feat: option to disallow public org registration (#6917)

* feat: return 404 or 409 if org reg disallowed * fix: system limit permissions * feat: add iam limits api * feat: disallow public org registrations on default instance * add integration test * test: integration * fix test * docs: describe public org registrations * avoid updating docs deps * fix system limits integration test * silence integration tests * fix linting * ignore strange linter complaints * review * improve reset properties naming * redefine the api * use restrictions aggregate * test query * simplify and test projection * test commands * fix unit tests * move integration test * support restrictions on default instance * also test GetRestrictions * self review * lint * abstract away resource owner * fix tests * lint
2025-08-11 20:27:32 +00:00 · 2023-11-22 10:29:38 +01:00
parent 5fa596a871
commit 76fe032b5f
45 changed files with 1280 additions and 123 deletions
--- a/internal/command/restrictions.go
+++ b/internal/command/restrictions.go
@@ -0,0 +1,81 @@
+package command
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/command/preparation"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/restrictions"
+)
+
+type SetRestrictions struct {
+	DisallowPublicOrgRegistration *bool
+}
+
+// SetRestrictions creates new restrictions or updates existing restrictions.
+func (c *Commands) SetInstanceRestrictions(
+	ctx context.Context,
+	setRestrictions *SetRestrictions,
+) (*domain.ObjectDetails, error) {
+	instanceId := authz.GetInstance(ctx).InstanceID()
+	wm, err := c.getRestrictionsWriteModel(ctx, instanceId, instanceId)
+	if err != nil {
+		return nil, err
+	}
+	aggregateId := wm.AggregateID
+	if aggregateId == "" {
+		aggregateId, err = c.idGenerator.Next()
+		if err != nil {
+			return nil, err
+		}
+	}
+	setCmd, err := c.SetRestrictionsCommand(restrictions.NewAggregate(aggregateId, instanceId, instanceId), wm, setRestrictions)()
+	if err != nil {
+		return nil, err
+	}
+	cmds, err := setCmd(ctx, nil)
+	if err != nil {
+		return nil, err
+	}
+	if len(cmds) > 0 {
+		events, err := c.eventstore.Push(ctx, cmds...)
+		if err != nil {
+			return nil, err
+		}
+		err = AppendAndReduce(wm, events...)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return writeModelToObjectDetails(&wm.WriteModel), nil
+}
+
+func (c *Commands) getRestrictionsWriteModel(ctx context.Context, instanceId, resourceOwner string) (*restrictionsWriteModel, error) {
+	wm := newRestrictionsWriteModel(instanceId, resourceOwner)
+	return wm, c.eventstore.FilterToQueryReducer(ctx, wm)
+}
+
+func (c *Commands) SetRestrictionsCommand(a *restrictions.Aggregate, wm *restrictionsWriteModel, setRestrictions *SetRestrictions) preparation.Validation {
+	return func() (preparation.CreateCommands, error) {
+		if setRestrictions == nil || setRestrictions.DisallowPublicOrgRegistration == nil {
+			return nil, errors.ThrowInvalidArgument(nil, "COMMAND-oASwj", "Errors.Restrictions.NoneSpecified")
+		}
+		return func(ctx context.Context, _ preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
+			changes := wm.NewChanges(setRestrictions)
+			if len(changes) == 0 {
+				return nil, nil
+			}
+			return []eventstore.Command{restrictions.NewSetEvent(
+				eventstore.NewBaseEventForPush(
+					ctx,
+					&a.Aggregate,
+					restrictions.SetEventType,
+				),
+				changes...,
+			)}, nil
+		}, nil
+	}
+}