feat: option to disallow public org registration (#6917)

* feat: return 404 or 409 if org reg disallowed

* fix: system limit permissions

* feat: add iam limits api

* feat: disallow public org registrations on default instance

* add integration test

* test: integration

* fix test

* docs: describe public org registrations

* avoid updating docs deps

* fix system limits integration test

* silence integration tests

* fix linting

* ignore strange linter complaints

* review

* improve reset properties naming

* redefine the api

* use restrictions aggregate

* test query

* simplify and test projection

* test commands

* fix unit tests

* move integration test

* support restrictions on default instance

* also test GetRestrictions

* self review

* lint

* abstract away resource owner

* fix tests

* lint

internal/query/projection/main_test.go

@@ -1,61 +0,0 @@
-package projection
-
-import (
-	"database/sql"
-	"testing"
-	"time"
-
-	"github.com/zitadel/zitadel/internal/eventstore"
-	"github.com/zitadel/zitadel/internal/eventstore/repository"
-	"github.com/zitadel/zitadel/internal/eventstore/repository/mock"
-	action_repo "github.com/zitadel/zitadel/internal/repository/action"
-	iam_repo "github.com/zitadel/zitadel/internal/repository/instance"
-	key_repo "github.com/zitadel/zitadel/internal/repository/keypair"
-	"github.com/zitadel/zitadel/internal/repository/limits"
-	"github.com/zitadel/zitadel/internal/repository/org"
-	proj_repo "github.com/zitadel/zitadel/internal/repository/project"
-	quota_repo "github.com/zitadel/zitadel/internal/repository/quota"
-	usr_repo "github.com/zitadel/zitadel/internal/repository/user"
-	"github.com/zitadel/zitadel/internal/repository/usergrant"
-)
-
-type expect func(mockRepository *mock.MockRepository)
-
-func eventstoreExpect(t *testing.T, expects ...expect) *eventstore.Eventstore {
-	m := mock.NewRepo(t)
-	for _, e := range expects {
-		e(m)
-	}
-	es := eventstore.NewEventstore(
-		&eventstore.Config{
-			Querier: m.MockQuerier,
-			Pusher:  m.MockPusher,
-		},
-	)
-	iam_repo.RegisterEventMappers(es)
-	org.RegisterEventMappers(es)
-	usr_repo.RegisterEventMappers(es)
-	proj_repo.RegisterEventMappers(es)
-	quota_repo.RegisterEventMappers(es)
-	limits.RegisterEventMappers(es)
-	usergrant.RegisterEventMappers(es)
-	key_repo.RegisterEventMappers(es)
-	action_repo.RegisterEventMappers(es)
-	return es
-}
-
-func eventFromEventPusher(event eventstore.Command) *repository.Event {
-	data, _ := eventstore.EventData(event)
-	return &repository.Event{
-		ID:            "",
-		Seq:           0,
-		CreationDate:  time.Time{},
-		Typ:           event.Type(),
-		Data:          data,
-		EditorUser:    event.Creator(),
-		Version:       event.Aggregate().Version,
-		AggregateID:   event.Aggregate().ID,
-		AggregateType: event.Aggregate().Type,
-		ResourceOwner: sql.NullString{String: event.Aggregate().ResourceOwner, Valid: event.Aggregate().ResourceOwner != ""},
-	}
-}

internal/query/projection/projection.go

@@ -70,6 +70,7 @@ var (
 	MilestoneProjection                 *handler.Handler
 	QuotaProjection                     *quotaProjection
 	LimitsProjection                    *handler.Handler
+	RestrictionsProjection              *handler.Handler
 )
 
 type projection interface {
@@ -143,6 +144,7 @@ func Create(ctx context.Context, sqlClient *database.DB, es handler.EventStore,
 	MilestoneProjection = newMilestoneProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["milestones"]), systemUsers)
 	QuotaProjection = newQuotaProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["quotas"]))
 	LimitsProjection = newLimitsProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["limits"]))
+	RestrictionsProjection = newRestrictionsProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["restrictions"]))
 	newProjectionsList()
 	return nil
 }
@@ -247,5 +249,6 @@ func newProjectionsList() {
 		MilestoneProjection,
 		QuotaProjection.handler,
 		LimitsProjection,
+		RestrictionsProjection,
 	}
 }

