feat: multiple domains (#188)

* check uniqueness on create and register user * change user email, reserve release unique email * usergrant unique aggregate * usergrant uniqueness * validate UserGrant * fix tests * domain is set on username in all orgs * domain in admin * org domain sql * zitadel domain org name * org domains * org iam policy * default org iam policy * SETUP * load login names * login by login name * login name * fix: merge master * fix: merge master * Update internal/user/repository/eventsourcing/user.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: fix unique domains * fix: rename env variable Co-authored-by: adlerhurst <silvan.reusser@gmail.com> Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-08-12 04:57:33 +00:00 · 2020-06-16 11:40:18 +02:00
parent 64b14b4e19
commit 7a6ca24625
109 changed files with 12578 additions and 6025 deletions
--- a/internal/user/repository/eventsourcing/eventstore.go
+++ b/internal/user/repository/eventsourcing/eventstore.go
@@ -8,6 +8,7 @@ import (
 	"github.com/caos/logging"
 	"github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/id"
+	org_model "github.com/caos/zitadel/internal/org/model"
 	policy_model "github.com/caos/zitadel/internal/policy/model"
 	"github.com/golang/protobuf/ptypes"

@@ -103,8 +104,8 @@ func (es *UserEventstore) UserEventsByID(ctx context.Context, id string, sequenc
 	return es.FilterEvents(ctx, query)
 }

-func (es *UserEventstore) PrepareCreateUser(ctx context.Context, user *usr_model.User, policy *policy_model.PasswordComplexityPolicy, resourceOwner string) (*model.User, []*es_models.Aggregate, error) {
-	user.SetEmailAsUsername()
+func (es *UserEventstore) PrepareCreateUser(ctx context.Context, user *usr_model.User, pwPolicy *policy_model.PasswordComplexityPolicy, orgIamPolicy *org_model.OrgIamPolicy, resourceOwner string) (*model.User, []*es_models.Aggregate, error) {
+	err := user.CheckOrgIamPolicy(orgIamPolicy)
 	if !user.IsValid() {
 		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-9dk45", "User is invalid")
 	}
@@ -115,7 +116,7 @@ func (es *UserEventstore) PrepareCreateUser(ctx context.Context, user *usr_model
 	}
 	user.AggregateID = id

-	err = user.HashPasswordIfExisting(policy, es.PasswordAlg, true)
+	err = user.HashPasswordIfExisting(pwPolicy, es.PasswordAlg, true)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -132,13 +133,13 @@ func (es *UserEventstore) PrepareCreateUser(ctx context.Context, user *usr_model
 	repoInitCode := model.InitCodeFromModel(user.InitCode)
 	repoPhoneCode := model.PhoneCodeFromModel(user.PhoneCode)

-	createAggregates, err := UserCreateAggregate(ctx, es.AggregateCreator(), repoUser, repoInitCode, repoPhoneCode, resourceOwner)
+	createAggregates, err := UserCreateAggregate(ctx, es.AggregateCreator(), repoUser, repoInitCode, repoPhoneCode, resourceOwner, orgIamPolicy.UserLoginMustBeDomain)

 	return repoUser, createAggregates, err
 }

-func (es *UserEventstore) CreateUser(ctx context.Context, user *usr_model.User, policy *policy_model.PasswordComplexityPolicy) (*usr_model.User, error) {
-	repoUser, aggregates, err := es.PrepareCreateUser(ctx, user, policy, "")
+func (es *UserEventstore) CreateUser(ctx context.Context, user *usr_model.User, pwPolicy *policy_model.PasswordComplexityPolicy, orgIamPolicy *org_model.OrgIamPolicy) (*usr_model.User, error) {
+	repoUser, aggregates, err := es.PrepareCreateUser(ctx, user, pwPolicy, orgIamPolicy, "")
 	if err != nil {
 		return nil, err
 	}
@@ -152,8 +153,11 @@ func (es *UserEventstore) CreateUser(ctx context.Context, user *usr_model.User,
 	return model.UserToModel(repoUser), nil
 }

