feat: organization settings for user uniqueness (#10246)

# Which Problems Are Solved Currently the username uniqueness is on instance level, we want to achieve a way to set it at organization level. # How the Problems Are Solved Addition of endpoints and a resource on organization level, where this setting can be managed. If nothing it set, the uniqueness is expected to be at instance level, where only users with instance permissions should be able to change this setting. # Additional Changes None # Additional Context Includes #10086 Closes #9964 --------- Co-authored-by: Marco A. <marco@zitadel.com>
2025-08-11 20:47:32 +00:00 · 2025-07-29 15:56:21 +02:00
parent b206a8ed87
commit 6d98b33c56
55 changed files with 4785 additions and 352 deletions
--- a/internal/command/org_policy_domain.go
+++ b/internal/command/org_policy_domain.go
@@ -124,13 +124,23 @@ func prepareAddOrgDomainPolicy(
 			if instancePolicy.UserLoginMustBeDomain == userLoginMustBeDomain {
 				return cmds, nil
 			}
+
+			organizationScopedUsernames, err := checkOrganizationScopedUsernames(ctx, filter, a.ID, nil)
+			if err != nil {
+				return nil, err
+			}
+
 			// the UserLoginMustBeDomain setting will be different from the instance
 			// therefore get all usernames and the current primary domain
 			usersWriteModel, err := domainPolicyUsernames(ctx, filter, a.ID)
 			if err != nil {
 				return nil, err
 			}
-			return append(cmds, usersWriteModel.NewUsernameChangedEvents(ctx, userLoginMustBeDomain)...), nil
+			return append(cmds, usersWriteModel.NewUsernameChangedEvents(ctx,
+				userLoginMustBeDomain,
+				organizationScopedUsernames,
+				instancePolicy.UserLoginMustBeDomain,
+			)...), nil
 		}, nil
 	}
 }
@@ -163,13 +173,22 @@ func prepareChangeOrgDomainPolicy(
 			if !usernameChange {
 				return cmds, err
 			}
+
+			organizationScopedUsernames, err := checkOrganizationScopedUsernames(ctx, filter, a.ID, nil)
+			if err != nil {
+				return nil, err
+			}
 			// get all usernames and the primary domain
 			usersWriteModel, err := domainPolicyUsernames(ctx, filter, a.ID)
 			if err != nil {
 				return nil, err
 			}
 			// to compute the username changed events
-			return append(cmds, usersWriteModel.NewUsernameChangedEvents(ctx, userLoginMustBeDomain)...), nil
+			return append(cmds, usersWriteModel.NewUsernameChangedEvents(ctx,
+				userLoginMustBeDomain,
+				organizationScopedUsernames,
+				writeModel.UserLoginMustBeDomain,
+			)...), nil
 		}, nil
 	}
 }
@@ -190,13 +209,20 @@ func prepareRemoveOrgDomainPolicy(
 			if err != nil {
 				return nil, err
 			}
+			policyChange := org.NewDomainPolicyRemovedEvent(ctx, &a.Aggregate)
 			cmds := []eventstore.Command{
-				org.NewDomainPolicyRemovedEvent(ctx, &a.Aggregate),
+				policyChange,
 			}
+
+			organizationScopedUsernames, err := checkOrganizationScopedUsernames(ctx, filter, a.ID, nil)
+			if err != nil {
+				return nil, err
+			}
+
 			// regardless if the UserLoginMustBeDomain setting is true or false,
 			// if it will be the same value as currently on the instance,
 			// then there no further changes are needed
-			if instancePolicy.UserLoginMustBeDomain == writeModel.UserLoginMustBeDomain {
+			if writeModel.UserLoginMustBeDomain == instancePolicy.UserLoginMustBeDomain {
 				return cmds, nil
 			}
 			// get all usernames and the primary domain
@@ -205,7 +231,11 @@ func prepareRemoveOrgDomainPolicy(
 				return nil, err
 			}
 			// to compute the username changed events
-			return append(cmds, usersWriteModel.NewUsernameChangedEvents(ctx, instancePolicy.UserLoginMustBeDomain)...), nil
+			return append(cmds, usersWriteModel.NewUsernameChangedEvents(ctx,
+				instancePolicy.UserLoginMustBeDomain,
+				organizationScopedUsernames,
+				writeModel.UserLoginMustBeDomain,
+			)...), nil
 		}, nil
 	}
 }