feat: add domain verification (#560)

* feat: add domain verification * add checks * add and fix tests * fix go.mod * regenerate proto
2025-08-12 08:27:32 +00:00 · 2020-08-06 15:03:03 +02:00
parent f80367b49a
commit 7015b226ef
26 changed files with 15815 additions and 14883 deletions
--- a/internal/org/repository/eventsourcing/eventstore.go
+++ b/internal/org/repository/eventsourcing/eventstore.go
@@ -4,9 +4,12 @@ import (
 	"context"
 	"encoding/json"

-	"github.com/caos/zitadel/internal/config/systemdefaults"
-
 	"github.com/caos/logging"
+	"github.com/golang/protobuf/ptypes"
+
+	http_utils "github.com/caos/zitadel/internal/api/http"
+	"github.com/caos/zitadel/internal/config/systemdefaults"
+	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/eventstore"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
@@ -14,30 +17,39 @@ import (
 	"github.com/caos/zitadel/internal/id"
 	org_model "github.com/caos/zitadel/internal/org/model"
 	"github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
-	"github.com/golang/protobuf/ptypes"
 )

 type OrgEventstore struct {
 	eventstore.Eventstore
-	IAMDomain           string
-	idGenerator         id.Generator
-	defaultOrgIamPolicy *org_model.OrgIamPolicy
+	IAMDomain             string
+	idGenerator           id.Generator
+	verificationAlgorithm crypto.EncryptionAlgorithm
+	verificationGenerator crypto.Generator
+	defaultOrgIamPolicy   *org_model.OrgIamPolicy
+	verificationValidator func(domain string, token string, verifier string, checkType http_utils.CheckType) error
 }

 type OrgConfig struct {
 	eventstore.Eventstore
-	IAMDomain string
+	IAMDomain          string
+	VerificationConfig *crypto.KeyConfig
 }

 func StartOrg(conf OrgConfig, defaults systemdefaults.SystemDefaults) *OrgEventstore {
 	policy := defaults.DefaultPolicies.OrgIam
 	policy.Default = true
 	policy.IamDomain = conf.IAMDomain
+	verificationAlg, err := crypto.NewAESCrypto(defaults.DomainVerification.VerificationKey)
+	logging.Log("EVENT-aZ22d").OnError(err).Panic("cannot create verificationAlgorithm for domain verification")
+	verificationGen := crypto.NewEncryptionGenerator(defaults.DomainVerification.VerificationGenerator, verificationAlg)
 	return &OrgEventstore{
-		Eventstore:          conf.Eventstore,
-		idGenerator:         id.SonyFlakeGenerator,
-		IAMDomain:           conf.IAMDomain,
-		defaultOrgIamPolicy: &policy,
+		Eventstore:            conf.Eventstore,
+		idGenerator:           id.SonyFlakeGenerator,
+		verificationAlgorithm: verificationAlg,
+		verificationGenerator: verificationGen,
+		verificationValidator: http_utils.ValidateDomain,
+		IAMDomain:             conf.IAMDomain,
+		defaultOrgIamPolicy:   &policy,
 	}
 }

@@ -149,7 +161,7 @@ func (es *OrgEventstore) ReactivateOrg(ctx context.Context, orgID string) (*org_
 }

 func (es *OrgEventstore) AddOrgDomain(ctx context.Context, domain *org_model.OrgDomain) (*org_model.OrgDomain, error) {
-	if !domain.IsValid() {
+	if domain == nil || !domain.IsValid() {
 		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-8sFJW", "Errors.Org.InvalidDomain")
 	}
 	existing, err := es.OrgByID(ctx, org_model.NewOrg(domain.AggregateID))
@@ -171,6 +183,107 @@ func (es *OrgEventstore) AddOrgDomain(ctx context.Context, domain *org_model.Org
 	return nil, errors.ThrowInternal(nil, "EVENT-ISOP0", "Errors.Internal")
 }