-func (es *UserEventstore) PrepareRegisterUser(ctx context.Context, user *usr_model.User, policy *policy_model.PasswordComplexityPolicy, resourceOwner string) (*model.User, []*es_models.Aggregate, error) {
-	user.SetEmailAsUsername()
+func (es *UserEventstore) PrepareRegisterUser(ctx context.Context, user *usr_model.User, policy *policy_model.PasswordComplexityPolicy, orgIamPolicy *org_model.OrgIamPolicy, resourceOwner string) (*model.User, []*es_models.Aggregate, error) {
+	err := user.CheckOrgIamPolicy(orgIamPolicy)
+	if err != nil {
+		return nil, nil, err
+	}
 	if !user.IsValid() || user.Password == nil || user.SecretString == "" {
 		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-9dk45", "Errors.User.InvalidData")
 	}
@@ -175,12 +179,12 @@ func (es *UserEventstore) PrepareRegisterUser(ctx context.Context, user *usr_mod
 	repoUser := model.UserFromModel(user)
 	repoEmailCode := model.EmailCodeFromModel(user.EmailCode)

-	aggregates, err := UserRegisterAggregate(ctx, es.AggregateCreator(), repoUser, resourceOwner, repoEmailCode)
+	aggregates, err := UserRegisterAggregate(ctx, es.AggregateCreator(), repoUser, resourceOwner, repoEmailCode, orgIamPolicy.UserLoginMustBeDomain)
 	return repoUser, aggregates, err
 }

-func (es *UserEventstore) RegisterUser(ctx context.Context, user *usr_model.User, policy *policy_model.PasswordComplexityPolicy, resourceOwner string) (*usr_model.User, error) {
-	repoUser, createAggregates, err := es.PrepareRegisterUser(ctx, user, policy, resourceOwner)
+func (es *UserEventstore) RegisterUser(ctx context.Context, user *usr_model.User, pwPolicy *policy_model.PasswordComplexityPolicy, orgIamPolicy *org_model.OrgIamPolicy, resourceOwner string) (*usr_model.User, error) {
+	repoUser, createAggregates, err := es.PrepareRegisterUser(ctx, user, pwPolicy, orgIamPolicy, resourceOwner)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/user/repository/eventsourcing/eventstore_test.go
+++ b/internal/user/repository/eventsourcing/eventstore_test.go
@@ -2,13 +2,13 @@ package eventsourcing

 import (
 	"context"
+	org_model "github.com/caos/zitadel/internal/org/model"
+	policy_model "github.com/caos/zitadel/internal/policy/model"
 	"encoding/json"
 	"net"
 	"testing"
 	"time"

-	policy_model "github.com/caos/zitadel/internal/policy/model"
-
 	"github.com/golang/mock/gomock"

