryColor string,
-// ) *MemberChangedEvent {
-
-// 	return &LabelPolicyChangedEvent{
-// 		LabelPolicyChangedEvent: *policy.NewLabelPolicyChangedEvent(
-// 			ctx,
-// 			primaryColor,
-// 			secondaryColor,
-// 		),
-// 	}
-// }

internal/v2/repository/iam/policy_login.go

@@ -1,171 +0,0 @@
-package iam
-
-import (
-	"context"
-
-	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/eventstore/v2/repository"
-	"github.com/caos/zitadel/internal/v2/repository/idp/provider"
-	"github.com/caos/zitadel/internal/v2/repository/policy"
-)
-
-var (
-	LoginPolicyAddedEventType   = iamEventTypePrefix + policy.LoginPolicyAddedEventType
-	LoginPolicyChangedEventType = iamEventTypePrefix + policy.LoginPolicyChangedEventType
-
-	LoginPolicyIDPProviderAddedEventType   = iamEventTypePrefix + policy.LoginPolicyIDPProviderAddedEventType
-	LoginPolicyIDPProviderRemovedEventType = iamEventTypePrefix + policy.LoginPolicyIDPProviderRemovedEventType
-)
-
-type LoginPolicyReadModel struct{ policy.LoginPolicyReadModel }
-
-func (rm *LoginPolicyReadModel) AppendEvents(events ...eventstore.EventReader) {
-	for _, event := range events {
-		switch e := event.(type) {
-		case *LoginPolicyAddedEvent:
-			rm.ReadModel.AppendEvents(&e.LoginPolicyAddedEvent)
-		case *LoginPolicyChangedEvent:
-			rm.ReadModel.AppendEvents(&e.LoginPolicyChangedEvent)
-		case *policy.LoginPolicyAddedEvent, *policy.LoginPolicyChangedEvent:
-			rm.ReadModel.AppendEvents(e)
-		}
-	}
-}
-
-type LoginPolicyAddedEvent struct {
-	policy.LoginPolicyAddedEvent
-}
-
-func LoginPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.LoginPolicyAddedEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &LoginPolicyAddedEvent{LoginPolicyAddedEvent: *e.(*policy.LoginPolicyAddedEvent)}, nil
-}
-
-type LoginPolicyChangedEvent struct {
-	policy.LoginPolicyChangedEvent
-}
-
-func LoginPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.LoginPolicyChangedEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &LoginPolicyChangedEvent{LoginPolicyChangedEvent: *e.(*policy.LoginPolicyChangedEvent)}, nil
-}
-
-type LoginPolicyIDPProviderWriteModel struct {
-	eventstore.WriteModel
-	policy.IDPProviderWriteModel
-
-	idpConfigID string
-	iamID       string
-
-	IsRemoved bool
-}
-
-func NewLoginPolicyIDPProviderWriteModel(iamID, idpConfigID string) *LoginPolicyIDPProviderWriteModel {
-	return &LoginPolicyIDPProviderWriteModel{
-		iamID:       iamID,
-		idpConfigID: idpConfigID,
-	}
-}
-
-func (wm *LoginPolicyIDPProviderWriteModel) AppendEvents(events ...eventstore.EventReader) {
-	wm.WriteModel.AppendEvents(events...)
-	for _, event := range events {
-		switch e := event.(type) {
-		case *LoginPolicyIDPProviderAddedEvent:
-			if e.IDPConfigID != wm.idpConfigID {
-				continue
-			}
-			wm.IDPProviderWriteModel.AppendEvents(&e.IDPProviderAddedEvent)
-		}
-	}
-}
-
-func (wm *LoginPolicyIDPProviderWriteModel) Reduce() error {
-	for _, event := range wm.Events {
-		switch e := event.(type) {
-		case *LoginPolicyIDPProviderAddedEvent:
-			if e.IDPConfigID != wm.idpConfigID {
-				continue
-			}
-			wm.IsRemoved = false
-		case *LoginPolicyIDPProviderRemovedEvent:
-			if e.IDPConfigID != wm.idpConfigID {
-				continue
-			}
-			wm.IsRemoved = true
-		}
-	}
-	if err := wm.IDPProviderWriteModel.Reduce(); err != nil {
-		return err
-	}
-	return wm.WriteModel.Reduce()
-}
-
-func (wm *LoginPolicyIDPProviderWriteModel) Query() *eventstore.SearchQueryBuilder {
-	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, AggregateType).
-		AggregateIDs(wm.iamID)
-}
-
-type LoginPolicyIDPProviderAddedEvent struct {
-	policy.IDPProviderAddedEvent
-}
-
-func NewLoginPolicyIDPProviderAddedEvent(
-	ctx context.Context,
-	idpConfigID string,
-	idpProviderType provider.Type,
-) *LoginPolicyIDPProviderAddedEvent {
-
-	return &LoginPolicyIDPProviderAddedEvent{
-		IDPProviderAddedEvent: *policy.NewIDPProviderAddedEvent(
-			eventstore.NewBaseEventForPush(ctx, LoginPolicyIDPProviderAddedEventType),
-			idpConfigID,
-			provider.TypeSystem),
-	}
-}
-
-func IDPProviderAddedEventEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.IDPProviderAddedEventEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &LoginPolicyIDPProviderAddedEvent{
-		IDPProviderAddedEvent: *e.(*policy.IDPProviderAddedEvent),
-	}, nil
-}
-
-type LoginPolicyIDPProviderRemovedEvent struct {
-	policy.IDPProviderRemovedEvent
-}
-
-func NewLoginPolicyIDPProviderRemovedEvent(
-	ctx context.Context,
-	idpConfigID string,
-) *LoginPolicyIDPProviderRemovedEvent {
-
-	return &LoginPolicyIDPProviderRemovedEvent{
-		IDPProviderRemovedEvent: *policy.NewIDPProviderRemovedEvent(
-			eventstore.NewBaseEventForPush(ctx, LoginPolicyIDPProviderRemovedEventType),
-			idpConfigID),
-	}
-}
-
-func IDPProviderRemovedEventEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.IDPProviderRemovedEventEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &LoginPolicyIDPProviderRemovedEvent{
-		IDPProviderRemovedEvent: *e.(*policy.IDPProviderRemovedEvent),
-	}, nil
-}

internal/v2/repository/iam/policy_org_iam.go

@@ -1,37 +0,0 @@
-package iam
-
-import (
-	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/eventstore/v2/repository"
-	"github.com/caos/zitadel/internal/v2/repository/policy"
-)
-
-var (
-	OrgIAMPolicyAddedEventType = iamEventTypePrefix + policy.OrgIAMPolicyAddedEventType
-)
-
-type OrgIAMPolicyReadModel struct{ policy.OrgIAMPolicyReadModel }
-
-func (rm *OrgIAMPolicyReadModel) AppendEvents(events ...eventstore.EventReader) {
-	for _, event := range events {
-		switch e := event.(type) {
-		case *OrgIAMPolicyAddedEvent:
-			rm.ReadModel.AppendEvents(&e.OrgIAMPolicyAddedEvent)
-		case *policy.OrgIAMPolicyAddedEvent:
-			rm.ReadModel.AppendEvents(e)
-		}
-	}
-}
-
-type OrgIAMPolicyAddedEvent struct {
-	policy.OrgIAMPolicyAddedEvent
-}
-
-func OrgIAMPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.OrgIAMPolicyAddedEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &OrgIAMPolicyAddedEvent{OrgIAMPolicyAddedEvent: *e.(*policy.OrgIAMPolicyAddedEvent)}, nil
-}

internal/v2/repository/iam/policy_password_age.go

@@ -1,57 +0,0 @@
-package iam
-
-import (
-	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/eventstore/v2/repository"
-	"github.com/caos/zitadel/internal/v2/repository/policy"
-)
-
-var (
-	PasswordAgePolicyAddedEventType   = iamEventTypePrefix + policy.PasswordAgePolicyAddedEventType
-	PasswordAgePolicyChangedEventType = iamEventTypePrefix + policy.PasswordAgePolicyChangedEventType
-)
-
-type PasswordAgePolicyReadModel struct {
-	policy.PasswordAgePolicyReadModel
-}
-
-func (rm *PasswordAgePolicyReadModel) AppendEvents(events ...eventstore.EventReader) {
-	for _, event := range events {
-		switch e := event.(type) {
-		case *PasswordAgePolicyAddedEvent:
-			rm.ReadModel.AppendEvents(&e.PasswordAgePolicyAddedEvent)
-		case *PasswordAgePolicyChangedEvent:
-			rm.ReadModel.AppendEvents(&e.PasswordAgePolicyChangedEvent)
-		case *policy.PasswordAgePolicyAddedEvent,
-			*policy.PasswordAgePolicyChangedEvent:
-
-			rm.ReadModel.AppendEvents(e)
-		}
-	}
-}
-
-type PasswordAgePolicyAddedEvent struct {
-	policy.PasswordAgePolicyAddedEvent
-}
-
-func PasswordAgePolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.PasswordAgePolicyAddedEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &PasswordAgePolicyAddedEvent{PasswordAgePolicyAddedEvent: *e.(*policy.PasswordAgePolicyAddedEvent)}, nil
-}
-
-type PasswordAgePolicyChangedEvent struct {
-	policy.PasswordAgePolicyChangedEvent
-}
-
-func PasswordAgePolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.PasswordAgePolicyChangedEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &PasswordAgePolicyChangedEvent{PasswordAgePolicyChangedEvent: *e.(*policy.PasswordAgePolicyChangedEvent)}, nil
-}

internal/v2/repository/iam/policy_password_complexity.go

@@ -1,57 +0,0 @@
-package iam
-
-import (
-	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/eventstore/v2/repository"
-	"github.com/caos/zitadel/internal/v2/repository/policy"
-)
-
-var (
-	PasswordComplexityPolicyAddedEventType   = iamEventTypePrefix + policy.PasswordComplexityPolicyAddedEventType
-	PasswordComplexityPolicyChangedEventType = iamEventTypePrefix + policy.PasswordComplexityPolicyChangedEventType
-)
-
-type PasswordComplexityPolicyReadModel struct {
-	policy.PasswordComplexityPolicyReadModel
-}
-
-func (rm *PasswordComplexityPolicyReadModel) AppendEvents(events ...eventstore.EventReader) {
-	for _, event := range events {
-		switch e := event.(type) {
-		case *PasswordComplexityPolicyAddedEvent:
-			rm.ReadModel.AppendEvents(&e.PasswordComplexityPolicyAddedEvent)
-		case *PasswordComplexityPolicyChangedEvent:
-			rm.ReadModel.AppendEvents(&e.PasswordComplexityPolicyChangedEvent)
-		case *policy.PasswordComplexityPolicyAddedEvent,
-			*policy.PasswordComplexityPolicyChangedEvent:
-
-			rm.ReadModel.AppendEvents(e)
-		}
-	}
-}
-
-type PasswordComplexityPolicyAddedEvent struct {
-	policy.PasswordComplexityPolicyAddedEvent
-}
-
-func PasswordComplexityPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.PasswordComplexityPolicyAddedEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &PasswordComplexityPolicyAddedEvent{PasswordComplexityPolicyAddedEvent: *e.(*policy.PasswordComplexityPolicyAddedEvent)}, nil
-}
-
-type PasswordComplexityPolicyChangedEvent struct {
-	policy.PasswordComplexityPolicyChangedEvent
-}
-
-func PasswordComplexityPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.PasswordComplexityPolicyChangedEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &PasswordComplexityPolicyChangedEvent{PasswordComplexityPolicyChangedEvent: *e.(*policy.PasswordComplexityPolicyChangedEvent)}, nil
-}