+func (es *OrgEventstore) GenerateOrgDomainValidation(ctx context.Context, domain *org_model.OrgDomain) (string, string, error) {
+	if domain == nil || !domain.IsValid() {
+		return "", "", errors.ThrowPreconditionFailed(nil, "EVENT-R24hb", "Errors.Org.InvalidDomain")
+	}
+	checkType, ok := domain.ValidationType.CheckType()
+	if !ok {
+		return "", "", errors.ThrowPreconditionFailed(nil, "EVENT-Gsw31", "Errors.Org.DomainVerificationTypeInvalid")
+	}
+	existing, err := es.OrgByID(ctx, org_model.NewOrg(domain.AggregateID))
+	if err != nil {
+		return "", "", err
+	}
+	_, d := existing.GetDomain(domain)
+	if d == nil {
+		return "", "", errors.ThrowPreconditionFailed(nil, "EVENT-AGD31", "Errors.Org.DomainNotOnOrg")
+	}
+	if d.Verified {
+		return "", "", errors.ThrowPreconditionFailed(nil, "EVENT-HGw21", "Errors.Org.DomainAlreadyVerified")
+	}
+	token, err := domain.GenerateVerificationCode(es.verificationGenerator)
+	if err != nil {
+		return "", "", err
+	}
+	url, err := http_utils.TokenUrl(domain.Domain, token, checkType)
+	if err != nil {
+		return "", "", errors.ThrowPreconditionFailed(err, "EVENT-Bae21", "Errors.Org.DomainVerificationTypeInvalid")
+	}
+
+	repoOrg := model.OrgFromModel(existing)
+	repoDomain := model.OrgDomainFromModel(domain)
+	aggregate := OrgDomainValidationGeneratedAggregate(es.Eventstore.AggregateCreator(), repoOrg, repoDomain)
+
+	err = es_sdk.Push(ctx, es.PushAggregates, repoOrg.AppendEvents, aggregate)
+	if err != nil {
+		return "", "", err
+	}
+	return token, url, err
+}
+
+func (es *OrgEventstore) ValidateOrgDomain(ctx context.Context, domain *org_model.OrgDomain) error {
+	if domain == nil || !domain.IsValid() {
+		return errors.ThrowPreconditionFailed(nil, "EVENT-R24hb", "Errors.Org.InvalidDomain")
+	}
+	existing, err := es.OrgByID(ctx, org_model.NewOrg(domain.AggregateID))
+	if err != nil {
+		return err
+	}
+	_, d := existing.GetDomain(domain)
+	if d == nil {
+		return errors.ThrowPreconditionFailed(nil, "EVENT-Sjdi3", "Errors.Org.DomainNotOnOrg")
+	}
+	if d.Verified {
+		return errors.ThrowPreconditionFailed(nil, "EVENT-4gT342", "Errors.Org.DomainAlreadyVerified")
+	}
+	if d.ValidationCode == nil || d.ValidationType == org_model.OrgDomainValidationTypeUnspecified {
+		return errors.ThrowPreconditionFailed(nil, "EVENT-SFBB3", "Errors.Org.DomainVerificationMissing")
+	}
+	validationCode, err := crypto.DecryptString(d.ValidationCode, es.verificationAlgorithm)
+	if err != nil {
+		return err
+	}
+	repoOrg := model.OrgFromModel(existing)
+	repoDomain := model.OrgDomainFromModel(domain)
+	checkType, _ := d.ValidationType.CheckType()
+	err = es.verificationValidator(d.Domain, validationCode, validationCode, checkType)
+	if err == nil {
+		orgAggregates, err := OrgDomainVerifiedAggregate(ctx, es.Eventstore.AggregateCreator(), repoOrg, repoDomain)
+		if err != nil {
+			return err
+		}
+		return es_sdk.PushAggregates(ctx, es.PushAggregates, repoOrg.AppendEvents, orgAggregates...)
+	}
+	if err := es_sdk.Push(ctx, es.PushAggregates, repoOrg.AppendEvents, OrgDomainValidationFailedAggregate(es.Eventstore.AggregateCreator(), repoOrg, repoDomain)); err != nil {
+		return err
+	}
+	return errors.ThrowInvalidArgument(err, "EVENT-GH3s", "Errors.Org.DomainVerificationFailed")
+}
+
+func (es *OrgEventstore) SetPrimaryOrgDomain(ctx context.Context, domain *org_model.OrgDomain) error {
+	if domain == nil || !domain.IsValid() {
+		return errors.ThrowPreconditionFailed(nil, "EVENT-SsDG2", "Errors.Org.InvalidDomain")
+	}
+	existing, err := es.OrgByID(ctx, org_model.NewOrg(domain.AggregateID))
+	if err != nil {
+		return err
+	}
+	_, d := existing.GetDomain(domain)
+	if d == nil {
+		return errors.ThrowPreconditionFailed(nil, "EVENT-GDfA3", "Errors.Org.DomainNotOnOrg")
+	}
+	if !d.Verified {
+		return errors.ThrowPreconditionFailed(nil, "EVENT-Ggd32", "Errors.Org.DomainNotVerified")
+	}
+	repoOrg := model.OrgFromModel(existing)
+	repoDomain := model.OrgDomainFromModel(domain)
+	if err := es_sdk.Push(ctx, es.PushAggregates, repoOrg.AppendEvents, OrgDomainSetPrimaryAggregate(es.Eventstore.AggregateCreator(), repoOrg, repoDomain)); err != nil {
+		return err
+	}
+	return nil
+}
+
 func (es *OrgEventstore) RemoveOrgDomain(ctx context.Context, domain *org_model.OrgDomain) error {
 	if domain.Domain == "" {
 		return errors.ThrowPreconditionFailed(nil, "EVENT-SJsK3", "Errors.Org.DomainMissing")
--- a/internal/org/repository/eventsourcing/eventstore_test.go
+++ b/internal/org/repository/eventsourcing/eventstore_test.go
@@ -7,8 +7,11 @@ import (
 	"time"