 	"github.com/caos/zitadel/internal/api/auth"
@@ -86,10 +86,11 @@ func TestUserByID(t *testing.T) {
 func TestCreateUser(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	type args struct {
-		es     *UserEventstore
-		ctx    context.Context
-		user   *model.User
-		policy *policy_model.PasswordComplexityPolicy
+		es        *UserEventstore
+		ctx       context.Context
+		user      *model.User
+		policy    *policy_model.PasswordComplexityPolicy
+		orgPolicy *org_model.OrgIamPolicy
 	}
 	type res struct {
 		user    *model.User
@@ -117,7 +118,8 @@ func TestCreateUser(t *testing.T) {
 						IsEmailVerified: true,
 					},
 				},
-				policy: &policy_model.PasswordComplexityPolicy{},
+				policy:    &policy_model.PasswordComplexityPolicy{},
+				orgPolicy: &org_model.OrgIamPolicy{},
 			},
 			res: res{
 				user: &model.User{ObjectRoot: es_models.ObjectRoot{Sequence: 1},
@@ -148,7 +150,8 @@ func TestCreateUser(t *testing.T) {
 						IsEmailVerified: true,
 					},
 				},
-				policy: &policy_model.PasswordComplexityPolicy{},
+				policy:    &policy_model.PasswordComplexityPolicy{},
+				orgPolicy: &org_model.OrgIamPolicy{UserLoginMustBeDomain: false},
 			},
 			res: res{
 				user: &model.User{ObjectRoot: es_models.ObjectRoot{Sequence: 1},
@@ -184,7 +187,8 @@ func TestCreateUser(t *testing.T) {
 						IsPhoneVerified: true,
 					},
 				},
-				policy: &policy_model.PasswordComplexityPolicy{},
+				policy:    &policy_model.PasswordComplexityPolicy{},
+				orgPolicy: &org_model.OrgIamPolicy{},
 			},
 			res: res{
 				user: &model.User{ObjectRoot: es_models.ObjectRoot{Sequence: 1},
@@ -221,7 +225,8 @@ func TestCreateUser(t *testing.T) {
 						IsEmailVerified: true,
 					},
 				},
-				policy: &policy_model.PasswordComplexityPolicy{},
+				policy:    &policy_model.PasswordComplexityPolicy{},
+				orgPolicy: &org_model.OrgIamPolicy{},
 			},
 			res: res{
 				user: &model.User{ObjectRoot: es_models.ObjectRoot{Sequence: 1},
@@ -239,6 +244,31 @@ func TestCreateUser(t *testing.T) {
 		},
 		{
 			name: "create user invalid",
+			args: args{
+				es:        GetMockManipulateUser(ctrl),
+				ctx:       auth.NewMockContext("orgID", "userID"),
+				user:      &model.User{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 1}},
+				policy:    &policy_model.PasswordComplexityPolicy{},
+				orgPolicy: &org_model.OrgIamPolicy{},
+			},
+			res: res{
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "create user pw policy nil",
+			args: args{
+				es:        GetMockManipulateUser(ctrl),
+				ctx:       auth.NewMockContext("orgID", "userID"),
+				user:      &model.User{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 1}},
+				orgPolicy: &org_model.OrgIamPolicy{},
+			},
+			res: res{
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "create user org policy nil",
 			args: args{
 				es:     GetMockManipulateUser(ctrl),
 				ctx:    auth.NewMockContext("orgID", "userID"),
@@ -249,21 +279,10 @@ func TestCreateUser(t *testing.T) {
 				errFunc: caos_errs.IsPreconditionFailed,
 			},
 		},
-		{
-			name: "create user policy nil",
-			args: args{
-				es:   GetMockManipulateUser(ctrl),
-				ctx:  auth.NewMockContext("orgID", "userID"),
-				user: &model.User{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 1}},
-			},
-			res: res{
-				errFunc: caos_errs.IsPreconditionFailed,
-			},
-		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result, err := tt.args.es.CreateUser(tt.args.ctx, tt.args.user, tt.args.policy)
+			result, err := tt.args.es.CreateUser(tt.args.ctx, tt.args.user, tt.args.policy, tt.args.orgPolicy)

 			if tt.res.errFunc == nil && result.AggregateID == "" {
 				t.Errorf("result has no id")
@@ -296,6 +315,7 @@ func TestRegisterUser(t *testing.T) {
 		user          *model.User
 		resourceOwner string
 		policy        *policy_model.PasswordComplexityPolicy
+		orgPolicy     *org_model.OrgIamPolicy
 	}
 	type res struct {
 		user    *model.User
@@ -326,6 +346,7 @@ func TestRegisterUser(t *testing.T) {
 					},
 				},
 				policy:        &policy_model.PasswordComplexityPolicy{},
+				orgPolicy:     &org_model.OrgIamPolicy{UserLoginMustBeDomain: true},
 				resourceOwner: "ResourceOwner",
 			},
 			res: res{
@@ -359,6 +380,7 @@ func TestRegisterUser(t *testing.T) {
 					},
 				},
 				policy:        &policy_model.PasswordComplexityPolicy{},
+				orgPolicy:     &org_model.OrgIamPolicy{UserLoginMustBeDomain: false},
 				resourceOwner: "ResourceOwner",
 			},
 			res: res{
@@ -381,6 +403,7 @@ func TestRegisterUser(t *testing.T) {
 				ctx:           auth.NewMockContext("orgID", "userID"),
 				user:          &model.User{ObjectRoot: es_models.ObjectRoot{Sequence: 1}},
 				policy:        &policy_model.PasswordComplexityPolicy{},
+				orgPolicy:     &org_model.OrgIamPolicy{},
 				resourceOwner: "ResourceOwner",
 			},
 			res: res{
@@ -403,6 +426,7 @@ func TestRegisterUser(t *testing.T) {
 					},
 				},
 				policy:        &policy_model.PasswordComplexityPolicy{},
+				orgPolicy:     &org_model.OrgIamPolicy{},
 				resourceOwner: "ResourceOwner",
 			},
 			res: res{
@@ -424,14 +448,15 @@ func TestRegisterUser(t *testing.T) {
 						EmailAddress: "EmailAddress",
 					},
 				},
-				policy: &policy_model.PasswordComplexityPolicy{},
+				policy:    &policy_model.PasswordComplexityPolicy{},
+				orgPolicy: &org_model.OrgIamPolicy{},
 			},
 			res: res{
 				errFunc: caos_errs.IsPreconditionFailed,
 			},
 		},
 		{
-			name: "no policy",
+			name: "no pw policy",
 			args: args{
 				es:  GetMockManipulateUser(ctrl),
 				ctx: auth.NewMockContext("orgID", "userID"),
@@ -445,6 +470,28 @@ func TestRegisterUser(t *testing.T) {
 						EmailAddress: "EmailAddress",
 					},
 				},
+				orgPolicy: &org_model.OrgIamPolicy{},
+			},
+			res: res{
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "no org policy",
+			args: args{
+				es:  GetMockManipulateUser(ctrl),
+				ctx: auth.NewMockContext("orgID", "userID"),
+				user: &model.User{ObjectRoot: es_models.ObjectRoot{Sequence: 1},
+					Profile: &model.Profile{
+						UserName:  "EmailAddress",
+						FirstName: "FirstName",
+						LastName:  "LastName",
+					},
+					Email: &model.Email{
+						EmailAddress: "EmailAddress",
+					},
+				},
+				policy: &policy_model.PasswordComplexityPolicy{},
 			},
 			res: res{
 				errFunc: caos_errs.IsPreconditionFailed,
@@ -453,7 +500,7 @@ func TestRegisterUser(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result, err := tt.args.es.RegisterUser(tt.args.ctx, tt.args.user, tt.args.policy, tt.args.resourceOwner)
+			result, err := tt.args.es.RegisterUser(tt.args.ctx, tt.args.user, tt.args.policy, tt.args.orgPolicy, tt.args.resourceOwner)