internal/query/projection/restrictions.go

@@ -0,0 +1,96 @@
+package projection
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/eventstore"
+	old_handler "github.com/zitadel/zitadel/internal/eventstore/handler"
+	"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
+	"github.com/zitadel/zitadel/internal/repository/instance"
+	"github.com/zitadel/zitadel/internal/repository/restrictions"
+)
+
+const (
+	RestrictionsProjectionTable = "projections.restrictions"
+
+	RestrictionsColumnAggregateID   = "aggregate_id"
+	RestrictionsColumnCreationDate  = "creation_date"
+	RestrictionsColumnChangeDate    = "change_date"
+	RestrictionsColumnResourceOwner = "resource_owner"
+	RestrictionsColumnInstanceID    = "instance_id"
+	RestrictionsColumnSequence      = "sequence"
+
+	RestrictionsColumnDisallowPublicOrgRegistration = "disallow_public_org_registration"
+)
+
+type restrictionsProjection struct{}
+
+func newRestrictionsProjection(ctx context.Context, config handler.Config) *handler.Handler {
+	return handler.NewHandler(ctx, &config, &restrictionsProjection{})
+}
+
+func (*restrictionsProjection) Name() string {
+	return RestrictionsProjectionTable
+}
+
+func (*restrictionsProjection) Init() *old_handler.Check {
+	return handler.NewTableCheck(
+		handler.NewTable([]*handler.InitColumn{
+			handler.NewColumn(RestrictionsColumnAggregateID, handler.ColumnTypeText),
+			handler.NewColumn(RestrictionsColumnCreationDate, handler.ColumnTypeTimestamp),
+			handler.NewColumn(RestrictionsColumnChangeDate, handler.ColumnTypeTimestamp),
+			handler.NewColumn(RestrictionsColumnResourceOwner, handler.ColumnTypeText),
+			handler.NewColumn(RestrictionsColumnInstanceID, handler.ColumnTypeText),
+			handler.NewColumn(RestrictionsColumnSequence, handler.ColumnTypeInt64),
+			handler.NewColumn(RestrictionsColumnDisallowPublicOrgRegistration, handler.ColumnTypeBool),
+		},
+			handler.NewPrimaryKey(RestrictionsColumnInstanceID, RestrictionsColumnResourceOwner),
+		),
+	)
+}
+
+func (p *restrictionsProjection) Reducers() []handler.AggregateReducer {
+	return []handler.AggregateReducer{
+		{
+			Aggregate: restrictions.AggregateType,
+			EventReducers: []handler.EventReducer{
+				{
+					Event:  restrictions.SetEventType,
+					Reduce: p.reduceRestrictionsSet,
+				},
+			},
+		},
+		{
+			Aggregate: instance.AggregateType,
+			EventReducers: []handler.EventReducer{
+				{
+					Event:  instance.InstanceRemovedEventType,
+					Reduce: reduceInstanceRemovedHelper(RestrictionsColumnInstanceID),
+				},
+			},
+		},
+	}
+}
+
+func (p *restrictionsProjection) reduceRestrictionsSet(event eventstore.Event) (*handler.Statement, error) {
+	e, err := assertEvent[*restrictions.SetEvent](event)
+	if err != nil {
+		return nil, err
+	}
+	conflictCols := []handler.Column{
+		handler.NewCol(RestrictionsColumnInstanceID, e.Aggregate().InstanceID),
+		handler.NewCol(RestrictionsColumnResourceOwner, e.Aggregate().ResourceOwner),
+	}
+	updateCols := []handler.Column{
+		handler.NewCol(RestrictionsColumnInstanceID, e.Aggregate().InstanceID),
+		handler.NewCol(RestrictionsColumnResourceOwner, e.Aggregate().ResourceOwner),
+		handler.NewCol(RestrictionsColumnCreationDate, handler.OnlySetValueOnInsert(RestrictionsProjectionTable, e.CreationDate())),
+		handler.NewCol(RestrictionsColumnChangeDate, e.CreationDate()),
+		handler.NewCol(RestrictionsColumnSequence, e.Sequence()),
+		handler.NewCol(RestrictionsColumnAggregateID, e.Aggregate().ID),
+	}
+	if e.DisallowPublicOrgRegistrations != nil {
+		updateCols = append(updateCols, handler.NewCol(RestrictionsColumnDisallowPublicOrgRegistration, *e.DisallowPublicOrgRegistrations))
+	}
+	return handler.NewUpsertStatement(e, conflictCols, updateCols), nil
+}