 	"github.com/golang/mock/gomock"
+	"github.com/stretchr/testify/assert"

 	"github.com/caos/zitadel/internal/api/authz"
+	http_util "github.com/caos/zitadel/internal/api/http"
+	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/errors"
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	es_mock "github.com/caos/zitadel/internal/eventstore/mock"
@@ -23,8 +26,17 @@ type testOrgEventstore struct {
 }

 func newTestEventstore(t *testing.T) *testOrgEventstore {
-	mock := mockEventstore(t)
-	return &testOrgEventstore{OrgEventstore: OrgEventstore{Eventstore: mock}, mockEventstore: mock}
+	ctrl := gomock.NewController(t)
+	mock := es_mock.NewMockEventstore(ctrl)
+	verificationAlgorithm := crypto.NewMockEncryptionAlgorithm(ctrl)
+	verificationGenerator := crypto.NewMockGenerator(ctrl)
+	return &testOrgEventstore{
+		OrgEventstore: OrgEventstore{
+			Eventstore:            mock,
+			verificationAlgorithm: verificationAlgorithm,
+			verificationGenerator: verificationGenerator,
+		},
+		mockEventstore: mock}
 }

 func (es *testOrgEventstore) expectFilterEvents(events []*es_models.Event, err error) *testOrgEventstore {
@@ -51,11 +63,49 @@ func (es *testOrgEventstore) expectAggregateCreator() *testOrgEventstore {
 	return es
 }

-func mockEventstore(t *testing.T) *es_mock.MockEventstore {
-	ctrl := gomock.NewController(t)
-	e := es_mock.NewMockEventstore(ctrl)
+func (es *testOrgEventstore) expectGenerateVerification(r rune) *testOrgEventstore {
+	generator, _ := es.verificationGenerator.(*crypto.MockGenerator)
+	generator.EXPECT().Length().Return(uint(2))
+	generator.EXPECT().Runes().Return([]rune("aa"))
+	generator.EXPECT().Alg().Return(es.verificationAlgorithm)
+	return es
+}