 			if tt.res.errFunc == nil && result.AggregateID == "" {
 				t.Errorf("result has no id")
--- a/internal/user/repository/eventsourcing/user.go
+++ b/internal/user/repository/eventsourcing/user.go
@@ -5,7 +5,9 @@ import (
 	"github.com/caos/zitadel/internal/errors"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 	es_sdk "github.com/caos/zitadel/internal/eventstore/sdk"
+	org_es_model "github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
 	"github.com/caos/zitadel/internal/user/repository/eventsourcing/model"
+	"strings"
 )

 func UserByIDQuery(id string, latestSequence uint64) (*es_models.SearchQuery, error) {
@@ -53,7 +55,7 @@ func UserAggregateOverwriteContext(ctx context.Context, aggCreator *es_models.Ag
 	return aggCreator.NewAggregate(ctx, user.AggregateID, model.UserAggregate, model.UserVersion, user.Sequence, es_models.OverwriteResourceOwner(resourceOwnerID), es_models.OverwriteEditorUser(userID))
 }

-func UserCreateAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, user *model.User, initCode *model.InitUserCode, phoneCode *model.PhoneCode, resourceOwner string) (_ []*es_models.Aggregate, err error) {
+func UserCreateAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, user *model.User, initCode *model.InitUserCode, phoneCode *model.PhoneCode, resourceOwner string, userLoginMustBeDomain bool) (_ []*es_models.Aggregate, err error) {
 	if user == nil {
 		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-duxk2", "user should not be nil")
 	}
@@ -67,6 +69,14 @@ func UserCreateAggregate(ctx context.Context, aggCreator *es_models.AggregateCre
 	if err != nil {
 		return nil, err
 	}
+	if !userLoginMustBeDomain {
+		validationQuery := es_models.NewSearchQuery().
+			AggregateTypeFilter(org_es_model.OrgAggregate).
+			AggregateIDsFilter()
+
+		validation := addUserNameValidation(user.UserName)
+		agg.SetPrecondition(validationQuery, validation)
+	}

 	agg, err = agg.AppendEvent(model.UserAdded, user)
 	if err != nil {
@@ -107,7 +117,7 @@ func UserCreateAggregate(ctx context.Context, aggCreator *es_models.AggregateCre
 	}, nil
 }

-func UserRegisterAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, user *model.User, resourceOwner string, emailCode *model.EmailCode) ([]*es_models.Aggregate, error) {
+func UserRegisterAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, user *model.User, resourceOwner string, emailCode *model.EmailCode, userLoginMustBeDomain bool) ([]*es_models.Aggregate, error) {
 	if user == nil || resourceOwner == "" || emailCode == nil {
 		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-duxk2", "user, resourceowner, emailcode should not be nothing")
 	}
@@ -117,6 +127,14 @@ func UserRegisterAggregate(ctx context.Context, aggCreator *es_models.AggregateC
 		return nil, err
 	}