internal/v2/repository/iam/policy_password_lockout.go

@@ -1,55 +0,0 @@
-package iam
-
-import (
-	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/eventstore/v2/repository"
-	"github.com/caos/zitadel/internal/v2/repository/policy"
-)
-
-var (
-	PasswordLockoutPolicyAddedEventType   = iamEventTypePrefix + policy.PasswordLockoutPolicyAddedEventType
-	PasswordLockoutPolicyChangedEventType = iamEventTypePrefix + policy.PasswordLockoutPolicyChangedEventType
-)
-
-type PasswordLockoutPolicyReadModel struct {
-	policy.PasswordLockoutPolicyReadModel
-}
-
-func (rm *PasswordLockoutPolicyReadModel) AppendEvents(events ...eventstore.EventReader) {
-	for _, event := range events {
-		switch e := event.(type) {
-		case *PasswordLockoutPolicyAddedEvent:
-			rm.ReadModel.AppendEvents(&e.PasswordLockoutPolicyAddedEvent)
-		case *PasswordLockoutPolicyChangedEvent:
-			rm.ReadModel.AppendEvents(&e.PasswordLockoutPolicyChangedEvent)
-		case *policy.PasswordLockoutPolicyAddedEvent, *policy.PasswordLockoutPolicyChangedEvent:
-			rm.ReadModel.AppendEvents(e)
-		}
-	}
-}
-
-type PasswordLockoutPolicyAddedEvent struct {
-	policy.PasswordLockoutPolicyAddedEvent
-}
-
-func PasswordLockoutPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.PasswordLockoutPolicyAddedEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &PasswordLockoutPolicyAddedEvent{PasswordLockoutPolicyAddedEvent: *e.(*policy.PasswordLockoutPolicyAddedEvent)}, nil
-}
-
-type PasswordLockoutPolicyChangedEvent struct {
-	policy.PasswordLockoutPolicyChangedEvent
-}
-
-func PasswordLockoutPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := policy.PasswordLockoutPolicyChangedEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &PasswordLockoutPolicyChangedEvent{PasswordLockoutPolicyChangedEvent: *e.(*policy.PasswordLockoutPolicyChangedEvent)}, nil
-}

internal/v2/repository/iam/read_model.go

@@ -2,8 +2,19 @@ package iam
 
 import (
 	"github.com/caos/zitadel/internal/eventstore/v2"
+	iam_label "github.com/caos/zitadel/internal/v2/repository/iam/policy/label"
+	iam_login "github.com/caos/zitadel/internal/v2/repository/iam/policy/login"
+	iam_org_iam "github.com/caos/zitadel/internal/v2/repository/iam/policy/org_iam"
+	iam_password_age "github.com/caos/zitadel/internal/v2/repository/iam/policy/password_age"
+	iam_password_complexity "github.com/caos/zitadel/internal/v2/repository/iam/policy/password_complexity"
+	iam_password_lockout "github.com/caos/zitadel/internal/v2/repository/iam/policy/password_lockout"
 	"github.com/caos/zitadel/internal/v2/repository/member"
-	"github.com/caos/zitadel/internal/v2/repository/policy"
+	"github.com/caos/zitadel/internal/v2/repository/policy/label"
+	"github.com/caos/zitadel/internal/v2/repository/policy/login"
+	"github.com/caos/zitadel/internal/v2/repository/policy/org_iam"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_age"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_complexity"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_lockout"
 )
 
 type ReadModel struct {
@@ -18,12 +29,12 @@ type ReadModel struct {
 	GlobalOrgID string
 	ProjectID   string
 
-	DefaultLoginPolicy              LoginPolicyReadModel
+	DefaultLoginPolicy              iam_login.ReadModel
-	DefaultLabelPolicy              LabelPolicyReadModel
+	DefaultLabelPolicy              iam_label.ReadModel
-	DefaultOrgIAMPolicy             OrgIAMPolicyReadModel
+	DefaultOrgIAMPolicy             iam_org_iam.ReadModel
-	DefaultPasswordComplexityPolicy PasswordComplexityPolicyReadModel
+	DefaultPasswordComplexityPolicy iam_password_complexity.ReadModel
-	DefaultPasswordAgePolicy        PasswordAgePolicyReadModel
+	DefaultPasswordAgePolicy        iam_password_age.ReadModel
-	DefaultPasswordLockoutPolicy    PasswordLockoutPolicyReadModel
+	DefaultPasswordLockoutPolicy    iam_password_lockout.ReadModel
 }
 
 func NewReadModel(id string) *ReadModel {
@@ -60,26 +71,26 @@ func (rm *ReadModel) AppendEvents(events ...eventstore.EventReader) {
 			*IDPOIDCConfigChangedEvent:
 
 			rm.IDPs.AppendEvents(event)
-		case *policy.LabelPolicyAddedEvent,
+		case *label.AddedEvent,
-			*policy.LabelPolicyChangedEvent:
+			*label.ChangedEvent:
 
 			rm.DefaultLabelPolicy.AppendEvents(event)
-		case *policy.LoginPolicyAddedEvent,
+		case *login.AddedEvent,
-			*policy.LoginPolicyChangedEvent:
+			*login.ChangedEvent:
 
 			rm.DefaultLoginPolicy.AppendEvents(event)
-		case *policy.OrgIAMPolicyAddedEvent:
+		case *org_iam.AddedEvent:
 			rm.DefaultOrgIAMPolicy.AppendEvents(event)
-		case *policy.PasswordComplexityPolicyAddedEvent,
+		case *password_complexity.AddedEvent,
-			*policy.PasswordComplexityPolicyChangedEvent:
+			*password_complexity.ChangedEvent:
 
 			rm.DefaultPasswordComplexityPolicy.AppendEvents(event)
-		case *policy.PasswordAgePolicyAddedEvent,
+		case *password_age.AddedEvent,
-			*policy.PasswordAgePolicyChangedEvent:
+			*password_age.ChangedEvent:
 
 			rm.DefaultPasswordAgePolicy.AppendEvents(event)
-		case *policy.PasswordLockoutPolicyAddedEvent,
+		case *password_lockout.AddedEvent,
-			*policy.PasswordLockoutPolicyChangedEvent:
+			*password_lockout.ChangedEvent:
 
 			rm.DefaultPasswordLockoutPolicy.AppendEvents(event)
 		}

internal/v2/repository/org/policy_label.go

@@ -2,45 +2,45 @@ package org
 
 import (
 	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/v2/repository/policy"
+	"github.com/caos/zitadel/internal/v2/repository/policy/label"
 )
 
 var (
-	LabelPolicyAddedEventType   = orgEventTypePrefix + policy.LabelPolicyAddedEventType
+	LabelPolicyAddedEventType   = orgEventTypePrefix + label.LabelPolicyAddedEventType
-	LabelPolicyChangedEventType = orgEventTypePrefix + policy.LabelPolicyChangedEventType
+	LabelPolicyChangedEventType = orgEventTypePrefix + label.LabelPolicyChangedEventType
 )
 
-type LabelPolicyReadModel struct{ policy.LabelPolicyReadModel }
+type LabelPolicyReadModel struct{ label.ReadModel }
 
 func (rm *LabelPolicyReadModel) AppendEvents(events ...eventstore.EventReader) {
 	for _, event := range events {
 		switch e := event.(type) {
 		case *LabelPolicyAddedEvent:
-			rm.ReadModel.AppendEvents(&e.LabelPolicyAddedEvent)
+			rm.ReadModel.AppendEvents(&e.AddedEvent)
 		case *LabelPolicyChangedEvent:
-			rm.ReadModel.AppendEvents(&e.LabelPolicyChangedEvent)
+			rm.ReadModel.AppendEvents(&e.ChangedEvent)
-		case *policy.LabelPolicyAddedEvent, *policy.LabelPolicyChangedEvent:
+		case *label.AddedEvent, *label.ChangedEvent:
 			rm.ReadModel.AppendEvents(e)
 		}
 	}
 }
 
 type LabelPolicyAddedEvent struct {
-	policy.LabelPolicyAddedEvent
+	label.AddedEvent
 }
 
 type LabelPolicyChangedEvent struct {
-	policy.LabelPolicyChangedEvent
+	label.ChangedEvent
 }
 
-// func NewLabelPolicyAddedEvent(
+// func NewAddedEvent(
 // 	ctx context.Context,
 // 	primaryColor,
 // 	secondaryColor string,
-// ) *LabelPolicyAddedEvent {
+// ) *AddedEvent {
 
-// 	return &LabelPolicyAddedEvent{
+// 	return &AddedEvent{
-// 		LabelPolicyAddedEvent: *policy.NewLabelPolicyAddedEvent(
+// 		AddedEvent: *policy.NewAddedEvent(
 // 			ctx,
 // 			primaryColor,
 // 			secondaryColor,
@@ -48,14 +48,14 @@ type LabelPolicyChangedEvent struct {
 // 	}
 // }
 
-// func NewLabelPolicyChangedEvent(
+// func NewChangedEvent(
 // 	ctx context.Context,
 // 	primaryColor,
 // 	secondaryColor string,
 // ) *MemberChangedEvent {
 
-// 	return &LabelPolicyChangedEvent{
+// 	return &ChangedEvent{
-// 		LabelPolicyChangedEvent: *policy.NewLabelPolicyChangedEvent(
+// 		ChangedEvent: *policy.NewChangedEvent(
 // 			ctx,
 // 			primaryColor,
 // 			secondaryColor,

internal/v2/repository/org/policy_login.go

@@ -2,33 +2,33 @@ package org
 
 import (
 	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/v2/repository/policy"
+	"github.com/caos/zitadel/internal/v2/repository/policy/login"
 )
 
 var (
-	LoginPolicyAddedEventType   = orgEventTypePrefix + policy.LoginPolicyAddedEventType
+	LoginPolicyAddedEventType   = orgEventTypePrefix + login.LoginPolicyAddedEventType
-	LoginPolicyChangedEventType = orgEventTypePrefix + policy.LoginPolicyChangedEventType
+	LoginPolicyChangedEventType = orgEventTypePrefix + login.LoginPolicyChangedEventType
 )
 
-type LoginPolicyReadModel struct{ policy.LoginPolicyReadModel }
+type LoginPolicyReadModel struct{ login.ReadModel }
 
 func (rm *LoginPolicyReadModel) AppendEvents(events ...eventstore.EventReader) {
 	for _, event := range events {
 		switch e := event.(type) {
 		case *LoginPolicyAddedEvent:
-			rm.ReadModel.AppendEvents(&e.LoginPolicyAddedEvent)
+			rm.ReadModel.AppendEvents(&e.AddedEvent)
 		case *LoginPolicyChangedEvent:
-			rm.ReadModel.AppendEvents(&e.LoginPolicyChangedEvent)
+			rm.ReadModel.AppendEvents(&e.ChangedEvent)
-		case *policy.LoginPolicyAddedEvent, *policy.LoginPolicyChangedEvent:
+		case *login.AddedEvent, *login.ChangedEvent:
 			rm.ReadModel.AppendEvents(e)
 		}
 	}
 }
 
 type LoginPolicyAddedEvent struct {
-	policy.LoginPolicyAddedEvent
+	login.AddedEvent
 }
 
 type LoginPolicyChangedEvent struct {
-	policy.LoginPolicyChangedEvent
+	login.ChangedEvent
 }

internal/v2/repository/org/policy_org_iam.go

@@ -2,26 +2,26 @@ package org
 
 import (
 	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/v2/repository/policy"
+	"github.com/caos/zitadel/internal/v2/repository/policy/org_iam"
 )
 
 var (
-	OrgIAMPolicyAddedEventType = orgEventTypePrefix + policy.OrgIAMPolicyAddedEventType
+	OrgIAMPolicyAddedEventType = orgEventTypePrefix + org_iam.OrgIAMPolicyAddedEventType
 )
 