-	return e
+func (es *testOrgEventstore) expectEncrypt() *testOrgEventstore {
+	algorithm, _ := es.verificationAlgorithm.(*crypto.MockEncryptionAlgorithm)
+	algorithm.EXPECT().Encrypt(gomock.Any()).DoAndReturn(
+		func(value []byte) (*crypto.CryptoValue, error) {
+			return &crypto.CryptoValue{
+				CryptoType: crypto.TypeEncryption,
+				Algorithm:  "enc",
+				KeyID:      "id",
+				Crypted:    value,
+			}, nil
+		})
+	algorithm.EXPECT().Algorithm().Return("enc")
+	algorithm.EXPECT().EncryptionKeyID().Return("id")
+	return es
+}
+
+func (es *testOrgEventstore) expectDecrypt() *testOrgEventstore {
+	algorithm, _ := es.verificationAlgorithm.(*crypto.MockEncryptionAlgorithm)
+	algorithm.EXPECT().Algorithm().AnyTimes().Return("enc")
+	algorithm.EXPECT().DecryptionKeyIDs().Return([]string{"id"})
+	algorithm.EXPECT().DecryptString(gomock.Any(), gomock.Any()).DoAndReturn(
+		func(value []byte, id string) (string, error) {
+			return string(value), nil
+		})
+	return es
+}
+
+func (es *testOrgEventstore) expectVerification(success bool) *testOrgEventstore {
+	es.verificationValidator = func(_, _, _ string, _ http_util.CheckType) error {
+		if success {
+			return nil
+		}
+		return errors.ThrowInvalidArgument(nil, "id", "invalid token")
+	}
+	return es
 }

 func TestOrgEventstore_OrgByID(t *testing.T) {
@@ -351,6 +401,446 @@ func TestOrgEventstore_ReactivateOrg(t *testing.T) {
 	}
 }