+	if !userLoginMustBeDomain {
+		validationQuery := es_models.NewSearchQuery().
+			AggregateTypeFilter(org_es_model.OrgAggregate).
+			AggregateIDsFilter()
+
+		validation := addUserNameValidation(user.UserName)
+		agg.SetPrecondition(validationQuery, validation)
+	}
 	agg, err = agg.AppendEvent(model.UserRegistered, user)
 	if err != nil {
 		return nil, err
@@ -152,9 +170,9 @@ func getUniqueUserAggregates(ctx context.Context, aggCreator *es_models.Aggregat
 	}, nil
 }
 func reservedUniqueUserNameAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, resourceOwner, userName string) (*es_models.Aggregate, error) {
-	aggregate, err := aggCreator.NewAggregate(ctx, userName, model.UserUserNameAggregate, model.UserVersion, 0)
+	aggregate, err := aggCreator.NewAggregate(ctx, userName+resourceOwner, model.UserUserNameAggregate, model.UserVersion, 0)
 	if resourceOwner != "" {
-		aggregate, err = aggCreator.NewAggregate(ctx, userName, model.UserUserNameAggregate, model.UserVersion, 0, es_models.OverwriteResourceOwner(resourceOwner))
+		aggregate, err = aggCreator.NewAggregate(ctx, userName+resourceOwner, model.UserUserNameAggregate, model.UserVersion, 0, es_models.OverwriteResourceOwner(resourceOwner))
 	}
 	if err != nil {
 		return nil, err
@@ -631,3 +649,44 @@ func isEventValidation(aggregate *es_models.Aggregate, eventType es_models.Event
 		return nil
 	}
 }
+
+func addUserNameValidation(userName string) func(...*es_models.Event) error {
+	return func(events ...*es_models.Event) error {
+		domains := make([]*org_es_model.OrgDomain, 0)
+		for _, event := range events {
+			switch event.Type {
+			case org_es_model.OrgDomainAdded:
+				domain := new(org_es_model.OrgDomain)
+				domain.SetData(event)
+			case org_es_model.OrgDomainVerified:
+				domain := new(org_es_model.OrgDomain)
+				domain.SetData(event)
+				for _, d := range domains {
+					if d.Domain == domain.Domain {
+						d.Verified = true
+					}
+				}
+			case org_es_model.OrgDomainRemoved:
+				domain := new(org_es_model.OrgDomain)
+				domain.SetData(event)
+				for i, d := range domains {
+					if d.Domain == domain.Domain {
+						domains[i] = domains[len(domains)-1]
+						domains[len(domains)-1] = nil
+						domains = domains[:len(domains)-1]
+					}
+				}
+			}
+		}
+		split := strings.Split(userName, "@")
+		if len(split) != 2 {
+			return nil
+		}
+		for _, d := range domains {
+			if d.Verified && d.Domain == split[1] {
+				return errors.ThrowPreconditionFailed(nil, "EVENT-us5Zw", "domain already reserved")
+			}
+		}
+		return nil
+	}
+}
--- a/internal/user/repository/eventsourcing/user_test.go
+++ b/internal/user/repository/eventsourcing/user_test.go
@@ -223,7 +223,7 @@ func TestUserCreateAggregate(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			aggregates, err := UserCreateAggregate(tt.args.ctx, tt.args.aggCreator, tt.args.new, tt.args.initCode, tt.args.phoneCode, "")
+			aggregates, err := UserCreateAggregate(tt.args.ctx, tt.args.aggCreator, tt.args.new, tt.args.initCode, tt.args.phoneCode, "", true)

 			if !tt.res.wantErr && len(aggregates) != tt.res.aggregatesLen {
 				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.aggregatesLen, len(aggregates))
@@ -348,7 +348,7 @@ func TestUserRegisterAggregate(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			aggregates, err := UserRegisterAggregate(tt.args.ctx, tt.args.aggCreator, tt.args.new, tt.args.resourceOwner, tt.args.emailCode)
+			aggregates, err := UserRegisterAggregate(tt.args.ctx, tt.args.aggCreator, tt.args.new, tt.args.resourceOwner, tt.args.emailCode, false)

 			if tt.res.errFunc == nil && len(aggregates[0].Events) != tt.res.eventLen {
 				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(aggregates[0].Events))
--- a/internal/user/repository/view/model/user.go
+++ b/internal/user/repository/view/model/user.go
@@ -2,6 +2,7 @@ package model

 import (
 	"encoding/json"
+	"github.com/lib/pq"
 	"time"