internal/query/projection/restrictions_test.go

@@ -0,0 +1,96 @@
+package projection
+
+import (
+	"testing"
+
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
+	"github.com/zitadel/zitadel/internal/repository/restrictions"
+)
+
+func TestRestrictionsProjection_reduces(t *testing.T) {
+	type args struct {
+		event func(t *testing.T) eventstore.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		reduce func(event eventstore.Event) (*handler.Statement, error)
+		want   wantReduce
+	}{
+		{
+			name: "reduceRestrictionsSet should update defined",
+			args: args{
+				event: getEvent(testEvent(
+					restrictions.SetEventType,
+					restrictions.AggregateType,
+					[]byte(`{ "disallowPublicOrgRegistrations": true }`),
+				), restrictions.SetEventMapper),
+			},
+			reduce: (&restrictionsProjection{}).reduceRestrictionsSet,
+			want: wantReduce{
+				aggregateType: eventstore.AggregateType("restrictions"),
+				sequence:      15,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "INSERT INTO projections.restrictions (instance_id, resource_owner, creation_date, change_date, sequence, aggregate_id, disallow_public_org_registration) VALUES ($1, $2, $3, $4, $5, $6, $7) ON CONFLICT (instance_id, resource_owner) DO UPDATE SET (creation_date, change_date, sequence, aggregate_id, disallow_public_org_registration) = (projections.restrictions.creation_date, EXCLUDED.change_date, EXCLUDED.sequence, EXCLUDED.aggregate_id, EXCLUDED.disallow_public_org_registration)",
+							expectedArgs: []interface{}{
+								"instance-id",
+								"ro-id",
+								anyArg{},
+								anyArg{},
+								uint64(15),
+								"agg-id",
+								true,
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "reduceRestrictionsSet shouldn't update undefined",
+			args: args{
+				event: getEvent(testEvent(
+					restrictions.SetEventType,
+					restrictions.AggregateType,
+					[]byte(`{}`),
+				), restrictions.SetEventMapper),
+			},
+			reduce: (&restrictionsProjection{}).reduceRestrictionsSet,
+			want: wantReduce{
+				aggregateType: eventstore.AggregateType("restrictions"),
+				sequence:      15,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "INSERT INTO projections.restrictions (instance_id, resource_owner, creation_date, change_date, sequence, aggregate_id) VALUES ($1, $2, $3, $4, $5, $6) ON CONFLICT (instance_id, resource_owner) DO UPDATE SET (creation_date, change_date, sequence, aggregate_id) = (projections.restrictions.creation_date, EXCLUDED.change_date, EXCLUDED.sequence, EXCLUDED.aggregate_id)",
+							expectedArgs: []interface{}{
+								"instance-id",
+								"ro-id",
+								anyArg{},
+								anyArg{},
+								uint64(15),
+								"agg-id",
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			event := baseEvent(t)
+			got, err := tt.reduce(event)
+			if !errors.IsErrorInvalidArgument(err) {
+				t.Errorf("no wrong event mapping: %v, got: %v", err, got)
+			}
+			event = tt.args.event(t)
+			got, err = tt.reduce(event)
+			assertReduce(t, got, err, RestrictionsProjectionTable, tt.want)
+		})
+	}
+}