-type OrgIAMPolicyReadModel struct{ policy.OrgIAMPolicyReadModel }
+type OrgIAMPolicyReadModel struct{ org_iam.ReadModel }
 
 func (rm *OrgIAMPolicyReadModel) AppendEvents(events ...eventstore.EventReader) {
 	for _, event := range events {
 		switch e := event.(type) {
 		case *OrgIAMPolicyAddedEvent:
-			rm.ReadModel.AppendEvents(&e.OrgIAMPolicyAddedEvent)
+			rm.ReadModel.AppendEvents(&e.AddedEvent)
-		case *policy.OrgIAMPolicyAddedEvent:
+		case *org_iam.AddedEvent:
 			rm.ReadModel.AppendEvents(e)
 		}
 	}
 }
 
 type OrgIAMPolicyAddedEvent struct {
-	policy.OrgIAMPolicyAddedEvent
+	org_iam.AddedEvent
 }

internal/v2/repository/org/policy_password_age.go

@@ -2,35 +2,35 @@ package org
 
 import (
 	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/v2/repository/policy"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_age"
 )
 
 var (
-	PasswordAgePolicyAddedEventType   = orgEventTypePrefix + policy.PasswordAgePolicyAddedEventType
+	PasswordAgePolicyAddedEventType   = orgEventTypePrefix + password_age.PasswordAgePolicyAddedEventType
-	PasswordAgePolicyChangedEventType = orgEventTypePrefix + policy.PasswordAgePolicyChangedEventType
+	PasswordAgePolicyChangedEventType = orgEventTypePrefix + password_age.PasswordAgePolicyChangedEventType
 )
 
 type PasswordAgePolicyReadModel struct {
-	policy.PasswordAgePolicyReadModel
+	password_age.ReadModel
 }
 
 func (rm *PasswordAgePolicyReadModel) AppendEvents(events ...eventstore.EventReader) {
 	for _, event := range events {
 		switch e := event.(type) {
 		case *PasswordAgePolicyAddedEvent:
-			rm.ReadModel.AppendEvents(&e.PasswordAgePolicyAddedEvent)
+			rm.ReadModel.AppendEvents(&e.AddedEvent)
 		case *PasswordAgePolicyChangedEvent:
-			rm.ReadModel.AppendEvents(&e.PasswordAgePolicyChangedEvent)
+			rm.ReadModel.AppendEvents(&e.ChangedEvent)
-		case *policy.PasswordAgePolicyAddedEvent, *policy.PasswordAgePolicyChangedEvent:
+		case *password_age.AddedEvent, *password_age.ChangedEvent:
 			rm.ReadModel.AppendEvents(e)
 		}
 	}
 }
 
 type PasswordAgePolicyAddedEvent struct {
-	policy.PasswordAgePolicyAddedEvent
+	password_age.AddedEvent
 }
 
 type PasswordAgePolicyChangedEvent struct {
-	policy.PasswordAgePolicyChangedEvent
+	password_age.ChangedEvent
 }

internal/v2/repository/org/policy_password_complexity.go

@@ -2,35 +2,35 @@ package org
 
 import (
 	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/v2/repository/policy"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_complexity"
 )
 
 var (
-	PasswordComplexityPolicyAddedEventType   = orgEventTypePrefix + policy.PasswordComplexityPolicyAddedEventType
+	PasswordComplexityPolicyAddedEventType   = orgEventTypePrefix + password_complexity.PasswordComplexityPolicyAddedEventType
-	PasswordComplexityPolicyChangedEventType = orgEventTypePrefix + policy.PasswordComplexityPolicyChangedEventType
+	PasswordComplexityPolicyChangedEventType = orgEventTypePrefix + password_complexity.PasswordComplexityPolicyChangedEventType
 )
 
 type PasswordComplexityPolicyReadModel struct {
-	policy.PasswordComplexityPolicyReadModel
+	password_complexity.ReadModel
 }
 
 func (rm *PasswordComplexityPolicyReadModel) AppendEvents(events ...eventstore.EventReader) {
 	for _, event := range events {
 		switch e := event.(type) {
 		case *PasswordComplexityPolicyAddedEvent:
-			rm.ReadModel.AppendEvents(&e.PasswordComplexityPolicyAddedEvent)
+			rm.ReadModel.AppendEvents(&e.AddedEvent)
 		case *PasswordComplexityPolicyChangedEvent:
-			rm.ReadModel.AppendEvents(&e.PasswordComplexityPolicyChangedEvent)
+			rm.ReadModel.AppendEvents(&e.ChangedEvent)
-		case *policy.PasswordComplexityPolicyAddedEvent, *policy.PasswordComplexityPolicyChangedEvent:
+		case *password_complexity.AddedEvent, *password_complexity.ChangedEvent:
 			rm.ReadModel.AppendEvents(e)
 		}
 	}
 }
 
 type PasswordComplexityPolicyAddedEvent struct {
-	policy.PasswordComplexityPolicyAddedEvent
+	password_complexity.AddedEvent
 }
 
 type PasswordComplexityPolicyChangedEvent struct {
-	policy.PasswordComplexityPolicyChangedEvent
+	password_complexity.ChangedEvent
 }

internal/v2/repository/org/policy_password_lockout.go

@@ -2,35 +2,35 @@ package org
 
 import (
 	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/v2/repository/policy"
+	"github.com/caos/zitadel/internal/v2/repository/policy/password_lockout"
 )
 
 var (
-	PasswordLockoutPolicyAddedEventType   = orgEventTypePrefix + policy.PasswordLockoutPolicyAddedEventType
+	PasswordLockoutPolicyAddedEventType   = orgEventTypePrefix + password_lockout.PasswordLockoutPolicyAddedEventType
-	PasswordLockoutPolicyChangedEventType = orgEventTypePrefix + policy.PasswordLockoutPolicyChangedEventType
+	PasswordLockoutPolicyChangedEventType = orgEventTypePrefix + password_lockout.PasswordLockoutPolicyChangedEventType
 )
 
 type PasswordLockoutPolicyReadModel struct {
-	policy.PasswordLockoutPolicyReadModel
+	password_lockout.ReadModel
 }
 
 func (rm *PasswordLockoutPolicyReadModel) AppendEvents(events ...eventstore.EventReader) {
 	for _, event := range events {
 		switch e := event.(type) {
 		case *PasswordLockoutPolicyAddedEvent:
-			rm.ReadModel.AppendEvents(&e.PasswordLockoutPolicyAddedEvent)
+			rm.ReadModel.AppendEvents(&e.AddedEvent)
 		case *PasswordLockoutPolicyChangedEvent:
-			rm.ReadModel.AppendEvents(&e.PasswordLockoutPolicyChangedEvent)
+			rm.ReadModel.AppendEvents(&e.ChangedEvent)
-		case *policy.PasswordLockoutPolicyAddedEvent, *policy.PasswordLockoutPolicyChangedEvent:
+		case *password_lockout.AddedEvent, *password_lockout.ChangedEvent:
 			rm.ReadModel.AppendEvents(e)
 		}
 	}
 }
 
 type PasswordLockoutPolicyAddedEvent struct {
-	policy.PasswordLockoutPolicyAddedEvent
+	password_lockout.AddedEvent
 }
 
 type PasswordLockoutPolicyChangedEvent struct {
-	policy.PasswordLockoutPolicyChangedEvent
+	password_lockout.ChangedEvent
 }

internal/v2/repository/policy/label.go

@@ -1,160 +0,0 @@
-package policy
-
-import (
-	"encoding/json"
-
-	"github.com/caos/zitadel/internal/errors"
-	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/eventstore/v2/repository"
-)
-
-const (
-	LabelPolicyAddedEventType   = "policy.label.added"
-	LabelPolicyChangedEventType = "policy.label.changed"
-	LabelPolicyRemovedEventType = "policy.label.removed"
-)
-
-type LabelPolicyReadModel struct {
-	eventstore.ReadModel
-
-	PrimaryColor   string
-	SecondaryColor string
-}
-
-func (rm *LabelPolicyReadModel) Reduce() error {
-	for _, event := range rm.Events {
-		switch e := event.(type) {
-		case *LabelPolicyAddedEvent:
-			rm.PrimaryColor = e.PrimaryColor
-			rm.SecondaryColor = e.SecondaryColor
-		case *LabelPolicyChangedEvent:
-			rm.PrimaryColor = e.PrimaryColor
-			rm.SecondaryColor = e.SecondaryColor
-		}
-	}
-	return rm.ReadModel.Reduce()
-}
-
-type LabelPolicyWriteModel struct {
-	eventstore.WriteModel
-
-	PrimaryColor   string
-	SecondaryColor string
-}
-
-func (wm *LabelPolicyWriteModel) Reduce() error {
-	return errors.ThrowUnimplemented(nil, "POLIC-xJjvN", "reduce unimpelemnted")
-}
-
-type LabelPolicyAddedEvent struct {
-	eventstore.BaseEvent `json:"-"`
-
-	PrimaryColor   string `json:"primaryColor,omitempty"`
-	SecondaryColor string `json:"secondaryColor,omitempty"`
-}
-
-func (e *LabelPolicyAddedEvent) CheckPrevious() bool {
-	return true
-}
-
-func (e *LabelPolicyAddedEvent) Data() interface{} {
-	return e
-}
-
-func NewLabelPolicyAddedEvent(
-	base *eventstore.BaseEvent,
-	primaryColor,
-	secondaryColor string,
-) *LabelPolicyAddedEvent {
-
-	return &LabelPolicyAddedEvent{
-		BaseEvent:      *base,
-		PrimaryColor:   primaryColor,
-		SecondaryColor: secondaryColor,
-	}
-}
-
-func LabelPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e := &LabelPolicyAddedEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}
-
-	err := json.Unmarshal(event.Data, e)
-	if err != nil {
-		return nil, errors.ThrowInternal(err, "POLIC-puqv4", "unable to unmarshal label policy")
-	}
-
-	return e, nil
-}
-
-type LabelPolicyChangedEvent struct {
-	eventstore.BaseEvent `json:"-"`
-
-	PrimaryColor   string `json:"primaryColor,omitempty"`
-	SecondaryColor string `json:"secondaryColor,omitempty"`
-}
-
-func (e *LabelPolicyChangedEvent) CheckPrevious() bool {
-	return true
-}
-
-func (e *LabelPolicyChangedEvent) Data() interface{} {
-	return e
-}
-
-func NewLabelPolicyChangedEvent(
-	base *eventstore.BaseEvent,
-	current *LabelPolicyWriteModel,
-	primaryColor,
-	secondaryColor string,
-) *LabelPolicyChangedEvent {
-
-	e := &LabelPolicyChangedEvent{
-		BaseEvent: *base,
-	}
-	if primaryColor != "" && current.PrimaryColor != primaryColor {
-		e.PrimaryColor = primaryColor
-	}
-	if secondaryColor != "" && current.SecondaryColor != secondaryColor {
-		e.SecondaryColor = secondaryColor
-	}
-
-	return e
-}
-
-func LabelPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e := &LabelPolicyChangedEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}
-
-	err := json.Unmarshal(event.Data, e)
-	if err != nil {
-		return nil, errors.ThrowInternal(err, "POLIC-qhfFb", "unable to unmarshal label policy")
-	}
-
-	return e, nil
-}
-
-type LabelPolicyRemovedEvent struct {
-	eventstore.BaseEvent `json:"-"`
-}
-
-func (e *LabelPolicyRemovedEvent) CheckPrevious() bool {
-	return true
-}
-
-func (e *LabelPolicyRemovedEvent) Data() interface{} {
-	return nil
-}
-
-func NewLabelPolicyRemovedEvent(base *eventstore.BaseEvent) *LabelPolicyRemovedEvent {
-	return &LabelPolicyRemovedEvent{
-		BaseEvent: *base,
-	}
-}
-
-func LabelPolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	return &LabelPolicyRemovedEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}, nil
-}

