feat: option to disallow public org registration (#6917)

* feat: return 404 or 409 if org reg disallowed * fix: system limit permissions * feat: add iam limits api * feat: disallow public org registrations on default instance * add integration test * test: integration * fix test * docs: describe public org registrations * avoid updating docs deps * fix system limits integration test * silence integration tests * fix linting * ignore strange linter complaints * review * improve reset properties naming * redefine the api * use restrictions aggregate * test query * simplify and test projection * test commands * fix unit tests * move integration test * support restrictions on default instance * also test GetRestrictions * self review * lint * abstract away resource owner * fix tests * lint
2025-08-11 21:27:42 +00:00 · 2023-11-22 10:29:38 +01:00
parent 5fa596a871
commit 76fe032b5f
45 changed files with 1280 additions and 123 deletions
--- a/internal/command/instance.go
+++ b/internal/command/instance.go
@@ -21,6 +21,7 @@ import (
 	"github.com/zitadel/zitadel/internal/repository/org"
 	"github.com/zitadel/zitadel/internal/repository/project"
 	"github.com/zitadel/zitadel/internal/repository/quota"
+	"github.com/zitadel/zitadel/internal/repository/restrictions"
 	"github.com/zitadel/zitadel/internal/repository/user"
 )

@@ -115,10 +116,9 @@ type InstanceSetup struct {
 	Quotas *struct {
 		Items []*SetQuota
 	}
-	Features map[domain.Feature]any
-	Limits   *struct {
-		AuditLogRetention *time.Duration
-	}
+	Features     map[domain.Feature]any
+	Limits       *SetLimits
+	Restrictions *SetRestrictions
 }

 type SecretGenerators struct {
@@ -135,12 +135,13 @@ type SecretGenerators struct {
 }

 type ZitadelConfig struct {
-	projectID    string
-	mgmtAppID    string
-	adminAppID   string
-	authAppID    string
-	consoleAppID string
-	limitsID     string
+	projectID      string
+	mgmtAppID      string
+	adminAppID     string
+	authAppID      string
+	consoleAppID   string
+	limitsID       string
+	restrictionsID string
 }

 func (s *InstanceSetup) generateIDs(idGenerator id.Generator) (err error) {
@@ -169,6 +170,10 @@ func (s *InstanceSetup) generateIDs(idGenerator id.Generator) (err error) {
 		return err
 	}
 	s.zitadel.limitsID, err = idGenerator.Next()
+	if err != nil {
+		return err
+	}
+	s.zitadel.restrictionsID, err = idGenerator.Next()
 	return err
 }

@@ -200,6 +205,7 @@ func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup) (str
 	userAgg := user.NewAggregate(userID, orgID)
 	projectAgg := project.NewAggregate(setup.zitadel.projectID, orgID)
 	limitsAgg := limits.NewAggregate(setup.zitadel.limitsID, instanceID, instanceID)
+	restrictionsAgg := restrictions.NewAggregate(setup.zitadel.restrictionsID, instanceID, instanceID)

 	validations := []preparation.Validation{
 		prepareAddInstance(instanceAgg, setup.InstanceName, setup.DefaultLanguage),
@@ -453,9 +459,11 @@ func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup) (str
 	}

 	if setup.Limits != nil {
-		validations = append(validations, c.SetLimitsCommand(limitsAgg, &limitsWriteModel{}, &SetLimits{
-			AuditLogRetention: setup.Limits.AuditLogRetention,
-		}))
+		validations = append(validations, c.SetLimitsCommand(limitsAgg, &limitsWriteModel{}, setup.Limits))
+	}
+
+	if setup.Restrictions != nil {
+		validations = append(validations, c.SetRestrictionsCommand(restrictionsAgg, &restrictionsWriteModel{}, setup.Restrictions))
 	}

 	cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, validations...)