internal/query/query.go

@@ -30,6 +30,7 @@ import (
 	"github.com/zitadel/zitadel/internal/repository/org"
 	"github.com/zitadel/zitadel/internal/repository/project"
 	"github.com/zitadel/zitadel/internal/repository/quota"
+	"github.com/zitadel/zitadel/internal/repository/restrictions"
 	"github.com/zitadel/zitadel/internal/repository/session"
 	usr_repo "github.com/zitadel/zitadel/internal/repository/user"
 	"github.com/zitadel/zitadel/internal/repository/usergrant"
@@ -113,6 +114,7 @@ func StartQueries(
 	oidcsession.RegisterEventMappers(repo.eventstore)
 	quota.RegisterEventMappers(repo.eventstore)
 	limits.RegisterEventMappers(repo.eventstore)
+	restrictions.RegisterEventMappers(repo.eventstore)
 
 	repo.checkPermission = permissionCheck(repo)
 

internal/query/restrictions.go

@@ -0,0 +1,108 @@
+package query
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+	"time"
+
+	sq "github.com/Masterminds/squirrel"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/api/call"
+	zitade_errors "github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/query/projection"
+	"github.com/zitadel/zitadel/internal/telemetry/tracing"
+)
+
+var (
+	restrictionsTable = table{
+		name:          projection.RestrictionsProjectionTable,
+		instanceIDCol: projection.RestrictionsColumnInstanceID,
+	}
+	RestrictionsColumnAggregateID = Column{
+		name:  projection.RestrictionsColumnAggregateID,
+		table: restrictionsTable,
+	}
+	RestrictionsColumnCreationDate = Column{
+		name:  projection.RestrictionsColumnCreationDate,
+		table: restrictionsTable,
+	}
+	RestrictionsColumnChangeDate = Column{
+		name:  projection.RestrictionsColumnChangeDate,
+		table: restrictionsTable,
+	}
+	RestrictionsColumnResourceOwner = Column{
+		name:  projection.RestrictionsColumnResourceOwner,
+		table: restrictionsTable,
+	}
+	RestrictionsColumnInstanceID = Column{
+		name:  projection.RestrictionsColumnInstanceID,
+		table: restrictionsTable,
+	}
+	RestrictionsColumnSequence = Column{
+		name:  projection.RestrictionsColumnSequence,
+		table: restrictionsTable,
+	}
+	RestrictionsColumnDisallowPublicOrgRegistrations = Column{
+		name:  projection.RestrictionsColumnDisallowPublicOrgRegistration,
+		table: restrictionsTable,
+	}
+)
+
+type Restrictions struct {
+	AggregateID   string
+	CreationDate  time.Time
+	ChangeDate    time.Time
+	ResourceOwner string
+	Sequence      uint64
+
+	DisallowPublicOrgRegistration bool
+}
+
+func (q *Queries) GetInstanceRestrictions(ctx context.Context) (restrictions Restrictions, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	stmt, scan := prepareRestrictionsQuery(ctx, q.client)
+	instanceID := authz.GetInstance(ctx).InstanceID()
+	query, args, err := stmt.Where(sq.Eq{
+		RestrictionsColumnInstanceID.identifier():    instanceID,
+		RestrictionsColumnResourceOwner.identifier(): instanceID,
+	}).ToSql()
+	if err != nil {
+		return restrictions, zitade_errors.ThrowInternal(err, "QUERY-XnLMQ", "Errors.Query.SQLStatment")
+	}
+	err = q.client.QueryRowContext(ctx, func(row *sql.Row) error {
+		restrictions, err = scan(row)
+		return err
+	}, query, args...)
+	if errors.Is(err, sql.ErrNoRows) {
+		// not found is not an error
+		err = nil
+	}
+	return restrictions, err
+}
+
+func prepareRestrictionsQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Row) (Restrictions, error)) {
+	return sq.Select(
+			RestrictionsColumnAggregateID.identifier(),
+			RestrictionsColumnCreationDate.identifier(),
+			RestrictionsColumnChangeDate.identifier(),
+			RestrictionsColumnResourceOwner.identifier(),
+			RestrictionsColumnSequence.identifier(),
+			RestrictionsColumnDisallowPublicOrgRegistrations.identifier(),
+		).
+			From(restrictionsTable.identifier() + db.Timetravel(call.Took(ctx))).
+			PlaceholderFormat(sq.Dollar),
+		func(row *sql.Row) (restrictions Restrictions, err error) {
+			return restrictions, row.Scan(
+				&restrictions.AggregateID,
+				&restrictions.CreationDate,
+				&restrictions.ChangeDate,
+				&restrictions.ResourceOwner,
+				&restrictions.Sequence,
+				&restrictions.DisallowPublicOrgRegistration,
+			)
+		}
+}