internal/v2/repository/policy/label/events.go

@@ -0,0 +1,127 @@
+package label
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+)
+
+const (
+	LabelPolicyAddedEventType   = "policy.label.added"
+	LabelPolicyChangedEventType = "policy.label.changed"
+	LabelPolicyRemovedEventType = "policy.label.removed"
+)
+
+type AddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	PrimaryColor   string `json:"primaryColor,omitempty"`
+	SecondaryColor string `json:"secondaryColor,omitempty"`
+}
+
+func (e *AddedEvent) CheckPrevious() bool {
+	return true
+}
+
+func (e *AddedEvent) Data() interface{} {
+	return e
+}
+
+func NewAddedEvent(
+	base *eventstore.BaseEvent,
+	primaryColor,
+	secondaryColor string,
+) *AddedEvent {
+
+	return &AddedEvent{
+		BaseEvent:      *base,
+		PrimaryColor:   primaryColor,
+		SecondaryColor: secondaryColor,
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &AddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-puqv4", "unable to unmarshal label policy")
+	}
+
+	return e, nil
+}
+
+type ChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	PrimaryColor   string `json:"primaryColor,omitempty"`
+	SecondaryColor string `json:"secondaryColor,omitempty"`
+}
+
+func (e *ChangedEvent) CheckPrevious() bool {
+	return true
+}
+
+func (e *ChangedEvent) Data() interface{} {
+	return e
+}
+
+func NewChangedEvent(
+	base *eventstore.BaseEvent,
+	current *WriteModel,
+	primaryColor,
+	secondaryColor string,
+) *ChangedEvent {
+
+	e := &ChangedEvent{
+		BaseEvent: *base,
+	}
+	if primaryColor != "" && current.PrimaryColor != primaryColor {
+		e.PrimaryColor = primaryColor
+	}
+	if secondaryColor != "" && current.SecondaryColor != secondaryColor {
+		e.SecondaryColor = secondaryColor
+	}
+
+	return e
+}
+
+func ChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-qhfFb", "unable to unmarshal label policy")
+	}
+
+	return e, nil
+}
+
+type RemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *RemovedEvent) CheckPrevious() bool {
+	return true
+}
+
+func (e *RemovedEvent) Data() interface{} {
+	return nil
+}
+
+func NewRemovedEvent(base *eventstore.BaseEvent) *RemovedEvent {
+	return &RemovedEvent{
+		BaseEvent: *base,
+	}
+}
+
+func RemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &RemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}

internal/v2/repository/policy/label/read_model.go

@@ -0,0 +1,24 @@
+package label
+
+import "github.com/caos/zitadel/internal/eventstore/v2"
+
+type ReadModel struct {
+	eventstore.ReadModel
+
+	PrimaryColor   string
+	SecondaryColor string
+}
+
+func (rm *ReadModel) Reduce() error {
+	for _, event := range rm.Events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			rm.PrimaryColor = e.PrimaryColor
+			rm.SecondaryColor = e.SecondaryColor
+		case *ChangedEvent:
+			rm.PrimaryColor = e.PrimaryColor
+			rm.SecondaryColor = e.SecondaryColor
+		}
+	}
+	return rm.ReadModel.Reduce()
+}

internal/v2/repository/policy/label/write_model.go

@@ -0,0 +1,26 @@
+package label
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+)
+
+type WriteModel struct {
+	eventstore.WriteModel
+
+	PrimaryColor   string
+	SecondaryColor string
+}
+
+func (wm *WriteModel) Reduce() error {
+	for _, event := range wm.Events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			wm.PrimaryColor = e.PrimaryColor
+			wm.SecondaryColor = e.SecondaryColor
+		case *ChangedEvent:
+			wm.PrimaryColor = e.PrimaryColor
+			wm.SecondaryColor = e.SecondaryColor
+		}
+	}
+	return wm.WriteModel.Reduce()
+}

internal/v2/repository/policy/login.go

@@ -1,243 +0,0 @@
-package policy
-
-import (
-	"encoding/json"
-
-	"github.com/caos/zitadel/internal/errors"
-	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/eventstore/v2/repository"
-	"github.com/caos/zitadel/internal/v2/repository/idp/provider"
-)
-
-const (
-	LoginPolicyAddedEventType              = "policy.login.added"
-	LoginPolicyChangedEventType            = "policy.login.changed"
-	LoginPolicyRemovedEventType            = "policy.login.removed"
-	LoginPolicyIDPProviderAddedEventType   = "policy.login." + provider.AddedEventType
-	LoginPolicyIDPProviderRemovedEventType = "policy.login." + provider.RemovedEventType
-)
-
-type LoginPolicyReadModel struct {
-	eventstore.ReadModel
-
-	AllowUserNamePassword bool
-	AllowRegister         bool
-	AllowExternalIDP      bool
-}
-
-func (rm *LoginPolicyReadModel) Reduce() error {
-	for _, event := range rm.Events {
-		switch e := event.(type) {
-		case *LoginPolicyAddedEvent:
-			rm.AllowUserNamePassword = e.AllowUserNamePassword
-			rm.AllowExternalIDP = e.AllowExternalIDP
-			rm.AllowRegister = e.AllowRegister
-		case *LoginPolicyChangedEvent:
-			rm.AllowUserNamePassword = e.AllowUserNamePassword
-			rm.AllowExternalIDP = e.AllowExternalIDP
-			rm.AllowRegister = e.AllowRegister
-		}
-	}
-	return rm.ReadModel.Reduce()
-}
-
-type LoginPolicyWriteModel struct {
-	eventstore.WriteModel
-
-	AllowUserNamePassword bool
-	AllowRegister         bool
-	AllowExternalIDP      bool
-}
-
-func (wm *LoginPolicyWriteModel) Reduce() error {
-	return errors.ThrowUnimplemented(nil, "POLIC-xJjvN", "reduce unimpelemnted")
-}
-
-type LoginPolicyAddedEvent struct {
-	eventstore.BaseEvent `json:"-"`
-
-	AllowUserNamePassword bool `json:"allowUsernamePassword"`
-	AllowRegister         bool `json:"allowRegister"`
-	AllowExternalIDP      bool `json:"allowExternalIdp"`
-}
-
-func (e *LoginPolicyAddedEvent) CheckPrevious() bool {
-	return true
-}
-
-func (e *LoginPolicyAddedEvent) Data() interface{} {
-	return e
-}
-
-func NewLoginPolicyAddedEvent(
-	base *eventstore.BaseEvent,
-	allowUserNamePassword,
-	allowRegister,
-	allowExternalIDP bool,
-) *LoginPolicyAddedEvent {
-
-	return &LoginPolicyAddedEvent{
-		BaseEvent:             *base,
-		AllowExternalIDP:      allowExternalIDP,
-		AllowRegister:         allowRegister,
-		AllowUserNamePassword: allowUserNamePassword,
-	}
-}
-
-func LoginPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e := &LoginPolicyAddedEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}
-
-	err := json.Unmarshal(event.Data, e)
-	if err != nil {
-		return nil, errors.ThrowInternal(err, "POLIC-nWndT", "unable to unmarshal policy")
-	}
-
-	return e, nil
-}
-
-type LoginPolicyChangedEvent struct {
-	eventstore.BaseEvent `json:"-"`
-
-	AllowUserNamePassword bool `json:"allowUsernamePassword,omitempty"`
-	AllowRegister         bool `json:"allowRegister"`
-	AllowExternalIDP      bool `json:"allowExternalIdp"`
-}
-
-func (e *LoginPolicyChangedEvent) CheckPrevious() bool {
-	return true
-}
-
-func (e *LoginPolicyChangedEvent) Data() interface{} {
-	return e
-}
-
-func NewLoginPolicyChangedEvent(
-	base *eventstore.BaseEvent,
-	current *LoginPolicyWriteModel,
-	allowUserNamePassword,
-	allowRegister,
-	allowExternalIDP bool,
-) *LoginPolicyChangedEvent {
-
-	e := &LoginPolicyChangedEvent{
-		BaseEvent: *base,
-	}
-
-	if current.AllowUserNamePassword != allowUserNamePassword {
-		e.AllowUserNamePassword = allowUserNamePassword
-	}
-	if current.AllowRegister != allowRegister {
-		e.AllowRegister = allowRegister
-	}
-	if current.AllowExternalIDP != allowExternalIDP {
-		e.AllowExternalIDP = allowExternalIDP
-	}
-
-	return e
-}
-
-func LoginPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e := &LoginPolicyChangedEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}
-
-	err := json.Unmarshal(event.Data, e)
-	if err != nil {
-		return nil, errors.ThrowInternal(err, "POLIC-ehssl", "unable to unmarshal policy")
-	}
-
-	return e, nil
-}
-
-type LoginPolicyRemovedEvent struct {
-	eventstore.BaseEvent `json:"-"`
-}
-
-func (e *LoginPolicyRemovedEvent) CheckPrevious() bool {
-	return true
-}
-
-func (e *LoginPolicyRemovedEvent) Data() interface{} {
-	return nil
-}
-
-func NewLoginPolicyRemovedEvent(base *eventstore.BaseEvent) *LoginPolicyRemovedEvent {
-	return &LoginPolicyRemovedEvent{
-		BaseEvent: *base,
-	}
-}
-
-func LoginPolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	return &LoginPolicyRemovedEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}, nil
-}
-
-type IDPProviderWriteModel struct {
-	provider.WriteModel
-}
-
-func (wm *IDPProviderWriteModel) AppendEvents(events ...eventstore.EventReader) {
-	for _, event := range events {
-		switch e := event.(type) {
-		case *IDPProviderAddedEvent:
-			wm.WriteModel.AppendEvents(&e.AddedEvent)
-		}
-	}
-}
-
-type IDPProviderAddedEvent struct {
-	provider.AddedEvent
-}
-
-func NewIDPProviderAddedEvent(
-	base *eventstore.BaseEvent,
-	idpConfigID string,
-	idpProviderType provider.Type,
-) *IDPProviderAddedEvent {
-
-	return &IDPProviderAddedEvent{
-		AddedEvent: *provider.NewAddedEvent(
-			base,
-			idpConfigID,
-			idpProviderType),
-	}
-}
-
-func IDPProviderAddedEventEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := provider.AddedEventEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &IDPProviderAddedEvent{
-		AddedEvent: *e.(*provider.AddedEvent),
-	}, nil
-}
-
-type IDPProviderRemovedEvent struct {
-	provider.RemovedEvent
-}
-
-func NewIDPProviderRemovedEvent(
-	base *eventstore.BaseEvent,
-	idpConfigID string,
-) *IDPProviderRemovedEvent {
-
-	return &IDPProviderRemovedEvent{
-		RemovedEvent: *provider.NewRemovedEvent(base, idpConfigID),
-	}
-}
-
-func IDPProviderRemovedEventEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e, err := provider.RemovedEventEventMapper(event)
-	if err != nil {
-		return nil, err
-	}
-
-	return &IDPProviderRemovedEvent{
-		RemovedEvent: *e.(*provider.RemovedEvent),
-	}, nil
-}