 	"github.com/caos/logging"
@@ -23,39 +24,41 @@ const (
 	UserKeyEmail         = "email"
 	UserKeyState         = "user_state"
 	UserKeyResourceOwner = "resource_owner"
+	UserKeyLoginNames    = "login_names"
 )

 type UserView struct {
-	ID                     string    `json:"-" gorm:"column:id;primary_key"`
-	CreationDate           time.Time `json:"-" gorm:"column:creation_date"`
-	ChangeDate             time.Time `json:"-" gorm:"column:change_date"`
-	ResourceOwner          string    `json:"-" gorm:"column:resource_owner"`
-	State                  int32     `json:"-" gorm:"column:user_state"`
-	PasswordSet            bool      `json:"-" gorm:"column:password_set"`
-	PasswordChangeRequired bool      `json:"-" gorm:"column:password_change_required"`
-	PasswordChanged        time.Time `json:"-" gorm:"column:password_change"`
-	LastLogin              time.Time `json:"-" gorm:"column:last_login"`
-	UserName               string    `json:"userName" gorm:"column:user_name"`
-	FirstName              string    `json:"firstName" gorm:"column:first_name"`
-	LastName               string    `json:"lastName" gorm:"column:last_name"`
-	NickName               string    `json:"nickName" gorm:"column:nick_name"`
-	DisplayName            string    `json:"displayName" gorm:"column:display_name"`
-	PreferredLanguage      string    `json:"preferredLanguage" gorm:"column:preferred_language"`
-	Gender                 int32     `json:"gender" gorm:"column:gender"`
-	Email                  string    `json:"email" gorm:"column:email"`
-	IsEmailVerified        bool      `json:"-" gorm:"column:is_email_verified"`
-	Phone                  string    `json:"phone" gorm:"column:phone"`
-	IsPhoneVerified        bool      `json:"-" gorm:"column:is_phone_verified"`
-	Country                string    `json:"country" gorm:"column:country"`
-	Locality               string    `json:"locality" gorm:"column:locality"`
-	PostalCode             string    `json:"postalCode" gorm:"column:postal_code"`
-	Region                 string    `json:"region" gorm:"column:region"`
-	StreetAddress          string    `json:"streetAddress" gorm:"column:street_address"`
-	OTPState               int32     `json:"-" gorm:"column:otp_state"`
-	MfaMaxSetUp            int32     `json:"-" gorm:"column:mfa_max_set_up"`
-	MfaInitSkipped         time.Time `json:"-" gorm:"column:mfa_init_skipped"`
-	InitRequired           bool      `json:"-" gorm:"column:init_required"`
-	Sequence               uint64    `json:"-" gorm:"column:sequence"`
+	ID                     string         `json:"-" gorm:"column:id;primary_key"`
+	CreationDate           time.Time      `json:"-" gorm:"column:creation_date"`
+	ChangeDate             time.Time      `json:"-" gorm:"column:change_date"`
+	ResourceOwner          string         `json:"-" gorm:"column:resource_owner"`
+	State                  int32          `json:"-" gorm:"column:user_state"`
+	PasswordSet            bool           `json:"-" gorm:"column:password_set"`
+	PasswordChangeRequired bool           `json:"-" gorm:"column:password_change_required"`
+	PasswordChanged        time.Time      `json:"-" gorm:"column:password_change"`
+	LastLogin              time.Time      `json:"-" gorm:"column:last_login"`
+	UserName               string         `json:"userName" gorm:"column:user_name"`
+	LoginNames             pq.StringArray `json:"-" gorm:"column:login_names"`
+	FirstName              string         `json:"firstName" gorm:"column:first_name"`
+	LastName               string         `json:"lastName" gorm:"column:last_name"`
+	NickName               string         `json:"nickName" gorm:"column:nick_name"`
+	DisplayName            string         `json:"displayName" gorm:"column:display_name"`
+	PreferredLanguage      string         `json:"preferredLanguage" gorm:"column:preferred_language"`
+	Gender                 int32          `json:"gender" gorm:"column:gender"`
+	Email                  string         `json:"email" gorm:"column:email"`
+	IsEmailVerified        bool           `json:"-" gorm:"column:is_email_verified"`
+	Phone                  string         `json:"phone" gorm:"column:phone"`
+	IsPhoneVerified        bool           `json:"-" gorm:"column:is_phone_verified"`
+	Country                string         `json:"country" gorm:"column:country"`
+	Locality               string         `json:"locality" gorm:"column:locality"`
+	PostalCode             string         `json:"postalCode" gorm:"column:postal_code"`
+	Region                 string         `json:"region" gorm:"column:region"`
+	StreetAddress          string         `json:"streetAddress" gorm:"column:street_address"`
+	OTPState               int32          `json:"-" gorm:"column:otp_state"`
+	MfaMaxSetUp            int32          `json:"-" gorm:"column:mfa_max_set_up"`
+	MfaInitSkipped         time.Time      `json:"-" gorm:"column:mfa_init_skipped"`
+	InitRequired           bool           `json:"-" gorm:"column:init_required"`
+	Sequence               uint64         `json:"-" gorm:"column:sequence"`
 }