+func TestOrgEventstore_GenerateOrgDomainValidation(t *testing.T) {
+	type fields struct {
+		Eventstore *testOrgEventstore
+	}
+	type res struct {
+		token string
+		url   string
+		isErr func(error) bool
+	}
+	type args struct {
+		ctx    context.Context
+		domain *org_model.OrgDomain
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			name:   "no domain",
+			fields: fields{Eventstore: newTestEventstore(t)},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: nil,
+			},
+			res: res{
+				token: "",
+				url:   "",
+				isErr: errors.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "validation type invalid error",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent()}, nil).
+				expectGenerateVerification(65).
+				expectEncrypt(),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org"},
+			},
+			res: res{
+				token: "",
+				url:   "",
+				isErr: errors.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "org doesn't exist error",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{}, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				token: "",
+				url:   "",
+				isErr: errors.IsNotFound,
+			},
+		},
+		{
+			name: "domain doesn't exist error",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent()}, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				token: "",
+				url:   "",
+				isErr: errors.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "domain already verified error",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent(), orgDomainVerifiedEvent()}, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				token: "",
+				url:   "",
+				isErr: errors.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "push failed",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent()}, nil).
+				expectGenerateVerification(65).
+				expectEncrypt().
+				expectAggregateCreator().
+				expectPushEvents(0, errors.ThrowInternal(nil, "EVENT-S8WzW", "test")),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				token: "",
+				url:   "",
+				isErr: errors.IsInternal,
+			},
+		},
+		{
+			name: "push correct http",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent()}, nil).
+				expectGenerateVerification(65).
+				expectEncrypt().
+				expectAggregateCreator().
+				expectPushEvents(6, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				token: "aa",
+				url:   "https://hodor.org/.well-known/zitadel-challenge/aa",
+				isErr: nil,
+			},
+		},
+		{
+			name: "push correct dns",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent()}, nil).
+				expectGenerateVerification(65).
+				expectEncrypt().
+				expectAggregateCreator().
+				expectPushEvents(6, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeDNS},
+			},
+			res: res{
+				token: "aa",
+				url:   "_zitadel-challenge.hodor.org",
+				isErr: nil,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			token, url, err := tt.fields.Eventstore.GenerateOrgDomainValidation(tt.args.ctx, tt.args.domain)
+			if tt.res.isErr == nil && err != nil {
+				t.Errorf("no error expected got:%T %v", err, err)
+			}
+			if tt.res.isErr != nil && !tt.res.isErr(err) {
+				t.Errorf("wrong error got %T: %v", err, err)
+			}
+			assert.Equal(t, tt.res.token, token)
+			assert.Equal(t, tt.res.url, url)
+		})
+	}
+}
+
+func TestOrgEventstore_ValidateOrgDomain(t *testing.T) {
+	type fields struct {
+		Eventstore *testOrgEventstore
+	}
+	type res struct {
+		isErr func(error) bool
+	}
+	type args struct {
+		ctx    context.Context
+		domain *org_model.OrgDomain
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			name:   "no domain",
+			fields: fields{Eventstore: newTestEventstore(t)},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: nil,
+			},
+			res: res{
+				isErr: errors.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "org doesn't exist error",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{}, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: errors.IsNotFound,
+			},
+		},
+		{
+			name: "domain doesn't exist error",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent()}, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: errors.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "domain already verified error",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent(), orgDomainVerifiedEvent()}, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: errors.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "domain validation not created error",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent()}, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: errors.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "verification fails",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent(), orgDomainVerificationAddedEvent("token")}, nil).
+				expectDecrypt().
+				expectVerification(false).
+				expectAggregateCreator().
+				expectPushEvents(0, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: errors.IsErrorInvalidArgument,
+			},
+		},
+		{
+			name: "verification and push fails",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent(), orgDomainVerificationAddedEvent("token")}, nil).
+				expectDecrypt().
+				expectVerification(false).
+				expectAggregateCreator().
+				expectPushEvents(0, errors.ThrowInternal(nil, "EVENT-S8WzW", "test")),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: errors.IsInternal,
+			},
+		},
+		{
+			name: "push failed",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent(), orgDomainVerificationAddedEvent("token")}, nil).
+				expectDecrypt().
+				expectVerification(true).
+				expectAggregateCreator().
+				expectPushEvents(0, errors.ThrowInternal(nil, "EVENT-S8WzW", "test")),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: errors.IsInternal,
+			},
+		},
+		{
+			name: "push correct",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent(), orgDomainVerificationAddedEvent("token")}, nil).
+				expectDecrypt().
+				expectVerification(true).
+				expectAggregateCreator().
+				expectPushEvents(6, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: nil,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.fields.Eventstore.ValidateOrgDomain(tt.args.ctx, tt.args.domain)
+			if tt.res.isErr == nil && err != nil {
+				t.Errorf("no error expected got:%T %v", err, err)
+			}
+			if tt.res.isErr != nil && !tt.res.isErr(err) {
+				t.Errorf("wrong error got %T: %v", err, err)
+			}
+		})
+	}
+}
+
+func TestOrgEventstore_SetPrimaryOrgDomain(t *testing.T) {
+	type fields struct {
+		Eventstore *testOrgEventstore
+	}
+	type res struct {
+		isErr func(error) bool
+	}
+	type args struct {
+		ctx    context.Context
+		domain *org_model.OrgDomain
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			name:   "no domain",
+			fields: fields{Eventstore: newTestEventstore(t)},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: nil,
+			},
+			res: res{
+				isErr: errors.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "org doesn't exist error",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{}, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: errors.IsNotFound,
+			},
+		},
+		{
+			name: "domain doesn't exist error",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent()}, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: errors.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "domain not verified error",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent()}, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: errors.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "push failed",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent(), orgDomainVerifiedEvent()}, nil).
+				expectAggregateCreator().
+				expectPushEvents(0, errors.ThrowInternal(nil, "EVENT-S8WzW", "test")),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: errors.IsInternal,
+			},
+		},
+		{
+			name: "push correct",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent(), orgDomainVerifiedEvent()}, nil).
+				expectAggregateCreator().
+				expectPushEvents(6, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: nil,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.fields.Eventstore.SetPrimaryOrgDomain(tt.args.ctx, tt.args.domain)
+			if tt.res.isErr == nil && err != nil {
+				t.Errorf("no error expected got:%T %v", err, err)
+			}
+			if tt.res.isErr != nil && !tt.res.isErr(err) {
+				t.Errorf("wrong error got %T: %v", err, err)
+			}
+		})
+	}
+}
+
 func TestOrgEventstore_OrgMemberByIDs(t *testing.T) {
 	type fields struct {
 		Eventstore *testOrgEventstore
@@ -1003,7 +1493,7 @@ func orgCreatedEvent() *es_models.Event {
 		AggregateType:    model.OrgAggregate,
 		AggregateVersion: "v1",
 		CreationDate:     time.Now().Add(-1 * time.Minute),
-		Data:             []byte(`{"name": "hodor-org", "domain":"hodor.org"}`),
+		Data:             []byte(`{"name": "hodor-org"}`),
 		EditorService:    "testsvc",
 		EditorUser:       "testuser",
 		ID:               "sdlfö4t23kj",
@@ -1013,6 +1503,64 @@ func orgCreatedEvent() *es_models.Event {
 	}
 }