internal/v2/repository/policy/login/events.go

@@ -0,0 +1,155 @@
+package login
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/repository/idp/provider"
+)
+
+const (
+	loginPolicyPrefix                      = "policy.login."
+	LoginPolicyAddedEventType              = loginPolicyPrefix + "added"
+	LoginPolicyChangedEventType            = loginPolicyPrefix + "changed"
+	LoginPolicyRemovedEventType            = loginPolicyPrefix + "removed"
+	LoginPolicyIDPProviderAddedEventType   = loginPolicyPrefix + provider.AddedEventType
+	LoginPolicyIDPProviderRemovedEventType = loginPolicyPrefix + provider.RemovedEventType
+)
+
+type AddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AllowUserNamePassword bool             `json:"allowUsernamePassword"`
+	AllowRegister         bool             `json:"allowRegister"`
+	AllowExternalIDP      bool             `json:"allowExternalIdp"`
+	ForceMFA              bool             `json:"forceMFA"`
+	PasswordlessType      PasswordlessType `json:"passwordlessType"`
+}
+
+func (e *AddedEvent) CheckPrevious() bool {
+	return true
+}
+
+func (e *AddedEvent) Data() interface{} {
+	return e
+}
+
+func NewAddedEvent(
+	base *eventstore.BaseEvent,
+	allowUserNamePassword,
+	allowRegister,
+	allowExternalIDP,
+	forceMFA bool,
+	passwordlessType PasswordlessType,
+) *AddedEvent {
+	return &AddedEvent{
+		BaseEvent:             *base,
+		AllowExternalIDP:      allowExternalIDP,
+		AllowRegister:         allowRegister,
+		AllowUserNamePassword: allowUserNamePassword,
+		ForceMFA:              forceMFA,
+		PasswordlessType:      passwordlessType,
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &AddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-nWndT", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+type ChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AllowUserNamePassword bool             `json:"allowUsernamePassword,omitempty"`
+	AllowRegister         bool             `json:"allowRegister"`
+	AllowExternalIDP      bool             `json:"allowExternalIdp"`
+	ForceMFA              bool             `json:"forceMFA"`
+	PasswordlessType      PasswordlessType `json:"passwordlessType"`
+}
+
+func (e *ChangedEvent) CheckPrevious() bool {
+	return true
+}
+
+func (e *ChangedEvent) Data() interface{} {
+	return e
+}
+
+func NewChangedEvent(
+	base *eventstore.BaseEvent,
+	current *WriteModel,
+	allowUserNamePassword,
+	allowRegister,
+	allowExternalIDP,
+	forceMFA bool,
+	passwordlessType PasswordlessType,
+) *ChangedEvent {
+
+	e := &ChangedEvent{
+		BaseEvent: *base,
+	}
+
+	if current.AllowUserNamePassword != allowUserNamePassword {
+		e.AllowUserNamePassword = allowUserNamePassword
+	}
+	if current.AllowRegister != allowRegister {
+		e.AllowRegister = allowRegister
+	}
+	if current.AllowExternalIDP != allowExternalIDP {
+		e.AllowExternalIDP = allowExternalIDP
+	}
+	if current.ForceMFA != forceMFA {
+		e.ForceMFA = forceMFA
+	}
+	if current.PasswordlessType != passwordlessType {
+		e.PasswordlessType = passwordlessType
+	}
+
+	return e
+}
+
+func ChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-ehssl", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+type RemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *RemovedEvent) CheckPrevious() bool {
+	return true
+}
+
+func (e *RemovedEvent) Data() interface{} {
+	return nil
+}
+
+func NewRemovedEvent(base *eventstore.BaseEvent) *RemovedEvent {
+	return &RemovedEvent{
+		BaseEvent: *base,
+	}
+}
+
+func RemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &RemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}

internal/v2/repository/policy/login/factors/events.go

@@ -0,0 +1,164 @@
+package factors
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+)
+
+const (
+	loginPolicySecondFactorPrefix           = "policy.login.secondfactor."
+	LoginPolicySecondFactorAddedEventType   = loginPolicySecondFactorPrefix + "added"
+	LoginPolicySecondFactorRemovedEventType = loginPolicySecondFactorPrefix + "removed"
+
+	loginPolicyMultiFactorPrefix           = "policy.login.multifactor."
+	LoginPolicyMultiFactorAddedEventType   = loginPolicyMultiFactorPrefix + "added"
+	LoginPolicyMultiFactorRemovedEventType = loginPolicyMultiFactorPrefix + "removed"
+)
+
+type SecondFactorAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	MFAType SecondFactorType `json:"mfaType"`
+}
+
+func NewSecondFactorAddedEvent(
+	base *eventstore.BaseEvent,
+	mfaType SecondFactorType,
+) *SecondFactorAddedEvent {
+	return &SecondFactorAddedEvent{
+		BaseEvent: *base,
+		MFAType:   mfaType,
+	}
+}
+
+func SecondFactorAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &SecondFactorAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-Lp0dE", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+func (e *SecondFactorAddedEvent) CheckPrevious() bool {
+	return true
+}
+
+func (e *SecondFactorAddedEvent) Data() interface{} {
+	return e
+}
+
+type SecondFactorRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+	MFAType              SecondFactorType `json:"mfaType"`
+}
+
+func NewSecondFactorRemovedEvent(
+	base *eventstore.BaseEvent,
+	mfaType SecondFactorType,
+) *SecondFactorRemovedEvent {
+	return &SecondFactorRemovedEvent{
+		BaseEvent: *base,
+		MFAType:   mfaType,
+	}
+}
+
+func SecondFactorRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &SecondFactorRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-5M9gd", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+func (e *SecondFactorRemovedEvent) CheckPrevious() bool {
+	return true
+}
+
+func (e *SecondFactorRemovedEvent) Data() interface{} {
+	return e
+}
+
+type MultiFactorAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	MFAType MultiFactorType `json:"mfaType"`
+}
+
+func NewMultiFactorAddedEvent(
+	base *eventstore.BaseEvent,
+	mfaType MultiFactorType,
+) *MultiFactorAddedEvent {
+	return &MultiFactorAddedEvent{
+		BaseEvent: *base,
+		MFAType:   mfaType,
+	}
+}
+
+func MultiFactorAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &MultiFactorAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-5Ms90", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+func (e *MultiFactorAddedEvent) CheckPrevious() bool {
+	return true
+}
+
+func (e *MultiFactorAddedEvent) Data() interface{} {
+	return e
+}
+
+type MultiFactorRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+	MFAType              MultiFactorType `json:"mfaType"`
+}
+
+func NewMultiFactorRemovedEvent(
+	base *eventstore.BaseEvent,
+	mfaType MultiFactorType,
+) *MultiFactorRemovedEvent {
+	return &MultiFactorRemovedEvent{
+		BaseEvent: *base,
+		MFAType:   mfaType,
+	}
+}
+
+func MultiFactorRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &MultiFactorRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-1N8sd", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+func (e *MultiFactorRemovedEvent) CheckPrevious() bool {
+	return true
+}
+
+func (e *MultiFactorRemovedEvent) Data() interface{} {
+	return e
+}

internal/v2/repository/policy/login/factors/factors.go

@@ -0,0 +1,16 @@
+package factors
+
+type SecondFactorType int32
+
+const (
+	SecondFactorTypeUnspecified SecondFactorType = iota
+	SecondFactorTypeOTP
+	SecondFactorTypeU2F
+)
+
+type MultiFactorType int32
+
+const (
+	MultiFactorTypeUnspecified MultiFactorType = iota
+	MultiFactorTypeU2FWithPIN
+)

internal/v2/repository/policy/login/factors/write_model.go

@@ -0,0 +1,37 @@
+package factors
+
+import "github.com/caos/zitadel/internal/eventstore/v2"
+
+type SecondFactoryWriteModel struct {
+	eventstore.WriteModel
+	MFAType SecondFactorType
+}
+
+func (wm *SecondFactoryWriteModel) Reduce() error {
+	for _, event := range wm.Events {
+		switch e := event.(type) {
+		case *SecondFactorAddedEvent:
+			wm.MFAType = e.MFAType
+		case *SecondFactorRemovedEvent:
+			wm.MFAType = e.MFAType
+		}
+	}
+	return wm.WriteModel.Reduce()
+}
+
+type MultiFactoryWriteModel struct {
+	eventstore.WriteModel
+	MFAType MultiFactorType
+}
+
+func (wm *MultiFactoryWriteModel) Reduce() error {
+	for _, event := range wm.Events {
+		switch e := event.(type) {
+		case *MultiFactorAddedEvent:
+			wm.MFAType = e.MFAType
+		case *MultiFactorRemovedEvent:
+			wm.MFAType = e.MFAType
+		}
+	}
+	return wm.WriteModel.Reduce()
+}

internal/v2/repository/policy/login/idpprovider/events.go

@@ -0,0 +1,60 @@
+package idpprovider
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/repository/idp/provider"
+)
+
+type AddedEvent struct {
+	provider.AddedEvent
+}
+
+func NewAddedEvent(
+	base *eventstore.BaseEvent,
+	idpConfigID string,
+	idpProviderType provider.Type,
+) *AddedEvent {
+
+	return &AddedEvent{
+		AddedEvent: *provider.NewAddedEvent(
+			base,
+			idpConfigID,
+			idpProviderType),
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := provider.AddedEventEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &AddedEvent{
+		AddedEvent: *e.(*provider.AddedEvent),
+	}, nil
+}
+
+type RemovedEvent struct {
+	provider.RemovedEvent
+}
+
+func NewRemovedEvent(
+	base *eventstore.BaseEvent,
+	idpConfigID string,
+) *RemovedEvent {
+	return &RemovedEvent{
+		RemovedEvent: *provider.NewRemovedEvent(base, idpConfigID),
+	}
+}
+
+func RemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := provider.RemovedEventEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &RemovedEvent{
+		RemovedEvent: *e.(*provider.RemovedEvent),
+	}, nil
+}

internal/v2/repository/policy/login/idpprovider/write_model.go

@@ -0,0 +1,19 @@
+package idpprovider
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/idp/provider"
+)
+
+type WriteModel struct {
+	provider.WriteModel
+}
+
+func (wm *WriteModel) AppendEvents(events ...eventstore.EventReader) {
+	for _, event := range events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			wm.WriteModel.AppendEvents(&e.AddedEvent)
+		}
+	}
+}

internal/v2/repository/policy/login/login.go

@@ -0,0 +1,8 @@
+package login
+
+type PasswordlessType int32
+
+const (
+	PasswordlessTypeNotAllowed PasswordlessType = iota
+	PasswordlessTypeAllowed
+)

internal/v2/repository/policy/login/read_model.go

@@ -0,0 +1,35 @@
+package login
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+)
+
+type ReadModel struct {
+	eventstore.ReadModel
+
+	AllowUserNamePassword bool
+	AllowRegister         bool
+	AllowExternalIDP      bool
+	ForceMFA              bool
+	PasswordlessType      PasswordlessType
+}
+
+func (rm *ReadModel) Reduce() error {
+	for _, event := range rm.Events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			rm.AllowUserNamePassword = e.AllowUserNamePassword
+			rm.AllowExternalIDP = e.AllowExternalIDP
+			rm.AllowRegister = e.AllowRegister
+			rm.ForceMFA = e.ForceMFA
+			rm.PasswordlessType = e.PasswordlessType
+		case *ChangedEvent:
+			rm.AllowUserNamePassword = e.AllowUserNamePassword
+			rm.AllowExternalIDP = e.AllowExternalIDP
+			rm.AllowRegister = e.AllowRegister
+			rm.ForceMFA = e.ForceMFA
+			rm.PasswordlessType = e.PasswordlessType
+		}
+	}
+	return rm.ReadModel.Reduce()
+}

internal/v2/repository/policy/login/write_model.go

@@ -0,0 +1,35 @@
+package login
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+)
+
+type WriteModel struct {
+	eventstore.WriteModel
+
+	AllowUserNamePassword bool
+	AllowRegister         bool
+	AllowExternalIDP      bool
+	ForceMFA              bool
+	PasswordlessType      PasswordlessType
+}
+
+func (wm *WriteModel) Reduce() error {
+	for _, event := range wm.Events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			wm.AllowRegister = e.AllowRegister
+			wm.AllowUserNamePassword = e.AllowUserNamePassword
+			wm.AllowExternalIDP = e.AllowExternalIDP
+			wm.ForceMFA = e.ForceMFA
+			wm.PasswordlessType = e.PasswordlessType
+		case *ChangedEvent:
+			wm.AllowRegister = e.AllowRegister
+			wm.AllowUserNamePassword = e.AllowUserNamePassword
+			wm.AllowExternalIDP = e.AllowExternalIDP
+			wm.ForceMFA = e.ForceMFA
+			wm.PasswordlessType = e.PasswordlessType
+		}
+	}
+	return wm.WriteModel.Reduce()
+}