 func UserFromModel(user *model.UserView) *UserView {
@@ -70,6 +73,7 @@ func UserFromModel(user *model.UserView) *UserView {
 		PasswordChanged:        user.PasswordChanged,
 		LastLogin:              user.LastLogin,
 		UserName:               user.UserName,
+		LoginNames:             user.LoginNames,
 		FirstName:              user.FirstName,
 		LastName:               user.LastName,
 		NickName:               user.NickName,
--- a/internal/user/repository/view/model/user_query.go
+++ b/internal/user/repository/view/model/user_query.go
@@ -69,6 +69,8 @@ func (key UserSearchKey) ToColumnName() string {
 		return UserKeyState
 	case usr_model.USERSEARCHKEY_RESOURCEOWNER:
 		return UserKeyResourceOwner
+	case usr_model.USERSEARCHKEY_LOGIN_NAMES:
+		return UserKeyLoginNames
 	default:
 		return ""
 	}
--- a/internal/user/repository/view/user_view.go
+++ b/internal/user/repository/view/user_view.go
@@ -2,10 +2,12 @@ package view

 import (
 	caos_errs "github.com/caos/zitadel/internal/errors"
+	global_model "github.com/caos/zitadel/internal/model"
 	usr_model "github.com/caos/zitadel/internal/user/model"
 	"github.com/caos/zitadel/internal/user/repository/view/model"
 	"github.com/caos/zitadel/internal/view"
 	"github.com/jinzhu/gorm"
+	"github.com/lib/pq"
 )

 func UserByID(db *gorm.DB, table, userID string) (*model.UserView, error) {
@@ -28,6 +30,32 @@ func UserByUserName(db *gorm.DB, table, userName string) (*model.UserView, error
 	return user, err
 }

+func UserByLoginName(db *gorm.DB, table, loginName string) (*model.UserView, error) {
+	user := new(model.UserView)
+	loginNameQuery := &model.UserSearchQuery{
+		Key:    usr_model.USERSEARCHKEY_LOGIN_NAMES,
+		Method: global_model.SEARCHMETHOD_EQUALS_IN_ARRAY,
+		Value:  pq.Array([]string{loginName}),
+	}
+	query := view.PrepareGetByQuery(table, loginNameQuery)
+	err := query(db, user)
+	return user, err
+}
+
+func UsersByOrgID(db *gorm.DB, table, orgID string) ([]*model.UserView, error) {
+	users := make([]*model.UserView, 0)
+	orgIDQuery := &usr_model.UserSearchQuery{
+		Key:    usr_model.USERSEARCHKEY_RESOURCEOWNER,
+		Method: global_model.SEARCHMETHOD_EQUALS,
+		Value:  orgID,
+	}
+	query := view.PrepareSearchQuery(table, model.UserSearchRequest{
+		Queries: []*usr_model.UserSearchQuery{orgIDQuery},
+	})
+	_, err := query(db, &users)
+	return users, err
+}
+
 func SearchUsers(db *gorm.DB, table string, req *usr_model.UserSearchRequest) ([]*model.UserView, int, error) {
 	users := make([]*model.UserView, 0)
 	query := view.PrepareSearchQuery(table, model.UserSearchRequest{Limit: req.Limit, Offset: req.Offset, Queries: req.Queries})