+func orgDomainAddedEvent() *es_models.Event {
+	return &es_models.Event{
+		AggregateID:      "hodor-org",
+		AggregateType:    model.OrgAggregate,
+		AggregateVersion: "v1",
+		CreationDate:     time.Now().Add(-1 * time.Minute),
+		Data:             []byte(`{"domain":"hodor.org"}`),
+		EditorService:    "testsvc",
+		EditorUser:       "testuser",
+		ID:               "sdlfö4t23kj",
+		ResourceOwner:    "hodor-org",
+		Sequence:         33,
+		Type:             model.OrgDomainAdded,
+	}
+}
+
+func orgDomainVerificationAddedEvent(token string) *es_models.Event {
+	data, _ := json.Marshal(&org_model.OrgDomain{
+		Domain:         "hodor.org",
+		ValidationType: org_model.OrgDomainValidationTypeDNS,
+		ValidationCode: &crypto.CryptoValue{
+			CryptoType: crypto.TypeEncryption,
+			Algorithm:  "enc",
+			KeyID:      "id",
+			Crypted:    []byte(token),
+		},
+	})
+	return &es_models.Event{
+		AggregateID:      "hodor-org",
+		AggregateType:    model.OrgAggregate,
+		AggregateVersion: "v1",
+		CreationDate:     time.Now().Add(-1 * time.Minute),
+		Data:             data,
+		EditorService:    "testsvc",
+		EditorUser:       "testuser",
+		ID:               "sdlfö4t23kj",
+		ResourceOwner:    "hodor-org",
+		Sequence:         34,
+		Type:             model.OrgDomainVerificationAdded,
+	}
+}
+
+func orgDomainVerifiedEvent() *es_models.Event {
+	return &es_models.Event{
+		AggregateID:      "hodor-org",
+		AggregateType:    model.OrgAggregate,
+		AggregateVersion: "v1",
+		CreationDate:     time.Now().Add(-1 * time.Minute),
+		Data:             []byte(`{"domain":"hodor.org"}`),
+		EditorService:    "testsvc",
+		EditorUser:       "testuser",
+		ID:               "sdlfö4t23kj",
+		ResourceOwner:    "hodor-org",
+		Sequence:         35,
+		Type:             model.OrgDomainVerified,
+	}
+}
+
 func orgInactiveEvent() *es_models.Event {
 	return &es_models.Event{
 		AggregateID:      "hodor-org",
--- a/internal/org/repository/eventsourcing/model/domain.go
+++ b/internal/org/repository/eventsourcing/model/domain.go
@@ -2,6 +2,8 @@ package model

 import (
 	"encoding/json"
+
+	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/errors"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/org/model"
@@ -10,9 +12,11 @@ import (
 type OrgDomain struct {
 	es_models.ObjectRoot `json:"-"`

-	Domain   string `json:"domain"`
-	Verified bool   `json:"-"`
-	Primary  bool   `json:"-"`
+	Domain         string              `json:"domain"`
+	Verified       bool                `json:"-"`
+	Primary        bool                `json:"-"`
+	ValidationType int32               `json:"validationType"`
+	ValidationCode *crypto.CryptoValue `json:"validationCode"`
 }

 func GetDomain(domains []*OrgDomain, domain string) (int, *OrgDomain) {
@@ -77,6 +81,21 @@ func (o *Org) appendPrimaryDomainEvent(event *es_models.Event) error {
 	return nil
 }