internal/v2/repository/policy/org_iam.go

@@ -1,81 +0,0 @@
-package policy
-
-import (
-	"encoding/json"
-
-	"github.com/caos/zitadel/internal/errors"
-	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/eventstore/v2/repository"
-)
-
-const (
-	OrgIAMPolicyAddedEventType = "policy.org.iam.added"
-)
-
-type OrgIAMPolicyAggregate struct {
-	eventstore.Aggregate
-}
-
-type OrgIAMPolicyReadModel struct {
-	eventstore.ReadModel
-
-	UserLoginMustBeDomain bool
-}
-
-func (rm *OrgIAMPolicyReadModel) Reduce() error {
-	for _, event := range rm.Events {
-		switch e := event.(type) {
-		case *OrgIAMPolicyAddedEvent:
-			rm.UserLoginMustBeDomain = e.UserLoginMustBeDomain
-		}
-	}
-	return rm.ReadModel.Reduce()
-}
-
-type OrgIAMPolicyWriteModel struct {
-	eventstore.WriteModel
-
-	UserLoginMustBeDomain bool
-}
-
-func (wm *OrgIAMPolicyWriteModel) Reduce() error {
-	return errors.ThrowUnimplemented(nil, "POLIC-xJjvN", "reduce unimpelemnted")
-}
-
-type OrgIAMPolicyAddedEvent struct {
-	eventstore.BaseEvent `json:"-"`
-
-	UserLoginMustBeDomain bool `json:"allowUsernamePassword"`
-}
-
-func (e *OrgIAMPolicyAddedEvent) CheckPrevious() bool {
-	return true
-}
-
-func (e *OrgIAMPolicyAddedEvent) Data() interface{} {
-	return e
-}
-
-func NewOrgIAMPolicyAddedEvent(
-	base *eventstore.BaseEvent,
-	userLoginMustBeDomain bool,
-) *OrgIAMPolicyAddedEvent {
-
-	return &OrgIAMPolicyAddedEvent{
-		BaseEvent:             *base,
-		UserLoginMustBeDomain: userLoginMustBeDomain,
-	}
-}
-
-func OrgIAMPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e := &OrgIAMPolicyAddedEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}
-
-	err := json.Unmarshal(event.Data, e)
-	if err != nil {
-		return nil, errors.ThrowInternal(err, "POLIC-TvSmA", "unable to unmarshal policy")
-	}
-
-	return e, nil
-}

internal/v2/repository/policy/org_iam/events.go

@@ -0,0 +1,92 @@
+package org_iam
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+)
+
+const (
+	OrgIAMPolicyAddedEventType   = "policy.org.iam.added"
+	OrgIAMPolicyChangedEventType = "policy.org.iam.changed"
+)
+
+type AddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	UserLoginMustBeDomain bool `json:"userLoginMustBeDomain"`
+}
+
+func (e *AddedEvent) CheckPrevious() bool {
+	return true
+}
+
+func (e *AddedEvent) Data() interface{} {
+	return e
+}
+
+func NewAddedEvent(
+	base *eventstore.BaseEvent,
+	userLoginMustBeDomain bool,
+) *AddedEvent {
+
+	return &AddedEvent{
+		BaseEvent:             *base,
+		UserLoginMustBeDomain: userLoginMustBeDomain,
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &AddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-TvSmA", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+type ChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	UserLoginMustBeDomain bool `json:"userLoginMustBeDomain"`
+}
+
+func (e *ChangedEvent) CheckPrevious() bool {
+	return true
+}
+
+func (e *ChangedEvent) Data() interface{} {
+	return e
+}
+
+func NewChangedEvent(
+	base *eventstore.BaseEvent,
+	current *WriteModel,
+	userLoginMustBeDomain bool,
+) *ChangedEvent {
+	e := &ChangedEvent{
+		BaseEvent: *base,
+	}
+	if current.UserLoginMustBeDomain != userLoginMustBeDomain {
+		e.UserLoginMustBeDomain = userLoginMustBeDomain
+	}
+	return e
+}
+
+func ChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-0Pl9d", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}

internal/v2/repository/policy/org_iam/read_model.go

@@ -0,0 +1,21 @@
+package org_iam
+
+import "github.com/caos/zitadel/internal/eventstore/v2"
+
+type ReadModel struct {
+	eventstore.ReadModel
+
+	UserLoginMustBeDomain bool
+}
+
+func (rm *ReadModel) Reduce() error {
+	for _, event := range rm.Events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			rm.UserLoginMustBeDomain = e.UserLoginMustBeDomain
+		case *ChangedEvent:
+			rm.UserLoginMustBeDomain = e.UserLoginMustBeDomain
+		}
+	}
+	return rm.ReadModel.Reduce()
+}

internal/v2/repository/policy/org_iam/write_model.go

@@ -0,0 +1,21 @@
+package org_iam
+
+import "github.com/caos/zitadel/internal/eventstore/v2"
+
+type WriteModel struct {
+	eventstore.WriteModel
+
+	UserLoginMustBeDomain bool
+}
+
+func (wm *WriteModel) Reduce() error {
+	for _, event := range wm.Events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			wm.UserLoginMustBeDomain = e.UserLoginMustBeDomain
+		case *ChangedEvent:
+			wm.UserLoginMustBeDomain = e.UserLoginMustBeDomain
+		}
+	}
+	return wm.WriteModel.Reduce()
+}

internal/v2/repository/policy/password_age.go

@@ -1,177 +0,0 @@
-package policy
-
-import (
-	"encoding/json"
-
-	"github.com/caos/zitadel/internal/errors"
-	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/eventstore/v2/repository"
-)
-
-const (
-	PasswordAgePolicyAddedEventType   = "policy.password.age.added"
-	PasswordAgePolicyChangedEventType = "policy.password.age.changed"
-	PasswordAgePolicyRemovedEventType = "policy.password.age.removed"
-)
-
-type PasswordAgePolicyAggregate struct {
-	eventstore.Aggregate
-}
-
-type PasswordAgePolicyReadModel struct {
-	eventstore.ReadModel
-
-	ExpireWarnDays uint16
-	MaxAgeDays     uint16
-}
-
-func (rm *PasswordAgePolicyReadModel) Reduce() error {
-	for _, event := range rm.Events {
-		switch e := event.(type) {
-		case *PasswordAgePolicyAddedEvent:
-			rm.ExpireWarnDays = e.ExpireWarnDays
-			rm.MaxAgeDays = e.MaxAgeDays
-		case *PasswordAgePolicyChangedEvent:
-			rm.ExpireWarnDays = e.ExpireWarnDays
-			rm.MaxAgeDays = e.MaxAgeDays
-		}
-	}
-	return rm.ReadModel.Reduce()
-}
-
-type PasswordAgePolicyWriteModel struct {
-	eventstore.WriteModel
-
-	ExpireWarnDays uint16
-	MaxAgeDays     uint16
-}
-
-func (wm *PasswordAgePolicyWriteModel) Reduce() error {
-	return errors.ThrowUnimplemented(nil, "POLIC-xJjvN", "reduce unimpelemnted")
-}
-
-type PasswordAgePolicyAddedEvent struct {
-	eventstore.BaseEvent `json:"-"`
-
-	ExpireWarnDays uint16 `json:"expireWarnDays"`
-	MaxAgeDays     uint16 `json:"maxAgeDays"`
-}
-
-func (e *PasswordAgePolicyAddedEvent) CheckPrevious() bool {
-	return true
-}
-
-func (e *PasswordAgePolicyAddedEvent) Data() interface{} {
-	return e
-}
-
-func NewPasswordAgePolicyAddedEvent(
-	base *eventstore.BaseEvent,
-	expireWarnDays,
-	maxAgeDays uint16,
-) *PasswordAgePolicyAddedEvent {
-
-	return &PasswordAgePolicyAddedEvent{
-		BaseEvent:      *base,
-		ExpireWarnDays: expireWarnDays,
-		MaxAgeDays:     maxAgeDays,
-	}
-}
-
-func PasswordAgePolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e := &PasswordAgePolicyAddedEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}
-
-	err := json.Unmarshal(event.Data, e)
-	if err != nil {
-		return nil, errors.ThrowInternal(err, "POLIC-T3mGp", "unable to unmarshal policy")
-	}
-
-	return e, nil
-}
-
-type PasswordAgePolicyChangedEvent struct {
-	eventstore.BaseEvent `json:"-"`
-
-	ExpireWarnDays uint16 `json:"expireWarnDays,omitempty"`
-	MaxAgeDays     uint16 `json:"maxAgeDays,omitempty"`
-}
-
-func (e *PasswordAgePolicyChangedEvent) CheckPrevious() bool {
-	return true
-}
-
-func (e *PasswordAgePolicyChangedEvent) Data() interface{} {
-	return e
-}
-
-func NewPasswordAgePolicyChangedEvent(
-	base *eventstore.BaseEvent,
-	current *PasswordAgePolicyWriteModel,
-	expireWarnDays,
-	maxAgeDays uint16,
-) *PasswordAgePolicyChangedEvent {
-
-	e := &PasswordAgePolicyChangedEvent{
-		BaseEvent: *base,
-	}
-
-	if current.ExpireWarnDays != expireWarnDays {
-		e.ExpireWarnDays = expireWarnDays
-	}
-	if current.MaxAgeDays != maxAgeDays {
-		e.MaxAgeDays = maxAgeDays
-	}
-
-	return e
-}
-
-func PasswordAgePolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e := &PasswordAgePolicyChangedEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}
-
-	err := json.Unmarshal(event.Data, e)
-	if err != nil {
-		return nil, errors.ThrowInternal(err, "POLIC-PqaVq", "unable to unmarshal policy")
-	}
-
-	return e, nil
-}
-
-type PasswordAgePolicyRemovedEvent struct {
-	eventstore.BaseEvent `json:"-"`
-}
-
-func (e *PasswordAgePolicyRemovedEvent) CheckPrevious() bool {
-	return true
-}
-
-func (e *PasswordAgePolicyRemovedEvent) Data() interface{} {
-	return nil
-}
-
-func NewPasswordAgePolicyRemovedEvent(
-	base *eventstore.BaseEvent,
-	current,
-	changed *PasswordAgePolicyRemovedEvent,
-) *PasswordAgePolicyChangedEvent {
-
-	return &PasswordAgePolicyChangedEvent{
-		BaseEvent: *base,
-	}
-}
-
-func PasswordAgePolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e := &PasswordAgePolicyRemovedEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}
-
-	err := json.Unmarshal(event.Data, e)
-	if err != nil {
-		return nil, errors.ThrowInternal(err, "POLIC-02878", "unable to unmarshal policy")
-	}
-
-	return e, nil
-}

internal/v2/repository/policy/password_age/events.go

@@ -0,0 +1,137 @@
+package password_age
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+)
+
+const (
+	PasswordAgePolicyAddedEventType   = "policy.password.age.added"
+	PasswordAgePolicyChangedEventType = "policy.password.age.changed"
+	PasswordAgePolicyRemovedEventType = "policy.password.age.removed"
+)
+
+type AddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ExpireWarnDays uint64 `json:"expireWarnDays"`
+	MaxAgeDays     uint64 `json:"maxAgeDays"`
+}
+
+func (e *AddedEvent) CheckPrevious() bool {
+	return true
+}
+
+func (e *AddedEvent) Data() interface{} {
+	return e
+}
+
+func NewAddedEvent(
+	base *eventstore.BaseEvent,
+	expireWarnDays,
+	maxAgeDays uint64,
+) *AddedEvent {
+
+	return &AddedEvent{
+		BaseEvent:      *base,
+		ExpireWarnDays: expireWarnDays,
+		MaxAgeDays:     maxAgeDays,
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &AddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-T3mGp", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+type ChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ExpireWarnDays uint64 `json:"expireWarnDays,omitempty"`
+	MaxAgeDays     uint64 `json:"maxAgeDays,omitempty"`
+}
+
+func (e *ChangedEvent) CheckPrevious() bool {
+	return true
+}
+
+func (e *ChangedEvent) Data() interface{} {
+	return e
+}
+
+func NewChangedEvent(
+	base *eventstore.BaseEvent,
+	current *WriteModel,
+	expireWarnDays,
+	maxAgeDays uint64,
+) *ChangedEvent {
+
+	e := &ChangedEvent{
+		BaseEvent: *base,
+	}
+
+	if current.ExpireWarnDays != expireWarnDays {
+		e.ExpireWarnDays = expireWarnDays
+	}
+	if current.MaxAgeDays != maxAgeDays {
+		e.MaxAgeDays = maxAgeDays
+	}
+
+	return e
+}
+
+func ChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-PqaVq", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+type RemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *RemovedEvent) CheckPrevious() bool {
+	return true
+}
+
+func (e *RemovedEvent) Data() interface{} {
+	return nil
+}
+
+func NewRemovedEvent(
+	base *eventstore.BaseEvent,
+) *RemovedEvent {
+	return &RemovedEvent{
+		BaseEvent: *base,
+	}
+}
+
+func RemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &RemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-02878", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}

