feat: option to disallow public org registration (#6917)

* feat: return 404 or 409 if org reg disallowed * fix: system limit permissions * feat: add iam limits api * feat: disallow public org registrations on default instance * add integration test * test: integration * fix test * docs: describe public org registrations * avoid updating docs deps * fix system limits integration test * silence integration tests * fix linting * ignore strange linter complaints * review * improve reset properties naming * redefine the api * use restrictions aggregate * test query * simplify and test projection * test commands * fix unit tests * move integration test * support restrictions on default instance * also test GetRestrictions * self review * lint * abstract away resource owner * fix tests * lint
2025-08-11 18:57:32 +00:00 · 2023-11-22 10:29:38 +01:00
parent 5fa596a871
commit 76fe032b5f
45 changed files with 1280 additions and 123 deletions
--- a/internal/command/restrictions_model.go
+++ b/internal/command/restrictions_model.go
@@ -0,0 +1,55 @@
+package command
+
+import (
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/restrictions"
+)
+
+type restrictionsWriteModel struct {
+	eventstore.WriteModel
+	disallowPublicOrgRegistrations bool
+}
+
+// newRestrictionsWriteModel aggregateId is filled by reducing unit matching events
+func newRestrictionsWriteModel(instanceId, resourceOwner string) *restrictionsWriteModel {
+	return &restrictionsWriteModel{
+		WriteModel: eventstore.WriteModel{
+			InstanceID:    instanceId,
+			ResourceOwner: resourceOwner,
+		},
+	}
+}
+
+func (wm *restrictionsWriteModel) Query() *eventstore.SearchQueryBuilder {
+	query := eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
+		ResourceOwner(wm.ResourceOwner).
+		InstanceID(wm.InstanceID).
+		AddQuery().
+		AggregateTypes(restrictions.AggregateType).
+		EventTypes(restrictions.SetEventType)
+
+	return query.Builder()
+}
+
+func (wm *restrictionsWriteModel) Reduce() error {
+	for _, event := range wm.Events {
+		wm.ChangeDate = event.CreatedAt()
+		if e, ok := event.(*restrictions.SetEvent); ok && e.DisallowPublicOrgRegistrations != nil {
+			wm.disallowPublicOrgRegistrations = *e.DisallowPublicOrgRegistrations
+		}
+	}
+	return wm.WriteModel.Reduce()
+}
+
+// NewChanges returns all changes that need to be applied to the aggregate.
+// nil properties in setRestrictions are ignored
+func (wm *restrictionsWriteModel) NewChanges(setRestrictions *SetRestrictions) (changes []restrictions.RestrictionsChange) {
+	if setRestrictions == nil {
+		return nil
+	}
+	changes = make([]restrictions.RestrictionsChange, 0, 1)
+	if setRestrictions.DisallowPublicOrgRegistration != nil && (wm.disallowPublicOrgRegistrations != *setRestrictions.DisallowPublicOrgRegistration) {
+		changes = append(changes, restrictions.ChangePublicOrgRegistrations(*setRestrictions.DisallowPublicOrgRegistration))
+	}
+	return changes
+}