internal/query/restrictions_test.go

@@ -0,0 +1,111 @@
+package query
+
+import (
+	"database/sql"
+	"database/sql/driver"
+	"errors"
+	"fmt"
+	"regexp"
+	"testing"
+)
+
+var (
+	expectedRestrictionsQuery = regexp.QuoteMeta("SELECT projections.restrictions.aggregate_id," +
+		" projections.restrictions.creation_date," +
+		" projections.restrictions.change_date," +
+		" projections.restrictions.resource_owner," +
+		" projections.restrictions.sequence," +
+		" projections.restrictions.disallow_public_org_registration" +
+		" FROM projections.restrictions" +
+		" AS OF SYSTEM TIME '-1 ms'",
+	)
+
+	restrictionsCols = []string{
+		"aggregate_id",
+		"creation_date",
+		"change_date",
+		"resource_owner",
+		"sequence",
+		"disallow_public_org_registration",
+	}
+)
+
+func Test_RestrictionsPrepare(t *testing.T) {
+	type want struct {
+		sqlExpectations sqlExpectation
+		err             checkErr
+		object          interface{}
+	}
+	tests := []struct {
+		name    string
+		prepare interface{}
+		want    want
+	}{
+		{
+			name:    "prepareRestrictionsQuery no result",
+			prepare: prepareRestrictionsQuery,
+			want: want{
+				sqlExpectations: mockQueryScanErr(
+					expectedRestrictionsQuery,
+					nil,
+					nil,
+				),
+				err: func(err error) (error, bool) {
+					if !errors.Is(err, sql.ErrNoRows) {
+						return fmt.Errorf("err should be sql.ErrNoRows got: %w", err), false
+					}
+					return nil, true
+				},
+				object: Restrictions{},
+			},
+		},
+		{
+			name:    "prepareRestrictionsQuery",
+			prepare: prepareRestrictionsQuery,
+			want: want{
+				sqlExpectations: mockQuery(
+					expectedRestrictionsQuery,
+					restrictionsCols,
+					[]driver.Value{
+						"restrictions1",
+						testNow,
+						testNow,
+						"instance1",
+						0,
+						true,
+					},
+				),
+				object: Restrictions{
+					AggregateID:                   "restrictions1",
+					CreationDate:                  testNow,
+					ChangeDate:                    testNow,
+					ResourceOwner:                 "instance1",
+					Sequence:                      0,
+					DisallowPublicOrgRegistration: true,
+				},
+			},
+		},
+		{
+			name:    "prepareRestrictionsQuery sql err",
+			prepare: prepareRestrictionsQuery,
+			want: want{
+				sqlExpectations: mockQueryErr(
+					expectedRestrictionsQuery,
+					sql.ErrConnDone,
+				),
+				err: func(err error) (error, bool) {
+					if !errors.Is(err, sql.ErrConnDone) {
+						return fmt.Errorf("err should be sql.ErrConnDone got: %w", err), false
+					}
+					return nil, true
+				},
+				object: (*Restrictions)(nil),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assertPrepare(t, tt.prepare, tt.want.object, tt.want.sqlExpectations, tt.want.err, defaultPrepareArgs...)
+		})
+	}
+}