internal/v2/repository/policy/password_age/read_model.go

@@ -0,0 +1,24 @@
+package password_age
+
+import "github.com/caos/zitadel/internal/eventstore/v2"
+
+type ReadModel struct {
+	eventstore.ReadModel
+
+	ExpireWarnDays uint64
+	MaxAgeDays     uint64
+}
+
+func (rm *ReadModel) Reduce() error {
+	for _, event := range rm.Events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			rm.ExpireWarnDays = e.ExpireWarnDays
+			rm.MaxAgeDays = e.MaxAgeDays
+		case *ChangedEvent:
+			rm.ExpireWarnDays = e.ExpireWarnDays
+			rm.MaxAgeDays = e.MaxAgeDays
+		}
+	}
+	return rm.ReadModel.Reduce()
+}

internal/v2/repository/policy/password_age/write_model.go

@@ -0,0 +1,26 @@
+package password_age
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+)
+
+type WriteModel struct {
+	eventstore.WriteModel
+
+	ExpireWarnDays uint64
+	MaxAgeDays     uint64
+}
+
+func (wm *WriteModel) Reduce() error {
+	for _, event := range wm.Events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			wm.ExpireWarnDays = e.ExpireWarnDays
+			wm.MaxAgeDays = e.MaxAgeDays
+		case *ChangedEvent:
+			wm.ExpireWarnDays = e.ExpireWarnDays
+			wm.MaxAgeDays = e.MaxAgeDays
+		}
+	}
+	return wm.WriteModel.Reduce()
+}

internal/v2/repository/policy/password_complexity.go

@@ -1,201 +0,0 @@
-package policy
-
-import (
-	"encoding/json"
-
-	"github.com/caos/zitadel/internal/errors"
-	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/eventstore/v2/repository"
-)
-
-const (
-	PasswordComplexityPolicyAddedEventType   = "policy.password.complexity.added"
-	PasswordComplexityPolicyChangedEventType = "policy.password.complexity.changed"
-	PasswordComplexityPolicyRemovedEventType = "policy.password.complexity.removed"
-)
-
-type PasswordComplexityPolicyAggregate struct {
-	eventstore.Aggregate
-}
-
-type PasswordComplexityPolicyReadModel struct {
-	eventstore.ReadModel
-
-	MinLength    uint8
-	HasLowercase bool
-	HasUpperCase bool
-	HasNumber    bool
-	HasSymbol    bool
-}
-
-func (rm *PasswordComplexityPolicyReadModel) Reduce() error {
-	for _, event := range rm.Events {
-		switch e := event.(type) {
-		case *PasswordComplexityPolicyAddedEvent:
-			rm.MinLength = e.MinLength
-			rm.HasLowercase = e.HasLowercase
-			rm.HasUpperCase = e.HasUpperCase
-			rm.HasNumber = e.HasNumber
-			rm.HasSymbol = e.HasSymbol
-		case *PasswordComplexityPolicyChangedEvent:
-			rm.MinLength = e.MinLength
-			rm.HasLowercase = e.HasLowercase
-			rm.HasUpperCase = e.HasUpperCase
-			rm.HasNumber = e.HasNumber
-			rm.HasSymbol = e.HasSymbol
-		}
-	}
-	return rm.ReadModel.Reduce()
-}
-
-type PasswordComplexityPolicyWriteModel struct {
-	eventstore.WriteModel
-
-	MinLength    uint8
-	HasLowercase bool
-	HasUpperCase bool
-	HasNumber    bool
-	HasSymbol    bool
-}
-
-func (wm *PasswordComplexityPolicyWriteModel) Reduce() error {
-	return errors.ThrowUnimplemented(nil, "POLIC-xJjvN", "reduce unimpelemnted")
-}
-
-type PasswordComplexityPolicyAddedEvent struct {
-	eventstore.BaseEvent `json:"-"`
-
-	MinLength    uint8 `json:"minLength,omitempty"`
-	HasLowercase bool  `json:"hasLowercase"`
-	HasUpperCase bool  `json:"hasUppercase"`
-	HasNumber    bool  `json:"hasNumber"`
-	HasSymbol    bool  `json:"hasSymbol"`
-}
-
-func (e *PasswordComplexityPolicyAddedEvent) CheckPrevious() bool {
-	return true
-}
-
-func (e *PasswordComplexityPolicyAddedEvent) Data() interface{} {
-	return e
-}
-
-func NewPasswordComplexityPolicyAddedEvent(
-	base *eventstore.BaseEvent,
-	hasLowerCase,
-	hasUpperCase,
-	hasNumber,
-	hasSymbol bool,
-	minLength uint8,
-) *PasswordComplexityPolicyAddedEvent {
-
-	return &PasswordComplexityPolicyAddedEvent{
-		BaseEvent:    *base,
-		HasLowercase: hasLowerCase,
-		HasNumber:    hasNumber,
-		HasSymbol:    hasSymbol,
-		HasUpperCase: hasUpperCase,
-		MinLength:    minLength,
-	}
-}
-
-func PasswordComplexityPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e := &PasswordComplexityPolicyAddedEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}
-
-	err := json.Unmarshal(event.Data, e)
-	if err != nil {
-		return nil, errors.ThrowInternal(err, "POLIC-wYxlM", "unable to unmarshal policy")
-	}
-
-	return e, nil
-}
-
-type PasswordComplexityPolicyChangedEvent struct {
-	eventstore.BaseEvent `json:"-"`
-
-	MinLength    uint8 `json:"minLength"`
-	HasLowercase bool  `json:"hasLowercase"`
-	HasUpperCase bool  `json:"hasUppercase"`
-	HasNumber    bool  `json:"hasNumber"`
-	HasSymbol    bool  `json:"hasSymbol"`
-}
-
-func (e *PasswordComplexityPolicyChangedEvent) CheckPrevious() bool {
-	return true
-}
-
-func (e *PasswordComplexityPolicyChangedEvent) Data() interface{} {
-	return e
-}
-
-func NewPasswordComplexityPolicyChangedEvent(
-	base *eventstore.BaseEvent,
-	current *PasswordComplexityPolicyWriteModel,
-	minLength uint8,
-	hasLowerCase,
-	hasUpperCase,
-	hasNumber,
-	hasSymbol bool,
-) *PasswordComplexityPolicyChangedEvent {
-
-	e := &PasswordComplexityPolicyChangedEvent{
-		BaseEvent: *base,
-	}
-
-	if current.MinLength != minLength {
-		e.MinLength = minLength
-	}
-	if current.HasLowercase != hasLowerCase {
-		e.HasLowercase = hasLowerCase
-	}
-	if current.HasUpperCase != hasUpperCase {
-		e.HasUpperCase = hasUpperCase
-	}
-	if current.HasNumber != hasNumber {
-		e.HasNumber = hasNumber
-	}
-	if current.HasSymbol != hasSymbol {
-		e.HasSymbol = hasSymbol
-	}
-
-	return e
-}
-
-func PasswordComplexityPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e := &PasswordComplexityPolicyChangedEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}
-
-	err := json.Unmarshal(event.Data, e)
-	if err != nil {
-		return nil, errors.ThrowInternal(err, "POLIC-zBGB0", "unable to unmarshal policy")
-	}
-
-	return e, nil
-}
-
-type PasswordComplexityPolicyRemovedEvent struct {
-	eventstore.BaseEvent `json:"-"`
-}
-
-func (e *PasswordComplexityPolicyRemovedEvent) CheckPrevious() bool {
-	return true
-}
-
-func (e *PasswordComplexityPolicyRemovedEvent) Data() interface{} {
-	return nil
-}
-
-func NewPasswordComplexityPolicyRemovedEvent(base *eventstore.BaseEvent) *PasswordComplexityPolicyRemovedEvent {
-	return &PasswordComplexityPolicyRemovedEvent{
-		BaseEvent: *base,
-	}
-}
-
-func PasswordComplexityPolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	return &PasswordComplexityPolicyRemovedEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}, nil
-}

internal/v2/repository/policy/password_complexity/events.go

@@ -0,0 +1,151 @@
+package password_complexity
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+)
+
+const (
+	PasswordComplexityPolicyAddedEventType   = "policy.password.complexity.added"
+	PasswordComplexityPolicyChangedEventType = "policy.password.complexity.changed"
+	PasswordComplexityPolicyRemovedEventType = "policy.password.complexity.removed"
+)
+
+type AddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	MinLength    uint64 `json:"minLength,omitempty"`
+	HasLowercase bool   `json:"hasLowercase"`
+	HasUpperCase bool   `json:"hasUppercase"`
+	HasNumber    bool   `json:"hasNumber"`
+	HasSymbol    bool   `json:"hasSymbol"`
+}
+
+func (e *AddedEvent) CheckPrevious() bool {
+	return true
+}
+
+func (e *AddedEvent) Data() interface{} {
+	return e
+}
+
+func NewAddedEvent(
+	base *eventstore.BaseEvent,
+	minLength uint64,
+	hasLowerCase,
+	hasUpperCase,
+	hasNumber,
+	hasSymbol bool,
+) *AddedEvent {
+	return &AddedEvent{
+		BaseEvent:    *base,
+		MinLength:    minLength,
+		HasLowercase: hasLowerCase,
+		HasNumber:    hasNumber,
+		HasSymbol:    hasSymbol,
+		HasUpperCase: hasUpperCase,
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &AddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-wYxlM", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+type ChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	MinLength    uint64 `json:"minLength"`
+	HasLowercase bool   `json:"hasLowercase"`
+	HasUpperCase bool   `json:"hasUppercase"`
+	HasNumber    bool   `json:"hasNumber"`
+	HasSymbol    bool   `json:"hasSymbol"`
+}
+
+func (e *ChangedEvent) CheckPrevious() bool {
+	return true
+}
+
+func (e *ChangedEvent) Data() interface{} {
+	return e
+}
+
+func NewChangedEvent(
+	base *eventstore.BaseEvent,
+	current *WriteModel,
+	minLength uint64,
+	hasLowerCase,
+	hasUpperCase,
+	hasNumber,
+	hasSymbol bool,
+) *ChangedEvent {
+
+	e := &ChangedEvent{
+		BaseEvent: *base,
+	}
+
+	if current.MinLength != minLength {
+		e.MinLength = minLength
+	}
+	if current.HasLowercase != hasLowerCase {
+		e.HasLowercase = hasLowerCase
+	}
+	if current.HasUpperCase != hasUpperCase {
+		e.HasUpperCase = hasUpperCase
+	}
+	if current.HasNumber != hasNumber {
+		e.HasNumber = hasNumber
+	}
+	if current.HasSymbol != hasSymbol {
+		e.HasSymbol = hasSymbol
+	}
+
+	return e
+}
+
+func ChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-zBGB0", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+type RemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *RemovedEvent) CheckPrevious() bool {
+	return true
+}
+
+func (e *RemovedEvent) Data() interface{} {
+	return nil
+}
+
+func NewRemovedEvent(base *eventstore.BaseEvent) *RemovedEvent {
+	return &RemovedEvent{
+		BaseEvent: *base,
+	}
+}
+
+func RemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &RemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}