+func (o *Org) appendVerificationDomainEvent(event *es_models.Event) error {
+	domain := new(OrgDomain)
+	err := domain.SetData(event)
+	if err != nil {
+		return err
+	}
+	for _, d := range o.Domains {
+		if d.Domain == domain.Domain {
+			d.ValidationType = domain.ValidationType
+			d.ValidationCode = domain.ValidationCode
+		}
+	}
+	return nil
+}
+
 func (m *OrgDomain) SetData(event *es_models.Event) error {
 	err := json.Unmarshal(event.Data, m)
 	if err != nil {
@@ -95,10 +114,12 @@ func OrgDomainsFromModel(domains []*model.OrgDomain) []*OrgDomain {

 func OrgDomainFromModel(domain *model.OrgDomain) *OrgDomain {
 	return &OrgDomain{
-		ObjectRoot: domain.ObjectRoot,
-		Domain:     domain.Domain,
-		Verified:   domain.Verified,
-		Primary:    domain.Primary,
+		ObjectRoot:     domain.ObjectRoot,
+		Domain:         domain.Domain,
+		Verified:       domain.Verified,
+		Primary:        domain.Primary,
+		ValidationType: int32(domain.ValidationType),
+		ValidationCode: domain.ValidationCode,
 	}
 }

@@ -112,9 +133,11 @@ func OrgDomainsToModel(domains []*OrgDomain) []*model.OrgDomain {

 func OrgDomainToModel(domain *OrgDomain) *model.OrgDomain {
 	return &model.OrgDomain{
-		ObjectRoot: domain.ObjectRoot,
-		Domain:     domain.Domain,
-		Verified:   domain.Verified,
-		Primary:    domain.Primary,
+		ObjectRoot:     domain.ObjectRoot,
+		Domain:         domain.Domain,
+		Primary:        domain.Primary,
+		Verified:       domain.Verified,
+		ValidationType: model.OrgDomainValidationType(domain.ValidationType),
+		ValidationCode: domain.ValidationCode,
 	}
 }
--- a/internal/org/repository/eventsourcing/model/org.go
+++ b/internal/org/repository/eventsourcing/model/org.go
@@ -2,6 +2,7 @@ package model

 import (
 	"encoding/json"
+
 	"github.com/caos/zitadel/internal/errors"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 	org_model "github.com/caos/zitadel/internal/org/model"
@@ -112,6 +113,8 @@ func (o *Org) AppendEvent(event *es_models.Event) error {
 		o.removeMember(member.UserID)
 	case OrgDomainAdded:
 		o.appendAddDomainEvent(event)
+	case OrgDomainVerificationAdded:
+		o.appendVerificationDomainEvent(event)
 	case OrgDomainVerified:
 		o.appendVerifyDomainEvent(event)
 	case OrgDomainPrimarySet:
--- a/internal/org/repository/eventsourcing/model/types.go
+++ b/internal/org/repository/eventsourcing/model/types.go
@@ -7,15 +7,17 @@ const (
 	OrgDomainAggregate models.AggregateType = "org.domain"
 	OrgNameAggregate   models.AggregateType = "org.name"

-	OrgAdded            models.EventType = "org.added"
-	OrgChanged          models.EventType = "org.changed"
-	OrgDeactivated      models.EventType = "org.deactivated"
-	OrgReactivated      models.EventType = "org.reactivated"
-	OrgRemoved          models.EventType = "org.removed"
-	OrgDomainAdded      models.EventType = "org.domain.added"
-	OrgDomainVerified   models.EventType = "org.domain.verified"
-	OrgDomainRemoved    models.EventType = "org.domain.removed"
-	OrgDomainPrimarySet models.EventType = "org.domain.primary.set"
+	OrgAdded                    models.EventType = "org.added"
+	OrgChanged                  models.EventType = "org.changed"
+	OrgDeactivated              models.EventType = "org.deactivated"
+	OrgReactivated              models.EventType = "org.reactivated"
+	OrgRemoved                  models.EventType = "org.removed"
+	OrgDomainAdded              models.EventType = "org.domain.added"
+	OrgDomainVerificationAdded  models.EventType = "org.domain.verification.added"
+	OrgDomainVerificationFailed models.EventType = "org.domain.verification.failed"
+	OrgDomainVerified           models.EventType = "org.domain.verified"
+	OrgDomainRemoved            models.EventType = "org.domain.removed"
+	OrgDomainPrimarySet         models.EventType = "org.domain.primary.set"