internal/v2/repository/policy/password_complexity/read_model.go

@@ -0,0 +1,33 @@
+package password_complexity
+
+import "github.com/caos/zitadel/internal/eventstore/v2"
+
+type ReadModel struct {
+	eventstore.ReadModel
+
+	MinLength    uint64
+	HasLowercase bool
+	HasUpperCase bool
+	HasNumber    bool
+	HasSymbol    bool
+}
+
+func (rm *ReadModel) Reduce() error {
+	for _, event := range rm.Events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			rm.MinLength = e.MinLength
+			rm.HasLowercase = e.HasLowercase
+			rm.HasUpperCase = e.HasUpperCase
+			rm.HasNumber = e.HasNumber
+			rm.HasSymbol = e.HasSymbol
+		case *ChangedEvent:
+			rm.MinLength = e.MinLength
+			rm.HasLowercase = e.HasLowercase
+			rm.HasUpperCase = e.HasUpperCase
+			rm.HasNumber = e.HasNumber
+			rm.HasSymbol = e.HasSymbol
+		}
+	}
+	return rm.ReadModel.Reduce()
+}

internal/v2/repository/policy/password_complexity/write_model.go

@@ -0,0 +1,35 @@
+package password_complexity
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+)
+
+type WriteModel struct {
+	eventstore.WriteModel
+
+	MinLength    uint64
+	HasLowercase bool
+	HasUpperCase bool
+	HasNumber    bool
+	HasSymbol    bool
+}
+
+func (wm *WriteModel) Reduce() error {
+	for _, event := range wm.Events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			wm.MinLength = e.MinLength
+			wm.HasLowercase = e.HasLowercase
+			wm.HasUpperCase = e.HasUpperCase
+			wm.HasNumber = e.HasNumber
+			wm.HasSymbol = e.HasSymbol
+		case *ChangedEvent:
+			wm.MinLength = e.MinLength
+			wm.HasLowercase = e.HasLowercase
+			wm.HasUpperCase = e.HasUpperCase
+			wm.HasNumber = e.HasNumber
+			wm.HasSymbol = e.HasSymbol
+		}
+	}
+	return wm.WriteModel.Reduce()
+}

internal/v2/repository/policy/password_lockout.go

@@ -1,168 +0,0 @@
-package policy
-
-import (
-	"encoding/json"
-
-	"github.com/caos/zitadel/internal/errors"
-	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/eventstore/v2/repository"
-)
-
-const (
-	PasswordLockoutPolicyAddedEventType   = "policy.password.lockout.added"
-	PasswordLockoutPolicyChangedEventType = "policy.password.lockout.changed"
-	PasswordLockoutPolicyRemovedEventType = "policy.password.lockout.removed"
-)
-
-type PasswordLockoutPolicyAggregate struct {
-	eventstore.Aggregate
-}
-
-type PasswordLockoutPolicyReadModel struct {
-	eventstore.ReadModel
-
-	MaxAttempts         uint8
-	ShowLockOutFailures bool
-}
-
-func (rm *PasswordLockoutPolicyReadModel) Reduce() error {
-	for _, event := range rm.Events {
-		switch e := event.(type) {
-		case *PasswordLockoutPolicyAddedEvent:
-			rm.MaxAttempts = e.MaxAttempts
-			rm.ShowLockOutFailures = e.ShowLockOutFailures
-		case *PasswordLockoutPolicyChangedEvent:
-			rm.MaxAttempts = e.MaxAttempts
-			rm.ShowLockOutFailures = e.ShowLockOutFailures
-		}
-	}
-	return rm.ReadModel.Reduce()
-}
-
-type PasswordLockoutPolicyWriteModel struct {
-	eventstore.WriteModel
-
-	MaxAttempts         uint8
-	ShowLockOutFailures bool
-}
-
-func (wm *PasswordLockoutPolicyWriteModel) Reduce() error {
-	return errors.ThrowUnimplemented(nil, "POLIC-xJjvN", "reduce unimpelemnted")
-}
-
-type PasswordLockoutPolicyAddedEvent struct {
-	eventstore.BaseEvent `json:"-"`
-
-	MaxAttempts         uint8 `json:"maxAttempts,omitempty"`
-	ShowLockOutFailures bool  `json:"showLockOutFailures"`
-}
-
-func (e *PasswordLockoutPolicyAddedEvent) CheckPrevious() bool {
-	return true
-}
-
-func (e *PasswordLockoutPolicyAddedEvent) Data() interface{} {
-	return e
-}
-
-func NewPasswordLockoutPolicyAddedEvent(
-	base *eventstore.BaseEvent,
-	maxAttempts uint8,
-	showLockOutFailures bool,
-) *PasswordLockoutPolicyAddedEvent {
-
-	return &PasswordLockoutPolicyAddedEvent{
-		BaseEvent:           *base,
-		MaxAttempts:         maxAttempts,
-		ShowLockOutFailures: showLockOutFailures,
-	}
-}
-
-func PasswordLockoutPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e := &PasswordLockoutPolicyAddedEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}
-
-	err := json.Unmarshal(event.Data, e)
-	if err != nil {
-		return nil, errors.ThrowInternal(err, "POLIC-8XiVd", "unable to unmarshal policy")
-	}
-
-	return e, nil
-}
-
-type PasswordLockoutPolicyChangedEvent struct {
-	eventstore.BaseEvent `json:"-"`
-
-	MaxAttempts         uint8 `json:"maxAttempts,omitempty"`
-	ShowLockOutFailures bool  `json:"showLockOutFailures,omitempty"`
-}
-
-func (e *PasswordLockoutPolicyChangedEvent) CheckPrevious() bool {
-	return true
-}
-
-func (e *PasswordLockoutPolicyChangedEvent) Data() interface{} {
-	return e
-}
-
-func NewPasswordLockoutPolicyChangedEvent(
-	base *eventstore.BaseEvent,
-	current *PasswordLockoutPolicyWriteModel,
-	maxAttempts uint8,
-	showLockOutFailures bool,
-) *PasswordLockoutPolicyChangedEvent {
-
-	e := &PasswordLockoutPolicyChangedEvent{
-		BaseEvent: *base,
-	}
-
-	if current.MaxAttempts != maxAttempts {
-		e.MaxAttempts = maxAttempts
-	}
-	if current.ShowLockOutFailures != showLockOutFailures {
-		e.ShowLockOutFailures = showLockOutFailures
-	}
-
-	return e
-}
-
-func PasswordLockoutPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	e := &PasswordLockoutPolicyChangedEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}
-
-	err := json.Unmarshal(event.Data, e)
-	if err != nil {
-		return nil, errors.ThrowInternal(err, "POLIC-lWGRc", "unable to unmarshal policy")
-	}
-
-	return e, nil
-}
-
-type PasswordLockoutPolicyRemovedEvent struct {
-	eventstore.BaseEvent `json:"-"`
-}
-
-func (e *PasswordLockoutPolicyRemovedEvent) CheckPrevious() bool {
-	return true
-}
-
-func (e *PasswordLockoutPolicyRemovedEvent) Data() interface{} {
-	return nil
-}
-
-func NewPasswordLockoutPolicyRemovedEvent(
-	base *eventstore.BaseEvent,
-) *PasswordLockoutPolicyRemovedEvent {
-
-	return &PasswordLockoutPolicyRemovedEvent{
-		BaseEvent: *base,
-	}
-}
-
-func PasswordLockoutPolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
-	return &PasswordLockoutPolicyRemovedEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}, nil
-}

internal/v2/repository/policy/password_lockout/events.go

@@ -0,0 +1,131 @@
+package password_lockout
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+)
+
+const (
+	PasswordLockoutPolicyAddedEventType   = "policy.password.lockout.added"
+	PasswordLockoutPolicyChangedEventType = "policy.password.lockout.changed"
+	PasswordLockoutPolicyRemovedEventType = "policy.password.lockout.removed"
+)
+
+type AddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	MaxAttempts         uint64 `json:"maxAttempts,omitempty"`
+	ShowLockOutFailures bool   `json:"showLockOutFailures"`
+}
+
+func (e *AddedEvent) CheckPrevious() bool {
+	return true
+}
+
+func (e *AddedEvent) Data() interface{} {
+	return e
+}
+
+func NewAddedEvent(
+	base *eventstore.BaseEvent,
+	maxAttempts uint64,
+	showLockOutFailures bool,
+) *AddedEvent {
+
+	return &AddedEvent{
+		BaseEvent:           *base,
+		MaxAttempts:         maxAttempts,
+		ShowLockOutFailures: showLockOutFailures,
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &AddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-8XiVd", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+type ChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	MaxAttempts         uint64 `json:"maxAttempts,omitempty"`
+	ShowLockOutFailures bool   `json:"showLockOutFailures,omitempty"`
+}
+
+func (e *ChangedEvent) CheckPrevious() bool {
+	return true
+}
+
+func (e *ChangedEvent) Data() interface{} {
+	return e
+}
+
+func NewChangedEvent(
+	base *eventstore.BaseEvent,
+	current *WriteModel,
+	maxAttempts uint64,
+	showLockOutFailures bool,
+) *ChangedEvent {
+
+	e := &ChangedEvent{
+		BaseEvent: *base,
+	}
+
+	if current.MaxAttempts != maxAttempts {
+		e.MaxAttempts = maxAttempts
+	}
+	if current.ShowLockOutFailures != showLockOutFailures {
+		e.ShowLockOutFailures = showLockOutFailures
+	}
+
+	return e
+}
+
+func ChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-lWGRc", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+type RemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *RemovedEvent) CheckPrevious() bool {
+	return true
+}
+
+func (e *RemovedEvent) Data() interface{} {
+	return nil
+}
+
+func NewRemovedEvent(
+	base *eventstore.BaseEvent,
+) *RemovedEvent {
+
+	return &RemovedEvent{
+		BaseEvent: *base,
+	}
+}
+
+func RemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &RemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}

internal/v2/repository/policy/password_lockout/read_model.go

@@ -0,0 +1,24 @@
+package password_lockout
+
+import "github.com/caos/zitadel/internal/eventstore/v2"
+
+type ReadModel struct {
+	eventstore.ReadModel
+
+	MaxAttempts         uint64
+	ShowLockOutFailures bool
+}
+
+func (rm *ReadModel) Reduce() error {
+	for _, event := range rm.Events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			rm.MaxAttempts = e.MaxAttempts
+			rm.ShowLockOutFailures = e.ShowLockOutFailures
+		case *ChangedEvent:
+			rm.MaxAttempts = e.MaxAttempts
+			rm.ShowLockOutFailures = e.ShowLockOutFailures
+		}
+	}
+	return rm.ReadModel.Reduce()
+}

internal/v2/repository/policy/password_lockout/write_model.go

@@ -0,0 +1,26 @@
+package password_lockout
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+)
+
+type WriteModel struct {
+	eventstore.WriteModel
+
+	MaxAttempts         uint64
+	ShowLockOutFailures bool
+}
+
+func (wm *WriteModel) Reduce() error {
+	for _, event := range wm.Events {
+		switch e := event.(type) {
+		case *AddedEvent:
+			wm.MaxAttempts = e.MaxAttempts
+			wm.ShowLockOutFailures = e.ShowLockOutFailures
+		case *ChangedEvent:
+			wm.MaxAttempts = e.MaxAttempts
+			wm.ShowLockOutFailures = e.ShowLockOutFailures
+		}
+	}
+	return wm.WriteModel.Reduce()
+}