 	OrgNameReserved models.EventType = "org.name.reserved"
 	OrgNameReleased models.EventType = "org.name.released"
--- a/internal/org/repository/eventsourcing/org.go
+++ b/internal/org/repository/eventsourcing/org.go
@@ -247,29 +247,53 @@ func OrgDomainAddedAggregate(aggCreator *es_models.AggregateCreator, existing *m
 	}
 }

-func OrgDomainVerifiedAggregate(aggCreator *es_models.AggregateCreator, existing *model.Org, domain *model.OrgDomain) func(ctx context.Context) ([]*es_models.Aggregate, error) {
-	return func(ctx context.Context) ([]*es_models.Aggregate, error) {
+func OrgDomainValidationGeneratedAggregate(aggCreator *es_models.AggregateCreator, existing *model.Org, domain *model.OrgDomain) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
 		if domain == nil {
-			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-DHs7s", "Errors.Internal")
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-GD2gq", "Errors.Internal")
 		}
 		agg, err := OrgAggregate(ctx, aggCreator, existing.AggregateID, existing.Sequence)
 		if err != nil {
 			return nil, err
 		}
-		aggregates := make([]*es_models.Aggregate, 0, 2)
-		agg, err = agg.AppendEvent(model.OrgDomainVerified, domain)
-		if err != nil {
-			return nil, err
-		}
-		domainAgregate, err := reservedUniqueDomainAggregate(ctx, aggCreator, existing.AggregateID, domain.Domain)
-		if err != nil {
-			return nil, err
-		}
-		aggregates = append(aggregates, domainAgregate)
-		return append(aggregates, agg), nil
+		return agg.AppendEvent(model.OrgDomainVerificationAdded, domain)
 	}
 }

+func OrgDomainValidationFailedAggregate(aggCreator *es_models.AggregateCreator, existing *model.Org, domain *model.OrgDomain) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if domain == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-BHF52", "Errors.Internal")
+		}
+		agg, err := OrgAggregate(ctx, aggCreator, existing.AggregateID, existing.Sequence)
+		if err != nil {
+			return nil, err
+		}
+		return agg.AppendEvent(model.OrgDomainVerificationFailed, domain)
+	}
+}
+
+func OrgDomainVerifiedAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, existing *model.Org, domain *model.OrgDomain) ([]*es_models.Aggregate, error) {
+	if domain == nil {
+		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-DHs7s", "Errors.Internal")
+	}
+	agg, err := OrgAggregate(ctx, aggCreator, existing.AggregateID, existing.Sequence)
+	if err != nil {
+		return nil, err
+	}
+	aggregates := make([]*es_models.Aggregate, 0, 2)
+	agg, err = agg.AppendEvent(model.OrgDomainVerified, domain)
+	if err != nil {
+		return nil, err
+	}
+	domainAgregate, err := reservedUniqueDomainAggregate(ctx, aggCreator, existing.AggregateID, domain.Domain)
+	if err != nil {
+		return nil, err
+	}
+	aggregates = append(aggregates, domainAgregate)
+	return append(aggregates, agg), nil
+}
+
 func OrgDomainSetPrimaryAggregate(aggCreator *es_models.AggregateCreator, existing *model.Org, domain *model.OrgDomain) func(ctx context.Context) (*es_models.Aggregate, error) {
 	return func(ctx context.Context) (*es_models.Aggregate, error) {
 		if domain == nil {
--- a/internal/org/repository/eventsourcing/org_test.go
+++ b/internal/org/repository/eventsourcing/org_test.go
@@ -676,8 +676,7 @@ func TestOrgDomainVerifiedAggregates(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			agg := OrgDomainVerifiedAggregate(tt.args.aggCreator, tt.args.org, tt.args.domain)
-			got, err := agg(tt.args.ctx)
+			got, err := OrgDomainVerifiedAggregate(tt.args.ctx, tt.args.aggCreator, tt.args.org, tt.args.domain)
 			if tt.res.isErr == nil && err != nil {
 				t.Errorf("no error expected got %T: %v", err, err)
 			}